--- Day changed Thu Jan 01 2009
00:36 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
01:54 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
02:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:13 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
04:36 -!- gfather [n=g@77.241.65.48] has joined ##openvpn
04:36 < gfather> haappy new yeaaaaaaaar :)
04:55 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
04:56 < mRCUTEO> happey new ya
05:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
05:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:12 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit []
06:28 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
07:05 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
07:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:28 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:56 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
09:08 < ecrist> fwiw, the named.root file has been updated (newest revision is 12/12/2008) in which they've added an AAAA record for L.ROOT-SERVERS.NET.
09:23 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: Pagautas
09:24 -!- Netsplit over, joins: Pagautas
09:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
11:32 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
11:32 < Mahmoud> any freely available vpn setup that uses openvpn?
11:34 < Mahmoud> i recall one available, but can't get its correct name
11:38 < reiffert> "setup"?
11:38 < Mahmoud> a free vpn provider
11:39 < reiffert> "any freely available vpn a free vpn provider that uses openvpn"?
11:39 < reiffert> sorry, but I dont get you.
11:39 < Mahmoud> hmmmm
11:40 < Mahmoud> similar to free shared web hosting providers. there are some vpn providers
11:40 < Mahmoud> i want a vpn provider that uses openvpn's client to connect to it
11:40 < Mahmoud> there is one, pretty sure, but forgot its name
11:41 < reiffert> I have no idea which free shared web hosting provider offers vpn access.
11:41 < Mahmoud> aghh
11:41 < Mahmoud> this is not what i asked
11:41 < Mahmoud> what i want is only a free vpn provider (i don't care about websites)
11:57 < reiffert> still no idea
12:58 < ebf0> Mahmoud: I get you, but I dont know of any
13:04 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has joined ##openvpn
13:04 < Balzac21> Hi. I have openvpn going and I've set my iptables right so that all traffic is properly in nat. On my end (vista) it still won't tunnel properly and won't connect to the internet
13:27 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has quit [Connection timed out]
14:38 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
15:13 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
15:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
15:55 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out]
16:26 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
16:28 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:17 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
17:19 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
17:24 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
17:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
18:15 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
18:20 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."]
18:20 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
18:35 -!- gfather [n=g@77.241.65.48] has quit [Read error: 110 (Connection timed out)]
18:55 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Remote closed the connection]
18:55 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
19:02 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:12 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
20:10 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
21:04 -!- solj [n=solj@layer9.ices.utexas.edu] has joined ##openvpn
21:04 < solj> !menu
21:04 < vpnHelper> solj: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
21:05 < solj> hi, i'm having some trouble with getting certain keys to work
21:06 < solj> i have some client keys working, but others that were generated the same way are not
21:06 < solj> i'm getting a generic TLS timeout message on the client
21:08 < krzie> !logs
21:08 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
21:08 < krzie> on one that doesnt work
21:14 < solj> krzie: k, i'll get back to you in a bit
21:14 -!- solj [n=solj@layer9.ices.utexas.edu] has left ##openvpn []
21:19 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
21:37 < krzie> lol
22:05 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
22:11 < tjz> any malaysian on streamyx?
22:12 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Remote closed the connection]
22:15 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
22:18 < Skiz> so I have a tunnel set up between my mac and a remote debian system running openvpn which I can connect to fine. My issue is the masquerading (I think..) I'm trying to set my default route so that all of my traffic is sent through the tunnel by default, but it seems that I can make connections to only the server itself and the nat doesnt work. http://pastie.org/private/thqkl7syh02xd3n7mpbyw is some configs and specs. Any ideas would be
22:26 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:29 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:29 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
22:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:32 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
22:33 < tjz> hey !!!
22:33 < mRCUTEO> hiya tjz
22:33 < mRCUTEO> hehe
22:33 < tjz> haha
22:33 < tjz> Happy new year
22:33 < tjz> :)
22:33 < mRCUTEO> happy new year to you too :D
22:35 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit [Client Quit]
22:45 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:47 < Skiz_> so I changed my dns push to the same address as the vpn end tun0 ip, I have bind running, and I can now do lookups, but cannot connect to any (even though my default route is still my standard wifi here at the house. there is also now a 0/1 route with my tun0 gateway which bewilders me.
22:47 < Skiz_> yet I'm still on irc :S
22:47 -!- Skiz_ is now known as Skiz
22:49 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:49 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
22:49 < Skiz_> so I changed my dns push to the same address as the vpn end tun0 ip, I have bind running, and I can now do lookups, but cannot connect to any (even though my default route is still my standard wifi here at the house. there is also now a 0/1 route with my tun0 gateway which bewilders me and everything starts getting dropped.
22:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Connection timed out]
23:05 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 60 (Operation timed out)]
23:07 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
23:08 -!- ropetin_ is now known as ropetin
23:09 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
23:18 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, AndyML, Mahmoud, disco-, hiptobecubic, Skiz, bigjohnto, mepholic, smk, Solver, (+14 more, use /NETSPLIT to show all of them)
23:21 -!- Netsplit over, joins: Skiz, ropetin, Mahmoud, mepholic, troy-, justdave, phlax, imbezol, Solver, jpalmer (+5 more)
23:26 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, AndyML, Mahmoud, disco-, Skiz, mepholic, Solver, phlax, dogmeat, jabular, (+5 more, use /NETSPLIT to show all of them)
23:28 -!- Netsplit over, joins: Skiz, ropetin, Mahmoud, mepholic, troy-, justdave, phlax, imbezol, Solver, jpalmer (+5 more)
23:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:28 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
23:28 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has joined ##openvpn
23:28 -!- int [n=quassel@wikia/int] has joined ##openvpn
23:28 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
23:28 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has joined ##openvpn
23:28 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn
23:28 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn
23:28 -!- smk [n=scott@cobra.httpd.org] has joined ##openvpn
23:31 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Remote closed the connection]
23:34 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
23:39 < tjz> omg
23:39 < tjz> what happen
23:39 < dvl> a net split.
23:40 < tjz> hmm
23:40 < dvl> followed by a rejoin
23:40 < tjz> do you know why i can't auto join #openvpn ?
23:40 < tjz> under "perform"
23:40 < tjz> in irc client
23:40 < dvl> I don't even know what IRC client you are using.
23:41 < dvl> Normally, there is a field for channels you want to join.
23:49 < Skiz_> try it with 2 #'s
23:49 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
23:56 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 131 (Connection reset by peer)]
23:56 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
--- Day changed Fri Jan 02 2009
00:10 < tjz> welcome back
00:10 < tjz> hehe
00:11 < tjz> let me try with 2 #'s
00:11 < tjz> brb
00:11 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
00:11 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
00:11 < tjz> doesn't auto join to openvpn
00:26 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
00:27 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit [Client Quit]
00:31 < krzee> tjz
00:32 < krzee> your client needs to auth to nickserv before joining
00:32 < krzee> mine can do that auto
00:32 < krzee> but im using xchat aqua for osx
00:41 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
00:51 < tjz> i have auto auth setup under "option" > "perform" for my mirc
00:51 < tjz> :(
00:51 < tjz> it works for another irc network
00:51 < tjz> not this
00:51 < tjz> :(
00:51 < tjz> :)
01:25 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
01:29 < tjz> welcome
01:50 < ropetin> Hi-de-ho all
01:51 < krzee> tjz
01:51 < krzee> just cause it auto-auths doesnt mean it waits for the auth to be successful to join channels
01:51 < krzee> wassup rope
01:52 < ropetin> Meh, just trying to get motivated for work krzee, how're you?
01:53 < tjz> lol rope
01:53 < tjz> doesn't make sense..
01:53 < ropetin> tjz: what doesn't?
01:54 < tjz> i run the auth first before the auto join to openvpn channel
01:54 < ropetin> Which client?
01:54 < tjz> i am using mirc client
01:55 < ropetin> How're you doing the authentication? Do you have it configured in the server config or are you running it as a post connection command? (I may be confused, haven't used mIRC for long time)
01:57 < tjz> lol
01:57 < tjz> what i did is "/msg NickServ identify xxx"
01:57 < tjz> to auth
01:58 < tjz> under connect > option > perform
01:58 < tjz> when on connect
01:58 < tjz> hmm
01:58 < tjz> actually..
01:59 < tjz> not really important
01:59 < tjz> just ranting
01:59 < tjz> :P
01:59 < ropetin> Hehhe, ok
01:59 < ropetin> I'd recommend using irssi, works like a champ :D
02:06 < tjz> x_x
02:06 < tjz> <- on windows xp
02:18 < tjz> :P
02:20 < ropetin> Luckily they have a version for Windows :)
02:21 < ropetin> Nicely packaged in an .exe, right on the home page
02:29 < ropetin> Meh, Mutt is driving me nuts
02:52 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
03:01 -!- DigitallyStoned [i=digitall@191.sub-75-203-176.myvzw.com] has joined ##openvpn
03:01 < DigitallyStoned> !route
03:01 < vpnHelper> DigitallyStoned: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:02 < DigitallyStoned> ok i have a weird problem with routing
03:02 < DigitallyStoned> is anyone decent at it?
03:03 < ropetin> Depends what the problem is :)
03:03 < DigitallyStoned> ok i have pfsense with openvpn setup
03:03 < DigitallyStoned> it connects fine
03:03 < DigitallyStoned> my default lan is on a 10.0.0.0/16 and my VPN is on a 10.0.2.0/26
03:04 < DigitallyStoned> i can ping 10.0.0.1 *default gateway* and hit the box, i can hit 10.0.0.2 and get its interface
03:04 < DigitallyStoned> 10.0.0.3 thru 10.0.0.255 i cannot see
03:04 < DigitallyStoned> i have a push "route 10.0.0.0 255.255.0.0" setup for my vpn config
03:04 < DigitallyStoned> dns and all works
03:04 < DigitallyStoned> just cant access via telnet or http any device above 3
03:05 < DigitallyStoned> really weird
03:05 < ropetin> You have forwarding set up on the vpn server?
03:06 < DigitallyStoned> when you say forwarding youre talking about the local lan pool correct right? for a remote vpn connection?
03:07 < ropetin> Well let me take step back, what OS is your vpn server?
03:07 < DigitallyStoned> its running on pfsense
03:07 < DigitallyStoned> so openbsd
03:07 < DigitallyStoned> and i have my default lan rules set for any
03:07 < DigitallyStoned> so any tcp/udp connection is accepted
03:07 < DigitallyStoned> i can ping both 10.0.0.1 and 10.0.0.2 via vpn
03:08 < ropetin> Hmmm, no experience with any bsd, but on Linux if I want to connect to something 'beyond' the VPN server I have to set an iptables masquerade rule to forward the traffic, as well as make sure ip forwarding is enabled
03:08 < DigitallyStoned> yeah thats all enabled on the box
03:08 < DigitallyStoned> nat rules are in place
03:09 < ropetin> .1 and .2 are interfaces on the server?
03:09 < DigitallyStoned> no
03:09 < DigitallyStoned> .1 is the server
03:09 < DigitallyStoned> .2 is a remote power boot device connected to the switch at .3
03:09 < DigitallyStoned> its a cisco switch
03:09 < ropetin> Weird then that you can get to that but nothing else
03:09 < DigitallyStoned> yeah thats what i thought
03:09 < DigitallyStoned> the route locally on this machine shows 10.0.0.0 network 255.255.0.0 using interface 10.0.2.5
03:09 < ropetin> Hmmm, only thing I can say is double check your netmasks are correct, other than that, I'm stumped
03:09 < DigitallyStoned> which is right
03:10 < ropetin> Well one thing, your netmasks overlap, correct?
03:10 < ropetin> Is that intentional?
03:10 < DigitallyStoned> do they?
03:10 < DigitallyStoned> oh shit youre right
03:11 < DigitallyStoned> shoulda been 10.2
03:11 < DigitallyStoned> crap
03:11 < DigitallyStoned> let me change that
03:11 < DigitallyStoned> hold 1
03:11 < ropetin> :D
03:11 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
03:12 < DigitallyStoned> haha
03:12 < DigitallyStoned> holy shit
03:12 < DigitallyStoned> my fault
03:12 < DigitallyStoned> i screwed that one up
03:12 < ropetin> It worked?
03:13 < DigitallyStoned> yeah
03:13 < DigitallyStoned> i screwed that u
03:13 < DigitallyStoned> up
03:13 < DigitallyStoned> 10.2.0.0 was supposed to be the net not 10.0.2.0
03:14 < ropetin> Excellent
03:14 < DigitallyStoned> heh
03:14 < DigitallyStoned> thanks for pointing that out else idda been scratching my head all day
03:15 < ropetin> NP, I'm good at catching the easy stuff :)
03:15 < DigitallyStoned> its what i get for playing halo 2 all the time
03:15 < DigitallyStoned> youd like the setup i made here though
03:16 < DigitallyStoned> i had like 100 cat5 cables running all over my house to a few different routers
03:16 < DigitallyStoned> now its all meshed
03:16 < DigitallyStoned> on an A channel
03:16 < ropetin> Just for fun?
03:16 < DigitallyStoned> no i finally integrated my hardware
03:16 < DigitallyStoned> i have 2 50mb circuits coming in
03:16 < DigitallyStoned> i used pfsense to multiwan them
03:17 < DigitallyStoned> i tried it on centos and it halfassed worked
03:17 < DigitallyStoned> pfsense is totally worth dedicating one old server to it
03:17 < ropetin> In your house?
03:17 < DigitallyStoned> yeah
03:17 < ropetin> You're either in Japan, Korea, or just really rich, right?
03:18 < DigitallyStoned> Alabama
03:18 < DigitallyStoned> and no not rich
03:19 < DigitallyStoned> can i set a secondary remote server in my ovpn file?
03:19 < ropetin> What service gives you 50mb? And what's the upstream rate like?
03:19 < ropetin> Secondary as a backup? Or just a second one?
03:19 < DigitallyStoned> as a backup
03:19 < DigitallyStoned> upstream is only 4mb
03:20 < ropetin> Never done that, but you have the option of multiple servers yes
03:21 < ropetin> But it will only connect to one at a time, unless you put them in their own config file
03:21 < DigitallyStoned> happen to know the syntax?
03:21 < DigitallyStoned> well i dont need more than 1
03:21 < DigitallyStoned> its the same server, just 2 different IPs
03:22 < ropetin> I think it's the same format, you just put them below each other. It tries the first, if that fails, it tries the second
03:22 < ropetin> !man
03:22 < vpnHelper> ropetin: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:23 < DigitallyStoned> blah ill have to figure out how to make openvpn bind to the 2nd interface on the server
03:25 < ropetin> :D
03:27 < DigitallyStoned> i think i just need to add the port to the opt1 interface
03:27 < DigitallyStoned> we will see
03:28 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
03:30 < DigitallyStoned> yep
03:30 < DigitallyStoned> thats all i have to do
03:30 < DigitallyStoned> sweet
03:33 -!- DigitallyStoned [i=digitall@191.sub-75-203-176.myvzw.com] has quit []
03:53 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
03:57 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:34 < bsdbandit> i have installed openvpn 2.0.9 on openbsd 4.4 and when trying to start openvpn it just hangs here is my log file http://pastebin.com/m3a4b1dce
04:34 < bsdbandit> can someone help me out
04:34 < reiffert> Moin!
04:44 < bsdbandit> what do you think it could be
04:44 < bsdbandit> ?
04:48 -!- mRCUTEO [n=IRCLUNAT@118.101.177.69] has joined ##openvpn
04:48 < mRCUTEO> hey krzee u there ? :)
04:52 < krzee> hey
04:52 < krzee> moin reif
04:53 < krzee> !factoids search bsd
04:53 < vpnHelper> krzee: 'bsdnat', 'freebsd', 'fbsdbridge', and 'fbsdjail'
04:53 < bsdbandit> i have installed openvpn 2.0.9 on openbsd 4.4 and when trying to start openvpn it just hangs here is my log file http://pastebin.com/m3a4b1dce
04:53 < mRCUTEO> can ou help me correct my english sentence just one :) . here it is:
04:53 < krzee> mRCUTEO, yes
04:53 < mRCUTEO> New students intake registration now until 8 January 2009
04:53 < krzee> bsdbandit,
04:53 < krzee> !configs
04:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:54 < bsdbandit> !configs
04:54 < vpnHelper> bsdbandit: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:54 < krzee> mRCUTEO, i need context, can you show me the surrounding text in pastebin?
04:54 < mRCUTEO> okay hold on
04:56 < mRCUTEO> its just 2 sentences actually
04:56 < mRCUTEO> an announcement
04:56 < mRCUTEO> http://pastebin.com/m4c8bca50
04:57 < mRCUTEO> the announcement looks a lil error
04:57 < mRCUTEO> fragment(consider revising) error in ms word
04:57 < krzee> New students may begin intake registration now until 8 January 2009.
04:57 < krzee> ya, you needed a helping verb
04:57 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 60 (Operation timed out)]
04:58 < mRCUTEO> aha thats sounds better
04:58 < mRCUTEO> :) thanks
04:58 < krzee> np =]
05:01 < mRCUTEO> New students begin intake registration now until 8 January 2009 ? Will this sounds okay too krzee?
05:02 < ropetin> mRCUTEO: are you trying to say that new students CAN begin registration between now and 8th, or WILL?
05:02 < krzee> in other words you want to get rid of the word may
05:03 < krzee> may is another word for can, and i believe one of them belong in the sentence for the reason ropetin is saying
05:03 < krzee> may is more formal, which is why i chose it
05:04 < mRCUTEO> im trying to say the new student intake registration day is today until 8th
05:04 < krzee> you are trying to say they can register between now and the 8th
05:05 < mRCUTEO> yes
05:05 < mRCUTEO> the new intake student
05:05 < mRCUTEO> cn register now until 8th..
05:05 < mRCUTEO> New student intake registration begins now until 8 January 2009 <-- how about this one
05:05 < mRCUTEO> is the student in plural or singular
05:06 < krzee> if you dont want to use what i said, why ask me?
05:06 < krzee> singular in this tense
05:06 < mRCUTEO> no, u give me the ight word actually the word begin in the sentence
05:06 < mRCUTEO> *right
05:07 < mRCUTEO> but my sentence still jumble up
05:07 < reiffert> Register or die until Jan 8.
05:07 < mRCUTEO> :P
05:07 < krzee> New students must register between now and Jan 8
05:07 < krzee> is prolly more correct
05:07 < mRCUTEO> aha thats more like it
05:07 < reiffert> Dont register until Jan 8 and I have a nice time without you!
05:07 < mRCUTEO> yeah thats more simple
05:08 < mRCUTEO> New students must register between now and Jan 8 <-- this one better
05:08 < mRCUTEO> :)
05:08 < krzee> i like reif's
05:08 < mRCUTEO> thanks
05:08 < krzee> register or die
05:08 < krzee> lol
05:08 < mRCUTEO> :)
05:08 < reiffert> New students must register next door/floor, so I can bring my money home
05:08 < krzee> register by jan 8th or you will be a failure
05:08 < mRCUTEO> hehe
05:08 < reiffert> or fail
05:09 < krzee> epic fail for those who do not register by jan 8th
05:10 < mRCUTEO> english words are very tricky
05:10 < mRCUTEO> :)
05:10 < krzee> especially irc based
05:10 < krzee> haha
05:10 < mRCUTEO> haha :D
05:10 < krzee> irc has its own slang
05:11 < mRCUTEO> my oh my
05:11 < krzee> its lulz to say epid faily on irc
05:11 < krzee> epic fail
05:12 < krzee> if you say lulz or epid fail in real life, people will just look at you funny
05:12 < mRCUTEO> ehehe
05:12 < mRCUTEO> yeah very very tricky
05:12 * mRCUTEO dont even know how to speak fluent english in daily life
05:12 < mRCUTEO> lol..
05:13 < krzee> you do fine on irc
05:13 * mRCUTEO too much bilingual
05:13 < mRCUTEO> i speak mostly in chinese language and spanish.. so sometimes its hard to interpret it in english
05:13 < krzee> my spanish is getting much better
05:14 < mRCUTEO> oh good :)
05:14 < krzee> ive been in a spanish speaking country going on 2 yrs
05:14 < reiffert> buenas nodches
05:14 < reiffert> buenas tardes
05:14 < krzee> quiero nochos
05:14 < krzee> nachos
05:14 < reiffert> commo estas?
05:14 < mRCUTEO> my spanish is philippine spanish
05:14 < krzee> but they speak tagalog
05:14 < mRCUTEO> yes mix with spanish
05:14 < mRCUTEO> tagalug and spanish mixing
05:14 < krzee> sip sippin mo yun titiko
05:15 < krzee> i only know how to say it, not spell it
05:15 < mRCUTEO> you know how to speak tagalug too?
05:15 < krzee> a friend taught me that yrs ago
05:15 < krzee> nope
05:15 < krzee> thats all i know
05:15 < mRCUTEO> oh..
05:15 < mRCUTEO> :)
05:15 < krzee> did it seem right?
05:16 < krzee> all i know in german is plutz and moin
05:16 < mRCUTEO> it sounds like suloh
05:16 < mRCUTEO> *sulog
05:16 < krzee> oh and sitzen
05:16 < mRCUTEO> i dont know any german language hehe
05:16 < krzee> reif does
05:16 < mRCUTEO> but my language main is chinese
05:17 < reiffert> krzee: plutz?
05:17 < krzee> primary language
05:17 < krzee> plutz = lay down
05:17 < reiffert> krzee: platz
05:17 < krzee> my mom sometimes trains her dogs in german
05:17 < krzee> ahh
05:17 < reiffert> so your german neighbour got a dog?
05:17 < mRCUTEO> oh :)
05:17 < krzee> nope, its from mama
05:17 < krzee> she trains search and rescue dogs
05:17 < krzee> to find lost people
05:17 < mRCUTEO> :)
05:18 < reiffert> krzee: ah but why the german lang then?
05:18 < krzee> german commands are more harsh sounding
05:18 < mRCUTEO> your mum a german?
05:18 < krzee> plus nobody else giving commands to their dogs can confuse a new dog
05:18 < krzee> nope, mom is italian but from usa
05:18 < mRCUTEO> ic
05:18 < reiffert> A friend is lawyer, he's from czech republic. He's got a danish mastiff and all the boy knows is czech language....
05:19 < mRCUTEO> hehe
05:19 < krzee> i think my german neighbor is moving out =/
05:19 < krzee> which sucks cause hes cool
05:19 < mRCUTEO> :-)
05:20 < mRCUTEO> do you have chinese people living in your area?
05:20 < krzee> nope
05:20 < krzee> i seen like 5 asians the whole time i been here
05:20 < mRCUTEO> ic where they from?
05:20 < krzee> which sucks, i love asian women
05:20 < reiffert> I guess asian people are under 1% here.
05:20 < krzee> mRCUTEO, no idea, only saw them
05:21 < mRCUTEO> oh... 1% really in which area is that?
05:21 < krzee> under 1% here too
05:21 < krzee> caribbean
05:21 < mRCUTEO> ic
05:21 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
05:21 < reiffert> mRCUTEO: center of germany, mainz, next to frankfurt
05:22 * mRCUTEO checking google maps :D
05:22 < reiffert> http://maps.google.de/maps?f=q&hl=de&geocode=&q=mainz&sll=51.151786,10.415039&sspn=13.468074,28.300781&ie=UTF8&ll=50.035974,8.261719&spn=13.788082,28.300781&t=h&z=5
05:22 < vpnHelper> Title: Google Maps (at maps.google.de)
05:22 < mRCUTEO> aha
05:22 < mRCUTEO> :)
05:24 < mRCUTEO> very big city
05:24 < mRCUTEO> beautiful cities too..
05:25 < mRCUTEO> in my country i can only see trees, hills, small buildings, ruins and jungles..
05:25 < reiffert> I'm living countryside in a small village
05:25 < mRCUTEO> reiffert: u know where is borneo?
05:25 < reiffert> mRCUTEO: something with the apes?
05:26 < reiffert> next to Malaysia
05:26 < mRCUTEO> yes, just as i expected you're going to say that :)
05:26 < krzee> mRCUTEO, that sounds like a nice place
05:26 < mRCUTEO> thats my home
05:26 < mRCUTEO> i live here in borneo..
05:27 < mRCUTEO> and nobody will believe if i said i'm now online using a T-1 line on a tree house..
05:27 < mRCUTEO> :)
05:27 < krzee> hahahah
05:27 < reiffert> Ah, Borneo is the whole Island?
05:27 < mRCUTEO> ripleys believe it or not :)
05:27 < krzee> badass
05:27 < mRCUTEO> yes
05:27 < mRCUTEO> im in north borneo the most primitive among all the areas..
05:28 < mRCUTEO> you see anaconda, beast, giant spider,, crocodiles..
05:28 < reiffert> 16 inhabitants per square km
05:28 < mRCUTEO> but i get used to the environment already..
05:29 < mRCUTEO> tjz is my neighbour a sea away from borneo
05:30 < mRCUTEO> tjz from singapore which is more modernized country than borneo..
05:30 < mRCUTEO> borneo is primitive and wild..
05:31 < mRCUTEO> i wish i could go to europe someday... or USA maybe someday..
05:33 < mRCUTEO> most people thought that the natives in borneo are cannibals.. yes our ancestors are cannibal and our friends are some cannibals too but we still surfing the net using ADSL or T-1 line or DS3 from the tree house :D
05:34 < mRCUTEO> ripleys believe it or not :)
05:34 < krzee> ever tried human?
05:34 < krzee> i prolly would if it were being served in a place i was at and it was normal there
05:34 < krzee> im curious how it is
05:35 < mRCUTEO> human meat taste like chicken actually...
05:35 < mRCUTEO> if you cook it well it taste like roasted lamb
05:35 < krzee> ahh
05:35 < mRCUTEO> my friend cook his half-dead neighbour once.. and serve to us ..
05:36 < mRCUTEO> well in borneo there is one tradition here
05:36 < mRCUTEO> when they serve you human flesh you must consume it..
05:36 < mRCUTEO> otherwise you show unrespect to them ..
05:36 < krzee> ahh
05:36 < mRCUTEO> and they will cutthroat you..
05:37 < krzee> but what if the serve you chicken?
05:37 < mRCUTEO> well tell them i prefer KFC
05:37 < mRCUTEO> lol..
05:37 < mRCUTEO> and they will ask you buy them a barrel of roasted KFC
05:38 < mRCUTEO> ;lol..
05:38 < krzee> hahah
05:38 < mRCUTEO> nah.. things are different already around here.. :)
05:38 < mRCUTEO> mostly head hunters are working executive nowadays
05:38 < mRCUTEO> they cannibals and cuthroat stuff is now a legend in borneo :)
05:40 < mRCUTEO> only those who live deep in the trackless forest i think still do cannibals stuff
05:40 < mRCUTEO> i dunno, im a stranger in my own country really :P
05:52 < mRCUTEO> krzee: is your mother tongue is english ?
05:56 * mRCUTEO brb
05:56 -!- mRCUTEO [n=IRCLUNAT@118.101.177.69] has quit []
05:59 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
06:14 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Read error: 60 (Operation timed out)]
08:12 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
09:33 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:46 -!- ITguru [n=ITguru@5ac10611.bb.sky.com] has joined ##openvpn
10:47 < ITguru> what can cause a client to keep dropping its connection, and restarting every 5 seconds
10:47 < ecrist> a bad network connection, a firewall not keeping 'state' on udp sessions.
10:50 * ITguru goes to check if it's udp ....
10:50 < ITguru> ecrist, no, it's tcp
10:50 < ecrist> !tcp
10:50 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:52 < ITguru> ecrist, about 50% of my clients are behind proxies/firewalls that prevent udp connections
10:56 < ITguru> and it is still working fine for other clients
10:58 < ecrist> so, just one client is having a problem?
11:01 < ITguru> yes - mine!
11:02 < ecrist> how many clients?
11:02 < ITguru> i've tried on three different computers, one linux, one, mac, and one windows - the only thing they have in common is the wireless connection they use
11:03 < ITguru> and the connection keeps restarting one each platform
11:04 < ecrist> have you tried with the same computer on a different connection?
11:04 < ITguru> ecrist, no - i was just thinking that
11:04 < ecrist> I think you're running into the problem discussed in the link above.
11:06 < ITguru> i've used this connections for weeks, weird that it's just started
11:06 < ITguru> but I'll try to check from a different connection
11:31 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
11:32 < kim0> Hi .. I am an "openvpn client" to 2 different VPNs using openvpn same port 1194 .. it connects to one .. but the second says the port is busy !??!
11:32 < kim0> Why does a client need to open a server port
11:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:37 -!- ITguru [n=ITguru@5ac10611.bb.sky.com] has quit [Read error: 110 (Connection timed out)]
11:41 -!- itguru [n=ITguru@5ad4bfc4.bb.sky.com] has joined ##openvpn
11:42 < itguru> how can i get an openvpn client session to output stuff to a log file, so I can find the reason for the disconnections?
11:43 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
11:44 -!- itguru [n=ITguru@5ad4bfc4.bb.sky.com] has quit [Remote closed the connection]
11:44 < kim0> itguru: openvpn --config file.con
11:57 -!- kim0 [n=kimoz@unaffiliated/kim0] has left ##openvpn ["Konversation terminated!"]
12:32 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
14:00 -!- thefish [n=thefish@unaffiliated/thefish] has quit [Read error: 104 (Connection reset by peer)]
15:03 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
15:04 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit [Client Quit]
15:05 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
15:06 < heemboi> can anyone help with iptables?
15:06 < krzee> !iptables
15:06 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:07 < krzee> !linfw
15:07 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:07 < krzee> oh they are same, lol
15:08 -!- xattack [i=xattack@132.248.108.239] has quit []
15:11 < heemboi> I want only two ips on my internal network to access the vpn
15:12 < krzee> heemboi, the vpn is outside the LAN, right?
15:12 < heemboi> right
15:12 < krzee> theres an easier way
15:12 < krzee> just break routing
15:12 < krzee> connect a client from inside the LAN
15:12 < krzee> then do NOT add the route back to vpn to the router
15:12 < krzee> only to the other machine in the lan
15:12 < krzee> other than that, follow !route
15:12 < krzee> !route
15:12 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:13 < krzee> where we deviate from the plan there is the FINAL step: "adding routes outside of openvpn"
15:13 < heemboi> i don't want any clients configured to connect to the vpn
15:13 < krzee> you will choose not to add it to the default gateway, but to the individual machines, so the vpn cannot access any machine you did not give a route back to
15:13 < heemboi> im using a router as a client
15:13 < krzee> welp, have fun with iptables then
15:13 < krzee> heh
15:13 < krzee> bbl, getting food
15:13 < heemboi> lol
15:14 < heemboi> i know, i've read a fre docs
15:14 < heemboi> and my head is hurting
15:14 < heemboi> few*
15:15 < heemboi> im using this script
15:15 < heemboi> http://www.dd-wrt.com/wiki/index.php/VPNC
15:15 < vpnHelper> Title: VPNC - DD-WRT Wiki (at www.dd-wrt.com)
15:16 < heemboi> iptables -A FORWARD -o tun0 -j ACCEPT
15:16 < heemboi> iptables -A FORWARD -i tun0 -j ACCEPT
15:16 < heemboi> iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
15:16 < heemboi> is what i added
15:16 < heemboi> now all the clients can access the vpn
15:17 < heemboi> i only want two ips to access the vpn
15:17 < heemboi> i bet iptables can do it, i just cant figure it out :\
15:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:13 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
17:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
17:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
17:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
18:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:47 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
18:48 < mRCUTEO> hiya all
18:50 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
18:53 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
19:24 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Success]
19:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
19:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
20:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
20:35 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
20:36 -!- aia [n=aia@unaffiliated/aia] has quit [Client Quit]
20:37 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
20:42 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
20:43 * tjz swim in
20:52 < tjz> !help http proxy
20:52 < vpnHelper> tjz: Error: There is no command "http proxy".
20:52 < tjz> !help proxy
20:52 < vpnHelper> tjz: Error: There is no command "proxy".
20:52 < tjz> !proxy
20:52 < vpnHelper> tjz: Error: "proxy" is not a valid command.
20:52 < tjz> !http
20:52 < vpnHelper> tjz: Error: "http" is not a valid command.
20:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
20:57 < tjz> hmm
20:57 < tjz> i changed from udp to tcp for my openvpn
20:57 < tjz> trying to get http proxy to work
21:01 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
21:06 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
21:08 < tjz> to use http proxy, we will just change protocol from "udp" to "tcp" on both server & client
21:08 < tjz> anything else need to add?
21:09 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
21:14 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [Connection timed out]
21:20 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
21:21 < tjz> Hi rope~
21:22 < ropetin> Evenin'
21:25 < tjz> Have you tried using openvpn w/ http proxy?
21:26 < ropetin> No, in fact I've actively avoided it. Are you having problems?
21:26 < tjz> i haven't tried configuring one before
21:26 < tjz> i went to change protocol from udp to tcp
21:26 < tjz> that is what i changed
21:27 < tjz> why do you avoid it?
21:29 < ropetin> Extra steps cause extra problems I guess
21:30 < tjz> x_x
21:32 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out]
22:21 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
22:49 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
23:00 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)]
23:13 < tjz> hey jeff
--- Day changed Sat Jan 03 2009
00:03 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
02:28 -!- xs7 [n=xs7@84.255.141.67] has joined ##openvpn
02:29 < xs7> where to connect to use openvpn ?
02:38 < tjz> openvpn.net
02:38 < tjz> get an openvpn gui
02:54 < xs7> I have openvpn installed but donno where is it in the menus ?
03:12 < tjz> openvpn gui?
03:23 -!- xs7 [n=xs7@84.255.141.67] has quit [Read error: 110 (Connection timed out)]
04:39 -!- prxtien [n=pro@ppp121-45-145-36.lns11.adl6.internode.on.net] has joined ##openvpn
04:53 -!- prxtien [n=pro@ppp121-45-145-36.lns11.adl6.internode.on.net] has quit ["Leaving"]
05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:10 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: krzee, troy-
05:11 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
05:11 -!- Netsplit over, joins: troy-
05:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
05:45 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
05:52 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
06:17 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has quit ["Leaving."]
06:23 -!- xs7 [n=xs7@77.69.132.211] has joined ##openvpn
06:25 < xs7> vpn , how ? I need to create a vpn connection.
06:26 < xs7> Fedora 10, need vpn to a free server. openvpn installed but donno how to access it !!
06:51 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
07:12 -!- xs7 [n=xs7@77.69.132.211] has quit ["Leaving"]
09:06 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."]
09:47 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
10:53 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
11:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 54 (Connection reset by peer)]
11:34 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
11:35 < mRCUTEO> !menu
11:35 < vpnHelper> mRCUTEO: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
11:35 < mRCUTEO> :D
11:35 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Client Quit]
12:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
12:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:48 -!- desrt [i=desrt@ubuntu/member/desrt] has left ##openvpn []
14:14 -!- ikevin [n=kevin@ANancy-256-1-136-9.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
14:15 -!- ikevin [n=kevin@ANancy-256-1-41-4.w90-26.abo.wanadoo.fr] has joined ##openvpn
15:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:49 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:27 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
18:56 < reiffert> Moin
19:06 < krzie> moin
19:12 < reiffert> happy new year
19:15 < krzie> same to you
19:16 < reiffert> did hunting after presents for all of your girls work out?
19:16 < krzie> yup
19:16 < krzie> ogot them all my favc perfume/lotions
19:17 < krzie> got them all my fav perfume/lotions
19:17 < krzie> i figure theres a few benefits to that
19:17 < krzie> i cant forget who got what, and ill always smell the same no matter who im with
19:18 < reiffert> Alright, Lizzy's going to get Fanny's perfume, Fanny's deserving Pam's lotion, Pam's going to get ...
19:18 < krzie> haha
19:18 < reiffert> hehe
19:18 < krzie> they all got victorias secret love spell
19:18 < reiffert> Hopefully they all love it "O)
19:18 < reiffert> :)
19:18 < krzie> hehe yup
19:18 < krzie> they should after they see what ill do to them when they wear it
19:18 < krzie> i LOVE that shit
19:19 < reiffert> hehe
19:21 < reiffert> I'm trunk, going to get some illuminations
19:21 < krzie> huh?
19:21 < reiffert> trunk -> bed
19:21 < reiffert> bed -> dreaming -> illumination
19:21 < krzie> ahhh
19:21 < reiffert> bed -> wakeup -> world domination
19:22 < krzie> hahah
19:22 < krzie> pinky and the brain style?
19:22 < reiffert> nahhh, more the insane way ..
19:23 < reiffert> inventing a wheel that everybody needs, saving me one cent per habitant
19:25 < krzie> ive always wondered why people say they dont want to re-invent the wheel
19:25 < krzie> the wheel has been re-invented many times
19:25 < krzie> improved upon and whatnot
19:28 < reiffert> profit doesnt sound too well for reinventing the wheel, does it?
19:29 -!- cj [n=cjac@66.152.65.2] has joined ##openvpn
19:29 < cj> moo
19:29 < reiffert> bar
19:29 < reiffert> and goodnight
19:30 < cj> how do I tell openvpn to keep trying to establish connection when it fails?
19:30 < cj> (windows, if that matters)
19:31 < cj> when the system starts, the wireless interface isn't reliable. it eventually comes up, but by then, openvpn has given up
19:32 < krzie> !man
19:32 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:32 < krzie> 1sec
19:32 < krzie> its something with retry in it
19:33 < reiffert> Set n to "infinite" to retry indefinitely.
19:33 < cj> thanks. I'll look through tfm, then
19:33 < krzie> --connect-retry n
19:33 < krzie> For --proto tcp-client, take n as the number of seconds to wait between connection retries (default=5).
19:33 < krzie> hopefully you arent using tcp tho
19:33 < krzie> By default, --resolv-retry infinite is enabled. You can disable by setting n=0.
19:33 < cj> no :)
19:33 < krzie> hopefully you didnt override that either
19:34 < krzie> you prolly want
19:35 < krzie> --persist-tun, --persist-key
19:35 < krzie> but it looks like for udp it should be retrying forever unless you overrode it
19:35 < krzie> !configs
19:35 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:36 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
19:37 < krzie> nite reif
19:38 < cj> krzie: it retries resolving the hostname, not establishing the link
19:38 < cj> but with no default route, it seems to not work
19:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)]
19:39 < krzie> !configs
19:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:50 -!- gleblanc [n=chatzill@75.108.33.75] has joined ##openvpn
19:50 < gleblanc> Howdy folks
19:50 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
19:51 < gleblanc> I've got the following trying to generate keys on my OpenVPN server
19:51 < gleblanc> http://geeks.pastebin.com/d2ea2d112
19:53 < gleblanc> I'm not sure where it's getting /usr/local/ssl/openssl.conf
19:53 < gleblanc> Nor what path it is that it's not finding
19:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
19:53 < krzie> you edited and loaded vars.bat right?
19:54 < krzie> looks like you're using unix scripts in windows
19:55 < gleblanc> Yes, I have
19:55 < gleblanc> They're .bat files
19:55 < gleblanc> Here's the contents of build-key
19:56 < gleblanc> http://geeks.pastebin.com/d6cc620f6
19:56 < gleblanc> If I do a wee bit of editing, I can do the following, which still seems not right
19:57 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\Athens.key -out %KEY_DIR%\Athens.csr -config %KEY_CONFIG%
19:57 < gleblanc> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
19:57 < krzie> show me the contents of vars.bat
19:58 < gleblanc> http://geeks.pastebin.com/d7457fe92
19:58 < gleblanc> I changed some capitalization to make it easier to read
19:59 < krzie> type echo %KEY_CONFIG%
20:00 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>echo %KEY_CONFIG%
20:00 < gleblanc> openssl.cnf
20:01 < krzie> weird
20:01 < krzie> echo %HOME%
20:02 < gleblanc> ooh, that's fuxed
20:02 < krzie> then check echo %ProgramFiles%
20:02 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>echo %HOME%
20:02 < gleblanc> C:\Program Files\OpenVPN\easy-rsa
20:02 < gleblanc> I looked at it twice before, and just now caught it
20:02 < krzie> which is likely where your problem is
20:03 < krzie> so in vars.bat modify set HOME line
20:03 < gleblanc> Can I just hard-code it?
20:04 < krzie> yup
20:04 < krzie> with ""'s
20:04 < krzie> to handle the spaces
20:04 < krzie> so like
20:04 < krzie> %ProgramFiles%
20:04 < krzie> err
20:04 < krzie> set HOME=%ProgramFiles%\OpenVPN\easy-rsa
20:04 < krzie> should be
20:04 < gleblanc> Don't need to double-escape the \ or anything?
20:04 < krzie> set HOME="P:\Program Files (x86)\OpenVPN\easy-rsa"
20:05 < krzie> does vars.bat currently escape the \'s?
20:05 < krzie> theres your answer for that...
20:06 < gleblanc> That doesn't cut the mustard, apparently
20:06 < krzie> works for me...
20:06 < gleblanc> Well, I still get the warning about being unable to locate /usr/local/ssl/openssl.conf
20:06 < krzie> C:\Documents and Settings\Administrator>set HOME="P:\Program Files (x86)\OpenVPN
20:06 < krzie> \easy-rsa"
20:06 < krzie> C:\Documents and Settings\Administrator>echo %HOME%
20:06 < krzie> "P:\Program Files (x86)\OpenVPN\easy-rsa"
20:07 < krzie> you re-ran vars.bat, right?
20:08 < krzie> then checked that %HOME% looks right?
20:08 < gleblanc> yes
20:08 * gleblanc turns echo on
20:09 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
20:10 < gleblanc> Here's the command with echo on
20:10 < gleblanc> http://geeks.pastebin.com/d262fd81
20:11 < gleblanc> (sorry about the funky line-wraps, cmd.exe isn't very smart)
20:11 < krzie> ya
20:11 < krzie> just make KEY_CONFIG a full path
20:12 < gleblanc> I'd not mind, but it also says "unable to write 'random state'"
20:12 < krzie> its not reading your openssl.conf so everything after that is irrelevant for now
20:13 < gleblanc> ah
20:14 < gleblanc> http://geeks.pastebin.com/d3866d28e
20:14 < gleblanc> Still behaves the same
20:15 < krzie> paste me the contents of openssl.conf
20:20 < gleblanc> http://geeks.pastebin.com/d3cec0b04
20:21 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:28 < krzie> i dunno man
20:28 < krzie> you even caught me at a random lucky time im actually on a windows machine
20:29 < krzie> but i have no clue where its getting /usr/local/ssl/openssl.cnf from
20:29 < gleblanc> Hooray for Windows Smoking Crack!
20:30 < gleblanc> Thanks for your help, I'm sure I'll beat it in to submission eventually
20:30 < krzie> if you have a unix box handy you may have an easier time
20:30 < krzie> np
20:30 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
20:31 < gleblanc> I might give it a try on a 32-bit windows box
20:32 < gleblanc> The linux box handy is so old I'm scared to change anything
20:39 -!- RoFLKOPTr [n=nnscript@c-76-102-188-76.hsd1.ca.comcast.net] has joined ##openvpn
20:39 < RoFLKOPTr> Windows 7?
20:40 < RoFLKOPTr> it refuses to load the TAP driver due to "known incompatibilities"
20:40 < RoFLKOPTr> The only info I can find about the error says to get a driver that's compatible with my OS.
20:41 < RoFLKOPTr> anybody know of any registry hacks or anything that work in Vista that I could try in 7?
20:47 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
20:47 < mepholic> guys
20:47 < mepholic> how do you get openvpn to work on windows 7 pre-beta
20:47 < mepholic> help plz
20:47 < mepholic> >:3
20:55 < RoFLKOPTr> mepholic i already asked
20:55 < RoFLKOPTr> way 2 b late
20:56 < mepholic> o
20:56 < RoFLKOPTr> late
21:06 < krzie> ive never even heard of windows 7
21:06 < krzie> you should prolly take that one to the mail list
21:06 < krzie> !mail
21:06 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
21:07 < dvl> !crl
21:07 < vpnHelper> dvl: Error: "crl" is not a valid command.
21:07 < dvl> vpnHelper: what good are ya?
21:07 < vpnHelper> dvl: Error: "what" is not a valid command.
21:08 < dvl> !revoke
21:08 < RoFLKOPTr> lol
21:08 < vpnHelper> dvl: Error: "revoke" is not a valid command.
21:09 < dvl> slow too...
21:14 < ropetin> Windows 7? People are already expecting software to work with a pre-release OS?!
21:15 < ropetin> Try the Vista directions I guess
21:15 < ropetin> Evnin' by the way
21:18 < RoFLKOPTr> Well... it's not like I'm coming in here bitching about the fact that it's not working.
21:18 < ropetin> :D
21:19 < ropetin> Which is good
21:19 < ropetin> Are you running Windows 7 as your primary OS?
21:20 < RoFLKOPTr> I understand that this is a pre-release OS, but so far, anything that's worked for Vista (drivers or otherwise) has worked perfectly in 7... and I think the TAP drivers would, too, if it weren't for 7 being all "drr i refuse to load this driver due to known incompatibilities"
21:20 < RoFLKOPTr> yes, I am... I know it's not the best idea, lol, but 7 broke my Vista installation when I was trying to install it on my other hard drive
21:20 < ropetin> Ahh, so they explicitly deny you from using the driver now, rather than giving you the option?
21:21 < ropetin> Hehhe, ok
21:21 < RoFLKOPTr> only for the TAP driver
21:21 < RoFLKOPTr> for some reason
21:21 < ropetin> Mean MS!
21:21 < RoFLKOPTr> all other drivers gave me the option
21:21 < RoFLKOPTr> but this one refuses to load
21:21 < ropetin> That sucks
21:21 < RoFLKOPTr> yeah
21:21 * ropetin offers to loan RoFLKOPTr an Ubuntu CD...
21:21 < ropetin> ;)
21:22 < ropetin> I hear it works out of the box in Linux...
21:22 < RoFLKOPTr> >:[
21:22 < RoFLKOPTr> lol
21:22 < ropetin> But I say that as I type away on my Windows laptop
21:23 < ropetin> (although I am SSHd into my Linux server, so that makes up for it)
21:23 * RoFLKOPTr h8 linux for home use
21:23 < RoFLKOPTr> Wine and Cedega suck
21:23 < RoFLKOPTr> and I'm a gamer
21:23 < ropetin> RoFLKOPTr: I guess it depends what 'home use' is
21:23 < RoFLKOPTr> so, no Linux on my computer
21:23 < RoFLKOPTr> lol
21:23 < RoFLKOPTr> yeah
21:23 < ropetin> Yeah, if you like PC gaming, Windows is the way to go
21:23 < RoFLKOPTr> I guess
21:24 < ropetin> If Microsoft ever release Flight Simulator for Linux I'd never use Windows again
21:24 < RoFLKOPTr> lmao
21:24 < RoFLKOPTr> which is why they will never do that
21:24 < ropetin> I'm only slightly into the game, but some of the people I've spoken to online are obsessed with it
21:25 < ropetin> Way worse than WoW players
21:25 < ropetin> It's scary sometimes
21:25 < RoFLKOPTr> lol
21:25 < RoFLKOPTr> I enjoy flight sims... don't see how they could be as obsessing as MMOs though...
21:25 < ropetin> They spend $10,000 on insane spec PCs, 3 huge monitors, real flight controls, just so they can pretend to fly a plane
21:26 < RoFLKOPTr> I HAVE AN IDEA
21:26 < RoFLKOPTr> GO BUY A PLANE
21:26 < ropetin> :D
21:26 < RoFLKOPTr> for the amount of time and money they put into those huge rigs, they might as well
21:26 < ropetin> Well it would certainly buy a few lessons, thats for sure
21:26 < RoFLKOPTr> lol
21:28 < RoFLKOPTr> a private license usually costs about $30k after it's all said and done
21:28 < RoFLKOPTr> with all the hours of instruction and soloing
21:28 < RoFLKOPTr> and then money for tests and such
21:28 < ropetin> Not too bad then
21:29 < ropetin> Considering
21:29 < RoFLKOPTr> considering you can make a real career that pays a lot of money out of it
21:29 < RoFLKOPTr> lol
21:29 < ropetin> I'll get my check book
21:30 < ropetin> My understanding is most (all?) commercial pilots get their training in the military, it's the only way they can get enough flight hours in multi-engined jets
21:30 < RoFLKOPTr> though that $30k is for people who do it in 3 weeks and are flying for hours every day
21:31 < RoFLKOPTr> it costs an extra $10-20k if you only go for a few hours a week just because you don't get as much practice... ends up taking you longer to get a hold of it
21:31 < RoFLKOPTr> yeah, most commercial pilots came out of the military... free training on the best equipment in the world
21:31 < RoFLKOPTr> lol
21:32 < RoFLKOPTr> plus, if they've been flying military jets for a living for 10 years, that's all they know how to do anymore
21:35 < dvl> can the crl.pem file be empty? It seems not.
21:36 < ropetin> Nope, if you're using it, it needs something in it
21:37 < dvl> So you have to revoke something first. How odd.
21:48 < ecrist> dvl - yes and no
21:48 < krzee> just comment it out til you need something revoked
21:48 < krzee> kinda makes sense to me...
21:48 < ecrist> you can generate an empty file, but it has to be signed.
21:49 < ecrist> ssl-admin should be able to do it for you, otherwise let me find the command.
21:49 < krzee> ahh, that i didnt know =]
21:49 < dvl> ecrist: hold, not that important. I can get away without it until I need to do it.
21:51 < ecrist> openssl ca -gencrl -out crl.pem -config openssl_config
21:51 < ecrist> and, it *is* in the latest version of ssl-admin. ;)
21:51 * ecrist is out for the night.
21:52 < ecrist> going to write how-to for Mac OS X HFS+ disk quotas
21:53 < krzee> gnite ecrist
21:54 < tjz> nite ecrist
21:56 < dvl> trying
21:58 < dvl> can't find my openssl_config
22:01 < dvl> installing /usr/ports/security/ssl-admin
22:02 -!- apo [n=apo@pD9E7F2AC.dip.t-dialin.net] has joined ##openvpn
22:02 < apo> Hi \o
22:02 < apo> !route
22:02 < vpnHelper> apo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
22:11 * apo stares. I think I won't bother...
22:13 < krzee> vpns are advanced networking, you're expected to know some about networking and be willing to read docs to set one up
22:17 < apo> krzee: But I don't think I can tell my cheap router to change its routing tables ;)
22:18 < krzee> how many computers on the lan behind the cheap router?
22:19 < apo> 10 or so. But since I'm pretty much just playing around here, I'm too lazy to add the routes to every box.
22:19 < krzee> cool *shrug*
22:19 < apo> Indeed
22:19 < krzee> up to you
22:22 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
22:26 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
23:17 < ecrist> dvl - the openssl.cnf you used with easy-rsa
23:18 < mepholic> ok
23:18 < mepholic> this is bad
23:18 < mepholic> i've resorted to pen and paper to keep track of my vpn
23:19 < mepholic> anybody know of any good programs that you can easily make a map of a network with?
23:19 < ecrist> dia on linux/bsd
23:19 < ecrist> omnigraffle for mac
23:20 < mepholic> forgot about dia
23:20 < mepholic> :<
23:20 < mepholic> thanks
23:22 < ecrist> np
23:24 < mepholic> ahahhaha
23:24 < mepholic> this is perfect
23:24 < mepholic> thanks
23:30 < ecrist> np
23:32 < cj> srsly
--- Day changed Sun Jan 04 2009
00:06 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
00:25 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn
01:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:09 -!- RoFLKOPTr [n=nnscript@c-76-102-188-76.hsd1.ca.comcast.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
02:58 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
03:25 -!- apo [n=apo@pD9E7F2AC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
04:23 -!- mRCUTEO [n=info@124.82.101.32] has joined ##openvpn
04:24 -!- mRCUTEO [n=info@124.82.101.32] has quit [Client Quit]
04:25 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
04:28 -!- mRCUTEO [n=info@96.9.131.183] has quit [Client Quit]
04:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
05:43 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
05:45 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
05:48 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
07:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:10 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:51 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
09:31 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
09:42 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
09:42 < tjz> any reason why we should change from "tun" to "tap"?
09:43 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:44 < smerz> Can i throw a stupid question out there: Is a dual core 2ghz cpu with 2 gb ram sufficient to move 100mbps?
09:48 < reiffert> The stupid answer is: maybe.
09:49 < smerz> :D
09:50 < smerz> if anyone has plenty of users on their openvpn server and would like to share cpu/mem usage compared to network throughput i'd appreciate it
09:50 < reiffert> plenty?
09:51 < smerz> well
09:51 < smerz> make it 10 for a small sized server and 400 for a big one
09:52 < smerz> im really just looking for hardware spec that can handle 100mb/s
09:52 < reiffert> Sounds interesting, I hope someone on that channel runs such a setup
09:53 < reiffert> You can try the mailing list as well
09:54 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
09:55 < smerz> i dropped a message out there already. i got a small detail mixed up :-) but hopefully someone can help me out yeh
10:25 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:28 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
10:42 < gleblanc> Can anybody build-key using 2.1rc15 on Windows?
10:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:45 < gleblanc> I can't get it to run properly, on any machine I've tried so far
10:49 < smerz> hmm it works sweet on linux
10:54 -!- smerz [n=daniel@smerz.demon.nl] has quit ["good night folks"]
10:55 < gleblanc> It complains that it can't find /usr/local/ssl/openssl.cnf
10:56 < gleblanc> Actually, it does that on any build-* script
11:20 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
11:40 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
12:00 < gleblanc> How about this error?
12:01 < gleblanc> 4088:error:0200107B:system library:fopen:Unknown error:.\crypto\bio\bss_file.c:1
12:01 < gleblanc> 26:fopen('"c:\Program Files\OpenVPN\easy-rsa\openssl.cnf"','rb')
12:29 -!- gleblanc_ [n=chatzill@75.108.33.75] has joined ##openvpn
12:47 -!- gleblanc [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)]
13:23 -!- gleblanc_ [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)]
13:45 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit ["Caught sigterm, terminating..."]
13:50 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: mcp, cj, justdave, AndyML, disco-, hiptobecubic, pa, smk, Typone, Solver, (+14 more, use /NETSPLIT to show all of them)
13:52 -!- Netsplit over, joins: Determinist, roentgen, krzee, cj, ikevin, pa, troy-, smk, dvl, int (+14 more)
14:05 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection]
14:41 -!- Irssi: ##openvpn: Total of 39 nicks [0 ops, 0 halfops, 0 voices, 39 normal]
15:17 < mepholic> Is there a way I could do sort of like
15:17 < mepholic> eh
15:18 < mepholic> meshed routing with openvpn?
15:18 < mepholic> kind of complex
15:18 < mepholic> but so like
15:19 < mepholic> traffic in the vpn is peer to peer instead of going through the vpn server
15:19 < mepholic> so all the vpn server really does is sits there and kind of
15:19 < mepholic> holds everything together
15:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:34 -!- zigovr3 [n=zig@sju13-4-88-161-83-90.fbx.proxad.net] has quit ["Client exiting"]
15:40 < Tykling> you'll need a tunnel between the peers that should talk directly to each other, I have a fully meshed openvpn net but it requires everyone to have tunnels to everyone else, and so there are as many vpn servers as there are peers
16:05 -!- gleblanc [n=chatzill@75.108.33.75] has joined ##openvpn
16:09 -!- gleblanc_ [n=chatzill@75.108.33.75] has joined ##openvpn
16:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
16:27 -!- gleblanc [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)]
16:32 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Read error: 110 (Connection timed out)]
16:33 < mepholic> oh god lol
16:47 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 110 (Connection timed out)]
16:53 -!- hiptobecubic is now known as hiptobobcubic
16:55 -!- hiptobobcubic is now known as hiptobecubic
17:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:31 -!- gleblanc_ [n=chatzill@75.108.33.75] has quit [Read error: 104 (Connection reset by peer)]
18:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
19:10 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
19:13 < krzie> !tcp
19:13 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:33 < hiptobecubic> mepholic, why?
19:35 < mepholic> hiptobecubic, lets say 19:35 < mepholic> we have some users that are in michigan 19:35 < mepholic> and some users that are in brazil 19:35 < mepholic> and some users that are in germany 19:35 < krzie> i missed the orig question 19:35 < mepholic> the vpn server is in chicago 19:36 < mepholic> germany to chicago to brazil isnt very practical 19:36 < hiptobecubic> mepholic, ah. 19:36 < mepholic> or brazil to chicago and back to brazil 19:36 < krzie> the best thing for that i can think of is to have a server in each location, and link them together to make 1 seamless vpn 19:36 < mepholic> thats about 500ms 19:36 < hiptobecubic> krzee, ++ 19:36 < hiptobecubic> krzie, 19:37 < krzie> (im both) 19:37 < mepholic> krzie, i'm getting an EU server soon 19:37 < mepholic> the ping between the eu server and the chicago server is like 19:37 < mepholic> 80ms i think 19:37 < mepholic> so nice and fast 19:38 < krzie> wow, thats amazing pin for intercontinental 19:38 < krzie> ping 19:38 < mepholic> yeah 19:45 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 20:14 < mepholic> ok, one of my users just formatted his computer and lost his key 20:15 < mepholic> i should revoke that certificate, correct? 20:15 < mepholic> also, can i use the same common name again? 
20:16 < krzie> if it wasnt compromised you dont need to revoke 20:17 < krzie> and yes you can reuse the cn 20:18 -!- RoFLKOPTr [n=RoFLKOPT@c-76-102-188-76.hsd1.ca.comcast.net] has joined ##openvpn 20:18 < RoFLKOPTr> why hello thar 20:19 < RoFLKOPTr> just thought I'd let you guys know that the problems I was having with Windows 7 are due to my idiocy 20:19 < mepholic> lol'd 20:19 < RoFLKOPTr> I was trying to install the old (like, 1.x something) beta GUI from that third-party site 20:19 < mepholic> ok RoFLKOPTr we're good 20:19 < RoFLKOPTr> so it had V8 TAP drivers instead of V9 20:20 < mepholic> use the same cn 20:20 < RoFLKOPTr> k 20:21 < RoFLKOPTr> anyways, if anybody else comes in here asking about a "This version of OpenVPN does not work with Windows." error from the beta installer, tell them to run it as admin and in compatibility mode for Vista. 20:32 < krzie> ahh thx 20:33 < RoFLKOPTr> lol 20:55 -!- Inside [n=nowhere@unaffiliated/inside] has joined ##openvpn 20:55 -!- Inside [n=nowhere@unaffiliated/inside] has left ##openvpn [] 21:03 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn 21:05 < Jason404> if there is no Vista support Windows 7? 21:07 < RoFLKOPTr> o wait 21:07 < Jason404> no, Windows Server 2008 21:07 < RoFLKOPTr> 2008 server 21:07 < RoFLKOPTr> yeah 21:07 < RoFLKOPTr> k 21:08 < Jason404> i suppose if it works on Vista, it will work on 2008? 21:08 < Jason404> like drivers 21:08 < RoFLKOPTr> well, I'm using 2.1rc15 on Windows 7... just had to run the installer in compatibility mode for Vista 21:08 < RoFLKOPTr> so 21:08 < Jason404> same new TCP/IP stack etc 21:08 < RoFLKOPTr> theoretically, it should work on 2008 the same way 21:09 < Jason404> ah cool. thanks RoFLKOPTr 21:09 < Jason404> is that RC15 very stable? 21:09 < Jason404> any idea when final comes out? 21:09 < RoFLKOPTr> well... I've only been using it today, lol. 
Haven't really put it through anything rigorous 21:09 < RoFLKOPTr> but it's working so far 21:09 < Jason404> ok 21:09 < RoFLKOPTr> and nobody I know of has had any issues 21:11 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 21:26 < krzie> AW_BOT exit 21:26 < krzie> !exit 21:26 < vpnHelper> krzie: Error: "exit" is not a valid command. 21:35 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 21:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 21:39 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn 21:56 < krzie> !sample 21:56 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 21:56 < krzie> ok... 21:58 < onats> hello 21:58 < onats> happy new year 22:03 -!- RoFLKOPTr [n=RoFLKOPT@c-76-102-188-76.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 22:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 22:27 -!- lzhang [n=lzhang@rrcs-67-78-33-170.sw.biz.rr.com] has joined ##openvpn 22:27 < lzhang> hello 22:27 < lzhang> right now my vpn is connecting via 2 interfaces, I just need it to connect on tun0 22:28 < lzhang> I don't have much knowledge of networking, can someone give me a hint on how to disable vpn on one of the interfaces? 22:48 < lzhang> nvm I got it working thanks guys 22:48 -!- lzhang [n=lzhang@rrcs-67-78-33-170.sw.biz.rr.com] has left ##openvpn [] --- Day changed Mon Jan 05 2009 00:13 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 02:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 02:27 < reiffert> snow. tons of snow. 
02:50 < mepholic> Mon Jan 05 02:52:53 2009 us=234000 Cannot load certificate file xt0rt.crt: error:0906B06B:PEM routines:PEM_get_EVP_CIPHER_INFO:not proc type: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib 02:50 < mepholic> uh what 02:50 < mepholic> this is windows btw 02:52 < krzee> !configs 02:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:52 < mepholic> this same config has worked with 12 other clients 02:53 < krzee> check time/date on both machines 02:53 < mepholic> why ._. 02:55 < mepholic> -xt0rt- TIME Mon Jan 05 02:57:50 02:55 < mepholic> Mon Jan 5 02:55:01 CST 2009 02:55 < mepholic> him vs server time 02:55 < mepholic> its not like this is kerberos 02:55 < mepholic> :< 02:55 < krzee> time matters 02:55 < mepholic> how much? 02:55 < mepholic> also, wh 02:55 < mepholic> y 02:56 < krzee> im watching a movie 02:56 < krzee> google that 02:56 < krzee> !configs 02:56 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:56 < krzee> bbl, will check back to see the configs 03:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:15 -!- xs7 [n=xs7@84.255.188.196] has joined ##openvpn 03:20 < xs7> I installed openvpn, but donno if there is any GUI for it ? where ? 03:21 -!- krzee is now known as AW_BOT 03:24 -!- AW_BOT is now known as krzee 03:26 < reiffert> :) 03:29 < simplechat> xs7, there is 03:29 < xs7> simplechat: cannot find it in KDE 03:29 < krzee> xs7, what do you want from an openvpn gui? 
03:29 < simplechat> its probably not in kde 03:30 < xs7> let me explain, I need to get around my ISP who blocks some of the sites for political and religious reasons 03:30 < krzee> and how would a gui help that? 03:30 < xs7> so I need a vpn connection to somewhere where I can browse the web !! 03:31 < xs7> krzee: how would I activate the vpn and use it anyway ? 03:31 < krzee> well, if you wanted a single click solution... 03:32 < krzee> you could make a shell script which simply is a 1 liner that runs openvpn 03:32 < krzee> then make it a clickable script 03:32 < krzee> and put it on the desktop 03:32 < krzee> you click it, vpn starts, close the window, it closes 03:32 < krzee> since thats all a gui could do, it led me to ask exactly what you would want from a gui 03:32 < krzee> thats what i do in osx even tho there IS a gui available 03:32 < krzee> using the gui just never made sense to me 03:33 * krzee heads back to the movie 03:35 < xs7> krzee: I need a clickable solution as you said to make it easy for me 03:35 < krzee> welp, thats how 03:36 < xs7> krzee: how would I use vpn for certain activities ie accessing the web without making it active and directed to certain vpn server 03:36 < krzee> you lost me at: "without making it active and directed to certain vpn server" 03:37 < xs7> krzee: how can I start using vpn ? 03:37 < krzee> are you saying "how do i run openvpn?" 03:37 < xs7> krzee: yes 03:37 < krzee> wow 03:37 < krzee> read the docs 03:37 < krzee> !howto 03:38 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:38 < krzee> !sample 03:38 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 03:38 < krzee> !def1 03:38 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 03:38 < krzee> !nat 03:38 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 03:38 < krzee> thats everything you need to know 03:38 < krzee> if you do the reading 03:41 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 03:43 < reiffert> I'd start using the howto. 03:43 < krzee> i agree 03:43 < krzee> use the order i provided 03:43 < krzee> the order was no accident 03:46 < reiffert> .oO Howto looks too complicated, I use the next link 03:47 < krzee> lol 03:47 < krzee> reiffert, the people who say that might as well go do something else... vpns are advanced networking 03:48 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 03:48 < krzee> but ya, sadly thats so common 03:48 < kaii> nice topic, hehe :) 03:49 < reiffert> krzee: Windows got some nice one click solutions ... 03:49 < Jason404> would openvpn make connections like RDP any slower, compared to direct connection? 03:49 < krzee> yes 03:49 < krzee> but not from openvpn 03:49 < krzee> from the fact you're on the inet 03:49 < Jason404> ?? 
03:49 < krzee> vs direct connection 03:50 < Jason404> i meant direct as in without vpn, with RDP port forwarded 03:50 < kaii> shortly after a "TLS: soft reset" (which is re-keying, happening every hour per connection) i get the "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" 03:50 < Jason404> i did not mean direct as in LAN kreg 03:50 < Jason404> oops krzee 03:51 < reiffert> krzee: well actually the one click windows solution worked so well, it made me switch to openvpn :) 03:51 < krzee> well no, it wont be much different then 03:51 < Jason404> Hamachi? 03:51 < krzee> reiffert, lol 03:51 < Jason404> really, same speed?? 03:51 < Jason404> cool 03:51 < krzee> reiffert, i click a shell script, it runs in a window 03:51 < krzee> i close the window, closes the connection 03:51 < krzee> how much more 1 click does it get? 03:52 < krzee> i forget exactly how to make the clickable script in X, but in osX you just name the script .command 03:52 < krzee> like openvpn.comman 03:52 < krzee> d 03:52 < reiffert> krzee: it's the 3 million clicks before it starts running 03:53 < reiffert> krzee: not for me, but it looks as for the guy who was asking 03:54 < krzee> werd 03:54 < krzee> to me its just like.. 03:54 < krzee> a gui to start and stop a program 03:54 < krzee> bleh 03:54 < reiffert> same here, copy config from host a to b, adjust a line, done 03:54 < krzee> gui should be for stuff where you need options, no? 03:54 < krzee> like what would you even make that gui look like? 03:55 < krzee> design the look for that one, lol 03:55 < reiffert> krzee: look, I totally agree to your position. I run fvwm2 with no clickable icon on the screen. 03:55 < krzee> yup, my only box running X runs hackedbox 03:55 < krzee> the lightest X i could find 03:55 < krzee> with just 2 terminal windows and some stats 03:56 < reiffert> I stopped somewhere between comfortable and fast, twm has had chances .. years ago. 
03:57 < reiffert> Someone told me to have a look on Ion .. 03:57 < krzee> dunno what that is but if its cool tell me about it sometime 03:57 < krzee> im headed back to my movie 03:57 < krzee> bluerayrips for the win 04:00 < reiffert> some porn I guess :) 04:03 < reiffert> Ah, Fbsd 7.1 came out tonight .. so unixporn on blueray 04:04 < krzee> ooo 04:04 < krzee> ill hafta update the box after watching mission impossible 2 04:04 < krzee> (sorry, not porn) 04:04 < krzee> im only still here cause i had to get a link for someone 04:04 < krzee> http://best.online.docus.googlepages.com/ 04:04 < vpnHelper> Title: best.online.docus - Best Online Documentaries (at best.online.docus.googlepages.com) 04:04 < krzee> you may like it to 04:04 < krzee> too 04:05 < krzee> grabbed it for him for this: 04:05 < krzee> [06:05] technology - other - missing secrets of nikola tesla 04:06 < reiffert> Last one I saw was "bbc - planet earth" 04:06 < krzee> LOVE THAT 04:06 < krzee> i have that HDrip here 04:06 < krzee> RULES 04:06 < krzee> shit im still here 04:07 < reiffert> Ow, online! 04:07 * krzee puts down the laptop 04:08 < reiffert> good luck :) 04:18 -!- xs7 [n=xs7@84.255.188.196] has quit ["Leaving"] 04:31 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn 04:37 -!- stefanlsd [n=stefan@ubuntu/member/stefanlsd] has joined ##openvpn 04:38 < stefanlsd> Hi. Would anyone be able to point me in the right direction with openssl. I have followed the openvpn howto from the wiki. The certificates were valid for 365 days, and I would like to renew them. The command I have requires the CA's private key (.pem) - which I dont seem to have (although i must somewhere) - any ideas? 
04:53 < reiffert> The ca private key is named ca.key 04:54 < kaii> stefanlsd: there is no way to re-sign (re-new) your certificates without the CA's private key (ca.key) 04:54 < reiffert> When referring to the howto, did you mean 04:54 < reiffert> !howto 04:54 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:54 < reiffert> ? 04:54 < kaii> stefanlsd: only other option is to create a new CA and new keys/certificates for your clients (a complete new set) 04:55 < stefanlsd> reiffert: yeah. i was using that howto to gen the keys the first time. 04:55 < stefanlsd> reiffert, kaii - i do have the ca.key file... 04:55 < stefanlsd> im using this command to try to renew 04:56 < stefanlsd> openssl ca -extensions client_cert -cert ca.key -keyfile server.key -out server.crt -days 365 -infiles server.csr 04:56 < stefanlsd> i did gen a new csr 04:57 < kaii> you dont need -keyfile server.key if you already have a CSR 04:59 < stefanlsd> kaii: aah. k. thanks. seems to be working better now. if i can just remember the passphrase i'll be set 05:02 < reiffert> Try the empty password. 05:03 < stefanlsd> Enter pass phrase for ./demoCA/private/cakey.pem: 05:03 < stefanlsd> 3349:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters 05:03 < stefanlsd> is this asking for the right key? 05:03 < stefanlsd> this isnt my pem im guessing... (or does openssl just use this one by default)? 05:03 < reiffert> have a look into your openssl.cnf file 05:06 < stefanlsd> reiffert: yeah. openssl.cnf points there... isnt ca.key the private key it should be using? 05:07 < reiffert> I'd hand the openssl.cnf file to the openssl command. The openssl.cnf file that you were using when following the howto. 05:09 < stefanlsd> yeah. i think i just ran ./build-ca (i suspect it would have used /etc/openssl.cnf) 05:10 < stefanlsd> reiffert: ooh. 
that uses pkitool which uses the openssl.cnf in the easy-rsa dir 05:27 < stefanlsd> last one - :Expecting: TRUSTED CERTIFICATE. failing this, im just gonna redo it. hopefully with some more understanding what im doing 05:44 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit [Read error: 110 (Connection timed out)] 06:01 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 06:04 -!- mepholic [n=mepholic@209.17.190.90] has quit [Read error: 60 (Operation timed out)] 06:09 < krzee> !learn ask as http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help 06:09 < vpnHelper> krzee: Joo got it. 06:10 < reiffert> krzee: short night eh? :p 06:10 < krzee> haha 06:10 < krzee> just finished tonights movie 06:10 < krzee> gunna passout soon since its 8am 06:10 < krzee> hows the snow treatin ya? 06:11 < reiffert> http://www.taunus.info/de/neues/webcam/ 06:11 < vpnHelper> Title: www.taunus.info: Webcam (at www.taunus.info) 06:11 < reiffert> Press Zoom 06:11 < krzee> damn 06:11 < krzee> serious snow 06:11 < krzee> go out ans wave to the cam 06:12 < krzee> s/ans/and/ 06:13 < reiffert> That webcam's sitting on the highest mountain around ... love to ride my bike there in summer 06:14 < reiffert> still looking for a webcam next to me 06:15 < reiffert> http://biebrich.fuhs.de/rheincam.shtml 06:15 < vpnHelper> Title: Biebrich am Rhein - RheinCam Webcam - Foto-CD Reihe von Howard Fuhs (at biebrich.fuhs.de) 06:15 < reiffert> http://www.hr-online.de/website/fernsehen/sendungen/webcam_popup.jsp?number=3 06:16 < vpnHelper> Title: hr-online: Webcam (at www.hr-online.de) 06:32 < stefanlsd> i gave up btw. just redid the keys 06:32 < krzee> you use *nix stefanlsd ? 
06:32 < stefanlsd> krzee: yeah 06:32 < krzee> check out ssl-admin and you should be able to avoid that in the future 06:33 < krzee> !ssl-admin 06:33 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 06:33 < krzee> it may be in gentoo now too 06:33 < krzee> it was submitted awhile back to portage 06:34 < stefanlsd> krzee: mm. using ubuntu. dont see it in my repo. i can probably work on getting it into universe if u like... 06:34 < krzee> check it out from svn 06:35 < krzee> if it works good, that would be cool 06:35 < stefanlsd> yeah. option 6 is exactly what i wanted :) 06:35 < krzee> if it does not, let me know 06:35 < stefanlsd> krzee: kk. thanks. will check it out 06:35 < krzee> i did the porting of the install to linux, i did a crappy job (used a ./configure script instead of a proper Makefile) but it should work nicely 06:36 < krzee> right on =] 06:36 < krzee> oh and if im not here let ecrist know, hes the real author 06:37 < krzee> we both use freebsd but i like his tool so much i figured it would be cool to wrap up an install for the linux folks 06:37 < krzee> since theres more of you guys and all ;) 06:37 < reiffert> any webcam from your place around? 06:37 < krzee> reiffert, nah man im just glad theres actually internet here 06:37 < krzee> but its a sunny morning 06:37 < reiffert> stefanlsd: so some debian maintainer has to catch it first so it finally makes it into ubuntu, eh? :p 06:38 < reiffert> krzee: gimme a google maps of your place 06:38 < krzee> oh i didnt catch your spoof, you're a member of the ubuntu team 06:38 < krzee> coolness 06:38 < krzee> google hasnt mapped my area 06:38 < krzee> at all 06:38 < stefanlsd> reiffert: heh. 
we could get it into ubuntu first via revu.ubuntuwire.com 06:39 < stefanlsd> but actually yeah, preferred is it goes into debian first 06:39 < reiffert> krzee: just do it 06:39 < krzee> do what? map out the island for google? 06:40 < reiffert> yeah 06:40 < krzee> hah 06:40 < reiffert> So I can fetch a webcam for myself then 06:40 < krzee> if you have skype i can put my cam out the window for ya 06:40 < krzee> but ill hafta put on pants first 06:41 < krzee> bleh, after a reboot that is 06:41 < krzee> my macbook likes to pretend it doesnt have a webcam anymore 06:41 < reiffert> no skype around 06:42 < krzee> convince me sometime that isnt 9am and ill use my sony cam to vid outside for ya 06:42 < krzee> and avi it up 06:42 < reiffert> :) 06:42 < krzee> 9am + no sleep = not getting up for that 06:42 < reiffert> I guess any day will do for your weather, eh? 06:42 < krzee> basically 06:42 < krzee> this is tourist season 06:42 < krzee> middle of summer is known to have some hurricanes 06:43 < krzee> but from now til like late march is sweet 06:43 < reiffert> Ah, that sounds more like smth for me 06:43 < krzee> in feb im heading down to brazil / peru... it'll be the middle of summer there 06:43 < krzee> one day ill be a seasonal bum 06:43 < krzee> moving with the summer 06:44 < krzee> (maybe not bum, but yanno what i mean) 06:45 < reiffert> crazy man 06:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:51 < krzee> !random 06:51 < vpnHelper> krzee: "tcp": Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html; "tls-verify": seems to be broken in 2.1rc9 and working in 2.1rc8 https://bugzilla.redhat.com/show_bug.cgi?id=458600; "iporder": OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client- 06:51 < vpnHelper> krzee: connect script generated file for static IP (first choice). 
06:52 < krzee> heh random is going 2 at a time 06:52 < krzee> my bot takes after me ;] 06:52 < krzee> !ask 06:52 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help 06:55 < krzee> (stealing that factoid for a new bot i made for another channel) 06:56 < krzee> !search bsd 06:56 < vpnHelper> krzee: There were no matching configuration variables. 07:02 < krzee> !factoids search --regexp m/^bsd/ 07:02 < vpnHelper> krzee: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html 07:02 < krzee> hehe cool 07:12 < ecrist> good morning, folks 07:12 < krzee> mornin ecrist 07:12 < krzee> stefanlsd is checking out ssl-admin and if it loads up fine on his ubuntu hes gunna submit it to their package system 07:12 < ecrist> sweet 07:13 < krzee> yup 07:13 < krzee> seems had he been using it from the start he could have avoided the problem he ran into to (option 6) 07:19 < ecrist> what is option 6? 07:19 < krzee> he wanted to renew his certs which expired after his 365 days 07:20 < krzee> i think he may have been missing his ca.key or something 07:20 < krzee> i came in too late 07:20 < krzee> he decided to generate new certs by the time i came in, which is how he learned of ssl-admin 07:21 < ecrist> ah 07:21 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 07:21 < ecrist> renewing/resigning is not much different from creating new, anyways. simply the benefit of not needing to generate the CSR/key pair is all. 07:24 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 60 (Operation timed out)] 07:28 < stefanlsd> ecrist: after resigning (like renew) - do u still need to copy the keys to the client? 
07:28 < krzee> yes 07:28 < krzee> err no not the keys 07:29 < ecrist> not the keys, but the certificates, yes 07:29 < krzee> in fact the keys dont ever need to leave the client 07:29 < krzee> but the certs 07:29 < krzee> its entirely possible for a client to make a key / csr themselves 07:29 < stefanlsd> mm. k. wanted to avoid having to copy anything to clients. (laptops running around) 07:29 < krzee> then they send you the csr, you sign it and give them the cert 07:29 < ecrist> in reality, that should be done by the client, but it's not practical for a VPN setup 07:30 < stefanlsd> yeah. i got lots of non technical users 07:30 < ecrist> stefanlsd: use CRLs and give your keys a 3650 day expiry 07:30 < ecrist> that way, you're only renewing every 10 years. 07:30 < stefanlsd> so then i would just publish keys i want to revoke. 07:30 < ecrist> and you can still revoke old/bad/lost certificates. 07:31 < krzee> agreed 07:32 < krzee> early expiration is useful for temps or consultants (if you dont feel like adding them all to the CRL) 07:32 < stefanlsd> kk. thanks. will look into it 07:32 < krzee> but otherwise a nice long expiration date is useful 07:41 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 07:59 -!- geaaru [n=geaaru@host34-217-dynamic.1-79-r.retail.telecomitalia.it] has joined ##openvpn 08:00 < geaaru> how can i drop by client side push with default gw param when i connect to a vpn server? 08:00 < geaaru> thanks in advance 08:06 < ecrist> sure 08:06 < ecrist> your server needs to have proper support for it, though (NAT/routing) 08:08 < krzee> !def1 08:08 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 08:08 < krzee> !nat 08:08 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 08:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:25 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)] 08:30 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 08:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 08:37 < c64zottel> what could cause a running connection to abort suddenly? i can see how the connection gets established, making an ssh connection, and watch just: watch ls 08:38 < c64zottel> is it necessary for functioning to use time-synchronisation? 08:39 < c64zottel> the fw on the openvpn server doesn't respond to pings, may that be the problem? 08:39 * ecrist reads 08:40 < c64zottel> http://pastebin.com/m584afd10 08:40 < ecrist> so, you're able to connect, but the session is terminated at some point? 08:40 < c64zottel> this is the output with verb 3 08:40 < c64zottel> ecrist: jepp 08:41 < c64zottel> maybe, one minute later 08:41 < ecrist> tcp or upd? 08:41 < ecrist> udp 08:41 < c64zottel> udp 08:41 < c64zottel> http://pastebin.com/m775410e1 08:42 < c64zottel> the client config 08:42 < c64zottel> can it be caused by the router? 08:42 < c64zottel> i forwarded 1194 08:45 < ecrist> what's your keepalive on your server config? 08:45 < c64zottel> i guess the default 08:46 < ecrist> don't guess, please 08:46 < c64zottel> ok 08:46 < c64zottel> i try to find out 08:47 < c64zottel> be back in a min. 
08:49 < c64zottel> ok 08:49 < c64zottel> http://pastebin.com/m46dd44fa 08:49 < c64zottel> keepalive 10 60 08:50 < c64zottel> is that the problem? 08:51 < ecrist> try 10 120 08:51 < c64zottel> ok 08:54 < geaaru> i'm back... but --redirect-gateway is a flag for server side? 08:56 < ecrist> generally, yes 08:56 < geaaru> ah ok, because i want to leave the redirect-gateway flag on server side ... but from client i want to ignore the command. how can i do that? 08:57 < ecrist> I don't know of an ignoring command. 08:57 < geaaru> :'( however, thanks for reply 08:58 < ecrist> you could have an up script which deletes the 0.0.0.0/1 route 08:59 < geaaru> ah ok... 09:02 < geaaru> thank you very much 09:08 < ecrist> np 09:10 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)] 09:11 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 09:11 < c64zottel> changed nothing 09:11 < c64zottel> i tried also 600 1200 09:12 < c64zottel> and restarted via /etc/init.d/openvpn restart 09:12 < c64zottel> but, is it a normal icmp ping? because the server drops ping 09:30 -!- stefanlsd [n=stefan@ubuntu/member/stefanlsd] has quit ["Leaving"] 09:43 < geaaru> i tried to insert up command on my conf file but i have this error: 09:43 < geaaru> openvpn_execve: external program may not be called due to setting of --script-security level 09:43 < geaaru> Mon Jan 5 16:25:46 2009 script failed: external program fork failed 09:58 < dvl> geaaru: what's the output of ls -l of that script? 09:58 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["GG. X_X"] 09:59 < geaaru> maybe i have understood ... 
i need to add to the openvpn command line the param --script-security 2 09:59 < geaaru> (script is executable however :) ) 10:05 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 10:07 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 60 (Operation timed out)] 10:08 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn 10:17 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 60 (Operation timed out)] 10:18 < geaaru> and i also found that i must use the route-up command to rewrite routing rules because the up command is called before the routing command called by server vpn rules 10:18 < geaaru> thanks at all for support 10:22 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 10:22 < plaerzen> morning irc 10:27 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn 10:46 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 110 (Connection timed out)] 11:01 < ecrist> good morning plaerzen 11:07 < plaerzen> hey ecris 11:07 < plaerzen> ecrist, 11:07 < plaerzen> hi 11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:04 < plaerzen> ecrist, how was your christmas / new year ? 12:18 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:33 < ecrist> plaerzen: good. went to a nice little new years party - we played some rock band and drank a lot. 12:33 < ecrist> you? 12:34 < plaerzen> amazing, some old friends from school came down to visit and we didn't drink that much - but we did other things. 12:34 < plaerzen> partied, etc. 12:35 < plaerzen> Re-united with this girl I used to date (to the climbing gym.... we both rock climb) a while back and went for ethiopian this past weekend. 12:35 < plaerzen> (she actually works there) 12:35 < plaerzen> (the gym) 12:35 < plaerzen> overall, amazing 2 weeks. 
12:42 < ecrist> cool 12:56 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn 13:52 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 13:56 -!- acidchild [i=ash@208.92.235.204] has joined ##openvpn 13:56 < acidchild> root@dubstep:~# openvpn /etc/openvpn/openvpn.conf 13:56 < acidchild> File size limit exceeded 13:56 < acidchild> root@dubstep:~# 13:56 < acidchild> my OpenVPN just started doing this :-( 13:57 < acidchild> worked fine before the reboot, i raised the file limit using ulimit to 4096 from 1024. still no luck. 13:57 < acidchild> very little on Google :-( 13:58 < acidchild> OpenVPN 2.0.9 i486-slackware-linux [SSL] [LZO] [EPOLL] built on Jun 11 2007 14:03 < acidchild> I've worked it out, thank you, my log file was full :-) 14:03 < ecrist> was going to say - check your log file. 14:03 < ecrist> ;) 14:04 * acidchild sets up a log rotation. 14:04 < acidchild> open("/var/log/openvpn.log", O_WRONLY|O_CREAT|O_APPEND, 0600) = 4 14:04 < acidchild> open("/etc/localtime", O_RDONLY) = 3 14:04 < acidchild> --- SIGXFSZ (File size limit exceeded) @ 0 (0) --- 14:04 < acidchild> that gave it away :-P 14:09 < acidchild> ecrist: lol turning down the verbose level might help :P 14:09 < acidchild> root@dubstep:/etc/openvpn# cat /var/log/openvpn.log |wc -l 14:09 < acidchild> 48728 14:09 < acidchild> since i deleted it two minutes ago 14:17 < ecrist> a little? 
14:21 < acidchild> just a lil bit :-P 14:28 -!- mRCUTEO [n=info@124.82.101.3] has joined ##openvpn 14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:41 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 14:44 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn 14:45 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has quit [Connection timed out] 14:53 -!- mRCUTEO [n=info@124.82.101.3] has quit [] 14:53 -!- hiptobecubic [n=john@c-68-56-141-130.hsd1.fl.comcast.net] has joined ##openvpn 15:02 -!- acidchild [i=ash@208.92.235.204] has quit ["BRB"] 15:16 < Keizer> Anyone here use OpenVPN on OpenBSD? 15:17 < Keizer> crypto ipsec transform-set ipcom esp-3des esp-md5-hmac 15:32 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has joined ##openvpn 15:34 < Plecebo> I have openvpn server installed on my Windows Server box and I am able to connect via Terminal Services Client on my Ubuntu box. The trouble is that the connection only lasts for 30 seconds or so before it stops and I have to disconnect/reconnect. Any ideas where to start troubleshooting or what the problem might be? 15:38 < xattack> openvpn on openbsd here! 15:45 < Plecebo> would I be better off setting up openvpn on my ubuntu firewall then using remoting into the server for admin duties? 15:47 -!- xattack [i=xattack@132.248.108.239] has quit [] 16:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 16:32 < krzie> Anyone here use OpenVPN on OpenBSD? 16:32 < krzie> it shouldnt really be diff than openvpn on other os, whats the problem... 
17:07 * ecrist thinks someone's building an IPSEC tunnel on Cisco hardware 17:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:44 -!- geaaru [n=geaaru@host34-217-dynamic.1-79-r.retail.telecomitalia.it] has quit ["Leaving"] 18:11 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 18:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 18:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 18:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 19:21 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection] 20:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 20:36 -!- Solver [n=robert@CPE00a0c96b79ba-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit ["Lost terminal"] 21:17 < krzie> http://msdn.microsoft.com/en-us/library/ms972827.aspx 21:17 < krzie> look at the referenced directory in one of the dialog boxes 21:17 < krzie> lol 21:17 < vpnHelper> Title: Browsing the Web and Reading E-mail Safely as an Administrator (at msdn.microsoft.com) 21:31 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn 22:37 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has quit [Remote closed the connection] 22:54 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has joined ##openvpn 22:55 < Plecebo> when you are connected to a server do you need to use a special code to close the connection? 22:57 < krzee> no, you just close the openvpn process 22:57 < krzee> trust me, it will disconnect 22:57 < krzee> hehe 22:57 < Plecebo> LOL well that is good to know 22:58 < Plecebo> if I do that and attempt to re-connect it will not let me... 
any reason you can think of why 22:58 < krzee> persist-tun 22:58 < krzee> persist-key 22:58 < krzee> something like that maybe 22:58 < krzee> something like that maybe 22:58 < Plecebo> it tries to connect, and it doesn't give an error but it gets part of the way and just sits there 22:58 < krzee> !sample 22:58 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 22:58 < krzee> check those out 22:59 < reiffert> resolv.conf 22:59 < reiffert> and moin 23:00 < Plecebo> I do have the persist options present in my config, and server I think (cant actually connect at the moment) 23:00 < reiffert> Plecebo: change the remote host line into remote ip and try again 23:00 < krzee> omin reif 23:01 < Plecebo> reiffert: ok i'll give that a try 23:01 < reiffert> YAJ! -22 C 23:02 < reiffert> (-7.6 F) 23:05 < Plecebo> putting the IP in the config gives the same result :( Here is the output from my client http://pastebin.com/m40a627c8 23:07 < reiffert> increase verbosity to level 6 23:10 < Plecebo> here it is at verbosity 6 http://pastebin.com/m5682c3c1 23:12 < reiffert> beats me, never seen that 23:13 < Plecebo> LOL OK 23:13 < Plecebo> well thanks for trying :) 23:16 < krzee> show server log 23:20 < reiffert> ah, is it still alive? 23:20 < reiffert> I'm still sleeping ... 23:28 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn --- Day changed Tue Jan 06 2009 00:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 01:46 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 01:58 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 02:08 -!- gfather [n=user@94.249.23.94] has joined ##openvpn 02:08 < gfather> hello guys 02:19 < gfather> krzee , hay man , can you send me the ur pae about routing ? 
02:20 < gfather> can you send me your url about routing 02:29 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn 02:58 -!- gfather is now known as gfather[a] 03:47 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit ["Leaving"] 04:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 04:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 04:44 < krzee> gfather[a], just type !route 04:45 < krzee> (as seen in the topic) 04:45 < gfather[a]> !route 04:45 < vpnHelper> gfather[a]: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 04:45 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 04:45 < gfather[a]> thanks ;) 04:46 < krzee> np =] 04:47 -!- hiptobecubic [n=john@c-68-56-141-130.hsd1.fl.comcast.net] has quit [Read error: 110 (Connection timed out)] 04:52 < gfather[a]> krzee one thing i dont understand is the iroute 04:52 < gfather[a]> should i do iroute for every client ? 04:54 < gfather[a]> ah or only the client should tell whats the lan behind him with i route 04:54 < gfather[a]> right 05:34 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 05:40 < krzee> !iroute 05:40 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. 
Also see !route and !ccd 06:02 < gfather[a]> cools ., 06:02 < gfather[a]> ill do some testing and stuff :) 06:03 < gfather[a]> make sure i understand every thing , 06:03 < gfather[a]> and by the way , the pic is very good for explaining 06:04 < krzee> thx =] 06:05 < gfather[a]> :D 06:08 < gfather[a]> krzee how stuff gonna work with ipv6 and that nat is gonna be gone ? 06:09 < krzee> that wouldnt change anything other than no nat 06:09 < gfather[a]> lool 06:09 < gfather[a]> so is the latest build of openvpn compatible with ipv6 06:10 < krzee> no 06:10 < gfather[a]> i see 07:10 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 07:11 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit] 07:12 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 07:31 < ecrist> good morning, folks 07:37 < gfather[a]> hello ecrist 07:38 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn 07:40 < disposable> i've installed openvpn on a linux server and two windows clients. i can ping the server from each client, each client from the server but a client cannot ping the other one. i don't seem to have any errors in logs. what am i missing? 07:45 < disposable> this is how my server is configured http://pastebin.com/d1a1b8bb 07:58 < disposable> !route 07:58 < vpnHelper> disposable: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 07:58 < disposable> !menu 07:58 < vpnHelper> disposable: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 07:58 -!- Tykling [i=tykling@gibfest.dk] has quit [Read error: 110 (Connection timed out)] 08:04 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 08:16 < ecrist> disposable: do you have client-to-client enabled in your config? 
08:17 < disposable> ecrist: i was just about to try that :) from the !route hint 08:19 < disposable> and now it works :) 08:21 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn 08:21 < nardul> oi 08:22 < nardul> Does anyone know anything about openvpn-gui under windows? I'm trying to start it as a service, but i can't make it start the connections. 08:24 < tjz> it is an application used to connect to your vpn server 08:25 < disposable> nardul: i am testing it at the moment. 08:25 < nardul> disposable, Thanks. I can't seem to make it run. It's a virtual machine running some backup stuff. And i want it to run without logging in. 08:26 < disposable> control panel, admin tools, services, openvpn - rightclick and make it start automatically. that's what i did 08:27 < nardul> disposable, But the tunnel doesn't start. At least i can't make it. 08:27 < ecrist> nardul: do you have the config and certificates? 08:27 < disposable> it takes windows a minute or so to initialise the LANs if you don't log in. what does your log say? (use pastebin) 08:27 < nardul> Yers 08:27 -!- gfather[a] [n=user@94.249.23.94] has quit [Read error: 110 (Connection timed out)] 08:27 < nardul> yes* 08:28 < disposable> check the server's log as well to see if it's even trying to communicate 08:28 < nardul> disposable, Checking 08:31 < nardul> This is a windows server 2003, i don't know if that matters. 08:31 < nardul> Anyways i can't check right now, my boss wants it to work _right now_ 08:31 < nardul> So i'll just run manually until i have time to check 08:31 * nardul curses 08:32 < disposable> :) 08:32 < disposable> wow you have a benevolent boss... mine wants things to work yesterday 08:34 < nardul> I have about a 1000 things running at once. 08:34 < nardul> It's awesome (frowney face) 08:34 < nardul> It would be sooo much easier with ini scripts. 
08:34 < nardul> inint* 08:34 < nardul> init* 09:08 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn 09:08 < chairuou> !route 09:08 < vpnHelper> chairuou: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:09 < chairuou> !menu 09:09 < vpnHelper> chairuou: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 09:09 < chairuou> !menu * 09:09 < vpnHelper> chairuou: Error: "menu" is not a valid command. 09:09 < chairuou> !menu search * 09:09 < vpnHelper> chairuou: Error: "menu" is not a valid command. 09:14 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"] 09:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:41 < ropetin> !factoids search * 09:41 < vpnHelper> ropetin: More than 100 keys matched that query; please narrow your query. 09:41 < ropetin> try that chairuou 09:41 < chairuou> ropetin, thanks 09:42 < chairuou> !factoids search revoke client certificate 09:42 < vpnHelper> chairuou: No keys matched that query. 09:42 < chairuou> !factoids search revoke 09:42 < vpnHelper> chairuou: No keys matched that query. 
09:59 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 10:00 < mRCUTEO> hiya all 10:00 < mRCUTEO> hiya kreg 10:00 < mRCUTEO> kreg 10:00 < mRCUTEO> hiya krzee 10:00 < mRCUTEO> :P 10:03 -!- mRCUTEO [n=info@96.9.131.183] has quit [Client Quit] 10:06 < ecrist> chairuou: you need a CRL 10:06 < ecrist> that can be done with openssl, through easy-rsa or the more elite ssl-admin 10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit] 10:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 10:09 < chairuou> ecrist, can you explain more 10:13 < ecrist> you need to use openssl to generate a CRL with the revoked certificates 10:13 < ecrist> read the howto - I believe it's mentioned in there. 10:15 < chairuou> ah ok 10:15 < chairuou> got the point 10:16 < chairuou> thanks 10:30 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["I want to sleep."] 11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out] 11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:04 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has joined ##openvpn 12:05 < Max007> !route 12:05 < vpnHelper> Max007: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 12:05 < Max007> Hi can someone help me with this problem: http://ubuntuforums.org/showthread.php?p=6504733#post6504733 12:05 < vpnHelper> Title: [ubuntu] Problem with OpenVPN / Route - Ubuntu Forums (at ubuntuforums.org) 12:09 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit [Read error: 110 (Connection timed out)] 12:23 < Max007> no one ? :( 12:32 < dvl> Max007: yes. Exactly. We all hate Ubuntu. ;) 12:33 < dvl> sounds like firewall rules not letting in the ping or the reply, or both. That's my guess without looking at it closely. 
12:45 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 13:31 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 13:37 -!- rorx [n=rory@cypher.TrueStep.com] has joined ##openvpn 13:37 < rorx> is it possible for VPN clients to talk to each other when the server uses a multiclient tun setup? 13:38 < rorx> !menu 13:38 < vpnHelper> rorx: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 13:39 < rorx> !route 13:39 < vpnHelper> rorx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:42 < ecrist> rorx: yes 13:44 < rorx> ecrist: hmm, should it do it by default, or is that a question of additional routing? I noticed that the client was not routing the request for a fellow VPN client through the VPN interface, so I manually added a network route of the network which all the VPN clients use, and I can see the request getting to the server's tun0 interface, but no response.. so I think I either need to add more routes on the server or the VPN server config needs some chang 13:44 < rorx> es? 13:46 < rorx> for example, the server does not have a network route for the network that the VPN clients use, so maybe that's what I'm missing? I just see a host route to one of the addresses in the tun0 interface. 13:47 < rorx> so far I've only been using this VPN setup to allow VPN clients to reach a LAN that the VPN server is attached to, and that works fine. Even LAN nodes can reach any VPN client.. and now I have a reason to try and connect to another VPN client instead, and that's what's failing. 13:52 < ecrist> client-to-client 13:52 < ecrist> in your config 13:52 < ecrist> it's in the howto 13:52 < rorx> ecrist: ah, I see, so by default it doesn't allow this eh? 13:53 < rorx> thank you. 13:53 < rorx> indeed, that seems to be the case. 13:55 < ecrist> it's in the howto and man pages. 13:56 < rorx> sure is, I missed it earlier. 
14:00 -!- Determinist_ [n=lior@unaffiliated/determinist] has joined ##openvpn 14:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:11 -!- Determinist_ [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 14:28 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has quit ["leaving"] 14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:40 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:00 < Keizer> Does anyone know if there is a document on how to create a subnet to subnet vpn tunnel on OpenBSD 15:06 < ecrist> !route 15:06 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 15:07 < ecrist> Keizer: ^^^^ 15:09 < Keizer> I looked at that doc 15:09 < Keizer> I need the getting started doc 15:10 < Keizer> I looked at that page 15:10 < Keizer> I'm trying to find the one that tells me to setup the Key Infrastructure 15:11 < Keizer> And I don't have iroute on OpenBSD 15:14 < reiffert> !howto 15:14 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:15 < dvl> probably safe for most work places: http://www.cbsnews.com/video/watch/?id=4632991n 15:15 < vpnHelper> Title: A Meal To Die For Video - CBSNews.com (at www.cbsnews.com) 15:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 15:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 15:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:01 < ecrist> oh 16:01 < ecrist> !freebsd 16:01 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 16:10 < ecrist> I want that restaurant here. 16:10 < ecrist> Keizer: ^^^^ 16:13 < Keizer> !openbsd 16:13 < vpnHelper> Keizer: Error: "openbsd" is not a valid command. 
16:35 < ecrist> Keizer: read the freebsd page, it should apply to openbsd 16:40 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 16:41 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 16:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 17:09 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 17:12 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:21 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out] 17:46 < dvl> Anything on the website /etc about the rash of idiocy regarding MD5 collisions and certificates? 18:02 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)] 18:36 < krzie> idiocy? 18:40 < dvl> krzie : people over-reacting, wondering how to protect themselves, what to do, without really understanding the attack. 18:40 < krzie> ahh 18:40 < dvl> It's still pretty damn hard to achieve, if not impossible. 18:40 < krzie> nope nothing that i know of on the site 18:41 < krzie> thats true, even the people who did it with a huge cluster of game systems said it takes them like 6months 18:41 < dvl> Might help doubters understand the possible risks with OpenVPN. 18:41 < dvl> Using a private CA, I can't see any attack vector. 18:41 < krzie> and targeting a vpn would be insane cause you need to target the CA 18:42 < dvl> Easier to send in a burglar to steal the computer. 18:42 < krzie> lol, much easier 19:49 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 20:39 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn 20:39 * tjz swim in 22:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 
22:13 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN --- Day changed Wed Jan 07 2009 00:06 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 00:07 < muh2000> hi 00:07 < muh2000> :( @ "openvpn[5978]: ******* WARNING *******: '(null)' is a known vulnerable key. See 'man openvpn-vulnkey' for details." 00:07 < muh2000> but i checked the keys with openvpn-vulnkey and it said all fine. 02:02 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 02:33 < simplechat> hey 02:33 < simplechat> any bsd users around? 02:33 < simplechat> muh2000, i'd regen 02:33 < simplechat> to be saf 02:33 < simplechat> *safe 02:34 < muh2000> hmmm ok. :) 02:35 < reiffert> simplechat: plenty of bsd users here. 02:35 < simplechat> reiffert, any with any advice as to how to install openvpn on a bsd? 02:36 < simplechat> atm i have a natted bsd host and i'd like to join it onto an existing openvpn net 02:36 < reiffert> !howto 02:36 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:36 < simplechat> does it have one for the bsds? 02:36 < reiffert> yep. 02:36 < simplechat> also any advice you'd give for an openbsd user? 02:37 < reiffert> such as? 02:37 < simplechat> i don't know, tutorials that will fail 02:38 < simplechat> things to watch out for, common mistakes & that 02:38 < simplechat> things that might trip up a noob 02:38 < reiffert> You seem to refuse the help I was giving you, so what should I help you any further? 02:38 < simplechat> explain? 02:38 < simplechat> i'm reading through that tutorial now 02:39 < simplechat> i was just wondering if there was anything else i should look out for 02:50 < simplechat> reiffert, not to sound too much like a noob, but after installing openvpn 2.1 there is no /etc/openvpn directory. Shouldn't there be one? 03:10 < muh2000> open vpn doc is one of the better docs for oss. 
(for a basic working setup) 03:50 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn 04:49 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit ["Leaving"] 05:25 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: rorx, disco-, jabular, dogmeat, cj 05:26 -!- rorx [n=rory@cypher.TrueStep.com] has joined ##openvpn 05:26 -!- Netsplit over, joins: cj 05:26 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 05:26 -!- Netsplit over, joins: jabular, disco- 05:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 06:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:42 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn 06:42 < jrgp> is it possible to tunnel windows filesharing through openvpn? 07:16 < cpm> http://openssl.org/news/secadv_20090107.txt 07:27 < reiffert> jrgp: yes. 07:28 < simplechat> jrgp, yep 07:28 < simplechat> just make sure that you allow ports 139 through your vpn 07:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 07:30 -!- dazo [n=dazo@nat/redhat/x-ce30629ea8d73e82] has joined ##openvpn 07:31 < reiffert> simplechat is on BSD and wonders why there is no /etc/openvpn instead of /usr/local/etc/openvpn? sigh. 07:31 < reiffert> How fast did I learn, lemme estimate, within the first 30 seconds? 07:31 < ecrist> lol 07:33 < ecrist> msg chanserv help set 07:33 < ecrist> grr 07:33 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 07:34 -!- mode/##openvpn [+o ecrist] by ChanServ 07:35 -!- ecrist changed the topic of ##openvpn to: Potential server verification exploit. See http://openssl.org/news/secadv_20090107.txt for more information. || HowTo: http://openvpn.net/howto 07:35 -!- mode/##openvpn [-o ecrist] by ecrist 07:45 < dazo> anyone know if OpenVPN really is vulnerable to the latest OpenSSL CVE? 
07:46 < dazo> according to the recommendations from OpenSSL: "Projects and products using OpenSSL should audit any use of the routine EVP_VerifyFinal() to ensure that the return code is being correctly handled." 07:47 < dazo> I can't find any part in the OpenVPN code using this function at all ... well, there are 2 in debug/valgrind-supress ... but that's not relevant :) 08:09 < dazo> I've skimmed quickly through the code a little bit better now .... I see that SSL_CTX_set_verify is used, which calls a callback ... OpenVPN do not directly use EVP_VerifyFinal() 08:10 < dazo> From my point of view OpenVPN seems to be safe from this bug ... BUT! It might be that there are parts which is called internally in OpenSSL which is buggy, so OpenVPN might be indirectly hit ... but upgrading OpenSSL should solve this 08:12 < dazo> I also had a quick look in the OpenSSL code ... but it wasn't easy to catch when the verify_callback() function in OpenVPN would be called, as SSL_CTX_set_verify() just prepares the callback ... and might be called at any later point 08:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out] 08:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 09:11 < reiffert> ecrist: Would someone mind setting the channel -t so that all users can change the topic (until it gets exploited)? 09:13 < ecrist> I supposed. 09:13 < ecrist> suppose* 09:14 -!- mode/##openvpn [+o ecrist] by ChanServ 09:14 -!- mode/##openvpn [-t] by ecrist 09:14 -!- mode/##openvpn [-o ecrist] by ecrist 09:15 < ecrist> there ya go, reiffert 09:19 < kaii> i'm confused with the Ports system ... i have an openbsd 4.3 based appliance, which has python2.4 on disk. 09:21 < ecrist> ok... 09:22 < reiffert> Thanks 09:22 < reiffert> dazo: isn't the openssl cve about the md5 issue? 09:23 < reiffert> dazo: eeks, it is not. 09:23 < dazo> reiffert: nope :) I was thinking about the one announced today .... 
but not completely official 09:26 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["I want to sleep."] 09:26 < kaii> can somebody please tell me where the value of the variable "MODPY_VERSION" comes from when i build for example "py-mysql" from ports? 09:27 < kaii> it wants to build for 2.5, but i have 2.4 and really want to stick with that. 09:27 < ecrist> kaii, this isn't #openbsd 09:27 < kaii> oh darn. 09:27 < kaii> ^^ 09:27 < kaii> lol 09:27 < kaii> was just a window away 09:28 * ecrist cries. 09:28 < ecrist> I lost over 4GB of pr0n. :( 09:29 < dazo> reiffert: from what I could see OpenVPN should not be vulnerable .... the only thing which could be done is to make things even tighter is in ssl.c:654 - change if (!preverify_ok) to if (preverify_ok != 1) .... but the docs for SSL_CTX_set_verify says that only 0 or 1 is to be expected, so unless OpenSSL returns something wrong, this is not needed 09:34 < ecrist> reiffert: do you want me to lose the +r, too? 09:34 < ecrist> it's been discussed before 09:34 < reiffert> ecrist: +r is for registered users only, is it? 09:35 < reiffert> ecrist: what was the intentional event that was happening for setting the channel +r? 09:36 < ecrist> reiffert: nothing specific, when I built the chan, just threw it in to keep spam down 09:36 < ecrist> I'm not opposed to dropping it, though 09:40 < reiffert> so why ask me in the first place 09:40 < ecrist> well, you had an opinion on the +t... 09:46 < reiffert> on IRCnet we keep spam low setting the channel to be secret, +s 09:46 < reiffert> What's +c about? 09:47 < ecrist> prevents CTCP to the channel 09:48 < reiffert> Ah well .. then keep it like it is, until next time I ask :) 09:48 < reiffert> Why did we give up #openvpn btw? 09:49 < ecrist> spam and lack of mgmt - network ops wouldn't give me the channel, but they were willing to forward it for me, to here. 
09:49 < ecrist> that was back in August of last year, though 09:51 < ecrist> no ops and lots of channel flooding going on 10:01 < reiffert> Interesting, totally missed that. 10:01 < reiffert> that period of time 10:42 < ecrist> it was an experience. 10:43 < ecrist> if you wouldn't/couldn't help someone, they'd just flood the channel for an hour 10:47 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has joined ##openvpn 10:48 < Max007> Hi 10:48 < Max007> where can I find a good documentation on how to join 2 networks with openvpn ? 10:51 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn 10:51 < nardul> Evening 10:51 < nardul> I was here a few days ago about the openvpn service not starting tunnels on windows server 2003 10:51 < nardul> can anyone help me with that? 10:53 < dazo> Max007: are you familiar with OpenVPN at all? 10:54 * dazo just want to avoid giving some clues which is far too basic :) 10:56 < ecrist> Max007: the howto 10:56 < ecrist> or see the following 10:56 < ecrist> !route 10:56 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 11:01 < nardul> So no one knows about windows server 2003 and openvpn? 11:06 < ecrist> not I - we have a couple clients running windows XP, but that's all we use windows for 11:06 < ecrist> and even those are going away in the next 6 months 11:08 < nardul> Good lord i wish i could say the same. 11:08 < nardul> Apparently it works in windows xp, but not on server 2003 11:08 < ecrist> going all mac for our client work stations, all our servers (ALL) run FreeBSD 11:08 < nardul> Which i sort of need it to do 11:09 < nardul> We run a bit of everything. 11:09 < nardul> Some clients want windows though. 11:09 < nardul> And blackberry requires windows 11:09 < ecrist> ah, see our *clients* are staff - they use what we tell them to use. 11:10 < ecrist> we're telling them to use macs. :) Tunnelblick FTW 11:10 < ecrist> nardul: what do you mean, blackberry requires windows? 
11:10 < nardul> ecrist, blackberry enterprise server 11:11 < ecrist> I don't know what BES has to do with OpenVPN 11:12 < ecrist> nardul: I've no experience with OpenVPN running under Windows Server 2003, sorry. 11:12 < nardul> Nothing per se. But domino needing a connection to another domino does. 11:12 < ecrist> ah, see that's information I didn't have. 11:13 < ecrist> what problem are you running in to? 11:13 < nardul> I know :) 11:14 < ecrist> what problem are you running in to? 11:14 < ecrist> what problem are you running in to? 11:14 < nardul> My server runs BES and a Domino replicator. The BES is supposed to connect to the domino replicator, and the replicator copies mails over openvpn. I can make openvpn run, no problem, the only problem is, i have to log in to make it run. 11:15 < nardul> I can't make the openvpn service start the connections 11:17 < Max007> dazo: yes i am 11:17 < Max007> My vpn is up 11:18 < Max007> the client can ping the server 11:18 < dazo> Max007: which OS? 11:18 < Max007> but the server can't ping the client 11:18 < Max007> dazo: linux, ubuntu 11:18 < dazo> Max007: okey ... have you set up routing properly on both sides of the network? 11:18 < Max007> yes.. i guess 11:19 < Max007> look 11:19 < Max007> routing table for the client 11:19 < Max007> 192.168.0.0 10.10.10.5 255.255.255.128 UG 0 0 0 tun0 11:19 < Max007> 192.168.2.0 * 255.255.255.0 U 0 0 0 eth0 11:19 < Max007> for the server: 11:19 < Max007> 192.168.0.0 * 255.255.255.128 U 0 0 0 eth0 11:19 < Max007> 192.168.2.0 10.10.10.2 255.255.255.0 UG 0 0 0 tun0 11:19 < Max007> client's lan is 192.168.0.0/24 11:20 < ecrist> Max007: did you see the link I pointed you to? 11:20 < Max007> nop 11:20 < Max007> client's lan is 192.168.0.0/24 11:20 < Max007> ecrist: yes 11:21 < dazo> Max007: if you do: cat /proc/sys/net/ipv4/ip_forward .... do you get "1" as result? ... 
if yes, then it is only firewalling (iptables) to check in addition the link ecrist sent 11:21 < dazo> Max007: whats your VPN network addresses? 11:21 < Max007> server's lan is 192.168.0.0/255.255.255.128 11:21 < Max007> dazo: vpn network is 10.10.10.0/24 11:22 < Max007> there's no iptables rules 11:22 < Max007> # cat /proc/sys/net/ipv4/ip_forward 11:22 < Max007> 1 11:22 < dazo> Max007: I presume you use 192.168.2.0/24 for client and 192.168.0.0/24 for server 11:22 < Max007> 192.168.0.0/25 for the server 11:22 < dazo> actually, /25 I mean :-P 11:23 < Max007> # iptables -L 11:23 < Max007> Chain INPUT (policy ACCEPT) 11:23 < Max007> target prot opt source destination 11:23 < Max007> Chain FORWARD (policy ACCEPT) 11:23 < Max007> target prot opt source destination 11:23 < Max007> Chain OUTPUT (policy ACCEPT) 11:23 < Max007> target prot opt source destination 11:23 < Max007> # iptables -t nat -L 11:23 < Max007> Chain PREROUTING (policy ACCEPT) 11:23 < Max007> target prot opt source destination 11:23 < Max007> Chain POSTROUTING (policy ACCEPT) 11:23 < Max007> target prot opt source destination 11:23 < ecrist> Max007: stop 11:23 < Max007> Chain OUTPUT (policy ACCEPT) 11:23 < Max007> target prot opt source destination 11:23 < dazo> Max007: seems very good 11:23 < Max007> on both the client and the server 11:23 < ecrist> don't paste more than 5 lines in here, please 11:23 < ecrist> use pastebin.com 11:24 < Max007> ecrist: sorry :/ 11:24 < dazo> Max007: the server eth0 is 192.168.0.1? 11:24 < Max007> .125 11:24 < ecrist> nardul: do you get errors when trying to run as a service? 11:24 < dazo> Max007: okey ... if you ping that IP on the client, do you get any answer? 11:24 < Max007> yes 11:25 < nardul> ecrist, Logs say nothing at all 11:25 < dazo> Max007: and vice versa ... can you on the server ping the eth0 interface of the client? 11:25 < ecrist> and it just doesn't start up? 11:26 < ecrist> but you can start it manually? 
11:26 < Max007> dazo: nop I can't ping 192.168.2.19 from the server
11:26 < dazo> Max007: .19 is the eth0 of the client? ... okey, then you have some routing issues ... do you have tcpdump available?
11:26 < nardul> ecrist, It doesn't start, and yes, i can start it manually. I've got to go now. I got off 2.5 hours ago
11:27 < nardul> I'll be back tomorrow
11:27 < nardul> laters
11:27 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
11:27 < dazo> Max007: Run tcpdump -n -i tun0 on the server ... and then run ping on the server in another session
11:27 < Max007> dazo: yes 192.168.2.19 is eth0 on the client
11:28 < Max007> i ping the client from the server ?
11:28 < dazo> Max007: yes
11:28 < Max007> http://pastebin.com/m5c7185de
11:28 < dazo> Max007: another nice to know thing .... tun0 ip address of client is 10.10.10.2 ... and 10.10.10.5 on the server?
11:29 < Max007> tcpdump run on the server
11:29 < Max007> server:
11:29 < Max007> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.10.10.1 P-t-P:10.10.10.2 Mask:255.255.255.255
11:29 < Max007> client:
11:29 < Max007> inet addr:10.10.10.6 P-t-P:10.10.10.5 Mask:255.255.255.255
11:30 < dazo> Max007: as I thought .... okey ... traffic from the server hits the VPN tunnel, but never comes back ... so it gets stuck somewhere
11:31 < dazo> Max007: what confuses me though is that you seem to have two different p-t-p links .... and these two do not talk together,
11:31 < ecrist> pardon me for interrupting, Max007, are you having a problem getting two VPN clients to talk?
11:31 < dazo> Max007: I usually use tap devices instead of tun devices ... but the theory behind should be pretty much the same when it comes to TCP/IP routing
11:31 < Max007> ecrist: the client can talk to the server but the server can't talk to the client
11:32 < ecrist> that doesn't even make sense.
11:32 < ecrist> what's your test?
11:33 < Max007> ping, ssh connection
11:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:33 < Max007> client to server everything is ok
11:33 < dazo> Max007: ecrist: I believe it is a routing issue since he has two link layers here .... 10.10.10.1-10.10.10.2 on the server .... and :10.10.10.6-10.10.10.5 on the client
11:33 < ecrist> to the VPN client IP?
11:33 < Max007> lan ip
11:34 < ecrist> so, not the IP the vpn server gave the client?
11:34 < dazo> ecrist: does VPN server give IP on tun-connections? (not tap)
11:34 < ecrist> yes
11:35 < dazo> oki ... didn't know :)
11:35 < ecrist> Max007: pastebin.com your configs, please
11:35 < ecrist> both server and client
11:35 < dazo> Max007: what's your ifconfig lines in the config files you are using?
11:35 < dazo> (openvpn)
11:36 < Max007> dazo, ecrist: hold on
11:37 < dazo> Max007: do we stress you? :-P
11:37 < Max007> dazo: not at all :P
11:37 < Max007> I was on the phone
11:37 < dazo> Max007: :)
11:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:37 < rubydiamond> Hi people getting error
11:37 < rubydiamond> Error parsing PKCS#12
11:37 < rubydiamond> dont know why
11:38 < dazo> rubydiamond: do you have openssl command available?
11:38 < rubydiamond> what is that
11:38 < Max007> http://pastebin.com/m268ce9c5
11:38 < dazo> rubydiamond: which OS are you on?
11:38 < rubydiamond> dazo: MacOSX leopard
11:38 < rubydiamond> OpenSSL> exit
11:38 < rubydiamond> it is
11:38 < ecrist> rubydiamond: pastebin your logs, please
11:39 < rubydiamond> ok
11:39 < dazo> rubydiamond: try openssl pkcs12 -in ... if that fails, you most probably have a corrupt cert file
11:39 < ecrist> Max007: a couple notes on your config:
11:39 < ecrist> 1) your push of 192.68.0.0/25 is going to break remote LANs
11:40 < Max007> ecrist: why is that &?
11:40 < ecrist> 2) you generally don't need IPP and client-config-dir in the same config, but it won't hurt anything.
11:40 < rubydiamond> ecrist: http://pastie.org/private/t4mlfqyhjstmhudtqqvwa
11:41 < ecrist> Max007: because, for example, my LAN at home is 192.168.0.0/24 - if I were to connect to your VPN, I couldn't route to my LAN, which is going to drop my connection to the VPN.
11:41 < ecrist> vicious cycle
11:41 < dazo> rubydiamond: "Error: private key password verification failed" ... did you use the correct password?
11:42 < rubydiamond> dazo: yes.. looks like
11:42 < Max007> ecrist: remote lan and local lan are not the same
11:42 < Max007> ecrist: on the server's side it's 192.168.0.0/25 and on the client's side it's 192.168.2.0/24
11:42 < ecrist> so, you don't have users connecting to this VPN from home?
11:42 < dazo> ecrist: I don't follow you now .... for me this seems sensible
11:43 < rubydiamond> smk: what is the solution
11:43 < Max007> ecrist: it's not a roadwarrior vpn. I only want to join both networks together
11:43 < ecrist> ok, just be aware if that changes down the road.
11:44 < dazo> rubydiamond: what did you get when using the openssl pkcs12 -in ? ... did you get a certificate out ... or an error?
11:44 < ecrist> what is the LAN subnet for the remote (client) end?
11:44 < Max007> 192.168.2.0/24
11:44 < rubydiamond> dazo http://pasternak.superalloy.nl/pastes/1218
11:45 < dazo> rubydiamond: you need to get the correct password for your certificate file .... with the password you use now, you cannot decrypt the certificate inside the pkcs12 file
11:45 < ecrist> ok, so you need a couple things. You need an iroute in a client-config for the VPN client, for the 192.168.2.0/24 networks
11:45 < ecrist> s/s$//
11:46 < dazo> rubydiamond: and if not, then the file is corrupt and you need to get a new pkcs12 file
11:46 < ecrist> second, you need your lan machines on either end to be pointing the appropriate subnet to the respective OpenVPN system
11:46 < rubydiamond> dazo: okay trying
11:47 < Max007> ecrist: I'm not sure I understand
11:47 < dazo> Max007: is the OpenVPN server and client also the default gw for your computers?
11:47 < ecrist> Max007: see below:
11:47 < ecrist> !iroute
11:47 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
11:47 < Max007> dazo: yes
11:48 < ecrist> if you read !route, you'll get a better idea
11:48 < dazo> ecrist: since openvpn sits on the default gw .... isn't it enough that the computers in the network point at their local default gw?
11:48 < ecrist> yep
11:49 * dazo thought so as well
11:49 < ecrist> that's plenty - but that's not the case in all circumstances.
11:49 < ecrist> our network at my office, for example, has our OpenVPN server on a different host than the default gateways
11:49 < Max007> right now there's no computer on the LANs .. it's a test environment
11:49 < Max007> there's only the server and the client
11:49 < dazo> ecrist: yeah! and that makes sense
11:50 < ecrist> Max007: you need to setup the iroute on the server side in the client-config-dir, and all should be well, barring firewall problems.
11:50 * dazo catches -SIGWIFE ... need to go .... good luck Max007 ... I'm sure you'll solve it soon :)
11:51 * dazo might catch up later today
11:51 < Max007> dazo: bye, thanks for your help
11:51 < dazo> dazo: no prob :)
11:51 < Max007> !ccd
11:51 < vpnHelper> Max007: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
11:52 < Max007> !route
11:52 < vpnHelper> Max007: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:52 < ecrist> Max007: about half way down that page, you'll find the iroute bits
11:54 < Max007> # cat /etc/openvpn/ccd/testeux
11:54 < Max007> iroute 192.168.2.0 255.255.255.0
11:55 < Max007> like that &?
11:55 < ecrist> yep
11:55 < Max007> ok
11:55 < Max007> let's test it
11:56 < Max007> YES
11:56 < Max007> it works
11:56 < Max007> but I don't understand why
11:56 < Max007> lol
11:57 < ecrist> because the openvpn process intercepts routing for the kernel to the tap/tun device
11:57 < ecrist> without the iroute, openvpn isn't aware of how to route the subnet for your testeux client, so it drops the packets.
11:57 < rubydiamond> WARNING: file 'Anil.p12' is group or others accessible
11:57 < Max007> ok
11:58 < Max007> thanks a lot dude !
11:58 < rubydiamond> I see this for my certificate file
11:58 < ecrist> np
11:58 < Max007> i've been on this problem since before xmas
11:58 < ecrist> rubydiamond: fix your permissions.
11:58 < Max007> -=4~-^-^,<
11:58 < Max007> oops
11:58 < ecrist> Max007: you finally found the right place.
11:58 < rubydiamond> ecrist: dazo... what should be the permissions
11:58 < Max007> yep
11:58 < ecrist> rubydiamond: chmod 600 Anil.p12
11:58 < ecrist> erm
11:58 < ecrist> no
11:59 < ecrist> chmod 500 Anil.p12
11:59 < ecrist> nope, 600 was right
11:59 < ecrist> that's the same as chmod u=rw,go=
12:03 < rubydiamond> hmm
12:03 < rubydiamond> http://pastie.org/private/hbo0u2hc2xmtufe1sbfkg
12:05 < rubydiamond> ecrist: are file permissions correct now
12:05 < ecrist> yep
12:05 < rubydiamond> but now. its asking me username and password.
12:05 < rubydiamond> it was asking me passphrase still
12:05 < rubydiamond> till now
12:06 < ecrist> your Anil-TO-IPCop.ovpn file should be chown anildigital:staff
12:06 < Max007> gotta go
12:06 < Max007> thanks again ecrist
12:06 < ecrist> np
12:06 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has quit ["leaving"]
12:07 < rubydiamond> ecrist: it started asking me username and password
12:08 < rubydiamond> it was asking me passphrase before
12:08 < rubydiamond> how do I use command line for it
12:08 < rubydiamond> http://pasternak.superalloy.nl/pastes/1220
12:09 < ecrist> what are you trying to do?
12:10 < rubydiamond> ecrist: I want to connect to openvpn
12:10 < rubydiamond> I am using mac.. tunnelblick
12:10 < rubydiamond> I used to connect before using tiger.
12:11 < rubydiamond> now I am trying to setup my leopard with openvpn
12:12 < rubydiamond> ecrist: any idea.. why is it failing
12:16 < ecrist> ok, why are you running openssl command?
12:20 < rubydiamond> dazo: rubydiamond: try openssl pkcs12 -in ... if that fails, you most probably have a corrupt cert file
12:20 < rubydiamond> ecrist: I figured out ..
12:20 < rubydiamond> that I was entering wrong password
12:21 < rubydiamond> but my openvpn client is asking me for username and password
12:21 < rubydiamond> instead of passphrase
12:21 < rubydiamond> how do I connect using command line
12:22 < ecrist> sudo openvpn --config
12:26 < rubydiamond> dazo: and ecrist I can do openssl pkcs12 -in Anil.p12
12:26 < rubydiamond> with my password
12:26 < rubydiamond> but .. I am not able to validate with openvpn with my password
12:27 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:28 < rubydiamond> okay restarting my machine
12:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:35 < rubydiamond> $ sudo openvpn --config Anil-TO-IPCop.ovpn
12:35 < rubydiamond> Unrecognized option or missing parameter(s) in Anil-TO-IPCop.ovpn:3: client
12:36 < ecrist> did you post your client config?
12:37 < rubydiamond> hi
12:37 < rubydiamond> help
12:37 < ecrist> did you post your client config?
12:49 < rubydiamond> friends Unrecognized option or missing parameter(s) in Anil-TO-IPCop.ovpn:6: pkcs12
12:49 < rubydiamond> ecrist: okay
12:50 < rubydiamond> ecrist: https://gist.github.com/e814278a78e160b97c14
12:50 < vpnHelper> Title: gist: e814278a78e160b97c14 GitHub (at gist.github.com)
12:51 < rubydiamond> ecrist: what is wrong..
12:51 < ecrist> did you follow some howto to set this up?
12:51 < rubydiamond> the same file previously used to work correctly
12:52 < rubydiamond> ecrist: I just want to connect to my office vpn nw
12:53 < rubydiamond> I used to do that earlier
12:54 < ecrist> can you pastebin your entire log, please?
12:56 < ecrist> nm - i'm outta time. bbl
12:56 < rubydiamond> hmm okie
13:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:08 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
13:08 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has joined ##openvpn
13:18 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
13:21 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:21 < dvl> !ca
13:21 < vpnHelper> dvl: Error: "ca" is not a valid command.
13:23 < rubydiamond> the current --script-security setting may allow this configuration to call user-defined scripts
13:23 < rubydiamond> getting this error
13:24 < rubydiamond> vpnHelper: getting this error
13:24 < rubydiamond> https://gist.github.com/0d992e63377ab4e3ebe2
13:24 < vpnHelper> rubydiamond: Error: "getting" is not a valid command.
13:24 < vpnHelper> Title: gist: 0d992e63377ab4e3ebe2 GitHub (at gist.github.com)
13:24 < rubydiamond> dazo: you there?
13:24 < rubydiamond> https://gist.github.com/0d992e63377ab4e3ebe2
13:24 < vpnHelper> Title: gist: 0d992e63377ab4e3ebe2 GitHub (at gist.github.com)
13:29 -!- Keizer [n=keizer@216.45.246.60] has quit ["WeeChat 0.2.6"]
13:29 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn
13:38 < krzee> !mitm
13:38 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
13:39 < krzee> !servercert
13:39 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mtim
13:39 < krzee> lol @ my typo
13:39 < krzee> !forget servercert 2
13:39 < vpnHelper> krzee: Joo got it.
13:39 < krzee> !learn servercert as this will help with !mitm
13:39 < vpnHelper> krzee: Joo got it.
13:40 < krzee> what is Anil.p12 ?
13:45 < rubydiamond> krzee: where did you get it
13:45 < rubydiamond> its mine
13:45 < rubydiamond> krzee: hey
13:45 < rubydiamond> how do I check which comps are running in my nw
13:45 < rubydiamond> 192.168.104.*
13:46 < krzee> nw?
13:46 < krzee> i didnt say who owns the file Anil.p12
13:46 < krzee> i said what is it
13:46 < rubydiamond> krzee: its certificate
13:46 < rubydiamond> name
13:46 < krzee> i know whose it is
13:46 < rubydiamond> mine
13:47 < krzee> check its file permissions / location
14:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
14:17 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"]
14:18 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
14:22 * ecrist considers registering for an openvpn group/cloak
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 < Keizer> Can I do a 3des encr with md5 hash subnet to subnet vpn tunnel with OpenVPN?
15:01 < ecrist> that sounds like IPsec, so no
15:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:33 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
15:57 -!- cyberjames [n=james@unaffiliated/cyberjames] has quit [Remote closed the connection]
16:02 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:11 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:23 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:33 -!- AndyML is now known as AwayML
16:35 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)]
16:37 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:40 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)]
16:51 -!- AwayML is now known as AndyML
17:07 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
17:14 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:41 -!- DamZ [n=damz@drupal.org/user/22211/view] has joined ##openvpn
17:42 -!- DamZ [n=damz@drupal.org/user/22211/view] has left ##openvpn []
20:33 -!- rorx [n=rory@cypher.TrueStep.com] has quit ["Signing off.."]
21:15 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 104 (Connection reset by peer)]
21:49 -!- Irssi: ##openvpn: Total of 35 nicks [0 ops, 0 halfops, 0 voices, 35 normal]
21:49 < krzie> http://politicalticker.blogs.cnn.com/2009/01/07/porn-industry-seeks-federal-bailout/
21:49 < vpnHelper> Title: CNN Political Ticker: All politics, all the time Blog Archive - Porn industry seeks federal bailout - Blogs from CNN.com (at politicalticker.blogs.cnn.com)
21:51 < ecrist> way too funny
21:53 < ecrist> g'night
21:54 < krzie> nite
22:13 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has left ##openvpn ["Konversation terminated!"]
22:16 -!- tjz [n=tjz@bb116-15-64-133.singnet.com.sg] has joined ##openvpn
22:19 < tjz> Use of OpenSSL as an SSL/TLS client when connecting to a server whose
22:19 < tjz> certificate uses an RSA key is NOT affected.
22:19 < tjz> hmm...
22:20 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
23:00 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
23:23 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
--- Day changed Thu Jan 08 2009
00:57 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)]
01:05 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
01:38 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
01:38 < nardul> Morning
01:42 -!- Keizer [n=keizer@216.45.246.60] has quit ["WeeChat 0.2.6"]
01:45 < reiffert> moin
01:46 < krzee> moin
02:07 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:09 < nardul> Moin ??? Are you from germany or denmark?
02:11 < tjz> hey jeff
02:11 < tjz> hey everyone
02:11 < tjz> morning, everyone
02:13 < nardul> Morning
02:13 < nardul> Would anyone happen to know anything about the openvpn service on windows server 2003? In short, it doesn't start the tunnels, i have to log in to make them run.
02:26 < krzee> sure the service starts it as admin?
02:27 < krzee> (i have never used openvpn on windows as a service)
02:47 < tjz> Rockets from Lebanon strike Israel
02:47 < tjz> OMG!!
02:48 < tjz> http://edition.cnn.com/2009/WORLD/meast/01/08/israel.rockets/index.html
02:48 < vpnHelper> Title: 'Unknown group' in Lebanon launches rockets at Israel - CNN.com (at edition.cnn.com)
03:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:11 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
03:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
03:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."]
03:47 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
03:56 -!- dazo [n=dazo@nat/redhat/x-ce30629ea8d73e82] has quit ["Leaving"]
04:16 -!- ikevin [n=kevin@ANancy-256-1-41-4.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
04:16 -!- ikevin [n=kevin@ANancy-256-1-10-23.w90-13.abo.wanadoo.fr] has joined ##openvpn
04:20 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
04:45 -!- dazo [n=dazo@nat/redhat/x-1b4298a37737dcd7] has joined ##openvpn
04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:27 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."]
05:28 -!- stmaher [n=stephen@mateus.province5.tv] has joined ##openvpn
05:28 < stmaher> Hello everyone..
05:28 < stmaher> I have a linux server and client..
05:29 < stmaher> I have a ca.crt and ta.key generated on the server already.. Is it ok to copy them to the client and use those rather than regenerating them again?
05:29 < stmaher> many thanks
05:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:32 < stmaher> Hi roentgen
05:33 < roentgen> Hi
05:33 -!- trifler [i=trifler@farva.bsnet.se] has joined ##openvpn
05:34 < stmaher> roentgen I know you just arrived but was wondering if you could answer my question please
05:34 < stmaher> I have a linux server and client.. I have a ca.crt and ta.key generated on the server already.. Is it ok to copy them to the client and use those rather than regenerating them
05:34 < stmaher> again?
05:47 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
06:01 < dazo> stmaher: It would not make sense to regenerate ta.key ... that's a static key, and therefore needs to be identical in all places
06:02 < dazo> stmaher: when copying this key, you should make sure it is copied over a secure channel .... ie. encrypted transfer over the net (ftps, scp, sftp) or via a physical medium which you can observe (flash memory or similar)
06:02 < stmaher> thanks dazo!
06:02 < dazo> stmaher: the ca.crt is nothing secret, and can be globally available, even as a download from a web site if you want
06:03 < stmaher> cool thanks
06:03 < dazo> stmaher: just be sure not to share the ca.key anywhere ;-)
06:03 < dazo> stmaher: np!
06:08 -!- dazo [n=dazo@nat/redhat/x-1b4298a37737dcd7] has quit ["Leaving"]
06:08 -!- dazo [n=dazo@nat/redhat/x-9b92f7f7f5391fc8] has joined ##openvpn
06:34 < krzee> !factoids search
06:34 < vpnHelper> krzee: (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
06:34 < krzee> !factoids search --values [
06:34 < vpnHelper> krzee: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:34 < krzee> !factoids search --values "["
06:34 < vpnHelper> krzee: No keys matched that query.
06:34 < krzee> !factoids search --values "*[*"
06:35 < vpnHelper> krzee: No keys matched that query.
06:35 < krzee> !factoids search --values "
06:35 < vpnHelper> krzee: Error: No closing quotation
06:35 < krzee> !factoids search --values """
06:35 < vpnHelper> krzee: Error: No closing quotation
06:35 < krzee> !factoids search --values ""
06:35 < vpnHelper> krzee: More than 100 keys matched that query; please narrow your query.
06:36 < krzee> !factoids search --values "'"
06:36 < vpnHelper> krzee: 'bridge', 'ask', 'push-reset', 'tap', 'iporder', 'menu', 'chooseip', 'iroute', 'noenc', 'all', 'fbsdbridge', 'bridge-fw', 'configs', and 'pushdns'
06:36 < krzee> cat pushdns
06:36 < krzee> !pushdns
06:36 < vpnHelper> krzee: "pushdns" is (#1) push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
06:36 < ecrist> morning, folks
06:36 < krzee> mornin eric
06:38 < krzee> yanno what i love
06:39 < krzee> still being up in time for mcdonalds breakfast
06:40 < ecrist> lol
07:25 < tjz> lol
07:26 < tjz> do they have this mega mcmuffin over there?
07:27 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"]
07:33 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:02 < krzee> neg
08:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
08:18 -!- lilalinux is now known as lilaunix
08:35 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
08:46 < tjz> lol
09:42 -!- stmaher [n=stephen@mateus.province5.tv] has quit ["My damn controlling terminal disappeared!"]
09:57 -!- resc [n=tgs@galileo.psych.indiana.edu] has joined ##openvpn
09:58 < resc> hi, i was wondering if the windows version of OpenVPN uses OpenSSL (which has a new man in the middle attack)
10:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
10:01 < resc> ah, yeah, it does
10:03 < ecrist> resc, there was a user in here yesterday who looked into the code and said the exploitable function isn't used with openvpn
10:03 < resc> oh, nice
10:04 < resc> thank you
10:04 < ecrist> np
10:05 < dazo> ecrist: resc: I think I'm that guilty user :-P ... Another person also asked about it in the mailing list, so I responded with my point of view there as well
10:06 < resc> cool, i'll look that up
10:06 < dazo> resc: The CVE mentions explicitly EVP_VerifyFinal() ... which OpenVPN does not use at all
10:06 < resc> yeah
10:07 < dazo> resc: but of course, it uses some other techniques and uses some other OpenSSL library functions with callbacks to OpenVPN functions ... but I didn't manage to see any obvious things even here
10:08 < resc> sounds good
10:08 < resc> thanks for looking
10:09 < dazo> resc: np! :)
10:09 < ecrist> dazo, would you mind writing something up, somewhere, that I can link to?
10:09 < ecrist> if you need a place, secure-computing.net/wiki/
10:10 < dazo> ecrist: not at all, would be a pleasure ... I believe you mostly can copy-paste from the mail to the mailing list ... I'll find the link to it
10:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:11 < dazo> ecrist: https://sourceforge.net/mailarchive/message.php?msg_name=4965B51E.5080409%40topphemmelig.net
10:11 < vpnHelper> Title: SourceForge.net: OpenVPN: (at sourceforge.net)
10:12 < ecrist> tx
10:12 < dazo> ecrist: I see I was more brief than I thought I was ... I'll give you some more from the chat yesterday if you want/need it
10:13 < ecrist> I've got logs.
10:13 < ecrist> !irclogs
10:13 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
10:13 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:14 < dazo> ecrist: cool! :) no worries then! :) ... If you need more details, don't hesitate to ping me
10:14 < ecrist> sure
10:40 -!- resc [n=tgs@galileo.psych.indiana.edu] has quit ["Leaving"]
11:03 -!- tjz [n=tjz@bb116-15-64-133.singnet.com.sg] has quit ["I want to sleep."]
12:07 -!- lilaunix is now known as lilalinux
12:10 -!- ponyofdeath [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn
12:11 -!- cj [n=cjac@66.152.65.2] has quit [Read error: 110 (Connection timed out)]
12:14 < ponyofdeath> hi, im getting "http://pastebin.com/m275a4f2f" those errors after a tunnel times out and tries to reconnect?
12:38 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:01 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
13:02 -!- lilalinux is now known as lilaunix
13:16 < krzee> !learn foo as "bar \"baz [qux]\""
13:16 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:16 < krzee> !learn foo as "bar \"baz [qux]\""
13:16 < vpnHelper> krzee: Joo got it.
13:17 < krzee> !foo
13:17 < vpnHelper> krzee: "foo" is bar "baz [qux]"
13:17 < krzee> !forget foo
13:17 < vpnHelper> krzee: Joo got it.
13:18 < krzee> !forget pushdns *
13:18 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !learn pushdns as "push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client"
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !pushdns
13:19 < vpnHelper> krzee: "pushdns" is push "dhcp-option DNS a.b.c.d" (remove the 's) to push dns to the client
13:19 < krzee> hah!
13:19 < krzee> !forget pushdns *
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !learn pushdns as "push \"dhcp-option DNS a.b.c.d\" to push dns to the client"
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !pushdns
13:19 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
13:21 < krzee> !ssl-admin
13:21 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
13:24 < krzee> hrm
13:24 < krzee> no sed -i in NetBSD
13:34 < ecrist> ack
13:41 < krzee> [15:41] basically sed -i is everywhere but here
13:41 < krzee> [15:41] so i will file the PR
13:41 < krzee> [15:42] * ober has quit (Remote closed the connection)
13:41 < krzee> [15:42] i remember i once discovered the same
13:41 < krzee> [15:42] * ober (i=ober@mauthesis.com) has joined #netbsd
13:41 < krzee> [15:42] being told the same i'm telling krzee atm
13:41 < krzee> [15:42] :-)
13:41 < krzee> [15:43] what, to write it out to a temp file and delete it?
13:41 < krzee> [15:43] s/discovered/reported/
13:41 < krzee> [15:43] yes
13:41 < krzee> [15:43] * syamajala has quit ("Leaving...")
13:41 < krzee> [15:43] well, thats ugly and unacceptable as an answer
13:41 < krzee> [15:43] since the rest of the world got it right
13:42 < krzee> [15:44] hey, there's no sed in windows so rest of the world doesn't even have a clue
13:42 < krzee> [15:44] lol touche
13:42 < krzee> [15:44] i havnt used windows in a long time
13:42 < krzee> [15:44] Nodsu: good point!
13:42 < krzee> [15:45] should i look for ipconfig instead of ifconfig as well? ;]
13:42 < krzee> [15:45] yes
13:49 < krzee> bleh, i need to look into making the Makefile correctly
13:50 < krzee> that will undo the need for that bs
13:59 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 113 (No route to host)]
14:00 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
14:10 < krzee> cat Makefile | sed -ne 's+VARETC+/usr/local/etc+g;wMakefile'
14:10 < krzee> booya
14:17 < krzee> bleh except for SEDCMD
14:17 < krzee> i could hack around that in shell script too, but its losing its point
14:17 < krzee> easier to learn howto use a proper Makefile at this point
14:17 < krzee> or at least cleaner
14:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
15:05 -!- xattack [i=xattack@132.248.108.239] has quit []
15:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:09 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn
17:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:11 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
17:55 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
17:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["Changing server"]
17:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:01 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
18:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
18:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:07 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
18:24 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
18:37 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
18:53 -!- lilaunix is now known as lilalinux
19:22 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)]
19:23 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
19:26 -!- alami [i=alami@unaffiliated/alami] has joined ##openvpn
19:28 < alami> i have openbsd and i want to create vpn server (PPTP)
19:28 < alami> to allow windows user to connect to my openbsd box
19:29 < alami> and the other side to connect from open bsd to a windows vpn server
19:29 < alami> is that possible with openvpn?
19:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:39 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
19:49 < dvl> alami: a VPN server running PPTP?
19:50 < dvl> this help? http://openvpn.net/archive/openvpn-users/2007-10/msg00077.html
19:50 < vpnHelper> Title: Re: [Openvpn-users] OpenVPN over PPTP on Vista (at openvpn.net)
20:02 < alami> thanks
20:03 < alami> i will see if i can do it
20:03 < alami> because i don't know which one i will use :)
20:06 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 104 (Connection reset by peer)]
20:06 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
20:09 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn
20:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
20:34 * tjz swim in
22:09 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:14 < krzee> !forum
22:14 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
22:39 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
22:42 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
23:32 < krzee> !factoids search win
23:32 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
23:32 < krzee> !win_noadmin
23:32 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
23:33 < krzee> !learn ipv6 as http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker
23:33 < vpnHelper> krzee: Joo got it.
23:38 -!- rellik [n=rellik@adsl-75-12-152-129.dsl.stlsmo.sbcglobal.net] has joined ##openvpn
--- Day changed Fri Jan 09 2009
00:01 -!- rellik [n=rellik@adsl-75-12-152-129.dsl.stlsmo.sbcglobal.net] has quit [Remote closed the connection]
00:47 -!- mRCUTEO [n=info@58.26.212.3] has joined ##openvpn
00:53 -!- mRCUTEO [n=info@58.26.212.3] has quit []
01:05 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
01:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:56 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:05 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:11 < krzee> !configs
02:11 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:11 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: reiffert, mcp, kaii, Typone
02:11 -!- Netsplit over, joins: kaii, mcp, reiffert, Typone
02:13 -!- disposable [i=disposab@blackhole.sk] has quit [Remote closed the connection]
02:13 -!- jabular [n=jabular@82-32-104-27.cable.ubr02.hawk.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)]
02:19 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:42 < dazo> alami: I just saw your question regarding VPN server and PPTP
02:43 < dazo> alami: not sure if I understood you correctly, but it looked somehow like you want to setup a PPTP server for Windows clients, is that correct?
02:44 < dazo> alami: if that is correct, then you'll need another server than OpenVPN, unfortunately. PPTP uses a different protocol than OpenVPN
02:47 < dazo> alami: if you really want PPTP, you'll need to implement pptp-server, poptop or something like that .... I'm not a PPTP user at all, so I don't know much about it
02:48 < dazo> alami: but I would rather recommend you to implement OpenVPN on the client side too, the OpenVPN GUI for Windows is pretty good and easy for people who barely understand Word and Outlook
02:49 < dazo> alami: for the other way around ... you'll need to find a PPTP client for your BSD distro ... that's probably easier to set up :)
03:01 -!- lilalinux is now known as lilaunix
03:18 -!- kwek [n=kwek@155.Red-88-20-89.staticIP.rima-tde.net] has joined ##openvpn
03:41 -!- lilaunix is now known as lilalinux
03:42 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
03:50 < krzee> dazo, good advice
03:58 < dazo> krzee: well, of course, being in the openvpn channel, it was just my brief objective point of view :-P
03:58 < krzee> ;]
04:15 < tjz> bring alami to the pptp irc channel
04:15 < tjz> :P
04:17 < krzee> openvpn > pptp
04:17 < dazo> nahh ... dunno if I like that .... I'd prefer pptp > openvpn ;)
04:19 < krzee> i'd rather trust my encryption to openssl with hmac sigs than to a ms proprietary protocol
04:19 < krzee> which has been known to have security issues
04:20 < dazo> ahh ... well, I meant to convert people from pptp > openvpn .... not running openvpn inside a pptp tunnel ...
04:20 < krzee> nope, completely diff protocols
04:20 < dazo> I'd prefer pptp inside a openvpn tunnel, if I'd have to do it like that
04:20 < dazo> yeah
04:20 < krzee> pptp cant hook up to ipsec cant hook up to openvpn
04:21 < dazo> but if you establish a openvpn tunnel between two endpoints (net-to-net)... and then clients on each side establish a pptp tunnel, over the openvpn tunnel ...
04:22 < dazo> :s/over/through/
04:23 < dazo> but it basically does not give you much more security at all ... pptp is still full of MS errors and security weaknesses
04:23 < dazo> you only limit the chance for other people to snap up the pptp from the outside
04:23 < krzee> ?
04:23 < krzee> why setup a pptp tunnel over a openvpn tunnel?
04:24 < krzee> what goal would that achieve?
04:24 < dazo> just for fun? :-P
04:24 < krzee> *shrug* ok
04:25 < dazo> well, it might be some systems insists on sending data through pptp ... or that some management level persons in a bigger company insists on pptp between sites
04:25 < krzee> #1, like what
04:25 < krzee> #2, then your solution goes against that
04:27 < dazo> well, the management level can see that "Hey, we're using pptp" ... and you won't get kicked when somebody tries to crack public pptp traffic, as it is already secured ... sometimes, sys-admins have to do such dirty tricks to protect her/himself against wacky management
04:28 < dazo> but I'm not a windows guy .... I don't know much about which apps/systems really would insist on pptp ... but in the Windows world, you'll never know which traps you'll find
04:30 < krzee> openvpn works based on routing
04:30 < krzee> anything that works using tcpip works fine
04:30 < krzee> when using tap, anything that travels over ethernet works fine
04:31 < krzee> if you have management that doesnt care about security, thats another thing
04:31 < dazo> true ... but what if the software insists on a specific feature found in the pptp device?
04:31 < krzee> i wouldnt work in a place like that
04:31 < krzee> dazo, show me the software or it doesnt exist
04:32 < krzee> both are methods of tunneling IP traffic
04:34 < dazo> krzee: as I mentioned, I'm not a windows guy, neither a pptp user (even though I tested it once from Linux against a dd-wrt router, and switched to openvpn) ... I'm just in general a pessimist when it comes to expecting things from software developers, especially closed source software, as you never really know what kind of crazy expectations and assumptions they can make
04:34 < krzee> they send to an ip
04:34 < krzee> pptp or openvpn handles the dirty stuff behind the scenes
04:35 < krzee> that is the nature of a vpn, nothing to do with who codes what 3rd party software
04:35 < krzee> !
04:35 < krzee> !vpn
04:35 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
04:35 < dazo> yeah, if it is cleanly written software ... but badly written software might even want to talk directly through a specific interface, and not bind to a specific IP address
04:35 < krzee> *shrug*
04:36 < krzee> this conversation is pointless
04:36 < dazo> :)
04:36 < krzee> software doesnt point to a device to send traffic to
04:36 < krzee> the kernel does via routing table
04:36 < krzee> im gunna do something productive, bbl
04:36 < dazo> sure!
04:38 < dazo> but I'm thinking about a listening service ... that can be bound to a particular interface, independent of what the IP address is ... promisc mode of the interface, is one approach (which tcpdump uses btw)
04:38 < dazo> there are more ways to set up a connection and also a listening service with socket bind ... and someone might even go deeper in the stack, wanting to talk directly to the interface
04:40 < dazo> a far fetched example from this discussion, but one I know a little bit more about ... Infiniband interfaces are completely different than normal eth interfaces, and it even needs an additional tcp/ip stack to work with ip addresses ... and applications may access this hardware more directly to achieve higher throughput, but they need then to cover the OSI layers to make this work
04:42 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:42 < dazo> but if you configure a IB device with the tcp/ip stack, it works almost like a normal eth interface ... and some software use both tcp/ip and some direct hardware access to achieve a simpler implementation, but still have some of the powers of IB, like RDMA
04:51 < krzee> you have ventured far from anything using pptp or openvpn, and i have a feeling you need to learn more on the topic
04:58 < dazo> I think the main difference in our arguments is that you take it for granted that everything works through kernel API which then talks to the hardware interface, in a standardised way - true, this is the case for most used software ... but I take nothing for granted, there will always be an exception somewhere, somehow ... but it does not need to be a mainstream application
04:59 < dazo> but indeed, breaking with the standardised way of performing communication breaks interoperability immediately
05:03 < krzee> ok so stay with pptp in case you one day encounter that exception
05:04 < krzee> [07:02] but indeed, breaking with the standardised way of performing communication breaks interoperability immediately
05:04 < krzee> your argument is that there might be a program that breaks the standardised way of performing communication
05:04 < krzee> so you will use pptp instead of something better
05:05 < krzee> and i say, go for it
05:05 < krzee> doesnt matter to me what you use
05:05 < krzee> but that SURE doesnt make pptp > openvpn
05:05 < dazo> agreed!
05:06 < krzee> didnt this start from:
05:06 < krzee> [06:20] nahh ... dunno if I like that .... I'd prefer pptp > openvpn ;)
05:06 < dazo> the thing I see now, is that I misunderstood your '>' ... I thought you meant '>' as through ... not better than
05:06 < krzee> > is greater than
05:06 < krzee> < is less than
05:06 < krzee> ahh
05:07 < dazo> yeah, in this setting I completely agree with you ... openvpn is superior to pptp! that's no discussion! :)
05:08 < krzee> werd
05:16 < krzee> lol reiffert
05:16 < krzee> yes i should sleep
05:16 < krzee> but im migrating my mailserver to netbsd
05:16 < krzee> and its my first time using netbsd
05:16 < krzee> pretty nice os tho, and not very diff than freebsd
06:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:13 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
07:31 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has joined ##openvpn
07:31 < kungfupanda> Oh!
07:31 < kungfupanda> There is a channel for it!
07:31 < ecrist> ?
07:31 < kungfupanda> For OpenVPN.
07:32 < kungfupanda> My main question is this: If I make some company set up a box that I point my domain name to, will my server that receives all the traffic think that it's actually hosting clients directly?
07:32 < kungfupanda> As in: Will Apache etc. see many different IP addresses or just one (the proxy)?
07:38 < reiffert> Both are possible.
07:40 < kungfupanda> Ah.
07:40 < kungfupanda> Does it depend on my setup or their setup?
07:41 < kungfupanda> Please, for the love of God, tell me it depends on MY setup...
07:41 < kungfupanda> Because I want it to be 100% transparent. To trick my server into thinking that it's public.
07:41 * ecrist doesn't understand the question
07:42 < kungfupanda> I mean...
07:42 < kungfupanda> How can I put it any simpler? :S
07:42 < reiffert> It depends on routing on your client and on your server.
07:45 < kungfupanda> "my client"?
07:45 < kungfupanda> Does that mean the "proxy"?
07:45 < reiffert> "I have no idea about your setup"
07:45 < dazo> kungfupanda: do you want SSL encryption to your Apache server (https) ... or do you want a VPN (encrypted network tunnel) connection between two sites' networks?
07:45 < kungfupanda> Cloud -> SomeBox -> My server.
07:46 < kungfupanda> dazo: My Web site has both HTTP and HTTPS traffic. I want this to work transparently.
07:46 < kungfupanda> And I want encryption between the proxy and the server.
07:47 < dazo> kungfupanda: it's unclear for me, maybe the others as well, what you try to solve .... where is the proxy located?
07:49 < dazo> how to rephrase the question .....
07:49 < dazo> kungfupanda: Are you providing some services a customer wants, and you want that network traffic to be encrypted via a VPN network?
07:50 * dazo is doing things stupidly simply now, to see if I understand things better ...
07:52 < kungfupanda> Well...
07:52 < kungfupanda> I am trying to find somebody who can provide DDoS protection.
07:52 < kungfupanda> And NOT use a Web proxy due to many problems associated with those.
07:52 < kungfupanda> Unfortunately, these "real" tunnels seem to be much more expensive.
07:54 < reiffert> ?
07:54 < kungfupanda> What is unclear?
07:54 < dazo> your task you want to solve
07:54 < reiffert> Everything after "Well..."
07:55 < reiffert> brb, postal office
07:55 < dazo> Let's start really basic ...
07:55 < kungfupanda> Trying to keep a Web server from going down due to DDoS, by having a "proxy" that washes the traffic and tunnels back and forth only "good" packets.
07:56 < dazo> aha ... now it is a little bit clearer
07:56 < dazo> so you will have a proxy server, being public somewhere else, which you want to contact your own web server?
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:56 < kungfupanda> Yes.
07:56 < kungfupanda> Exactly.
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
07:57 < dazo> And this proxy server is remote, and you have your web server locally?
07:57 < kungfupanda> Yes.
07:57 < dazo> Now, things are clearer :)
07:57 < kungfupanda> Good! :)
07:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:57 < kungfupanda> Unfortunately, it costs a fortune from misc. companies.
07:58 < dazo> first of all ... the proxy server will need to have its own SSL certificates for providing https traffic to your encrypted traffic in the public
07:58 < kungfupanda> Why is that, if every bit of data goes through me?
07:58 < kungfupanda> Won't the people see their server as mine?
07:58 < dazo> You can simply divide this in to two parts ... you have the front/public part of the proxy ... and the backend of the proxy
07:59 < dazo> the frontend of the proxy will be the one receiving all http/https requests and answering them as a normal web server does
07:59 < kungfupanda> Well, of course.
07:59 < dazo> the backend of the proxy will act as a client towards your webserver
08:00 < dazo> which means that the proxy will break the end-to-end encryption between the browser and your web server
08:00 < kungfupanda> If it's a tunnel, it won't communicate with Apache... but with my server on some special tunnel port...
08:00 < dazo> aha, I thought you wanted to have a proxy server which browsers hit first
08:01 < kungfupanda> Nope.
08:01 < kungfupanda> 100% transparent.
08:01 < kungfupanda> A dumb A <-> B tunnel except they have some sort of firewall which drops (most) bad packets.
08:01 < dazo> okey, you just want a redirect from another IP address to your own network
08:01 < kungfupanda> So they never see the "secret" server (because then they would DDoS it directly).
08:01 < dazo> but this will not provide any better DDoS protection ...
08:02 < kungfupanda> It will if they do sort out the identified bad packets.
08:02 < kungfupanda> Which I cannot do technically because my pipe is too narrow.
08:02 < dazo> because if they then do a new host lookup and find the new IP address of your webserver, they will hit that one ... and you will just get the attack via the VPN instead, or not?
08:03 < kungfupanda> What are you talking about?
08:03 < kungfupanda> The domain name points to their IP address.
08:03 < kungfupanda> Not mine.
08:03 < kungfupanda> And that box communicates with my box via OpenVPN...
08:03 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
08:03 < kungfupanda> So nobody ever sees it.
08:04 < mRCUTEO> hey hey :D
08:04 < dazo> exactly ... and since you want it transparent, the traffic will go from that site from the public Internet and into the VPN and then hit your web server again
08:04 < kungfupanda> Not sure what your point is...
08:05 < dazo> Okay ... say that www.example.com is the hostname of your web server
08:06 < kungfupanda> It has no hostname...
08:06 < dazo> www.example.com has for example 1.1.1.1 as IP address today
08:06 < kungfupanda> Only an IP address.
08:06 < kungfupanda> Well, it has right now.
08:06 < kungfupanda> But it won't have.
08:06 < kungfupanda> And if it has a hostname, it will be non-public.
08:07 < dazo> how will people surf your web server then? Are you distributing an IP address to all those you want to see your contents?
08:07 < kungfupanda> WTF?!
08:07 < kungfupanda> The domain name points to the IP address by the person/company that hosts the proxy.
08:07 < kungfupanda> It washes the traffic.
08:07 < kungfupanda> Sends it back and forth between my server in a tunnel.
08:07 < kungfupanda> What is unclear about this set-up?
08:08 < dazo> because already here, you have a proxy server, which you said you didn't have ....
08:08 < kungfupanda> No... that's the imagined setup...
08:08 < kungfupanda> That I am talking about.
08:08 < kungfupanda> Right now, it's just a Web server directly. Which is down due to DDoS.
08:09 < dazo> Exactly ... let's start from this point, shall we?
08:09 < kungfupanda> Okay?
08:10 < dazo> and your webserver has a hostname (hostname + domainname ... whereas 'www' is a hostname + domain name, f.ex. 'example.com' => www.example.com) ... or am I wrong now?
08:10 < kungfupanda> No, you're not wrong.
08:10 < dazo> good
08:10 < kungfupanda> I just don't see the point of talking about this current, bad setup.
08:11 < dazo> Because I want to get things clear the whole way through ... I've lost you several times already ...
08:12 * dazo is thinking
08:13 < dazo> okey ... your hostname will point at your new proxy server ...
08:13 < kungfupanda> Yes...
08:14 < dazo> you will, correctly assumed, need to establish a VPN between the proxy and your web server .... but to make things work, the proxy needs then to route the traffic via the VPN tunnel
08:14 < kungfupanda> I don't see what else it would do.
08:14 < dazo> this routing will need to be done on the proxy server
08:14 < kungfupanda> Since it's a proxy.
08:15 < dazo> but the thing is ... where you put your openvpn server .... will you run that on your web server?
08:15 < dazo> (this will make things a little bit simpler, regarding to routing)
08:15 < kungfupanda> The same box runs the OpenVPN server, of course.
08:15 < kungfupanda> It's just one box.
08:16 < kungfupanda> Web server.
08:16 < dazo> very good!
08:16 < kungfupanda> Now with OpenVPN.
08:16 < dazo> yes
08:16 < dazo> perfect
08:16 < kungfupanda> I have never used a tunnel which is why I am asking. I have only used a Web proxy which had many problems.
08:16 < kungfupanda> Such as no encryption, no way to detect HTTPS, etc.
08:16 < dazo> so when openvpn is running on both sides, you will have a VPN IP address, the proxy server will need to use your VPN IP address of your server side, being the web server
08:17 < kungfupanda> I suppose so.
08:17 < dazo> but since you have a proxy server which does in fact do the filtering of DDoS and so on ... this proxy server will do the decryption, and the traffic will again be encrypted from the proxy and to your web server
08:18 < kungfupanda> Why would it do the decryption?
08:18 < kungfupanda> You mean it cannot tell what kind of traffic is SSL traffic?
08:18 < dazo> because the proxy server will answer your queries
08:18 < dazo> Well, I only have experience with mod_proxy in Apache, and this is how that one works
08:19 < kungfupanda> Urgh...
08:19 < dazo> but again, this can also add encryption on the public side (https) on traffic which is not encrypted on the back side (http)
08:19 < kungfupanda> That sounds like a Web proxy.
08:20 < dazo> yeah
08:20 < kungfupanda> Which is what I don't want...
08:22 < dazo> The "proxy" as you call it which you want to use ... I presume it's a company providing this ... is this a public service of this company?
08:23 < kungfupanda> I won't be able to afford it from a big company, so I am asking random people if they can do this for me.
08:23 < dazo> will you provide that box?
08:23 < kungfupanda> ... what?
08:24 < dazo> sorry ... that came out too quickly
08:25 < dazo> you will have a box somewhere which will be the entry point for the traffic .... where the DDoS protection will be .... or how do you imagine this to work?
08:25 < dazo> I'm only interested in knowing about the remote side now ...
08:25 < kungfupanda> Yes! That's the proxy!
08:25 -!- mRCUTEO [n=info@96.9.131.183] has quit []
08:26 < kungfupanda> Which will only be a dumb slave, except for its firewall capabilities.
08:26 < dazo> who will set up that box? who will provide it? you?
08:26 < kungfupanda> If I did it, why would I need to do this?
08:26 < kungfupanda> Somebody else will provide it.
08:26 < kungfupanda> Or a company, but I can't afford from them.
08:27 < dazo> which means you will need to do quite some configuration in firewall rules on that box to make things as transparent as you want
08:27 < kungfupanda> Eh...
08:27 < kungfupanda> Why?
08:28 < dazo> since you want a port forwarding and not a proxy ... this is in Linux (and most probably BSD as well, others may correct me if I'm wrong) done by the kernel .... in Linux iptables' NAT setup
08:29 < kungfupanda> I use FreeBSD.
08:29 < kungfupanda> I get worried when you say "port forwarding".
08:30 -!- lilalinux is now known as LilaMac
08:30 < dazo> so you will need to provide a config file for a openvpn client ... then tell them to redirect all traffic from your new public IP address to the VPN IP address of your openvpn server
08:30 < dazo> well, redirect is the wrong term
08:31 < dazo> you must ask for port forwarding, with NAT from the public IP address to your VPN server side IP on the ports you want to make publicly available from that IP address .... so far, I've understood you need port 80 and port 443
08:32 < dazo> the other solution, is to use a web proxy, which you do not want ... but then you will avoid playing with NAT and port forwarding
08:33 < ecrist> kungfupanda: what's wrong with port forwarding on FreeBSD?
08:34 < dazo> ecrist: he will not be in charge of the box which needs to do the port forwarding
08:34 < ecrist> lol
08:34 * ecrist wonders where people come up with these crazy network setups
08:34 < ecrist> and it dawns on me why some websites are so fragile
08:35 < dazo> yep
08:37 < kungfupanda> What?
08:39 < dazo> the more complex the setup is to reach a web server, the more fragile it is .... if one part of the chain fails, the web server is unavailable
08:39 < kungfupanda> This isn't complex...
08:39 < kungfupanda> Or shouldn't be...
08:40 < dazo> it is much more complex than to have a box inside a DMZ locally
08:40 < dazo> because here you have a remote site receiving traffic and sending it to your web server via a VPN tunnel ... that is considerably more complex
08:40 < kungfupanda> If I had the fat pipe and firewall, I wouldn't need this.
08:41 < dazo> but why not just setup a firewall in front of your web server? what kind of DDoS attack are you having issues with now?
08:42 < kungfupanda> BECAUSE MY PIPE IS VERY LIMITED AND I DO NOT HAVE A FIREWALL! GAAAAAAH!
08:42 < ecrist> RAAWWR!
08:42 < dazo> but why not just setup a firewall in front of your web server? ... you can set up this one!
08:42 < ecrist> LOUD NOISES
08:43 < dazo> lol
08:43 < kungfupanda> What the hell?
08:43 < dazo> I ask this question, being completely serious!
08:43 < ecrist> kungfupanda: unless you're running a warez site, or something similar, I don't know what sort of DDoS you're expecting.
08:46 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has left ##openvpn []
08:47 < dazo> heh
08:47 < dazo> touche?
08:47 < ecrist> lol
08:47 < dazo> or just too tough question?
08:47 < ecrist> /mode +b stupid_fuckers@*
08:47 < dazo> heh
08:47 * dazo wasted too much time on this nonsense
08:51 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
08:53 < dazo> hmmmm
08:54 * dazo notices kungfupanda's ID ....
08:55 < dazo> I know bredbandbolaget.se didn't provide less than 100Mbit when they did setups in Norway .... and his "PIPE IS VERY LIMITED" .... oh man! That gotta be a popular blog!
08:57 < ecrist> I've run a moderately used site for over 10 years with no DDoS problems.
08:58 < dazo> I've experienced one DDoS attack since I began working with such things back in 98
08:59 < dazo> and the service which got DDoSed was a payment site ... so that was pretty heavy ... but except for that, it's been smooth :)
08:59 < ecrist> heh, I was the first 768k/768k DSL customer in Minneapolis back in August of 1998 - it was *really* easy for me to DoS dial-up users.
09:00 < ecrist> that was back when a simple ping flood would work
09:00 < reiffert> glad I stopped reading after 3 lines.
09:00 < dazo> heh
09:01 < dazo> reiffert: you didn't lose much .... except for the last 10 lines of entertainment, perhaps :-P
09:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:35 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
09:49 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has joined ##openvpn
09:50 < kungfupanda> Does anyone in here run an ISP or work at one? I would really need somebody for remote DDoS protection through an OpenVPN tunnel for my Web server.
09:52 < ecrist> kungfupanda: are you seriously running into DDoS problems?
09:52 < ecrist> why not get a $5/mo hosted website from godaddy or something?
09:53 < kungfupanda> ...
09:53 < kungfupanda> Quiet, troll.
09:53 < ecrist> fuck off
09:53 < dvl> OpenVPN will not protect you from DDoS.
09:53 < dvl> kungfupanda: well, that's one way to get advice. piss people off.
09:54 -!- mode/##openvpn [+o ecrist] by ChanServ
09:54 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has left ##openvpn []
09:54 < dvl> thank you.
09:54 < dazo> dvl: he wants to have a box beside another network which can take the DDoS traffic ... and filter it ... so that he can sit and enjoy only the "proper" traffic ...
09:54 < dazo> :s/beside/behind/
09:54 -!- mode/##openvpn [+b *!*@*.cust.bredbandsbolaget.se] by ecrist
09:55 -!- mode/##openvpn [-o ecrist] by ecrist
09:55 * dazo makes a note ... don't make ecrist angry .....
09:55 < dvl> dazo: Yep, I understand that bit
09:55 < ecrist> nah, I'm a gentle teddy bear
09:55 < dazo> heh :)
09:56 < ecrist> just remember bears have big fangs. ;)
09:56 < dazo> dvl: well, probably a script kiddie which pissed some other people off .... and it's payback time
09:56 < ecrist> not as if this is the worst room to get a +b for. ~40 users
09:56 < ecrist> not like ##freebsd or #ubuntu
09:57 < dazo> hehe ... true enough :)
09:57 < ecrist> dazo: that's kind of what I was thinking.
09:57 < ecrist> our banlist is short, though
09:59 -!- alami [i=alami@unaffiliated/alami] has quit [Remote closed the connection]
10:19 -!- LilaMac is now known as lilalinux
10:21 -!- lilalinux is now known as LilaMac
11:06 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has joined ##openvpn
11:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:25 -!- dazo is now known as dazoafk
11:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:33 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
11:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
11:50 -!- kwek [n=kwek@155.Red-88-20-89.staticIP.rima-tde.net] has quit ["Ex-Chat"]
11:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:55 < rubydiamond> How to run openvpn daemon
11:55 < rubydiamond> specially on gentoo machine
11:58 < ecrist> rubydiamond: read the howto
11:58 < ecrist> for the 100th time
11:58 < dvl> !howto
11:58 < vpnHelper> dvl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:58 < dvl> rubydiamond: see above line
11:58 < rubydiamond> okie
11:58 < dvl> *pat* *pat*
11:58 < rubydiamond> but .. what is the command to run daemon..
11:58 < rubydiamond> I just wanted that urgently
11:59 < dvl> rubydiamond: No idea
11:59 < rubydiamond> is informing my boss at office
11:59 < dvl> rubydiamond: I'd have to read the howto....
11:59 < rubydiamond> I am at home
11:59 < dvl> rubydiamond: great. I'm at work.
11:59 * dvl waves
11:59 * rubydiamond needs to solve a production issue
12:00 < dvl> Great. Still can't help you. I've never used Gentoo.
12:00 < dvl> On FreeBSD, it's /usr/local/etc/rc.d/openvpn start
12:00 < dvl> or perhaps forcestart depending on how you have /etc/rc.conf configured.
12:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:08 < Keizer> Damn I wish ipsec had an irc channel
12:11 < rubydiamond> Hi people
12:11 < rubydiamond> getting this error
12:11 < rubydiamond> https://gist.github.com/6d021d4b50951babb534
12:11 < vpnHelper> Title: gist: 6d021d4b50951babb534 GitHub (at gist.github.com)
12:13 < rubydiamond> ecrist: do you know what is this error
12:15 < rubydiamond> ecrist: help
12:18 < rubydiamond> can anybody here tell
12:18 < rubydiamond> what is the error https://gist.github.com/6d021d4b50951babb534
12:18 < vpnHelper> Title: gist: 6d021d4b50951babb534 GitHub (at gist.github.com)
12:44 < dvl> I see no error.
12:44 < dvl> I see warnings.
12:45 < rubydiamond> dvl: ?
12:49 < rubydiamond> ecrist: ?
12:49 < rubydiamond> dazoafk: ?
12:50 < rubydiamond> is this channel living?
12:51 < rubydiamond> dvl: ?
12:57 < reiffert> rubydiamond: STOP THIS!
12:57 < rubydiamond> reiffert: i am asking questions for last some days
12:58 < reiffert> no, you are spamming.
12:58 < rubydiamond> this channel is not that much active
12:58 < reiffert> while asking questions try to read the answers.
13:03 < dvl> rubydiamond: there are no errors at that URL. There are warnings. Do you have a question?
13:03 < rubydiamond> dvl: but I am not able to connect..
13:03 < rubydiamond> it keeps in connecting status
13:05 < reiffert> !logs
13:05 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
13:05 < reiffert> !configs
13:05 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:20 < ecrist> ?
13:26 < reiffert> !
13:27 < ecrist> Keizer: I'd try to help you here, but I'm on my way out.
13:28 * ecrist is fairly OK at IPsec on cisco hardware
13:30 -!- LilaMac is now known as LilaLinux
13:41 < Keizer> Sauce
13:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:42 < reiffert> why didnt he give us more details?
13:53 < dvl> reiffert: he sounds newb, quite.
14:06 < krzee> he asked for help days ago
14:06 < krzee> never posted his configs
14:06 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
14:06 < krzee> or his server log
14:06 < krzee> *shrug*
14:10 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Client Quit]
14:11 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
14:14 -!- Determinist [n=lior@unaffiliated/determinist] has left ##openvpn ["Leaving..."]
14:15 -!- ponyofdeath [n=vladi@206-169-1-36.static.twtelecom.net] has quit ["Lost terminal"]
14:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:32 -!- dazo [n=David@r10ln174.net.upc.cz] has joined ##openvpn
14:52 -!- dazo [n=David@r10ln174.net.upc.cz] has quit [Read error: 60 (Operation timed out)]
14:53 -!- dazo [n=David@r10ln174.net.upc.cz] has joined ##openvpn
16:31 < dazo> Does anyone here know how it is with the Posix compliance in openbsd? ... I'm especially interested in Posix Message Queue and Posix Semaphores ...
16:31 -!- chris_hat_irc [n=chris@v1465.vanager.de] has joined ##openvpn
16:34 < chris_hat_irc> hi all. I am trying to use ekiga (sip client for gnome) through my own vpn. When I start the client, I can connect but can not telephone. I get the following error and they recommend that I do port forwarding (http://wiki.ekiga.org/index.php/Enable_port_forwarding_manually). My question is, whether the problem was caused by the vpn and how I can forward these ports? iptables?
16:34 < vpnHelper> Title: Enable port forwarding manually - Ekiga (at wiki.ekiga.org)
16:35 < chris_hat_irc> I configured my vpn like recommended in the official openvpn wiki: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways using TCP
16:36 < vpnHelper> Title: Konfiguration eines Internetgateways - OpenVPN Wiki (at wiki.openvpn.eu)
16:36 * dazo notices he was on the wrong open* channel .....
16:37 < chris_hat_irc> ah sry, not the official openvpn wiki, but here you find my configuration
16:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:21 -!- chris_hat_irc [n=chris@v1465.vanager.de] has quit [Read error: 113 (No route to host)]
17:57 -!- zzattack [i=zzattack@v217153.vpn.tue.nl] has joined ##openvpn
18:11 < zzattack> i'm trying to find out if it's really necessary to change my entire network to use a different ip range, both locations i plan on working from work on a 192.168.1.0/24 range, will this definitely result in problems?
18:17 -!- zzattack [i=zzattack@v217153.vpn.tue.nl] has quit [Nick collision from services.]
18:17 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn
18:17 -!- dazo [n=David@r10ln174.net.upc.cz] has quit ["Leaving"]
18:35 < krzee> zzattack, yes and no
18:35 < krzee> theres another way, but its NOT the right way
18:36 < krzee> its setting up an ugly NAT
18:37 < krzee> just change the netblock
18:43 -!- LilaLinux is now known as lilalinux
18:43 < zzattack> can you tell me more about this ugly way?
18:44 < zzattack> it's quite a hassle changing the netblock
18:56 -!- worch [n=worch@battletoad.com] has joined ##openvpn
19:09 < dvl> zzattack: how many hosts in each location?
19:10 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
19:10 < zzattack> about 15
19:10 < worch> I want to connect a couple LANs together with openvpn such that from any lan I'm able to access any other device via its hostname. How should I go about this? Can this be done without using ethernet bridging? The only way I see how to do this is to bridge everything to create a single ethernet, and then have a single DHCP and DNS server. Is it possible to do this with routing?
19:12 < worch> If the vpn uses routing, can the hostnames to ip mappings be pushed to other lans somehow?
19:12 < worch> to the lans' dns servers, that is
19:16 < dvl> zzattack: do the ip addresses collide?
19:16 < dvl> distinct?
19:18 < Tykling> worch if you decide on an internal dns structure like host1.site1.mylan.local etc. then you make a fully routed vpn and setup dns servers on each lan to slave the others' zones
19:19 < dvl> Tykling: that sounds relatively simple.
19:19 < Tykling> it is
19:19 < dvl> I mean, even *I* understood it.
19:21 < Tykling> I am using it with five mates to setup a vpn between all of us, works like a charm
19:22 -!- ropetin_ is now known as ropetin
19:23 < dvl> Tykling: so everyone trusts everyone I take it?
19:23 < Tykling> yes, all personal friends :)
19:24 < Tykling> a few of us with fat links at home so we can stream movies from each other and so on, very cool
19:24 < dvl> My use of OpenVPN stemmed from frustration with a dynamic IP address. I have servers out there which I need to check on (nagios, etc) and having my address at home change periodically, made that and things like backups more difficult. The VPN solves all that.
19:25 < Tykling> right, clever
19:25 < dvl> And here, at the GFs, I have complete access to all the boxes at home, directly, with ssh gateway, ssh next box, etc.
19:28 < Tykling> :)
19:32 < dvl> I no longer have to run stunnel. Don't have to update my firewall rules on three servers for any IP address change at home.
19:35 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 110 (Connection timed out)]
19:43 < worch> what dns daemons do you guys use or recommend to set up the dns structure as you mentioned, Tykling? I haven't had any experience setting up dns server outside of basic stuff on cheap routers.
19:43 < dvl> worch: I use bind
19:44 < Tykling> I use bind
19:44 < Tykling> :)
19:44 < worch> thanks :]
20:18 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:24 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
20:41 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has quit ["Client exiting"]
20:47 < tjz> anyone around
22:30 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
22:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
23:34 -!- Ricoshady [n=steve@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
23:35 < tjz> anyone tried running multiple instances of openvpn, each with unique public ip, on the same server?
--- Day changed Sat Jan 10 2009
00:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has left ##openvpn ["Leaving..."]
00:14 -!- Ricoshady [n=steve@cpe-76-171-208-102.socal.res.rr.com] has quit []
00:31 < simplechat> tjz, i'm sure somebody has
00:32 < tjz> need to find out how is it going
00:51 < reiffert> !local
00:51 < vpnHelper> reiffert: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
00:51 < reiffert> forget that
00:52 < reiffert> --local host
00:53 < reiffert> Local host name or IP address for bind. If specified, OpenVPN
00:53 < reiffert> will bind to this address only. If unspecified, OpenVPN will
00:53 < reiffert> bind to all interfaces.
00:55 < tjz> cool
00:56 < tjz> is that setup in server.conf ?
00:56 < reiffert> Yes.
00:57 < tjz> hmm
00:58 < tjz> is this this?
00:58 < tjz> # Which local IP address should OpenVPN
00:58 < tjz> # listen on? (optional)
01:02 < reiffert> I see 2 lines of comments, so I guess not.
01:02 < tjz> and..
01:02 < tjz> ;local a.b.c.d
01:03 < reiffert> Looks more like it
01:03 < tjz> cool
01:10 < ecrist> grr
01:10 < ecrist> what do I need to change Fn+Down-arrow to to equal pg-down
01:10 * ecrist is too lazy to pull out his own machine, where it's all re-mapped
01:10 < tjz> sound complicated ..
01:10 < tjz> lol
01:11 < ecrist> naw
01:11 < ecrist> just can't remember
01:11 < ecrist> ok, got it
01:12 < ecrist> got it
01:13 < ecrist> page-up should be mapped to [esc]5~ and page-down should be [esc]6~ ([esc] shows up as \033)
01:13 * ecrist puts it in the SCN wiki
01:13 < reiffert> ecrist: within X app's, Console, xterm ... where?
01:15 < ecrist> Terminal.app
01:15 < ecrist> 10.5 Terminal.app > iTerm
01:16 < reiffert> well, fn+up/down arrows is page up/down by default for me
01:16 < ecrist> 10.[1234] Terminal.app < *
01:16 < tjz> reiffert: doesn't work. it still shows the server public ip
01:16 < tjz> not another unique IP i assign to the server.conf file
01:16 < reiffert> !configs
01:16 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:16 < ecrist> hrm, no, not in irssi and some other Terminal apps.
01:17 < ecrist> I guess, not as transmitted across an ssh session.
01:17 < reiffert> ecrist: then it's shift+fn + up/down
01:17 < reiffert> ecrist: that got nothing to do with ssh but with terminal settings :)
01:17 < reiffert> terminal as in tty
01:20 < ecrist> reiffert: reiffert the shift+fn+up/down does work, that shouldn't really be the way it works
01:21 < ecrist> adding shift to key combo is too much, imho.
01:21 < ecrist> my powerbook G4 shows up/down as secondary pg_up/pg_dwn, so I map things accordingly.
01:21 < ecrist> only makes sense.
01:22 < ecrist> if you have use, http://www.secure-computing.net/wiki/index.php/Mac_OS_X --feel free to add things my retarded ass could use. ;)
01:22 < vpnHelper> Title: Mac OS X - Secure Computing Wiki (at www.secure-computing.net)
01:25 < ecrist> tjz: what're you having problems with tonight?
01:26 < reiffert> Going to help a girl setting up the kitchen, bbl
01:26 < ecrist> l8r reiffert
01:43 * ecrist gloats
01:44 < ecrist> I like seeing folks like McGraw-Hill use my website as a reference.
01:44 < ecrist> I think i've probably got one of the most complete OpenLDAP authentication HowTo's on the Net.
01:52 < ecrist> ping krzee
01:53 < ecrist> can you email me information for the folks who are building various linux packages for ssl-admin?
01:53 < ecrist> it's about time I make the package a bit more official and create a real page for it and market it as such.
02:07 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)]
02:18 -!- lilalinux is now known as LilaLinux
02:23 < tjz> ecrist:..
02:23 < tjz> have you tried running multiple instances of openvpn, each with unique public ip, on the same server?
03:50 < tjz> anyone tried running multiple instances of openvpn, each with unique public ip, on the same server?
03:54 < ecrist> tjz: yes
03:54 < ecrist> and it works fine.
03:55 < tjz> hmmm
03:55 < tjz> care to guide me..
03:55 < tjz> what extra steps to configure..
03:56 < ecrist> well, I'd need to know what you have/haven't done
03:57 < tjz> i got a working openvpn
03:57 < tjz> now...trying to setup another instance of openvpn having its own unique public IP
03:57 < tjz> :)
03:57 < ecrist> ok
03:58 < tjz> wonder how to configure the 2nd instance to use the new unique public IP
03:59 < ecrist> need to know if the current is grabbing all addresses (*.*) or specific?
04:00 < tjz> hmmm...
04:00 < tjz> current one is grabbing all address
04:00 < ecrist> first, fix that
04:01 < tjz> ok..
04:01 < tjz> how do we configure the 1st instance to use a specific ip?
04:01 < tjz> is it under "local a.b.c.d"
04:01 < ecrist> yes
04:02 < ecrist> and that's all you need for the second, as well (aside from certificates/etc)
04:03 < tjz> i actually did an experiment
04:05 < tjz> a.b.c.d is my public IP.. 1.2.3.4 is the secondary IP that i recently added to the server..
04:05 < tjz> i tried to configure my 1st instance to use the secondary IP..
04:05 < tjz> local 1.2.3.4
04:06 < ecrist> ok...
04:07 < tjz> when i connected to my openvpn..
04:07 < tjz> my public IP showed up as a.b.c.d
04:07 < ecrist> that's different.
04:08 < tjz> any idea what i did wrong?
04:08 < ecrist> when you connect to OpenVPN, any connection from that machine out to the internet will show the IP of the primary interface. You can change this using policy-based routing, through iptables/pf/etc.
04:08 < tjz> ok..
04:08 < ecrist> lemme draw a diagram
04:09 < tjz> we don't have to setup "local" after all...
04:09 < ecrist> um, for different instances of openvpn, you do.
04:10 < tjz> i think we can just change the udp port for different instances..
04:14 < ecrist> that's another option...
04:15 < ecrist> my example was http://skitch.com/ecrist/by2pq/untitled
04:15 < vpnHelper> Title: Skitch.com > ecrist > Untitled (at skitch.com)
04:16 < ecrist> in that, although there are three IPs to the internet, only the default will really be used, unless a source address is explicitly used, or policy-based routing is used.
04:33 < tjz> wow
04:33 < tjz> did you draw that ?
04:33 < ecrist> yes - OmniGraffle Pro FTW
04:34 < tjz> OMG!!!
04:34 < tjz> very nicely drawn
04:34 < ecrist> if by draw you mean drag/drop. ;)
04:34 < tjz> LOL
04:34 < tjz> so easy?
04:34 < tjz> lol
04:34 < ecrist> yeah
04:34 < ecrist> you can download trial
04:35 < ecrist> like $199 for Pro version.
04:35 < ecrist> I've got 1 or 2 versions old at this point.
04:36 < tjz> ok
04:36 < tjz> about your drawing..
04:36 < tjz> the route starts from "client"
04:36 < tjz> right?
04:36 < tjz> or from "internet"?
04:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:37 < ecrist> well, client connects to firewall via OpenVPN - gets private/vpn IP address.
04:37 < ecrist> NAT on firewall applies IP address to private IP on outgoing connections.
04:37 < ecrist> by default, vpn client will get default IP address.
04:37 < ecrist> *but* that can be fixed with proper rules on firewall
04:38 < tjz> ah
04:38 < tjz> yayyyayaya
04:38 < tjz> is that the correct way to distribute the ip..
04:38 < ecrist> yes
04:40 < tjz> ok..
04:40 < tjz> do you know how?
04:40 < tjz> hehe
04:41 < ecrist> of course
04:41 < tjz> OmniGraffle Pro is for mac..
04:41 < tjz> x_x
04:41 < ecrist> and I'm willing to point you in the right direction so you can learn how
04:41 < ecrist> yep
04:41 < ecrist> Mac, FTW
04:41 < tjz> <-- win xp
04:41 < tjz> same as jeff
04:41 < tjz> jeff is using mac too
04:41 < ecrist> yep
04:41 < tjz> x_x
04:41 < tjz> two mac fans here
04:41 < tjz> hehehe
04:41 < ecrist> I don't even have a system I own using windows
04:42 < ecrist> 100% of work/home machines are Mac (5%) and FreeBSD (95%)
04:42 < ecrist> Mac = pretty FreeBSD
04:42 < ecrist> ;)
04:42 < tjz> lol
04:44 < tjz> teach me how to route using iptables..
04:44 < tjz> x_x
04:46 < ecrist> can't do that, unfortunately. not a linux guy
04:46 < tjz> lol
04:47 < ecrist> switch to FreeBSD and I can work circles. I've never even seen a man page for iptables.
04:49 < tjz> lol
04:49 < tjz> x_x
04:49 < tjz> i gonna have a quick dinner
04:49 < tjz> brb
04:50 < ecrist> I'm gonna have a quick night of sleep.
04:50 < ecrist> g'night.
04:50 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
04:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:06 < tjz> nite ecrist
05:23 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
05:24 < mRCUTEO> hiya all
05:24 < mRCUTEO> hiya krzee :D
05:25 < tjz> yoooooooooooooooooooooooooooo
05:25 < tjz> LOL
05:25 < mRCUTEO> y0 tjz
05:25 < mRCUTEO> howya doin dude :D
05:25 < mRCUTEO> happy new ya man
05:26 < tjz> hehe
05:26 < tjz> happy new year
05:27 < mRCUTEO> :D
05:27 < tjz> Have you run two instances of openvpn on the same server (each with own public IP) before?
05:27 < mRCUTEO> yes thousand of times :)
05:27 < mRCUTEO> i play with NATs too
05:27 < mRCUTEO> :D
05:28 < mRCUTEO> i even run multiple clients in 1 server
05:28 < mRCUTEO> openvpn = everything possible :D
05:28 < mRCUTEO> thats why i like openvpn more than PPTP
05:28 < mRCUTEO> :D
05:28 < tjz> wa
05:28 < tjz> power
05:29 < tjz> how to configure each openvpn instance to use specific IP?
05:29 < mRCUTEO> the client or server?
05:29 < tjz> the server
05:29 < tjz> two instances of openvpn with their own unique public IP
05:30 < mRCUTEO> yerp
05:30 < mRCUTEO> you have to compile it on different folder
05:31 < mRCUTEO> and set the local IP to be different one
05:31 < mRCUTEO> you can also use SNAT at the iptables
05:31 < tjz> i tried using the "local a.b.c.d"
05:31 < tjz> a.b.c.d is the secondary ip
05:32 < tjz> but it still shows the primary server ip..
05:32 < mRCUTEO> do you have two different folders compiled?
05:32 < tjz> hmm
05:32 < tjz> i actually did an experiment
05:32 < mRCUTEO> do you have two different folders compiled? eth0:2 ?
05:32 < tjz> hmm
05:32 < tjz> where to include the eth0:2..
05:32 < mRCUTEO> if you run them from the same folder then you have to SNAT
05:33 < tjz> the secondary ip is using eth0:2
05:33 < tjz> from what i see
05:33 < mRCUTEO> create a new tap
05:33 < mRCUTEO> dev tap2
05:33 < mRCUTEO> set to config --: dev tap2
05:33 < tjz> ok
05:33 < mRCUTEO> and then set NAT to SNAT the tap local ip to a unique public IP
05:34 < mRCUTEO> iptables -t nat -A POSTROUTING -s -j SNAT --to-source
05:34 < mRCUTEO> save firewall and restart
05:34 < mRCUTEO> you're done :)
05:35 < mRCUTEO> and dont forget to run another instance from the same folder too :D
05:35 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn
05:35 < mRCUTEO> but i preferred to create another folder so it doesnt get mixed up..
05:35 < tjz> ya
05:35 < tjz> i want to create another folder..
05:35 < mRCUTEO> and dont forget to run another instance from the same folder too :D (must have 2 different config file)
05:35 < tjz> not so confusing
05:35 < mRCUTEO> or for convenience use 2 different config server file
05:36 < mRCUTEO> create server.conf and server2.conf
05:36 < mRCUTEO> one set to: dev tap
05:36 < error404notfound> I have openvpn configured on one machine and I copied the same config to another to get it on vpn as well. But the buddy who owns the server said that its not a good approach, at least I should change the key on second client. any idea what that is ? :p
05:36 < mRCUTEO> and 2nd server set to :dev tap2
05:36 < tjz> i think it is better to create another folder
05:36 < tjz> won't get confused..
05:37 < mRCUTEO> okie tjz :)
05:37 < tjz> x_x
05:37 < tjz> hehe
05:37 < tjz> do we still need iptables -t nat -A POSTROUTING -s -j SNAT --to-source ?
05:37 < mRCUTEO> error404notfound it doesnt make any difference actually .. the same key is copied to the new machine with same security
05:38 < mRCUTEO> yes tjz
05:38 < mRCUTEO> the new server will be using tap2
05:38 < tjz> ok..
05:38 < tjz> i will try
05:38 < mRCUTEO> so you have to configure an IP for tap2
05:38 < tjz> err
05:38 < mRCUTEO> and then use SNAT to source it to public ip
05:38 < error404notfound> mRCUTEO: so what do I change regarding certificates that nothing needs to be changed on server and both clients work? coz right now vpn works on only one client...
05:39 < tjz> how to configure an Ip for tap2?
05:39 < mRCUTEO> tjz: server 10.8.0.0 255.255.255.0
05:40 < tjz> ohh
05:40 < tjz> you mean configure the lan ip..
05:40 < tjz> hehe
05:40 < mRCUTEO> ah yes the key
05:40 < tjz> ok, let me try
05:40 < mRCUTEO> error404notfound: you need to create a new key if you change client
05:41 < error404notfound> mRCUTEO: hmmm, is this available on openvpn howto?
05:41 < tjz> talking about the key.. how to stop the previous client to use your openvpn again?
05:41 < mRCUTEO> tjz: try to kill it :)
05:42 < tjz> let's say we are using "client1".. , we go to re-generate a new ca for "client1"?
05:42 < mRCUTEO> tjz: since its using a new dev tap2 it will not interfere with the other client
05:42 < tjz> on the server side..
05:42 < mRCUTEO> ic
05:42 < mRCUTEO> yes u may generate or just use the same ca.. from my experience it works both
05:43 < tjz> ok
05:43 < tjz> i will try also
05:43 < tjz> hehe
05:43 < mRCUTEO> :D
05:45 < mRCUTEO> error404notfound: try build-key csr file from the NEW client, upload it to the server .. build a key again in the server and get the .crt file and .ca from the server and copy it to your client.
05:45 < mRCUTEO> configure your .conf according to created key and crt file..
05:46 < mRCUTEO> im sure there is a howto from the website
05:46 < error404notfound> mRCUTEO: if you could provide me a link I would be really grateful, I don't know this black magic stuff :P
05:46 < mRCUTEO> hold on let me google a little
05:46 < mRCUTEO> :)
05:47 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
05:47 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
05:49 < mRCUTEO> error404notfound: http://www.throx.net/2008/04/13/openvpn-and-centos-5-installation-and-configuration-guide/
05:49 < vpnHelper> Title: OpenVPN and CentOS 5 Installation and Configuration Guide | Throx Blog (at www.throx.net)
05:49 < mRCUTEO> :)
05:49 < mRCUTEO> hope this helps
05:49 < mRCUTEO> where u from error404notfound?
05:49 < tjz> .pk is from pakistan?
05:49 < error404notfound> mRCUTEO: thaaaaaaaaaaanks :D
05:50 < error404notfound> tjz: yup
05:50 < error404notfound> mRCUTEO: as tjz said...
05:50 < mRCUTEO> ic :)
05:50 < tjz> ^_^
05:50 < error404notfound> tjz knows /whois :P
05:51 < mRCUTEO> hehe haha huhu :D
05:51 < tjz> LOL
05:52 < error404notfound> okay guys, thanks, I will be doing some reading then...
05:52 < mRCUTEO> okay dokay enjoy reading
05:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
05:58 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
05:58 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
06:00 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl, tjz
06:00 -!- Netsplit over, joins: tjz, dvl, smk
06:01 < tjz> my a$$ got split
06:02 < tjz> LOL
06:02 < mRCUTEO> haha
06:02 < tjz> if i set: server 10.8.0.0 255.255.255.0
06:02 < tjz> i will get a random lan IP for my openvpn..
06:02 < tjz> am i right?
06:02 < mRCUTEO> yerp
06:03 < mRCUTEO> use a /29
06:03 < mRCUTEO> oops
06:03 < mRCUTEO> use /24 on the SNAT
06:03 < mRCUTEO> so it will source all the /24 IPs to the public IP
06:04 < mRCUTEO> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 64.235.47.2
06:04 < mRCUTEO> something like this
06:04 < mRCUTEO> and 1st openvpn ip 10.8.0.0 255.255.255.0
06:04 < tjz> ok
06:04 < mRCUTEO> and 2nd openvpn ip 10.9.0.0 255.255.255.0
06:04 < mRCUTEO> iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j SNAT --to-source 64.235.47.3
06:04 < mRCUTEO> something like this
06:04 < tjz> ok
06:04 < tjz> got it
06:04 < mRCUTEO> :D
06:04 < tjz> i will try now
06:06 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
06:06 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
06:22 < tjz> mRCUTEO : do you know what is the command to flush all the iptables rules?
06:23 < mRCUTEO> yerp
06:23 < mRCUTEO> iptables -t filter -F; iptables -t nat -F; iptables -t mangle -F
06:25 < tjz> thx
06:26 < tjz> hmm
06:26 < tjz> do you know what is the reason for this problem?
06:26 < tjz> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
06:27 < mRCUTEO> hmm maybe port collision
06:27 < mRCUTEO> not sure
06:27 < mRCUTEO> its from the server?
06:27 < tjz> ah
06:27 < tjz> i found out
06:27 < mRCUTEO> whats the prob?
06:32 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
06:32 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
06:39 -!- mRCUTEO [n=info@96.9.131.183] has quit []
06:41 -!- LilaLinux is now known as lilalinux
06:46 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit [Connection timed out]
06:48 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn
07:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:21 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
08:28 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
08:29 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:32 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit [Read error: 131 (Connection reset by peer)]
08:36 -!- lilalinux is now known as LilaLinux
08:43 -!- mode/##openvpn [-r] by ChanServ
09:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:11 -!- bootlaces [n=david@83.228.22.19] has joined ##openvpn
10:13 * bootlaces humbly asks for some help to do with routing, I'm trying to sort it out, but need some last bits of the puzzle
10:13 < bootlaces> I've read the FAQs (as far as I can understand), but still can't seem to ping into the network I'm joining via the vpn
10:14 < bootlaces> If someone can spare some moments to help, I would appreciate it.
10:17 < krzee> !route
10:17 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
10:17 < krzee> check that out, should answer any questions about joining LANs
10:18 * bootlaces thanks krzee from the bottom of his cockles :)
10:18 < krzee> hehe np
10:19 < ecrist> I gave my wife something this morning from the bottom of my cockles...
10:20 < krzee> how is the wifey
10:21 < ecrist> doing great - starting to get out of the whole morning-sickness thing
10:21 < krzee> nice
10:23 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:24 < bootlaces> Hmm, still no joy.
10:25 < bootlaces> Can I paste in my routes from the client and server and the server.conf to pastebin for someone to have a look?
10:25 < krzee> !configs
10:25 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:25 < krzee> !logs
10:25 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6
10:26 < krzee> disclaimer, if the answer is clearly spelled in !route i may simply just say that
10:26 < krzee> cause people often skim over it instead of reading to understand
10:40 < bootlaces> Okay, I've done it : http://www.pastebin.ca/1305195
10:40 < bootlaces> If I've omitted anything, please do say
10:41 < bootlaces> and yes, if I've missed it from !route, then please do just say that and I'll scratch my "cockles" for some more :)
10:42 < krzee> ahh
10:42 < krzee> your problem is they are on the same network
10:42 < krzee> both on 192.168.1.X
10:42 < krzee> one side must be changes
10:42 < krzee> changed
10:42 < bootlaces> which "they" are on the same network?
10:42 < bootlaces> the openvpn box and the rest of the network?
10:43 < bootlaces> (not the client, surely (don't call me surely...))?
10:43 < krzee> server and client are using ips on same networks
10:43 < krzee> as in, both use 192.168.1.x locally
10:43 -!- AndyML is now known as AwayML
10:43 < krzee> right?
10:43 < bootlaces> looking and thinking
10:44 < krzee> oh sorry, im wrong there
10:44 < bootlaces> How come the client has an ip address of 172....x
10:44 < krzee> 1 Client on subnet 172.16.167.0/24 (ubuntu 8.10 - all patched up)
10:44 < krzee>
10:44 < krzee> 1 Server on subnet 192.168.1.0/24 (ubuntu 8.10 - all patched up)
10:44 < krzee> i missed that
10:44 < krzee> hehe
10:44 < bootlaces> *phew* :)
10:45 < bootlaces> If I look at the client route when vpn'ed
10:45 < krzee> ohh
10:45 < krzee> is the server the router for its network?
10:45 < bootlaces> it seems to tell me that all traffic for 192.168.1.x goes to 10.0.0.5
10:45 < bootlaces> no, the server is just a box on a network
10:45 < bootlaces> the router is an adsl router
10:46 < krzee> see the bottom of !route
10:46 < krzee> below the picture
10:46 < bootlaces> looking
10:46 < bootlaces> reading
10:49 < bootlaces> Don't follow. The openvpn server has an ip of 192.168.1.2, the df gw is 192.168.1.1 (the adsl router). The openvpn isn't on any other subnet (192.168.2.x) so, surely the openvpn server should "know" about other 192.168.1.x machines on its work?
10:50 < bootlaces> In the example below the picture, the server is on a different subnet
10:51 < bootlaces> s/work/network
10:53 < krzee> umm
10:53 < krzee> in both examples the server is on lan 192.168.2.x
10:53 < krzee> it is .2.10 in bottom
10:53 < krzee> anyways
10:53 < krzee> do you want a lan behind client, or just client to connect to server lan?
10:54 < bootlaces> just want my client to connect into the remote lan and see all the machines in there.
10:55 < krzee> then the remote lan must have a route to the VPN network
10:55 < krzee> easiest added to the router if supported
10:55 < bootlaces> ah, are you saying the remote lan (the 192.168.1.x) must be able to route back to 10.0.0.x?
10:56 < krzee> yes
10:56 < bootlaces> I see
10:56 < bootlaces> yes, that makes sense now
10:56 < krzee> for the reason explained at bottom of !route
10:57 < bootlaces> Can't do it in the router, so will have to use iroute on the openvpn server to do this?
10:58 < krzee> you totally did not read !route
10:58 < krzee> !iroute
10:58 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
10:58 < bootlaces> You are right, I skimmed over it
10:58 < bootlaces> I should pay more attention in future
10:58 < bootlaces> You are right to chastise me
10:58 < krzee> why do people always do that!?
10:58 < krzee> you arent alone
10:58 < bootlaces> laziness
10:59 < krzee> most people skim it then ask the questions that it explained
10:59 < bootlaces> people (including myself) are inherently lazy
10:59 < krzee> you dont realize that to understand something is MUCH lazier than asking every time you need to do something?
11:00 < bootlaces> Part of human nature I think. Perhaps we like to ask a real person from time to time rather than reading a technical document. Sometimes we can arrive at an answer quicker
11:00 < krzee> not in the long run
11:00 < bootlaces> (unless you are some type of AI) :)
11:00 < bootlaces> Well, I do *appreciate* your effort and I'm very sorry for upsetting you. It must be very frustrating for you
11:00 < krzee> and you will find that in most help channels, when you are pointed to a doc with your answer, and you fail to read it, that you will have a hard time getting further help
11:01 < krzee> im not upset
11:01 < krzee> and you're welcome =]
11:01 < krzee> here on the internet we do prefer to help those who are willing to help themselves tho
11:01 < krzee> im always willing to just set stuff up for people, but i would have to charge for that
11:03 < bootlaces> Naturally
11:03 < bootlaces> Time is a precious commodity
11:03 < bootlaces> and you have wasters like me taking your time
11:03 < krzee> haha no worries man
11:03 < krzee> where are you from? i like how you talk
11:04 < bootlaces> I'm from a lot of places. I've been coloured by my adventures in life. I wouldn't like to say I'm from "one" place, for that is very limiting.
11:05 < bootlaces> I'm a person of the world if you like.
11:05 < krzee> right on
11:05 < krzee> anyways
11:05 < krzee> you asked for the alternative way
11:06 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
11:06 < krzee> no its not iroute
11:06 < krzee> its the 2nd to last line in !route
11:06 < bootlaces> krzee, I'll try to figure the rest out now - for it's better to waste my time than yours :) I'll let you know (eventually) when I figure it out
11:06 < krzee> when you read docs, think about how long they took to write
11:06 < troy-> how long will an openvpn client retry connection for?
11:07 < krzee> troy-, forever unless you tell it otherwise
11:07 < bootlaces> Your time + the accumulative time of those who have come before you.
11:07 < troy-> krzee, i wish it was still trying :/
11:07 < troy-> gotz no packets on interface tun0
11:07 < krzee> the time spent reading docs is NOTHING compared to the time spent writing them
11:08 < krzee> packets dont happen on tun0 till a connection is made
11:08 * bootlaces has been suitably slapped on the wrists (but bring more on if you want) and will now go into the corner and sob quietly
11:08 < bootlaces> *sob *sob *sob
11:09 < krzee> lol
11:09 < krzee> troy-,
11:09 < krzee> !configs
11:09 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:09 < krzee> !logs
11:09 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6
11:10 < troy-> krzee, i cant access the client, its behind nat
11:10 < troy-> there is nothing wrong with the running-config
11:10 < krzee> welp, this isnt the right time to ask for help then
11:10 < troy-> yeah.. i need someone to console it and reinitialize
11:23 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
11:29 < bootlaces> In the router, I can define static routes. I've put this in (destination ip) 10.0.0.0 (netmask) 255.0.0.0 (gateway ip) 192.168.1.2 [<-- ip of the openvpn server] and lastly 0 (metric)
11:30 < bootlaces> so, I'm telling my adsl router that if it gets an ip request from 10.0.0.0/8, it should pass them to 192.168.1.2
11:30 < bootlaces> sounds about route?
11:30 < bootlaces> tee hee (right) 11:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:37 < krzee> you need to tell your router: 11:38 < krzee> that if it gets a request FOR 10.0.0.0 255.255.255.0 11:38 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit ["I want to sleep."] 11:38 < krzee> (no reason for /8, your vpn is only /24) 11:38 < krzee> to pass it to .1.2 (like you said) 11:39 < krzee> main difference being, you said from, but hopefully meant for 11:39 < krzee> since its its truely from, you should just let the packets go to their destination 11:40 < krzee> if its 12:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 12:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:11 -!- bmolloy [n=bmolloy@cpe-70-115-198-13.satx.res.rr.com] has joined ##openvpn 13:12 < bmolloy> Hey guys, 13:12 < bmolloy> Has anyone seen a problem with the ovpn service crashing on xp pro due to msvcrt.dll? 
13:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:51 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl 13:52 -!- Netsplit over, joins: dvl, smk 14:02 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 14:07 -!- bootlaces [n=david@83.228.22.19] has quit [] 14:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:26 -!- Keizer [n=keizer@216.45.246.60] has quit [Read error: 110 (Connection timed out)] 15:38 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 16:06 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 16:17 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has joined ##openvpn 16:17 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has left ##openvpn [] 16:17 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 16:17 -!- smerz_ [n=daniel@smerz.demon.nl] has joined ##openvpn 16:18 -!- smerz_ [n=daniel@smerz.demon.nl] has quit [Client Quit] 16:29 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 16:43 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 104 (Connection reset by peer)] 17:04 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 17:34 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 17:49 -!- AwayML is now known as AndyML 19:21 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 19:26 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection] 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has left ##openvpn ["openvpn"] 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 19:42 < sauce> hey everyone, can anyone point me in the right direction on traffic shaping vpn traffic ? 
19:43 < sauce> err, shaping vpn traffic sounds better 19:43 -!- sauce is now known as samoshit 19:48 < dvl> I would shape the traffic using third party tools, not OpenVPN. 20:15 -!- Solarbaby [n=solarbab@adsl-69-225-143-100.dsl.irvnca.pacbell.net] has joined ##openvpn 20:20 < Solarbaby> \ufeffyet again I think im over my head here on some configuration settings.. so heres the question.. On a Linksys Router i was able to use a configuration window called Advanced Routing, which let me enter my OpenVPN destination LAN IP, Sub Mask, Default Gateway.. it has something to do with using the Tap interface.. now that I'm on OpenWrt I'm not sure what to do with this info.. maybe DnsMasq? 20:38 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 20:51 < Solarbaby> I guess im not asking an easy question to answer 20:51 < Solarbaby> Im pretty confused myself 20:58 < dvl> Solarbaby: it is Saturday night.... few people around. Try the mailing list. 20:58 < Solarbaby> good advice 20:58 < Solarbaby> i dont have a life 20:58 < Solarbaby> im so close but so far 21:07 < simplechat> dvl, its sunday morning 21:07 < simplechat> lol 21:07 < simplechat> Solarbaby, whats the issue? 21:07 < Solarbaby> Hello Simplechat 21:07 < Solarbaby> Thanks for getting back to me 21:07 < simplechat> hey 21:07 < simplechat> ? 21:07 < simplechat> sorry 21:07 < simplechat> i've been stuck with my own issues for awhile 21:08 < simplechat> whatsup :) 21:08 < Solarbaby> Im going to try to restate the question, did you read what I alredy asked up top? 21:08 < simplechat> nah, i wasn't there 21:08 < Solarbaby> ok 21:08 < Solarbaby> \ufeffyet again I think im over my head here on some configuration settings.. so heres the question.. On a Linksys Router i was able to use a configuration window called Advanced Routing, which let me enter my OpenVPN destination LAN IP, Sub Mask, Default Gateway.. it has something to do with using the Tap interface.. 
now that I'm on OpenWrt I'm not sure what to do with this info.. maybe DnsMasq? 21:10 < Solarbaby> so its setting up a virtual network for the tap interface 21:10 < Solarbaby> I have no idea how to do that with out that Linksys firmware 21:16 < simplechat> hmmm. 21:17 < simplechat> so atm your on Openwrt and your not sure how to set up a vpn? 21:17 < simplechat> is that the issue? 21:18 < Solarbaby> Yes and No.. I have setup OpenVPN on the same router.. and it seems to work.. But I am also setting up OpenVPN on a Nslu2, which is inside the home network under the router 21:19 < Solarbaby> I need to make sure that my install on the Nslu2 is working properly.. and to do that I need the router to not only forward the port, which I've asked it to do.. but it also has to create that virtual network cause thats the way things are setup to work 21:19 < Solarbaby> I can show you the document I followed for the Linksys firmware if that helps 21:22 < Solarbaby> http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ 21:22 < vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.itsatechworld.com) 21:22 < Solarbaby> down where it sez configuring the router 21:41 < Solarbaby> tuff one isn't it? 21:41 < Solarbaby> sorry 21:48 < simplechat> sorry, back 21:48 < simplechat> Solarbaby, i've never done that 21:52 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn 21:58 < Solarbaby> yeah its a bit specific 22:44 < samoshit> anyone have any docs on shaping VPN traffic ? 
22:48 < krzee> its the same as shaping any other traffic if you use firewall 22:48 < krzee> or you can play with --shaper in 2.1, which is pretty new 22:52 < samoshit> awesome 23:01 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:01 -!- Solarbab1 [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 23:10 -!- Solarbaby [n=solarbab@adsl-69-225-143-100.dsl.irvnca.pacbell.net] has quit [Read error: 145 (Connection timed out)] 23:10 -!- Solarbab1 is now known as Solarbaby 23:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 23:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:18 -!- samoshit [i=sauce@ool-18be2518.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 23:34 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 23:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:40 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit] 23:41 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn --- Day changed Sun Jan 11 2009 00:01 < ropetin> Hey guys, whats up in here tonight? 00:04 < Solarbaby> ropetin: one of thee days intead of being the guy who has always tried to make openvpn work, i'll actually get to use it 00:04 < Solarbaby> ropetin: i must be pretty close by now 00:04 < ropetin> Hehehe, what's your issue now? 00:04 * ropetin just reinstalled earlier and had it working in about 20 minutes... 00:05 < Solarbaby> I sorta had it working before I rebooted my client 00:06 < Solarbaby> it connected.. it said it had a hard time establishing a security of some sort, and defaulted to using ssl something rather 00:06 < Solarbaby> anyways after a reboot of the client it just reads UDPv4 [ECONNREFUSED]; connection refused (code=111) 00:09 < Solarbaby> I'm not sure there will ever be a day that im done trying to make this work, and get to use it.. 
haha 00:09 < Solarbaby> i feel like an idiot 00:09 < Solarbaby> they just need to make this work for people like me 00:10 < ropetin> Not at all! 00:10 < ropetin> It's all a learning experience isn't it? 00:11 < ropetin> What does teh server say? 00:12 < Solarbaby> the openvpn-status.log is no help at all.. it never gets updated 00:14 < ropetin> And you've restarted the service on teh server? 00:15 < Solarbaby> i'll double check now 00:16 < Solarbaby> yes same exact error 00:16 < Solarbaby> you got yours working in 20 min huh? I envy you 00:16 < ropetin> Presumably if nothing is even getting to the server, it's a firewall or connectivity issue? 00:16 < Solarbaby> even a reinstall in 20 min would be a blessing 00:16 < ropetin> Heheheh 00:17 < ropetin> If it makes you feel any better the server I reinstalled has now died on me, for a totally unrelated hardware reason 00:17 < Solarbaby> not at all 00:17 < Solarbaby> you have no idea how hard i've worked 00:18 < Solarbaby> i just dont understand this.. im going to post my configs on pastebin.ca 00:19 < ropetin> OK 00:28 < krzee> --log file 00:29 < Solarbaby> http://pastebin.ca/1305759 00:29 < Solarbaby> ropetin: sorry about that wait 00:29 < ropetin> No wories :D 00:30 < ropetin> worries even 00:31 < Solarbaby> OpenVPN is setup on a device inside my under the firewall 00:31 < ropetin> Which makes me think it's a connectivity issue or firewall issue 00:32 < ropetin> Do you have the appropriate port forwarded, NATd or whatever? 00:32 < Solarbaby> I've asked the router to foward port 1194 and I executed route add -net 192.168.10.0 netmask 255.255.255.252 gw 192.168.1.1 dev br0 on my openwrt router 00:33 < Solarbaby> maybe theres a firewall problem on the server.. its also running openwrt 00:34 < krzee> why dev tap? 
00:34 < Solarbaby> I can't answer that 00:34 < Solarbaby> I dont understand anything 00:34 < krzee> use dev tun 00:34 < krzee> (on both) 00:34 < Solarbaby> Ok 00:34 < ropetin> Also, did you port forward udp or just tcp? 00:35 < krzee> tap encapsulates using ethernet frames, tun with IP traffic 00:37 < krzee> know that your server will need ip forwarding enabled, and NAT setup too 00:37 < krzee> are those 2 boxes on the same LAN? 00:37 < Solarbaby> yes 00:37 < krzee> k 00:37 < krzee> the pushing dns thing... 00:37 < krzee> !pushdns 00:38 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 00:38 < Solarbaby> Thanks 00:38 < krzee> np 00:38 < krzee> !logs 00:38 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:39 < Solarbaby> for one thing.. the servers firewall was accepting tcp 1194 00:39 < krzee> ahh good call ropetin 00:40 < Solarbaby> problem is still the same error 00:40 < ropetin> :D 00:40 < Solarbaby> hmmmm 00:40 < krzee> !logs 00:40 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:41 < Solarbaby> Ok 00:41 < Solarbaby> the server never makes a log file though.. 00:41 < krzee> sure it does 00:41 < Solarbaby> verb 6 00:41 < Solarbaby> syslog 00:41 < krzee> you told it to goto syslog 00:42 < krzee> check /var/log/messages 00:42 < Solarbaby> in var i have lastlog but not syslog 00:42 < krzee> syslog is the app that handles system logging 00:42 < Solarbaby> OpenWrt is so fucking crazy I can't find any syslog 00:42 < krzee> which you told openvpn to send its logs to 00:42 < krzee> ohh 00:43 < krzee> !router 00:43 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... 
dont expect help until you turn on logging so you can post them 00:43 < Solarbaby> thanks but I knew that 00:43 < krzee> unless ropetin happens to know how, you need to find out how to turn on logging 00:43 < Solarbaby> it logs other stuff.. 00:43 < krzee> #openwrt would know im sure 00:44 < krzee> 2 other easy ways actually 00:44 < krzee> remove syslog line 00:44 < Solarbaby> ok 00:44 < krzee> replace it with log 00:44 < krzee> other way is just start openvpn in the foreground 00:45 < krzee> dont forget to turn logging off when we're done 00:45 < krzee> cause your router cant log long before running out of filesystem 00:47 < ropetin> Sorry, I was getting annoyed by someone in anothe room. What'd I miss? 00:47 < ropetin> Not logging to syslog? 00:47 < krzee> hes on openwrt 00:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 00:49 < Solarbaby> just a few minutes 00:49 < krzee> on route 00:50 < krzee> whats vpn_gateway 3 00:50 -!- ropetin is now known as mclovin 00:50 -!- mclovin is now known as ropetin 00:50 < krzee> it should route through the vpn gateway without that 00:50 < krzee> kclovin! 00:51 < krzee> mclovin! 00:51 < ropetin> :D 00:51 < ropetin> Was checking if it's registered ;D 00:51 < krzee> also feel free to remove cipher BF-CBC 00:52 < krzee> since thats blowfish, the default 00:52 < Solarbaby> alright 00:59 < Solarbaby> http://pastebin.ca/1305774 00:59 < Solarbaby> that was from my client 01:00 < krzee> !learn mail http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 01:00 < vpnHelper> krzee: Invalid arguments for learn. 01:00 < krzee> !learn mail as http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 01:00 < vpnHelper> krzee: Joo got it. 
01:01 < Solarbaby> the server doesn't seem to be logging anything 01:04 < Solarbaby> Oh I found the server.log it was in /etc/init.d 01:04 < Solarbaby> weird 01:04 < ropetin> :D 01:06 < Solarbaby> http://pastebin.ca/1305779 01:07 < Solarbaby> thats the server log.. there isn't much to it though cause for some reason the client isn't scrolling the screen with information like it used too 01:07 < Solarbaby> rebooting the client 01:15 < Solarbaby> maybe now that im using tun instead of tap.. it might be kicking me off the wireless network 01:15 < Solarbaby> or maybe its because I added the log file in the client 01:15 < Solarbaby> im just not sure 01:17 < krzee> the wifi is a lower level 01:18 < krzee> ya i want the log to include the client trying to connect.. 01:21 < Solarbaby> I dont know why the client just sits there now.. it used to actually do things 01:21 < Solarbaby> im changing back to tap 01:21 < krzee> post the new config 01:22 < krzee> tap is for tunneling ethernet frames 01:22 < krzee> you only need to tunnel ip if you're just securing your wireless 01:23 < krzee> unless you are using a protocol that needs that over the vpn, it is a waste of overhead 01:24 < krzee> and when using routed with tap the only reason ive seen could be for broadcasts 01:27 < krzee> because ethernet frames work based on mac address, so without using routed you would use bridged, then youd be bridging the layer2 (talks by MACs) from each side to other 01:27 < krzee> aka, you dont want tap ;] 01:27 < Solarbaby> my ip changed 01:27 < Solarbaby> my internet ip changed 01:27 < krzee> that'll do it 01:27 < krzee> use dyndns for that if you like 01:27 < krzee> then you can connect based on hostname 01:27 < Solarbaby> i just need to get the script working 01:30 < krzee> what script... 01:30 < Solarbaby> dyndns script 01:30 < krzee> o 01:33 < Solarbaby> its still just sitting there 01:33 < Solarbaby> somehow i broke it 01:33 < krzee> look at logs... 
01:34 < krzee> just sits trying to connect? 01:34 < Solarbaby> the server log looks identical as what I posted you 20 min ago 01:34 < Solarbaby> yeah 01:34 < krzee> if so, either firewall or port forwarding problem 01:34 < Solarbaby> well not idental it sez tun0 opened 01:35 < Solarbaby> ok 01:35 < Solarbaby> Firewall 01:35 < krzee> client is trying to connect i assume... 01:37 < Solarbaby> i think so but it used to scroll the screen with stuff 01:37 < Solarbaby> now it doesn't say a damn thing at all 01:37 < Solarbaby> this is a huge nightmare.. Im so very lost 01:44 < Solarbaby> Im sorry.. I just dont know what to do anymore 01:44 < Solarbaby> I broke it 01:51 < Solarbaby> im sorry.. i can't get any further 01:51 < Solarbaby> this sucks.. this current config took me 2 weeks to get this far.. only to completely die 01:54 < krzee> have you read the howto or just googled? 01:55 < Solarbaby> I dont understand alot of what I read 01:56 < Solarbaby> the mini howtos seemed easier because they know you haven't gone to school to learn networking 01:56 < Solarbaby> which of course I am in that category.. everything is another language 01:56 < krzee> so you're setting up an advanced networking component hoping to find a page that will let you follow their steps instead of trying to learn the topic 01:58 < Solarbaby> 2 weeks.. I didn't try for a single second.. come on.. 
I've been bleeding this 01:58 < krzee> mini-howto's arent the way 01:59 < Solarbaby> you sometimes forget what that howto looks to someone who doesn't understand how to read it 01:59 < krzee> try bridging instead maybe 01:59 < krzee> no i remember 01:59 < krzee> thing is, vpns are advanced networking, so to learn them you need to learn about the stuff around them too 01:59 < krzee> for exampe 02:00 < krzee> example 02:00 < krzee> you'll need NAT configured 02:00 < krzee> so client is a wifi client, server is the wireless router, you are securing the wireless over openvpn and not allowing inet over the standard wireless? 02:02 < Solarbaby> I think something happend on my client 02:02 < krzee> check its connecting to the right ip / port / proto 02:20 < Solarbaby> what should I type on the client to make it log? 02:21 < Solarbaby> log client.log just makes it choke 02:33 < Solarbaby> forget it 02:36 < Solarbaby> 4 1/2 hours later I think i've repaired the damage up until the point that we started talking.. so now all I have to do is get back to the original problem I had before all this 02:36 < Solarbaby> yay 02:36 < Solarbaby> and thats why it took me 2 weeks to get this far 02:36 < Solarbaby> im talking 8 hours a day 2 weeks 02:36 < Solarbaby> yeah im some kinda idiot 02:44 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit ["Leaving"] 02:44 < krzee> no you're just learning a lot at once 02:45 < krzee> what did you change to 'repair the damage'? 02:48 < Solarbaby> I think i corrupted the client.conf by adding the log 02:49 < krzee> !man 02:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
02:49 < krzee> use a full path 02:49 < Solarbaby> ok 02:49 < krzee> reference for commands: manpage 02:52 < Solarbaby> so now i gotta figure out why im getting the connection refused 03:04 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 03:04 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 03:04 < Solarbaby> rebooted my router 03:05 < krzee> ya you wont need to add any routes to it 03:05 < Solarbaby> ok 03:06 < Solarbaby> well im plagued with connection refused code 111 03:06 < krzee> firewall 03:06 < Solarbaby> i tried 03:06 < Solarbaby> i added a port forward 03:06 < krzee> well 03:07 < krzee> on same lan shouldnt need port forward 03:07 < krzee> that was unknown back when we said that 03:07 < krzee> (vpn is much more common on seperate lans) 03:07 < Solarbaby> as far as I know.. if its going to penetrate my routers firewall and then go to the nslu2 which has openvpn installed to it.. it needs a port forward 03:08 < krzee> isnt the server on the router? 03:08 < Solarbaby> no 03:08 < Solarbaby> it was 03:08 < Solarbaby> it is.. but that one is disabled 03:08 < krzee> but dude 03:08 < krzee> thats the problem 03:08 < krzee> you have 2 seperate lans 03:09 < krzee> your traffic wont just simply jump across them 03:09 < krzee> or does it normally? 03:09 < krzee> can you ping the vpn server box...? 03:09 < Solarbaby> i could try 03:10 < krzee> why are you using openvpn...? 03:10 < krzee> i figured to secure your wifi 03:10 < Solarbaby> ping 192.168.10.0 Destintion unreachable 03:10 < krzee> but if its not going to router... thats not it 03:10 < krzee> ya man, thats your problem 03:11 < krzee> you're trying to connect to something you cant connect to 03:11 < krzee> (part of networking unrelated to a vpn) 03:12 < Solarbaby> ok my router is 192.168.1.1 255.255.255.0 right? 
then i created a route Destination LAN Ip 192.168.10.0 255.255.255.252 with a default gateway of 192.168.1.1 03:12 < Solarbaby> and I think I have to keep on typing in route everytime i reboot my router 03:13 < Solarbaby> i'll create a script for that 03:13 < krzee> isnt 192.168.10.0 the vpn network? 03:13 < Solarbaby> YEs 03:13 < krzee> what good will that route do you? you cant even make the connection 03:13 < krzee> those ips dont exist til the vpn is running 03:14 < Solarbaby> oh 03:14 < Solarbaby> that makes sense 03:14 < krzee> and those packets will be encapsulated over traffic flowing same as your ping did 03:14 < krzee> !vpn 03:14 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 03:14 < krzee> that is the idea of what a vpn is 03:15 < krzee> what is your real goal? 03:15 < Solarbaby> file sharing and the ability to be able to goto a coffee shop and use their unsecure wifi to connect to my secure network and do private web and network stuff 03:16 < Solarbaby> i want to use samba over my vpn 03:17 < krzee> hehe 03:18 < krzee> we shoulda started with that 03:18 < Solarbaby> sorry 03:18 < krzee> ok the port forwarding will be correct 03:18 < krzee> but not for what you're doing now 03:18 < krzee> for now, get yourself on the same lan 03:19 < Solarbaby> alright 03:19 < krzee> so if router is 192.168.1.1, be on that network 03:19 < krzee> that is why you have the local flag 03:19 < krzee> when you go remote, you must remove local from redirect-gateway 03:19 < krzee> !local 03:19 < Solarbaby> so i should just tell my router to accept port 1194 and do nothing with it? 03:19 < vpnHelper> krzee: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 
03:19 < krzee> you tell your router to send it to the openvpn server 03:20 < Solarbaby> thats what I did 03:20 < krzee> but that wouldnt solve your old problem 03:20 < krzee> thats for when you goto the coffee shop 03:20 < krzee> for now (testing im guessing) 03:20 < krzee> get on the same lan 03:20 < Solarbaby> it was forwarding port 1194 to the real network address of the openvpn server 03:21 < krzee> the ONLY thing you change to go out in the wild when done testing is remove local from redirect-gateway 03:21 < krzee> but you must get on same network if you wanna be working with 1 router 03:21 < krzee> you mentioned samba 03:22 < krzee> you mean windows filesharing or samba running on linux/bsd? 03:23 < Solarbaby> mostly i'll have samba running on the same device as the openvpn 03:23 < krzee> nice 03:23 < Solarbaby> on the other side in the wild sometimes samba will connect sometimes windows xp 03:24 < krzee> k, well if you can handle doing it by ip you save yourself some trouble 03:24 < krzee> other option is to run wins 03:24 < krzee> which is a 1-liner in samba 03:24 < Solarbaby> cool 03:24 < krzee> well with that few machines, 3rd option exists 03:24 < krzee> windows has a hostfile, as does linux 03:25 < krzee> you just enter it in there, host -> ip 03:25 < krzee> then you dont need to bother bridging 03:25 < Solarbaby> i removed push dredirect-gateway local def1 but i still get the same error 03:25 < krzee> no no 03:25 < krzee> whyd you remove that? 03:25 < Solarbaby> I thought you told me too 03:25 < krzee> take the client machine 03:26 < krzee> put it on the 192.168.1.x network 03:26 < krzee> if that means plugging it in, do that 03:26 < krzee> until you are on that network, everything else is pointless 03:26 < Solarbaby> ok 03:26 < Solarbaby> i'll setup the client on a computer thats plugged in 03:28 < krzee> k 03:38 < Solarbaby> okay everything is setup on a computer locally 03:39 < Solarbaby> same error 03:40 < krzee> it can ping now...? 
03:40 < Solarbaby> what address shall I ping? 03:41 < krzee> what address is the computer running the server on? 03:41 < krzee> LAN address 03:41 < Solarbaby> 192.168.1.77 03:41 < krzee> ping that 03:41 < Solarbaby> that pings 03:42 < krzee> change your remote statement in the config 03:43 < Solarbaby> same error 03:44 < Solarbaby> Sun Jan 11 01:46:35 2009 us=294530 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 03:44 < Solarbaby> Sun Jan 11 01:46:35 2009 us=294561 UDPv4 READ [-1] from [undef]: DATA UNDEF len=-1 03:44 < krzee> show me the configs now 03:44 < Solarbaby> ok 03:47 < Solarbaby> http://pastebin.ca/1305826 03:49 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 03:49 < krzee> comment out the route 03:49 < krzee> and delete the #route 192.168.10.0 line 03:50 < krzee> what is the ip of the client machine? 03:53 < Solarbaby> 192.168.1.179 03:55 < Solarbaby> same error 04:01 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 60 (Operation timed out)] 04:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:17 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 05:05 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 05:05 < Solarbaby> krzee: it took me about an hour to figure out why after a reboot I couldn't get back onto the internet 05:05 < Solarbaby> krzee: i had to uninsall openvpn to do it 05:06 < krzee> you were connected? 
05:06 < Solarbaby> krzee: i dunno how much patience I have left, but i surely appreciate yours 05:07 < Solarbaby> yeah 05:07 < krzee> cause that is what should happen when you got connected 05:07 < krzee> until you setup NAT 05:07 < Solarbaby> i was connected with no internet 05:07 < krzee> yup 05:07 < krzee> your router does NAT for 192.168.1.1 05:07 < krzee> so you have inet from that ip 05:07 < krzee> but when you come in from starbucks, or test like this 05:07 < krzee> you are using 192.168.10.x 05:08 < Solarbaby> ok 05:08 < krzee> and that network needs a NAT just like .1.x has 05:08 < krzee> !nat 05:08 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 05:08 < krzee> #1 and #3 05:09 < Solarbaby> ok i reinsalled openvpn 05:09 < Solarbaby> i still have the same config file 05:09 < Solarbaby> lets go to town 05:09 < krzee> you didnt have to uninstall 05:09 < krzee> you just had to kill the process 05:09 < krzee> lol 05:10 < Solarbaby> I didn't know how to boot up.. deleted most of my networking 05:10 < Solarbaby> i tar'd the stuff i deleted though 05:10 < krzee> haha 05:10 < Solarbaby> seriously i need some real hand holding here 05:12 < Solarbaby> where are we at? 
05:13 < krzee> you're teaching yourself how to setup a NAT in linux 05:13 < krzee> !linnat 05:13 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 05:13 < Solarbaby> You are about to delve into the fascinating (and sometimes horrid) world of NAT: Network Address Translation, and 05:14 < Solarbaby> do you realise it sez welcome and horrid 05:14 < Solarbaby> thats scary 05:14 < Solarbaby> *cry* 05:14 < krzee> bbl 05:14 < krzee> happy reading 05:14 < Solarbaby> thanks for everything 05:14 < Solarbaby> ok 05:14 < krzee> np 05:23 < Solarbaby> this is too complex 05:23 < Solarbaby> i'll never understand nat 05:23 < Solarbaby> i just want to make this work 05:24 < Solarbaby> i curse technolagy 05:25 < Solarbaby> fuck this is only pissing me off 05:26 < Solarbaby> i dont want to mangle packets I want a vpn 05:27 < Solarbaby> i guess i'll look for more walkthoughs 05:27 < Solarbaby> this sucks 05:28 < Solarbaby> krzee: this shit doesn't make sense to me 05:33 < Solarbaby> i dont understand 05:35 < Solarbaby> ropetin: i've moved like 2 minutes in 8 hours, but are you still here? 05:35 < Solarbaby> ropetin: now that i've deleted whta i want to do with openvpn it connects.. but now what? 06:14 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)] 06:15 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 06:16 < mlaci> hey guys! i've created an openvpn tunnel and it seems to work. the log says: "Initialization Sequence Completed", but i cannot ping through the tunnel. what could be the problem? 
06:19 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn
06:24 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Client Quit]
06:51 < reiffert> !def
06:51 < vpnHelper> reiffert: Error: "def" is not a valid command.
06:51 < reiffert> !def1
06:51 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
06:51 < reiffert> !logs
06:51 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
06:51 < reiffert> !confgs
06:51 < vpnHelper> reiffert: Error: "confgs" is not a valid command.
06:51 < reiffert> !configs
06:51 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:17 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
07:51 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
08:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
08:45 < ecrist> reiffert: something specific you're looking for?
08:48 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has joined ##openvpn
08:49 < ecrist> you're early. ;)
08:49 < my_math_stinks> Making sure things worked as expected
08:51 < my_math_stinks> Thanks for taking the time to do this!
08:51 < ecrist> np
08:51 < ecrist> pw?
08:52 < my_math_stinks> Hope you will understand that as a ... seasoned? ... computer user I am pretty darn security conscious; and since our friendship is brand new, I will take president Reagan's advice from the nuclear disarmament treaty with the USSR: "Trust but Verify".
08:52 < my_math_stinks> So that I will have a record, and be able to learn something from watching what you do, could you please do: script ~/eric_ssh.txt immediately after you log in to your home directory? I will tail -f that file.
08:52 < ecrist> certainly
08:53 < my_math_stinks> is this a private enough channel to give you the login info AND pw?
08:53 < ecrist> no. I've login info - just need pw
08:53 < ecrist> this is a public room.
08:53 < my_math_stinks> OK, ip has not changed, password: ericcrist
08:54 < ecrist> my_math_stinks: there is no script in ~/eric_ssh.txt
08:55 < ecrist> is that script in *your* home dir?
08:55 < my_math_stinks> run the command "script eric_ssh.txt" that will create the file.
08:57 < ecrist> ok, 1 sec
08:57 < my_math_stinks> OK, I see you ran it and then exited. Don't exit till you're done. I'll see everything you do that way.
08:58 < my_math_stinks> Why do you need to connect to kenny.secure-computing.net
08:58 < ecrist> getting my .cshrc file for my environment
08:58 < my_math_stinks> ok, allowed
08:59 < ecrist> ok, got all that
09:00 < ecrist> no, refresh my memory, what user's directory are you looking at?
09:00 < ecrist> randi?
09:00 < my_math_stinks> yes, and why do you need to be logged in to 2 terminal sessions? :)
09:01 < ecrist> never used script, also doing a tail -f (I'm learning, too) :)
09:01 < ecrist> looks similar to the old 'watch' command, but not quite as powerful.
09:02 < my_math_stinks> it's useful in this situation so that I can watch in real time, and have a hard record.
09:02 < my_math_stinks> I can also see as you log in and out.
09:04 < ecrist> ok. looks like there's a difference of about 300MB between du -kd1 and repquota
09:04 < my_math_stinks> hmmm. 2.34 and 2.37 interestingly close?
09:04 < ecrist> hrm. let's take this to a private room
09:04 < my_math_stinks> invite me
09:05 < my_math_stinks> need a "room key"?
09:06 < my_math_stinks> room is password protected
09:06 < ecrist> look at my command history - sent you message there.
09:06 < my_math_stinks> got it, invite again
09:37 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has quit []
09:42 < mlaci> hi guys! i got this: "bad source address from client [10.8.0.2], packet dropped". i'm pretty desperate and need some help
09:42 < ecrist> if you google "OpenVPN 'bad source address from client'
09:42 < ecrist> "
09:42 < ecrist> you'll get a ton of hits...
09:42 < ecrist> try reading
09:42 < ecrist> !route
09:42 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:42 < ecrist> that link ^^^
09:43 < ecrist> you'll find an explanation of that error there.
09:44 -!- ecrist changed the topic of ##openvpn to: Check your firewall first. || We need !configs and/or !logs || HowTo: http://openvpn.net/howto
09:44 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn
09:48 < mlaci> ecrist, i'm reading for more than two hours, but cannot figure out the exact solution
09:49 < ecrist> did you read the link vpnHelper posted above?
09:49 < mlaci> ecrist, i'm just reading it, sorry. give me some minutes
10:12 -!- AndyML is now known as AwayML
10:27 -!- phretor [n=phretor@host202-23-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
10:27 < phretor> hi
10:29 < phretor> I get tons of errors when I use easy-rsa scripts - http://pastie.org/358032 - could you please help me with this?
10:36 < ecrist> phretor: what OS?
10:36 < phretor> ecrist: ubuntu server
10:37 < ecrist> what shell?
10:37 < phretor> ecrist: bash
10:40 < ecrist> well, easy-rsa sucks
10:40 -!- wormdrink [i=c2ed8e06@gateway/web/ajax/mibbit.com/x-903c80a6518af861] has joined ##openvpn
10:42 < wormdrink> hi
10:42 < wormdrink> im having some trouble connecting to vpn from behind firewall
10:42 < wormdrink> behind http proxy rather
10:42 < wormdrink> keep getting: Sun Jan 11 18:44:02 2009 us=959388 TCPv4_CLIENT link local: [undef] Sun Jan 11 18:44:02 2009 us=959473 TCPv4_CLIENT link remote: 153.88.253.11:8080 Sun Jan 11 18:44:53 2009 us=33897 Connection reset, restarting [0] Sun Jan 11 18:44:53 2009 us=34254 TCP/UDP: Closing socket Sun Jan 11 18:44:53 2009 us=34439 SIGUSR1[soft,connection-reset] received, process restarting Sun Jan 11 18:44:53 2009 us=34532 Restart
10:42 < ecrist> phretor: I don't have packages for ubuntu yet, but with a little effort, you can use ssl-admin
10:42 < ecrist> !ssl-admin
10:42 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
10:43 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit ["I want to sleep."]
10:44 < ecrist> wormdrink: I don't know how you're going to use an http proxy to connect. I don't think it's supported
10:45 < wormdrink> im pretty sure it is
10:46 < wormdrink> # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #]
10:46 < ecrist> have you looked at http://openvpn.net/index.php/documentation/howto.html#http
10:46 < vpnHelper> Title: HOWTO (at openvpn.net)
11:11 -!- zzattack2 [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn
11:13 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 131 (Connection reset by peer)]
11:13 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn
11:15 < zzattack> phretor: did you try using the 1.0 scripts?
11:15 < phretor> zzattack: why should I?
11:15 < zzattack> are you using that debian etch guide?
11:23 -!- Semmi [n=basti@e178220139.adsl.alicedsl.de] has joined ##openvpn
11:24 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:24 < Semmi> hello, i have a problem. i can't create a server key
11:29 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)]
11:29 < Semmi> i want to generate a certificate & key for a server, but i only got a message
11:30 < Semmi> that i "Finally, you can run this tool (pkitool) to build certificates/keys."
11:30 -!- zzattack2 [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 110 (Connection timed out)]
11:39 -!- phretor [n=phretor@host202-23-dynamic.25-79-r.retail.telecomitalia.it] has left ##openvpn []
11:43 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 60 (Operation timed out)]
12:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:21 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
12:22 < mlaci> ecrist, thank you very much for the pointer to the wiki article about setting up iroutes, it's working like a charm. i'd like to configure my server to forward packets to its lan. how can i do it?
12:26 < mlaci> /proc/sys/net/ipv4/ip_forward is set to 1 and forwarding doesn't work
12:35 < mlaci> looks like the server tries to forward the packets, but the server resides in a bigger network interconnected by routers and there's no answer coming back
12:35 < mlaci> am i missing something?
12:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:37 < mlaci> ah, i think i should masquerade the packets, or something like that
12:46 -!- wormdrink [i=c2ed8e06@gateway/web/ajax/mibbit.com/x-903c80a6518af861] has quit ["http://www.mibbit.com ajax IRC Client"]
12:59 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
13:02 -!- Semmi [n=basti@e178220139.adsl.alicedsl.de] has quit [Read error: 54 (Connection reset by peer)]
13:08 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
13:08 < eliasp> hi
13:10 < eliasp> how do i change the IP of the server node? by default it gets 10.8.0.1/24 assigned (server 10.8.0.0 255.255.255.0) ... i want it to be 10.8.0.2/24 ... tried 'ifconfig 10.8.0.2 255.255.255.0' but it seems i was wrong... still got 10.8.0.1/24 ...
13:13 < krzee> why .2?
13:13 < krzee> and see this:
13:13 < krzee> !/30
13:13 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:14 < krzee> AND
13:14 < eliasp> because the usage of .1 would require heavy changes of the client configs due to network restructuring... just something i want to prevent ATM
13:14 < krzee> server statement expands to have ifconfig already in it
13:14 < krzee> see !man for details
13:15 < krzee> the avoidance of .1 would require heavy changes as well
13:15 < eliasp> but just on the server....
13:15 < krzee> and you need to use an address from a /30 unless you use !topology
13:15 < eliasp> there's nowhere a reference to 10.8.0.1 in the client-config...
13:16 < eliasp> uhm, i don't really understand why this shouldn't be easily possible... will read the link above for some clarification.. thx ... seems i have to find a completely different way for this...
13:17 < krzee> ya that link will show why no server or client can use .2
13:17 < krzee> unless you use:
13:17 < krzee> !topology
13:17 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:17 < eliasp> ok, it doesnt need to be .2 .. could be anything else, just not .1 ;-)
13:17 < eliasp> k, thx
13:17 < krzee> see:
13:17 < krzee> !man
13:17 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:17 < krzee> and rebuild the server statement
13:18 < krzee> server expands to be a bunch of other statements
13:18 < krzee> rebuild it replacing ifconfig with what you want
13:19 < eliasp> yeah, read this part of the manpage already about the expanded 'server' option... going to re-read it...
13:59 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
14:04 -!- bmolloy [n=bmolloy@cpe-70-115-198-13.satx.res.rr.com] has quit [Read error: 113 (No route to host)]
14:35 -!- int [n=quassel@wikia/int] has joined ##openvpn
14:39 -!- AwayML is now known as AndyML
15:10 -!- laggo [n=user@c-67-188-111-124.hsd1.ca.comcast.net] has joined ##openvpn
15:11 -!- LilaLinux is now known as lilalinux
15:13 < laggo> i've set up the vpn with close to default configs and i can ping the server across the tunnel. i'm having trouble with routing all client traffic through the server with redirect-gateway and iptables masquerade. is there some linux tool to diagnose whats happening with the packets (are they being received/forwarded by the server etc)
15:24 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn
15:27 < disposable> ls
15:27 < disposable> oops
15:42 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
15:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
16:09 < disposable> i have a network 192.168.3.0/24 on which i have an openvpn server with tap device providing network 192.168.111.0/24. the server is configured like this: http://pastebin.com/d29031923 Problem is that I can ping the server from the client using both 192.168.111.1 and 192.168.3.118 address, but nothing else on the 192.168.3.0 network. what am i missing?
16:10 < disposable> i have issued "echo 1 > /proc/sys/net/ipv4/ip_forward" on the server, but it did not help
16:22 < disposable> pretty please?
16:29 < laggo> blah
16:29 -!- laggo [n=user@c-67-188-111-124.hsd1.ca.comcast.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"]
16:40 < mlaci> guys, what's the best way to implement some hostname resolution mechanism that works with openvpn?
16:47 < krzie> huh?
16:47 < krzie> i dont get the question
16:49 < krzie> disposable: 3 things,
16:49 < krzie> #
16:49 < krzie> push "route 192.168.3.0 255.255.255.0"
16:49 < krzie> #
16:49 < krzie> route 192.168.3.0 255.255.255.0
16:49 < krzie> that never makes sense
16:49 < krzie> see !route
16:50 < krzie> odds are you are missing the routes outside of openvpn
16:50 < krzie> 2) you are using tcp, unless you have a reason to you should not be
16:50 < krzie> see this:
16:50 < krzie> !tcp
16:50 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:57 < disposable> krzie: thanks
17:06 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:07 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
17:11 < krzie> 3) you are using tap, but not bridging... there are few reasons to do this and unless you know why you are doing it you prolly want dev tun
17:12 < krzie> also, if you are using user/group you want some persist options
17:12 < bsdbandit> im running openvpn 2.0.9 on openbsd 4.4 but when trying to start openvpn it just hangs before trying to open up the tun0 interface how would i go about solving this issue
17:12 < bsdbandit> ?
17:12 < krzie> persist-key
17:12 < krzie> persist-tun
17:13 < disposable> krzie: looks like i have much more reading to do than i thought
17:13 < krzie> bsdbandit, sure you have tuntap in the kernel?
17:55 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
17:55 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 54 (Connection reset by peer)]
18:25 < reiffert> Hah, migrating a web n mailserver to my system within 30 minutes onthefly.
18:29 < krzie> nice
18:30 < krzie> i grabbed a fbsd vps for $84/yr last night
18:30 < krzie> was too good to pass up
18:31 < reiffert> how much hdd?
18:34 < reiffert> Need 100GB Backup Space with ssh+rsync and cryptfs.
18:35 < krzie> for the 84/yr only 5gb
18:37 < reiffert> good night, job's done here
18:37 < krzie> more than i need tho
18:37 < krzie> gnite reif
18:43 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
18:55 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection]
19:03 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl
19:03 -!- Netsplit over, joins: dvl, smk
20:14 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn
20:16 < Solarbaby> krzee: Hello
20:29 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Network is unreachable]
20:32 < krzie> hey
20:39 -!- eliasp [n=quassel@78.43.213.203] has quit [Remote closed the connection]
20:43 < Solarbaby> krzie: I ended up having a shitfit after you left... i guess my temper got the best of me
20:43 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
20:43 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:45 < krzie> lol
20:46 < Solarbaby> fortunately nobody was around to comment on any of it
20:46 < krzie> dont expect to read some walkthrough and magically understand networking
20:47 < Solarbaby> Im not sure I want to understand it, I want it to work
20:47 < Solarbaby> my network can't be so different than a few hundred million other networks
20:47 < krzie> what you were trying when you started was impossible
20:47 < Solarbaby> its 2 config files.. and a few entries into your firewall and router
20:48 < Solarbaby> I appreciate you clearing that up
20:48 < Solarbaby> thanks
20:48 < krzie> yes, but what goes in those entries and configs differs based on your goal, and requires some knowledge of networking
20:48 < Solarbaby> nod
20:48 < Solarbaby> would you mind walking me through the rest of it?
20:49 < krzie> walking through, prolly
20:49 < krzie> but ill point to what to read if i know what you need to read
20:49 < krzie> last i saw you got it to connect fine
20:49 < Solarbaby> a little hand holding is required with my limited knowledge.. but im a lot less impatient after a good night's sleep
20:49 < krzie> comment out the redirect-gateway line for now
20:49 < Solarbaby> ok
20:49 < Solarbaby> shall I re post the configs?
20:49 < krzie> ill help, but wont do it for you, if yanno what i mean
20:50 < krzie> well first comment the redirect-gateway line
20:50 < Solarbaby> Yeah.. I prefer you do it for me.. heeh..
20:50 < Solarbaby> but any help is good
20:50 < krzie> (put a # in front of it)
20:50 < krzie> sure ill do it for you
20:50 < krzie> but ill charge $ for that
20:50 < Solarbaby> im tempted to pay
20:50 < Solarbaby> not that i have any money
20:50 < krzie> its better to learn
20:51 < Solarbaby> i agree.. i always prefer seeing something that works, then breaking it
20:51 < Solarbaby> see why it worked
20:51 < krzie> you learn more from breaking stuff and fixing it
20:51 < krzie> than from following some walkthrough off google
20:51 < Solarbaby> yeah
20:51 < Solarbaby> thats true.. apparently i've learned very little all this time
20:52 < krzie> to understand basically everything about ANY line in an openvpn config
20:52 < krzie> all you need is this:
20:52 < krzie> !man
20:52 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:52 < krzie> so anyways...
20:52 < krzie> comment the line i said to
20:52 < krzie> then stop both instances of openvpn
20:52 < krzie> then start the server
20:53 < krzie> then start the client
20:53 < krzie> tell me if it connects...
20:54 < Solarbaby> ok
20:55 < Solarbaby> it didn't stay connected
20:55 < Solarbaby> ill post the logs
20:58 < Solarbaby> http://pastebin.ca/1306234
21:02 < Solarbaby> http://pastebin.ca/1306238
21:11 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
21:12 < tjz> Hello everyone~
21:13 -!- steveoooooooo [n=steve@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
21:13 < Solarbaby> Hello tjz
21:14 < tjz> hey solarbaby
21:14 < tjz> did you manage to get your openvpn working?
21:14 < Solarbaby> tjz: not yet.. krzie has been helping me but its slow going
21:15 < steveoooooooo> im trying to setup a bridged openvpn setup, what interface do I bridge? the vpn is accepting connections on the internet, but the VPN should operate on 192.168 or 10. network... do I need to add a local net first, and bridge that?
21:15 < tjz> are you running a server or vps?
21:15 < Solarbaby> he managed to fix some issues that he told me will not work because they were totally wrong
21:15 < Solarbaby> im running openvpn on a linksys nslu2
21:15 < Solarbaby> running openwrt as an operating system
21:15 < Solarbaby> and the client is running on ubuntu
21:16 < steveoooooooo> Solarbaby, how does openwrt work?
21:16 < Solarbaby> steveoooooooo: it may just be the single most frustrating project i've ever taken on
21:17 < steveoooooooo> : )
21:17 < Solarbaby> openwrt itself comes pretty close..
21:17 < tjz> never use openwrt OS before
21:17 < steveoooooooo> im trying to get openvpn to work
21:17 < tjz> x_x
21:17 < steveoooooooo> im not sure how Im supposed to bridge my adapters
21:18 < Solarbaby> its not bad if you dont want to play with it much.. but I had to get usb working and samba, and some other things.. including openvpn which is still unsolved
21:18 < ecrist> evening, bitches
21:18 < Solarbaby> Hello ecrist
21:18 < steveoooooooo> eth0 is the internet, so what do I bridge br0 to?
21:18 < ecrist> eth0 and tap0
21:19 < ecrist> erm
21:19 < ecrist> tap0 and whatever interface is your LAN
21:19 < ecrist> usually
21:20 < steveoooooooo> so if the only adapter I have in the machine is for the inet, I need to create a virtual 10.* network first, then bridge tap0 to that?
21:20 < ecrist> wait
21:20 < ecrist> why are you doing a bridge network?
21:20 < ecrist> you're just trying to tunnel internet traffic?
21:21 < steveoooooooo> maybe I dont need one. I have a server, I'd like to be able to connect to it so it acts like a machine on my local net so I can use samba
21:21 < steveoooooooo> maybe I just need openvpn on the server and no bridge
21:22 < ecrist> samba... can be done over bridge or tun. I would recommend tun (easier to set up)
21:23 < ecrist> you'd have to access the share via IP or hostname, and it wouldn't be browsable, though.
21:23 < Solarbaby> good advice
21:23 < steveoooooooo> ecrist, no problem there
21:23 < Solarbaby> thats no fun
21:23 < ecrist> tun also makes things a tad easier to firewall, should the need arise.
21:23 < steveoooooooo> so if the server is running openvpn and I connect, the server will have a local net ip?
21:24 < Solarbaby> krzie: did my log files do you in?
21:25 < ecrist> the server will have a VPN-local net IP.
21:25 < ecrist> and as long as samba is listening to IN_ADDR_ANY, you're good to go
21:26 < Solarbaby> ecrist: you seem like the chief of the channel
21:26 < ecrist> ??
21:26 < ecrist> lol
21:26 < ecrist> thanks.
21:26 < Solarbaby> ecrist: you just really sound like you know whats going on
21:27 < Solarbaby> ecrist: i might very well be the worst uneducated fool to setup openvpn yet
21:27 < Solarbaby> North and South here
21:27 < Solarbaby> hehe
21:28 < ecrist> steveoooooooo: if you follow the howto, or read through !freebsd (ignore OS-specific parts) you should be on the right path.
21:28 < ecrist> Solarbaby: what's your issue, before I go pay my wife some attention?
21:29 < Solarbaby> ecrist: It could take you all night.. im a beginner to networking so just getting a basic vpn that shares my internet connection when im away from home, and my samba file shares is what i need..
21:30 < ecrist> Solarbaby: read !freebsd, and !route
21:30 < Solarbaby> the samba server and the openvpn server are on the same openwrt device
21:30 < ecrist> that should get you down the right path.
21:30 < ecrist> if you're still having problems, hit me up between 0700 and 1500 CST
21:30 < Solarbaby> is it possibly over my head?
21:30 < ecrist> naw
21:30 < Solarbaby> I'll be here
21:30 < ecrist> !freebsd
21:30 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
21:30 < ecrist> !route
21:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
21:30 < Solarbaby> Thank You!
21:30 < Solarbaby> I'll look it over and see if i can figure anything out
21:31 < ecrist> I wrote OpenVPN Server and krzee wrote Routing - ask us if you don't understand something.
21:31 < ecrist> g'night
21:31 < Solarbaby> G'night
21:56 < Solarbaby> I dont understand why ecrist didn't include a client.conf to go with his server.conf
21:56 < Solarbaby> in his howto
22:04 < Solarbaby> he's gotta push route in his server.conf and I dont have one.. I have no idea if I need that
22:19 < dvl> Solarbaby: http://www.freebsddiary.org (my stuff) may have client conf.
22:19 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org)
22:19 < Solarbaby> Thanks!
22:20 < dvl> np
22:20 < dvl> using it here and now
22:20 < Solarbaby> I've been trying to make this work for weeks
22:20 < Solarbaby> its really really sad
22:22 < dvl> http://www.freebsddiary.org/openvpn-routed.php
22:22 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
22:23 < dvl> Now, what I'd do differently is have openvpn run not as nobody, but as a specialized user.
22:23 < Solarbaby> I liked that you gave credit to ecrist and krzie
22:23 < dvl> This would be a nice exercise I think.
22:23 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
22:23 < dvl> Thanks
22:24 < Ricoshady> do I need to create the tap interface dev, or is that created for me?
22:24 < Solarbaby> you need to have the library
22:24 < dvl> For you I think. You'll see. What OS are you using?
22:24 < dvl> For FreeBSD: kldload if_tap.ko
22:24 -!- AndyML is now known as AwayML
22:25 < dvl> or if_tap_load="YES" in /boot/loader.conf
22:27 < Ricoshady> what library? im using debian
22:27 < Solarbaby> I dont know what im talking about
22:28 < dvl> Solarbaby: try it without doing anything special, then you'll know.
22:28 < Solarbaby> dvl: maybe I should just use the config files you posted in here
22:28 < dvl> Solarbaby: if you're doing the same thing I am...
22:28 < Solarbaby> you've got things like client to client I dont have that in mine
22:28 < Solarbaby> your certificates are in a different directory but thats easy to fix
22:29 < dvl> Yep.
22:29 < Solarbaby> you know i've read that generating the certs was the hardest part, but for me that was the easiest.. I did that in 1 day.. and everything else in 2 weeks and I got not even an inch further
22:29 < Solarbaby> hehe
22:30 < Solarbaby> its really really sad
22:30 < Ricoshady> does anyone know how to create the tap device in linux?
22:30 < Ricoshady> debian
22:31 < dvl> Solarbaby: I've followed those directions for a few client machines now.
22:31 < dvl> Ricoshady: my sympathies. Sorry about Debian. ;)
22:50 < Ricoshady> what is the difference between tap and tun devices?
22:54 < Solarbaby> dvl: i dont have a group nobody on this openwrt system
22:54 < Solarbaby> Ricoshady: tun is better for a lot of things.. like samba
22:54 < dvl> Solarbaby: interesting dilema
22:54 < dvl> and spelling.
22:54 < Solarbaby> Ricoshady: also Tun is more secure
22:55 < Solarbaby> dvl: hey look at me.. I answered a question right
22:56 < Solarbaby> TLS Error: cannot locate HMAC in incoming packet from 192.168.1.220:33078
22:56 < Solarbaby> how do you like that bag of worms?
22:57 < Solarbaby> as far as the nobody group.. I just edited that out..
22:57 < Solarbaby> i'll work more on that part later
23:02 < Solarbaby> dvl: I still get the same errors with yours as I was getting with mine.. read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
23:05 < Solarbaby> dvl: i didn't notice any sections in your writing about firewalls or port forward
23:10 < dvl> Solarbaby: Sounds like there is nothing listening on that port.
23:17 < Solarbaby> Hmmm
23:19 < Solarbaby> it looks like its not making it through my router's firewall
23:19 < Solarbaby> OpenWrt is my router and firewall
23:20 < Solarbaby> I thought I knew what I was doing.. but obviously not
23:37 < Ricoshady> ive got a VPN up and running, the VPN stays open, but I lose ssh connections, any idea
23:37 < Ricoshady> they connect, just disconnects quickly there after
23:38 < Ricoshady> and does the client require the dos window?
23:38 < Ricoshady> id rather not have to keep that going
23:39 < Ricoshady> actually it looks like for whatever reason, the VPN closed the connection and reopened
23:40 < Ricoshady> every few minutes the VPN resets
23:47 < Ricoshady> I even got samba to work over the VPN, but the VPN still resets every 2-5 minutes, killing all open connections
23:56 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Mon Jan 12 2009
00:04 -!- Solarbaby [n=solarbab@ppp-69-232-181-87.dsl.irvnca.pacbell.net] has joined ##openvpn
00:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
00:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:07 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
00:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:34 -!- Solarbaby [n=solarbab@ppp-69-232-181-87.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
00:34 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
01:17 < gdfgdfgdfgdfg> anyone know why the VPN cuts out every so often, seemingly randomly? it comes back up, but stuff like ssh dies out because the connection is dropped
01:34 < krzee> have a keep-alive?
01:34 < krzee> using tcp?
01:34 < gdfgdfgdfgdfg> what kind of keep-alive?
01:34 < krzee> any abnormal links involved?
01:34 < krzee> !man
01:34 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:34 < krzee> see --keepalive
01:35 < gdfgdfgdfgdfg> no abnormal links that I know of, one tun connection
01:35 < krzee> i mean like satellite or anything like that
01:35 < gdfgdfgdfgdfg> ohh, no cable
01:36 < gdfgdfgdfgdfg> other than this issue, the VPN is working GREAT!
01:37 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:40 < krzee> --keepalive n m
01:40 < krzee> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
01:40 < krzee> For example, --keepalive 10 60 expands as follows:
01:40 < krzee>
01:40 < krzee> if mode server:
01:40 < krzee> ping 10
01:40 < krzee> ping-restart 120
01:40 < krzee> push "ping 10"
01:40 < krzee> push "ping-restart 60"
01:40 < krzee> else
01:40 < krzee> ping 10
01:40 < krzee> ping-restart 60
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:33 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)]
02:35 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
02:39 -!- dazoafk is now known as dazo
02:45 < krzee> !ssl-admin
02:45 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
02:46 < krzee> ecrist,
02:46 < krzee> [root@nfs /usr/ports/security/ssl-admin]# make
02:46 < krzee> ===> Vulnerability check disabled, database not found
02:46 < krzee> => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
02:46 < krzee> => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/.
02:46 < krzee> fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host
02:52 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
03:02 < krzee> the file doesnt exist in that dir
03:04 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 145 (Connection timed out)]
03:35 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
03:41 < krzee> also ecrist, the svn ssl-admin is spitting errors at my freebsd 7
03:41 < krzee> with perl 5.8.8_1
03:41 < krzee> [root@nfs ~]# ssl-admin
03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 366.
03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 409.
03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 477.
03:41 < krzee> syntax error at /usr/local/bin/ssl-admin line 199, near "$? else"
03:41 < krzee> Execution of /usr/local/bin/ssl-admin aborted due to compilation errors.
03:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
03:48 -!- krzee changed the topic of ##openvpn to: Check your firewall first. || We need !configs and/or !logs || HowTo: http://openvpn.net/howto manual: http://openvpn.net/man || LANs behind openvpn? see !route || Don't ask to ask, just ask, then wait.
04:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
04:11 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
04:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
--- Log closed Mon Jan 12 05:01:43 2009
--- Log opened Mon Jan 12 08:09:20 2009
08:09 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
08:09 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal]
08:09 -!- Irssi: Join to ##openvpn was synced in 17 secs
08:09 < ecrist> user-keys, yes
08:09 < ecrist> ssl-admin
08:09 < ecrist> !ssl-admin
08:09 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
08:09 -!- ecrist [n=r00t@mtka.claimlynx.com] has quit ["Leaving"]
08:10 -!- You're now known as ecrist
08:15 < krzee> ecrist, umm, but its not working
08:15 < krzee> the link takes you to trac, svn gives a broken version, ports doesnt have it
08:19 -!- zheng [n=zheng@58.33.126.221] has quit [Read error: 104 (Connection reset by peer)]
08:22 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 104 (Connection reset by peer)]
08:22 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn
08:23 < harpal> Hey is it OK to use certificates generated without openvpn's certificate generation method? Does it accept them?
08:24 < krzee> openvpn's cert generation method?
08:24 < krzee> it just uses openssl to make certs
08:24 < krzee> easy-rsa and ssl-admin are both just frontends for running a series of openssl commands
08:25 < harpal> krzee: Ya, But I have created certificates in OpenSwan an IPSEC VPN.
08:25 < harpal> In that I have used Opelssl
08:25 < harpal> *openssl
08:25 < krzee> ipsec uses normal ssl certs for connecting?
08:26 < krzee> im thinking no
08:26 < harpal> krzee: no, It has CA authority and certs with password
08:26 < harpal> also self-signed certs available
08:26 < krzee> sounds like thats normal ssl certs
08:26 < krzee> *shrug* maybe then
08:27 < krzee> i can guarantee that the clients / server will not interconnect to openvpn tho
08:27 < krzee> whether or not you can re-use the certs, i have no idea
08:27 < krzee> i dont use ipsec
08:28 < harpal> krzee: I think I have to test it and Lets see what happens :D
08:28 < krzee> you doing that so you dont need to re-deploy certs to all your clients?
08:30 < harpal> krzee: nope, so I dont re-create certs separately for IPSEC and openvpn
08:30 < ecrist> oh, expect svn to be broken at any given time
08:30 < krzee> ecrist, but theres no tgz download
08:30 < ecrist> that's why I'm hoping, this week, to have a few various bundled releases.
08:30 < krzee> ahh
08:30 < ecrist> for the tgz
08:31 < krzee> new mods?
08:31 < ecrist> krzee - side effect of me having a day job, starting a small business, baby on the way, and remodeling my house.
08:31 < krzee> wow bro
08:31 < krzee> busy man
08:32 < ecrist> oh, and I'm still a reserve sheriff's deputy on the side of all that.
08:32 < ecrist> damn, I think I need to cut back.
08:32 < krzee> your biz all in person or you do anything online?
08:32 < ecrist> biz is all in person. security systems, cameras, that sort of thing
08:32 < ecrist> that's really my 'trade' is low-voltage wiring.
08:33 < krzee> werd
08:33 < ecrist> I managed to sucker my current employer into thinking I knew what I was doing behind a keyboard.
08:33 < krzee> we woulda done good as a team
08:33 < ecrist> aye
08:33 < krzee> i did phone systems and networks, never did the cabling or phys security
08:34 < krzee> although im fully capable of re-keying locks
08:34 < krzee> with a master key for the building
08:34 < krzee> and a grand-master for multiple buildings
08:34 < krzee> (i taught a locksmith some unix, he taught me how to key locks)
08:35 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn
08:35 < ecrist> ah, I did that for a while - you familiar with Best locks?
08:35 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"]
08:35 < krzee> neg
08:36 < ecrist> I worked for them in their electronic access control division (worked for IR, too (owns Schlage)) - learned how to pin and combinate locks there
08:36 < krzee> ahh nice
08:36 < ecrist> learned how to pick and defeat locks there, too.
08:36 < krzee> schlage is good
08:36 < krzee> ya i taught myself that one
08:36 < krzee> i keep picks with me
08:37 < ecrist> taught my father-in-law over christmas how to defeat most padlocks with a piece of aluminum cut from a pop can.
08:37 < ecrist> he was stunned.
08:37 < krzee> http://www.lockpicks.com/browseproducts/Dyno-KWIK-Pick.html
08:37 < vpnHelper> Title: Dyno KWIK Pick (at www.lockpicks.com)
08:37 < ecrist> took me longer to cut the aluminum than to defeat the lock.
08:37 < krzee> thats what i keep on me
08:37 < krzee> ya
08:37 < krzee> done that
08:37 < krzee> but i actually bought pre-made picks of the same nature
08:38 < ecrist> it looks more bad-ass to MacGyver it. ;)
08:38 < krzee> the kind you just push in through the top, same method
08:38 < ecrist> yep
08:39 < krzee> haha thats true
08:39 < krzee> i had to pick my old house with paper clips 2x
08:39 < ecrist> doesn't work on the 'American' locks I was issued in the Army, or my 'Best' locks.
08:39 < krzee> locked myself out and didnt have my kwik pick yet
08:39 < krzee> so my picks were in the house
08:39 < krzee> schlage is pick resistant too cause of the bottom
08:39 < krzee> but you can bump it easy enough
08:39 < ecrist> lol
08:40 < krzee> bumping looks pretty MacGyverish too
08:40 < krzee> you know the technique im referring to?
08:41 < ecrist> when I worked for IR, I made a couple 040404 and 4040404 keys - our mech guy didn't realize why for a few minutes
08:41 < krzee> lol
08:41 < krzee> ok ya you know it
08:41 < krzee> lol
08:41 < ecrist> I've never been able to pick a Medeco lock, though
08:43 < krzee> well ya
08:43 < krzee> youd need to hack the rfid too
08:43 < krzee> which can and has been done
08:43 < krzee> but shit, it aint easy
08:43 < krzee> its more of POC
08:44 < krzee> whoa
08:44 < krzee> http://blog.wired.com/27bstroke6/2008/08/medeco-locks-cr.html
08:44 < vpnHelper> Title: Researchers Crack Medeco High-Security Locks With Plastic Keys | Threat Level from Wired.com (at blog.wired.com)
08:45 < ecrist> hrm
08:45 < ecrist> now, EAC systems I can crack.
08:46 < ecrist> ah, see, that still doesn't work on the Schlage high-security locks.
08:47 < ecrist> they have a second set of pins set at a 45* angle - keys have to be laser-cut.
08:47 < ecrist> |/ - like so
08:47 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
09:00 < krzee> always 45 degrees?
09:01 < krzee> sounds still bumpable if always 45
09:03 -!- kyrix [n=ashley@93-82-5-0.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
09:03 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn
09:06 < ecrist> krzee: if you're on a freebsd system, why are you using the svn version, rather than ports?
09:07 < krzee> [10:18] the link takes you to trac, svn gives a broken version, ports doesnt have it
09:07 < krzee> [04:49] => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
09:07 < krzee> [04:49] => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/.
09:07 < krzee> [04:49] fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host
09:07 < krzee> because ports cant get it
09:07 < krzee> and i cant put the tgz in distfiles, cause theres no tgz
09:09 < ecrist> oh, ports can get it now...
09:10 < ecrist> my FTP was broken, cause of my internet bill not being paid (truck seat gobbled it up last week)
09:10 < ecrist> it's paid now, after a friendly reminder from the disconnect fairy
09:10 < krzee> ahh nice
09:11 < krzee> => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
09:11 < krzee> => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/.
09:11 < krzee> fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host
09:11 < krzee> => Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
09:11 < krzee> fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/ssl-admin-1.0.tar.gz: File unavailable (e.g., file not found, no access)
09:11 < krzee> => Couldn't fetch it - please try to retrieve this
09:12 < krzee> => port manually into /usr/ports/distfiles/ and try again.
09:12 < krzee> btw, i was able to get into your ftp manually last night
09:12 < krzee> the file wasnt there
09:12 < krzee> well i think it was yours, it was late
09:12 < ecrist> fuck
09:12 < ecrist> lemme look
09:12 < krzee> oh no wasnt yours
09:13 < krzee> i still cant get in your ftp
09:13 < krzee> it was fbsd.org that didnt have it
09:14 < ecrist> there
09:14 < krzee> just tested your ftp from chicago and san diego
09:14 < krzee> no dice
09:15 < krzee> oh
09:15 < krzee> there it goes
09:15 < ecrist> my ftp daemon was listening to the old IP address
09:15 < krzee> ahh
09:15 < ecrist> must have missed it a couple weeks ago when I had to change ip space
09:15 < krzee> hehe done that before
09:17 < krzee> cool, bbiaf
09:17 < krzee> headed to the dentist
09:17 < krzee> while it generates my 4096bit keys
09:20 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
09:20 < krzee> Generating a 4096 bit RSA private key
09:20 < krzee> ....................................................++
09:20 < krzee> ....................................................++
09:20 < krzee> writing new private key to 'hash.key'
09:20 < krzee> that does NOT feel right
09:24 < ecrist> let me look at the source
09:24 < ecrist> that's not me.
09:24 < ecrist> that's openssl - so if there's an error, it's there.
09:26 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
09:26 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:26 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 131 (Connection reset by peer)]
09:29 -!- harpal [n=Harpal@122.169.108.195] has quit [Read error: 104 (Connection reset by peer)]
09:31 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
09:31 < ecrist> morning, plaerzen
09:31 < plaerzen> morning ecrist and the rest of ovpn
09:45 < tjz> tjz.ovpn enabled
09:45 < tjz> what's up?
09:45 * tjz connected...
09:46 < tjz> yes sir..
09:48 < ecrist> sup?
09:51 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
10:00 < krzee> ya
10:00 < krzee> thats definitely openssl
10:00 < krzee> but i disagree about the no error thing
10:01 < krzee> there is no way this weak-ass box made a 4096 key that fast
10:04 < krzee> mornin plaerzen
10:08 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 110 (Connection timed out)]
10:10 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
10:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:20 < rubydiamond> Hi people
10:20 < rubydiamond> dazo:
10:20 < rubydiamond> Mon 01/12/09 09:53 PM: expected peer address: 61.8.142.106:11668 (allow this incoming source address/port by removing --remote or adding --float)
10:20 < rubydiamond> getting above error
10:20 < rubydiamond> ecrist: ^
10:20 < krzee> same address, right?
10:21 < krzee> the peer really is at 61.8.142.106...?
10:21 < rubydiamond> hmm
10:21 < rubydiamond> krzee: dont know
10:21 < krzee> how dont you know?
10:21 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
10:21 < rubydiamond> krzee: oslo.mangospring.net
10:21 < rubydiamond> its this
10:22 < krzee> ok ya thats same ip
10:22 < krzee> add float
10:22 < krzee> !man
10:22 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:22 < krzee> --float
10:22 < krzee> Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.
10:22 < krzee> Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
10:23 < rubydiamond> krzee: what exact line should I add?
10:23 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
10:23 < krzee> float
10:24 < rubydiamond> krzee: check pm
10:24 < krzee> why pm?
10:24 < krzee> add the word float
10:25 < rubydiamond> okay
10:25 < krzee> [12:28] *!rubydiam@unaffiliated/rubydiamond* added to ignore list.
10:25 < krzee> dont do that again
10:25 < krzee> !pastebin
10:25 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
10:25 < krzee> if you need to paste your config, do it that way
10:26 < rubydiamond> hmm
10:26 < rubydiamond> okay
10:27 < ecrist> you've been told that before, iirc
10:27 < rubydiamond> krzee: https://gist.github.com/768317f51404e11d5cf9
10:27 < vpnHelper> Title: gist: 768317f51404e11d5cf9 GitHub (at gist.github.com)
10:27 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
10:28 < krzee> [12:26] krzee: what exact line should I add?
10:28 < rubydiamond> krzee: nothing happens.. it stops there
10:28 < krzee> [12:27] float
10:28 < rubydiamond> sorry krzee
10:29 < krzee> hrm
10:29 < krzee> odd that youd get that error now
10:29 < krzee> did you kill openvpn and start it again?
10:29 < rubydiamond> krzee: on server?
10:29 < krzee> maybe forgot to put 1 side back up
10:30 < krzee> put float in whatever config was complaining
10:30 < krzee> kill both sides
10:30 < krzee> start server
10:30 < krzee> start client
10:30 < rubydiamond> krzee: I cannot kill the server side
10:30 < rubydiamond> its in my office
10:30 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit ["Leaving"]
10:30 < krzee> it was client complaining?
10:31 < rubydiamond> krzee: yes
10:31 < krzee> ok
10:31 < krzee> add float
10:31 < krzee> kill client start client
10:31 < krzee> oh, do you have redirect-gateway in your config?
10:32 < rubydiamond> krzee: it stops here https://gist.github.com/768317f51404e11d5cf9
10:32 < vpnHelper> Title: gist: 768317f51404e11d5cf9 GitHub (at gist.github.com)
10:32 < krzee> no it doesnt
10:32 < krzee> it pauses there
10:32 < krzee> [12:34] oh, do you have redirect-gateway in your config?
10:33 < rubydiamond> krzee: here is my config https://gist.github.com/6d4cf59a469f1b6d47cd
10:33 < vpnHelper> Title: gist: 6d4cf59a469f1b6d47cd GitHub (at gist.github.com)
10:33 < rubydiamond> krzee: is there any redirect-gateway?
10:35 < rubydiamond> krzee: ?
10:35 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn
10:36 < suprsonic> can I specify a subnet when creating a site to site vpn with ifconfig ?
10:38 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn
10:38 < rubydiamond> krzee: could you please help
10:40 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
10:41 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
10:41 < krzee> rubydiamond, it would be in the server config
10:42 < krzee> suprsonic, a subnet?
10:42 < rubydiamond> krzee: oh sad
10:42 < suprsonic> yes
10:42 < krzee> for what use suprsonic
10:42 < suprsonic> site to site vpn
10:42 < suprsonic> right now I have two tunnel devices
10:42 < krzee> the subnet would be for what use
10:42 < suprsonic> each assigned a /24 range from what I can tell
10:43 < suprsonic> so like tun0 = 192.168.1.0/24 and tun1 = 192.168.2.0/24
10:43 < krzee> no, and what would be the point?
10:43 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
10:43 -!- AwayML is now known as AndyML
10:43 < suprsonic> so I don't blow a whole /24 subnet
10:43 < krzee> umm, i dont get it
10:44 < suprsonic> would prefer to subnet into /30 subnets
10:44 < krzee> you're talkin bout blowing 2 of them
10:44 < krzee> a site to site only uses 2 ips
10:44 < krzee> nothing but the 2 ips
10:44 < krzee> the /30 stuff is for server/client
10:45 < krzee> you're talkin point to point, only 2 ips, no /24's
10:45 < suprsonic> okay
10:45 < suprsonic> so are you saying I can do this
10:45 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:45 < suprsonic> tun0 = 192.168.0.1-2, tun1 = 192.168.0.3-4?
10:46 < krzee> # 10.1.0.1 is our local VPN endpoint
10:46 < krzee> # 10.1.0.2 is our remote VPN endpoint
10:46 < krzee> ifconfig 10.1.0.1 10.1.0.2
10:46 < krzee> (from the manual)
10:46 < krzee> (also in openvpn.net/examples.html
10:46 < krzee> )
10:47 < suprsonic> tun0 = 192.168.0.1-2, tun1 = 192.168.0.3-4?
10:47 < suprsonic> are you saying I can do that?
10:47 < krzee> 2 tuns on same machine?
10:47 < suprsonic> yes
10:47 < krzee> lets say tun0 connects to box1
10:48 < krzee> tun0 would be 0.1
10:48 < suprsonic> agreed
10:48 < krzee> box1 would have a tun with 0.2
10:48 < krzee> lets say tun1 connects to box2
10:48 < suprsonic> agreed
10:48 < krzee> tun0 would be 0.3
10:48 < krzee> box2 would have a tun with 0.4
10:48 < krzee> oops
10:48 < suprsonic> oh
10:48 < krzee> tun1 would be 0.3
10:48 < krzee> box2 would have a tun with 0.4
10:48 < suprsonic> yeah
10:48 < suprsonic> okay
10:49 < krzee> dev tun
10:49 < krzee> remote mypeer.mydomain
10:49 < krzee> ifconfig 10.1.0.1 10.1.0.2
10:49 < krzee> secret static.key
10:49 < krzee> thats an entire config
10:50 < suprsonic> keepalive?
10:50 < suprsonic> hehehhe
10:50 < krzee> other side would be the same, but remote to other box and ifconfig reversed
10:50 < krzee> ya keepalive is a good thing to add
10:50 < krzee> im just giving you the simplest example from the manual
10:50 < krzee> On may:
10:50 < krzee> openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key
10:50 < krzee> On june:
10:50 < krzee> openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
10:51 < suprsonic> thanks for the help!
10:51 < krzee> yw
10:57 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit ["Leaving"]
10:58 < krzee> !servercert
10:58 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
11:11 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn
11:11 < suprsonic> krzee so can ospf be used between links?
11:13 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn
11:13 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"]
11:20 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
11:22 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
11:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:36 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."]
11:36 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit [Connection timed out]
11:36 -!- kyrix [n=ashley@93-82-15-151.adsl.highway.telekom.at] has joined ##openvpn
11:45 < kyrix> inet addr:10.8.142.6 P-t-P:10.8.142.5 Mask:255.255.255.255 what does the p-t-p address stand for?
11:45 < kyrix> is that the server ip, or the client ip in the tunnel?
11:47 < kyrix> and when i set push route ... to allow access to the servers network, it sets the gw to 10.8.142.5, but the server is 10.8.142.1, any ideas where i am messing up?
11:48 * dazo thought p-t-p links had 255.255.255.252 as netmask .... maybe he remembers wrong
11:51 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:52 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."]
11:56 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: mcp, Typone
11:56 -!- Netsplit over, joins: mcp, Typone
11:57 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: mcp, Typone
11:58 -!- Netsplit over, joins: mcp
11:59 -!- Typone [n=nitsme@195.197.184.87] has joined ##openvpn
12:07 -!- kyrix [n=ashley@93-82-15-151.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:11 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit []
12:11 -!- vladi [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn
12:12 < vladi> hi, i have multiple openvpn clients on the same machine whats the proper way to enable the management interface?
12:14 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:19 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:21 -!- dazo is now known as dazoafk
12:23 < xattack> hello guys , has anybody been successful compiling openvpn in windows , since rc13 and with the prebuilds ?
12:25 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has left ##openvpn []
12:30 -!- AndyML is now known as AwayML
12:40 -!- jeiworth_ [n=jeiworth@189.163.173.75] has joined ##openvpn
12:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:42 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection]
12:44 < jeiworth_> hi @ll, i am currently implementing openvpn on ubuntu as test system for a company and so far everything seems to be working ok :-) anyway, it might be that i will have to train somebody to manage the server (primarily creating and distributing client-keys and installing and configuring openvpn on windows xp and vista boxes) so i am looking for a decent gui for the openvpn server. i am a bit worried about the links provided on the openvpn site since they all seem to be quite old and no longer maintained, the webmin plugin might be a solution but webmin is no longer in the official repos of ubuntu, but then again neither are any of the guis... anyone got any tips or recommendations?
12:45 -!- jeiworth_ is now known as jeiworth
12:48 -!- int [n=quassel@wikia/int] has joined ##openvpn
12:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:49 < jeiworth> !route
12:49 < vpnHelper> jeiworth: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:13 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)]
13:31 < reiffert> xattack: at least one guy ...
13:32 < reiffert> jeiworth: see that pic on openvpn.net? http://openvpn.net/images/webgui-screenshot.png
13:34 < jeiworth> hi reiffert, yep
13:36 < jeiworth> which one is that?
13:37 < reiffert> openvpn web gui
13:41 < jeiworth> reiffert: ok, is that built in? on openvpn.net i only find information about how to set up the management interface and when i go to the gui-link it only lists me external tools
13:41 < jeiworth> :-/
13:43 < reiffert> it's not built in.
13:49 < jeiworth> well, thats what i thought, i already found it and latest version is 0.3 beta from september 2005
13:50 < reiffert> It's working quite well.
13:51 < reiffert> so why should one develop a working thing?
13:51 < reiffert> rename it to 1.0.0.0.__FINAL__.0.0.0?
13:52 < reiffert> after all the whole PKI stuff is some shell scripts, building and signing and key deployment is a three step thing.
13:52 < jeiworth> hehe ok, my concern here is more in the direction whether the webgui from 2005 supports all features of openvpn 2.1, that is all ;)
13:53 < xattack> reiffert : thks man , and do you know if he has some feedback about this work , or in this "system" ( I mean ms WIN)
13:54 < xattack> ;)
13:55 < reiffert> jeiworth: it supports PKI, thats all.
13:56 < reiffert> xattack: all I know is one can download the binary images from openvpn.net, did you try the mailinglist/author yet?
13:58 < xattack> not yet tried that , i have the binary prebuilds and the mingw environment , and when i tried to compile it , just fail !!
13:58 -!- phretor [n=phretor@host179-156-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
13:58 < phretor> hello
13:59 < phretor> I am having troubles using bridge-start/stop scripts
13:59 < xattack> well , not like that , something in the cryptoapi.c and wincrypt.h points an error , but just in Win systems in all *nixes this works fine
14:00 < reiffert> Last time I tried myself on win32, I stopped after 2 hours with winsuck() switching to cygwin where everything looks fine again.
14:01 < jeiworth> reiffert: kk thanks, will give it a try
14:03 < phretor> this is my network scheme: Internet <---> DSL <----> [WAN:router:LAN 192.168.1.0/24] <---> [eth0(192.168.1.55):openvpn-server:tap0,br0] and this is the server config file: http://pastie.org/358935
14:03 < xattack> reiffert: thanks , jajaja im gonna still try this , I was successful compiling version 2.1_rc7 with MSVC express but not 2.1_rc13 with mingw and prebuilds
14:05 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
14:05 < phretor> here is the bridge-start http://pastie.org/358936 script
14:06 < phretor> is it correct that the script attempts to assign eth0's address to br0?
14:06 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection]
14:08 < phretor> any suggestion?
14:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit []
14:16 -!- phretor [n=phretor@host179-156-dynamic.21-79-r.retail.telecomitalia.it] has quit []
14:17 -!- int [n=quassel@wikia/int] has joined ##openvpn
14:17 < reiffert> xattack: rite, msvc express, should have mentioned that before
14:17 < xattack> ?
14:18 < reiffert> xattack: it exists, downloadable at m$.com
14:19 < xattack> yes , i have it installed in this computer , but as far as i have read the new compiling method is just with mingw , not msvc or any other , am I right ?
14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:39 < reiffert> xattack: I have no idea.
14:49 < xattack> reiffert : ok thanks , im still looking for the solution for this , see ya later
14:49 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
15:35 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
15:44 < krzie> sup reif
15:59 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
17:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:51 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
17:51 < Ricoshady> are there any special things I can do to help optimize, stabilize openvpn and samba?
17:53 < krzie> well
17:54 < krzie> if using tun, wins server helps
17:54 < krzie> if using tap, switching to tun and running wins
17:54 < krzie> (to have less overhead)
17:55 < krzie> if using tcp, going to udp will help big time
17:55 < krzie> and checking your MTU could help if its not optimal
17:56 < krzie> if you wanna know how or why for any of those, say so
18:36 < Ricoshady> what does the wins server do? basically, its a little choppy, it comes up, but if the vpn fails, and restarts, the share doesnt always pop back up right away
18:36 < Ricoshady> im on udp
18:37 < Ricoshady> using tun
18:37 < Ricoshady> not sure about MTU, set to default whatever that would be
18:40 < krzie> Ricoshady wins is not part of openvpn
18:40 < krzie> but it may help you a bunch
18:40 < krzie> you could think of it as DNS for netbios
18:41 < krzie> and since samba is made to be a layer2 protocol, when you use it as layer3 you should run samba
18:41 < krzie> it should help them pop back up
18:41 < krzie> !mtu
18:41 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
18:41 < krzie> #2 is easiest way
18:46 < Ricoshady> dont mind giving it a try, what wins server do you recommend, linux?
18:46 < Ricoshady> do I need to configure samba to use the wins server? or how does it work?
18:46 < krzie> its a 1 line addition to your samba config
18:46 < krzie> samba is the wins server
18:47 < Ricoshady> wait, so i dont need to install anything? how do I turn on the wins server?
18:47 < krzie> nothing extra to install
18:48 < krzie> by adding a line to samba config
18:48 < Ricoshady> whats the line
18:48 < krzie> http://oreilly.com/catalog/samba/chapter/book/ch07_03.html
18:48 < vpnHelper> Title: [Chapter 7] 7.3 Name Resolution with Samba (at oreilly.com)
18:48 < krzie> ive never used samba
18:48 < krzie> but thats all you should need to know
18:49 < krzie> you cant use bcast
18:49 < krzie> but the other 3 methods should be fine
18:49 < krzie> lmhosts / hosts are static files
18:50 < krzie> wins option is dynamic
18:50 < Ricoshady> trying it out
18:50 < krzie> 7.3.3 Setting Up Samba as a WINS Server
19:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
19:52 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:58 -!- vladi [n=vladi@206-169-1-36.static.twtelecom.net] has quit ["Lost terminal"]
19:58 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
20:05 -!- tjz [n=tjz@121.7.98.165] has joined ##openvpn
20:06 < tjz> wow
20:06 < tjz> my auto join works for openvpn channel now
20:06 < tjz> no idea what kind of changes is made on the irc server..
20:11 < ecrist> evening, bitches
20:11 < krzie> tjz, all depends if your nickserv auths before trying to join
20:12 < krzie> may get lucky sometimes if your client doesnt have the option to wait
20:12 < ecrist> I removed the +r from the channel
20:12 < krzie> ahhh
20:12 < krzie> that would do it too
20:12 < krzie> hehe
20:14 < tjz> eric!!
20:14 < tjz> no wonder it works now!
20:14 < tjz> hahahaha
20:15 < ecrist> we don't like you though, so....
20:15 < krzie> lol
20:15 < tjz> x_x
20:15 < tjz> :(
20:15 -!- mode/##openvpn [+r] by ChanServ
20:15 < tjz> oh no
20:15 < krzie> poor tjz
20:15 < tjz> :P
20:15 < tjz> i have to do extra work
20:15 < tjz> like eg. type /join openvpn manually
20:15 < tjz> hehehehe
20:16 -!- mode/##openvpn [+o ecrist] by ChanServ
20:16 -!- mode/##openvpn [-r] by ecrist
20:16 -!- mode/##openvpn [-o ecrist] by ecrist
20:17 -!- mode/##openvpn [+o tjz] by ChanServ
20:17 -!- mode/##openvpn [+o krzie] by ChanServ
20:17 <@tjz> x_x
20:17 -!- mode/##openvpn [-o tjz] by krzie
20:17 < tjz> op is abusing the channel bot
20:17 -!- mode/##openvpn [-o krzie] by krzie
20:17 < krzie> hehe
20:17 < tjz> lol
20:18 < krzie> <-- bored
20:18 -!- mode/##openvpn [+o ecrist] by ChanServ
20:18 -!- krzie was kicked from ##openvpn by ecrist [ecrist]
20:18 -!- mode/##openvpn [-o ecrist] by ecrist
20:19 < ecrist> lol
20:19 < simplechat> what?
20:20 -!- simple_bot [n=betabot@betacorp.net] has joined ##openvpn
20:20 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
20:20 < tjz> oh man
20:21 < ecrist> <-- bored
20:21 < tjz> lol
20:21 < tjz> not another one
20:21 < tjz> lol
20:21 < tjz> <-- i'm a little bored
20:21 < tjz> LOL
20:21 < ecrist> why is there another bot in here?
20:21 < krzie> another bot?
20:22 < tjz> don't think we have another bot..
20:22 < tjz> chanserv is the only one around..
20:22 < tjz> oh
20:22 < krzie> not true tjz
20:22 < tjz> we have brother vpnHelper
20:22 < tjz> ehhehe
20:22 < krzie> yup
20:22 < tjz> !help sex
20:22 < vpnHelper> tjz: Error: There is no command "sex".
20:22 < tjz> lol
20:22 < krzie> oh simple_bot
20:22 < krzie> hrm
20:23 < krzie> ... CTCP VERSION reply from simple_bot: xchat 2.8.4 Linux 2.6.27.9-73.fc9.i686
20:23 < krzie> [i686/2.39GHz/SMP]
20:23 < krzie> seems to just be the name
20:23 < simple_bot> what are you doing?
20:23 < simple_bot> krzee, ?
20:23 < krzie> trying to figure out if you were a bot, lol
20:24 < tjz> LOL
20:24 < simple_bot> of course i'm not a bot
20:24 < tjz> omg
20:24 < simplechat> i'm just bounced
20:24 < ecrist> your nick would imply otherwise
20:24 -!- simple_bot is now known as simple_not_a_bot
20:24 < krzie> im sure you can see how the name would throw me off
20:24 < simple_not_a_bot> better?
20:24 < krzie> hahaha
20:24 < ecrist> much better
20:24 < tjz> sexual abuse the simple_bot
20:24 < tjz> hehehehe
20:24 < simple_not_a_bot> tjz, computer says no
20:24 < tjz> LOL
20:24 < simple_not_a_bot> :)
20:25 < simple_not_a_bot> .....
20:25 -!- simple_not_a_bot [n=betabot@betacorp.net] has left ##openvpn ["Leaving"]
20:25 < ecrist> aw
20:25 < ecrist> he must not have liked my /ctcp simple_not_a_bot in_teh_butt
20:59 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has quit ["Ex-Chat"]
20:59 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
21:04 < krzie> sq 4595
21:04 < krzie> #4595: * krzee penetrates tdc's network * tdc is scared of krzee
21:04 < krzie> krzee stop haxing tdc haxing!? im
21:04 < krzie> having sexual relations with his network
21:04 < tjz> LOL!!!
21:04 * tjz rolling around.. LOL
21:04 < krzie> hehehe
22:41 -!- hackmykack2345 [n=neil@122.169.104.151] has joined ##openvpn
22:42 < hackmykack2345> hi Guys
22:43 < hackmykack2345> needed some help trying to connect to an openvpn server from multiple clients using the same key
22:43 < hackmykack2345> was wondering if that is even possible
22:44 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:49 < dvl> Why would you want duplicate keys?
22:49 < dvl> What is the problem?
22:49 < hackmykack2345> dvl: Hey dvl .. thnx for replying !!!
22:49 -!- tjz [n=tjz@121.7.98.165] has quit [Read error: 110 (Connection timed out)] 22:50 < hackmykack2345> dvl: i wanted multiple people to connect to my openvpn server 22:51 < hackmykack2345> dvl: should I just start multiple instances of openvpn with separate conf and key files? 22:51 < hackmykack2345> dvl: or is there an easier method ? 23:00 -!- Solarbaby [n=solarbab@adsl-69-228-2-165.dsl.irvnca.pacbell.net] has joined ##openvpn 23:00 < dvl> hackmykack2345: create one openvpn server, to which multiple clients can connect. 23:00 < Solarbaby> dvl: ready for round 2? 23:00 < dvl> http://www.freebsddiary.org has how I did it. 23:00 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org) 23:00 < dvl> Solarbaby: no, I'm ready for bed. 23:00 < Solarbaby> heheh I dont blame ya 23:00 < Solarbaby> I changed my router since the last time we spoke 23:01 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 23:01 < Solarbaby> dvl: thanks for the help the other day 23:03 < hackmykack2345> dvl: so the CA way is the way to go then ? 23:03 < hackmykack2345> dvl: shall read up on your link .. thnx so much for the help 23:04 < hackmykack2345> dvl: have a great evening / night 23:17 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 148 (No route to host)] 23:33 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn --- Day changed Tue Jan 13 2009 00:11 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 00:11 -!- hackmykack2345 [n=neil@122.169.104.151] has left ##openvpn ["Leaving"] 00:30 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 00:32 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 00:33 < Ricoshady> in examples I read, after the vpn is up, they add a route... im not sure what this is for... 
the example added a route for 10.0.1.0, but I change the ip address to 10.108.42.1, so what route should I add and what is its purpose? 00:40 < Ricoshady> also, when I build the keys after a make-clean, are the keys going to be different if I put in the same values when building the certs? 00:44 < krzee> same values for what 00:49 < Ricoshady> the cert values, common name, etc 00:49 < Ricoshady> or does build-dh create unique keys each time 00:50 < Ricoshady> im just wondering, if someone got hold of the keys, youd want to generate new ones, wanted to know if I went thru the same process, would the keys come out the same 00:53 < Ricoshady> also, what if I want to create new client keys after I went thru the whole process 01:05 -!- Jorj [n=dfdsfsf@vpnc036.ugent.be] has joined ##openvpn 01:05 < Jorj> !route 01:05 < vpnHelper> Jorj: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:10 < Jorj> I'm just starting to learn some things about openvpn and have a small question, most configs I have seen seem to assume a local ip of the server. But I'm trying to configure the setup: internet on client is provided via cisco vpn, but I want to use an openvpn tunnel to access internet locations via a VPS, where the openvpn server should be hosted. 01:12 < krzee> the cisco vpn is totally separate? 01:12 < Jorj> My VPS doesn't have a local ip though, only an external one, setting one in the config doesn't work. But I can already connect to the openVPN on the VPS. But I can't ping the virtual ip of the server (10.10.10.1 according to the ifconfig), neither can I access internet locations only accessible via the VPS. I know this is probably some firewall/routing problem, but I would appreciate any general guidelines. 01:12 < krzee> or you are hoping to hook openvpn up to cisco? 01:13 < Jorj> It should be configured such that all the internet is then routed via the openvpn. 
01:13 < Jorj> Yes, I'm in a local network where the internet is provided through VPN. 01:13 < krzee> ok 01:13 < Jorj> (that cisco vpn). 01:13 < krzee> on the vps 01:13 < krzee> you put the ip it has 01:13 < krzee> if that is inet routable, so be it 01:14 < Ricoshady> does anyone ave suggestions on the server/client keys? what if after I've run build-dh I need more client keys? 01:14 < krzee> whatever local address it can bind to 01:14 < krzee> Ricoshady, make them...? 01:14 < krzee> [02:54] im just wondering, if someone got hold of the keys, youd want to generate new ones, wanted to know if I went thru the same process, would the keys come out the same 01:15 < Jorj> krzee: Do you mean setting the local var in the server.conf, to the internet ip? 01:15 < Jorj> I'm not really experienced, sorry. :-) 01:15 < krzee> if that is the ip in ifconfig, yes 01:15 < Jorj> Well, I tried that, but I couldn't start the server. 01:16 < krzee> then you prolly have another problem, are you looking at your logs? 01:16 < Jorj> And I couldn't find an error. 01:16 < Jorj> Hm yeah, I tried looking in messages, where I could see other openvpn related error messages, but none showed up. 01:17 < krzee> Ricoshady, you would add the compromised keys to your CRL 01:17 < krzee> and build more keys 01:17 < krzee> as long as the ca.key is not compromised, your vpn is safe 01:17 < krzee> Jorj, 01:17 < krzee> !logs 01:17 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 01:17 < Jorj> Found the error. :P 01:17 < krzee> !configs 01:17 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:17 < krzee> ahh 01:17 < krzee> ill bbiad 01:17 < krzee> ill bbiaf 01:18 < krzee> getting smokes 01:18 < Jorj> Thanks for the help already. 
:-) 01:18 < Ricoshady> so I can continue to create more client keys without running build-dh? 01:18 < Ricoshady> im not sure what the CRL is 01:23 < Ricoshady> how do I put client keys in the CRL? 01:26 < Jorj> krzee: I have restarted the VPS openvpn-server with the local parameter set to the external/internet ip. The ip address of the tun adapter is 10.10.10.1 and the ip of the connected client is 10.10.10.6. I still can't ping the 10.10.10.1 (VPS virtual ip) from the client (or the other way around). I think I have to get this figured out before I have to add the route parameters, right? Since the routing will go through the virtual ip? : 01:27 < Jorj> 10.10.10.6 -> 10.10.10.1 -> "local": internet ip 01:33 < dazoafk> Ricoshady: you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) ... that will create the CRL file for you 01:33 -!- dazoafk is now known as dazo 01:34 < dazo> Ricoshady: CRL = Certificate Revocation List ... contains certificates which have been revoked, and if a client tries to connect with a certificate which has been revoked (listed in the CRL), the user will be denied access immediately 01:34 -!- rodpod [i=rod@hick.org] has joined ##openvpn 01:37 < krzee> Jorj, if you have no errors, your problem could be that you have your inet over a vpn 01:38 < krzee> having not tested that myself, i cant say 01:39 < Jorj> Well, it's annoying that I don't have another connection to test, bleh. But in theory it should work I think. 01:41 < Jorj> It's so weird that I can't ping the connected client from the VPS... 01:41 < Jorj> client-to-client is enabled too. 
01:44 < krzee> client-to-client has nothing to do with that 01:44 < krzee> if its not your firewall, its your vpn breaking the routing 01:44 < krzee> in fact it makes sense that the vpn would break the routing 01:45 < krzee> since openvpn reaches the vpn via routing table, which would break your cisco vpn connection even if it worked 01:45 < krzee> which would keep it from working even then 01:45 < krzee> since you have no inet without that 01:45 < krzee> so ya, my vote says it wont happen 01:46 < Jorj> Ha, yeah, could be. :P Problem is, my inet is filtered by the cisco vpn. I even had to run the openvpn at tcp instead of udp, because the cisco firewall blocks most udp connections. 01:47 < Jorj> But it also blocks certain websites and in general most ports, disabling online gaming and other uses the internet was intended for (;)). :P 01:48 < Jorj> I thought, I'll tunnel all that traffic so I can play a game, or just access unrestricted internet. 01:48 < krzee> socks 01:48 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 01:48 < krzee> or ssh tunnels 01:48 < Jorj> Yeah, but not for games, unless using a special program to let the game use the proxy? 01:49 < Jorj> Because I can't config socks/proxy for most games. 01:49 < krzee> i use proxifier to tunnel anything that uses tcp/ip through socks 01:49 < Jorj> Oh really, I tried proxifier actually. 01:49 < Jorj> I'll set up a simple socks proxy via ssh and try that, thanks. 01:49 < krzee> np 01:49 < krzee> note, this isnt a help channel for that, so i wish you good luck with it 01:50 < Jorj> Yes, I know, but you helped anyway. Thanks. :-) 01:51 < krzee> np 01:52 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 01:52 < krzee> also 01:52 < krzee> if those games communicate over lan normally (layer2) socks wont help you 01:52 < Ricoshady> dazo, thanks... so after I create the CRL, do I need to put something in the config? and copy the CRL somewhere? 
01:53 < krzee> !man 01:53 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 01:53 < dazo> Ricoshady: 10 points! 01:53 < dazo> !crl 01:53 < vpnHelper> dazo: Error: "crl" is not a valid command. 01:53 < dazo> darn 01:53 * dazo wanted to be clever :-P 01:53 < krzee> --crl-verify crl 01:53 < krzee> Check peer certificate against the file crl in PEM format. 01:53 < krzee> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. 01:53 < krzee> Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI. 01:53 < krzee> The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. 01:53 < krzee> dazo, good call tho 01:54 < dazo> :) 01:54 < krzee> !learn crl as --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. 01:54 < vpnHelper> krzee: Joo got it. 01:55 < krzee> !learn crl as you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you 01:55 < vpnHelper> krzee: Joo got it. 
01:56 < Ricoshady> so revoke-full it will add to the CRL file, and I just make sure openvpn knows about it 01:56 < Ricoshady> knows where the current CRL file is I mean 01:56 < reiffert> !local 01:56 < vpnHelper> reiffert: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 01:56 < krzee> rup reif 01:57 < reiffert> moin 01:57 < Ricoshady> I assume I need all the original key information as well 01:57 < dazo> Ricoshady: yup ... no more magic than that 01:57 < reiffert> But local is something different, --local 01:57 < Jorj> krzee: (this is somewhat ontopic) I still can't really comprehend why the traffic would still be blocked. I mean, I can setup a SSH connection, route encrypted/non-filtered traffic through there, so in theory it should be perfectly possible to route all traffic from a game through the tunnel and back, no? 01:57 < krzee> !forget local 01:57 < vpnHelper> krzee: Joo got it. 01:57 < dazo> Ricoshady: it's the CA which will create the CRL ... so the CA knows about the cert, yes 01:57 < krzee> reiffert, but nobody has ever had a question about --local before 01:57 < krzee> before tonight 01:57 < krzee> much more useful as is 01:58 < krzee> !learn local as a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 01:58 < vpnHelper> krzee: Joo got it. 01:58 < krzee> but without my typo ;] 01:58 < Ricoshady> will the easy-rsa directory work anywhere? would rather move it from the examples directory 01:58 < reiffert> yep 01:58 < Jorj> Ricoshady: yeah. 01:59 < krzee> --local is the ip to bind to, the only way to be confused by that is if you bypass ALL docs and just try walkthroughs 01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:02 < dazo> Ricoshady: Have a look in the vars file inside the easy-rsa directory ... 
you can change the EASY_RSA variable to wherever you would like it ... and the same goes for the KEY_DIR as well 02:03 < dazo> you'll need to source this file (source ./vars) anyway whenever you call any of the scripts in this directory 02:04 < dazo> Ricoshady: you can also try to write "make" in that dir ... and you'll get simple install instructions 02:05 < krzee> hah i never noticed there was a Makefile 02:05 < Ricoshady> thanks guys, seems to be working well, cool stuff... 02:05 < krzee> dazo, ever tried ssl-admin? 02:06 < dazo> krzee: nope ... I've been using tinyca one place where I wanted to be gui-lazy, though :-P 02:06 < krzee> haha werd 02:06 < krzee> this is the in-between 02:06 < dazo> krzee: ssl-admin .... any url? ... sounds interesting 02:06 < Ricoshady> can I route my vpn server address 10.? to the local net 192.? 02:07 < krzee> menu driven text based interface 02:07 < krzee> !ssl-admin 02:07 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 02:07 < Ricoshady> so I can ping other pcs 02:07 < dazo> TUI :-P 02:07 < krzee> there was an issue in svn this morning with r35 02:07 < krzee> but ports version worked fine 02:07 < krzee> but i told ecrist and he may have fixed it 02:08 < krzee> Ricoshady, 02:08 < krzee> !route 02:08 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 02:09 < krzee> ssl-admin is written in perl, and is the lazy text-based cert manager 02:10 < dazo> krzee: :) ... I'll have a look into that one, seems better ... 02:10 < krzee> right on 02:10 < krzee> what os do you use? 02:10 * dazo this reminds me to set up a proper off-line box for a proper CA 02:10 < dazo> krzee: Linux .... 
mostly Gentoo and Fedora 02:11 * dazo is scrapping Ubuntu soooon 02:11 < krzee> ahh cool, lemme know if ssl-admin is in emerge yet 02:11 * dazo is looking fwd to dhat 02:11 * dazo checks portage 02:11 < dazo> krzee: can't say I see ssl-admin in any obvious places, though :( 02:12 < dazo> emerge/portage - that is 02:12 < krzee> emerge --search ssl-admin 02:13 < dazo> as I said, not in any obvious places ;-) 02:13 < dazo> anyone volunteered for putting it into portage? 02:13 < Ricoshady> pretty impressed so far with openvpn! its cool 02:14 < dazo> Ricoshady: you can have a look at http://www.eurephia.net/ ... and you'll see even cooler things you can do with openvpn :-P 02:14 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 02:14 < krzee> dazo, well someone submitted it for me 02:15 < Ricoshady> cool I was wondering about username/passwords actually 02:15 < dazo> krzee: ahh ... goodie, then it'll show up at some point for sure :) 02:15 < krzee> cause I wrote the ./configure script that would setup the Makefile to install it for linux 02:15 < Ricoshady> is there a windows client that doesnt just open a dos window? 02:15 < Jorj> Openvpn gui. 02:15 < Jorj> www.openvpn.net 02:15 < krzee> but they didnt like that i used a configure script because it is better done by a proper Makefile 02:16 < dazo> Ricoshady: yeah ... you're using openvpn server on Windows? ... hmmm ... not sure how well eurephia will play then :( 02:16 < krzee> which is true, i just havnt gotten to it 02:16 < dazo> Jorj: Ricoshady: ... 
if you'll take the official openvpn from http://openvpn.net/ for windows, openvpn gui is included here, at least for the 2.1RC releases 02:16 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 02:17 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 145 (Connection timed out)] 02:18 < Ricoshady> i have openvpn gui, but it just opens little icon in the tray that doesnt have any options when I right click, like "about" 02:18 < dazo> krzee: http://bugs.gentoo.org/250611 02:18 < vpnHelper> Title: Gentoo Bug 250611 - [NEW EBUILD] net-misc/ssl-admin (at bugs.gentoo.org) 02:19 < Jorj> You have to paste the configuration files in the openvpn/config folder. 02:19 < dazo> Ricoshady: you haven't configured openvpn-gui correctly ... you'll need to place config files in a special folder and using the .ovpn extension 02:20 < Ricoshady> yea, i just found the readme, sorry for the dumb question 02:20 < dazo> Ricoshady: you'll also find the config folder via the Start menu as well .... start -> Programs -> openvpn ...something, don't remember now 02:21 < Ricoshady> any performance difference between dos window and gui? 02:23 < Ricoshady> damn eurephia looks cool 02:24 < Ricoshady> how easy to get going? 02:24 < dazo> Ricoshady: shouldn't be ... it's different processes, and I don't expect writing to log pipe from openvpn should make openvpn lag ... that'd be pretty lame 02:25 < dazo> Ricoshady: well, it's only tested on linux, that can be a downside .... I've never heard anyone trying it on Windows ... but if you have a linux box being a openvpn server, it shouldn't be too difficult 02:26 < dazo> Ricoshady: but be aware, it's beta still ... and the security regarding password hashing is pretty lame at the moment .... but I'm working on improving that nowadays 02:26 < Ricoshady> my vpnserver box is debian 02:27 < dazo> Ricoshady: have a look at the wiki, and you'll have the hard way to set it up ... 
the admin utils are able to help you out with some simple things when you first have added the first user manually into the database 02:27 < dazo> Ricoshady: debian should be no prob 02:28 < Ricoshady> the custom firewall rules are cool 02:28 * dazo hopes nobody here minds the eurephia discussion on ##openvpn .... 02:28 < dazo> Ricoshady: yeah, I'm using that pretty much as well, and it works like a charm :) 02:29 < Ricoshady> one other question on openvpn... in the server config config I use "ifconfig sip cip" what if I have multiple clients? 02:29 < dazo> Ricoshady: I have a setup with 3 different network segments ... and my users get only access to computers on the segment they are authorised for 02:29 < dazo> Ricoshady: you should probably use server-pool ... if I remember correctly 02:29 * dazo checks a config file 02:30 < dazo> Ricoshady: I'm using dev-type tap ... so I'm not using tun, first of all .... and then I'm using "ifconfig-pool" to have a fake DHCP server for the openvpn connections 02:32 < Ricoshady> does tun only allow one connection? 02:32 < Ricoshady> can I see your config? 02:32 < dazo> Ricoshady: Probably not, but I think it is more config work ... 02:32 < dazo> Ricoshady: sure .... just a sec 02:33 < Ricoshady> and why did you pick tap? does it require any extra work to use tap? 02:35 < dazo> Ricoshady: http://pastebin.com/d68527bbc 02:36 < dazo> Ricoshady: just because I like to be low-level on the interface .... I was also playing with some bridging, and it's just become my "default" setup, kind of 02:37 < dazo> Ricoshady: what this config do not do, is to prepare the vpn0 interface (I've also renamed the tap interface) .... so that's done via my distro's own network startup script ... but that could most probably also set up by using --server 02:41 < Ricoshady> i wonder tho, my tun0 device states both ips, the sip and cip, makes me think it only handle one connection 02:47 * dazo don't remember the gory details now ... 
too long ago since last time he tried tun devices 02:48 < dazo> Ricoshady: ahh! I think I also used tap to enable Windows clients ... I believe that it was some issues with Windows and tun devices ... but don't remember if this was just misinterpretation or if it was a reality 02:48 * dazo got it working with tap, and didn't think more about it 02:49 < Ricoshady> i like the keepalive and push statements in your config, im using em now 02:50 < Ricoshady> man this is the shit 02:51 * dazo wonders if shit == gold in this context :-P 02:53 * Ricoshady nods 02:55 < Ricoshady> if you put up a VPN on a port like 80, and routed inet traffic on the client thru the VPN, you could circumvent outgoing restrictions in office firewalls huh? 02:56 < Ricoshady> assuming they didnt block my VPN 02:56 < Jorj> If you read some of my questions, I was trying the same thing. 02:56 < Ricoshady> i think its possible 02:56 < dazo> Ricoshady: yup, that is possible .... 02:56 < Jorj> Here: udp mostly blocked, all >1024 ports and I'm trying to play a game via my own openvpn on my vps. 02:57 * dazo is considering to test that to avoid his mobile company to overcharge non-port-80 traffic ..... 02:57 < Jorj> But for some weird reason I couldn't get the client and server to see each other, but I also think it should be possible. Thing is, I'm also in a VPN with those restrictions. 02:57 < dazo> Ricoshady: for that to work ... you'll need 80/tcp .... 02:58 < Ricoshady> yea 03:00 < Ricoshady> does openvpn gui need to be installed? or does it just execute in its directory? I was thinking I could put it and the client keys on a USB drive. 03:00 < Ricoshady> actually thats probably a bad idea 03:00 * dazo dunno 03:00 < Ricoshady> i wouldnt want to run it on any random computer 03:00 < dazo> Ricoshady: if the USB is encrypted somehow ... or if you use pkcs12 with passwords, you'll be safer though 03:00 < reiffert> Ricoshady: or protect the keys with a password. 
03:01 < Ricoshady> reiffert, how does that work? 03:01 < reiffert> !howto 03:01 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:01 < dazo> Ricoshady: I use pkcs12 mostly ... because in one file you'll find all certificates and needed keys ... and they are password encrypted 03:02 < reiffert> Ricoshady: If you would like to password-protect your client keys, substitute the build-key-pass script. 03:02 < dazo> Ricoshady: which I consider safe enough, as I'll have time to revoke certificates and blacklist them in eurephia if they are lost 03:02 < Ricoshady> reiffert, then what happens, when the vpn connects it asks for a password? 03:03 < reiffert> Ricoshady: yeah 03:03 < dazo> Ricoshady: but some of my other users are not too happy ... having username and 2 passwords (user account + certificate) to remember .... but they usually get over it after a little while 03:03 < dazo> Ricoshady: yeah, even before bringing up the connection to your server 03:03 < reiffert> You protect the use of the client key by a password 03:04 < reiffert> it's an openssl thing 03:04 < Ricoshady> what about reconnects? 03:05 < reiffert> What about them? 03:05 < Ricoshady> will it ask for the password again? 03:05 < reiffert> no. 03:05 < Ricoshady> just when you initially start the vpn 03:05 < dazo> Ricoshady: yeah 03:05 < Ricoshady> let me try 03:06 < reiffert> .oO It's all in the howto 03:08 < Jorj> Ricoshady: do you use a vps as your openvpn server? Just out of interest. 03:11 < Ricoshady> vps? 03:11 < Ricoshady> hell yea, password worked just fine 03:11 < Jorj> Virtual private server, but nvm. :-) 03:11 < Ricoshady> when I build the dh file, sometimes it takes forever, other times it barely creates a line of computing 03:13 < Ricoshady> you know what I mean? it says... this will take a long time... sometimes it does, other times its really quick, should I be worried if its quick? 
03:13 < dazo> Ricoshady: depends on how much random data which needs to be collected ... sometimes it takes a while to seed the RNG ... doing some disk access (find /, f.ex) may help 03:13 < dazo> Ricoshady: if the RNG is full of random data ... it can go quicker ... but if it needs to collect data, it'll go slower 03:14 < Ricoshady> man this is working great 03:14 < Ricoshady> better than I expected 03:15 < dazo> Ricoshady: nah ... you're using open source product, not microsoft product .... of course it works better than expected :-P 03:15 < thewolf> Hey, evening people 03:16 < Ricoshady> im all about opensource 03:16 < dazo> :) 03:16 < thewolf> I've got a problem: I can't ping my server (10.1.0.1) from my client (10.1.0.2), are there any common causes for this other than user (my) stupidity? 03:17 < reiffert> firewall, firewall, firewall. 03:17 < thewolf> This is my server config: http://pastie.org/359420 03:17 < thewolf> hmm 03:18 < thewolf> firewalls suck 03:18 < reiffert> and topology 03:19 < reiffert> http://netzdeponie.de/download/fun/movies/BegehbarerSchrank.avi 03:21 < dazo> :D 03:24 < Ricoshady> what does the gui change password feature do? 03:24 < reiffert> Guess. 03:25 < thewolf> reiffert: since I can't change my local firewall atm, would it be safe to run it on another port that I know is open? 03:25 < Ricoshady> reiffert, funny but what password? the cert password? 03:25 < Ricoshady> i dont have any other password 03:25 < krzee> lol reiffert 03:25 < krzee> Ricoshady, it changes the password you could set on your cert when making the cert 03:25 < krzee> as opposed to any password you could have on the vpn 03:26 < Ricoshady> oh, it changes the cert password, ok 03:26 < Ricoshady> sorry 03:27 < dazo> Ricoshady: yeah, only cert passwords ... it's not possible to change any other passwords from the client, afaik (like user-auth passwords) 03:40 -!- l11 [n=l@verhau.de] has joined ##openvpn 03:41 < Ricoshady> can I make a key only last so long? 
03:42 < reiffert> || so long or | | so long? 03:47 < Ricoshady> can I make it so a cert expires 03:47 < l11> reiffert: hi 03:47 < reiffert> Yes, you can 03:47 < reiffert> l11: ! 03:48 < l11> reiffert: fritzbox firmware updaten :) or your mac will be slowed by it. 03:48 < reiffert> wtf? 03:49 < dazo> Ricoshady: expiry is set when creating the certs 04:12 -!- Jorj [n=dfdsfsf@vpnc036.ugent.be] has quit [] 04:13 < reiffert> http://research.microsoft.com/en-us/um/redmond/projects/songsmith/videos/EveryoneHasASongInside.mov 04:13 < reiffert> ms using a macbook? 04:17 < l11> part 1 of embrace and extend 04:27 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn 04:35 < dazo> reiffert: you know these new Intel based boxes now runs Vista .... we're soon to enter phase 2 of the EEE ... 04:52 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 04:53 -!- prxtien [n=pro@115.131.201.161] has joined ##openvpn 04:53 < prxtien> hey all 04:54 < prxtien> im looking at increased key sizes, does anyone know the performance impact on going from 1024 > 2048 > 4096bit certificates, and also performance decrease by increased dh key strength 04:54 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 05:03 < reiffert> I remember one guy unable to create a 4096 dh 05:04 < reiffert> some weeks ago. 05:04 < reiffert> prxtien: If you find something out, please let me know, sounds intresting. 05:04 < prxtien> well dh i was thinking of going from 1024 to 2048... 
and moving to maybe 2048 or 4096bit rsa certificates 05:05 < prxtien> dh 2048 took about 15 minutes on a tiny via c7 based server 05:05 < prxtien> on anything gutsy, less than 5 minutes youd think 05:31 -!- worch [n=worch@battletoad.com] has quit [Read error: 131 (Connection reset by peer)] 05:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:50 -!- worch [i=worch@battletoad.com] has joined ##openvpn 06:20 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 06:20 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn 06:24 -!- prxtien [n=pro@115.131.201.161] has quit [Read error: 60 (Operation timed out)] 06:51 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 07:06 -!- zheng [n=zheng@58.33.126.221] has joined ##openvpn 07:27 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 07:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 07:47 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 60 (Operation timed out)] 07:56 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 07:57 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn 08:00 -!- zheng [n=zheng@58.33.126.221] has quit ["Leaving"] 08:13 -!- worch [i=worch@battletoad.com] has quit [Read error: 113 (No route to host)] 08:32 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 08:42 < ecrist> who told me what? 08:45 < ecrist> oh, krzee, haven't fixed it yet. won't get to it until later this week. 
09:13 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit ["Leaving"] 09:41 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 09:41 < plaerzen> morning ovpn'ers 09:44 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Connection reset by peer] 09:44 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn 09:48 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"] 09:52 < ecrist> howdy plaerzen 09:54 < plaerzen> ecrist, how you doing ? 10:12 < ecrist> good, so far. it's early yet 10:19 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 10:23 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn 10:23 < c64zottel> \ufeffmay i get trouble when i open a OpenVPN net with 10.10.254.0/24 when the whole network has 10.10.0.0/16? 10:26 < ecrist> yes 10:26 < ecrist> not even 'may,' you 'will' get in trouble 10:26 < c64zottel> ecrist: hm 10:27 < c64zottel> i knew it 10:27 < c64zottel> cause, i can't differentiate between them, when they get routed? right? 10:27 < dazo> c64zottel: does the VPN net really have to be within the 10.10.0/16? 10:28 < c64zottel> the server hast 2 nic's, one local net 10.10/16 and the internet 10:28 < dazo> c64zottel: well, it's almost impossible to get correct routing with overlapping nets ... even though, in theory it might work, but I think that will require much more work on all clients 10:28 < c64zottel> and i want connect from the net, sure 10:28 < ecrist> c64zottel: see !1918 10:28 < c64zottel> hm, but, how can i understand? 10:28 < ecrist> choose another range 10:29 < c64zottel> !1918 10:29 < vpnHelper> c64zottel: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 10:29 < dazo> c64zottel: yeah ... but I meant the VPN config .... 
10:29 < dazo> c64zottel: choose an available segment listed above 10:30 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 10:30 < c64zottel> dazo: i will, but why do i get trouble? 10:31 < c64zottel> ecrist: thanks 10:31 < c64zottel> i read that, but i can't get a clue why it is so important 10:31 < dazo> c64zottel: because the routing from clients will get confused where the traffic should go 10:32 < c64zottel> dazo: but it's clear, in both cases it's routed to the ovpn, i could see the incoming icmp's over the tun0 10:33 < dazo> c64zottel: make it easier for your self, and avoid overlapping network segments .... and the really big troubles will come the day when a computer on your LAN grabs an IP in the 10.10.254.0/24 range ... then traffic from this box will go fine out of your network, but when going in, it will be routed to the VPN interface instead 10:33 < dazo> c64zottel: if you want to make the network transparent over the VPN .... you're probably looking for bridging 10:34 < ecrist> c64zottel: if it works for you, then why are you asking questions? 10:34 < c64zottel> dazo: i appreciate your advice, and i will follow, but i like to know what why .) 10:34 < c64zottel> maybe i need just more experience 10:35 < c64zottel> ecrist: first, 6th sense, and second, there was a case with two routes, 10.10.254/24 and 10.10/16 which made trouble, just with the route 10.10/16 it worked 10:35 < dazo> c64zottel: it's just kind of an unwritten rule .... keep your network segments clean, don't overlap segments, avoid several segments on the same physical network ... all to avoid network errors, even though it might work fine, but that's not given 10:36 < c64zottel> dazo: i read about bridging and so on... 10:36 < c64zottel> dazo: ecrist: thank you 10:37 < dazo> c64zottel: if you do not have a route for 10.10.254/24 sending traffic to your VPN tunnel .... 
I'm not sure your tunnel will work properly ... maybe it will work until the openvpn server, but most probably not beyond that box 10:39 < c64zottel> dazo, it will use the 10.10/16 route 10:39 < ecrist> c64zottel: if it works for you, fine, but, the odds are it's *not* going to work due to the overlapping route, unless your LAN is /16, but is further subnetted from there. 10:39 < c64zottel> ecrist: i got it, thanks 10:40 < dazo> c64zottel: say you have this on your openvpn box: eth0 on 10.10.0.1/16 ..... you have your tun0/tap0 on 10.10.254.1/24 .... (more to come) 10:41 < dazo> c64zottel: one VPN client, say 10.10.254.10 tries to connect to 10.10.0.40, which is on the eth0 side .... the packet goes fine all the way and reaches the server 10:43 < dazo> c64zottel: the server responds back to 10.10.254.10 ... but since that IP address is within the 10.10.0.0/16 network ... the result packet from server will never leave the 10.10.0/16 network .... and it gets lost, since nobody is answering it ... but this packet should have been routed through the 10.10.0.1 gateway 10:44 < dazo> c64zottel: so it will work, if all boxes on the 10.10.0.0/16 have a route which says .... 10.10.254.0/24 must use the gateway 10.10.0.1 ... but unless that route exists, it will not work 10:46 < c64zottel> dazo that was great! 10:46 < c64zottel> thank you very much 10:46 < jeiworth> dazo: that is interesting and might as well solve a problem i have, but where do i need to set that route? only on the openvpn-server or on all clients? 10:46 < dazo> c64zottel: but of course, I have now not touched much what happens if you then in your LAN gets a computer with the 10.10.254/24 address .... 
then the chaos is complete, because all boxes which have the route via 10.10.0.1 will go out on the VPN tunnel instead
10:46 * cpm boggles, , , but but but, 10.10.254/25 can't see 10.10.0.1
10:47 < cpm> 10.10.254/24 rather
10:47 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:47 < dazo> jeiworth: all clients would need to have this route ... default gateway will not work, since the networks overlap, you must explicitly set the route on all boxes
10:48 < dazo> cpm: that's very true! But I thought that if a client computer on the LAN got an address which is in the 10.10.254/24 range, but with the /16 mask ... then it will see the 10.10.0.1
10:49 * dazo was thinking a scenario with a DHCP server with a /16 netmask on the dynamic IPs ... then this can happen more easily
10:51 < c64zottel> cpm: why? if the client has a route like 10.10/16?
10:51 < dazo> but as I said earlier ... such a topology is not even worth considering ... because it will definitely create more troubles than what it solves in reality ... and it is a ticking bomb to have overlapping networks on different segments
10:52 < dazo> c64zottel: I think cpm was seeing a problem if the client on LAN had an IP address in 10.10.254/24 segment with a /24 netmask ... in this scenario, the client would not be able to see 10.10.0.1 at all
10:52 < c64zottel> dazo: is it not possible to avoid that via NAT?
10:53 < ecrist> c64zottel: just change your damn ip range
10:53 < ecrist> christ
10:53 < c64zottel> dazo true
10:53 < c64zottel> ecrist: i do, i promise .)
10:53 < c64zottel> but it's interesting
10:53 < ecrist> no, it's not, really
10:54 < dazo> c64zottel: I don't think so ... change the IP range ... that's my advice, don't try to hack around overlapping ranges ... it will for sure stop working somehow one day ...
and it will not be too easy to correct it later on with routing setup everywhere
10:54 < c64zottel> as i said, i do
10:54 * dazo is happy :)
10:54 < c64zottel> thanks a lot
10:54 < c64zottel> me too :D
10:54 < dazo> you're very welcome!
10:54 < c64zottel> thx
11:05 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit ["Leaving."]
11:09 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:16 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:22 -!- kyrix [n=ashley@91-115-27-154.adsl.highway.telekom.at] has joined ##openvpn
11:24 < kyrix> hi, i am trying to set up a routed site to site vpn using debian etch/lenny. the vpn is working, but still can't ping the other networks
11:24 < kyrix> files: network data:http://pastebin.com/m302adf57
11:24 < kyrix> server.conf: http://pastebin.com/d7954076a
11:24 < kyrix> client conf: http://pastebin.com/d16c72eec
11:25 < kyrix> and i have set up iroute.168.7.0 255.255.255.0 file in ccd
11:26 < kyrix> ip forwarding is activated on both machines
11:27 < kyrix> but still no luck. anybody have any ideas?
11:29 < kyrix> !route
11:30 < vpnHelper> kyrix: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:42 < kyrix> !configs
11:42 < vpnHelper> kyrix: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:44 < ecrist> kyrix: read the route entry above.
11:44 < kyrix> i did
11:45 < kyrix> i had already done everything
11:45 < ecrist> including iroute?
11:45 < kyrix> yup, that in the ccd file right?
11:45 < ecrist> and reconfiguring the gateways to redirect for the new VPN subnet?
11:45 < kyrix> yup
11:45 < ecrist> then you should have a working setup
11:45 < kyrix> hopefully correctly.
11:46 < kyrix> is there anything else i have to do on a linux box besides enabling ip forward?
11:47 < kyrix> i can ping 192.168.1.7 (the ip of my server) from the client. when i use push route. but no other machine. hold on, ill check the router
11:48 < kyrix> network: 10.8.142.0 netmask: 255.255.255.255 gw: 192.168.1.7
11:49 < kyrix> this is what i need on the router right?
12:07 < krzee> [13:29] and i have set up iroute.168.7.0 255.255.255.0 file in ccd
12:07 < krzee> the line doesnt look like that, right...?
12:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:08 < kyrix> iroute 192.168.7.0 255.255.255.0
12:09 < krzee> ok
12:11 < krzee> so .7.0 is behind client
12:11 < krzee> .1.0 is behind server
12:11 < krzee> [13:52] network: 10.8.142.0 netmask: 255.255.255.255 gw: 192.168.1.7
12:12 < krzee> netmask should be 255.255.255.0
12:12 < krzee> also, you should have another entry for 192.168.7.0
12:12 < krzee> then on client side, entries for 192.168.1.0 and 10.8.142.0
12:15 < kyrix> i have the 192.168.7.0, but dont understand the 255.255.255.0
12:15 < krzee> thats a netmask
12:15 < kyrix> if i ifconfig tun0 i have inet addr:10.8.142.6 P-t-P:10.8.142.5 Mask:255.255.255.255
12:15 < krzee> an ip means nothing without the netmask
12:16 < krzee> that is true, but you may have clients in server 10.8.142.0 255.255.255.0
12:16 < kyrix> oh
12:16 < krzee> you want to have a route to all of them
12:17 < kyrix> i need both then?
12:17 < kyrix> ah it works
12:18 < kyrix> that was it..... thx
12:18 < krzee> np
12:18 < kyrix> i was taking the value from ifconfig instead of the config file.
12:18 < krzee> its not really the value from either
12:18 < krzee> its just knowing what you need routed
12:19 < kyrix> well, it works in one direction well now. ill play with that on the other side for a while
12:20 < kyrix> its taken me two weeks to get to here :/
12:20 < kyrix> thanks again!
12:20 < krzee> np
12:20 < krzee> ya 1 direction cause you only added on 1 router
12:20 < krzee> gotta go do this:
12:20 < krzee> on client side, entries for 192.168.1.0 and 10.8.142.0 in its router
12:20 < krzee> both with 255.255.255.0
12:29 -!- Dryanta [i=dryanta@66.252.23.192] has joined ##openvpn
12:30 < Dryanta> ok guys openvpn problem AGAIN
12:30 < Dryanta> another situation where nothing changed and it broke
12:31 < Dryanta> process is running on both machines and i cant ping from one side of the tunnel to the other
12:31 < krzee> !logs
12:31 < krzee> ...
12:31 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
12:32 < krzee> and by 1 side to other
12:32 < krzee> you mean like client cant ping 10.8.0.1
12:32 < krzee> and server cant ping 10.8.0.6
12:32 < krzee> or from 1 lan to other
12:32 < Dryanta> again i run peer to peer
12:32 < krzee> o
12:32 < krzee> i wont be memorizing that
12:32 < Dryanta> and cant ping 10.0.0.1/2
12:32 < krzee> you'll hafta say it every time :-p
12:32 < Dryanta> its only come up like 20 times :P
12:33 < krzee> could a machine have rebooted and reset firewall rules?
12:33 < krzee> it will come up another 20 if you dont mention it when you have a new question :-p
12:33 < Dryanta> the machine rebooted, firewall rules are the same
12:35 < Dryanta> does log really have to be at 6?
12:36 < krzee> if you want it to be useful for me
12:37 < dazo> krzee: if he sets log level to 0 ... you can just say that logs look good, and there are no problems :-P
12:37 < krzee> hahah
12:37 < krzee> tru
12:42 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
12:43 < Dryanta> http://pastebin.ca/1307418
12:50 < Dryanta> well? lol
13:01 * ecrist punches someone's mother in the boob
13:03 < dvl> why?
13:04 < Dryanta> no love i guess
13:04 < Dryanta> /topic #openvpn post logs, we wont look at them....
kthxbai
13:08 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
13:09 < ecrist> dvl: because I'm bored, and I was hoping, like a 5 year-old child, to get a rise out of people.
13:10 < dazo> ecrist: your attack was not controversial enough
13:10 < Dryanta> lol
13:12 < krzee> ./topic #openvpn post logs, we will look at them when we feel like it.... kthxbai
13:13 < krzee> Dryanta, log from other side...
13:14 < krzee> we've done this enough times that if i come back 30min after asking for logs from both sides, there should prolly be logs from both sides
13:15 * krzee goes away for another X minutes
13:16 < Dryanta> http://pastebin.ca/1307441
13:16 < krzee> you stopped it too soon
13:16 < krzee> 1 second of logfile isnt very useful
13:16 < krzee> not a single entry past 11:12:46
13:17 < krzee> see how the first had like 2 minutes of logfile, error came 1.5 minutes into it
13:17 < krzee> that was useful
13:18 < ecrist> /mode Dryanta +douche_bag
13:18 * krzee wonders out loud if its harder to help a tech or a noob
13:19 < Dryanta> http://pastebin.ca/1307445
13:19 * ecrist elaborates that it's hardest to teach a noob that thinks their a tech.
13:19 < krzee> lol
13:19 < krzee> touche
13:20 < ecrist> s/their/they are/
13:21 < krzee> ok, now ping from .1 to .2, show me logs from both sides at verb 6
13:22 * ecrist punches dazo's mom in the dick
13:22 < ecrist> controversial enough?
13:22 < ecrist> :P
13:22 < krzee> hah
13:22 * dazo saw the attempt ... and that he missed big time and hurt his arm in broken window
13:23 < krzee> he missed your moms dick?
13:23 * krzee ponders
13:24 < krzee> both sides are writing to the tunnel, but barely reading
13:24 < krzee> but there is SOME reading
13:24 < krzee> which leads me away from firewall
13:24 < dazo> krzee: I think ecrist is just sexually frustrated ....
13:25 < krzee> dazo, i dont think so, his wife is pregnant and i hear preg women get seriously needy in that dept
13:25 < krzee> i think hes just bored
13:25 < dazo> krzee: well, I rest my case .... if he got a pregnant wife and bored at the same time .... it's not much she wants from him :-P
13:26 < Dryanta> is it this? Tue Jan 13 11:16:48 2009 us=504956 Inactivity timeout (--ping-restart), restarting
13:26 < krzee> dazo, work
13:26 < krzee> lol
13:26 < krzee> Dryanta, no, its whats causing that
13:27 < krzee> its something outside of openvpn
13:27 * dazo tries too :-P
13:27 < krzee> dazo, i mean hes at work
13:27 < krzee> hence, bored
13:27 < Dryanta> what do you mean outside of openvpn?
13:27 < krzee> umm
13:27 < krzee> like the link or something to do with the server
13:27 < dazo> krzee: don't you guys use openvpn and have home office? .... man! I thought you were serious about openvpn ..... :-P
13:27 < krzee> hows their ping/traceroute outside of ovpn
13:28 < Dryanta> what do you mean?
13:28 < krzee> dazo, im sure hes linked to his home network right now
13:28 < Dryanta> from pub ip to pub ip?
13:28 < krzee> Dryanta, yes
13:28 < dazo> krzee: hah! Accepted ;-)
13:30 < Dryanta> i cant traceroute because a router in between does not want to cooperate
13:30 < Dryanta> but ping is fine
13:30 < krzee> no packet loss on a large amount of pings?
13:30 < krzee> no large jitter?
13:31 < Dryanta> nope
13:31 < krzee> then im not sure what it is
13:31 < krzee> but i know its not part of openvpn thats the problem
13:31 < krzee> as long as the other config is = just ips reversed like you said
13:32 < krzee> you using a stateful firewall?
13:32 < krzee> one that keeps UDP state?
13:32 < krzee> (attempts to)
13:32 < Dryanta> ya it keeps state
13:32 < krzee> bypass that by just allowing * from each side to other
13:32 < krzee> see if that helps ya
13:33 < Dryanta> they both allow * to each other
13:34 < krzee> before any statefulness?
13:34 < krzee> packets ARE getting through
13:34 < krzee> but not all packets
13:34 < krzee> some are being dropped somewhere
13:34 < Dryanta> the whole firewall ruleset is keep state
13:34 < krzee> well, override that
13:34 < krzee> or dont
13:34 < krzee> *shrug*
13:35 < krzee> im just grasping at what it could be
13:35 < krzee> SOMETHING is stopping some but not all packets from getting through
13:35 < krzee> it could have just been a lucky guess you have a stateful firewall, that i will admit to
13:35 < krzee> i dunno what the problem is, but it could be that
13:36 < krzee> UDP keepstate is not perfect
13:36 < krzee> dont believe me, see if it works on tcp
13:36 < krzee> without changing a thing in the firewall
13:36 < krzee> but remember if you keep it there you have this problem:
13:36 < krzee> !tcp
13:36 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:38 < Dryanta> it didnt work with tcp last time i tried i think
13:40 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Connection timed out]
13:46 -!- aaasdasdasd [n=guest@195.24.76.252] has joined ##openvpn
13:47 < aaasdasdasd> hello world! How to configure openvpn so it will start script before starting tunnel?
13:47 < krzee> --up
13:48 < krzee> runs right after opening tunnel
13:48 < krzee> before connecting iirc
13:48 < krzee> !man
13:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:48 < krzee> lets see
13:48 < krzee> by opening tunnel i meant interface
13:48 -!- aaasdasdasd is now known as NinetendoWee
13:49 < krzee> NinetendoWee, what would your script do?
13:49 < NinetendoWee> And how about BEFORE tunnel?
Because i have special route for my vpn server that deletes when vpn disconnects :(
13:50 < krzee> before would be a wrapper script
13:50 < krzee> a script that runs your command, then starts openvpn
13:50 < krzee> which you run to start openvpn
13:51 < NinetendoWee> it becomes inconsistent :(( some scripts are events from vpn client, some - wrappers.
13:51 < krzee> huh?
13:51 < NinetendoWee> if route is down - it just tries to connect to server forever. what to do?
13:51 < krzee> you are saying you need to make a special route to reach the vpn server, right?
13:52 < krzee> and manually you add the route then start openvpn, and it works...?
13:52 < NinetendoWee> yes
13:52 < krzee> but you want to automate it
13:52 < krzee> #!/bin/sh
13:52 < NinetendoWee> yes, because when vpn disconnects accidentally - it removes this route automatically
13:52 < krzee> route command
13:52 < krzee> openvpn command
13:53 < NinetendoWee> so then i have to use up script because i have to set right default route
13:54 < NinetendoWee> how to make it exit on disconnect?
13:55 * ecrist cheers
13:55 < krzee> --ping-exit n
13:55 < krzee> should do that
13:55 < ecrist> I've got my FreeBSD file server running pam_ldap for authentication, and sudo, samba, afp all using ldap, too
13:56 < NinetendoWee> thank you for help
13:56 -!- NinetendoWee [n=guest@195.24.76.252] has quit ["Ex-Chat"]
13:58 < krzee> nice ecrist
14:01 < ecrist> someday, I might know what I'm doing
14:16 -!- jeiworth [n=jeiworth@189.163.173.75] has quit [Remote closed the connection]
14:18 -!- jeiworth [n=jeiworth@189.163.173.75] has joined ##openvpn
14:21 < ecrist> krzee: if you have the need: http://www.secure-computing.net/wiki/index.php/Apple_File_Sharing
14:21 < vpnHelper> Title: Apple File Sharing - Secure Computing Wiki (at www.secure-computing.net)
14:27 -!- psai` [n=Psai@91.91.252.105] has joined ##openvpn
14:27 < psai`> hi
14:27 < ecrist> hi
14:28 < psai`> is there a way to push redirect gateway only for some clients and not for all ?
14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:33 < ecrist> you bet
14:33 < ecrist> you need to set up client-config-dirs
14:33 < ecrist> read the man page or howto on that
14:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
14:34 < psai`> ok that's all i wanted to know :)
14:34 < ecrist> :D
14:34 < psai`> thank you i'll try this
14:56 -!- dazo is now known as dazoafk
15:10 -!- FarrisG [n=FarrisG@pool-71-123-163-107.dllstx.dsl-w.verizon.net] has joined ##openvpn
15:16 < FarrisG> Having an odd issue. I've done tons of openvpn setups, but have always done it with an internal and external nic. Trying to do it with one NIC, and it's working fine, except that after a couple of hours of being up, suddenly both my eth0 and br0 have the same IP address and the OpenVPN box can't access the outside world, only internal addresses.
Confs are here: http://pastebin.ca/1307528
15:16 < FarrisG> !route
15:16 < vpnHelper> FarrisG: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:16 -!- psai` [n=Psai@91.91.252.105] has quit ["thanks !"]
15:18 < FarrisG> Any idea what could be causing it?
16:01 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)]
16:07 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
16:09 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Client Quit]
16:31 < jeiworth> FarrisG: this is my first openvpn installation and many thanks to your bridge script i finally found my error after half a day search :)
16:55 < ecrist> which bridge script?
16:57 < krzie> to both of you
16:57 < krzie> what exactly do you need that requires bridging?
16:57 * krzie grins at ecrist
17:12 -!- kyrix [n=ashley@91-115-27-154.adsl.highway.telekom.at] has quit [Remote closed the connection]
17:41 < krzie> !servercret
17:41 < vpnHelper> krzie: Error: "servercret" is not a valid command.
17:41 < krzie> !servercert
17:41 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
18:23 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
20:41 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
20:52 < ecrist> why are you grinning at me?
20:57 < ecrist> o.O
20:57 < ecrist> 39 hits today on my site from nat-pool-brq.redhat.com
21:08 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
21:10 * ecrist loves getting IPv6 hits to his sites
21:13 < ecrist> meh, so many hostnames in awstats - hard to know which are IPv6.
don't want to write regex for IPv6 addresses
21:14 < tjz> hmmm
21:14 < ecrist> wouldn't be *too* difficult
21:14 < tjz> they are switching to IPv6 because we are running out of ip for IPv4?
21:15 < ecrist> that and a few more features which are a bit more low-level
21:15 < ecrist> I've been supporting IPv6 on my network for about 3 years
21:16 < tjz> hmm
21:16 < tjz> why IPv6..
21:17 < tjz> will the IP address look any different?
21:17 < ecrist> what do you mean?
21:17 < ecrist> you really don't know?
21:17 < tjz> never go and read up
21:17 < tjz> hehe
21:17 < ecrist> you should
21:17 < ecrist> like the DTV transition, it *is* eventually coming
21:18 < ecrist> DTV was supposed to come back in 2000
21:18 < ecrist> only 9 years late
21:18 < ecrist>
21:19 < ecrist> I've had about 15 or 20 hits to my main site this month from IPv6 addresses
21:20 < ecrist> 23 users have downloaded ssl-admin via IPv6
21:20 < ecrist> just this month
21:23 < ecrist> grr
21:24 < tjz> hmm
21:24 < ecrist> lots of latency on my wireless tonight
21:24 < tjz> what is sl-admin?
21:24 < tjz> ssl-admin..
21:24 < ecrist> ssl-admin
21:24 < tjz> hehe
21:24 < ecrist> it's a script I wrote in perl because easy-rsa sucks some serious donkey balls
21:24 < tjz> lol
21:24 < tjz> haha
21:24 < ecrist> it's a menu-driven text-based SSL certificate manager
21:26 < tjz> cool
21:26 < tjz> will the IP address of IPv6 look any different ?
21:27 < ecrist> right now, it's strictly menu-driven, but if I either 1) find time or 2) get some *rich* interested parties, I'm going to build command line options, bulk generation, and LDAP certificate support
21:27 < ecrist> yes
21:27 < ecrist> IPv4 is 32-bit, in dotted-decimal notation
21:27 < tjz> how different..
21:28 < ecrist> IPv6 is 128-bit, in quad-hexadecimal notation
21:28 < tjz> omg
21:28 < tjz> enough to support more IP
21:28 < tjz> how does quad-hexadecimal notation look like?
21:28 < tjz> eg. ?
21:28 < ecrist> for example, my website, www.secure-computing.net has the following two addresses (IPv4 and IPv6)
21:28 < ecrist> www.secure-computing.net is an alias for kenny.secure-computing.net.
21:28 < ecrist> kenny.secure-computing.net has address 173.8.118.210
21:28 < ecrist> kenny.secure-computing.net has IPv6 address 2001:470:1f11:463::210
21:29 < tjz> coooooooooooooooool
21:30 < tjz> any web-tool to check the IPv6 address of kenny.secure-computing.net ?
21:30 < tjz> or linux command to do that?
21:30 < ecrist> read http://www.secure-computing.net/wiki/index.php/IPv6 and see if it helps at all
21:30 < vpnHelper> Title: IPv6 on FreeBSD 6.2 - Secure Computing Wiki (at www.secure-computing.net)
21:30 < ecrist> tjz, what do you mean?
21:30 < krzie> if your linux is ipv6 enabled host will tell you
21:30 < tjz> you know a noob asking noob question
21:31 < tjz> bear with me
21:31 < tjz> :P
21:31 < krzie> www.secure-computing.net is an alias for kenny.secure-computing.net.
21:31 < krzie> kenny.secure-computing.net has address 173.8.118.210
21:31 < krzie> kenny.secure-computing.net has IPv6 address 2001:470:1f11:463::210
21:31 < krzie> that was /exec -o host www.secure-computing.net
21:32 < ecrist> IPv6 addresses are stored in DNS as AAAA records, whereas IPv4 records are stored as A records
21:32 < tjz> cool
21:32 < ecrist> you can check (whether your host is IPv6-enabled or not) for an IPv6 record with the dig command
21:32 < ecrist> dig -t AAAA
21:33 < ecrist> running both IPv4 and IPv6 is known as dual-stack
21:33 < krzie> ya i was actually wrong
21:33 < krzie> this box isnt ipv6 enabled
21:33 < krzie> its in the kernel, but i dont have an ipv6 tgunnel
21:33 < krzie> tunnel
21:34 < ecrist> until last month, I had native IPv6 to my ISP
21:34 < tjz> cool
21:34 < krzie> ya i had native long ago too
21:34 < ecrist> then I realized my ISP was run by a bunch of douche-bags
21:34 < krzie> a nice small dsl company in the bay area, CA
21:35 < ecrist> like my old ISP (a
nice, small, ISP in Minneapolis, MN
21:35 < tjz> nothing wrong with a small isp
21:35 < ecrist> unless they're jewish
21:35 < tjz> as long as they are on the ball
21:35 < tjz> lol
21:36 < ecrist> I dropped ipHouse when they gave my colo (2 full racks) a $400/mo *surcharge* in the middle of a contract
21:36 < ecrist> they got around the contract by calling it a surcharge
21:36 < ecrist> that's pretty bullshit, IMHO
21:36 < krzie> umm
21:36 < krzie> illegal sounding
21:37 < tjz> why the surcharge?
21:37 < tjz> is it bandwidth overage?
21:37 < krzie> cause they needed $ im sure
21:38 < ecrist> I think you're on the 'money', krzie
21:38 < ecrist> but, they called it an electrical surcharge
21:38 < ecrist> it would cost us more to litigate than to pay to the end of our contract
21:58 -!- Solarbab1 [n=solarbab@adsl-69-228-3-122.dsl.irvnca.pacbell.net] has joined ##openvpn
22:02 -!- AwayML is now known as AndyML
22:02 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:16 -!- Solarbaby [n=solarbab@adsl-69-228-2-165.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
22:20 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
23:01 -!- mepholic [n=mepholic@star.emokid.nu] has joined ##openvpn
23:01 < mepholic> ok
23:01 < mepholic> openvpn on an ircd shell
23:01 < mepholic> possible?
23:05 -!- mepholic [n=mepholic@star.emokid.nu] has quit [Remote closed the connection]
23:06 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
23:19 < Solarbab1> mepholic: you want to run a irc client or server on openwrt?
23:30 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection]
23:33 -!- Solarbab1 [n=solarbab@adsl-69-228-3-122.dsl.irvnca.pacbell.net] has quit [Remote closed the connection]
--- Day changed Wed Jan 14 2009
00:00 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn
00:02 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
00:02 < hiptobecubic> I'm trying to setup a vpn with ethernet bridging. I'm not able to physically access the machine that is going to be the server, but when i bridge eth0 and tap0, i can no longer use ssh, effectively orphaning the server.
00:02 < hiptobecubic> what can i do?
00:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:16 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
00:24 -!- FarrisG [n=FarrisG@pool-71-123-163-107.dllstx.dsl-w.verizon.net] has left ##openvpn []
00:25 < hiptobecubic> If anyone is around, i'd love a hint here.
00:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:05 -!- dazoafk is now known as dazo
01:35 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
01:35 < steveoooo> if I change the password on a cert that I did not enter a passphrase in, will it enable a password? or does the cert have to have a passphrase from the beginning
01:36 < dazo> steveoooo: not sure ... but I believe you would enable the password actually
01:37 < dazo> hiptobecubic: how have you configured your bridge?
01:37 < steveoooo> can you explain the difference between tun and tap?
01:39 < dazo> steveoooo: oh .... well, tun is using point-to-point tunnelling, which means that it is bound to TCP/IP traffic ....
while tap is going lower down in the OSI stack, so it is actually more a virtual network interface where all traffic to the interface is routed via openvpn
01:40 < dazo> steveoooo: so, if you want to do bridging, use IPv6 or IPX or other non-TCP/IP (IPv4) traffic, you simply must use tap
01:40 * dazo looks for a better explanation
01:42 < dazo> http://en.wikipedia.org/wiki/TUN/TAP ...
01:42 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
01:43 < dazo> steveoooo: if you just google "tun or tap" ... you'll get more info, but the wikipedia actually says the same as all the google findings
01:43 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)]
01:45 < dazo> steveoooo: you can also have a look here: http://openvpn.net/index.php/documentation/faq.html#bridge2
01:45 < vpnHelper> Title: FAQ (at openvpn.net)
01:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 < steveoooo> ill take a look
01:48 < steveoooo> does tap require any extra configuration outside the openvpn configs?
01:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:53 < dazo> steveoooo: No, not really ... well, I'm not sure on the server side. I've only used Gentoo on the server side lately and I have preconfigured the tap0 interface before starting openvpn in some network scripts there
01:53 < dazo> steveoooo: but I think that the device needs to be set up before starting the openvpn daemon .... just remembered that I also do bridging on my openwrt based router
01:54 < steveoooo> what are you running openwrt on?
01:55 < steveoooo> (how do you like it?)
01:55 < dazo> steveoooo: but that could be to setup the bridge before starting openvpn, not sure .... anyway, you can create the tap device by calling: openvpn --mktun --dev tap0 --dev-type tap ...
01:55 < dazo> steveoooo: I'm running it on a Linksys WRT54GL ...
nice little box, even though I'd like more flash on the box :-P
01:56 < steveoooo> thats funny, same exact one I have, but running the default software... which sucks... I was running ddwrt but I found some weird firewall rules in the iptables so I dumped it.
01:56 < steveoooo> I have the same exact one I mean
01:57 < dazo> steveoooo: that was exactly the same reason I scrapped ddwrt as well .... and I made some noise about it in the forums ... but they didn't seem to take my point regarding being open about it and tell clearly what to do to remove these rules
01:58 < dazo> steveoooo: I'm using the X-Wrt version of openwrt ... which gives you a simple but powerful webgui as well, which makes configuration a lot easier .... highly recommended!
01:58 < steveoooo> yea, i didnt post anything, but after that I dropped it. it was weird tho, in some versions they werent there, but in the openvpn version it was, so I couldnt trust it
01:59 < steveoooo> do you have a link?
01:59 * dazo looks it up
01:59 < dazo> http://x-wrt.org/
01:59 < vpnHelper> Title: Web interface for OpenWrt and more - X-Wrt.org (at x-wrt.org)
01:59 < steveoooo> I remember going to frys in order to find the right linksys to fuck up
02:01 < dazo> steveoooo: what's neat about this one, is that it's not much applications installed by default ... but you can install the needed pieces on the fly via a click in the webgui, so when you want to configure software which is not installed, you can click install ... it gets installed and you can continue the configuration
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:05 < steveoooo> nice
02:05 < steveoooo> maybe ill flash it right now
02:05 < steveoooo> if you trusted ddwrt, which would you use
02:06 < dazo> I'm running the 0.9 (whiterussian) release .... but I see that they've started stabilising the Kamikaze versions (devel versions), so it might come a new x-wrt soon
02:07 < dazo> well ....
ddwrt is easy to configure and gives a lot of things without even needing to think about going into a shell on the box ... so ddwrt is probably more easy to set up and configure
02:07 < krzee> !security
02:07 < vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
02:07 < krzee> (for something else)
02:08 < dazo> while x-wrt is more kind of detailed in configuration ... and you have much more power to safely do changes via the shell and web, as the web will not freak out or overwrite changes done via shell
02:09 < dazo> so I feel that x-wrt is much more flexible than ddwrt
02:09 < steveoooo> cool
02:10 < dazo> and another thing .... the iptables setup in x-wrt is really basic and easy to understand immediately, no strange chains or strange loops ... it's really transparent compared to ddwrt
02:10 < steveoooo> hmm, i dont see a pre built image for my router wrt54gl1.1
02:10 < dazo> huh? strange ....
02:10 < dazo> I'm pretty sure I also have the gl1.1
02:11 < steveoooo> whiterussian? or kamikaze
02:12 < dazo> I'm using whiterussian now
02:12 < dazo> http://downloads.x-wrt.org/xwrt/firmware_images/whiterussian/0.9/milestone-3-rc2/default/openwrt-wrt54g-squashfs.bin
02:12 < steveoooo> (have you used any cellphone wireless computer cards ?)
02:12 < steveoooo> thanks
02:13 < steveoooo> rc2 hrm.
02:14 < dazo> steveoooo: nope ... not cards ... I've only used USB and Bluetooth to my SE-K800i ... and that works like a charm for me (using UMTS or GPRS)
02:15 < dazo> steveoooo: that rc2 is the latest one of whiterussian ... and it was released august 2007, so it's getting old .... but on the other hand ... it's very stable ....
02:16 < dazo> steveoooo: and there is update functionality via the web-gui as well ....
so they have released some updates which I could install after installing it
02:17 < dazo> oh, that was just updating of the webgui, I see now
02:17 < dazo> but you have some ipkg tools as well
02:20 < steveoooo> cool
02:20 < steveoooo> im going to flash it right now
02:21 < dazo> :)
02:21 < steveoooo> is a lot smaller than ddwrt
02:21 < dazo> yeah, but when you install openvpn and other goodies and needed parts .... it's easy to fill it up :-P
02:23 < steveoooo> ill be back, hopefully
02:23 < dazo> heh ... good luck!
02:23 < steveoooo> I have another router in the closet if anything goes wrong
02:23 < steveoooo> heh
02:24 < steveoooo> id be interested on how the .bin files are compiled to work on the linksys routers
02:26 < dazo> steveoooo: quite simple ... cross compiled for the CPU platform ... and then things are put into a filesystem file (mounted as a loopback file probably) and then this filesystem is "converted" to the proper format the device needs it ... then this file is written directly to the flash
02:27 < steveoooo> im a coder but ive never compiled for a hardware device other than pic chips
02:27 < steveoooo> and this little linux based computer I have
02:27 < dazo> I think I remember I read a little bit about it on the openwrt wiki ....
02:31 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
02:36 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
02:36 < steveoooo> should I reset to default settings?
02:37 < steveoooo> dazo, are you running the openvpn on the router?
02:37 < dazo> steveoooo: yup
02:37 < steveoooo> hmm, cool and build all the keys on the server?
02:37 < steveoooo> built
02:38 < steveoooo> thru ssh?
02:38 < dazo> steveoooo: yes ... You need to have the keys prepared somewhere else
02:39 < steveoooo> i c
02:39 < dazo> steveoooo: I'm using certificates in addition to static.key ....
so I created the needed certs and keys on another box and used ssh and scp to get them into the router 02:39 < steveoooo> got it 02:39 < steveoooo> im using certs too 02:39 < steveoooo> not a static.key tho 02:40 < dazo> steveoooo: I use all security features available, as a default in my setups :) 02:40 < steveoooo> i dont even know what im not securing : ) 02:40 < steveoooo> ingorance is bliss 02:40 < dazo> Actually, I've stored config files, cert files and so on the nvram of the router ... not on the "filesystem" 02:41 < steveoooo> nvram? 02:41 < Dryanta> non volatile ram 02:41 < steveoooo> is it a mounted device? 02:41 < dazo> yeah .... kind of the "config" memory ... you'll have a nvram command ... 02:41 < dazo> nvram show .... will give you a lot of config settings 02:42 < dazo> and I used such hack as: nvram set ="`cat `" ... to store a file here .... 02:42 < dazo> but you must remember to do nvram commit .... to really save it nvram 02:43 < dazo> (I would not try this on a binary file though ........) 02:43 < steveoooo> nice, like how it shows that changes are being made! 02:43 < dazo> so I have my own openvpn_start.sh script .... which then pulls down all needed files from nvram and saves them under /tmp/openvpn .... and then openvpn is started from here 02:44 < steveoooo> i c, does the router do most of that for you? 02:45 < dazo> steveoooo: http://pastebin.com/d3e502198 02:45 < dazo> steveoooo: nope ... I hacked this myself .... as the webif only supports openvpn client, not server 02:46 < steveoooo> i c 02:47 < dazo> the pastbin contents, I've saved under /etc/openvpn_start.sh .... and then if you do this, nvram set ="`cat `" ... for all your openvpn files .... this should work pretty quickly for you 02:47 < steveoooo> ill get that going tomorrow 02:47 < dazo> :) 02:47 < steveoooo> pretty damn cool tho 02:47 < steveoooo> and your vpn network is in the same subnet as lan? 02:48 < steveoooo> with the brige? 02:48 < dazo> just one remark .... 
no not use nvram commit to much .... as such writes will exhaust the nvram over time ..... but if you do it once a day, somebody calculated that the nvram would last at least 5 years 02:48 < dazo> yes, I did it this way 02:48 < dazo> I 02:48 < dazo> I've also separated wlan and lan ... so that they have different network segments as well .... and vpn is on the lan range, not wlan 02:51 < steveoooo> why use nvram 02:52 < dazo> to avoid using space on the jffs2 filesystem, which is used by applications and ipkg .... and /tmp is a ram disk, so only temporarily 02:53 < dazo> and it was a lot of space available in nvram for these config files 02:53 < krzee> steveoooo, leaves less trace 02:53 < dazo> with my current config ... I have used about 9kb out of 32kb available in nvram 02:54 < steveoooo> backup your router and let me see it : ) 02:54 < steveoooo> just kidding 02:54 < dazo> heh ... sorry, don't trust you that much yet ;-) 02:56 < steveoooo> geez man all paranoid and shit 02:56 < steveoooo> heh 02:56 * dazo wonders if it would be possible to encrypt the openvpn config stored in nvram .... yeah, I know you would need to enter a password when starting openvpn 02:57 < krzee> instead of encrypting the config encrypt the cert keys 02:57 < dazo> btw! It's really easy to fill up your filesystem ... so be careful! really careful! or else you might in worst case need to reflash the device again 02:57 < dazo> krzee: yeah, I meant that .... for me keys are an important part of the config ;-) 02:57 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn 02:58 < krzee> when making the certs you can set a pass on them, easy-rsa its something like make-cert-pass 02:58 < krzee> ssl-admin asks when you make any keys 02:59 < dazo> krzee: that's true ... 02:59 * dazo haven't woken up yet today ... 02:59 < dazo> maybe I could even use pkcs12 certs .... 
to have all in one file as well 03:31 -!- Dryanta [i=dryanta@66.252.23.192] has quit ["Changing server"] 03:33 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 04:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:26 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 04:29 < steveoooo> dazo, help me out tomorrow configuring all this shit 04:29 < steveoooo> that would be cool 04:30 < dazo> steveoooo: I'll try .... I'll be travelling somewhat tomorrow, leaving the office around 13:00 UTC ... so I might have it hectic, but in the evening it might be more easy again 04:30 < steveoooo> what do you do? 04:40 < steveoooo> night 05:32 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 05:58 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has quit [Read error: 60 (Operation timed out)] 06:00 -!- zug|work [n=zug_work@88.211.97.126] has joined ##openvpn 06:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:15 -!- zug_|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 06:22 -!- zug|work [n=zug_work@88.211.97.126] has quit [Read error: 60 (Operation timed out)] 06:51 -!- Naicamine [n=bjones@96-35-60-139.dhcp.stls.mo.charter.com] has joined ##openvpn 06:53 < Naicamine> how can i get to my VPN server if it is on a dynamic address? 06:55 < Naicamine> is there a way i can get a free domain name and a free service that will point a domain name to a dynamic ip? 07:08 -!- Naicamine [n=bjones@96-35-60-139.dhcp.stls.mo.charter.com] has quit ["Leaving."] 07:38 -!- AukeF [n=folkerts@fury.science.uva.nl] has joined ##openvpn 07:39 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)] 07:41 < AukeF> Hi! I have an openvpn tap device (openvpn --mktun --dev tap0) bridged with my physical device (eth0). 
The tap device is used a the stub for Qemu's virtual network card, and has no IP on my host OS. This setup works; however, tcpdumping shows that not all traffic present on the eth0 device is also visible on my tap device. I think this is odd, given that they are bridged. Am I missing something? 07:41 < AukeF> (also, if this is not the right channel, my apologies, and please point me in the right direction) 07:42 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:44 < reiffert> AukeF: a bridge doesnt mean that all traffic passes both interfaces. 07:44 < reiffert> AukeF: routing still works and delivers packets to what interface matches best 07:44 < AukeF> aha 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:44 < reiffert> AukeF: a bridge allows to have broadcast/multicast packets to appear on both interfaces. 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:45 < AukeF> my understanding was that a packet that arrives on port1 is automagically duplicated on port2 07:45 < reiffert> AukeF: please check your understanding. 07:45 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:45 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:46 < reiffert> http://en.wikipedia.org/wiki/Network_bridge 07:46 < vpnHelper> Title: Network bridge - Wikipedia, the free encyclopedia (at en.wikipedia.org) 07:46 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:46 < reiffert> dvl: mind fixing your irc client please? 07:47 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:47 < reiffert> ecrist: r u around? 
07:47 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:47 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:48 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:48 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:49 < reiffert> krzee: r u around?
07:49 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:49 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:50 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:50 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:51 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:51 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:52 < reiffert> dvl:
07:52 < AukeF> hm. it looks like /proc/sys/net/bridge/bridge-nf-* are getting in the way
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:53 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:53 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:54 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:54 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:55 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:55 < reiffert> sigh
07:55 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:55 < reiffert> dvl:
07:56 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:56 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:57 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:57 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:59 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:59 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
08:00 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
08:00 < dazo> dvl you got probs!
08:00 < dazo> dvl: please correct your client
08:01 < reiffert> Doubt he's reading that
08:01 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
08:01 < dazo> well ... on my screen, I saw you managed to catch him right after he "quit" ... so I hoped I could be quick enough now
08:02 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
08:03 < reiffert> brb, cooking
08:06 < reiffert> dvl: u there?
08:27 < ecrist> reiffert: I'm around
08:27 < ecrist> what's up?
08:29 < reiffert> ecrist: how can I ban dvl so that he can fix his client meanwhile?
08:29 < ecrist> you just frustrated with the join/quits?
08:29 < ecrist> you can ignore those events from him, if you'd like
08:29 < ecrist> /ignore dvn JOINS PARTS QUIT
08:30 < reiffert> rite.
08:30 < reiffert> so everybody please type this, whatever your client understands.
08:31 < ecrist> if it starts up again, I can ban him, too
08:31 < ecrist> s/dvn/dvl/
08:31 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn
08:33 -!- nikk^ [n=nikk@p54ADD682.dip.t-dialin.net] has joined ##openvpn
08:34 < nn> hello all, i'm leaving tomorrow to a place i must connect home from, through a horribly draconian firewall which limits my usage to ports 80 (inspected to actually be HTTP) and 443, the network i want to connect to uses 10.0.0.0/8 - is there a way to make openvpn clients fall within 10.0.0.0 or should i just use 192.168.0.0/16 and bridging of eth1 (internal lan) and the openvpn interface?
08:35 < nn> it would be much simpler for my life if i could make the vpn fall under the 10.0.0.0/8 but not too sure how the routing would work out for that
08:35 -!- brewmaster_ [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn
08:36 < dazo> nn: don't try to overlap network segments ... don't think about it ... it'll backfire sooner or later and you'll just be frustrated about how it almost works
08:37 < dazo> !1918
08:37 < vpnHelper> dazo: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
08:38 < dazo> nn: you also don't need to bridge anything, routing is usually more than enough, as long as your network and firewall at your server side have a sensible firewall setup
08:38 < brewmaster_> this might be a silly question, but can an openvpn server share samba folders over the vpn? or do I need to run a separate openvpn client process?
08:39 < nn> dazo: im just wondering if it might be better off to adjust the routing on the router to use smaller subnets for the wireless, servers, vpn, etc then have the actual clients refer to the wider /8 subnet
08:39 < brewmaster_> using bridged network btw
08:39 < nn> dazo: ive got quite a few machines on the home side that will not play happy with 192.168.0.0/16 *and* 10.0.0.0/8 addresses trying to talk to them
08:40 < dazo> brewmaster_: if you use a tap device, samba should not be any problem at all .... if you do bridging, it'll save you from some routing issues connected to browsing shares and servers
08:40 < nikk^> Hi! Could you please help me to "translate" this route into "linux": route add 192.168.2.0 mask 255.255.255.0 10.8.0.14 metric 1 ?
08:40 < nikk^> 192.168.2.0 is the Remote Lan, 10.8.0.14 is the VPN-IP of the Remote Client
08:41 < dazo> nn: as long as you have a default gateway at "home" ...which will have a route to your VPN segment, your VPN segment can have whatever IP address you want
08:41 < brewmaster_> dazo, ok. i'm running the server on a debian machine, i connected to the network from an xp box and an ubuntu box, they can both see each other but not the debian machine
08:41 < brewmaster_> i can't even ping the debian server
08:41 < dazo> brewmaster_: does the debian box also have samba running?
08:41 < brewmaster_> yes
08:42 < dazo> brewmaster_: ahh ... check your iptables on debian ... that might be the issue here
08:42 < nn> dazo: for example: networking kit on 10.1.0.0/16, servers on 10.2.0.0/16, 100mbit clients on 10.3.0.0/16, wlan on 10.4.0.0/16, and vpn say 10.5.0.0/16
08:42 < dazo> nikk^: route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.8.0.14 metric 1 ... just a wild guess
08:42 < nn> since ive got about 500 machines on the network
08:43 < brewmaster_> dazo, just to be clear: i don't need to run a separate client process on the server?
08:44 < brewmaster_> dazo, yeah, i think i gotta open up the tap device in iptables
08:44 < dazo> brewmaster_: no, that's usually not needed .... you might want to explore DNS options in openvpn config .... to push the correct WINS server to VPN clients ... that way they will know where to look up windows machines
08:44 < dazo> brewmaster_: that's most probably right
08:46 < dazo> brewmaster_: in some very few settings, it might be that you want to have a "resolver" running on the gateway for sending netbios broadcasts between the net-segments ... but that was usually not needed after WINS came ... so if you have a WINS server, point all your clients to that one, and it should be working
08:47 < dazo> nn: yeah, that sounds sensible ... and your openvpn server needs to have routes to all these networks ... and also correct firewall settings, and then it should work pretty easily
08:47 < nikk^> thanks dazo. will this route use 10.8.0.14 as gateway?
08:47 < nn> dazo: thanks
08:47 < nn> thankfully i have access to some wifi not on my network to test with, back in a bit :)
08:48 < dazo> nikk^: it will route the 192.168.2.0/24 network through that gateway
08:48 < dazo> nikk^: even though, this doesn't sound like the right way to do it .... but I might be wrong
08:49 -!- jeiworth [n=jeiworth@189.163.173.75] has quit [Read error: 104 (Connection reset by peer)]
08:50 < dazo> nikk^: it just depends on where you set this route ... if it is on a client, it is correct ... if it is on a gateway/router ... then it should be another IP address of the gateway, most likely
08:50 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 54 (Connection reset by peer)]
08:51 < nikk^> hm, problem is: ping remote client -> server lan = possible, ping from server lan -> vpnip remote client = possible, server lan -> client lan ip doesn't work
08:52 < nikk^> ping vpn server -> client lan ip also doesn't work
08:52 < dazo> nikk^: do you have access to tcpdump on your openvpn server? and default gateways (if it is not the same as openvpn server)?
08:53 < nikk^> it is the same, wrt router, but no tcpdump
08:53 < dazo> nikk^: I suggest using tcpdump on the openvpn server on the different network interfaces .... and then do a ping ... then you'll see where the traffic goes ... if you see only echo request and not echo response, the packet went in another direction
08:54 < dazo> aha
08:54 < dazo> which firmware?
08:54 < brewmaster_> dazo, not sure if i need to change my iptables: i don't have a firewall and am behind a router
08:55 < nikk^> it is dd wrt, but with optware openvpn server
08:56 < nikk^> DD-WRT v24-sp1 (08/19/08) std
08:57 < dazo> nikk^: Yeah, I know that one .... okey ... ddwrt uses bridging as default, as far as I remember
08:57 < nikk^> i use routing atm
08:57 < dazo> nikk^: can you post config ? (pastebin)
08:57 < nikk^> one moment please
08:58 < dazo> brewmaster_: are you running openvpn on your default gateway?
08:58 < dazo> brewmaster_: if you are, you need to make sure that nothing is blocking the traffic .... try to use tcpdump ... it'll help you see where the traffic goes or not
08:59 < dazo> nikk^: you are using that ddwrt box as a gateway to your giant 500+ computers network?
08:59 < dazo> s/to/for/
09:01 < nikk^> 3 clients atm :)
09:01 < nikk^> http://pastebin.com/m2487b3a1
09:01 < dazo> nikk^: then I must have misunderstood you ... the giant network you talked about .... how does this fit into the picture?
09:02 < nikk^> giant network?
09:02 < dazo> nikk^: sorry! I mixed you up with nn ..... too many chats in parallel :-P
09:02 < brewmaster_> dazo, not sure, what do you mean by default gateway?
09:02 < nn> heh
09:03 < nikk^> no problem dazo :)
09:03 < nn> rearranging and terrorizing my network presently
09:03 < nn> I is scared
09:03 < dazo> brewmaster_: default gateway is the box which sends all traffic which is not local (ie. Internet traffic) to larger networks
09:04 < dazo> nikk^: you have some things which don't match .... have a look here: http://pastebin.com/m6c3cb0f2 ... those highlighted lines must speak to the same network ranges
09:05 < dazo> nikk^: one of the routes needs to be your LAN/WLAN at home ... and the other one is the VPN
09:06 < dazo> nikk^: what's your IP range "at home"?
09:06 < nikk^> 192.168.88.0
09:06 < nikk^> remote site 192.168.2.0
09:07 < dazo> remote site is where you connect from?
09:08 * dazo begins to think if iroute might be the correct solution here
09:08 < dazo> !iroute
09:08 < vpnHelper> dazo: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
09:08 < dazo> nikk^: ^^^
09:10 < brewmaster_> dazo, that would be my d-link router
09:11 < nikk^> i am on the lan site behind the vpn server/ wrt, remote site is a friend of mine which can connect into the vpn network and into the lan, behind the vpn server
09:11 < brewmaster_> dazo, openvpn is running on my debian machine behind that router
09:11 < nikk^> he can connect to an ftp behind the vpn server
09:11 < dazo> brewmaster_: so your openvpn server is just a "client" on the inside of the openvpn server? (dlink doing portforwarding for you)
09:12 < nikk^> i can not ping his lan address, not from client and not from server
09:12 < brewmaster_> dazo, i think so
09:12 < dazo> yeah, that sounds like this issue with iroute, iirc .... krzee or ecrist might know more about this actually ....
09:13 * dazo does a try
09:13 < dazo> !route
09:13 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:13 < dazo> nikk^: ^^
09:17 < dazo> brewmaster_: okey ... then I'm guessing you need to setup something in either the DHCP server config which adds a route to your VPN network going via the IP address of the debian box (the physical interface, not the VPN interface)
09:17 < dazo> brewmaster_: or you will need to go on all your clients in your internal network and add this route manually
09:18 < brewmaster_> dazo, yeah, i think i have that part working: i can connect from the outside world to the openvpn server without any issues, i just can't ping / access shared folders on the server once connected.
09:18 < brewmaster_> client to clients works for pinging / sharing files
09:19 < brewmaster_> here's my ifconfig output on the server: http://pastebin.ca/1308074
09:19 < dazo> brewmaster_: clients, here I meant those boxes internally on your network, controlled by your d-link box
09:19 < dazo> brewmaster_: only here ... I would say you can try with that box with the SMB shares first
09:23 < brewmaster_> dazo, shouldn't the server list the openvpn address (which should be 10.8.0.4) when i run ifconfig?
09:26 < dazo> brewmaster_: the openvpn box (debian) needs to have the route for both your VPN net and the physical network
09:26 < nikk^> thanks dazo
09:27 < dazo> brewmaster_: but your clients on the d-link network need to know that they must contact your openvpn server to reach the VPN net .... or else the traffic will go to the default gw (your d-link router) and out on the internet
09:27 < dazo> nikk^: np!
09:29 < dazo> brewmaster_: so that's why I said this about the routing ... when the clients contact your openvpn (debian) box, this box will then know the rest of the route
09:37 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn
09:43 < brewmaster> dazo, ok, thanks for the help, so how do i tell, say, a linux client to send all 10.8.0.0/24 traffic to my debian machine (192.168.0.103)?
09:43 < dazo> brewmaster: route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.103
09:45 -!- brewmaster_ [n=brewmast@dsl-216-221-35-73.aei.ca] has quit [Read error: 145 (Connection timed out)]
09:45 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has quit ["Leaving"]
09:45 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn
09:45 < ecrist> dazo, you should stick around, then I can just watch. :)
09:46 < dazo> ecrist: heh .... well, I'll step down when you get bored then :-P
09:46 < dazo> s/when/before/
09:46 < brewmaster> dazo, thanks, what about the openvpn server? how will it know the rest of the route?
09:47 < dazo> brewmaster: you can check the route table on that box .... (/sbin/route -n) .... here it should list all routes and you can see if it has your local network and your VPN network ... if that's done ... it should be set
09:49 < brewmaster> hmm, no mention of tap0 or 10.8.x.x ...
09:52 < dazo> brewmaster: then it is time to dig into your openvpn config files
09:56 < brewmaster> dazo, what about "clients" that aren't on the LAN? do I need to have a route command?
09:56 < brewmaster> i'm SSH'd to an outside box, and it has "10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0" in the route -n
09:57 < brewmaster> which looks correct (though I know nothing ;)
09:58 < dazo> brewmaster: hmmm .... all clients on "your" network (inside the d-link) which you want to have access to your VPN (or which you want to connect to via the VPN) must know about this route
09:58 -!- rarn [n=rarn@38.104.189.110] has joined ##openvpn
09:58 < brewmaster> dazo, yeah, that's no problem, but what about the outside world?
09:58 < dazo> brewmaster: that "outside box" .... if that is not inside your d-link network, it should not be needed at all
09:59 < brewmaster> ok
09:59 < dazo> but for that box to reach your d-link network ... you would need to setup an OpenVPN tunnel ... and then the correct route should appear here
09:59 < dazo> brewmaster: I think you might find a better description here on routing ....
09:59 < dazo> !route
09:59 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
10:00 * dazo needs to run ... back in some hours
10:01 -!- dazo is now known as dazoafk
10:04 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn
10:04 < orbisvicis> to start a client: i do sudo openvpn client.ovpn and to kill a client ^C
10:05 < orbisvicis> is there a softer/better way to shutdown openvpn ?
10:05 < l11> orbisvicis: you'd usually use the scripts in /etc/init.d
10:06 < l11> like /etc/init.d/openvpn start and /etc/init.d/openvpn stop
10:06 -!- nikk^ [n=nikk@p54ADD682.dip.t-dialin.net] has quit ["I-n-v-i-s-i-o-n 3.0 (March '08)"]
10:07 < l11> (assuming the client config has been put where it can be found w/o extra arguments)
10:09 < nn> next round of network hell and overhaul comes in rebuilding my lost setup of ldap and kerberos... meh
10:17 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has quit ["leaving"]
10:17 -!- ecrist changed the topic of ##openvpn to: Check your firewall first. || We need !configs and !logs || HowTo: http://openvpn.net/howto Manual: http://openvpn.net/man || LANs behind OpenVPN? See !route || Don't ask to ask, just ask; then wait.
10:24 -!- rarn [n=rarn@38.104.189.110] has quit []
10:30 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn
10:30 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has quit [Client Quit]
10:31 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn
10:31 < nn> oops
10:31 < nn> well.. for some reason, things are mostly working, except im getting the wrong IP
10:52 < orbisvicis> eh i guess its not a big deal ... i dont have any openvpn init scripts, but I took a look at one and it stops openvpn by killing
10:54 < nn> probably with SIGTERM, no?
10:55 < ecrist> nn - that's how programs get killed in the unix world
10:57 < nn> ecrist: yes i know
10:57 * nn looks at iptables with the 'we about to fight' look...
10:58 * ecrist looks at chanserv with the 'me about to win' look...
10:58 < ecrist> :P
10:59 < ecrist> regardless, the comment should have been directed to orbisvicis, not you, nn
11:03 < orbisvicis> what sigterm is ^C, 15 ?
11:05 < orbisvicis> or 9
11:05 < nn> im thinking SIGINT or SIGQUIT
11:06 < ecrist> SIGINT, iirc
11:09 < ecrist>
--- Log closed Wed Jan 14 11:09:22 2009
--- Log opened Wed Jan 14 12:09:05 2009
12:09 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
12:09 -!- Irssi: ##openvpn: Total of 42 nicks [0 ops, 0 halfops, 0 voices, 42 normal]
12:09 -!- Irssi: Join to ##openvpn was synced in 1 secs
12:09 < ecrist> ugh
12:13 < reiffert> mahdi_ja: hi
12:13 < reiffert> mahdi_ja: You can have openvpn play the role of a vpn server, yes.
12:13 < reiffert> mahdi_ja: it has nothing to do with a domain controller, nor will openvpn replace a windows domain controller.
12:14 -!- jaysonsantos [n=jayson@189.102.240.246] has joined ##openvpn
12:18 < mahdi_ja> reiffert: in my company at this time we use a domain controller and i want to use a vpn server for operating-independence reasons.
12:19 < jaysonsantos> !route
12:19 < vpnHelper> jaysonsantos: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:19 < reiffert> mahdi_ja: sorry, I dont understand you.
12:20 < jaysonsantos> Hello people, I'm trying to connect via ssh from client to the vpn server and when (i think) i receive binary data, my connection stays frozen
12:20 < jaysonsantos> Maybe that is a route config ?
12:21 < mahdi_ja> reiffert: i am sorry, my english is weak. i want to know if i can do the task of a windows domain controller with openvpn (create a vpn server).
12:22 < reiffert> Who was that guy from that man-eating ape-island?
12:22 < reiffert> mahdi_ja: If I understand you right, a Windows Domain Controller can act as a VPN Server?
12:22 < mahdi_ja> reiffert: yes.
12:23 < reiffert> mahdi_ja: I see. Well Windows VPN is using L2TP or PPTP, right?
12:25 < mahdi_ja> yes this is true. i can use pptp in linux the same as in windows.
12:26 < reiffert> mahdi_ja: openvpn is totally different and not compatible with l2tp nor pptp.
12:26 < reiffert> mahdi_ja: but(!) openvpn runs on windows as well.
12:30 < mahdi_ja> yes, i know it. in a lot of companies, to restrict users to using a specific application, they use a domain controller. for example a user who is a member of the office1 domain can use the office1 applications and printers shared in this office and so on. i want to know if i can do this limitation by creating a vpn server.
12:31 < reiffert> "this" as in share permissions and rights with the help of openvpn among domain users?
12:33 < mahdi_ja> reiffert: no, i want to replace the domain server and use openvpn to do the task of the domain controller.
12:34 < reiffert> mahdi_ja: sorry, but openvpn is a vpn server and not a domain controller.
12:34 < reiffert> !howto
12:34 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:37 < mahdi_ja> reiffert: thank you.
12:38 < reiffert> welcome
12:43 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn
12:43 < meshuga> !route
12:43 < vpnHelper> meshuga: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:51 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
13:21 -!- mahdi_ja [n=mahdi@80.191.138.7] has left ##openvpn []
13:23 -!- Toinou_ [n=toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
13:23 < Toinou_> hello
13:23 < ecrist> howdy
13:23 < Toinou_> Does someone speak French or not?
13:24 < ecrist> probably not
13:24 < meshuga> so i'm having a problem where openvpn is only routing traffic to a few machines over the vpn. i am using /24's and only a few machines route
13:24 < ecrist> I understand and can speak very little, but we can try
13:24 < meshuga> all machines are pingable from each respective openvpn machine
13:24 < Toinou_> ecrist: ok thanks
13:24 < ecrist> meshuga: see the channel topic
13:24 < meshuga> and i have turned off all firewalls and whatnot
13:25 < meshuga> ecrist: ya, i'm just doing static keys, and ccd shouldnt matter cuz some do pass
13:25 < Toinou_> I have a problem connecting a client to my server
13:25 < ecrist> both of you, !configs and !logs
13:25 < ecrist> !configs
13:25 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:25 < ecrist> !logs
13:25 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6
13:28 < Toinou_> Could someone help me understand the error?
13:29 < ecrist> Toinou_: I need to see your log files, please?
13:30 < ecrist> we need to know what's not working and what your configuration is
13:30 < Toinou_> ecrist: which log files?
13:30 < meshuga> http://pastebin.com/m31f953f7
13:31 < meshuga> ecrist: there, I got the logs and the config in there
13:31 < meshuga> what i am doing is super simple
13:31 < meshuga> just trying to do a simple bi directional routed vpn
13:37 < ecrist> meshuga: you can't put a push "route" statement in a client config
13:37 < ecrist> you need to create a ccd, iirc
13:37 < ecrist> and set an iroute
13:37 -!- nn [n=irc@white.powder.nn2.us] has joined ##openvpn
13:37 < nn> how would i create a place-holder crl?
13:38 < ecrist> nn, let me get you the command
13:38 < ecrist> openssl ca -gencrl -out $crl -config $config
13:39 < nn> ahh thanks
13:39 < ecrist> $crl is the file name for the crl and $config is the openssl.conf file
13:39 < nn> i searched around the howto but windows is being hateful
13:39 < nn> gotcha, thanks
13:39 < ecrist> that's not in the howto, iirc
13:39 < nn> next experiment will be making openvpn feed off ldap for certs ;)
13:40 < ecrist> let me know how that goes, and what you end up doing.
13:43 < nn> will do
13:43 < nn> i heavily use ldap+pkcs11 stuff here ;)
13:44 < meshuga> ecrist: well, then i cant use static keys and need to do tls and stuff like that. i've done this before with static keys
13:44 < meshuga> years ago
13:44 < meshuga> i dont care if i manually have to setup route lines
13:44 < meshuga> the odd part is, its only routing half of the traffic
13:45 < ecrist> I'm looking into the docs, but I'm sure it's the client lan that's not being routed, right?
13:45 < ecrist> oh, you can put iroute in the server conf, since static keys only have one client
13:46 < meshuga> here i'll go back to my config using just linux boxes (instead of the routers, which i ultimately want it to go on)
13:46 < meshuga> basically i have 192.168.0.x that has a dozen machines on it, and i can only ping like 4 of them thru the tunnel
13:47 < ecrist> ok, tcpdump may tell you where things are being dropped
13:47 < ecrist> if you can ping some machines, then the vpn portion is working
13:48 < nn> oie. windows 7 is having issues :(
13:49 < nn> it does not like the route stuff
13:50 < ecrist> windows 7 is in beta - expect spotty results
13:50 < Toinou_> ecrist: sorry to disturb you but i don't know which log files you need to help me?
13:50 < nn> it's working well except not liking the route set stuff ;) 13:50 < meshuga> http://pastebin.com/m7fe8195 13:50 < nn> it appears i may have remote the route push stuff and manually caress the routing table 13:50 < ecrist> Toinou_: are you running openvpn via the command line, or via init.d? 13:51 < meshuga> i ran 'arp' on the machine which .0.1 is connected to running openvpn, and then tried to ping the hosts from the other side of the tunnel 13:51 < nn> remove 13:51 < meshuga> and only half of them respond. no firewalls or anything blocking it 13:51 < meshuga> pasting in tcpdump now 13:51 < Toinou_> ecrist: command line 13:52 < ecrist> ok, I need to see all the output that comes on the command line. 13:52 < ecrist> first, though, I need to know your problem. 13:52 < Toinou_> ecrist: I can't connect to the server!! 13:52 < meshuga> tcpdump doesn't say where anything is dropped 13:52 < meshuga> i just pasted that into the same pastebin, at the top 13:53 < ecrist> Toinou_: ok 13:53 < ecrist> is it a server you made, or a company server? 13:53 < meshuga> it's like .0.1 isn't responding for certain machines to forward traffic from 13:53 < meshuga> which doesn't make sense 13:53 < Toinou_> ecrist: it's a server i made, it's for a project 13:54 < ecrist> Toinou_: read the following link, and let me know if everything is set up correctly: 13:54 < ecrist> !freebsd 13:54 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:55 < Toinou_> ecrist: toinou@toinou-portable:/etc/openvpn$ cd /etc/openvpn && sudo openvpn client.conf 13:55 < Toinou_> Wed Jan 14 18:51:19 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 13:55 < Toinou_> Wed Jan 14 18:51:19 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
13:55 < Toinou_> Wed Jan 14 18:51:19 2009 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_C 13:55 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 13:55 < ecrist> Toinou_: don't paste here, please 13:55 < ecrist> pastebin.com 13:55 < ecrist> ok, did you make a certificate? 13:55 < ecrist> meshuga: looks like some clients may not know how to route back to the VPN 13:56 < Toinou_> ecrist: sorry, i'm a noob!!! 13:56 < ecrist> ok!!!!1!1!! 13:58 < meshuga> ecrist: shouldn't the default gateway handle all of that? 13:58 < Toinou_> ecrist: I made 3 certificates: 1 is the CA, 1 is the server certificate and the last is the client certificate 13:58 < meshuga> oh, so i should change the subnet mask for them to 255.255.0.0 13:59 < ecrist> sorry folks, I've gotta get back to work. 13:59 < meshuga> thanks for your help man 14:00 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has quit ["Leaving"] 14:21 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:38 -!- Toinou_ [n=toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Ex-Chat"] 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:07 -!- imbezol [i=imbezol@igloo.bigfiber.net] has left ##openvpn [] 15:17 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 15:20 < j_bsdxinu> hi, using FreeBSD VPN installed, when i run build-ca i get error: you must define KEY_DIR 15:32 < ecrist> j_bsdxinu: use ssl-admin instead 15:33 < ecrist> /usr/ports/security/ssl-admin 15:33 < ecrist> easy-rsa blows balls 15:33 < j_bsdxinu> i will try that 15:37 < j_bsdxinu> thanks 15:37 < ecrist> if you have questions, I'm the author 15:40 -!- andrer [n=andrer@200.130.18.1] has joined ##openvpn 15:40 < andrer> is there a way to use those usb security dongles (rsa keys) with openvpn?
15:41 < ecrist> yes and no 15:41 < andrer> ecrist: i can choose which answer I want? :) jk 15:41 < ecrist> you can write secondary authentication scripts for OpenVPN, usually for LDAP/etc. Just write one of those. 15:42 < andrer> but there is nothing built in... ok 15:45 -!- El_Presidente [i=Martin@p5798F41E.dip.t-dialin.net] has joined ##openvpn 15:46 < El_Presidente> hello, i want to allow my cousin to surf over my box, so i established a server on my pc the vpn tunnel gets up but we cant set the default route 15:46 < El_Presidente> because his pc says the following 15:46 < El_Presidente> unable to redirect default gateway -- Cannot read current default gateway from system 15:47 < El_Presidente> he is online with an umts stick 15:48 < ecrist> google that error 15:50 < El_Presidente> i did ... 15:51 < El_Presidente> but i didnt find any suitable information for a windows pc ... 15:51 < El_Presidente> since my cousin uses windows 15:52 < ecrist> sorry, I've no idea 15:52 < El_Presidente> okay 16:04 < j_bsdxinu> ecrist, you are the author of ssl-admin? 16:04 < reiffert> El_Presidente: 16:04 < reiffert> !defl 16:04 < vpnHelper> reiffert: Error: "defl" is not a valid command. 16:04 < reiffert> !def1 16:04 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:05 < ecrist> j_bsdxinu: yes 16:05 < j_bsdxinu> ohh ok, thanks 16:06 < El_Presidente> reiffert, aha 16:06 < reiffert> !man 16:06 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:06 < reiffert> !howto 16:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 16:06 < reiffert> also check 16:06 < reiffert> !topology 16:06 < vpnHelper> reiffert: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 16:07 < reiffert> some interesting thing about windows and /30 subnet. 16:07 < El_Presidente> reiffert, i know ty ;) 16:07 < reiffert> however, adding def1 should fix the thing 16:07 < El_Presidente> you mean redirect-gateway def1 ... 16:07 < El_Presidente> ? 16:08 < reiffert> El_Presidente: I mean ... RTFM! 16:08 < El_Presidente> :D 16:08 -!- andrer [n=andrer@200.130.18.1] has quit ["Lost terminal"] 16:22 < krzie> lol 16:23 < El_Presidente> cu 16:23 -!- El_Presidente [i=Martin@p5798F41E.dip.t-dialin.net] has quit ["Verlassend"] 16:27 < reiffert> You give em a hand, you point them to the right paragraph in the docs and all you get is "cu". And that's "lol"? Well. 16:28 < krzie> haha 16:28 < krzie> my lol was that he knew def1 goes with redirect-gateway and he couldn't just look at it in the manual which you had linked him to 16:31 < j_bsdxinu> ecrist, i am kind of new, what is this for? S) Create new Signed Server certificate. 16:31 < krzie> umm 16:32 < krzie> it's for creating a new server cert, and signing it 16:32 < krzie> i don't know how to say it better 16:32 < reiffert> Add "Self-" in front of Signed. 16:33 < ecrist> no 16:33 < ecrist> reiffert: it's not a CA certificate, it's a server certificate 16:33 < j_bsdxinu> so for openVPN i create one? 16:33 < krzie> doesn't have to be self-signed 16:33 < reiffert> Oh, rite! 16:33 < reiffert> it's ca signed 16:34 < reiffert> krzie: remember that guy from korea with the T1 flat on a tree? 16:34 < krzie> tjz, right? 16:34 < krzie> or mrcuteo...? 16:34 < reiffert> Well .. I don't remember his nick ...
16:34 < krzie> i think twas tjz 16:34 < krzie> but ya 16:35 < reiffert> Which is what I'm looking for :) 16:35 < reiffert> l11: u there? 16:35 < krzie> ahh 16:35 < krzie> i think it's tjz, but COULD be mrcuteo 16:35 < l11> reiffert: pong 16:35 < reiffert> May I introduce you? 16:35 < l11> female? 16:35 < l11> :D 16:36 < reiffert> Channel, say hi to l11, he's lesbian :) 16:36 < krzie> lol no 16:36 < krzie> sup l11 16:36 < krzie> i'm a dyke trapped in a man's body 16:36 < l11> quoting marvin? 16:37 < l11> i suppose reiffert has a reason to introduce us. we just need to find out why 16:37 < reiffert> Hm, the no special reason reason! 16:38 < l11> he says that all the time 16:38 < krzie> l11: got any problems with your vpn? 16:38 < l11> ehm .. no, not in particular. 16:39 < l11> doesn't run in the most efficient way but that's not the fault of openvpn 16:40 < l11> reiffert and you are online buddies? 16:41 < reiffert> I am online buddies? if so, how many? 16:41 < reiffert> body count! 16:43 < l11> he's dangerous. i remember when i happened to be in the same place, he almost subjected me to a radioactive particle beam. luckily there was 30 inches of lead in between :) 16:44 < reiffert> That was me, u sure? Maybe ran out of alc that time? 16:45 < l11> maybe it was because you *didn't* :P 16:46 < reiffert> Well, maybe that big electron beam which is everything but a radioactive particle beam and we may start discussing "particle" here :) 16:47 < reiffert> l11 is dangerous as well, don't get to him too close, he probably will convert you into another forth zombie! 16:47 < reiffert> don't get too close to him sounds more english than vice versa 16:47 < l11> well, if throwing in a detector hamster fills the air with stench of roast meet it doesn't really matter whether it's electron beam or not (or the nature of particles) 16:47 < l11> meat 16:48 < l11> *fizzle* 17:04 < reiffert> krzie: did you record some movie of your naked girls yet^w^w^w^w beach sunrise yet?
17:04 < krzie> nah man i'm down to one girl for now 17:08 < reiffert> Lemme guess, wrong (=no) christmas presents? 17:09 < krzie> nah i think i fucked up by actually getting them gifts 17:10 < reiffert> which of them did you keep? 17:11 < krzie> my favorite 17:11 < krzie> #1 17:16 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn 17:19 < reiffert> Good night (Gute Nacht in German) 17:19 < reiffert> Spoken like Goote Nucht 17:20 < reiffert> l11: krzie likes to learn some german words for impressing his german neighbour 17:23 < l11> me too 17:26 -!- l11 is now known as Bushmills 17:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:05 < cylix> So I set up a vpn and it really isn't working. Yes there is no firewall and it does connect with no errors on log lvl 3. Configs here: http://solace.info/dump 18:05 < vpnHelper> Title: Index of /dump/ (at solace.info) 18:06 < cylix> oops flood apparently 18:06 < cylix> sorry 18:06 < cylix> Anyway. I was just saying I set up a vpn. 18:06 < cylix> client and server connect. 18:07 < cylix> no errors in logs. 18:07 < cylix> yet I can only ping local devices. 18:07 < cylix> configs and logs at http://solace.info/dump 18:07 < vpnHelper> Title: Index of /dump/ (at solace.info) 18:09 < cylix> everything is exactly like the example configs except the remote ip of course and tcp not udp. Though I did try udp. 18:11 < cylix> Ah the server is on a one to one nat I should mention also. So it does have an external ip. 18:12 * cylix quits talking to himself... 18:12 < ecrist> give me a couple minutes to look, sheesh 18:12 < cylix> ecrist, thanks so much. 18:12 < cylix> :-) 18:14 < cylix> ah just renamed all files on webserver so they pull with correct mime type. Please reload directory. 18:15 < ecrist> ok, no errors in logs, as you said. what do you mean, you can only ping local devices?
18:16 < cylix> so the tun device on the client has the ip 10.254.1.6 18:16 < cylix> that I can ping from the client 18:16 < cylix> same with server. I can ping 10.254.1.1 18:16 < cylix> nothing else. 18:16 < ecrist> can you ping, from the client, to 10.254.1.1? 18:16 < cylix> no 18:16 < cylix> only from server. 18:16 < cylix> nothing is crossing the bridge. 18:17 < ecrist> sounds like a firewall issue. 18:17 < cylix> let me ask this then. does the client need an external ip? 18:18 < cylix> because I run and have tested the firewalls on both sides and that is not an issue. 18:18 -!- AukeF [n=folkerts@fury.science.uva.nl] has quit [Read error: 145 (Connection timed out)] 18:18 < ecrist> no, the client doesn't need an external IP 18:18 < ecrist> what are you trying to ping from the client, the internet? 18:19 < cylix> I just want to ping the server over the bridge. so 10.254.1.1 18:19 < cylix> That would prove it was working. 18:19 < ecrist> ok, still sounds like a firewall issue 18:20 < cylix> would you like to look at my firewall also? :-) 18:20 < ecrist> nope 18:20 < cylix> There is none except on the cisco 2811 I have doing a 1 to 1 nat for the server. 18:20 < ecrist> I would recommend you take down your firewall for testing 18:20 < cylix> ok I'll try that. 18:21 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"] 18:22 < cylix> I was just surprised it could still be a firewall issue after the initial connection succeeds. 18:23 < ecrist> firewall on the server, as all vpn traffic will be encrypted and encapsulation 18:23 < ecrist> encapsulated* 18:23 < cylix> There is no firewall on the server. 100% disabled. 18:24 < ecrist> traceroute 10.254.1.1 from the client 18:27 < cylix> ok now that's weird. 18:27 < cylix> traceroute: unknown host 10.254.1.1 18:27 < ecrist> o.O 18:27 < cylix> routing table is just what I uploaded though. 18:27 < cylix> so it should at least get to the ppp tunnel. 18:27 < cylix> or at least the tun device.
18:30 < cylix> ok so with log lvl 5 started on the terminal. I at least see WR appear for every ping I send. 18:31 < ecrist> log level 6 show anything more? 18:31 < ecrist> tcpdump show the packets hitting the server? 18:31 < cylix> So it is getting to the tunnel at some point. Not getting anything back though. 18:31 < cylix> I will check that now. lvl 6 then dump 18:34 < cylix> ok so it sends the ping then I get "TUN READ [84]" but no ping response. setting up dump now. 18:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:46 < cylix> wow ok getting wireshark for windows. 18:47 < cylix> from the dump taken on the tun device on the client side though. It looks like all pings go out but none come back. 18:47 < ecrist> what do you see from a dump on the server side? 18:48 < cylix> I'm still working on that. just finished my wireshark download. one min. 18:52 < cylix> hmm well they are coming in on the server side but not going out. 18:52 < cylix> I guess this means the problem is on the server somewhere. 18:53 < cylix> yes interesting. when I ping from the server it doesn't go across the link. 18:53 < cylix> when I ping from the client it goes across the link but the server isn't sending back. 18:54 < cylix> got to be a server config issue now what could it be... lol. You're right I would say firewall if I had one... 18:54 < ecrist> you're sure there's no firewall on the server? 18:57 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 18:57 < cylix> Well I'm checking again. :-) 19:00 < ecrist> I'm out for the night, I think. 19:01 < cylix> Well I do want to say a big thank you for your help. :-) 19:01 < cylix> Good night. 19:15 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 19:26 -!- jaysonsantos [n=jayson@189.102.240.246] has quit [Remote closed the connection] 19:49 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has left ##openvpn ["Leaving"] 19:52 < cylix> akk got it!!!
19:54 < cylix> Well if anyone else was reading and has had this problem please turn OFF the windows "routing and remote access". 19:57 * cylix Dances a little jig 20:00 < krzie> where do they turn it off? 20:00 < krzie> in services? 20:01 < cylix> well you could. I just went to the administrative tools and disabled it on the server from there. It does shut down the service though. 20:01 < krzie> where in administrative tools? 20:02 < cylix> routing and remote access. 20:02 < krzie> !learn winroute as you may need to turn off "routing and remote access" in administrative tools - routing and remote access 20:02 < cylix> That's the name of the menu entry. 20:02 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 20:02 < krzie> !learn winroute as you may need to turn off "routing and remote access" in administrative tools - routing and remote access 20:02 < vpnHelper> krzie: Joo got it. 20:02 < krzie> thanx 20:04 < cylix> so did you log it for a faq or something? what's that vpnHelper about? 20:04 < krzie> !winroute 20:04 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access 20:05 < cylix> Ah I see cool.
20:05 < krzie> !factoids search win 20:05 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide' 20:05 < krzie> !wintaphide 20:05 < vpnHelper> krzie: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89, or (#2) To show again, set it to 0x81 20:05 < krzie> all kinds of info on that bot 20:05 < krzie> so us helpers can be lazy ;] 20:05 < krzie> also has stuff like this: 20:05 < krzie> !pastebin 20:05 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 20:05 < krzie> !logs 20:05 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6 20:05 < krzie> !configs 20:05 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries 20:06 < krzie> or my personal favorite... 20:06 < krzie> !insanity 20:06 < vpnHelper> krzie: "insanity" is doing the same thing over and over expecting different results 20:06 < cylix> LOL 20:06 < cylix> Being lazy is always a good plan when possible. :-) 20:09 < krzie> efficiently lazy as i like to call it =] 20:10 < cylix> Seems like your way is straight out of some unix books I read. 20:10 * cylix Likes unix.
20:10 < krzie> ya 20:10 < krzie> it's how i thought before i got into unix 20:10 < krzie> but it's a reason me and unix get along well ;] 20:13 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 20:46 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit ["got to run"] 21:16 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 21:16 < error404notfound> while creating certificates for openvpn using openssl, should I set passphrases on keys? 21:16 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection] 21:26 -!- bender[a] [n=OWinNOW@64.208.90.82] has joined ##openvpn 21:26 -!- bender[a] is now known as bender183 21:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 110 (Connection timed out)] 21:31 < ecrist> evening, bitches 21:31 < ecrist> error404notfound: personal preference 21:32 < ecrist> there's added security in having a passphrase on the certificate key, but it's usually lost as people put the passphrase into a text file for automating startup/shutdown of the tunnel 21:33 < meshuga> msg drmctchr hey whats up? 21:33 < meshuga> er 21:38 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Connection timed out] 21:38 < ecrist> wow, nmap 4.76 is really fast compared to older version 21:38 < ecrist> s 21:45 < krzie> agreed 21:46 < ecrist> I'm considering adwords for my wiki 21:47 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 21:47 < ecrist> ~88 unique ips/day, with ~466 page loads/day 21:48 < ecrist> 91039 page loads last year. not too high, but enough to maybe get me a hit.
21:49 < krzie> good idea 21:49 < krzie> but maybe you could leave it off the openvpn wiki 21:50 < krzie> since we're basically making it the unofficial (possibly official if that dude ever responds again) wiki 21:52 < ecrist> not a for sure thing at this point, but if I did it, I think it would be site-wide 21:53 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 104 (Connection reset by peer)] 21:54 < ecrist> I could pull a dick move and advertise my site with google for OpenVPN. lol 22:00 < krzie> haha 22:05 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 22:09 < ecrist> what is your objection to ads on the openvpn pages? 22:10 < ecrist> I don't think we're going to hear back from francis 22:11 < ecrist> 2.5% of my hits this month came from a search engine query 'openvpn routing' 22:23 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 22:25 < krzie> nice! 22:26 < krzie> people hitting my writeup 22:26 < krzie> =] 22:26 < ecrist> yep 22:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:26 < krzie> i guess if they were small and unobtrusive i don't have an objection, but i just like the idea of giving help without advertisements 22:27 < krzie> plus ads would take away some of the possibility of getting random others contributing i think 22:27 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 22:27 < krzie> but so far it seems to be us contributing to that and the forum anyways 22:28 < ecrist> yep 22:28 < ecrist> I haven't seen him in a while 22:28 < krzie> him? 22:28 < ecrist> guy doing the forum 22:29 < krzie> oh dougy 22:29 < krzie> ya he's MIA 22:30 < ecrist> !tcp 22:30 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 22:35 < ecrist> ~319 page loads/day for ovpnforum.com 22:35 < ecrist> 40 unique visitors/day 22:35 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has quit [Remote closed the connection] 22:36 < ecrist> don't have logging turned up on that domain, will have to do so tonight 22:36 < ecrist> I'm out - l8r krzie 22:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 22:50 < krzie> later 23:13 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn 23:18 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 113 (No route to host)] 23:38 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 23:55 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn --- Day changed Thu Jan 15 2009 00:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 00:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:54 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 00:59 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 01:24 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 01:57 -!- dazoafk is now known as dazo 02:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:49 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 02:50 < metbsd> when i create server.crt, it's all empty 02:50 < metbsd> help needed 02:50 < reiffert> !howto 02:51 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:51 < reiffert> it's all in there 02:51 < metbsd> i used that howto, but the files index.txt, client.crt, server.crt are all empty with 0 size 02:51 < metbsd> is it normal?
02:56 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: dogmeat, disposable, disco-, zug_|work 02:56 -!- Netsplit over, joins: disposable 02:56 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 02:57 -!- Netsplit over, joins: disco- 02:57 < metbsd> where do i define common name? 02:57 < metbsd> in vars 02:57 < metbsd> i'm doing stuff all wrong 02:57 < metbsd> cuz i don't know where to specify common name in vars 02:58 < reiffert> quoting the howto: 02:58 < reiffert> Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA". 02:58 < metbsd> oh explicitly entered! 02:58 < reiffert> oh, it's all in the howto! 03:00 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 03:28 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn [] 03:38 -!- zug_|work [n=zug_work@88.211.97.126] has joined ##openvpn 03:46 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 03:56 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn 03:57 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)] 03:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:00 -!- ikevin_ [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has joined ##openvpn 04:04 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 60 (Operation timed out)] 04:06 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 04:07 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)] 04:16 -!- ikevin [n=kevin@ANancy-256-1-10-23.w90-13.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 04:31 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"] 04:33 -!-
tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 04:51 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 04:57 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)] 05:01 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 05:23 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [""I'll see you on the dark side of the moon...""] 05:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:37 -!- zug|work [n=zug_work@88.211.97.126] has joined ##openvpn 06:48 -!- zug_|work [n=zug_work@88.211.97.126] has quit [Read error: 110 (Connection timed out)] 06:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 07:24 * ecrist wants to punch someone 07:26 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 07:27 < robert_> !route 07:27 < vpnHelper> robert_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 07:30 -!- dazo is now known as dazoafk 07:40 -!- c64zottel [n=hans@62.12.218.111] has joined ##openvpn 07:49 -!- dazoafk [n=dazo@nat/redhat/x-9b92f7f7f5391fc8] has quit ["Leaving"] 07:53 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 07:53 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn 08:15 -!- c64zottel [n=hans@62.12.218.111] has quit [Read error: 60 (Operation timed out)] 08:16 -!- c64zottel [n=hans@62.12.218.111] has joined ##openvpn 08:27 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has joined ##openvpn 08:27 < mndo> !route 08:27 < vpnHelper> mndo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 08:30 < c64zottel> !water 08:30 < vpnHelper> c64zottel: Error: "water" is not a valid command. 08:32 < ecrist> what are you hoping to find with !water? 
08:35 < tjz> lol 08:41 -!- fialar [n=v@spoon.pkl.net] has joined ##openvpn 08:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:56 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 08:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 09:00 < aar0n> !route 09:00 < vpnHelper> aar0n: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:04 -!- mart_ian [n=mart_ian@pool-173-49-80-4.phlapa.fios.verizon.net] has joined ##openvpn 09:18 -!- c64zottel [n=hans@62.12.218.111] has left ##openvpn [] 09:20 < mart_ian> hi folks. i have a situation that's got me scratching my head. i have a server (A) and a remote client (B) that is behind a firewall. i have two more clients (C & D laptops) that come and go. i want laptop C to be able to connect to any box on A's local net and B's local net. I want laptop D to only connect to A's local net. right now, i have everything going, except, i can't seem to prevent D from seeing B (and ... 09:20 < mart_ian> ... its local net). i have tried a variety of iptables rules on A and B, but nothing seems to reliably block D from B without blocking C (and A). any ideas on how to do this? 09:21 < fialar> A doesn't see traffic between B and C? 09:22 < ecrist> mart_ian: you need to set this up in one of two ways: 09:22 < mart_ian> i can't seem to get tcpdump/tshark to admit anything's going on. 09:22 < mart_ian> (on server A) 09:23 < ecrist> assign C an IP in a range that can see both networks via a push for each subnet or 09:23 < ecrist> use a firewall on the OpenVPN machine to restrict the access for specific clients 09:23 < fialar> ecrist: I think he's trying the latter 09:23 < fialar> machine A is the server, right? 09:23 < mart_ian> right. 09:23 < fialar> tcpdump running on machine A doesn't see traffic between B and C? 09:24 < mart_ian> correct. 09:24 < fialar> weird.
09:24 < fialar> does tcpdump not listen on tun0 properly in linux? 09:24 < mart_ian> ecrist: i was attempting your second idea, but can't seem to find the right foo to make it work. 09:26 < ecrist> do it in a couple steps. 09:26 < ecrist> 1) does the connection between A and B work flawlessly? 09:26 < mart_ian> yes 09:27 < ecrist> 2) does the connection between A, B, and C work flawlessly? 09:27 < mart_ian> yes 09:27 < ecrist> ok, so you must have client-to-client enabled within your server config, good. 09:27 < mart_ian> yes. 09:27 < ecrist> now, what OS are you running on the server? 09:28 < mart_ian> linux on all 09:28 < ecrist> the clients don't matter 09:28 < mart_ian> ok 09:28 < ecrist> I'm not going to be able to help you with firewall specifics, but you need to assign static IPs to your VPN clients (IPP is OK) and create a rule to block traffic on tun0 from D to B 09:29 < mart_ian> that's what i (thought i) did. 09:29 < ecrist> OpenVPN was written to allow kernel hooks into the tun driver, which would allow firewalls to operate correctly. 09:29 < mart_ian> but it didn't seem to block anything. 09:30 < mart_ian> when i run tcpdump on A, it doesn't seem to notice the traffic from D to B, even though it necessarily should be going through tun0 09:30 < ecrist> what interface are you watching traffic on? 09:30 < mart_ian> i've tried them all. 09:30 < fialar> tcpdump -i tun0 -n 09:30 < mart_ian> as well as tcpdump -n 09:33 < fialar> ecrist: OpenVPN uses star topography right? All traffic between clients has to pass through the server? 09:37 < ecrist> yes 09:40 < fialar> hmm tcpdump on openbsd works listening to tun1 (what I have openvpn running on) 09:40 < fialar> ecrist: what IPs would mart_ian have to block? 09:41 < fialar> because each client has its own /30 09:42 < ecrist> the client IPs - the rest don't matter 09:42 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit [Read error: 145 (Connection timed out)] 09:42 < fialar> not the P-t-Ps? 
09:42 < fialar> ok
09:42 < fialar> mart_ian: might want to turn logging on those FORWARD rules
09:45 < fialar> I'd test here but can only connect one client to the openvpn server here
09:46 < mart_ian> i have FORWARD policy set to DROP with no exceptions. it's still passing through.
09:47 < fialar> I connected a client, then pinged .1 and got: 15:50:00.861173 10.0.51.6 > 10.0.51.1: icmp: echo request (DF)
09:47 < fialar> so that works
09:47 < fialar> that's tcpdump listening on tun1
09:50 < fialar> mart_ian: if you ping .1, does tcpdump on server A see it?
09:51 < mart_ian> from D?
09:52 < mart_ian> from D, it sees it on tun0
09:53 < mart_ian> that is, pinging from D, watching on A:tun0
09:54 < fialar> D pinging A (A= .1)
09:54 < fialar> ah ok
10:36 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
10:41 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:44 < ecrist> mart_ian: I think I figured out your problem
10:45 < ecrist> you're using linux
10:45 < mart_ian> that's usually my solution...
10:45 < ecrist> FreeBSD FTW
10:45 < mart_ian> not really an option.
10:48 < ecrist> why not?
10:49 < ecrist> I'm not actually suggesting you need to change your OS, keep in mind.
10:49 < ecrist> just making a dig at Linux's fail
10:49 < mart_ian> O_o
11:01 < ecrist> o.O
11:01 < ecrist> \o/
11:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
11:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:30 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
11:33 < error404notfound> can someone tell me what's going wrong here: http://pastebin.com/m409260be
11:33 < ecrist> it's not able to verify the certificate
11:35 -!- nicon [i=n@tiberium.net.pl] has joined ##openvpn
11:35 < error404notfound> ecrist: both certificates were generated using the same ca
11:35 < nicon> Hi all
11:36 < nicon> I've got a problem. I have a server (on debian => openvpn) in one place and a client (wrt54gl with tomato) in a second place
11:36 < nicon> Everything works almost fine...
11:37 < nicon> The problem is that I can't see computers in group at windowses in second place.
11:37 < nicon> I can "join" 'em only by typing the name of server by hand (for eg: \\name-of-computer)
11:37 < ecrist> error404notfound: probably a problem with the certificate generation or file format
11:38 < nicon> What did I make bad?
11:38 < ecrist> nicon, you need bridging rather than routed, and it's more complicated to set up
11:38 < error404notfound> anyone know of an easy method to this all openssl stuff?
11:38 < nicon> ecrist: it is set to bridge
11:38 < nicon> not to route.
11:39 < ecrist> your local LAN and remote LAN need to use the same IP space
11:39 < nicon> ecrist: and yes, it uses the same IP space (192.168.10.*)
11:39 < nicon> the srv is 192.168.10.1, the client is 192.168.10.2
11:40 < nicon> And it's in the same work group.
11:41 < nicon> I want computers from first place be viewed in second place and in retreat
11:41 < nicon> (in work group computers)
11:57 < nicon> Any idea?
12:08 -!- error404notfoun1 [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
12:11 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 60 (Operation timed out)]
12:11 -!- error404notfoun2 [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
12:14 -!- error404notfoun1 [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 60 (Operation timed out)]
12:15 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
12:20 < fialar> hey ecrist
12:20 < fialar> guess what?
12:20 < ecrist> what?
12:20 < fialar> openvpn bypasses iptables firewall on linux
12:20 < fialar> I just did some tests
12:20 < ecrist> lol
12:20 < fialar> my FORWARD policy is set to DROP
12:20 < fialar> yet vpn traffic is passed
12:20 < fialar> weird
12:20 < fialar> this doesnt happen on openbsd
12:20 < fialar> pf stops that stuff cold
12:20 < ecrist> or freebsd
12:20 < fialar> unless you let it in
12:21 * mart_ian whacks openvpn with a bsd slice
12:21 < mart_ian> *sigh*
12:21 < ecrist> must be how the linux kernel orders filtering
12:21 < fialar> wow.. talk about gaping network security hole
12:29 -!- error404notfoun2 [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Success]
12:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:34 < ecrist> wonder if it's something that changed in the linux kernel recently
12:34 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Connection timed out]
12:36 < fialar> ecrist: with the insane kernel development model they got going these days, I wouldn't be surprised
12:36 * fialar preferred 2.4/2.5 separate branch type development.. at least back then things were more stable
12:36 < fialar> biggest mistake Linus ever did was merge stable and development (or -stable/-release and -current)
12:46 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:56 < ecrist> that, among other things, is why I'm not a linux user
12:58 < fialar> I'd run openbsd on this asus eee, but no support for wireless yet.
12:58 < fialar> damn atheros chipset
13:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:08 < nicon> no1 will help me? :P
13:16 -!- rodpod [i=rod@hick.org] has quit [Read error: 113 (No route to host)]
13:23 -!- silver_hook [n=matija@lk.84.20.246.165.dc.cable.static.lj-kabel.net] has joined ##openvpn
13:23 -!- nicon [i=n@tiberium.net.pl] has left ##openvpn []
13:25 < silver_hook> Hullo. I'm wondering what supposedly makes Hamachi superior to OpenVPN.
13:37 < cpm> didn't know it was.
13:38 < cpm> hamachi, closed ransomware, openvpn, , well, , , open.
13:38 < cpm> wasn't aware there was a comparison.
14:01 < silver_hook> Avahi/Zero-conf?
14:01 < silver_hook> P2P?
14:02 < silver_hook> I'm new to VPN, but I'd rather not use a closed-source application to handle such things...
14:05 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)]
14:14 -!- nemo [i=nemo@c-76-21-160-106.hsd1.md.comcast.net] has joined ##openvpn
14:15 < nemo> Say folks. Does anyone know if it is feasible to setup Aventail w/ openvpn?
14:22 < nemo> hm. my bet is "no" on openvpn, from reading.
14:25 < ecrist> I don't know what Aventail is
14:27 < nemo> VPN solution, owned by SonicWall
14:27 < nemo> to their credit, they have a linux client
14:28 < nemo> I'd just like to integrate it with NetworkManager instead of using their client
14:28 < nemo> so far, haven't had much luck w/ either nm-vpnc or nm-openvpn - just poking at various config params.
14:36 < ecrist> oh, no, OpenVPN is only compatible with OpenVPN
14:39 < nemo> got that impression from fact that it seemed to require a cert :)
14:39 < nemo> thnx.
14:39 -!- nemo [i=nemo@c-76-21-160-106.hsd1.md.comcast.net] has left ##openvpn []
14:40 < silver_hook> Alright. I'm still trying to figure out what added value of Hamachi should be over OpenVPN... Could it be the P2P and Zero-conf/Avahi support?
14:42 < ecrist> silver_hook: the advantage is marketing
14:42 < ecrist> that's all
14:42 < silver_hook> ecrist: Makes sense ;) Just as Skype over SIP :P
14:42 -!- mart_ian [n=mart_ian@pool-173-49-80-4.phlapa.fios.verizon.net] has left ##openvpn []
14:42 < ecrist> right
14:43 < silver_hook> Is there a HOWTO somewhere on how I can make a tunnel for filesharing with some other box?
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:03 < Bushmills> silver_hook: when you have setup openvpn to connect with another box, you *have* a tunnel. what kind of services you run over the tunnel, the tunnel doesn't care.
15:04 < Bushmills> i suppose you want to look into some sort of routing-howto
15:04 < silver_hook> Bushmills: So, basically the VPN just makes a tunnel and both boxes still need to run appropriate daemons and services?
15:05 < silver_hook> And VPN only makes sense, when one box is otherwise not directly accessible?
15:06 < Bushmills> silver_hook: that is correct
15:06 < Bushmills> first statement is.
15:06 < Bushmills> second is debatable
15:06 -!- Bausparfuchs [n=jochen@88.134.230.128] has joined ##openvpn
15:08 < silver_hook> Bushmills: What would you say for using VPN even when both boxen can communicate directly?
15:09 < Bushmills> elimination of man in the middle
15:10 < Bushmills> imagine using plaintext password on one machine from the other.
15:11 < silver_hook> Mhm...
15:11 < silver_hook> Where do Avahi and P2P come in then?
15:12 < Bushmills> no idea. you tell me.
15:13 < Bausparfuchs> hi @all have a problem to set up a vpn connection via openvpn (actually with the networkmanager-vpn plugin of gnome) The problem is to understand the different "connection types" and the files i have to create or specify in the gui. The only information that i got from my university for the vpn are a group password, a server address, a group name and a username + password. Additionally the connection is a "ipsec over tcp" connection. The TCP
15:13 < Bausparfuchs> Connection i can switch on in the options, but now i dont know which connection type i have to choose and which file(s) i have to write
15:15 < Bushmills> Bausparfuchs: are you supposed to connect to an openvpn server?
15:16 < Bausparfuchs> Bushmills: no, i dont think so, the university provides only the cisco client for windows but the linux-version makes some trouble on my pc so i decided to try openvpn
15:17 < Bushmills> if there's no openvpn on the other end, you can't connect to it with openvpn on your box.
15:17 < silver_hook> Bushmills: I dunno. That's what I wonder about Hamachi ...it's supposed to be a Zeroconfig VPN and with some P2P stuff in between.
15:18 < Bushmills> try to connect with wolfenstein castle
15:18 < Bushmills> i guess the chances of success are comparable
15:19 < silver_hook> But, if I understand correctly so far ...it's just a VPN. Although I have no idea what Zeroconfig/Avahi and P2P have to do with VPN...
15:20 < Bushmills> silver_hook: "VPN" is a generic name. like "computer", but you appreciate that there are different kinds of (incompatible) computers? same with VPNs
15:21 < silver_hook> OK ...makes sense so far.
15:21 < silver_hook> Like with P2P there's many networks or with IP telephones, right?
15:21 < Bausparfuchs> Bushmills: oh so openvpn only works with openvpn. that was new to me. thanks
15:22 < Bausparfuchs> then i have to fall back with vpnc and hope it will work
15:22 < Bushmills> silver_hook: there's probably more types of VPN than there are of ip phones...
15:22 < silver_hook> And they're mostly incompatible?
15:23 < Bushmills> yes. that's more the rules than the exception.
15:23 < Bushmills> rule
15:24 -!- Bausparfuchs [n=jochen@88.134.230.128] has left ##openvpn ["Konversation terminated!"]
15:26 < silver_hook> OK. So far I understood that it's practical to have a tunnel when the other box is behind NAT or there are proxies in between. But what other middle man are you talking about?
15:27 < Bushmills> silver_hook: middle man as in eavesdropper
15:31 < silver_hook> Bushmills: Aha. What about TOR then in such cases?
15:33 < Bushmills> tor uses a different architecture. it has a different purpose too, that is, hiding the relation between origin and destination.
15:34 < Bushmills> openvpn doesn't hide the relation between server and client. but it obscures the nature and contents of traffic
15:35 < silver_hook> I know what TOR is for, but wonder why I'd use (Open)VPN instead for more security.
15:36 < silver_hook> Bushmills: Well, I think I understand things a lot better now, thanks :)
15:37 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
15:37 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:37 < Bushmills> you might have control over both ends of the connection, but not over the path in between. that's where openvpn is more suited than tor.
15:39 < Bushmills> other uses are, you might want to connect to a mobile device, no matter where it connected. with openvpn, you can reach that device on a static ip address.
15:40 < silver_hook> Bushmills: Mhm, makes sense all of it so far..
15:40 < Bushmills> and many folks love that connections over openvpn stay alive even if the physical connection was dis- and reconnected
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)]
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:52 < silver_hook> That also sounds pretty cool :]
15:53 < silver_hook> I think I'm packed with info for now ;)
15:57 < silver_hook> Thanks, Bushmills! Right now I don't seem to have dire need of VPN, but at least now I know enough to know when I will and where to look at then :)
16:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)]
16:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)]
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:21 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:22 -!- silver_hook [n=matija@lk.84.20.246.165.dc.cable.static.lj-kabel.net] has quit ["studying law..."]
16:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
16:27 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
16:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:13 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
19:35 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:39 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
19:41 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 113 (No route to host)]
19:44 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:45 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn
19:52 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
19:55 < ecrist> what's with all the dropped connections? sheesh
19:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
20:09 -!- rodpod [i=rod@hick.org] has joined ##openvpn
20:09 -!- deltaray2 [n=deltaray@1.79.244.66.sdsl.sta.smithvilledsl.net] has joined ##openvpn
20:12 < deltaray2> I am deploying some servers on different networks, but would like to have them use a private and secure network of their own to talk to each other in addition to having public IPs. Is openvpn the right solution for that or should I be looking at something else?
20:21 < reiffert> openvpn is your thing
20:21 < reiffert> !howto
20:21 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:22 < deltaray2> thank you
20:22 < deltaray2> I guess I think of VPN as something that home clients use to connect to work, but I suppose that's not much different than a server connecting into a larger network.
20:24 < reiffert> You can have a bridged and a routed setup
20:25 < deltaray2> Ok, so openvpn does either one? I thought it only did routing.
20:25 < deltaray2> I'm still reading through the FAQ
20:25 < reiffert> Welcome!
20:25 < reiffert> I'm off to bed, it's 03:30 here
20:31 < ecrist> deltaray2: what OS?
20:32 < ecrist> deltaray2: I suppose, regardless of OS, check out the following:
20:32 < ecrist> !freebsd
20:32 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
20:44 < cylix> Weird, Well I just found the source of my problems from yesterday.
20:44 < cylix> On windows 2003. when I get the vpn up it doesn't work.
20:44 < ecrist> firewall?
20:45 < cylix> nope
20:45 < cylix> it was routing
20:45 < cylix> the table was http://solace.info/dump/server.route.txt
20:45 < cylix> it needed one more entry
20:45 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
20:46 < cylix> that being 10.254.1.0 dest network 255.255.255.0 gateway 10.254.1.2
20:46 < cylix> I'm not sure why it wasn't put there by open vpn if it's needed.
20:47 < cylix> windows routing put it there when I started it BUT didn't put it back after a reboot so it quit working. :-(
20:47 < cylix> It had me running circles.
20:49 < cylix> adding it as a static route seems to fix it with the reboot problem though.
20:50 < j_bsdxinu> ecrist, i installed openVPN and ssl-admin, i figure how to create client/signed certs, But how do I create a Server cert/signed?
20:53 < ecrist> there should be a menu option
21:09 < cylix> so is there an official mailing list for openvpn anymore?
21:10 < j_bsdxinu> ecrist, i get an error when selecting S)
21:10 < j_bsdxinu> Error Loading extension section server
21:15 < deltaray2> ecrist, CentOS Linux among others
21:17 < deltaray2> Actually, that howto will be useful because I do have one customer that uses FreeBSD.
21:17 < deltaray2> thanks
21:18 < j_bsdxinu> I am using FreeBSD
21:20 < j_bsdxinu> ecrist, There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 226, <> line 4.
21:25 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
21:25 < metbsd> hi need help about openvpn
21:25 < metbsd> if i want to connect two clients from two diff networks, what to put in server?
21:30 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
21:32 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
21:34 < j_bsdxinu> ecrist, this is what i get :( when using S) ... Error Loading extension section server
21:35 < j_bsdxinu> ecrist, There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 2
21:40 < ecrist> j_bsdxinu: I'll look into the error tomorrow. I'll let you know what comes of it.
21:40 < ecrist> cylix: yes, there is.
21:40 < ecrist> it's fairly active, as I understand.
21:40 < ecrist> there's also a fairly new forum, ovpnforum.com
21:41 < ecrist> metbsd: client-to-client
21:41 < ecrist> g'night all
21:42 < j_bsdxinu> ok, thanks
21:48 < metbsd> vpn is so damn complicated
22:01 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
22:10 < metbsd> where do i put key file in windows openvpn?
22:15 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: pa, rodpod, ebf0, metbsd
22:15 -!- Netsplit over, joins: rodpod, pa, ebf0
22:16 -!- Netsplit over, joins: metbsd
22:17 < cylix> metbsd, wherever you have specified in the server or client config.
22:17 < cylix> see the ca, key, and cert options in your config.
22:20 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: pa, rodpod, ebf0
22:21 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: metbsd
22:22 -!- Netsplit over, joins: rodpod, pa, ebf0
22:46 -!- deltaray2 [n=deltaray@1.79.244.66.sdsl.sta.smithvilledsl.net] has left ##openvpn ["Leaving"]
23:31 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
23:39 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit [Remote closed the connection]
--- Day changed Fri Jan 16 2009
00:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:55 < ricoshady> im using openvpn in openwrt and im having a connection problem. the client hooks up to the server but then the handshake fails.
00:58 < ricoshady> http://pastebin.com/m33e95fd7
00:58 < ricoshady> client config
00:59 < ricoshady> i mean the first is the server config
01:01 < ricoshady> client config: http://pastebin.com/m57f3c4ff
01:03 < ricoshady> server error output http://pastebin.com/m1530bd2a
01:14 < ricoshady> any ideas? im using keys built and tested on another server/client pair
01:14 < ricoshady> cause I cant build them on my server
01:46 < ricoshady> very similar to what this person is experiencing
01:46 < ricoshady> http://forum.openwrt.org/viewtopic.php?id=4925
01:47 < vpnHelper> Title: OpenWrt / OpenVPN Problem (at forum.openwrt.org)
02:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:00 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
03:00 < joelsolanki> Hi room
03:01 < joelsolanki> when i start openvpn service on my server it gets IP 10.8.0.1 with subnet 255.255.255.252
03:01 < joelsolanki> and on client machine it gets ip 10.8.0.6 with subnet 255.255.255.252
03:01 < joelsolanki> so when i ping from client to server or vice versa i cant ping
03:01 < joelsolanki> is this subnet mask problem ?
03:03 < joelsolanki> by the way this is on windows machines
03:28 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
03:34 -!- fialar [n=v@spoon.pkl.net] has left ##openvpn []
04:13 < Bushmills> joelsolanki, yes. try 255.255.255.248
04:25 -!- worch [i=worch@battletoad.com] has joined ##openvpn
04:25 < worch> !route
04:25 < vpnHelper> worch: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
04:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:46 < worch> to my vpn server, two clients connect, which are my laptop and my home router. I've the router's subnet routed so that I can connect to other clients in my router's LAN from my laptop or server. Now when I'm home, my laptop is _also_ a client on my router's LAN in addition to my vpn. This is causing some problems, which I'm unsure how to resolve. For example, when I'm at home and I try to ping my laptop (as a client on the router via the ip on the router's
04:47 < worch> The result is that the server receives a packet from the laptop with a source ip that it does not expect, so it is dropped. How should I fix this?
04:48 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has joined ##openvpn
04:48 < worch> It took me about half a day to figure out why things were acting so strangely :p
04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:04 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
06:54 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
08:11 < ecrist> good morning, bitches
08:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
08:14 * j_bsdxinu celebrates as ecrist is here :)
08:14 < ecrist> uh oh
08:17 * j_bsdxinu is now disappointed uh oh does not sound good
08:27 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit ["Leaving"]
08:31 -!- ebf0- [n=ebf0@87.238.45.168] has joined ##openvpn
08:40 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Read error: 113 (No route to host)]
08:40 -!- ebf0- is now known as ebf0
09:04 -!- S7 [n=yury@84.108.50.0] has joined ##openvpn
09:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
09:11 < S7> Hello, I can't get the openvpn client connect to the server, getting: us=21651 TLS Error: Unroutable control packet received from 84.108.127.43:1194 (si=3 op=P_CONTROL_V1) repeatedly
09:11 < S7> server: http://pastebin.com/m5759f6f7 (OpenVPN 2.1_rc15 amd64-portbld-freebsd7.1 [SSL] [LZO2] built on Jan 16 2009) client: http://pastebin.com/m59afd697 (OpenVPN GUI 1.0.3) clocks seem to be synched, openssl returns cert is ok
09:19 < ecrist> j_bsdxinu: why're you excited I'm here?
09:20 < ecrist> S7: what does google tell you about the error?
09:20 < S7> sync the clock.
09:20 < S7> it synced ;\
09:24 < ecrist> S7: read this thread: http://osdir.com/ml/network.openvpn.user/2003-09/msg00010.html
09:25 < vpnHelper> Title: Re: TLS handshake failed?: msg#00010 network.openvpn.user (at osdir.com)
09:39 < j_bsdxinu> ecrist, im having problems creating a Server cert with ssl-admin :( -- i get this when sel menu S)
09:39 < j_bsdxinu> Error Loading extension section server
09:39 < j_bsdxinu> There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 226, <> line 3.
09:39 < ecrist> ok, let me look into it now.
09:40 < S7> ecrist, thanks
09:40 < S7> but it wasn't that
09:40 < S7> i've added
09:40 < S7> duplicate-cn and now it works
09:40 < ecrist> ah, see you left out important details.
09:40 < ecrist> mainly, you've got multiple clients sharing the same certificate
09:41 < nn> uhoh
09:41 < S7> well, i have one client
09:41 < S7> and one server
09:41 < S7> i don't know how it related
09:41 < S7> i've also had the server cert
09:41 < S7> as a client cert
09:41 < S7> fixed that now too
09:42 < S7> actually that was the main problem
09:42 < S7> but just when i've added duplicate-cn i've seen the real error
09:42 < S7> before that just had that Unrouted stuff
09:42 < S7> after i've added duplicate-cn it told me the cert is wrong
09:43 < ecrist> my guess is your certificate setup is borked.
09:43 < ecrist> but, glad you got it working
09:44 < S7> i had troubles with the scripts, since they're in bash, so i've made them manually, maybe got something broken in the way
09:45 < ecrist> you on linux?
09:45 < S7> fbsd
09:45 < ecrist> ah, use ssl-admin
09:45 < S7> or i just could've installed bash and saved me the troubles =)
09:45 < ecrist> /usr/ports/security/ssl-admin
09:46 < ecrist> there's a problem with it, as j_bsdxinu has alluded to, which I'm working on now
09:46 < S7> i'll try that out, making certs by hand is kinda annoying
09:46 < ecrist> aye
09:47 < ecrist> I wrote ssl-admin - features/problems, let me know
09:49 < j_bsdxinu> yes i am using FreeBSD too. S7 even after i installed bash in fbsd then try their ez cert, it still did not work thats why i use ssl-admin
09:49 < ecrist> that's why I wrote ssl-admin
09:52 < ecrist> one of these days, I need to re-write this script.
09:52 < S7> j_bsdxinu, u can for now use sh
09:52 < ecrist> it currently uses system function to call the openssl program directly, whereas it should be using the perl SSL library
09:54 < S7> cd ~/easy-rsa/2.0/ ; mkdir ./keys/ ; touch ./keys/index.txt ; echo 01 > ./keys/serial ; sh ; . vars ; ./pkitool --initca ; ./pkitool --server server
09:55 < S7> it's very awkward, but somehow worked at the end
09:57 < ecrist> ah, openssl.cnf is missing some things in the current port
09:58 < ecrist> I'll make available an updated version shortly and submit a pr to get the port updated.
10:00 < j_bsdxinu> S7, so thats how you can make it work with 'sh'
10:01 < ecrist> q
10:03 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection]
10:05 < ecrist> j_bsdxinu: fixed the problem.
10:06 < ecrist> I'll submit the PR shortly (takes a few days to update a port in freebsd repo), but you can download the one file that needs to be fixed at ftp://ftp.secure-computing.net/pub/ssl-admin/openssl.conf
10:06 < ecrist> put that file in /usr/local/etc/ssl-admin
10:06 < j_bsdxinu> ok, great thank you so much
10:07 < ecrist> np
10:15 < ecrist> krzie: hit me when you're around. I'm going to be working on some ssl-admin things today. Namely, build scripts for various OSes and some generic packaging.
10:32 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has joined ##openvpn
10:42 -!- S7 [n=yury@84.108.50.0] has quit []
10:52 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has joined ##openvpn
10:52 < ashley_> !route
10:52 < vpnHelper> ashley_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:08 < ecrist> krzie: your Makefile breaks in freebsd ports build
11:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:43 < j_bsdxinu> ecrist, http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/index.html
11:43 < vpnHelper> Title: FreeBSD Porter's Handbook (at www.freebsd.org)
11:43 < j_bsdxinu> may be of some interest to you
11:45 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has left ##openvpn []
11:53 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has joined ##openvpn
12:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:04 < ecrist> j_bsdxinu: yeah, been there many times.
12:09 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:10 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has joined ##openvpn
12:11 -!- kpoman [n=kpoman@200.181.12.180] has joined ##openvpn
12:11 < kpoman> hello to all guys !
12:12 < kpoman> I am having a very strange problem on a particular linux box openvpn client, but with exactly the same conf on windows it works out of the box.
12:12 < kpoman> On linux, it tries many times to connect, giving TLS HMAC authentication errors (a random amount of times) then connects
12:12 < kpoman> and stays connected
12:15 < kpoman> I get this: TLS Error: incoming packet authentication failed from
12:15 < kpoman> then Fatal TLS error (check_tls_errors_co), restarting
12:15 < kpoman> and this: SIGUSR1[soft,tls-error] received, client-instance restarting
12:16 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
12:16 < bigjohnto> can you have openvpn gui execute a batch script after it completes the connection to a vpn process?
12:17 < kpoman> can someone help me please ? I recompiled openssl, openvpn, both sides, same version of all, and still get it. The problem is sometimes it connects really fast (first try) and others it tries for more than one hour
12:19 < ecrist> bigjohnto: that's a function of OpenVPN, yes.
12:19 < ecrist> the GUI isn't what does it, it's the main binary
12:19 < ecrist> this is defined with --up and --down in your config file
12:20 < ecrist> see the howto for more information
12:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
12:30 < bigjohnto> ecrist thanks :)
12:30 < tjz> any idea beside port 1194 udp ..what other port should i open in my firewall?
12:32 < j_bsdxinu> ecrist, i created a serv cert thanks, by the way at first i try to change all indexes to 01 so it will restart the count but fail each time. once i deleted and re-installed ssl-admin it worked correctly
12:32 < ecrist> um, you don't want to re-start the index counter.
12:33 < j_bsdxinu> yes, i figured that out the hard way :(
12:33 < ecrist> if you do that, and re-use the same certificate, you have duplicate certificate IDs out there, and it's impossible to discretely revoke them.
12:35 < j_bsdxinu> ok, good thing i had only created two which are now deleted from clients then recreated with the new install ;)
12:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:44 < ecrist> j_bsdxinu: it's going to be a bit before I send fbsd pr.
12:44 < ecrist> I've got some major ports building fun to read up on
12:47 < kpoman> any idea about my problem ?
12:47 < kpoman> thank you !
13:02 < ecrist> kpoman: I need logs, please
13:07 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn
13:08 < Kobaz> okay, so what's the proper subnetting for routed (tun) clients
13:08 < Kobaz> i see in the faq that each client gets a /30
13:09 < Kobaz> but with all my setups so far i've only left space for 2 ips per client (the client ip and the server endpoint ip)
13:10 < Kobaz> like 10.1.2.1 is the server, and then i would do "ifconfig-push 10.1.2.3 10.1.2.4" on each client
13:10 < Kobaz> is that proper
13:11 < ecrist> no
13:11 < ecrist> a /30 has 4 ips, not 2
13:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
13:21 -!- rubydiamond [n=rubydiam@123.236.183.158] has joined ##openvpn
13:22 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
13:22 < El_Presidente> hello
13:22 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has quit ["Spare me some sleep, please."]
13:24 < El_Presidente> i have a problem setting up my vpn properly i have my pc 192.168.178.23 my router 192.168.178.1 and my cousins pc that should be allowed to surf on my internet, my pc should be the vpn server since i use a fritzbox and dont want to flash it with an openvpn firmware
13:24 < El_Presidente> this is my server config
13:24 < El_Presidente> http://pastebin.ca/1310252
13:25 < El_Presidente> and here comes my client config
13:25 < El_Presidente> http://pastebin.ca/1310273
13:25 < El_Presidente> the vpn connection builds up
13:25 < El_Presidente> but i cant ping him or he cant ping me nor surf
13:25 < El_Presidente> any suggestions?
13:25 < ecrist> 1) do you have client-to-client?
13:26 < El_Presidente> do i need that if my local pc is just the server ?
13:26 < El_Presidente> and there is just one client
13:26 < ecrist> if you want VPN clients to ping each other, you need it
13:26 < ecrist> and, for the vpn clients to get access to the internet, you need to have a properly configured NAT
13:27 < El_Presidente> okay ...
13:27 < El_Presidente> 1. to client-to-client
13:27 < El_Presidente> server config?
13:28 < ecrist> yep
13:28 < El_Presidente> okay done
13:28 < El_Presidente> so now to the nat
13:28 < El_Presidente> what do i need to do there
13:29 < El_Presidente> i opened port 10000 on my router for my pc to enable the vpn connection
13:29 < El_Presidente> what else do i need
13:29 < ecrist> openvpn doesn't do NAT. for that, you need another piece of software. your gateway may be able to handle that for you.
13:30 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
13:30 < ecrist> if I were you, i'd setup a bridged VPN, rather than routed, and assign IPs from your lan subnet
13:30 < El_Presidente> what gateway?
13:30 < ecrist> then your NAT setup is already done
13:30 < El_Presidente> isnt my config bridged?
13:30 < El_Presidente> because it says that i bridge tap0 with eth0
13:30 < ecrist> oh, yeah it is.
13:31 < ecrist> why are you 'push route 0.0.0.0 0.0.0.0 192.168.178.1'?
13:31 < El_Presidente> dont i need that?
13:31 < ecrist> for what?
13:31 < El_Presidente> 192.168.178.1 is my router to get my pc to internet
13:32 < ecrist> does your setup work?
13:32 < El_Presidente> what setup?
13:32 < ecrist> nevermind
13:32 * ecrist goes away
13:32 < El_Presidente> :(
13:32 < El_Presidente> well my pc is 192.168.178.23
13:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:35 < reiffert> El_Presidente:
13:35 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:35 < reiffert> server.config. remove #
13:35 < reiffert> push "route 0.0.0.0 0.0.0.0 192.168.178.1"
13:35 < El_Presidente> i did that now
13:36 < reiffert> El_Presidente: please show us the script that set's up your bridge
13:36 < El_Presidente> you mean myroute.cmd ?
13:37 < reiffert> You are using dev tap which is for using a bridged setup. Show us how the bridge get's setup on the server side please.
13:37 < El_Presidente> you want the server config?
13:37 < El_Presidente> http://pastebin.ca/1310252
13:37 < reiffert> Your server config is at http://pastebin.ca/1310252
13:38 < El_Presidente> yes ...
13:38 < reiffert> Why are you using "dev tap"?
13:38 < El_Presidente> well i thought its right
13:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:39 < reiffert> El_Presidente: please step back to http://openvpn.net/index.php/documentation/howto.html and reread the parts that are talking about tun vs. tap
13:39 < vpnHelper> Title: HOWTO (at openvpn.net)
13:39 < El_Presidente> kk
13:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:40 < reiffert> El_Presidente: and if you still think that ethernet bridging is best for you, follow the "Ethernet bridging" link
13:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:40 < reiffert> Also check out http://openvpn.net/index.php/documentation/faq.html#bridge1
13:40 < vpnHelper> Title: FAQ (at openvpn.net)
13:41 < reiffert> That faq brings up the differences between routing and bridging.
13:48 -!- Nucular [n=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
13:55 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has quit [Nick collision from services.]
13:55 -!- Nucular is now known as El_Presidente
13:55 < El_Presidente> ok back
13:56 < El_Presidente> reiffert, you were right i forgot to bridge both connections on my pc
13:56 < El_Presidente> now i did
13:57 < El_Presidente> but now i get an error when i try to start the server
13:57 < El_Presidente> Fri Jan 16 20:58:22 2009 NOTE: could not get adapter index for {D0A9BA3A-874F-48
13:57 < El_Presidente> 65-8ACD-6DAB95ECC17C}
13:58 < reiffert> the bridging takes place on the server side.
13:59 < El_Presidente> yes
14:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:01 < El_Presidente> i bridged my tap0 with my lan connection to my router
14:01 < El_Presidente> thats right reiffert ?
14:02 < reiffert> Was it explained like this in the howto?
14:02 < El_Presidente> yes
14:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:02 < reiffert> sounds like windows, try a reboot.
14:03 < El_Presidente> kk
14:03 < reiffert> and remove the redirect-gateway for a while from the server config.
14:04 < reiffert> You can add that later
14:06 < El_Presidente> ok
14:07 < El_Presidente> its really strange that the tap device doesnt go up
14:07 < El_Presidente> brb
14:07 -!- El_Presidente [n=Martin@p5798F5A5.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
14:10 < kpoman> hey guys
14:10 < kpoman> someone knows about HMAC tls problems authenticating ?
14:11 < kpoman> please, need help, is been 1 week trying to diagnose
14:11 < kpoman> recompiling tls, etc...
14:12 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
14:12 < El_Presidente> reiffert, same error
14:13 < reiffert> once again pls
14:14 < kpoman> I have the same bug as this guy had: http://openvpn.net/archive/openvpn-users/2005-04/msg00455.html
14:14 < krzee> !hmac
14:14 < vpnHelper> Title: [Openvpn-users] Just another "Authenticate/Decrypt packet error: packet HMAC authentication failed" (at openvpn.net)
14:14 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:14 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:14 < kpoman> please need somehelp
14:14 < krzee> comment tls-auth to prove it is the real problem or not
14:15 < El_Presidente> reiffert, what once again?
14:15 < reiffert> Paste the error message, maybe someone else already knows about it
14:17 < El_Presidente> ok
14:17 < El_Presidente> it seems openvpn doesnt find the tap device
14:17 < El_Presidente> Fri Jan 16 21:15:44 2009 TAP-WIN32 device [tap-bridge] opened: \\.\Global\{D0A9B
14:17 < El_Presidente> A3A-874F-4865-8ACD-6DAB95ECC17C}.tap
14:17 < El_Presidente> Fri Jan 16 21:15:44 2009 NOTE: could not get adapter index for {D0A9BA3A-874F-48
14:17 < El_Presidente> 65-8ACD-6DAB95ECC17C}
14:19 -!- kpoman [n=kpoman@200.181.12.180] has quit ["Lost terminal"]
14:19 < reiffert> give that a try: Delete the bridge, remove all tap adapters with the help of those shell scripts that came with openvpn (delinterface.bat or similar, have a look in the bin directory), uninstall openvpn and install openvpn once again.
14:19 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has quit ["Leaving"]
14:20 < El_Presidente> reiffert, i think its because the tap device is not in my "ipconfig" anymore
14:20 < El_Presidente> it just shows the bridge
14:21 -!- kpoman [n=kpoman@200.181.12.180] has joined ##openvpn
14:21 < kpoman> krzie: thanks ! I commented tls-auth etc... it works well without tls-auth. However it works well on windows with tls-auth, but not on linux
14:22 < kpoman> I mean the client
14:22 < kpoman> i got all the time HMAC auth errors
14:34 < ecrist> hrm, krzee, you done any upgrades from fbsd 6.3 to 7.1?
14:34 < ecrist> I've got one system now, out of 7 upgraded, that coredumps sshd after the upgrade.
14:43 < krzee> nope
14:44 < krzee> i never upgrade across major versions
14:44 < krzee> ever since fbsd4
14:44 < krzee> i still have that stuck in my head
14:44 < krzee> even tho its much easier than it was from 4 to 5
14:44 < ecrist> 4 to 5 was easy, imho. it was 5 to 6 that blew
14:45 < krzee> either way, nope, i just reinstall
14:46 < krzee> same with osx / windows even
14:46 < krzee> major version upgrades are my excuse for a format
14:48 < bigjohnto> ok something really weird, i have a batch script that runs when openvpn connects, this batch script finds the vpn ip and then sets a variable with that ip address.... what is weird is that whether from the cmd prompt or from the batch script, if the vpn is up and running, the setx command hangs..... once i disconnect the vpn session and the lan connection for the vpn shows as "cable disconnected" the setx command works perfectly..
14:49 < El_Presidente> reiffert, i think the problem is gone now
14:49 < reiffert> El_Presidente: how is that?
14:49 < El_Presidente> i told the tap adapter that its always connected
14:50 < El_Presidente> now i get the connection up
14:50 < reiffert> Ah, so back to ...?
14:50 < El_Presidente> but my cousin has to leave now so i will continue tommorrow
14:50 < reiffert> :)
14:50 < El_Presidente> did you found any other errors i should know?
14:51 < reiffert> Not that I know of any..
14:52 < El_Presidente> ok ty
14:53 < reiffert> welcome
15:28 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)]
15:28 < bigjohnto> ok why does my batch script run before the connection is up?
15:29 < bigjohnto> i have at the end of the config file up script.bat
15:30 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
15:30 < rawDawg> is it possible to use a linksys router as a site to site endpoint with this server?
15:37 < reiffert> Yes it is possible, but you will have to exchange the default linksys firmware by openwrt
15:37 < reiffert> #openwrt
15:39 < ecrist> yes
15:39 < ecrist> DD-WRT
15:40 < ecrist> like reiffert said
15:45 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has joined ##openvpn
15:48 < heirrook> I have been stumbling over a problem for some time now and am looking for advice. I have an openvpn server setup that is on a seperate server behind my wan gateway. The wan gateway controls the 192.168.22.0/24 subnet. My machine my vpn server is on has an ip of 192.168.22.138. The vpn server uses 192.168.10.0/24 for its subnet.
15:49 < heirrook> Currently I am sitting at an ip from subnet of 24.158.0.0/255.255.0.0.
15:49 < heirrook> I can connect just fine to my vpn, I can ping machines fine on 192.168.22.0/24. I can browse the internet fine.
15:50 < heirrook> BUT, I am trying to make it so the hosts.allow config file on a machine on the 192.168.22.0/24 only allows machines from 192.168.10.0/24
15:51 < heirrook> The only thing the hosts.allow will accept, is my current location ip (24.158.) even though i am on my vpn.
15:52 < heirrook> It seems routing is fine because I can ping the 192.168.22.0/24 machines
15:58 < heirrook> I know when I at least browse the internet throught the vpn and go to "whatismyip.com" I get the ip I should the wan gateway on the 192.168.22.0/24 has. Here is my server config file http://pastebin.com/d40840316
16:09 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has quit ["Leaving"]
16:13 < El_Presidente> reiffert, still here?
16:14 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has joined ##openvpn
16:15 < reiffert> El_Presidente: no
16:15 < El_Presidente> ;)
16:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:19 < El_Presidente> im trying with an other pc right now
16:19 < El_Presidente> the bridge seems to work
16:19 < El_Presidente> iam able to ping to the pc
16:19 < El_Presidente> but internet isnt routed over my pc
16:20 < reiffert> !def1
16:20 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:21 < El_Presidente> thats what i have reiffert
16:21 < reiffert> !configs
16:21 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:21 < reiffert> please add ipconfig /all from both, server and client
16:21 < El_Presidente> okay
16:21 < reiffert> as well as route -n print
16:21 < El_Presidente> ok
16:21 < reiffert> (or netstat -nr)
16:23 < El_Presidente> http://pastebin.ca/1310402 server.config
16:24 < reiffert> #
16:24 < reiffert> proto tcp-server
16:24 < El_Presidente> yes ...
16:24 < reiffert> wtf?
16:24 < El_Presidente> shall i use udp?
16:25 < reiffert> either udp or tcp, but not tcp-server
16:25 < El_Presidente> true
16:25 < El_Presidente> i mixed up the line
16:26 < El_Presidente> http://pastebin.ca/1310406
16:26 < El_Presidente> client
16:26 < reiffert> just remove "-server"
16:26 < El_Presidente> yes
16:27 < reiffert> I have no idea how "local" will influence what you are trying to achieve.
16:27 < El_Presidente> i just tested that
16:27 < El_Presidente> if it helps
16:29 < El_Presidente> im getting the routes on my friends pc
16:30 < reiffert> Then be sure to remove local.
16:30 < El_Presidente> i did
16:33 -!- kpoman [n=kpoman@200.181.12.180] has quit ["Lost terminal"]
16:36 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
16:38 < El_Presidente> okay here is the route
16:38 < El_Presidente> http://pastebin.ca/1310415
16:38 < El_Presidente> he cant surf right now
16:39 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has left ##openvpn ["Leaving"]
16:39 -!- heirrook [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
16:40 < El_Presidente> but it seems he is routed to my pc
16:42 < El_Presidente> reiffert, what else do you need?
16:43 < reiffert> get wireshark, let it run on your PC's and have some pinging
16:44 < reiffert> off to bed, n8
16:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
16:45 < El_Presidente> n8n8
17:09 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
17:10 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
17:13 -!- rodpod [i=rod@hick.org] has joined ##openvpn
17:25 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has quit ["Verlassend"]
17:38 -!- mndo [n=mndo@81.84.221.128] has joined ##openvpn
17:41 * ecrist ponders +b for El_presidente
18:09 -!- zmctech_ [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
18:11 -!- heirrook [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has quit [Read error: 110 (Connection timed out)]
18:12 -!- zmctech_ [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has left ##openvpn ["Leaving"]
18:32 < rawDawg> reiffert or ecrist: i have dd-wrt vpn installed
18:33 < rawDawg> how do i configure a site to site vpn between openvpn and dd-wrt?
19:10 -!- zheng [n=zheng@58.33.126.221] has joined ##openvpn
19:14 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
19:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Connection timed out]
20:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
20:22 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
21:32 < rawDawg> bbl
21:33 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"]
22:01 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
22:07 -!- zheng [n=zheng@58.33.126.221] has quit ["Leaving"]
22:11 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
23:13 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
--- Day changed Sat Jan 17 2009
00:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
00:11 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
01:00 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
01:33 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
02:03 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
03:34 -!- gallatin [n=gallatin@dslb-092-073-119-118.pools.arcor-ip.net] has joined ##OpenVPN
04:03 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
04:15 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
06:06 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 145 (Connection timed out)]
06:18 -!- gallatin [n=gallatin@dslb-092-073-119-118.pools.arcor-ip.net] has quit ["Client exiting"]
06:35 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
07:12 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-
07:12 -!- Netsplit over, joins: troy-
07:12 -!- troy- [n=troy@worldnet.tauri.ca] has left ##openvpn []
07:12 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
07:56 -!- S7 [n=yury@84.108.50.0] has joined ##openvpn
08:20 -!- mndo [n=mndo@81.84.221.128] has quit [Connection timed out]
08:40 -!- S7 [n=yury@84.108.50.0] has quit []
08:47 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
10:30 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
10:40 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
10:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:00 -!- o[80 [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
11:11 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
11:24 -!- uncorq [n=corq@214.139.204.68.cfl.res.rr.com] has joined ##openvpn
11:28 < rawDawg> i want to set up multiple site to site vpns, one end point being openvpn server, the others will all be dd-wrt routers
11:28 < ecrist> sounds fun
11:28 < rawDawg> possible?
11:33 < ecrist> sure, why not?
12:02 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
12:06 -!- hkais [n=dpalic@p50816DE3.dip.t-dialin.net] has joined ##openvpn
12:06 -!- hkais [n=dpalic@p50816DE3.dip.t-dialin.net] has left ##openvpn []
12:08 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
12:18 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
12:37 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has left ##openvpn ["Leaving"]
12:43 -!- uncorq [n=corq@214.139.204.68.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
13:04 -!- robert_ [n=hellspaw@objectx/robert] has quit [Remote closed the connection]
13:07 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit [Read error: 104 (Connection reset by peer)]
13:10 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:13 -!- pkemx [n=pkemx@62.24.239.184] has joined ##openvpn
13:19 < pkemx> hello
13:20 < pkemx> I'm trying to install OpenVPN on Fedora but am having trouble understanding all the different terminology
13:20 < pkemx> Currently I'm getting the error:
13:20 < pkemx> Cannot load certificate file /etc/openvpn/keys/mfed.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
13:23 < pkemx> when using `service openvpn start`
13:30 < pkemx> !route
13:30 < vpnHelper> pkemx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:31 -!- intralanman [n=lanman@va-71-0-84-19.dyn.embarqhsd.net] has joined ##openvpn
13:47 -!- nn [n=irc@white.powder.nn2.us] has left ##openvpn []
13:55 -!- pkemx [n=pkemx@62.24.239.184] has quit [Read error: 60 (Operation timed out)]
14:02 -!- pkemx [n=pkemx@62.24.239.184] has joined ##openvpn
14:09 -!- pkemx [n=pkemx@62.24.239.184] has quit []
14:42 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has joined ##openvpn
14:43 < hiptobecubic> Can someone explain to me the theory behind the last routing step on the openvpn static key mini howto? I don't understand what's going on there.
14:43 < hiptobecubic> !route
14:43 < vpnHelper> hiptobecubic: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
14:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:09 < hiptobecubic> but does that work with a static vpn? i just tried 'pushing' and i didn't see a change in my routing table on the client
15:50 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"]
16:46 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
17:03 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-
17:03 -!- Netsplit over, joins: troy-, troy-
17:04 -!- troy- [n=troy@worldnet.tauri.ca] has left ##openvpn []
17:04 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
17:07 -!- [aaron] [i=Aaron@74-130-89-132.dhcp.insightbb.com] has joined ##openvpn
17:10 -!- intralanman [n=lanman@va-71-0-84-19.dyn.embarqhsd.net] has quit [Read error: 110 (Connection timed out)]
17:43 -!- Maguila [n=Tu_Padre@189.173.115.160] has joined ##openvpn
17:49 -!- Maguila [n=Tu_Padre@189.173.115.160] has left ##openvpn []
17:50 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
17:59 < reiffert> moin
18:04 < ecrist> hey, reiffert
18:05 < ecrist> freebsd is kicking my ass today
18:05 < ecrist> lost my entire saturday to system upgrade problems
18:05 * ecrist is standing in a data center as he types this.
18:05 < ecrist> :(
18:08 < reiffert> Moin ecrist, how r u?
18:09 < reiffert> FBSD Upgrade problems? How's that?
18:10 < ecrist> have a host that didn't upgrade right, about ready to punt and reinstall the whole thing
18:11 < ecrist> it won't even boot
18:11 < ecrist> and this isn't my first rodeo
18:13 < reiffert> "didnt upgrade right" .. ?
18:15 < ecrist> did a source upgrade for a system, jails won't start, PAM stack is fubar.
18:15 < ecrist> I've done 10 out of 35 upgrades so far. 8 went smooth. the last two, PAM stack won't use LDAP correctly, and one of the two, just flat out won't boot into multi-user.
18:20 < [aaron]> eww! bsd!
18:21 < reiffert> PAM foobar sounds nice
18:22 < reiffert> what about it?
18:22 < ecrist> /mode +b [aaron]
18:23 < [aaron]> :)
18:24 < [aaron]> what version are you running?
18:28 < ecrist> 6.3 on some servers, 7.0 or 7.1 on most
18:28 < ecrist> couple old ones around on 4.11
18:31 < [aaron]> :/
18:31 < [aaron]> best of luck with the upgrades mang.
18:34 < [aaron]> not a bsd person, but i know that i hate upgrades of any sort.
18:36 < reiffert> I like Debian for Upgrade just working!
18:40 < [aaron]> heh, I AM a deb guy :)
18:40 < [aaron]> and it works perdy well
19:06 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:13 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit ["Leaving"]
19:13 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
19:41 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:47 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
20:13 -!- Alien_Freak [n=user@38.106.150.41] has joined ##openvpn
21:19 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has joined ##openvpn
21:21 -!- Alien_Freak [n=user@38.106.150.41] has left ##openvpn []
22:20 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"]
22:20 -!- tarbo2 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has joined ##openvpn
22:20 -!- tarbo2 is now known as Guest64229
22:21 -!- Guest64229 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has quit [Client Quit]
22:22 -!- tarbo2 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has joined ##openvpn
23:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Sun Jan 18 2009
00:11 -!- [aaron] [i=Aaron@74-130-89-132.dhcp.insightbb.com] has quit ["Leaving"]
00:31 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:48 -!- kreg_lt [n=kreg@69-92-68-145.cpe.cableone.net] has joined ##openvpn
00:49 < kreg_lt> trying to get a hang of push "dhcp-option DNS x.x.x.x"
00:49 < kreg_lt> when my windows clients connect (tap) they conenct fine with all the routes
00:49 < kreg_lt> they even get the dns ip assigned
00:50 < kreg_lt> but their initial dns query uses the primary dns they already had.
00:51 < kreg_lt> names don't resolve with the internal intranet
01:20 -!- kreg_lt [n=kreg@69-92-68-145.cpe.cableone.net] has quit ["Leaving"]
01:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:52 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has joined ##openvpn
02:28 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
02:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
04:08 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has joined ##openvpn
04:13 < krzee> !factoids search win
04:13 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
04:16 < krzee> !/30
04:16 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
04:16 < krzee> !topology
04:16 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:30 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
06:09 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
06:29 < reiffert> ![!]
06:29 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![[!]]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![][][][!]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![!][!][!][!]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![?][!][!][!]
06:30 < vpnHelper> reiffert: Error: "?" is not a valid command.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: You've attempted more nesting than is currently allowed on this bot.
06:31 < reiffert> !"[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]"
06:31 < vpnHelper> reiffert: Error: "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]" is not a valid command.
07:25 < tjz> ....
07:27 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:13 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
08:15 < ecrist> reiffert: wtf?
08:18 < tjz> lol
08:19 < tjz> he screw up the bot
08:19 < tjz> actually..
08:19 < tjz> sexually abuse the bot
08:19 < tjz> :P
08:19 < tjz> lol
08:53 -!- o[80 [n=oc80z@quad.efnet.pe] has quit []
08:56 -!- hiptobecubic^ [n=john@nateres205.tel.miami.edu] has joined ##openvpn
08:57 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has quit [Read error: 104 (Connection reset by peer)]
09:17 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
11:21 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
12:18 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:58 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
13:29 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has joined ##openvpn
13:29 < Dougy> hey kids
13:29 < Dougy> !form
13:29 < vpnHelper> Dougy: Error: "form" is not a valid command.
13:29 < Dougy> !forum
13:29 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
13:32 < krzee> lol reiffert
13:47 < Dougy> hey hey
13:52 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
13:56 < reiffert> ![[[
13:56 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
14:01 < Dougy> sup reiffert
14:01 < reiffert> ![!]
14:01 < vpnHelper> reiffert: Error: "!" is not a valid command.
14:01 < reiffert> ![form]
14:01 < vpnHelper> reiffert: Error: "form" is not a valid command.
14:01 < reiffert> ![forum]
14:01 < vpnHelper> reiffert: Error: ""forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com" is not a valid command.
14:02 < reiffert> "is not a valid command"?
14:07 < krzee> hehe
14:07 < krzee> well
14:07 < krzee> the output of !forum is what went in to the new command
14:07 < krzee> example:
14:07 < krzee> !learn test1 as this is a test
14:07 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !learn test2 as [test1] for reiffert
14:08 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !test2
14:08 < vpnHelper> krzee: "test2" is "test1" is this is a test for reiffert
14:08 < krzee> !forget test1
14:08 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !forget test2
14:08 < vpnHelper> krzee: Joo got it.
14:20 < Dougy> hmm
14:20 < Dougy> freebsd is pissin me off today
14:39 < reiffert> ![freebsd]
14:39 < vpnHelper> reiffert: Error: ""freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server" is not a valid command.
15:09 -!- hiptobecubic^ is now known as hiptobecubic
16:00 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
16:03 < lonel> hi,is it possible to have openvpn configured without certificate authentication?
16:03 < lonel> like user/pass?
16:05 * plaerzen 's office is a sauna
16:21 < Bushmills> strange place to pick for an office. imagine one wants to hip to the kitchen for a tea - will you have to dress first?
16:21 < lonel> hey
16:22 < lonel> you guys aware of any metods to avoid cert authentication in the client?
16:22 < lonel> *methods
16:22 < Bushmills> hm.. not connecting to the server is one.
16:31 < Dougy> lol
16:55 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has quit []
17:16 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
17:17 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
17:24 -!- andrew867 [n=Andrew@stjhnf0122w-142163129037.pppoe-dynamic.nl.aliant.net] has joined ##openvpn
17:25 < andrew867> hi all, I'm having a bit of trouble configuring openvpn.
I want to create a bidirectional VPN, right now I have it setup and it is working like this: 17:26 < andrew867> my machine/network (server 192.168.0.0/24) ---- NAT --- INTERNET ---- NAT ---- other machine/network (client, 10.0.0.0/24) 17:26 < andrew867> he can ping and access anything on my network but how would we be able to set it up so I can access his network too 17:26 < andrew867> just then I though maybe the client-client setup might work 17:27 -!- thewolf is now known as Groktopus 17:30 -!- Groktopus is now known as thewofle 17:30 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 17:31 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 17:35 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 17:35 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 17:40 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection] 17:50 -!- andrew867 [n=Andrew@stjhnf0122w-142163129037.pppoe-dynamic.nl.aliant.net] has quit ["Leaving"] 18:06 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 18:15 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection] 18:32 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 18:45 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection] 18:47 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:50 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection] 18:51 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [] 19:02 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 19:05 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection] 19:22 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 21:02 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 22:39 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn 22:41 < cylix> so does anyone know. 
Is is reasonable to assume a deticated openvpn server could serve 100 clients at an average of 30Mbits/sec per client. 22:41 < cylix> oh wow that was so wrong. 22:41 < cylix> I mean 3Kbits/sec 22:41 < cylix> Aak, 30Kbits/sec 23:09 -!- Phase [n=Phase@unaffiliated/phase] has joined ##openvpn 23:12 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:40 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection] 23:54 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn --- Day changed Mon Jan 19 2009 00:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection] 00:12 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 00:25 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection] 00:26 -!- cyberjames [n=james@unaffiliated/cyberjames] has joined ##openvpn 00:42 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 00:43 < cyberjames> Hi everyone. I have this kind of network setup {http://rootshell.be/~james/network/networksetup.jpg}. Is it possible to make openVPN to run on different network segment like 192.168.2.0/24 under in one ethernet interface card only and all connected clients be able to reach the 192.168.1.0/24? 
00:44 < cyberjames> !route
00:44 < vpnHelper> cyberjames: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:44 < cyberjames> !configs
00:44 < vpnHelper> cyberjames: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:57 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit ["good night"]
01:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
01:16 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:20 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
01:32 -!- Phase [n=Phase@unaffiliated/phase] has quit [Read error: 104 (Connection reset by peer)]
01:33 -!- Phase [n=Phase@unaffiliated/phase] has joined ##openvpn
01:33 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)]
01:34 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:38 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
02:17 < lonel> hi
02:17 < lonel> is it possible to set up openvpn without certificates on the client side?
02:19 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:20 < hiptobecubic> lonel, static key?
02:20 < hiptobecubic> but then you can only have one client i think
02:20 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
02:22 < lonel> hiptobecubic: so multiple clients are not possible with ovpn
02:22 < lonel> using simple user/pass?
02:23 < hiptobecubic> lonel, no. but it's pretty easy to set up.
02:23 < hiptobecubic> !static-key
02:23 < vpnHelper> hiptobecubic: Error: "static-key" is not a valid command.
02:23 < hiptobecubic> !static
02:23 < vpnHelper> hiptobecubic: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
02:23 < hiptobecubic> hmmm
02:23 < hiptobecubic> !howto
02:23 < vpnHelper> hiptobecubic: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:24 < hiptobecubic> lonel, http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
02:24 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
02:51 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
03:07 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:07 < c64zottel> hello
03:07 < c64zottel> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
03:07 < c64zottel> inet addr:10.23.0.1 P-t-P:10.23.0.2 Mask:255.255.255.255
03:07 < c64zottel> what is the meaning of P-t-P:10.23.0.1 ?
03:07 < c64zottel> aehm: 10.23.0.2
03:07 < c64zottel> i know, 0.1 is my server
03:07 < c64zottel> when i connect, via ovpn, i get a random ip-address from a pool, so what does P-t-P:10.23.0.2 stand for?
03:16 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:36 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
03:52 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:55 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
04:01 < c64zottel> dumdidum
04:11 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:15 -!- dazo [n=dazo@nat/redhat/x-b537f1a7f630183a] has joined ##openvpn
04:15 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
04:27 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:30 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
04:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:00 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
05:07 -!- svoop [n=svoop@80.121.221.87.dynamic.jazztel.es] has joined ##openvpn
05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:09 < svoop> is it possible to use openvpn to connect to a sonicwall vpn (ipsec/ike)? i'd go for opens/wan, but the hosting provider doesn't allow anything but userspace tools.
05:10 < dazo> svoop: nope ... openvpn can only talk to openvpn :(
05:10 < svoop> dazo: hmmm, too bad
05:11 < dazo> svoop: I know ... but it's using its own protocol ... but that's why it's easier to implement and use compared to ipsec/openswan/etc
05:12 < svoop> dazo: ic. well, the only alternative i see is vpnc, maybe i have more luck there :-)
05:13 < dazo> svoop: hmmm ... I think you will hit the same with vpnc, just that's using Cisco's proprietary protocol .... but here I might be wrong, as I don't know much about vpnc
05:15 < svoop> dazo: gosh, i start to hate these virtuozzo servers. it's so limiting if you can't even use kernel modules on guest servers - and many providers are reluctant to help. on my gentoo box, i'd have the vpn up and running with opens/wan in minutes :-(
05:17 < dazo> svoop: Well, the biggest difference between ipsec/openswan ... is that it requires kernel modules, as that implementation needs to do things in kernel space to work .... while openvpn uses user space only, which is (IMHO) why openvpn is safer and simpler ... and when you chroot and make openvpn run as an unprivileged user, you'll have a very different security layer, compared to those products depending on running code in kernel space
05:19 < svoop> dazo: it seems like quite a difference, though, that opens/wan does talk to hardware vpn endpoints while openvpn doesn't
05:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:22 < dazo> svoop: I don't know all the gory details about ipsec ... except that it really needs to have parts in kernel space .... which freaks me out, as if a bug appears or a security breach ... you'll be in a pretty bad shape ... that's why I do like that openvpn can rely on user space (even though it does need the tun/tap module to create the virtual interface)
05:22 * dazo needs to go for lunch .... back in an hour
05:39 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
05:40 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
05:53 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
05:59 -!- c64zotte2 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
06:05 * dazo is back
06:08 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
06:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:13 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
07:10 < ecrist> morning, bitches
07:10 < c64zotte2> ecrist: nice to hear that from e-crist
07:11 < ecrist> don't know what that means.
07:12 < c64zotte2> ah, i always think of christ when i read your name
07:14 < reiffert> moin ecrist little suck0r!
07:17 -!- svoop [n=svoop@80.121.221.87.dynamic.jazztel.es] has left ##openvpn []
07:28 < ecrist> I'm a nice guy, c64zotte2, but I'm not *that* nice
07:31 < c64zotte2> damn, i thought i could ask you a favor... like lottery numbers for next week
07:32 < ecrist> sure 3, 6, 422
07:32 < ecrist> good luck
07:34 < c64zotte2> ok, now i believe it, cause lottery has 6 numbers plus a special one
07:55 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn
07:55 -!- kaii [n=kai@ciphron.de] has quit [Read error: 104 (Connection reset by peer)]
08:07 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:47 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
08:48 < robert_> can I override my settings in my server's openvpn.conf by specifying a client configuration file?
08:49 < ecrist> um, maybe
08:49 < ecrist> what are you trying to override?
08:49 < robert_> the address it assigns you
08:49 < ecrist> no
08:49 < ecrist> you can't do that
08:50 < robert_> yeah, it's assigning me a 10.2 address when it should be assigning me a 10.4 address
08:50 -!- doke [n=me@84-73-166-158.dclient.hispeed.ch] has joined ##openvpn
08:50 < ecrist> well, fix it on the server
08:51 < doke> hello people
08:51 < ecrist> hello other people
08:51 < robert_> that was why I asked "can you override the address openvpn assigns you when you connect by specifying said override inside the client-specific config?"
08:51 < doke> Any howto on authenticating openvpn client via username / password? I can't use ca authentication any more because some of my clients can not adjust their time via ntp... therefore ca doesn't work
08:52 < robert_> okay
08:52 < ecrist> robert_: ah, you mean from on the server - yes, you can do whatever you want. though, it needs to be routable
08:52 < robert_> yeah
08:52 < robert_> can I assign you different dhcp subnets by specifying said proper configuration parameters?
08:53 < robert_> e.g. two people connect to my server
08:53 < robert_> one gets a 10.3 address, and the other, a 10.4 address
08:53 < ecrist> doke, you are *required* to use ssl certs with OpenVPN if you have more than a server and one client
08:53 < ecrist> robert_: sure
08:53 < ecrist> it's covered in the howto
08:53 < ecrist> !hotwo
08:53 < vpnHelper> ecrist: Error: "hotwo" is not a valid command.
08:53 < ecrist> !howto
08:53 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:53 < doke> thanks a lot ecrist
08:53 < robert_> I'm trying, but it's not working
08:53 < robert_> oh
08:54 < robert_> can I "ifconfig-push 10.8.1.1 10.8.1.0" ?
08:55 < ecrist> um, no
08:56 < robert_> how do I make the server assign two people different dhcp subnets?
08:56 < dazo> doke: you might want to have a look at http://www.eurephia.net/ as well
08:56 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
08:56 < ecrist> robert_: look at the howto
08:56 < ecrist> what you're asking is covered there.
08:58 < ecrist> dazo: nice link
08:58 < dazo> ecrist: my little side project ... a work in progress :)
08:59 < robert_> ecrist, "Configuring client-specific rules and access policies" only covers static addresses, and "Pushing DHCP options to clients" doesn't cover dhcp ip assignment from openvpn itself
08:59 < ecrist> dazo: LDAP support?
09:00 < ecrist> what you're asking, if I understand correctly, cannot be done
09:00 < robert_> for him, or for me?
09:00 < ecrist> you'd have to run multiple OpenVPN servers, varying the port
09:00 < dazo> ecrist: hmmm ... not at the moment ... but I see why not, I have had that thought as well ... but I'm not big friends with LDAP yet
09:00 < ecrist> you, robert_
09:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:01 < ecrist> dazo: I'm a friend of LDAP, if you need some input
09:01 < robert_> so it's static or nothing
09:01 < ecrist> robert_: in your case, probably, unless you went bridged and did something with a DHCP server on the host system
09:02 < ecrist> dazo: added a link to http://www.secure-computing.net/wiki/index.php/OpenVPN
09:02 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
09:02 < dazo> ecrist: I'm not sure how big the difference will be to "twist" the SQL queries over to LDAP queries ... that's probably the biggest challenge
09:02 < ecrist> dazo: LDAP != SQL, they are very different beasts
09:03 < dazo> ecrist: thanks for the link! .... but eurephia is spelled with "small e" ;-)
09:03 < robert_> heh
09:03 < robert_> euphoria's a strange language :P
09:03 < ecrist> dazo, fixed
09:04 < dazo> ecrist: I know ... that's why it needs quite some tuning here ... but as the db-driver in eurephia does not take queries but rather "commands" of what to check, it should be possible to write a separate LDAP driver
09:04 < dazo> ecrist: thanks! :)
09:06 < ecrist> why'd you have to patch OpenVPN?
09:07 < dazo> ecrist: because I map user accounts (username / passwords) against a specific SSL certificate .... and to do that in a safe manner, I use the SHA1 fingerprint in the certificate ... and that's not provided by default
09:07 < ecrist> why can't you use the CN?
09:08 < dazo> ecrist: actually, it uses CN, O, emailAddr and fingerprint ....
09:08 < ecrist> !static
09:08 < vpnHelper> ecrist: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
09:08 < ecrist> !static-key
09:08 < vpnHelper> ecrist: Error: "static-key" is not a valid command.
09:09 < ecrist> !lears static-key as http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
09:09 < vpnHelper> ecrist: Error: "lears" is not a valid command.
09:09 < ecrist> !learn static-key as http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
09:09 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:09 < ecrist> GRR
09:09 < ecrist> krzee: fix my access to the bot, please
09:09 < reiffert> ![greee]
09:09 < vpnHelper> reiffert: Error: "greee" is not a valid command.
09:09 < reiffert> ![static]
09:09 < vpnHelper> reiffert: Error: ""static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client" is not a valid command.
09:09 < reiffert> !["static"]
09:09 < vpnHelper> reiffert: Error: ""static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client" is not a valid command.
09:10 < reiffert> ![!static]
09:10 < vpnHelper> reiffert: Error: "!static" is not a valid command.
09:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
09:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
09:19 < plaerzen> morning irc
09:19 < ecrist> heya, plaerzen
09:19 < plaerzen> how was the weekend?
09:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:20 < ecrist> doke: take a look at http://openvpn.net/index.php/documentation/manuals/openvpn-21.html, search for client-cert-not-required on that page
09:20 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
09:24 < ecrist> dazo: looking briefly at the code in 2.0.6, it appears as though the key fingerprint, and other data, is available for client certificates upon connection.
09:25 < dazo> ecrist: In 2.0.6? .... yeah, it is there ... but not passed over to the plugin .... so my patch takes the fingerprint and passes it over to the plugin via environment variable
09:26 < dazo> ecrist: I've seen there's been some changes lately to the environment variables in rc15 ... but I have not dug too deep here yet ... if it has come in, this patch will not be needed
09:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:27 < dazo> ecrist: anyway, I've done this now strictly 2.1 .... as the names on some env. variables have changed since 2.0
09:28 * dazo hopes there are no old references to 2.0 left
09:36 -!- Phase [n=Phase@unaffiliated/phase] has quit []
09:38 < krzie> !man
09:38 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:38 < krzie> ecrist lazier link to the manuals ;]
09:38 < krzie> and good morning
09:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:45 < reiffert> reiffert: !man
09:48 < plaerzen> g'morning krzie
09:49 < reiffert> vpnHelper: !man
09:49 < vpnHelper> reiffert: Error: "!man" is not a valid command.
09:49 < reiffert> That bot's driving me crazy!
09:49 < reiffert> !learn bot as vpnHelper sucks0rs!
09:49 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:49 < reiffert> !factoids.learn foo as bar
09:49 < vpnHelper> reiffert: Error: "factoids.learn" is not a valid command.
09:50 < krzie> vpnHelper man
09:50 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:50 < krzie> dont need ! when you address him by name
09:50 < reiffert> vpnHelper: [man]
09:50 < vpnHelper> reiffert: Error: ""man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!" is not a valid command.
09:50 < reiffert> :p
09:51 < krzie> !learn reiffert as wo[man]
09:51 < vpnHelper> krzie: Joo got it.
09:51 < krzie> !rei
09:51 < vpnHelper> krzie: Error: "rei" is not a valid command.
09:51 < krzie> !reiffert
09:51 < vpnHelper> krzie: "reiffert" is wo "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:51 < krzie> lol
09:52 < krzie> !forget reiffert
09:52 < vpnHelper> krzie: Joo got it.
09:53 < reiffert> Alright, so how's that grep command using []'s again?
09:53 < reiffert> !configs
09:53 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:54 < krzie> its not
09:54 < krzie> i got around that
09:54 < reiffert> grep -vE '^[#;]'
09:54 < reiffert> jay, how's that?
09:54 < krzie> right
09:54 < krzie> by making the regex not use []
09:55 < krzie> it can to simplify it, but doesnt need to
09:55 -!- W0rmFood [n=wormfood@219.134.136.50] has joined ##openvpn
09:56 < reiffert> Ah well, but using []'s would make so much fun if the bot would allow so.
09:56 < W0rmFood> is it openvpn, or x-wrt, that is making it a god damn pain in my ass to forward ports?
09:56 < krzie> openvpn cant have anything to do with that
09:56 < reiffert> W0rmFood: this is #openwrt, so please go to #x-wrt or #dd-wrt
09:56 < W0rmFood> I don't run dd-wrt
09:56 < reiffert> Well then it's your fault.
09:57 < krzie> this is #openwrt?
09:57 < dazo> reiffert: is this #openwrt .... I need to rejoin #openvpn
09:57 < reiffert> krzie: it's not?
09:57 < W0rmFood> god damn. wrong channel
09:57 < W0rmFood> I do use openvpn
09:57 < W0rmFood> but I don't have problems with it ;)
09:57 < reiffert> and your openvpn question is?
09:57 < krzie> he was asking if it was openvpn's fault
09:58 < krzie> right answer is no
09:58 < W0rmFood> no
09:58 < W0rmFood> I said wrong channel
09:58 < reiffert> Yeah, this is #openwrt!
09:58 < reiffert> Like I said, wrong channel.
09:58 < krzie> if this is #openwrt i need to reconfigure my bot
09:58 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jpalmer
09:58 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
09:58 * dazo is getting confused
09:59 < reiffert> The plan starts working...
09:59 < plaerzen> SA's aren't too bright.
09:59 * dazo wonders who that one was aimed at ......
09:59 < reiffert> bright SAturdays?
09:59 * plaerzen nods.
10:00 < reiffert> Well, it's Wednesday!
10:00 < krzie> lol
10:00 < krzie> if its wednesday i need to reconfigure my calendar
10:00 < plaerzen> I thought it was hanukah
10:00 * krzie reconfigures his life
10:00 < reiffert> A Hanumag?
10:01 < plaerzen> Is the hanumag responsible for my routing of bad packets?
10:01 < reiffert> plaerzen: doh!!! It's already march, hanukah is over!
10:02 < reiffert> http://en.wikipedia.org/wiki/Hanomag
10:02 < vpnHelper> Title: Hanomag - Wikipedia, the free encyclopedia (at en.wikipedia.org)
10:02 * dazo wonders if my clock is correct?
10:03 -!- pegasos-rider [n=pegasos-@79.143.9.142] has joined ##openvpn
10:03 < reiffert> W0rmFood: it's all pegasos-rider's fault!
10:04 < plaerzen> lol. Silliness, back to troubleshooting groupware.
10:04 < reiffert> egroupware?
10:04 < plaerzen> communigate
10:04 < W0rmFood> no, it is my fault
10:04 < W0rmFood> I'm a fuckup
10:05 < reiffert> plaerzen: use their support?
10:06 < plaerzen> reiffert, I could. But it's a simple problem. Someone just isn't receiving mail from a whitelisted (mailwatch) sender. Probably just accidentally deleted it or something
10:06 < reiffert> Ignore him.
10:06 < reiffert> Problem solved.
10:07 < ecrist> building PR now for ssl-admin updates
10:07 < plaerzen> just uninstall outlook. Problem solved.
10:07 < reiffert> And implement and reinvent the shared file folders of egroupware and/or horde for me.
10:08 < reiffert> Ah, a brand new porsche museum in Stuttgart!
10:09 -!- pegasos-rider [n=pegasos-@79.143.9.142] has quit [Excess Flood]
10:10 -!- pegasos-rider [n=pegasos-@79.143.9.142] has joined ##openvpn
10:11 < lonel> hi i asked this before
10:12 < reiffert> And our previous answer was?
10:12 < lonel> like ovpn can accept client logins using user/pass except for certificates
10:12 < lonel> reiffert: :)
10:12 < lonel> answer was kind of no
10:12 < lonel> reiffert: is that possible?
10:12 < reiffert> lonel: Your question does not parse, please explain.
10:13 < ecrist> lonel: you were in here as someone else, right?
10:13 < ecrist> doke: take a look at http://openvpn.net/index.php/documentation/manuals/openvpn-21.html, search for client-cert-not-required on that page
10:13 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
10:13 < lonel> reiffert: normally what we do is, issue the client cert to clients to login, instead of that using user/pass
10:13 < lonel> ecrist: aah ok, let me look at that
10:13 < lonel> ecrist: no i didnt
10:13 < lonel> same nick only
10:14 < pegasos-rider> Could somebody prompt if message digest algorithm change has effect before the TLS handshake is done?
10:14 < reiffert> ecrist: interesting mind you have ... parsing stopped for me after the 2nd word.
10:14 < dazo> lonel: you want to only have username/password auth without SSL certs?
10:15 < lonel> exactly
10:16 < dazo> lonel: you can use static key ... and probably the auth-pam module .... that should give you that feature ...
10:16 < lonel> dazo: cool, so can i use ldap as well
10:16 < lonel> ?
10:17 < dazo> lonel: if you find a ldap auth-plugin for openvpn, yes
10:17 < ecrist> there's one in freebsd ports
10:17 < lonel> oh cool
10:17 < lonel> this world is nice
10:17 < lonel> :)
10:17 < ecrist> there's an auth-pam module you can use, part of the openvpn distribution in sample-scripts directory - if your ldap is authenticated through PAM
10:17 < reiffert> Gimme that drugs!
10:18 < dazo> lonel: but on the other side ..... I would recommend you to reconsider not using SSL key/certs ...
10:18 < lonel> dazo: i use it myself for years, and i never bothered to look for any other authentications
10:18 < lonel> but this client wants that :)
10:19 < dazo> lonel: well, it's more prone to getting hacked if the static key file gets "stolen"
10:19 < lonel> yeah :(
10:21 < dazo> lonel: and if noticed ... it'll be quite a job to distribute new static keys .... Well, if your client only has 2 users it's not so risky, as its easy to have the overview .... but if he got 30-40 users or more, it'll be a nightmare
10:22 < reiffert> dazo: Take a look at openvpn web gui, I can click and get a working config, all required keys together in a zip file and there you go
10:23 * dazo do not use Windoze ..........
10:23 < reiffert> That zip and config part got to be implemented yourself, but it's worth it.
10:23 < reiffert> dazo: tar or whatever you like
10:24 < dazo> reiffert: I don't follow you at all .... are you talking about redistributing keys?
10:25 < reiffert> dazo: yep
10:25 < dazo> reiffert: if you are .... anyway, it'll just be more hassle than to just revoke one SSL certificate and create a new one
10:25 -!- W0rmFood is now known as WormFood
10:25 < reiffert> when you click "revoke" the cert is added to the crl (cert revoke list) automatically
10:26 < reiffert> dazo: when you click "new cert" you enter some details like common name, after that you can click "zip" and get a working config file together with all the required keys that a client will need
10:26 < dazo> reiffert: the VPN connection will be useless for all other users in the time before the new static.key gets distributed to all users
10:26 < ecrist> reiffert: that's the kind of stuff ssl-admin does.
10:26 < reiffert> ecrist: have a look at openvpn web gui
10:27 < reiffert> dazo: pardon, one static key for 40 users?
10:27 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:27 < reiffert> ecrist: it would be nice to combine ssl admin with openvpnwebgui
10:27 < dazo> reiffert: that was what lonel was asking about (but he didn't mention # of users)
10:28 < reiffert> Alright!
10:29 < dazo> reiffert: I'm paranoid enough .... I'm using openvpn over udp with static key, SSL certs and user/pwd authentication
10:36 -!- W0rmF00d [n=wormfood@219.133.100.202] has joined ##openvpn
10:41 < krzie> reiffert, agreed
10:41 < krzie> a nice lil lan-only web based gui with all ssl-admin features would be pretty cool
10:42 < dazo> krzee: ssl-admin is perl, isn't it? .... embedded web server in Perl maybe?
10:44 < reiffert> php
10:44 < reiffert> at least what openvpn web gui need
10:44 < reiffert> s
10:51 -!- WormFood [n=wormfood@219.134.136.50] has quit [Read error: 110 (Connection timed out)]
10:55 -!- W0rmF00d [n=wormfood@219.133.100.202] has quit [Read error: 113 (No route to host)]
11:00 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Connection timed out]
11:05 < reiffert> Anyone living in the .us who can give me a fast proxy for http://www.fox.com/fod/play.php?sh=twentyfour
11:05 < vpnHelper> Title: FOX on Demand (at www.fox.com)
11:05 < reiffert> ?
11:07 < ecrist> sorry, not I
11:09 < cyberjames> strange, the client is not properly assigned subnet mask and default gateway under windows xp...
11:09 < cyberjames> !route
11:09 < vpnHelper> cyberjames: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:21 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has joined ##openvpn
11:21 < assasukasse> hello everyone, i am having some issues in starting openvpn
11:21 < assasukasse> i get this error: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
11:23 < krzie> dazo, yup its perl
11:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
11:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:26 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
11:26 < bigjohnto> anyone know how to stop a batch script from popping up the cmd window when starting openvpn connection? myconn_up.bat
11:26 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
11:27 -!- dazo is now known as dazo_gone
11:38 < SgtPepperKSU> Is there any word on whether there will be a 2.1rc16? Or is 2.1 final expected next?
11:38 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:38 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
11:39 < ecrist> I don't know, sorry.
11:39 < ecrist> assasukasse: looks like your SSL certificate doesn't exist.
11:39 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:46 < reiffert> SgtPepperKSU: check the mailinglist archives for that ...
11:47 < reiffert> SgtPepperKSU: (there will be another rc)
11:50 -!- c64zotte2 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Client Quit]
11:51 < assasukasse> ecrist: i fixed it, i dunno why it was not generated the first time.. strange
11:54 < bigjohnto> anyone on that cmd window issue?
11:55 < ecrist> bigjohnto: google that.
11:56 < ecrist> it's not really an openvpn question, more a windows scripting question
11:57 < cyberjames> !config
11:57 < vpnHelper> cyberjames: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
11:57 < cyberjames> !config server.conf
11:57 < vpnHelper> cyberjames: Error: 'supybot.server.conf' is not a valid configuration variable.
11:57 < cyberjames> !config server
11:57 < vpnHelper> cyberjames: Error: 'supybot.server' is not a valid configuration variable.
11:58 < ecrist> !configs
11:58 < cyberjames> !configs
11:58 < vpnHelper> cyberjames: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:58 < bigjohnto> ecrist alright, thanks anywho
12:06 < reiffert> !config time
12:06 < vpnHelper> reiffert: Error: 'supybot.time' is not a valid configuration variable.
12:06 < reiffert> !config autoreconnect
12:06 < vpnHelper> reiffert: Error: 'supybot.autoreconnect' is not a valid configuration variable.
12:06 < reiffert> !config auto*
12:06 < vpnHelper> reiffert: Error: 'supybot.auto*' is not a valid configuration variable.
12:07 < reiffert> vpnHelper: help supybot
12:07 < vpnHelper> reiffert: Error: There is no command "supybot".
12:09 < lonel> whu user/pass type auth using open vpn is vulnerable? ssh is also user/pass?
12:09 < lonel> *why
12:10 < reiffert> lonel: says who?
12:12 < lonel> reiffert:
12:12 < lonel> < dazo> lonel: and if noticed ... it'll be quite a job to distribute new
12:12 < lonel> static keys .... Well, if your client only has 2 users it's
12:12 < lonel> not so risky, as its easy to have the overview .... but if he got
12:12 < lonel> 30-40 users or more, it'll be a nightmare
12:12 < lonel> sorry for that
12:14 < reiffert> dazo_gone: ?
12:15 < lonel> hehe
12:16 < lonel> actually what hemeant?
12:16 < lonel> *he meant
12:16 < lonel> in open vpn are we not going to use a user/pass manually.. rather it is stored in a key file
12:16 < lonel> ?
12:16 < reiffert> no
12:16 < lonel> i am talking about --client-cert-not-required
12:17 < lonel> reiffert: ?
12:17 < reiffert> I have no idea bout that, sorry 12:21 < bigjohnto> alright, i specify --route-up "C:\program files\mydir\script.bat" 12:21 < bigjohnto> but it only tries to execute c:\program, and leaves the rest how come? 12:23 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has left ##openvpn ["I ♥ Debian"] 12:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)] 12:45 < ecrist> lonel: what's your question about that options? 12:45 < ecrist> bigjohnto: you need to escape the space in program files 12:46 < ecrist> so, do C:\\program\ files\\mydir\\script.bat" 12:46 < ecrist> or, "C:\PROGRAM~1\mydir\script.bat" 12:46 < ecrist> again, non-openvpn stuff 12:47 < lonel> ecrist: why it is unsecure if i am using login/pass..its pretty same with that of ssh if it uses keybd auth? 12:49 < ecrist> it's less secure than user/pass+certs 12:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:02 < lonel> which one 13:10 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 13:13 < ecrist> lonel: just user/pass authentication is less secure than user/pass with certs 13:30 -!- doke_ [n=me@84-73-166-158.dclient.hispeed.ch] has joined ##openvpn 13:40 -!- doke [n=me@84-73-166-158.dclient.hispeed.ch] has quit [Read error: 110 (Connection timed out)] 14:10 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)] 14:11 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 14:11 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 14:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:16 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 14:17 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn 14:19 < suprsonic> push "route " should push a route to the client correct? 
14:22 -!- xattack [i=xattack@132.248.108.239] has quit [] 14:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:49 -!- kaii_ [n=kai@ciphron.de] has left ##openvpn [] 14:49 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 14:52 < kaii> what could be the reason for a random failure in key RE-negotation (Symptom: key negotiation failed to occur within 60 seconds)? 14:52 < kaii> it fails 1/3 or 1/2 of the time .. (default: 3600 sec re-neg time) 14:52 < kaii> the tunnel works fine for an hour or two, then key re-neg fails and a SOFT RESET occurs 14:53 < kaii> OpenVPN 2.0.9 i386-unknown-openbsd4.3 14:53 < kaii> ^^ 14:56 < ecrist> krzie/others: I've submitted a PR for freebsd/ssl-admin 14:56 < ecrist> update to current version in SVN 15:26 -!- test [n=test@h697179-171.picriverisp.net] has joined ##openvpn 15:26 < test> anyone know if you can push a metric value with openvpn to a windows machine? 15:27 < reiffert> You cant. What you can do is have a client connect batch file do whatever it takes on the client side. 15:27 < test> k 15:28 < suprsonic> what about pushing a route? 15:28 < test> when mobile machine connects to internal network the metric forces the traffic through vpn.. it's still quick but a lot of encryption and forwarding for nothing 15:28 < reiffert> suprsonic: what about it? 15:28 < suprsonic> link is up, but server didn't put a route to the client 15:28 < suprsonic> push 15:28 < test> openvpn rocks 15:29 < test> but what stops someone from stealing the certs off the computer and throwing it on another? 15:29 < reiffert> suprsonic: are your sentences related to test? 15:29 < suprsonic> nah, new one 15:29 < reiffert> test: the cert password. 15:29 < suprsonic> push "route " should push a route to the client correct? 15:29 < reiffert> test: 15:29 < reiffert> !howto 15:29 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 15:29 < test> i tried that but how do you auto vpn with openvpn service? 15:30 < reiffert> suprsonic: amazingly yeah! 15:30 < suprsonic> netstat -r on the client system doesn't yield a new route. 15:30 < reiffert> test: what is it you want, security or encryption or both? 15:30 < test> for domain machines I like to have openvpn running when the system boots.. 15:30 < suprsonic> its a tunnel 15:31 < reiffert> suprsonic: have fun: 15:31 < reiffert> !configs 15:31 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:31 < reiffert> !logs 15:31 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:31 < reiffert> I'm off for TV 15:32 < test> encryption is security for me.. just need to be aware that stolen certs might occur 15:35 < test> the traffic is layer 2 and have mac addresses in the frames? 15:35 < test> even though you can spoof a mac can you build an acl based on mac addresses? 15:40 < suprsonic> oddly enough the documentation is correct, but my scenario is still wrong. 15:43 < test> what are you trying to do 15:44 < test> are you bridging? 15:44 < suprsonic> just a simple tunnel between server and client 15:45 < suprsonic> client connection isn't applying the push route from the server. 15:48 < test> check the log to make sure the connection was successful 15:49 < suprsonic> oh its successful, I can ping the other side 15:49 < suprsonic> can ssh too 15:49 < test> and if you add the route manually it works? 15:49 < suprsonic> yes 15:49 < test> check your versions 15:49 < test> the windows version is the same as the linux version? 
15:49 < suprsonic> all freebsd 15:49 < test> oh 15:49 < suprsonic> freebsd to freebsd 15:50 < test> the route command maybe differs than 15:50 < suprsonic> ah 15:50 < test> google "openvpn push freebsd problem" 15:50 < test> or something 15:51 < test> might be a problem because of that if-up scripting architecture in linux distro's 15:52 < test> when the interface goes up a bunch of scripts run in linux 15:55 < suprsonic> I can add the route to the client config 15:55 < suprsonic> but apparently I can't push it from the server 15:55 < suprsonic> odd 16:09 < test> not enough of a pro to tell you why 16:09 < test> just started using openvpn the other day between debian and windows 16:09 < test> gotta go 16:09 -!- test [n=test@h697179-171.picriverisp.net] has left ##openvpn [] 16:32 < dvl> suprsonic: http://www.freebsddiary.org has the docs I wrote for getting my stuff running. Sample configurations. 16:32 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org) 16:32 -!- thewofle is now known as thewolf 16:33 < suprsonic> you the owner of freebsddiary.org? 16:35 < dvl> Yes 16:37 < suprsonic> well, I personally want to thank you for providing me with a wealth of information on FreeBSD. You've been a great resource for me. 16:37 < dvl> Thank you. Send $. Thanks. ;) 16:38 < dvl> Some of it is getting dated (for older versions), but I still use some of the articles on a regular basis, such as /makeworld-script.php 16:38 < suprsonic> have you seen growth in the community based off of hits on the website? 16:39 < dvl> http://www.freebsddiary.org/stats/ 16:39 < vpnHelper> Title: Usage Statistics for freebsddiary.org - Last 12 Months (at www.freebsddiary.org) 16:39 < dvl> I'm not sure if I have stats for previous years easily to hand. 
16:39 < dvl> Oh yes: http://www.freebsddiary.org/stats/usage_200201.html 16:39 < vpnHelper> Title: Usage Statistics for freebsddiary.org - January 2002 (at www.freebsddiary.org) 16:40 < dvl> hits per day in 2002 was 9127 16:40 < dvl> in 2009, it's 23515 16:40 < suprsonic> awesome 16:40 < suprsonic> donations coming in? 16:41 < dvl> freshports.org 114475 in 2009 16:41 < suprsonic> oh you host freshports also? 16:42 < suprsonic> I looked at your openvpn post and its exactly what Im doing, but apparently Im still doing something wrong. 16:42 < dvl> In 2003 for freshports, it was 40258 16:42 < suprsonic> cause the route isn't showing up. 16:42 < dvl> suprsonic: Yes, I wrote FreshPorts. 16:42 < dvl> Few donations come in. :) 16:43 < dvl> The ad revenue generates enough cash to pay for gasoline. 16:43 < suprsonic> rofl 16:44 < suprsonic> I even placed the push at the end of the config like you have it in case that was the cause. 16:44 < dvl> restarted? 16:44 < suprsonic> yup 16:44 < dvl> Dunno 16:47 < suprsonic> it must have to do with it being a point to point tunnel 16:47 -!- Andry [n=na@host233-16-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 16:53 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 16:59 < dvl> Try my entire config. 
17:05 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn 17:22 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has quit [] 17:33 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:53 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit [Read error: 131 (Connection reset by peer)] 17:55 -!- eliasp [n=quassel@78.43.213.203] has quit [Remote closed the connection] 17:58 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 18:01 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)] 18:02 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 18:14 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn 18:15 < test> anyone else get bad source ip address errors with just a peer to peer setup? 18:28 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has left ##openvpn [] 18:39 -!- d0wNsYs [n=d0wNsYs@c-98-219-111-129.hsd1.fl.comcast.net] has joined ##openvpn 18:40 < d0wNsYs> can anyone answer a quick question? 18:41 < d0wNsYs> Options error: --server and --secret cannot be used together (you must use SSL/TLS keys) 18:41 < d0wNsYs> get that when trying to start openvpn 18:46 < krzie> !sample 18:46 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:48 < krzie> thats how you use --server 18:49 < krzie> --secret is for a ptp setup where you use ifconfig on both sides 19:07 < d0wNsYs> so when i make the shared.key i shouldnt use the --secret option 19:28 -!- tomfmason [n=tom@unaffiliated/tomfmason] has joined ##openvpn 19:35 < tomfmason> I am trying to forward all client connections through the server and am having some issues. My configs are http://pastebin.com/m7672da21 . I can connect to the vpn server fine but if I try to change the default gateway on the client I lose my main connection. 
19:49 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection] 20:22 -!- o[80 [n=oc80z@quad.efnet.pe] has quit [] 20:23 -!- Clearwolf [i=48567912@gateway/web/ajax/mibbit.com/x-302e5b312dc5bddf] has joined ##openvpn 20:24 -!- Clearwolf [i=48567912@gateway/web/ajax/mibbit.com/x-302e5b312dc5bddf] has left ##openvpn [] 20:43 -!- d0wNsYs [n=d0wNsYs@c-98-219-111-129.hsd1.fl.comcast.net] has quit ["Leaving"] 20:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 21:15 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn 21:26 * cyberjames strange... After restarting the openvpn service, the host xen can't able to reach from the guest system. 21:31 < cyberjames> !logs 21:31 < vpnHelper> cyberjames: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 21:40 -!- lfaraone [n=LukeFara@ubuntu/member/lfaraone] has joined ##openvpn 21:41 < lfaraone> Hi, I built a open VPN tunnel and am able to connect, now how cna I route all of my outbound traffic throug the tunnel rather than unencrypted via the normal eth0? 21:43 < tomfmason> ifarone: push "redirect-gateway def1" 21:44 < tomfmason> on the server and redirect-gateway on the client 21:45 < tomfmason> I am a complete newb so I would keep that in mind if you follow any of my advice :P 21:46 < tomfmason> I am trying to do the same thing and the issue I am having now is DNS not being pushed to clients 21:49 < lfaraone> tomfmason: I'm thinking this is a routes problem. Maybe I should respeficy: I'm trying to create a route to do that. 21:53 -!- rodpod [i=rod@hick.org] has joined ##openvpn 21:54 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 21:56 < tomfmason> lfaraone not sure if it will help any but here is my simple client/server config http://pastebin.com/m1748ea66 . 
It connects to the vpn fine and sets the default gateway/route but I still haven't quite figured out how to get dns working 21:58 < tomfmason> figure out, even 22:00 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 22:01 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn [] 22:18 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"] 22:23 < tomfmason> anyone awake that can give a few suggestions as to what I may be doing wrong? My config is http://pastebin.com/m5d7b50fe. I am not seeing any errors anywhere but I am not able to resolve anything. I have the output from tcpdump in that paste as well. 22:23 < krzie> !pushdns 22:23 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 22:27 < tomfmason> krzie: I have push "dhcp-option DNS 205.234.170.215" on the server but ipconfig /all on the windows box doesn't show the dns address. Would clearing the cache solve that? 22:27 < krzie> see the link in #2 22:33 < ecrist> evening, bitches 22:33 < krzie> sup man 22:33 < krzie> <-- tired 22:33 < ecrist> me too. going to bed soon 22:33 < ecrist> http://www.freebsd.org/cgi/query-pr.cgi?pr=130754 22:33 < vpnHelper> Title: ports/130754: update to security/ssl-admin (at www.freebsd.org) 22:36 < krzie> nice 22:36 < tomfmason> I don't get it. It appears that the request(when looking at tcpdump) is being sent but I never get a reply to my pings on the client. 22:36 < krzie> and does the client see pings coming in? 22:36 < tomfmason> That link suggests that I need to clear the cache. I did that but still no change 22:37 < krzie> (tcpdump or R's if using verb 6) 22:37 < krzie> also, first part of topic is a strong possibility 22:37 < krzie> do the pings work by ip? 
22:38 < tomfmason> I can't ping the client from the server but I can ping the server from the client. All other pings from the client time out 22:39 < krzie> firewall 22:41 < krzie> (on the client it sounds like) 23:07 < tomfmason> krzie: you were correct. Well, that was part of the problem. I had the incorrect subnet mask in iptables on the server as well. 23:07 < tomfmason> It is still not setting the dns on the client but I did it manually and it works fine 23:10 < tomfmason> is just push "dhcp-option DNS 205.234.170.215" on the server enough or do I need something on the client side as well? 23:51 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn 23:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 23:57 < lonel> hi got a doubt 23:57 < lonel> my internal network is in the range 192.168.1.0/24 23:57 < lonel> got ovpn server inside 23:58 < lonel> so when a client connects from outside..does he will be assigned by an ip in the range 192.168.1.0/24? 23:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Tue Jan 20 2009 00:04 < lonel> krzee: any idea about tun/bridge interface? 00:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:24 < krzee> lonel, tun isnt bridge 00:24 < krzee> tun is for routed 00:31 < lonel> krzee: thanks 00:31 < lonel> thsi is my question 00:31 < lonel> my internal network is in the range 192.168.1.0/24 00:32 < lonel> so when a client connects from outside..does he will be assigned an ip in 192.168.1.0/24? 00:32 < lonel> i am using tun interface? 00:50 -!- WormFood [n=wormfood@58.60.118.83] has joined ##openvpn 00:50 < krzee> !howto 00:50 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 00:51 < krzee> im really tired so im not gunna walk you through it much 00:51 < krzee> but reading the howto will greatly help you 00:51 < krzee> !man 00:51 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 00:51 < krzee> manual is GREAT reference 00:52 < krzee> short answer, client should get a lan ip private to the vpn (sample configs use 10.8.0.0/24) 00:52 < krzee> !sample 00:52 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 00:52 < krzee> theres some samples from me 00:52 < krzee> and if you plan on connecting a lan on any side of the vpn to communicate through the vpn see this: 00:52 < krzee> !route 00:52 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 00:52 < krzee> goodnight =] 00:56 < reiffert> Moin moin 01:03 < lonel> krzee: thanks 01:03 < lonel> let em read all those 01:08 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 01:33 -!- WormFood [n=wormfood@58.60.118.83] has left ##openvpn ["Leaving"] 01:33 < lonel> hi 01:33 < lonel> my internal network ,which is running ovpn server is 192.168.64.0/24 01:40 < lonel> and the clients network is in 192.168.1.0/24 01:40 < lonel> and this is my ovpn config 01:40 < lonel> server 192.168.0.0 255.255.255.0 01:40 < lonel> push "route 192.168.64.0 255.255.255.0" 01:40 < lonel> push "route 192.168.1.0 255.255.255.0" 01:40 < lonel> route 192.168.1.0 255.255.255.0 01:41 < krzee> !route 01:42 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:42 < krzee> i made a detailed writeup with everything you need to know for that goal 01:42 < krzee> reiffert, moin 01:42 < lonel> krzee: yeah i tried the same 01:42 < lonel> let em check 01:42 < krzee> also 01:43 < krzee> you dont wanna use 192.168.0.0 most likely 01:43 < krzee> unless there 
will never be mobile clients 01:43 < krzee> cause thats such a common subnet 01:44 -!- dazo_gone is now known as dazo 01:45 < lonel> krzee: do i need to mention iroute in client config 01:45 < lonel> ? 01:45 < krzee> dont skim my writeup 01:45 < krzee> read it fully 01:46 < krzee> !forget route 01:46 < vpnHelper> krzee: Joo got it. 01:46 < krzee> !learn route as http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 01:46 < vpnHelper> krzee: Joo got it. 01:51 < lonel> krzee: working on it 01:56 < lonel> krzee: 01:56 < lonel> Tue Jan 20 08:58:08 2009 vais/69.93.37.142:2807 SENT CONTROL [vais]: 'PUSH_REPLY,route 192.168.64.0 255.255.255.0,route 192.168.1.0 255.255.255.0,route 192.168.0.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.0.10 192.168.0.9' (status=1) 01:56 < lonel> looks like the route added 01:56 < krzee> you wont have users connecting from other lans? 01:57 < krzee> like possibly a laptop? 01:57 < krzee> (out roaming around for example...) 01:57 < lonel> yes the server i am working on is a remote one 01:57 < krzee> i see you are connecting 2 lans... 01:57 < lonel> oh my bad 01:57 < krzee> will you also connect from outside of them? 
01:58 < krzee> or just connecting them 01:58 < lonel> krzee: sec,i will be back 01:58 < krzee> [03:46] also 01:58 < krzee> [03:46] you dont wanna use 192.168.0.0 most likely 01:58 < krzee> [03:47] unless there will never be mobile clients 01:58 < krzee> [03:47] cause thats such a common subnet 01:59 < lonel> sure i will change it 01:59 < krzee> if you ever try to connect from a lan using 192.168.0.0 you will not be able to connect to the vpn right 01:59 < krzee> it would break routing 01:59 < lonel> i will look into it,and i made a mistake in push,my server subnet is not 192.168.64.0/24 01:59 < lonel> it is 192.168.168.0/24 01:59 < lonel> i am changing it,and gonna connect again 02:02 < lonel> MULTI: bad source address from client [192.168.1.2], packet dropped 02:02 < lonel> i guess i am on the track now 02:02 < lonel> :) 02:02 < krzee> ya except i think you didnt fully read my doc still 02:02 < lonel> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/. 02:02 < lonel> where is that? 02:03 < krzee> whereever you make it... 02:03 < lonel> in the client or server? 02:03 < lonel> let me figure it :) 02:03 < krzee> IT SAS 02:03 < krzee> SAYS 02:03 < krzee> second sentance 02:04 < krzee> well, first sentence rather 02:05 < lonel> client-config-dir 02:05 < lonel> what is ccd then? 02:05 < krzee> !man 02:05 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 02:05 < krzee> look at --client-config-dir 02:06 < lonel> sec 02:09 < lonel> oh in the server di i need to create a directory,in that it should contain a file with cn as that of the client? 02:09 < lonel> and need to specify iroute their? 
02:09 < lonel> do i* 02:09 < krzee> right 02:12 < lonel> krzee: i got an issue here.i am using pam auth here 02:12 < lonel> not certificates 02:12 < lonel> so how should i know the name of the client network 02:12 < krzee> in manual see --username-as-commonname 02:12 < lonel> or it dosent matter 02:13 < lonel> ok already got that in my config)copied from somewhere) ;) 02:14 < lonel> krzee: one mre question 02:14 < lonel> my user is lonel 02:14 < lonel> i created a directory lonel 02:14 < lonel> and i created a file called lonel.conf 02:14 < lonel> and put iroute 192.168.1.0 255.255.255.0 02:14 < krzee> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/. 02:14 < krzee> In this example lets assume the client owning the network 192.168.1.0 has a common-name of client1. In ccd/client1 He should have the following: 02:15 < lonel> ok :) 02:15 < krzee> i took a lot of time making that doc nice, i hate when people just skim it 02:16 < krzee> instead of reading to understand 02:17 < lonel> krzee: true 02:17 < lonel> sorry for that 02:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:19 < lonel> krzee: still cant ping 02:19 < lonel> but no errors 02:20 < lonel> SENT CONTROL [lonel]: 'PUSH_REPLY,route 192.168.168.0 255.255.255.0,route 192.168.0.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.0.10 192.168.0.9' (status=1) 02:20 < krzee> what cant you ping 02:20 < lonel> got a web server 02:20 < lonel> in 192.168.168.0/24 02:20 < lonel> on .90 02:20 < krzee> READ MY WHOLE DOC 02:20 < krzee> im leaving 02:20 < krzee> goodnight 02:21 < lonel> so that will help me? 
02:21 < krzee> nothing can help you if you are unwilling to read 02:21 < krzee> pay someone to set it up for you maybe 02:22 < lonel> ok got it 02:22 < lonel> ROUTES TO ADD OUTSIDE OF OPENVPN 02:22 < lonel> :)p 02:24 < lonel> krzee: 02:24 < lonel> If this needs clarification ask me about it and I will update this page after discovering how to make it clearer. 02:24 < lonel> :) 02:24 < lonel> help me 02:24 < lonel> b/w changing the ip from 192.168.0.0 02:28 < lonel> krzee: the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work. 02:29 < lonel> soif i add a route to default gateway,,that would work? 02:49 < lonel> ok i need to add a route in the router 02:49 < lonel> to the tunnel's ip 02:56 -!- zug|work [n=zug_work@88.211.97.126] has quit [Read error: 110 (Connection timed out)] 04:04 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 04:14 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:25 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has joined ##openvpn 04:25 -!- doke_ [n=me@84-73-166-158.dclient.hispeed.ch] has quit [Read error: 113 (No route to host)] 04:26 < assasukasse> hi everyone, i wish to know if is possible to assign a fixed ip to a certain client (ie 10.8.0.2 to my client1, 10.8.0.3 to my client 2 and so on) so that it is RESERVED to that client 05:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:20 < assasukasse> anyone? 
05:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 06:13 -!- SURFkees [n=kees@x229.flex.surfnet.nl] has joined ##openvpn 06:13 < SURFkees> Anyone know what's the cause of this: "WARNING: Bad encapsulated packet length from peer (17474), which must be > 0 and <= 1576" 06:20 < assasukasse> hi everyone, i wish to know if is possible to assign a fixed ip to a certain client (ie 10.8.0.2 to my client1, 10.8.0.3 to my client 2 and so on) so that it is RESERVED to that client 06:32 < pegasos-rider> assasukasse: use client-config-dir to specify directory of client-specific configurations, and specify ifconfig-push client_IP peer_IP for each client there 06:32 < assasukasse> pegasos-rider: do u have a guide for that? 06:33 < pegasos-rider> Indeed I do, it's openvpn(8) manual page :) 06:51 < assasukasse> pegasos-rider: i can't find on the website how to get the manual (page 8) 06:56 < pegasos-rider> If you're on some POSIX system, man 8 openvpn will help you :) Otherwise check web site one more time :) 06:57 < pegasos-rider> And by the way, 8 means section of the manual page, not page of some manual, search for client-config-dir and ifconfig-push there instead 06:58 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn 06:58 < dazo> assasukasse: google: man openvpn .... it usually gives a clear hit 07:18 < ecrist> SURFkees: look into the howto and/or man pages and read up on MTU 07:18 < ecrist> oh, and good morning, bitches 07:40 < assasukasse> well i found i have to make a ccd directory and put a file with the name of the machine i want to edit.. 07:40 < assasukasse> is not very clear in the examples i found 07:41 < ecrist> have you read the howto? 07:41 < assasukasse> ecrist: yesser 07:41 < ecrist> it states *exactly* what you have to do. 
07:41 < assasukasse> i configurated everything tru the howto 07:41 < ecrist> so this isn't any 'not very clear' if you read that 07:42 < assasukasse> ecrist: i was reading this part Expanding the scope of the VPN to include additional machines on either the client or server subnet. 07:44 < assasukasse> however i can't find exactly what i need, i found alot about connecting to networks behind the client and such 07:49 < ecrist> :\ 07:49 < ecrist> search the how to for the section called "Configuring client-specific rules and access policies" 07:50 < ecrist> don't know how much more obvious it needs to be 07:52 < assasukasse> ecrist: assuming i have to give the client 1 always the same ip 10.8.0.2. i create a dir /etc/openvpn/ccd and a file inside the dir called client1 and put ifconfig-push 10.8.0.2 10.8.0.1 (where 10.8.0.1 is my server virtual ip?) 07:52 < ecrist> assasukasse: did you read the section I mentioned? 07:52 < assasukasse> ecrist: yes 07:52 < assasukasse> that's why i am questioning u 07:52 < ecrist> ok, then you know the answer to your question is no 07:53 < assasukasse> cuz it says: Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. 07:53 < ecrist> correct 07:53 < ecrist> but the addresses you mention aren't correct 07:53 < ecrist> they list out a bunch of examples. 07:53 < ecrist> right in that section 07:54 < ecrist> each /30 uses 4 IPs, not just two 07:57 < lonel> hey 07:57 < assasukasse> oh i got..so i put ifconfig-push 10.8.0.1 10.8.0.2 and this causes client 1 to take ip 10.8.0.2 07:58 < lonel> hey any one know the name of bridge module in the linux? 07:58 < lonel> add bridge failed: Package not installed 07:58 < assasukasse> and ifconfig-push 10.8.0.5 10.8.0.6 would cause client1 to take ip 10.8.0.5? and what about server. from the client side will still be 10.8.0.1? 07:58 < lonel> i guess in my machine bridge is compiled as module 07:58 < ecrist> lonel, sorry, no, I use a *real* OS. 
;) 07:58 < lonel> which one? 07:59 < lonel> :) 07:59 < ecrist> FreeBSD, lonel 07:59 < ecrist> assasukasse: the 'server' end of the ip addressing is only virtual. the server's IP really remains at .1, but for a /30, you need an endpoint for the PPP connection. 08:00 < assasukasse> ecrist: thanks, i just should first learn what is a /30 :D i will try to find smth on the net 08:01 < ecrist> good luck 08:02 < assasukasse> ecrist: so openvpn is a ppp vpn? is not smth like the ones integrated in the routers (cisco, zyxel)? 08:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:04 < ecrist> assasukasse: no 08:06 < SURFkees> ecrist, I took a look at the tun-mtu option and defined it at both my client and server the same way. Still no luck 08:06 < ecrist> krzee is the expert here, ask him 08:06 < assasukasse> thanks ecrist one last question, is it possible to route all my port 110 25 and 119 tru my server to make it look like it was originating from it? so i can check email from the client wherever i am 08:10 < SURFkees> krzee, any idea? 08:19 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:23 -!- lfaraone [n=LukeFara@ubuntu/member/lfaraone] has left ##openvpn [] 08:26 -!- pegasos-rider [n=pegasos-@79.143.9.142] has quit [Remote closed the connection] 08:39 < ecrist> assasukasse: sure 08:49 < dazo> lonel: I thing the bridging tool is called bridge-utils-*.tar.gz .... and the kernel module I believe is bridge.ko 08:52 < dazo> s/thing/think/ 08:57 < lonel> dazo: worked :) 08:57 < lonel> dazo: when i am starting vridge-start script through ssh console 08:57 < lonel> everything is locked up 08:58 < lonel> and need to reboot teh machine again to make it access thru ssh 08:58 < dazo> lonel: whoops 08:58 < lonel> iptables permissions? 08:59 < dazo> dazo: well ... if I do a wild guess ... I believe it could be that kernel gets confused reg. to the routing between the interfaces and which interfaces sshd is listening to ... 
but I've never tried to start up bridging via ssh 08:59 * dazo goes to a meeting now ... back in an hour 08:59 < lonel> ok 08:59 < lonel> :) 09:03 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn 09:03 < MMN-o> !route 09:03 < vpnHelper> MMN-o: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 09:04 < dazo> lonel: not sure if you've seen this one ... but you might find this one interesting .... http://www.linux.com/base/ldp/howto/BRIDGE-STP-HOWTO/index.html (now I'm really going for meeting) 09:04 < vpnHelper> Title: Linux.com :: Everything Linux and Open Source (at www.linux.com) 09:05 < lonel> dazo: thx 09:25 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn 09:31 < MMN-o> I'm having a curious problem with iptables (I think). I'm forwarding traffic from two external IPs to each internal VPN network on two separate physical machines 09:32 < MMN-o> from what I can tell the two separate machines (arti and gurk) have the same configurations with same openvpn version - but one is Debian (testing) and one is Ubuntu (intrepid server) 09:32 < MMN-o> Urr. gurk is debian lenny, and arti is ubuntu intrepid. 09:33 < MMN-o> [gateway] -> OpenVPN -> arti, gurk 09:34 < MMN-o> arti works fine, with iptables rerouting gateway:8080 to arti-on-vpn:80 09:34 < ecrist> I'd help, if I could, but not a linux guy, sorry. 09:35 < MMN-o> gurk doesn't. Traffic seems to stop at the gateway, but I can access it _from_ the gateway (using vpn IP) 09:36 < MMN-o> ip_forward is off on both arti and gurk, and neither have iptables rules, and they both listen (lighttpd) on 0.0.0:80 and 0.0.0.0:8080 respectively 09:37 < dazo> MMN-o: hold on about an hour, and I'll see if can help you out (I'm in a phone meeting now) 09:37 < MMN-o> the gateway has identical setups (ordinary NAT) with iptables for them, except the external IP. (which are eth0 aliases eth:2 and eth:3 respectively) 09:37 < MMN-o> dazo: Sure. 
09:38 < MMN-o> TUN interfaces by the way 09:38 < MMN-o> Either gurk doesn't accept the traffic through tun0, or gateway doesn't forward correctly. I'm gonna check (again) for overlapping iptables rules 09:44 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has quit [Remote closed the connection] 09:48 < MMN-o> Hm, I found a legacy change that caused gurk not to function. redirect-gateway wasn't activated 09:49 < MMN-o> I'm curious over which route settings I'd have to set to enable this without redirect-gateway 09:50 < MMN-o> Right now I have to move myself physically to another computer which abruptly got disconnected. (openvpn client seems to stop/crash when server is stopped?) 09:55 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has joined ##openvpn 10:08 < dazo> MMN-o: would you mind showing your iptables rules on pastebin (or PM if really needed) ... you replace your public IP addresses with something else (public_1, public_2, etc) 10:08 < dazo> MMN-o: and the same with the route -n 10:09 < dazo> MMN-o: please dump the iptables via the iptables-save command ... easier to parse for me 10:24 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 10:26 < krzee> [10:10] krzee is the expert here, ask him 10:26 < krzee> lol 10:26 < krzee> ecrist, tired? 10:30 < SURFkees> :) 10:31 < krzee> whats the question? 10:32 < SURFkees> MTU problems 10:32 < krzee> lonel, why are you using bridge now? 10:33 < SURFkees> I'll show you a snippet of the logs 10:33 < krzee> SURFkees, did you try --mtutest? 10:33 < krzee> !mtu 10:33 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 10:33 < krzee> --mtu-test i mean 10:34 < SURFkees> I'll give that a shot. The thing is, I've never had problems with MTU's on this line 10:34 < krzee> then why are you changing it? 
10:35 < SURFkees> I'm receiving this error on my client: 10:35 < SURFkees> WARNING: Bad encapsulated packet length from peer (17474), which must be > 0 and <= 1576 10:35 < SURFkees> which then suggests it has something to do with the MTU 10:35 < krzee> !configs 10:35 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:36 < krzee> put mtu-test in the client config 10:36 < krzee> then connect 10:36 < krzee> then post configs 10:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:46 < SURFkees> is mtu-test still useful if I'm running a tcp-server/tcp-client config? 10:48 < krzee> yes, but why would you use tcp? 10:48 < krzee> !tcp 10:48 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 10:48 < krzee> if you're talking about playing with mtu, you should first use --mtu-test 10:48 < krzee> http://www.latimes.com/news/nationworld/nation/la-na-airline-felonies20-2009jan20,0,5468299.story 10:48 < vpnHelper> Title: In-flight confrontations can lead to terrorism charges - Los Angeles Times (at www.latimes.com) 10:49 < SURFkees> DEBUG /usr/sbin/openvpn --config /var/lib/surfids/openvpn.conf --mtu-test --dev tap0 --writepid /var/lib/surfids/tunnel.pid 10:49 < SURFkees> ERROR /usr/sbin/openvpn died with error code 1, see log for details 10:49 < krzee> omg you're using tap AND tcp? 10:49 < krzee> lol 10:50 < krzee> you hate a good connection or something? 
10:50 < krzee> !factoids search tun 10:50 < vpnHelper> krzee: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers 10:50 < krzee> hrm 10:50 < krzee> !factoids search bridge 10:50 < vpnHelper> krzee: 'bridge', 'bridge-dhcp', 'fbsdbridge', and 'bridge-fw' 10:51 < SURFkees> Well, I know I need to use tcp, but what's wrong with tap? 10:52 < krzee> !learn tunortap as you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 10:52 < vpnHelper> krzee: Joo got it. 10:52 < krzee> tap encapsulates ethernet frames over ip 10:52 < SURFkees> Yep, which is what I want 10:52 < krzee> you have a reason for doing that? 10:52 < SURFkees> analyzing layer 2 attacks 10:53 < krzee> gimme an idea of your goal...? 10:53 < SURFkees> we use openvpn to connect our sensors to our server where the detection stuff is located 10:53 < krzee> you plan on detecting arp poisoning from remote instead of locally? 10:53 < SURFkees> basically, a distributed honeypot, in short 10:54 < ecrist> krzee: aye. getting support-burnout, I think 10:54 < SURFkees> yea 10:54 < krzee> haha 10:54 < krzee> ecrist, understandable 10:54 < ecrist> considering ##openvpn hiatus 10:54 < krzee> i was DEFINATELY there yesterday 10:54 < krzee> im gunna be on online hiatus for a little 10:55 < krzee> im headed to usa, brazil, peru 10:56 < krzee> SURFkees, ok so you do want tap 10:56 < krzee> likely not tcp 10:56 < lonel> krzee: hi,i dont have the passowrd for the router to add a ststic route to it 10:56 < krzee> and have you done mtu-test yet, and posted configs to me yet? 10:56 < krzee> lonel, LOL 10:57 < lonel> :) 10:57 < krzee> reset it 10:57 < SURFkees> it doesn't want to let me do the mtu-test 10:57 < SURFkees> Options error: --mtu-test only makes sense with --proto udp 10:57 < lonel> krzee: so no other go? 10:57 < krzee> SURFkees, didnt i already say you should be using udp? 
10:57 < lonel> else need to manually add routing table as per the doc :) 10:57 < SURFkees> http://pastebin.com/m58192235 10:57 < krzee> good job lonel, you actually read the doc this time 10:58 < krzee> i noticed that after i stopped answering questions you started answering them yourself, i thought that could have been from actually reading that doc i spent so much time on 10:58 < lonel> thanks lol :) 10:58 < lonel> krzee: need help 10:59 < krzee> reset your routers pw 10:59 < krzee> and do it the right way instead of trying to use a bridge cause you dont know your routers password 11:00 < krzee> you were finished with the openvpn setup, but decided to start over because of a missing router pw 11:00 < krzee> LOL 11:00 < lonel> hehe :( 11:00 < krzee> go back to how it was after i helped you last night 11:00 < krzee> then reset the router pw (and write it down this time) 11:01 < lonel> because 70 people are working under it 11:01 < lonel> its arouter/modem 11:01 < lonel> dont know teh isp pss as well 11:01 < krzee> theres no way you're the head tech at a company with ~70 people 11:02 < lonel> i am a fighter 11:02 < lonel> :) 11:02 < krzee> like boxing? 11:02 < lonel> kind of..boxing with nterwebs 11:02 < krzee> umm 11:02 < lonel> i know a lot of things,but dont know nothing 11:02 < krzee> whatever thats supposed to mean 11:03 < lonel> i hate reading rtfm 11:03 < plaerzen> ... 11:03 < lonel> oaabama 11:03 < lonel> well krzee 11:03 < lonel> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html#linuxscript 11:03 < krzee> good luck lonel 11:03 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 11:03 < lonel> thanks 11:03 < krzee> you ran out of krzee-help last night 11:04 < krzee> wassup plaerzen 11:04 < lonel> when i execute bridge-start..all my network goes down? 11:04 < lonel> need to reboot he machine to make it right 11:04 < krzee> you shouldnt be bridging anyways 11:04 < plaerzen> krzee, the usual. 
Trying to see if we should use CX4 or glass for our new backbone. 11:04 < krzee> mmmmm glass 11:05 < plaerzen> it's only a 10M run though, glass might be overkill 11:05 < krzee> oh 11:05 < ecrist> but, once it's in, you can upgrade speed easy 11:05 < krzee> how much bw? chance of needing more bw in future? 11:05 < plaerzen> yeah. I've heard some people have had issues with CX4 too. 11:05 < krzee> doh ecrist stole my train of thought ;] 11:06 < plaerzen> 10gbit 11:07 < plaerzen> and it's like a 3G price difference... 11:07 < krzee> thats all? 11:07 < plaerzen> roughly 11:07 < krzee> even after the endpoints for the fiber? 11:08 < plaerzen> they're just modules in our procurves 11:08 < krzee> then dude 11:08 < krzee> worth it! 11:08 < plaerzen> lol I need some more measurable metrics to justify it 11:09 < plaerzen> "krzee off IRC said do it!" 11:09 < krzee> copper you may need to dig it up one day to replace with faster 11:09 < krzee> fiber once its there its there forever 11:09 < plaerzen> I am leaning towards glass though too, for that reason. 11:09 < krzee> (assuming we're talking dark) 11:10 < ecrist> krzee: copper doesn't get 'faster' 11:10 < krzee> when you say krzee said 11:10 < krzee> your boss might say OMG YOU KNOW HIM!? 11:10 < plaerzen> lol 11:10 < krzee> ecrist, ok, to put in more copper 11:10 < ecrist> the only thing that may need to occur is putting heavier-guage wiring in, whereas fibre is fibre 11:11 < ecrist> where copper is < fibre is in throughput capabilities over a distance 11:11 < plaerzen> yeah, I know that part. But it's only 10m between two procurves 11:11 < ecrist> you can push high bandwidth over fibre for hundreds of KM before repeaters are needed, copper not so much 11:11 < krzee> fiber has other benefits 11:11 < plaerzen> even if we buy another floor, we can use one of the procurves as a bridge 11:11 < krzee> but you already know them 11:12 < ecrist> plaerzen: 10 meters? 
11:12 < krzee> miles 11:12 < plaerzen> meters 11:12 < ecrist> oh, do fiber 11:12 < krzee> WHAT!? 11:12 < krzee> lol 11:12 < plaerzen> :P 11:12 < plaerzen> yep 11:12 < ecrist> meters? do copper 11:12 < krzee> ya i was way off 11:13 < krzee> 3g price diff for a 10 meter run 11:13 < krzee> screw that 11:13 < ecrist> don't mess with fibre unless you're going between places in a large building, or between buildings 11:13 < ecrist> and, there's nothing to 'dig up' 11:13 < ecrist> lol 11:13 < krzee> totally 11:13 < plaerzen> yeah we have a core drilled in the cement in our new building between the two server rooms 11:14 < ecrist> distance? 11:14 < plaerzen> on top of each other 11:14 < ecrist> wire-run distance, not crow-fly distance 11:14 < plaerzen> 10meters, tops 11:14 * krzee dumps the core 11:14 < ecrist> oh, copper 11:14 < ecrist> don't fuck with fibre for that 11:14 < krzee> i now agree, coper 11:14 < krzee> copper 11:14 < krzee> i totally thought that was 10 miles 11:14 < plaerzen> yeah, sorry 11:14 < krzee> ie: digging and whatnot 11:15 < krzee> and the other side benefit i like of fiber is lost too 11:15 < ecrist> anymore more than a few hundred yards, you need to do fibre for real connectivity 11:15 < lonel> krzee: any idea why my network goes down..when i start the bridge interface? 11:15 < krzee> (cant tap a fiber line) 11:15 * plaerzen nods. 11:15 < krzee> lonel, 11:15 < krzee> [13:07] you ran out of krzee-help last night 11:15 < lonel> one more chance lol 11:16 < krzee> you're not even doing it right 11:16 < krzee> you shouldnt even be bridging 11:16 < krzee> which i said 2 or 3 times already 11:16 < plaerzen> Well, I need to do a little more digging. I have heard people have connectivity issues with CX4 on even short distances. (not as short as ours, but we have to have 100% confidence it will be ok here) 11:17 < SURFkees> Thanks for the help so far, krzee. 
I'll look into it some more myself tomorrow :) 11:17 < krzee> SURFkees, np, you prolly wanna lose all mtu related stuff in the config 11:17 < krzee> and frag stuff 11:17 < krzee> but since you still didnt post configs i can help more 11:17 < ecrist> plaerzen: any *real* switch can do port trunking, just run 2 or 3 of those connections and trunk the ports 11:18 < krzee> SURFkees, plus you want udp 11:18 < SURFkees> I did krzee, but my time is up now. I'll check again tomorrow 11:18 < plaerzen> ecrist, oh, we have some real switches. 11:18 < krzee> right on SURFkees 11:18 < lonel> why udb? 11:18 * krzee pictures plaerzen in a low rider with hydrolics when he says that 11:18 < ecrist> !tcp 11:18 < lonel> udp even 11:18 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 11:19 -!- SURFkees [n=kees@x229.flex.surfnet.nl] has quit ["Leaving"] 11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:19 < lonel> ecrist: krzee: any idea why my network goes down..when i start the 11:19 < lonel> bridge interface? 11:19 < lonel> :P 11:19 -!- mode/##openvpn [+o lonel] by ChanServ 11:19 < krzee> oh surfkees did post his configs 11:19 < krzee> i missed it 11:19 <@lonel> thanks 11:20 < ecrist> bastard 11:20 < krzee> oh noes 11:20 < krzee> dont ban me! 11:20 <@lonel> more powers more responsibility 11:20 <@lonel> i know that 11:20 <@lonel> hehe 11:20 < ecrist> /kick lonel 11:20 < ecrist> 11:20 -!- ##openvpn You need to be a channel operator to do that 11:20 < ecrist> :( 11:20 -!- mode/##openvpn [+o ecrist] by lonel 11:20 < krzee> hehe 11:21 <@ecrist> /kick lonel muahahah! 
11:21 -!- mode/##openvpn [-o ecrist] by ecrist 11:21 -!- mode/##openvpn [-o lonel] by ChanServ 11:21 < lonel> /mode +v krzee 11:22 < krzee> /devoice krzee 11:22 < ecrist> hah, I was getting +o and you only got +V 11:22 * ecrist > krzee 11:22 < krzee> lol 11:22 * ecrist does a dance. 11:22 < krzee> good point! 11:22 < ecrist> back to work for me. 11:23 < krzee> ecrist, how long til the 3 wise men visit? 11:23 < ecrist> o.O 11:23 < lonel> !help bridgekillsinterface 11:23 < vpnHelper> lonel: Error: There is no command "bridgekillsinterface". 11:23 < lonel> :) 11:24 < krzee> !dontusebridgeforthe5thtime 11:24 < vpnHelper> krzee: Error: "dontusebridgeforthe5thtime" is not a valid command. 11:24 < lonel> ok let me do some googling 11:24 < lonel> thank :P 11:24 < lonel> s 11:24 < krzee> google this: 11:24 < krzee> DONT USE BRIDGE 11:27 < lonel> hehe ok 11:30 < lonel> krzee: why router vpn >> bridged? 11:30 < lonel> s/router/routed 11:30 < krzee> less overhead, easier to setup 11:30 < lonel> apart from that? 11:30 < krzee> you're talking about using ethernet frames over ip just because you forgot the password to your router 11:31 < krzee> you should have the password anyways 11:31 < krzee> fix the real problem 11:31 < krzee> you will have a faster vpn with tun 11:31 < lonel> i see 11:32 < lonel> i will look towards it 11:32 < krzee> !tunortap 11:32 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 11:34 < lonel> oh tap is under layer 2,and tun is using layer3 11:34 < krzee> someone skipped the howto that i linked him to 11:34 < krzee> (shocking) 11:35 < lonel> o_o 11:36 < krzee> but yes 11:36 < krzee> tap is layer2 tun is 3 11:36 < lonel> so ip over ip is tehbest? 11:36 < lonel> the best 11:36 < lonel> tahn frames over ip? 
11:36 < krzee> better than ethernet over ip when you arent tunneling layer2 protocols 11:36 < krzee> for obvious reasons 11:37 < lonel> alright 11:38 < lonel> i will do the stuff related with it using the router after office time 11:38 < lonel> krzee: thanks very much for your time :) 11:38 < lonel> laters 11:38 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn [] 11:39 < krzee> for the record, i started off nice to him 11:47 < assasukasse> is there any GUI for controlling openvpn? like adding or removing clients and settings options 11:47 < dazo> assasukasse: which OS? 11:47 < assasukasse> linux 11:47 < dazo> assasukasse: Do you use NetworkManager? 11:47 < krzee> !ubuntu 11:47 < vpnHelper> krzee: "ubuntu" is dont use network manager! 11:47 < krzee> hehe 11:47 < dazo> assasukasse: there are some plugins for that 11:48 < assasukasse> no i don't use ubuntu nor network manager 11:48 < krzee> theres some php web based gui app 11:48 < krzee> and theres ssl-admin 11:48 < dazo> krzee: Ubuntu used NetworkManager since 7.10 (Gutsy Gibbon) at least .... but I uninstalled it because it was crappy 11:48 < krzee> as for settings, i dont think so 11:48 < assasukasse> im on debian lenny 11:49 < krzee> adding clients = ssl certs 11:49 < assasukasse> uhm... 11:49 < krzee> ssl-admin is nice 11:49 < assasukasse> only for adding clients.. 11:49 < krzee> !ssl-admin 11:49 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 11:49 < bigjohnto> any way to see currently connected VPN users? 11:49 < krzee> management interface 11:50 < krzee> i have no idea how, but it can 11:50 < dazo> bigjohnto: krzee: If you have configured management interface in OpenVPN ... you can basically telnet to the address:port you set up .... and call the "help" command .... 
I believe connections is found by the "status" command 11:51 < krzee> right on 11:51 < krzee> ill play with that some day 11:51 < assasukasse> oh yea i tried the telnet one 11:52 < assasukasse> well, in short openvpn works really well, but i find it not really easy to configure..might be cuz i am not strong in routing stuff 11:52 < dazo> assasukasse: routing can be tricky ... but you can't blame that on OpenVPN unfortunately ;-) 11:52 < krzee> having a problem configuring something specific? 11:54 < assasukasse> actually yes, i am using ssh to tunnel my email and smtp and nntp connection from work to my home server..and it works..but is bothersome, i wish i could simply do with openvpn (just set up a rule on my client to forward port 25 110 119) 11:54 < assasukasse> i fiddled a couple of hours in the config 11:54 < assasukasse> but i am missing smth 11:54 < bigjohnto> krzee, dazo, maybe i should i wrote a script and logged openvpn connections but i would like something more clean 11:54 < krzee> bigjohnto, you could make a web interface to the management interface 11:55 < krzee> in fact the management interface was designed to be used by scripts / external apps 11:55 < bigjohnto> right on 11:55 < krzee> less designed to be used by hand 11:55 < bigjohnto> i guess i got myself a project 11:55 < krzee> assasukasse, im thankful openvpn doesnt handle that stuff 11:55 < dazo> bigjohnto: what's your requirements regarding the security? ... if you want to use both SSL certs and username/password ... you can use the eurephia auth module, which do session logging also to a database (SQLite for the moment) 11:55 < krzee> it lets the os handle things that belong to the os 11:56 < bigjohnto> dazo, can you customize it? add to it? 
11:56 < krzee> and port based routing doesnt really exist, but can be hacked up through firewall rules prolly 11:56 < dazo> bigjohnto: http://www.eurephia.net/ 11:56 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 11:56 < bigjohnto> thanks you have been wonderful 11:56 < dazo> bigjohnto: depends on what you mean with customize 11:56 < krzee> assasukasse, email/smtp/nntp are on the same box? 11:56 < bigjohnto> dazo, own scripts etc.. etc.. 11:57 < bigjohnto> nothing major 11:57 < bigjohnto> i'll play around with it, guess thats the best way to find out 11:57 < assasukasse> krzee: my email provider is pretty bothersome..if i don't connect from my home dsl it doesn't let me send or check email... 11:57 < assasukasse> if i want to check from work i need to tunnel the connection to home 11:57 < krzee> assasukasse, just add routes 11:58 < krzee> route ip netmask 11:58 < krzee> in the config that is on the machine that needs the route added 11:58 < assasukasse> krzee: but route can be limited for ports? 11:58 < krzee> no 11:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:58 < krzee> for ips 11:58 < krzee> it just adds a route the the kernel routing table 11:58 < krzee> you gunna connect to the mail server for something other than mail? 11:58 < assasukasse> nop 11:59 < assasukasse> sending and fetching 11:59 < krzee> then why do you care about the port? 11:59 < krzee> just route to the ip over the vpn 11:59 < dazo> bigjohnto: no, the eurephia do not add anything like that .... 
sounds more like you just want to investigate the --tls-verify or similar hooks 11:59 < dazo> bigjohnto: --learn-address is another hook 12:01 < bigjohnto> dazo thanks :) 12:01 < dazo> bigjohnto: np 12:08 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:12 -!- gnashi [n=gabriel@S0106001346fb1579.vc.shawcable.net] has joined ##openvpn 12:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:16 < gnashi> hello... I have my VPN running just fine - bridging server, linux client - unfortunately it seems that my client's default gateway is being overridden on connect by default. Config is http://pastebin.com/d42806d9c 12:17 < gnashi> I just want the client to have a route to the VPN subnet and to use the VPN's DNS. 12:24 -!- thx2000 [n=efaccou@netblock-75-79-22-139.dslextreme.com] has joined ##openvpn 12:25 < thx2000> Can anyone recomend a download for an OpenVPN GUI that works w/ Vista x64? I've tried just about every version I can find, and they all try to install v8 of the TAP-Win32 driver which I can't get working. 12:27 < gnashi> thx2000: I've had the same problem. No solution yet that I've found. 12:31 < thx2000> I've got it working on one machine...but I installed it a year ago and can't remember what the heck I did 12:31 < thx2000> Definitely don't remember it being this tricky 12:32 < gnashi> hmm. 12:35 -!- gnashi [n=gabriel@S0106001346fb1579.vc.shawcable.net] has quit ["Ex-Chat"] 12:54 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection] 13:05 -!- thx2000 [n=efaccou@netblock-75-79-22-139.dslextreme.com] has left ##openvpn [] 13:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: kaii 14:06 -!- Netsplit over, joins: kaii 14:17 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn 14:18 < fbond> Hi. With certificate-based auth, the OpenVPN server does not allow the same client to connect twice. Will it allow this if I use username & password auth? 
14:18 < fbond> I'd like to use the same credentials from multiple machines. 14:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 14:25 < ecrist> fbond: read the how to 14:25 < ecrist> you *can* allow multiple connections from a single certificate with the duplicate-cn option, but it's not recommended for security reasons. 14:26 < fbond> ecrist: Ah, okay, thanks. 14:28 < fbond> ecrist: That topic doesn't seem to be covered in the howto, but I assume I can simply turn that on and continue using cert-based auth, right? Does this break ifconfig-pool-persist? 14:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:34 < fbond> Nevermind, I see http://openvpn.net/archive/openvpn-users/2005-02/msg00231.html. 14:34 < fbond> Thanks! 14:49 < bigjohnto> :) finished my perl script to email FAILED and Initiated vpn access sessions :) w00t w00t :P 14:59 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:11 < reiffert> Using status file_ 15:11 < reiffert> ? 15:12 < ecrist> fbond: yes, it will break ifconfig-pool-persist 15:16 < bigjohnto> reiffert, nope just regular old open handlers and regular expressions 15:25 < reiffert> handler on what file? 15:25 < reiffert> syslog? 15:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:26 < bigjohnto> reiffert, openvpn.log 15:26 < bigjohnto> i have it doing the logging for openvpn service 15:27 < reiffert> Ah, great! 
15:27 < bigjohnto> this is in in ther server.conf file --> log-append /var/log/openvpn.log 15:28 < bigjohnto> so basically the crond perl script checks every week and then sends of an email and rotates it, 4 rotations 15:29 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has quit ["I \u2665 Debian"] 15:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 15:32 -!- Andry [n=na@host233-16-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)] 15:43 < ecrist> bigjohnto: why not do it more often than once per week? do it real time. 15:50 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has quit [Read error: 145 (Connection timed out)] 16:53 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has quit [Remote closed the connection] 17:07 < bigjohnto> ecrist, ????? via cron? 17:14 < ecrist> what we do at my office is have a perl script which is tail -f the log file, sends notices for failures and keeps a small web applet we've got updated with current connections, etc. for the web applet, we compare current/incoming connection information against the status file to flush out any stale connection data 17:16 < bigjohnto> ah 17:16 < bigjohnto> yea thats a good idea too 17:16 < ecrist> krzee: PR13075 (http://www.freebsd.org/cgi/query-pr.cgi?pr=130754) committed 17:16 < vpnHelper> Title: ports/130754: update to security/ssl-admin (at www.freebsd.org) 17:16 < bigjohnto> but there are only 3 people who vpn here, so that would be overkill :) 17:16 < ecrist> we only have 12 17:17 < bigjohnto> heh guess security would be awesome with that 17:17 < bigjohnto> well thanks, I really appreciate that 17:18 < bigjohnto> I will modify my script to do that, not to many people share ideas these days 17:18 < bigjohnto> maybe make a perlmodule or something for people to use for it 17:18 < ecrist> there you go 17:19 < ecrist> I"m out - time for some beer. 
17:19 < bigjohnto> thanks, and have fun 17:27 < krzie> Severity:serious 17:27 < krzie> it was a good update, but serious? 17:42 -!- Bushmills1 [n=nl@verhau.de] has joined ##openvpn 17:48 -!- Bushmills [n=l@verhau.de] has quit [Nick collision from services.] 17:48 -!- Bushmills1 is now known as Bushmills 18:00 -!- jrk [n=jrk@unaffiliated/jrk] has joined ##openvpn 18:00 < jrk> hi 18:01 < jrk> if I want to have certificate usable only by clients connecting using openvpn I assume that following certificate parameters should be enough to enforce it? 18:01 < jrk> X509v3 Basic Constraints: critical 18:01 < jrk> CA:FALSE 18:01 < jrk> X509v3 Key Usage: critical 18:01 < jrk> Digital Signature 18:01 < jrk> X509v3 Extended Key Usage: critical 18:01 < jrk> TLS Web Client Authentication 18:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 18:06 -!- thewolf is now known as Supotcog 18:07 -!- Supotcog is now known as elongatednipple 18:08 -!- elongatednipple is now known as friedtoe 18:08 -!- friedtoe is now known as sorryiamaknob 18:11 -!- sorryiamaknob is now known as thewolf 18:25 < krzie> anyone here use facebook? 18:25 < krzie> looking to get 5 people to install a FB app my friend made so it can get approved 18:25 < krzie> jrk no idea 19:32 < ecrist> i do 19:33 < ecrist> krzie: just create 5 accounts with throw-away emails 19:49 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:53 < krzie> http://apps.facebook.com/my_files/ 19:53 < vpnHelper> Title: Login | Facebook (at apps.facebook.com) 19:58 < ecrist> what personal data does it pull? 19:58 < ecrist> who is patrick boden? 19:58 < ecrist> sounds familiar 20:13 < krzie> not sure, for all i know it could be my friends name 20:13 < ecrist> lol. 
requires signup on their site, so I opted out 20:15 < krzie> lol 20:17 < ecrist> krzie: ssl-admin is at 1.0.1 in ports tree now 20:18 < krzie> ya i saw =] 20:19 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn 20:20 -!- DPA [n=DPA@89.124.68.18] has joined ##openvpn 20:21 < ecrist> my next big commit I think is going to be to migrate to ssl perl library 20:21 < ecrist> get rid of some of the system calls 20:22 < krzie> ahh nice 20:23 < krzie> why do you depend on zip? 20:37 < ecrist> because of the zip function 20:38 < krzie> lol, right 20:38 < krzie> but how bout tar for no DEPs? 20:38 < ecrist> because windows doesn't do tar 20:38 < ecrist> and, like it or not, there are lots of windows clients out there 20:38 < krzie> oh ya windows 20:38 < krzie> does it do zip by default? 20:38 < ecrist> yep 20:39 < krzie> (i guess so or you wouldnt have said anything bout tar) 20:39 < ecrist> 'splorer can do that 20:39 < krzie> ahh 20:39 < ecrist> it can't zip file up, but it can unzip them, like I unzipped your mom last night. 20:39 < krzie> heh 20:39 < krzie> dude my moms kinda old 20:39 < ecrist> old == experienced 20:40 < ecrist> ;) 20:40 < ecrist> I've had a few. can ya tell 20:40 < krzie> so it was good? 20:40 < ecrist> oh yeah. 20:40 < krzie> lol ya 20:40 < krzie> but its all in fun ;] 20:41 < krzie> besides i was with mrs crist while you were with my mom, so i figure its a fair trade 20:41 < krzie> kinda like swinging, but a lil diff 20:41 < ecrist> of course. gonna read the kid a story and wrestle with my dogs for a bit. 20:41 < ecrist> krzie: did she wear the gimp ball for ya? 20:41 < ecrist> sheh said she was gonna. 
20:41 < krzie> nah but she liked the new vibe cockring 20:42 < ecrist> oh, and your ma said that it's OK with her if the four of us get together, she mentioned something about 'my boy's been in there once before, so nothing too new' or something like that 20:42 < krzie> ya i was in there for like 9mo 20:42 < ecrist> seriously, my ol' lady *LOVES* the vibe cock rings 20:43 < krzie> ya my #1 loves it too 20:43 < krzie> is it wrong i use it with others too? 20:43 < ecrist> of course not 20:43 < krzie> werd 20:43 < ecrist> we share here, so why shouldn't others? 20:44 < ecrist> well, I'm off. tomorrow, man. going to work some serious on ssl-admin in the next couple weeks. 20:44 < krzie> right on, gnite 20:44 < ecrist> a php/perl front end (html) has been suggested. 20:44 < krzie> ooo 20:44 < krzie> would be dope 20:44 < krzie> dunno if ild use it, but it would be liked by many 20:44 < ecrist> gonna get rid of the system() calls, first 20:45 < ecrist> then, maybe for 2.0 20:45 < ecrist> it would be nice to implement a secure certificate file transfer via the ssl-admin package 20:45 < krzie> hrm, its doable 20:45 < ecrist> but, dunno 20:45 < ecrist> more to talk about. 
20:45 < ecrist> l8r
20:45 < krzie> peace
20:52 -!- DPA [n=DPA@89.124.68.18] has quit ["Leaving"]
21:01 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
21:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
21:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:53 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:52 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
23:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
--- Day changed Wed Jan 21 2009
00:17 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 104 (Connection reset by peer)]
00:17 -!- robert__ [n=hellspaw@r-butler.net] has joined ##openvpn
00:55 < reiffert> Moin
00:57 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
00:58 < lonel> hi
00:58 < lonel> any one around?
00:59 < lonel> looking for some one to test the ovpn setup i had here
00:59 < lonel> no burden of certificate based login
00:59 < lonel> just user/pass
01:11 -!- robert__ [n=hellspaw@r-butler.net] has quit [Client Quit]
01:18 -!- neeku [n=neeku@89.165.69.15] has joined ##openvpn
01:31 -!- neeku_ [n=neeku@89.165.65.9] has joined ##openvpn
01:39 < neeku_> hi
01:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:40 < neeku_> i want to use openvpn as a client, so that i can connect to a specified server. what should i do in suse 11.1 for this?
01:40 -!- neeku [n=neeku@89.165.69.15] has quit [Nick collision from services.]
01:40 -!- neeku_ is now known as neeku
01:42 < dazo> neeku: First a really dumb question - You do know you need openvpn on both sides? One on your client side and one on your network/server you want to connect to
01:44 < neeku> dazo: i'm not an expert. in windows i just created a connection, a vpn connection to do this, but in linux i don't know how to do that
01:44 < dazo> neeku: aha ... so you already got a working connection in Windows, is that correctly understood?
01:44 < neeku> dazo: the server is a vpn one and i have the IP and username and password to connect to that
01:45 < dazo> neeku: and you used OpenVPN in Windows as well?
01:45 < neeku> dazo: no, because i could do it just with creating a connection from the network manager
01:45 < dazo> openvpn clients will only work against openvpn servers
01:46 < dazo> neeku: usually you need more than just a username/pwd and IP to get openvpn working ... you usually need some kind of static encryption key and/or SSL certificates in addition to config
01:47 < dazo> neeku: what kind of VPN server are you connecting to?
01:47 < neeku> dazo: well... then let me ask another question. i've got a VPN account (as i mentioned the username, password and the IP). now what should i do in order to connect to that?
01:47 < neeku> dazo: um... i don't really know! just use it to change the IP
01:48 < dazo> neeku: well, I need to know what kind of VPN server you are connecting to ... because if the server you are connecting to is not an OpenVPN server .... the openvpn client will not work, that's guaranteed
01:49 < neeku> oh...
01:49 < dazo> neeku: but if you did create a connection in Windows without installing any programs, just doing network setup with VPN ... I'm guessing you'll need to use the PPTP protocol .... and there are some other Linux clients (which I don't know much about) which support the PPTP protocol ....
01:49 < neeku> then i should ask this from my friend. i really can't understand these VPN issues... :-S
01:50 < neeku> dazo: don't you know the names?
01:50 < dazo> neeku: http://pptpclient.sourceforge.net/ ... this is a simple PPTP client which I would guess is available via the Yast2 software install
01:50 < vpnHelper> Title: PPTP Client (at pptpclient.sourceforge.net)
01:52 < neeku> thanks dazo :) i hope i can do this
01:53 < dazo> neeku: I don't know much about PPTP ... I've tried it once ... and that was 4-5 years ago ... PPTP is not as good or secure as openvpn, and I've been controlling both server and client side, so I could therefore decide what I wanted to use ... but if you only are a client user, go ahead and try this, it might work for you then :)
01:53 < reiffert> neeku: in Windows, did you choose "Automatic", "L2TP" or "PPTP"?
01:54 * dazo didn't think about IPsec ... doesn't that also require certificates to be installed?
01:54 < neeku> reiffert: let me check it in vbox and tell you
01:54 < neeku> i think automatic
01:55 * neeku is checking...
01:57 < neeku> reiffert: there's no such a thing. i go to new connection creation part, then create a VPN account, i enter the IP and then the username and password. that's it!
01:57 < neeku> oh yes, that's automatic in options tab i checked reiffert
01:58 < dazo> sounds like pptp to me ... but I can be pretty much wrong
01:59 < neeku> ok, then let me confirm it with my friend tonight and then come back here
02:05 < dazo> neeku: well, you can try to install pptpclient in your SuSE distro and try to configure it ... if it works, it'll work most probably almost out of the box immediately
02:06 < dazo> neeku: which suse version are you running?
02:06 < neeku> hmm... ok, i'll try that
02:06 < neeku> 11.1
02:08 < dazo> neeku: http://www.l4l.be/docs/server/network/pptpclient.php (in Dutch, but you might manage to catch the different commands being run here and see the screen shots)
02:08 < vpnHelper> Title: PPtP client onder OpenSUSE 11.1 (at www.l4l.be)
02:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:09 < dazo> neeku: even better ... google translated: http://translate.google.cz/translate?hl=en&sl=nl&u=http://www.l4l.be/docs/server/network/pptpclient.php&sa=X&oi=translate&resnum=10&ct=result&prev=/search%3Fq%3Dpptpclient%2Bopensuse%2B11.1%26num%3D100%26hl%3Den%26sa%3DG
02:09 < vpnHelper> Title: Translated version of http://www.l4l.be/docs/server/network/pptpclient.php (at translate.google.cz)
02:09 < neeku> oh thanks a lot dazo :)
02:09 < dazo> what you can't find on google isn't worth finding ;-)
02:42 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
02:42 < joelsolanki> Hi friends
02:42 < joelsolanki> i have a running vpn server. and clients are also connecting.
02:42 < joelsolanki> but one machine which is out of my physical and remote reach is creating a problem.
02:43 < joelsolanki> it says TLS Error: TLS object -> incoming plaintext read error on the client machine.
02:43 < joelsolanki> the same vpn client files are working on my test linux machine without any problem. it is connecting to the vpn server
02:43 < joelsolanki> what could be the problem ?
02:43 < joelsolanki> unfortunately i dont have physical or remote access to this machine:(
02:45 < joelsolanki> any hints plz
02:46 < joelsolanki> on server side it gives below message
02:46 < joelsolanki> Jan 21 08:49:27 lake ovpn-lake[29693]: 59.180.149.206:50707 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity
02:48 -!- jrk [n=jrk@unaffiliated/jrk] has left ##openvpn []
02:51 < joelsolanki> anybody please ?
02:51 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:55 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
04:34 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
04:37 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:48 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
05:30 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
05:39 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
05:47 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:54 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
06:03 -!- neeku [n=neeku@89.165.65.9] has quit [Read error: 104 (Connection reset by peer)]
06:05 < MMN-o> dazo: Regarding my problem yesterday. 'redirect-gateway def1' on gurk enables through-VPN service routing, but disables anything incoming from the LAN
06:06 < MMN-o> dazo: While 'redirect-gateway' only on gurk acts the same as before but also kills existing connections (of course)
06:07 < MMN-o> dazo: And leaving it out altogether simply leaves me with (what I suspect) trying to route the intra-VPN connection through my default (LAN) gateway on gurk.
06:08 < MMN-o> Just mentioning that it's probably not the existing iptables rules at least. However, maybe that's what I have to use to have both VPN and LAN services enabled, or a smart 'route' line.
06:09 < MMN-o> Though I'll most likely be off for the rest of today.
06:11 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
06:11 < dazo> MMN-o: hmmm ... have you also looked into the use of iroute? ... that might be what you need as well
06:12 < dazo> instead of a route option to the client
06:12 < dazo> IIRC ... krzee knows much more about such routing issues
06:26 < MMN-o> I thought iroute was to specify which subnets a client routes to.
06:26 < MMN-o> But perhaps 'iroute [gurk LAN]' and then have the gateway --to-destination [gurk LAN IP]?
06:26 < MMN-o> Hm, I'll look into it and experiment.
06:28 < dazo> MMN-o: you are right ... and I might not have the complete overview over your network setup .... this might be my problem now
07:20 < ecrist> good morning, bitches
07:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:05 -!- MMN-o [n=mmn@barjack.com] has quit ["leaving"]
08:05 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
08:20 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
09:00 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:00 < nadley_> hi
09:01 < nadley_> I would like to know how to connect multiple clients to a vpn server with a shared static key
09:02 < nadley_> actually I can connect 1 client to the vpn server
09:02 < nadley_> but If i want to connect another client I can
09:03 < nadley_> can't
09:08 < dazo> nadley_: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html ... this should get you started
09:08 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
09:19 < nadley_> dazo: thx for the link but I have used it and it explains just how to connect 1 client to the server
09:19 < nadley_> I don't know how to configure the server to allow multiple connections
09:21 < dazo> nadley_: that's easy .... replace the ifconfig in the server config with ifconfig-pool .... and remove the ifconfig from the client config ... that should be all
09:22 < nadley_> oki oki
09:22 < nadley_> thanks
09:22 < dazo> nadley_: np!
09:22 -!- Toinou_ [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:23 < nadley_> just for precision : in client config i have to add "pull" ?
09:23 < dazo> nadley_: no, not at all nothing at all ... just take away the ifconfig line
09:24 < nadley_> oki thx
09:24 < dazo> nadley_: the client will then get the IP automatically from the openvpn server
09:24 < nadley_> oki I try it now
09:24 < dazo> nadley_: On second thought .... you will still need the ifconfig in the server config as well ... my fault
09:25 < nadley_> could you give me an example please
09:25 < nadley_> because I'm a little bit lost now
09:26 < dazo> nadley_: ifconfig 10.8.0.1 255.255.255.0
09:26 < dazo> nadley_: ifconfig-pool 10.8.0.10 10.8.0.100 255.255.255.0
09:26 < dazo> nadley_: as an example for your server config
09:27 < nadley_> oki thx
09:28 < dazo> np
09:28 -!- Toinou_ [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Quitte"]
09:29 < ecrist> dazo: you plan on hanging out in this chan often?
09:30 < dazo> ecrist: it's not carved into stone .... but I see no reason why not to hang out here, not at least as long as I'm actively developing eurephia
09:30 < dazo> ecrist: am I too noisy? ;-)
09:30 < ecrist> pm?
09:33 < nadley_> dazo: when I do the modification and restart the server it fails
09:34 < dazo> nadley_: can you add verb 4 to your config and have a look here? And then maybe put the log data to pastebin?
09:34 < dazo> !pastebin
09:34 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
09:36 < nadley_> dazo : I can't pastebin but I have looked in the log file and the error is : ifconfig-pool requires mode server
09:37 < nadley_> but when I add mode server another error occurs : " mode server requires tls"
09:37 < dazo> nadley_: ahh ... sorry .... just add that into your server config .... mode server
09:37 * dazo is surprised ....
09:37 < dazo> nadley_: I honestly thought it was possible to configure server mode without tls ....
09:37 < nadley_> I hope so
09:38 < ecrist> I don't believe it is possible.
09:39 < dazo> nadley_: I'm sorry, but I think you then need to bite into the TLS apple :(
09:39 < dazo> nadley_: it's not that hard .... and ecrist / krzee have this perl script called ssl-admin which can help you out doing that more easily
09:40 < nadley_> is it just a tls key or with a certificate ?
09:41 < ecrist> nadley_: see http://openvpn.net/archive/openvpn-users/2006-11/msg00030.html for more information
09:41 < vpnHelper> Title: [Openvpn-users] static key mini howto works, but client/server doesn't. version 2.0.9 (at openvpn.net)
09:41 < dazo> nadley_: you'll need 3 files .... a CA certificate, a server key and a server certificate .... the server certificate must be signed by the same CA which signed the CA certificate
09:42 < nadley_> and with a shared key there is no other solution
09:44 -!- Toinou [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:45 < dazo> nadley_: nope, seems so :(
09:46 < nadley_> oki so what do I have to do ?
09:51 < dazo> ecrist: is ssl-admin available as a package for download?
09:52 < nadley_> dazo: with a tls server each client needs his own certificate and key ?
09:53 < dazo> nadley_: for the best security, yes ... but it's not a must ... you can use the same certs and key files on all clients
09:53 < dazo> nadley_: it basically runs down to the wanted security level you want
09:54 < ecrist> dazo, not at this time. I don't have any linux systems to test/build packages.
09:54 < dazo> ecrist: pity ... okey ... then entering SVN mode :-P
09:55 < nadley_> oki dazo i'll test it
09:55 < dazo> nadley_: you'll need SVN installed now .... and then you can run: svn co https://www.secure-computing.net/svn
09:55 < vpnHelper> Title: svn - Revision 38: / (at www.secure-computing.net)
09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:00 < ecrist> dazo, it is in freebsd ports tree
10:01 < dazo> ecrist: hmm ... didn't know ... I'm Linux :-P .... and I believe nadley_ is too?
10:01 < ecrist> yeah, i'll work on it
10:02 < dazo> ecrist: too bad it wasn't just to copy ssl-admin out into bin ... bec of the sed'ing
10:03 < dazo> ecrist: there's a typo in the Makefile ..... SEDCMD -> $SEDCMD ?
10:06 < ecrist> lemme look into it, but I don't think so.
10:06 < ecrist> a lot of what's in svn right now is setup for programmatic builds
10:06 < ecrist> dazo: Makefile in the root?
10:07 * dazo double checks
10:07 < dazo> ecrist: yes
10:10 < dazo> ecrist: there are some more issues as well :-P
10:11 < dazo> nadley_: The good util ssl-admin .... is not in the very best shape right now unfortunately ....
10:12 < ecrist> dazo: it's in great shape, just needs to be configured for linux
10:12 < nadley_> dazo: I'm using the tools included with openvpn
10:13 < dazo> ecrist: you'll need to check in this fix ;-) http://pastebin.com/d55f92f02
10:15 < ecrist> dazo: a bit embarrassing, but svn isn't always current. that fix is already due to be committed.
10:15 < dazo> ecrist: :)
10:15 < ecrist> done.
10:16 < ecrist> re: Makefile - you're seeing an artifact from the FreeBSD ports build process, which hasn't cleanly been merged with our attempts at making the install process more linux friendly.
10:16 < ecrist> a lot of big changes coming for ssl-admin in the next couple weeks.
10:17 < ecrist> I'm going to 1) build a tarball which can be configured, made, and make installed on linux systems
10:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:18 < ecrist> depend management is where I'm uncertain, so I'm going to simply look for perl, and look in common places for the Crypt:SSLeay library.
10:18 < ecrist> not using SSLeay yet, but that's the second big change. getting rid of all the backticks and system() calls, in favor of better perl built-ins
10:19 < ecrist> so, now that I'm at 1.0.1, I'm working on cleaning things up for install, will still be 1.0.x, and 1.1 is going to eliminate those other nasties
10:20 < dazo> ecrist: I oversaw the ./configure script ... when I ran that ... it was very fine!
10:20 < ecrist> that's all krzee's handy work.
10:20 < dazo> heh :)
10:20 < ecrist> oh, last I heard, gentoo was working on a package for ssl-admin, too
10:20 < ecrist> be back in a while
10:20 < dazo> yeah, I've heard that ... I'd love that, as my servers are Gentoo based
10:21 * dazo needs to go shopping and then home .... might get online a little bit later
10:38 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
10:40 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Client Quit]
10:59 < plaerzen> morning folks
11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:24 < nadley_> dazo: I have configured my openvpn server to use TLS but when I connect another client it disconnects the other
11:47 -!- NK` [i=niko@minithins.net] has joined ##openvpn
11:47 < NK`> hi
11:47 < NK`> is it possible to have several clients using the same crt ?
11:54 < cpm> think about it.
11:54 < cpm> in other words, sure, kinda defeats the purpose, but you can, just not at the same time.
11:55 < cpm> certificates identify hosts
11:55 < cpm> that's their job.
11:55 < cpm> folks do it though, or at least, that's what I've read.
12:00 < NK`> ok fine, that's the answer I'd like to hear :)
12:08 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:35 -!- ikevin_ [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
12:46 -!- ozirus [n=caliskan@81.214.150.105] has joined ##openvpn
12:50 -!- ikevin [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has joined ##openvpn
12:50 < ozirus> is it possible to limit an openvpn connection to a time period? i'm trying to integrate openvpn into a reservation system. people will book the remote 'lan' and vpn to it. vpn disconnects when time exceeds
12:52 -!- ozirus1 [n=caliskan@81.214.150.105] has joined ##openvpn
12:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:02 -!- ozirus7 [n=caliskan@81.214.150.105] has joined ##openvpn
13:04 -!- ozirus7 [n=caliskan@81.214.150.105] has left ##openvpn []
13:05 -!- ozirus7 [n=caliskan@81.214.150.105] has joined ##openvpn
13:10 -!- ozirus7 [n=caliskan@81.214.150.105] has quit []
13:13 * plaerzen just got a new server.
13:13 * plaerzen dances.
14:03 < ecrist> plaerzen: gratz
14:07 < plaerzen> ah, thanks.
14:12 < ecrist> what kind of server, and for what?
14:15 < plaerzen> hp DL380: 1(2)P quad core 2.66 ghz, 4(8)dimm 6 gb, 3x72G 15k sas raid 5, 4 gig-e ports - windows 2008 server and communigate groupware
14:16 < plaerzen> esx server with 1 initial guest vm (for win2k8 server)
14:16 < ecrist> sweet
14:17 < ecrist> ozirus1: yes, simply build an SSL certificate, which will expire at the time required, and write a script which checks for connected clients and reboots them at their expiry
14:18 < plaerzen> yeah, it's a cool little machine. downloading esx server right now.
14:23 < ecrist> we got a new server back in November for our backups. I love that box.
14:24 < ecrist> uber fast, lots of storage
14:34 < ecrist> plaerzen: you prefer HP to Dell?
14:34 < plaerzen> So far, it seems ok. All our other servers are dell and they seem meh.
14:34 < ecrist> meh?
14:34 < plaerzen> One of them even randomly pops a drive out of raid on reboot
14:35 < ecrist> weird
14:35 < plaerzen> They're OK. But we haven't run this hp server yet. The front panel is more informative, that's for sure.
14:35 < ecrist> I've got lots of Dell, love them. We explored HP for this last purchase, but their online pricing sucks, so I didn't bother.
14:35 < plaerzen> We just have a vendor we use.
14:36 < ecrist> ah
14:36 < plaerzen> I call them and say "Get us a quote on a HP DL380 with the following specs - blah blah - But use your judgement, if something has a better price point, get that instead"
14:36 < plaerzen> And we get decent deals.
14:53 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
15:36 -!- Toinou [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Quitte"]
15:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:45 -!- ozirus1 [n=caliskan@81.214.150.105] has quit []
16:45 -!- ozirus [n=caliskan@81.214.150.105] has quit []
16:52 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has left ##openvpn []
16:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
16:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
17:05 -!- SanityInAnarchy [n=Sanity@76-76-225-199.lisco.net] has joined ##openvpn
17:10 < SanityInAnarchy> It typically takes anywhere from 10 to 30 minutes to establish a connection. Usually hangs after "Initial packet from ", then retries after tls-timeout, until I get lucky and it works.
17:11 < SanityInAnarchy> What settings should I look at? I know this particular network is slow and unreliable, however, this is the norm, even over very fast connections.
17:13 < krzie> check out #2
17:13 < krzie> !mtutest
17:13 < vpnHelper> krzie: Error: "mtutest" is not a valid command.
17:13 < krzie> err
17:13 < krzie> !mtu
17:13 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
17:14 < SanityInAnarchy> MTU on which interface? I know the VPN itself is using 1500.
17:16 < SanityInAnarchy> I'm not on Windows.
17:16 < krzie> #2
17:16 < krzie> (#2)
17:16 < krzie> you can just use --mtu-test on the client as well
17:17 < SanityInAnarchy> If this is the issue, would the actual connection be slower?
17:18 < krzie> wanna argue or test it?
17:18 < krzie> seems like a waste of time to talk about it instead of trying it
17:18 < SanityInAnarchy> No, I want to understand it.
17:18 < krzie> well test it, then understand based on results of test
17:19 < krzie> im not saying it IS your problem
17:19 < krzie> im saying test it
17:19 < krzie> and since testing it requires 1 line addition to 1 config, i dont see why you wouldnt
17:20 < SanityInAnarchy> Probably worth testing anyway -- I just found something
17:20 < SanityInAnarchy> I'd set tls-timeout absurdly high.
17:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:25 < SanityInAnarchy> Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
17:26 < krzie> ok so thats good
17:26 < krzie> did the thing you found help you?
17:26 < krzie> if not,
17:26 < krzie> !configs
17:26 < SanityInAnarchy> Yes.
17:26 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:26 < krzie> oh ok cool
17:26 < SanityInAnarchy> I had tls-timeout 120
17:26 < SanityInAnarchy> I'm not really sure what I was thinking
17:27 < SanityInAnarchy> The MTU test looks useful, though. Is the idea that the tunnel MTU should be <= the actual MTU?
17:34 < krzie> its for settings internal to openvpn
17:35 < krzie> --mtu / --fragment stuff
17:35 < krzie> but with yours dont adjust that
17:35 < SanityInAnarchy> Ah.
17:35 < krzie> becomes useful over ppp / sat links and whatnot
17:35 < SanityInAnarchy> That's probably why I had this setting, actually -- I had borrowed a satellite connection
17:36 < krzie> i dont think the tls-timeout woulda helped much on the sat connection, mtu and frag woulda prolly been more useful
17:36 < krzie> but *think* is the main word there
17:38 < SanityInAnarchy> Well, I think the idea was that 2 seconds was nowhere near enough time to complete the tls auth
17:38 < SanityInAnarchy> Nor the default 60 seconds enough time for the handshake
17:38 < SanityInAnarchy> In both cases, it worked, more or less, once I had a connection
17:41 < krzie> well the important part is problem solved ;]
17:43 < SanityInAnarchy> Yep. Actually switched over to it already...
17:43 < SanityInAnarchy> I like to run a screen'd irssi on the server
17:48 -!- SanityInAnarchy [n=Sanity@76-76-225-199.lisco.net] has quit ["leaving"]
18:03 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
18:34 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has quit [Remote closed the connection]
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-, pa, dazo, ebf0, jpalmer, kaii
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: smk, dogmeat, Bushmills
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: intralanman, krzie, vpnHelper, cyberjames, Pagautas, tarbo2, ikevin, o[80, trifler
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, meshuga, lilalinux, deever, tomfmason, worch, thewolf, eliasp, kala, reiffert, (+4 more, use /NETSPLIT to show all of them)
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: MMN-o, justdave, disco-, disposable, Typone, lonel, krzee
18:50 -!- Netsplit over, joins: smk
18:50 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:50 -!- Netsplit over, joins: troy-, MMN-o, krzee, disco-
18:51 -!- Netsplit over, joins: dazo, ebf0, pa
18:51 -!- Netsplit over, joins: kaii, reiffert
18:51 -!- Netsplit over, joins: intralanman, vpnHelper, ikevin, Bushmills, fbond, o[80, tomfmason, eliasp, cyberjames, tarbo2 (+10 more)
18:51 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
18:51 -!- Netsplit over, joins: lilalinux, kala
18:51 -!- Netsplit over, joins: disposable
18:53 < reiffert> Wow, I was on ##openvpn when not being identified to the nickservice...
18:55 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
18:59 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
18:59 < Bushmills> 'morning reiffert
19:00 < reiffert> hello Bushmills !
19:05 < ecrist> good evening, bitches
19:06 -!- Typone [n=nnitsme@195.197.184.87] has joined ##openvpn
19:20 < dvl> openvpn++
19:24 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
19:24 < test> is there a way to have a different cipher for clients?
19:24 < test> client1 has blowfish, client2 is cipher none?
19:36 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
19:39 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit [Client Quit]
19:39 < dvl> test: well, where is cipher chosen?
19:42 < krzee> i dont think its possible
19:43 < krzee> but --client-config-dir shows that --config can be used in a ccd entry
19:43 < krzee> so thats your only chance, to have a separate config to include for diff clients, not use --cipher in server.conf, and use --cipher in the --config file thats in the ccd entry
19:44 < krzee> never tried it, if you make it work report that back
19:46 < test> cipher doesn't work in the client directive
19:46 < test> bummer
19:49 < dvl> ouch
19:51 < lonel> hi
19:59 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
20:15 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has quit []
20:41 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
20:47 -!- NBrepresent [n=perry@bas1-toronto09-1279621145.dsl.bell.ca] has joined ##openvpn
20:48 < NBrepresent> hey, how can i tell whether a connection from the openvpn cli client to the server is successful? I'm trying to ping boxes on my work network but not getting anything. The status messages after I ran the command to connect all sounded pretty positive... " Initialization Sequence Completed" etc.
20:49 < dvl> NBrepresent: follow the logs
20:50 < NBrepresent> where is the logs dir? i looked in /etc/openvpn
20:51 < dvl> on decent systems, /var/log
20:52 < NBrepresent> no openvpn log in /var/log
20:57 < krzee> i didnt say in the ccd file
20:57 < krzee> i said in the included --config that you put in the ccd entry
20:58 < krzee> but prolly same deal
20:59 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn []
21:03 < NBrepresent> It looks like this is the problem: http://paste2.org/p/133706 . Permissions?
21:29 -!- phobik [n=phobik@cpe-76-186-113-30.tx.res.rr.com] has joined ##openvpn
21:30 < phobik> i'm having trouble on my openvpn 2.0 setup that when connecting as a client from windows my route works fine but when using linux or mac my servers do not know how to route back to my client machine
21:43 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
21:49 -!- NBrepresent [n=perry@bas1-toronto09-1279621145.dsl.bell.ca] has left ##openvpn []
23:14 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:31 -!- thewolf is now known as ehtwolf
23:31 -!- ehtwolf is now known as thewolf
23:58 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
23:59 < mRCUTEO> hiya ecrist
--- Day changed Thu Jan 22 2009
00:05 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
00:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:01 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
01:17 -!- nsar [n=nsar@121.1.18.241] has joined ##openvpn
01:18 < nsar> hello
01:18 < nsar> what do you mean We prefer to help those who help themselves?
01:18 < nsar> to help my self?
01:24 < krzee> like when someone says "hey read this"
01:25 < krzee> then 2 minutes later you ask another question that was clearly explained in the link you were given
01:25 < krzee> thats a good example of not helping yourself
01:26 < nsar> ok
01:27 < nsar> what i want to ask is that the provider has completely closed access to my machine as a server. if i put up for example an ftp server nobody will be able to reach it. so the solution is to connect as a client to an openvpn server ?
01:29 -!- luck00 [n=luck00@86.122.10.202] has joined ##openvpn
01:30 < krzee> if you can reach the openvpn server, you can default route over the vpn server to reach anything the vpn server can
01:30 < krzee> but the vpn server will need to NAT the internal vpn ips to its external ip
01:30 < krzee> using iptables or whatever your OS uses
01:33 < luck00> hi all
01:33 < luck00> i have a little problem
01:33 < luck00> i try to make a vpn tunnel site to site over two routers
01:34 < luck00> on one router i have vpn ip-s 10.8.0.1 10.8.0.2 and on the other one 10.8.0.6 10.8.0.5
01:34 < luck00> is that ok?
01:35 < luck00> or i need 10.8.0.1 10.8.0.2 and on the other one 10.8.0.2 10.8.0.1
01:35 < luck00> i can ping computers behind server but cannot ping computers behind client
01:38 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:41 -!- o[80 is now known as oc80z
01:43 < nsar> luck00 did you setup the route correctly ?
01:44 < luck00> i have ping over peer to peer connection on both ways
01:44 < luck00> so the tunnel it is ok
01:44 < nsar> me i had this problem and somehow i solved it with routing software
01:44 < luck00> i think the problem it is on the server
01:45 < luck00> the packets are not routed right
01:45 < nsar> pass a route thru a point-to-point connection /32 mask?
01:46 < nsar> linux is the os?
01:47 < nsar> sorry on the clients what is the os?
01:49 < krzee> [03:39] or i need 10.8.0.1 10.8.0.2 and on the other one 10.8.0.2 10.8.0.1
01:49 < krzee> correct
01:49 < krzee> [03:39] i can ping computers behind server but cannot ping computers behind client
01:49 < krzee> either ipforwarding or firewall
01:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:50 < luck00> linux on both sides
02:08 < reiffert> oin
02:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:23 -!- nsar [n=nsar@121.1.18.241] has left ##openvpn []
02:45 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:45 < lolipop> !route
02:45 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:46 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
02:46 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < ykut_johny> hi
02:50 < ykut_johny> having problem to establish connection from this scenario pcA(10.0.9.1)->openvpn-clientA(10.99.99.10) --->openvpn-server(10.99.99.1)---pcB(10.0.7.5). pcA can ping pcB, but pcB can't ping pcA.
02:52 < lolipop> !route
02:52 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:00 < ykut_johny> lolipop: indeed i read it before..
03:01 < lolipop> lol.....i just want to get the url.... sorry
03:01 < ykut_johny> lolipop: i have configured my ccd/myclient1 (on openvpn server ) to have iroute ..
03:01 < ykut_johny> lolipop: no worries man..:)
03:02 < lolipop> u ping by using eth0 ip or tap or tun ip ?
03:02 < ykut_johny> lolipop: it used to work this morning, and i just changed the server vpn to client-vpn by just copying the whole config from server vpn..and somehow, it's not working..:(...
03:03 < lolipop> check firewall ?
03:03 < lolipop> maybe ur firewall is blocking ur ICMP request
03:03 < ykut_johny> lolipop: i did check firewall..and on pf i pass in/out all for tun0..and nothing about block rules
03:04 < lolipop> now ur openvpn-server cant ping openvpn client?
03:04 < lolipop> but they r connected?
03:05 < ykut_johny> lolipop: if from pcA i can ping to pcB..so firewall is not blocking any icmp...:)
03:05 < ykut_johny> lolipop: seem like openvpn server didn't know how to forward the traffic back
03:05 < lolipop> when pcB ping on pcA, firewall on pcA might block :P
03:05 < lolipop> oh
03:06 < lolipop> u r trying to ping the lan behind openvpn server?
03:06 < ykut_johny> lolipop: yupe...openvpn-server can't ping openvpn client..
03:06 < ykut_johny> lolipop: from openvpn client to openvpn server it just working
03:06 < ykut_johny> lolipop: i'm suspecting something to do with routing table on openvpn's server..but didnt have any clues..
03:07 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: kaii
03:07 < ykut_johny> lolipop: from client behind openvpn client, i managed to ping client behind openvpn server...
03:07 -!- Netsplit over, joins: kaii
03:08 < lolipop> oh, i'm not pro in openvpn, but maybe u can show me your config
03:10 < ykut_johny> lolipop: but, from openvpn server i just can't ping client behind openvpn client
03:10 < ykut_johny> lolipop: which config do want.?..server eh..?
03:20 < dazo> ykut_johny: you most probably need to have a look at the "iroute" statement .... please read this link _carefully_
03:20 < dazo> !route
03:20 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:21 < dazo> ykut_johny: you will find more info about iroute here ... and in the man pages of openvpn
03:21 < ykut_johny> dazo: indeed...the iroute was configure correctly..
03:21 < ykut_johny> dazo: i was reading it before...:)..and thanks for the pointer.:)
03:22 < dazo> ykut_johny: what kind of OS is on the client? Firewall allows traffic in that direction?
03:22 < ykut_johny> openbsd 3.9 for openvpn server and openbsd 4.2 for openvpn client
03:22 < ykut_johny> and firewall is PF for both end
03:23 < dazo> ykut_johny: okey ... I'm not familiar with *bsd ... but I believe ecrist and krzee knows much more about that platform
03:23 * dazo is Linux user
03:24 < ykut_johny> dazo: :)..kewl
03:24 < dazo> ykut_johny: just a few checks .... can you ping the VPN interface on the client from your server? And if yes, can you ping the eth interface on the client from the server?
03:25 < ykut_johny> dazo: i can see traffic is coming from siteA to siteB on openvpn server machine..but i notice that openvpn server didn't know how to forward the packet to siteB
03:26 < dazo> ykut_johny: sounds like you're also missing a route on the server side then .... do you have a "normal" route defining the clients network on your VPN server?
03:27 < ykut_johny> dazo: yes..since from siteA to openvpn server i got reply from openvpn server
03:28 < dazo> ykut_johny: I'm suggesting this the other way around .... that you are on the server .... and try to ping the client ... to see if the packages gets lost or comes back
03:29 < dazo> ykut_johny: have you tried tcpdump on the client (siteB, afaiu) ... to see if the ping traffic goes back to the VPN tunnel?
03:29 < dazo> tcpdump -n -i
03:33 < ykut_johny> dazo: nothing..
03:33 < dazo> ykut_johny: you did not see any traffic whatsoever on the client when pinging it from the server?
03:34 < ykut_johny> dazo: seem like openvpn server didn't know how to forward the traffic...
03:34 < dazo> ykut_johny: check the routing table on the server .... I'm sure it's just a minor mistake in the routing on the server side
03:34 < ykut_johny> dazo: but if i ping the ip addresses given by vpn network , it reached to the client
03:35 < dazo> ykut_johny: that means that the server know the route for the VPN tunnel .... but not the clients network behind the VPN tunnel
03:35 < ykut_johny> dazo: seem like it...
03:37 < dazo> ykut_johny: I'm pretty sure it's in either the routing or firewall rules on the server ... that's usually the biggest bummers which is easy to commit ... if struggling, please pastebin your configs and routing table .... it'll be easier to look at it then
03:38 < ykut_johny> dazo: indeed..i'm thinking maybe some routing or my dumbass skill on firewalling is the issues..:)
03:39 < dazo> ykut_johny: is it an option for you to take down/turn off/open up completely the firewalling for a few minutes and try the ping test again?
03:40 < dazo> just to get indication if it is firewall and/or routing issue
03:40 < ykut_johny> dazo: yeah..will try to..:).but prefer not to for now..:)
03:40 < dazo> np! :)
03:41 < lolipop> last time my case is cant ping from lan behind client to lan behind server, but i used NAT masquerade to solve it
03:41 < lolipop> kakaka
03:42 -!- luck00 [n=luck00@86.122.10.202] has quit ["Leaving"]
03:43 < ykut_johny> lolipop: hehe..:D..
04:00 -!- ikevin_ [n=kevin@ANancy-256-1-121-180.w90-33.abo.wanadoo.fr] has joined ##openvpn
04:06 -!- ikevin [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has quit [Read error: 145 (Connection timed out)]
04:09 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
04:36 < ykut_johny> MULTI: bad source address from client [10.0.11.102], packet dropped ...other than problem with iroute, what is the other possibilities that can cause this problem..?
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:51 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
04:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:08 -!- _markh_ [n=chatzill@fentech.gotadsl.co.uk] has joined ##openvpn
05:11 < _markh_> I'm setting up a VPN server. How can I get the server to allow some 'clients' to connect using certificates only and others to require certificates AND a user password. I know how to do both but not how to specify for each client. I've tried placing the line
05:11 < _markh_> plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
05:11 < _markh_> in /etc/ccd/openvpn/mark (where 'mark' is the name of the user's pv) but it seems to be ignored...
05:13 < dazo> _markh_: I don't think this is possible ... you'll need to have two different openvpn processes running with a different config file and ports
05:15 < _markh_> dazo: I'd already figured that was a solution, but it adds complexity because of ipaddresses/routes etc.
05:17 < dazo> _markh_: yeah, I know ... but I haven't seen anything in the config docs that it is possible to have different authentication schemes for user connections
05:17 < dazo> :(
05:19 < _markh_> Shame because I have a couple of servers that need to connect, plus a bunch of users. The users will auth using one time passwords but the servers can't ... :(
05:19 < _markh_> Oh well...
05:41 -!- NK` [i=niko@minithins.net] has left ##openvpn []
05:59 < krzee> [05:38] dazo: but if i ping the ip addresses given by vpn network , it reached to the client
05:59 < krzee> just realized
05:59 < krzee> thats right
05:59 < krzee> actually wait, i may be wrong
05:59 < krzee> was thinking it could have to do with it being ptp
05:59 < krzee> but im not sure
05:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
06:02 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:02 < joelsolanki> Hi all.
06:03 < joelsolanki> i have setup vpn on windows xp. and enabled the ipenablerouter to 1 with regedit in winxp
06:04 < joelsolanki> but i am not able to access the lan.
06:04 < joelsolanki> any hints plz ?
06:04 < joelsolanki> this configuration was working but change is of just a vpn server hardware thats it.
06:05 < joelsolanki> problem is xp is not forwarding it.
06:11 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
06:13 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
06:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:32 < dazo> krzie: yeah, the whole ptp thing confuses me ... because his end-points on both sides had completely different IP addresses (.1/.2 on server and .9/.10 on client) ... and server could ping client end point and vice versa ...
06:53 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:53 < joelsolanki> !route
06:53 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:04 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:06 < joelsolanki> !configs
07:06 < vpnHelper> joelsolanki: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:06 < joelsolanki> Hi all. i have below config
07:07 < joelsolanki> winxp-vpnclient --> openvpn-server ---> lan
07:07 < joelsolanki> i want have winxp communicate with my lan.
07:08 < joelsolanki> so winxp(10.8.0.6) -> openvpn-server(10.8.0.1) --> lan ip range is 192.168.0.0/24
07:08 < joelsolanki> i read the http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
07:08 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
07:08 < joelsolanki> so i just need to add this line to openserver server.conf push "route 192.168.1.0 255.255.255.0"
07:09 < joelsolanki> sorry " route 192.168.0.0 255.255.255.0 "
07:09 < joelsolanki> is this correct ?
07:09 < joelsolanki> that should make the trick ?
07:10 -!- Gray9Mar_ [i=surf___@gateway/tor/session] has joined ##openvpn
07:13 < joelsolanki> anybody please?
07:14 < ecrist> good morning, bitches
07:15 < Gray9Mar_> hi. i have lots of "ERROR: Random number generator cannot obtain entropy for PRNG" lines in my openvpn log. openvpn seems to work anyways. but shows no log lines except the prng error. does anyone have an idea whats wrong here?
07:15 < ecrist> joelsolanki: yes, that's correct.
07:15 < ecrist> ***BUT, you're probably going to run in to problems, if the LAN where the winxp system is uses the same IP range as the remote VPN LAN
07:16 < joelsolanki> ok cool. let me test it then :)
07:16 < ecrist> Gray9Mar_: what does google say about the error?
07:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
07:18 < Gray9Mar_> 4 links to crypto.c from openvpn source
07:18 < Gray9Mar_> which i doesnt understand
07:18 < ecrist> what version are you running?
07:19 < Gray9Mar_> OpenVPN 2.0.7 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 11 2008
07:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:19 < ecrist> ok, run something more current, first. 2.0.9 is out for 2.0, and 2.1 is up to RC15
07:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Client Quit]
07:22 < Gray9Mar_> k, will try that right now
07:22 < Gray9Mar_> btw i wonder why 2.0.7 is gentoo default
07:23 < ecrist> no idea
07:46 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:05 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
08:45 < dazo> Gray9Mar_: I'm running 2.1_rc15 without any problems on Gentoo
08:45 < dazo> that is - rc15 in production
08:46 < dazo> Gray9Mar_: I don't think Gentoo maintainers give openvpn too much love and care ..... or they are just too picky about getting things QAed first
08:47 * dazo might be able to dig up a openvpn-2.1_rc15 ebuild file .... if Gray9Mar_ is interested
08:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:08 < _markh_> I have two openvpn servers running on a host - one implementing 10.8.0.0/24 and the other 10.9.0.0/24 . How do I allow systems authenticated to 10.8.0.0 to communicate with systems authenticated to 10.9.0.0/24 ?
09:13 < MMN-o> I'd probably use "push route 10.8.0.0/24" (in server config) to the 10.9 net, and vice versa
09:13 < MMN-o> I'd also check:
09:13 < MMN-o> !route
09:13 < vpnHelper> MMN-o: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:14 < MMN-o> which cleared stuff up for me at least.
09:14 < ecrist> _markh_: you need to push the routing.
09:15 < MMN-o> _markh_: Syntax error on my push line, look up the quoting.
09:26 -!- patrik [n=patrik@cust-IP-10.data.tre.se] has joined ##openvpn
09:27 < patrik> Hi, I'm having some trouble with my tun tunnel. client can ping server, server can ping client, but client cant ping computers on the servers subnet. ip_forward is set to 1.
09:28 < patrik> the subnet lan computers receive data from the vpn client but when they try to respond they get unreachable host.
09:30 < ecrist> !route
09:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:30 < ecrist> read that, patrik
09:30 < ecrist> your lan is missing the route to your vpn subnet
09:30 < patrik> ok, thanks
09:41 < patrik> ecrist: I have the client on the same subnet as the servers subnet, is this a bad thing? Since I only want to have one vpn client I didn't wanna make a complete subnet for it.
09:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
09:47 < ecrist> patrik: yes, it's bad
09:48 < patrik> ecrist: ok I'll put it on a separate subnet then
09:52 -!- phobik [n=phobik@cpe-76-186-113-30.tx.res.rr.com] has quit ["Leaving"]
09:58 < plaerzen> morning irc
10:11 < ecrist> heya plaerzen
10:20 < plaerzen> ecrist, So. Tell me a story?
10:20 < ecrist> o.O
10:22 < plaerzen> ok, fine.
10:48 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
10:55 -!- mk101mx [n=mgarciav@148.233.37.38] has joined ##openvpn
10:56 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:10 < patrik> ecrist: Cool, I got it working, thanks!
11:11 < ecrist> no problem
11:11 -!- patrik [n=patrik@cust-IP-10.data.tre.se] has quit ["Ex-Chat"]
11:40 < _markh_> still struggling with the routing for 2 openvpn servers on my host implementing 10.1.0.0/24 and 10.2.0.0/24. I've pushed 10.1.0.0/24 onto the client that connects to 10.2.0.0/24 and vice-versa. the routing tables on the clients look good - http://pastebin.com/d5cfb0436. And the routing table on the server looks OK too - http://pastebin.com/m4309f153
11:40 < _markh_> Do I need to tell the server to link the two (I have client-to-client set). !route isn't quite discussing my scenario I think so I don't think I need iroutes ???
11:41 < dazo> _markh_: are the network on your server side accessing the network behind your openvpn client?
11:43 < _markh_> dazo: No
11:43 < _markh_> Just the openvpn client itself
11:43 < dazo> _markh_: then you are right, iroute is not needed .... and the client should be able to see both ways
11:44 < dazo> _markh_: are you using ptp (tun interface) or tap devices?
11:44 < _markh_> dazo: tun
11:45 * dazo wonders why everyone using tun ends up with routing issues .... ;-)
11:46 < dazo> _markh_: I'm not so strong at tun, unfortunately .... most of the networks I've setup have used tap ... but of course you'll need to choose what's right for you
11:46 * dazo needs to setup a test network with tun to get more experience here
11:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:47 < _markh_> dazo: but tap isn't so good for WAN's I think as there's more traffic?
11:48 < _markh_> Summarizing I have A (10.1.0.6) <-> (10.1.0.1) OVPN (10.2.0.1) <-> B(10.2.0.6)
11:48 < _markh_> And I need A to talk to B
11:48 < dazo> _markh_: maybe ... I'm using it over GPRS without any big problems .... but true, I haven't tried tun yet
11:50 < _markh_> dazo: I'll enable some debugging and see what I can learn...
11:50 < dazo> _markh_: good luck :)
11:51 * dazo needs to go home and get some dinner
11:52 -!- rubydiam_ [n=rubydiam@123.236.183.184] has joined ##openvpn
11:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
11:53 -!- rubydiam_ is now known as rubydiamond
12:05 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn
12:06 < lclimber> hello guys, is there an existing stable project installing a openvpn client on a pda?
12:11 < lclimber> sorry, let me rephrase, is there an existing stable project for installing a openvpn client on a pda?
12:24 < _markh_> dazo: Needed the following
12:24 < _markh_> # echo 1 > /proc/sys/net/ipv4/ip_forward
12:24 < _markh_> # iptables -A FORWARD -i tun+ -j ACCEPT
12:24 < _markh_> # iptables -A INPUT -i tun+ -j ACCEPT
12:24 < _markh_> All in the HOWTO ... ;)
12:27 -!- rodpod [i=rod@hick.org] has joined ##openvpn
12:37 -!- rodpod [i=rod@hick.org] has quit [Success]
12:39 < reiffert> lclimber: to help you rephrase: Did anyone port openvpn for PDA which has the following Processor architecture:
12:39 < reiffert> lclimber: you may want to ask that on the mailinglists.
12:40 < lclimber> well thanx reiffert, i am looking on the mail archives
12:40 < reiffert> Looking is ok .. asking is better :)
12:43 < lclimber> you are right, i found some posts of people with the solution, thanx for your advice
12:58 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit [Remote closed the connection]
13:28 -!- joelsolanki [i=joelsola@123.237.172.68] has joined ##openvpn
13:28 < joelsolanki> Hi friends
13:29 < ecrist> howdy
13:29 < joelsolanki> i have a working vpn server
13:29 < joelsolanki> :)
13:29 < ecrist> congrats
13:29 < joelsolanki> there are 2 clients connected to it.
13:29 < joelsolanki> i can ping client1(10.8.0.6) and client2(10.8.0.10) from vpn server
13:30 < joelsolanki> but client1 cant ping client2 and vice versa
13:30 < ecrist> in the server, add client-to-client
13:30 < joelsolanki> hmm. let me do that
13:36 < joelsolanki> that worked :)
13:36 < joelsolanki> thanks ecrist
13:36 < joelsolanki> thanks
13:37 -!- joelsolanki [i=joelsola@123.237.172.68] has quit []
13:42 -!- mk101mx [n=mgarciav@148.233.37.38] has left ##openvpn []
13:54 -!- rubydiamond [n=rubydiam@123.236.183.184] has quit [Read error: 104 (Connection reset by peer)]
13:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:05 -!- int [n=quassel@wikia/int] has joined ##openvpn
14:09 -!- aar0n is now known as aar0n_
14:09 -!- aar0n_ is now known as aar0n_sleeping
14:32 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:54 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
15:54 < bigjohnto> how does openvpn know to give the same ip address to a specific user each time they log in? ipp.txt has different ip's for that user so i know its not ipp.txt
15:56 < bigjohnto> even though i have ipconfig-per on and shows file as ipp.txt
16:00 < ecrist> bigjohnto: ipp.txt, or client configs
16:01 < bigjohnto> nothing in the client side configs
16:01 < bigjohnto> and ipp.txt has a complete different ip then what i am getting
16:01 < ecrist> why does it matter?
16:01 < bigjohnto> ecrist just curious really, how it shows one thing in ipp.txt but gives something different
16:01 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn
16:01 < ecrist> I'm guessing you have two clients connected with the same certificate
16:02 < bigjohnto> nope, each client has their own cert
16:02 < bigjohnto> and i for sure am using my own cert
16:02 < bigjohnto> my ip .15 ipp.txt shows .8
16:02 < bigjohnto> weird :)
16:05 < grendal_prime> I have an openvpn server setup works great..but i need for one box to connect with a static ip address. I was told that i can setup the client to just use a specific address when it connects...i cant find an example of a static ip client config though?
16:05 < ecrist> grendal_prime: there are lots of examples out there.
16:06 < ecrist> try the openvpn howto
16:06 < ecrist> !howto
16:06 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:06 < grendal_prime> im looking at it now..
16:06 < ecrist> trust me, it's there.
16:06 * bigjohnto sees ipp.txt was last accessed with last vpn'd user but still wonders why ip's are wrong....
16:07 * ecrist goes out to shovel his driveway.
16:09 < grendal_prime> i still cant find anything
16:10 < ecrist> if I find it, can I ask a chan op to ban you?
16:12 < grendal_prime> ?
16:12 < grendal_prime> wtf
16:12 < grendal_prime> ?
16:12 < ecrist> ?
16:12 < grendal_prime> sure ask one...i mean i would hope they wouldnt do it..
16:12 < grendal_prime> now im afraid to ask anything.
16:13 < bigjohnto> ifconfig-push 10.8.2.1 10.8.2.2
16:13 < bigjohnto> i think
16:13 < ecrist> what you want is at http://openvpn.net/howto.html#policy
16:13 < grendal_prime> by the way ive looked for some time before i came here...
16:13 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:13 < bigjohnto> change to what you want
16:13 < grendal_prime> thats to push one from the server..
16:13 < bigjohnto> ah
16:13 < ecrist> grendal_prime: it's a bad idea to statically assign yourself an IP from the client side.
16:14 < ecrist> 1) your math will be off and you'll clobber the tunnel server endpoint, or similar
16:14 < ecrist> 2) the OpenVPN server may clobber you while assigning an IP to another client
16:15 < grendal_prime> hmm so i do need to push it from the server then.
16:15 * ecrist really goes and really shovels his driveway now.
16:15 < bigjohnto> or ipp.txt for that users cert
16:15 < bigjohnto> ecrist shouldn't that work?
16:16 < grendal_prime> well that was my other question can i just reserve an ip for a certain cert?
16:16 < bigjohnto> in ipp.txt
16:16 < bigjohnto> certname,ip
16:16 < bigjohnto> its "supposed" to work, but isn't for me anyways
16:17 < grendal_prime> well...thats for a disconnect...and reconnect i think...
16:17 < bigjohnto> grendal yea, but it still is completely wrong :)
16:18 < bigjohnto> for me that is
16:18 < grendal_prime> i mean...it seems to me that it does get the same ipaddress assigned..but my thinking is that is not written in stone, and i dont want there to be a problem
16:18 < grendal_prime> I just wish there was a reservation file somewhere.
16:22 < bigjohnto> & my ipp.txt for some reason has multiple ip's for the same cert "user"
16:22 < bigjohnto> how dumb
16:29 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
16:32 < grendal_prime> thats ok i just looked in mine...there is nothing listed in it
16:33 < grendal_prime> what does it normally look like...syntax wise... certname=10.8.0.5 something like that?
16:33 < ecrist> grendal_prime: I pointed you to the link in the howto
16:33 < grendal_prime> yes ecrist thank you
16:33 < ecrist> the reservation is with the client config
16:34 < bigjohnto> certname,10.8.0.5
16:34 < bigjohnto> ecrist, if i have bob,10.8.0.5 and on the next line bob,10.8.0.10 .... what would cause that?
16:35 < bigjohnto> openvpn service maintains the ipp.txt file
16:36 < ecrist> bigjohnto: see http://openvpn.net/howto.html#policy - the IPs you're assigning in ipp.txt don't line up with proper /30 subnets
16:36 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:36 < grendal_prime> i just thought it was odd that the ipp.txt file on my server...has nothing in it..and im pretty sure the server.conf specifies that it is to keep track of that info.. and yes im quite certain that there are clients connected
16:37 < grendal_prime> ecrist...there is no ccd dir on my openvpn installation, I can create that and point the server to that correct?
16:37 < ecrist> yes
16:38 < grendal_prime> and then i just create the files within there just the same way it is illustrated there..i dont have to worry about setting up iptables rules in my case..not that i can see anyway.
16:38 < grendal_prime> ill test it in the vm test enviro first..
16:49 -!- Plouj [n=Plouj@red.cs.yorku.ca] has joined ##openvpn
16:49 < Plouj> hi
16:50 < Plouj> can you guys recommend to me any easy to use and maintain Free/OpenSource Software storage+vpn complete "solutions"? I'm looking for something like opennas or freenas but with vpn manageability built in.
17:00 < grendal_prime> ya i keep getting assigned something else
17:00 < grendal_prime> following the #policy
17:01 < grendal_prime> well actually im following the config in the test server enviro that i have. It actually had some comments that explained how to do this (the production server didnt)
17:02 -!- Hyphenex [n=scott@203.219.38.207] has joined ##openvpn
17:02 < grendal_prime> but they match up with the howto.html file.. but i still cant get it to assign a specific ip address. Im using the common name of the client. I tried the cert name as well and got nothing with it.
17:02 < Hyphenex> Hey, is there a way to set up 'quota' limits for users?
17:02 < ecrist> for bandwidth?
17:06 < Hyphenex> yeah
17:06 < Hyphenex> say, if we were to create a VPN on a uni network for peeps on campus to join
17:06 < Hyphenex> but we don't want them stealing all our downloads
17:06 < Hyphenex> so we set up a 'quota'
17:06 < reiffert> Hyphenex: the manpage knows it all.
17:07 < reiffert> Hyphenex: for openvpn-2.1
17:09 < Hyphenex> reiffert: is that speed or amount limit?
17:11 < reiffert> Hyphenex: the very first 4 words explain it.
17:12 < Hyphenex> reiffert: I'm lost, where exactly am I looking?
17:13 < reiffert> Hyphenex: at a computer monitor, maybe a LCD.
17:13 < reiffert> !man
17:13 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:16 < Hyphenex> reiffert: yeah, I mean where abouts in the manual
17:17 < dvl> Hyphenex: look for shaper
17:17 < reiffert> DOH!
17:17 < dvl> Hyphenex: FWIW, I searched for bandwidth
17:17 < reiffert> dvl: I was about to teach him that easy step, now you told him for nothing.
17:17 < dvl> reiffert: if you want to teach, you have to give hints.
17:18 < dvl> My hint was what to search for: bandwidth. Yeah, I know I gave him the keyword.
17:18 < reiffert> dvl: he already knows for what he is searching, namely: bandwidth.
17:18 < Hyphenex> Shaper is kind of what I want, but not exactly, I mean, in Australia we buy 20GB of data, we want to split that up between users
17:19 < dvl> Hyphenex: well, perhaps you need to do this outside of OpenVPN
17:19 < Plouj> is there any package/application/whatever that can simplify my OpenVPN setup/maintenance if I'm only planning to have 1 or 2 clients?
17:19 < reiffert> Hyphenex: the status log also records the amount of bytes transferred on a per user basis.
17:19 < Hyphenex> oahh, have the OS do it? any hints dvl?
17:19 < Hyphenex> reiffert: I think there is a webmin module
17:20 < dvl> Plouj: I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php
17:20 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
17:20 < Plouj> I'm on a tight budget, so paying a professional would probably cost more than buying some proprietary user-friendly solution.
17:20 < reiffert> Hyphenex: you can easily read that file on a regular basis and calculate if a particular user is allowed to transfer another byte.
17:20 < Plouj> dvl: the thing is I don't know much about iptables, nor about the details of tunneling/routing.
17:20 < dvl> Hyphenex: I am not a mind reader, I have no idea what OS you are using. :) But if you were using a real OS, it would have some kind of traffic shaper in it. I would use pf. Not available outside BSD
17:21 < dvl> Plouj: I know nothing about iptables either. That's some kind of linux-specific thing isn't it? ;)
17:21 < Hyphenex> dvl: Thanks, I'll look up installing pf on openBSD... or would netBSD be better?
17:21 < Plouj> dvl: yeah, I guess it is.
17:22 < dvl> Plouj: the URL I gave you has nothing to do with iptables, I promise. :)
17:22 < dvl> Hyphenex: FreeBSD would be my recommendation.
17:22 < Plouj> humm
17:25 < grendal_prime> ok got it working
17:26 < grendal_prime> sooo now that it is pushing that ip address for that cert, it will not assign another box that ip address correct?
17:26 < grendal_prime> ecrist: that question was for you
17:50 < Plouj> the ssh -w option is only for tunnelling (in other words Windows shared folders won't be accessible over such a VPN), right?
17:50 < Plouj> can OpenVPN easy be setup to allow clients to connect only through ssh?
17:54 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has joined ##openvpn
17:55 < Jason404> are there any issues with running OpenVPN in a virtual machine on the LAN?
17:55 < Jason404> is it ok to use a VM?
17:55 < Jason404> any possible problems with doing that?
18:00 < dvl> Jason404: tried it?
18:00 < Jason404> no, not yet
18:00 < Jason404> i just want to know if it worth doing it first
18:01 < Jason404> and I might not be able to see any possible issues until it is too late if there were any
18:05 < Jason404> like there could be an issue with routing, I imagine, with the host
18:07 < dvl> Dunno, no idea.
18:08 < Jason404> I suppose I'll have to just try it
18:08 < Jason404> I have not used OpenVPN before.
18:09 < dvl> Everyone's a virgin at one time.
18:11 < Jason404> how long did it take you to get to grips with it? is it hard to configure?
18:11 < dvl> I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php
18:11 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
18:11 < dvl> That should get you going easily. but we'll see.
18:11 < Jason404> cheers dvl
18:12 < Jason404> what's that link about vpnHelper?
18:12 < Jason404> is vpnHelper a bot?
18:12 < dvl> yes
18:12 < Jason404> ok
18:13 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
18:15 < Plouj> I wish there was a bot which would setup openvpn for me
18:15 < dvl> It's called a consultant
18:15 < dvl> They cost
18:15 < Plouj> yeah
18:16 < Plouj> too bad they would probably cost more than some windows based vpn thingy
18:16 < Plouj> and since I'm setting up VPN for a friend, he would probably choose the windows based solution because of price
18:16 < Plouj> and because he'd be able to configure it (at least to some extent)
18:19 < Jason404> maybe he should try Hamachi. you cant get much simpler than that
18:20 < Plouj> yeah, that's an option
18:23 < Plouj> dvl: I guess iptables was a wrong example in my earlier statement.
18:24 < Plouj> dvl: I meant that I don't really have time to figure out all of the deep details of tunneling/bridging. This seems like it has some useful diagrams: http://openmaniak.com/openvpn.php , but how useful would they be when something goes wrong?
18:24 < reiffert> Plouj: how much time you got?
18:25 < dvl> Plouj: I just handed you a step-by-step set of instructions. :)
18:25 < dvl> Plouj: are you saying you're a pillock? ;)
18:25 < Plouj> dvl: I know. Thank you. I'll read it when it comes time to try openvpn.
18:25 < dvl> Plouj: I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php
18:25 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
18:25 < dvl> Plouj: OK, then stop yer whining. :)
18:25 < Plouj> reiffert: Lets say one week not counting occasional monthly checkups that I would have to do (I guess).
18:26 < reiffert> Plouj: just follow the official openvpn howto then.
18:26 < Jason404> pillock. you in the UK as well?
18:26 < reiffert> It's a matter of 2-3 hours.
18:26 < Plouj> heh
18:26 < dvl> Jason404: No, I am merely multi-vocabulary.
18:26 < Jason404> ic
18:26 < dvl> reiffert: No, not the how-to. Way TMI.
18:27 < reiffert> dvl: I'm sure as hell.
18:27 < Plouj> reiffert: maybe for someone who does IT for a living.
18:27 < Jason404> yeah, the official website has made it seem pretty daunting to me, and I'm a hardcore power user
18:27 < Jason404> ;P
18:27 < reiffert> Plouj: I guess you didnt read further than the caption?
18:28 < Plouj> I recall trying to setup openvpn for myself 2 years ago. Although I spent more than 3 hours, I couldn't figure out what I was doing wrong so it didn't work.
18:28 < dvl> Jason404: ditto. Been writing docs for 11 years... lots of info in there.
18:28 < Plouj> I just read this: "This HOWTO assumes that readers possess a prior understanding of basic networking concepts such as IP addresses, DNS names, netmasks, subnets, IP routing, routers, network interfaces, LANs, gateways, and firewall rules."
18:29 < dvl> What new people need is a simple step by step practical example to get them going. Lower the barrier to entry. Keep It Simpl.
18:29 < dvl> +e
18:29 < Plouj> IP routing, and firewall rules I wouldn't know without reading tutorials
18:29 < dvl> While the HOWTO contains many great pieces of information, it is far TMI for an OpenVPN novice.
18:29 < Plouj> dvl: not really, I think the problem (don't take this as a criticism) is that there is a lot of choice (eg bridging/tunneling).
18:30 < dvl> Once you get up and running with a simple setup, then you can move to other stuff.
18:30 < dvl> Plouj: that is what I mean.
18:30 < Plouj> dvl: if all I had to do was enter a password and choose a subnet address, that would be easy.
18:30 < Plouj> plus, you would know that if something's broken is because the software is malfunctioning
18:30 < Plouj> or the VPN setup that it provides isn't suitable for your usage
18:31 < Plouj> that's how I imagine it
18:31 < Plouj> (when I compare OpenVPN to hamachi)
18:33 < Plouj> makes sense?
18:35 < Plouj> I found this: http://en.wikipedia.org/wiki/Socialvpn
18:35 < vpnHelper> Title: Socialvpn - Wikipedia, the free encyclopedia (at en.wikipedia.org)
18:35 < Plouj> which is sort of what I'm looking for in terms of easy setup
18:35 < Plouj> but not tied to a social network, heh...
18:37 < Jason404> i'm behind NAT. does this make things more difficult, apart from having to forward port(s)?
18:37 < Jason404> (with openvpn)
18:38 < Jason404> dvl: you behind NAT
18:38 < Jason404> ?
18:38 < Plouj> humm: http://www.vmware.com/appliances/directory/822
18:38 < vpnHelper> Title: PhoneHome - an openVPN appliance | Virtual Appliance Marketplace (at www.vmware.com)
18:39 < Plouj> and some more: http://www.rpath.org/search?type=Products&search=openvpn
18:39 < vpnHelper> Title: rBuilder Online - Search Results (at www.rpath.org)
18:43 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
18:48 < dvl> Jason404: I am behind NAT, but the OpenVPN server is not.
18:48 < Jason404> will being totally behind NAT be a problem for me?
18:49 < Jason404> surely there would be no problem with the port(s) forwarded to OpenVPN?
18:51 < grendal_prime> im trying ssh-copy-id to ...well do what i does..i keep getting an error about "no identities found" if created the keys with ssh-keygen. what the hell am i doing wrong?
18:57 < grendal_prime> nevermind i figured it out...thanks anyway
19:01 < grendal_prime> Jason404: you are behind a nat (the client?) if the client is behind a nat than no..thats the whole point...the server behind a nat then yes you will need to forward ports. 1194 i think is the only one though.
19:03 < Jason404> cheers. forwarding ports is no problem. i was just wondering if there would be any further complications.
19:07 < ecrist> Jason404: should be no other problems.
19:08 < Jason404> cool
19:23 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
19:23 -!- mRCUTEO is now known as John
19:23 -!- John is now known as mRCUTEO
19:27 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
19:27 < mRCUTEO> !configs
19:27 < vpnHelper> mRCUTEO: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:30 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection]
19:31 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
19:53 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn
19:59 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
20:00 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
20:00 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
20:12 -!- int [n=quassel@wikia/int] has quit [Excess Flood]
20:12 -!- int [n=quassel@wikia/int] has joined ##openvpn
20:30 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
20:31 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has left ##openvpn ["Ex-Chat"]
20:52 -!- Gray9Mar_ [i=surf___@gateway/tor/x-f308901d65b6993a] has quit [Remote closed the connection]
20:58 -!- Gray9Mar [i=surf___@gateway/tor/x-97088d7eb17c601f] has joined ##openvpn
22:31 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn
22:35 -!- littlerock [n=littlero@219.236.170.71] has joined ##openvpn
22:37 < littlerock> can I connect to openvpn server without installing third-party software in windows XP ?
22:39 < muxpux> openvpn client
22:41 < littlerock> muxpux: can I use software in windows instead of installing openvpn, is it possible
22:49 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
22:49 < ricoshady> hey dazo, you around?
22:49 < ricoshady> im working on my open-wrt openvpn config
22:59 < cyberjames> littlerock: if you can do that, let me know too :)
23:22 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:27 < ricoshady> anyone know what this mean? http://pastebin.com/m29641edb
23:33 < littlerock> I need to issue CA, KEYs etc to openvpn clients, how to disable a *specific* user in openvpn ?
23:49 < ricoshady> revoke the key you gave to whichever client you want to stop
--- Day changed Fri Jan 23 2009
00:18 < littlerock> ok I will try
00:48 < ricoshady> im trying to get my server to dish out ips, im using --ifconfig-pool in the server config, but when I connect the client doesnt get an ip and I get the error " no --ifconfig-pool netmask parameter is available to push to"
01:05 < ricoshady> how do I get the client to automatically get one of the ips from the ifconfig-pool option??
01:30 < ricoshady> shit, now this is a DEAD fucking room
01:33 < ykut_johny> dazo: i managed to get it working for my vpn yesterday. what i did was, changing the openvpn server to latest version and the old version 2.0.6 to become client and whoola, everything working just fine..:)
01:48 < ricoshady> ykut_johny, are you using ifconfig-pool?
01:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:50 < ricoshady> anyone know how to configure openvpn?
01:50 < ricoshady> i have a question with ifconfig-pool
01:51 < krzee> whats the question
01:51 < ricoshady> the client connects but does not acquire an ip from the openvpn server
01:51 < ricoshady> im using ifconfig-pool
01:52 < ricoshady> I got it working with server ip netmask, but I want to use same ip for the local net and vpn
01:52 < krzee> !configs
01:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:52 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
01:52 < onats> hi guys,
01:52 < onats> on an ubuntu system, where does the easy-rsa directory get installed into?
01:52 < onats> i installed openvpn using package manager
01:53 < krzee> find / -name easy-rsa
01:53 < onats> ty
01:53 < ricoshady> http://pastebin.com/m1b6be7cf
01:53 < ricoshady> thats my server config
01:54 < ricoshady> does the vpn server need to be a different ip and subnet from the lan interface?
01:54 < krzee> ricoshady, why dev tap?
01:54 < krzee> ricoshady, yes
01:54 < ricoshady> its bridged
01:54 < ricoshady> so it has to be on a completely different subnet too?
01:54 < krzee> umm
01:55 < krzee> you use --server-bridge to bridge
01:55 < krzee> --server-bridge gateway netmask pool-start-IP pool-end-IP
01:55 < ricoshady> well with tun, it seemed I could only connect one client at a time
01:55 < krzee> no, you can connect many with tun
01:55 < krzee> why are you bridging?
01:56 < ricoshady> with tun tho, my interface came up, it maps one ip to the other
01:56 < ricoshady> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
01:56 < ricoshady> inet addr:10.108.42.1 P-t-P:10.108.42.2 Mask:255.255.255.255
01:57 < ykut_johny> ricoshady: yeah..i did disable it and reenable it as well..seem like openvpn cache the routing
01:57 < ricoshady> 42.1 => 42.2
01:57 < ricoshady> or is that just because I didnt create a pool
01:59 < krzee> ricoshady, thats normal
01:59 < krzee> !/30
01:59 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
02:00 < krzee> ricoshady,
02:00 < krzee> !tunortap
02:00 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
02:02 < krzee> onats, np
02:04 < onats> krzee, when maintaining multiple vpn networks ( i need to generate some client keys once in a while), do you just keep copies of their key directory individually?
02:04 < krzee> yes, you may also find ssl-admin useful
02:04 < krzee> !ssl-admin
02:04 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
02:04 < ricoshady> how do I create my tun device
02:05 < krzee> ricoshady, if you have tuntap loaded in kernel (which you do) it should be made on demand
02:05 < krzee> but you can make it stay with --mktun
02:05 < krzee> openvpn --mktun will create it for good
02:06 < krzee> if you are in windows, it will just work
02:06 < krzee> tap driver does tun mode
02:06 < ricoshady> ic, this is pretty cool, so once I have the VPN up, on the other subnet, I'll need to route traffic to the lan
02:06 < krzee> !route
02:06 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:08 < ricoshady> that is weird, from the VPN, I cant ping the client
02:09 < ricoshady> isnt that because of the tun interface?
02:09 < krzee> are both sides using tun?
02:10 < ricoshady> yup
02:10 < krzee> repost server conf pls
02:12 < ricoshady> http://pastebin.com/m2b8754d server
02:12 < ricoshady> client http://pastebin.com/mc9bbab7
02:12 < krzee> remove tls-server
02:13 < krzee> and
02:13 < krzee> grep -vE '^#|^;' client.conf
02:13 < krzee> then repost client pls
02:16 < ricoshady> the windows client is windows
02:16 < ricoshady> duh, the client is windows
02:16 < krzee> ok, well remove comments
02:16 < ricoshady> i dont have grep
02:17 < krzee> oh nm you can leave --tls-server in there
02:17 < ricoshady> http://pastebin.com/m60230ab8
02:17 < krzee> my bad, was thinking tcp-server
02:18 < krzee> these machines are on the same lan?
02:19 < krzee> if you have --tls-server the client should have --tls-client
02:20 < ricoshady> yes, same lan
02:20 < krzee> why?
02:20 < krzee> securing wifi?
02:20 < ricoshady> testing
02:21 < krzee> you wont be able to test lan related stuffs
02:21 < krzee> like the stuff in !route
02:21 < krzee> if you have an external box somewhere you can test with that tho
02:21 < ricoshady> k
02:21 < krzee> when it works you use that config on your laptop
02:21 < krzee> doesnt matter what os
02:22 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:33 < krzee> ricoshady, do they connect or give an error?
02:42 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
02:53 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: krzie, trifler, tarbo2, Pagautas, bigjohnto, ikevin_, vpnHelper, Bushmills
02:53 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, meshuga, lilalinux, deever, disposable, tomfmason, worch, thewolf, cyberjames, eliasp, (+6 more, use /NETSPLIT to show all of them)
02:55 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:55 -!- Netsplit over, joins: bigjohnto, ikevin_, disposable, vpnHelper, Bushmills, fbond, oc80z, tomfmason, eliasp, cyberjames (+11 more)
02:55 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
02:55 -!- Netsplit over, joins: lilalinux, kala
03:13 -!- aar0n_sleeping [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
03:22 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
03:43 -!- _markh_ [n=chatzill@fentech.gotadsl.co.uk] has quit ["ChatZilla 0.9.83 [Firefox 3.0.5/2008120122]"]
03:44 -!- littlerock [n=littlero@219.236.170.71] has left ##openvpn []
03:50 -!- Hyphenex [n=scott@203.219.38.207] has quit [Read error: 104 (Connection reset by peer)]
03:50 -!- ledoktre [n=ledoktre@67.224.62.214] has joined ##openvpn
03:50 < ledoktre> good morning. Anyone got time for a quickie?
03:52 < ledoktre> question is : my openvpn-status.log file is not accurately reflecting the connection status of my client pc. it says it is still connected, yet when I check on the client side, it is no longer connected. I wanted to write a script to monitor the connection, and run a script once it is disconnected, however this is going to be difficult, if I cannot seem to get the status log file to update. Any thoughts?
03:56 < dazo> ledoktre: which openvpn version are you using?
04:08 -!- meturaf [i=meshuga@lenin.ww88.org] has joined ##openvpn
04:08 -!- meshuga [i=meshuga@lenin.ww88.org] has quit [Read error: 104 (Connection reset by peer)]
04:35 -!- rio_ [n=rio@89-149-209-78.internetserviceteam.com] has joined ##openvpn
04:35 < rio_> hi, a question: how can i change IFCONFIG_POOL_MAX variable value in ovpn 2.0.9?
04:35 < rio_> i need to use a /B class range
04:37 < rio_> do i have to recompile ovpn modifying pool.h?
04:40 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
04:51 < dazo> rio_: I vaguely remember this being discussed in the openvpn-devel mailing list last autumn ... maybe check that?
04:52 < rio_> dazo thanks for reply but is not a problem, i just modified pool.h and recompiled :)
04:52 < dazo> http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel
04:52 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
04:53 < dazo> rio_: cool ... well, I remember some developers was wondering about this limitation as well .... but I don't remember if it was "just that easy"(tm) ... or if it would backfire somehow somewhere else
04:54 < rio_> btw i think it should be overwritable with some ovpn.conf var
04:55 * dazo think he found the mail thread .... reading ....
04:55 < dazo> http://sourceforge.net/mailarchive/forum.php?thread_name=44e5dffd0806200615r65f02642hc7fd04d35d2b2a89%40mail.gmail.com&forum_name=openvpn-devel
04:55 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
04:55 < dazo> no clear conclusion .... except you have the same findings ....
04:56 < dazo> rio_: would you mind sending this question also to openvpn-devel mailing list? .... you may add your patch as well, would be nice to get this clarified why this limit exists
04:57 < rio_> well, i could do such thing but i'm a bit overloaded nowadays
04:58 < rio_> i'm not subscribed to maillist as well :D
04:59 < dazo> rio_: ahh ... I see ... but you had problems with nets bigger than /24 or /16? ... because up to /16 should be supported ... btw, which version are you running?
04:59 < rio_> now 2.1 rc15
04:59 < dazo> rio_: and you had that limitation also in rc15?
05:00 < rio_> tbh i don't know, i modified pool.h before compiling
05:01 < rio_> so now works but pool.h was already modified
05:01 < dazo> rio_: oki ... I see
05:01 < rio_> and i need more that 254 subnets, this is the reason i need a B class
05:01 < rio_> (potentially more than 254)
05:02 < dazo> #define IFCONFIG_POOL_MIN_NETBITS 16 << default in rc15
05:03 < rio_> i think it does not matter
05:03 < dazo> rio_: I follow ... well, I have no problems catching that ... even though, it's quite a lot of nets for a VPN tunnel ;-)
05:03 < rio_> :P
05:03 < dazo> rio_: just out of curiosity .... what change did you do?
05:04 < dazo> the #define I pointed at?
05:05 < rio_> hm
05:05 < rio_> just a sec
05:06 < rio_> in /usr/src/openvpn-2.1_rc15/pool.h @ #define IFCONFIG_POOL_MAX 65536
05:06 < rio_> changed in #define IFCONFIG_POOL_MAX 16777216
05:07 < dazo> hmmm ... interesting .... you opened for more IP addresses then actually ...
05:07 < rio_> yes, i opened for 256*256*256 ip address, a B range
05:08 < rio_> it should be simply overwritable using a conf that, if exists, change this value
05:08 < dazo> that's an A range isn't it? As here you have /8 bit mask ....
05:08 < reiffert> yep
05:09 < rio_> yes, sry
05:09 < rio_> A range
05:09 < rio_> 65536 was already a B range
05:09 < rio_> :P
05:09 < dazo> okey! Then I understand ... but I would still expect that you also would need to change the POOL_MIN_NETBITS as well to 8 ...
05:09 < rio_> dazo i didn't change that tbh, but it works...
05:10 * dazo not sure if it will always work that nicely
05:10 < dazo> but that depends where the check against IFCONFIG_POOL_MIN_NETBITS is done
05:11 < rio_> dazo im going to update IFCONFIG_POOL_MIN_NETBITS too
05:12 < rio_> hm
05:12 < rio_> dazo var is IFCONFIG_POOL_MIN_NETBITS
05:12 < rio_> MIN
05:12 < rio_> strange, should be named "max"
05:12 < rio_> no, is ok min :P
05:12 < dazo> no, MIN is correct .... minimum 8 bits
05:13 < dazo> :)
05:13 < rio_> ye ye, is ok
05:13 < rio_> modified and compiled
05:14 < rio_> it works as well as before
05:22 < krzee> ledoktre, why use status file to see if its connected?
05:22 < krzee> maybe ping would be a better option
05:23 < krzee> or better yet, if that script is going to reconnect it, use a keepalive instead
05:25 < krzee> and classful networking went out in the mid 90's guys
05:26 < krzee> /8 /16 /24 :-p
05:26 < krzee> s/networking/subnetting
05:26 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
05:27 < krzee> also, if you need that many ips, you should be using:
05:27 < krzee> !topology
05:27 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:28 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
05:28 < joelsolanki> Hi friends
05:28 < joelsolanki> i have been struggling from last 2 days to fix a openvpn client at remote location.
05:28 < joelsolanki> the system is ubuntu
05:28 < krzee> [02:57] rio_: cool ... well, I remember some developers was wondering about this limitation as well .... but I don't remember if it was "just that easy"(tm) ... or if it would backfire somehow somewhere else
05:28 < joelsolanki> and while connecting to openvpn server i am getting this errors
05:29 < joelsolanki> Jan 23 11:21:03 lake ovpn-lake[29693]: 59.180.130.198:46677 TLS Error: TLS handshake failed
05:29 < joelsolanki> Jan 23 11:21:04 lake ovpn-lake[29693]: 59.180.130.198:44463 write UDPv4 [ECONNREFUSED]: Connection refused (code=111)
05:29 < dazo> krzee: yes?
05:29 < krzee> dazo, the internal routing of stuff in openvpn can start to melt with that gue of clients
05:29 < joelsolanki> Jan 23 11:21:04 lake ovpn-lake[29693]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
05:29 < joelsolanki> Jan 23 11:21:03 lake ovpn-lake[29693]: 59.180.130.198:46677 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
05:29 < krzee> s/gue/huge/
05:29 < krzee> joelsolanki, you have access to both sides?
05:30 < joelsolanki> i checked on windows system using openvpn and it got connected but in ubuntu linux it gives this trouble.
05:30 < rio_> krzee interesting but now i'm ok
05:30 < joelsolanki> i have access to vpn server.
05:30 < dazo> krzee: yeah, but I'm ignorant to mention that fact ... as I would expect a person setting up this really would not expect it to work flawlessly .... with theoretically 16mill clients ...
05:30 < joelsolanki> i dont have control over vpn client. but a guy is there who gives me the output of any command we asked him.
05:31 < joelsolanki> if it was local system it would be easy to fix.
05:31 < joelsolanki> iptables is not installed so firewall is not an issue
05:31 < joelsolanki> even i checked /selinux/enforce that file also doesnt exist.
05:31 < joelsolanki> so i am doubting what is creating problem
05:31 < dazo> krzee: anyway .... if you get openvpn running with more than 4-500 simultaneously clients on one openvpn server process with a decent throughput ... I would consider it to be a miracle
05:31 < joelsolanki> i can get the logs of openvpn if you want
05:32 < krzee> !configs
05:32 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
05:32 < krzee> !logs
05:32 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
05:32 < krzee> with those we may get an idea
05:32 < joelsolanki> hmm let me do that
05:33 < krzee> also give a shot at 1 run on the client with mtu-test in the config
05:33 < krzee> just to rule out mtu issues
05:33 < joelsolanki> ahh how to do that
05:33 < joelsolanki> ?
05:33 < krzee> dazo, agreed, but the amount of ips he wanted to allocate made me think he didnt think the same
05:34 < krzee> how to do what?
05:34 < krzee> how to add the line mtu-test into the client config?
05:34 < krzee> umm, with a text editor i guess
05:34 < krzee> ubuntu comes with nano i believe
05:35 < krzee> should have vi as well
05:35 < joelsolanki> oh ok. i just need to add mtu-test
05:35 < joelsolanki> hold let me have it done and see
05:35 < krzee> oh i shoulda said with --mtu-test to be clearer
05:35 < joelsolanki> ok :)
05:36 < krzee> i just made it to west coast so its really 7:40am for me right now, lol
05:36 < krzee> jet lag and all
05:36 < dazo> krzee: true .... but I expected it to be some kind of subnetting included ... to spread things out .... and to make OpenVPN work with multiple segments over a range larger than /16 can provide, you'd need to patch it ... but I do not say I understand the need for it
05:37 < krzee> if thats what he was aiming for, each process should give a diff subnet and push routes for the others
05:37 < krzee> and any with lans behind go on a separate one so they can get same
05:38 < krzee> then each client that may connect to others get blocks
05:38 < krzee> so it can try next, next, next til one is cool
05:38 < krzee> and each server gets max-clients statement
05:38 < krzee> then it just works (tm)
05:49 < krzee> dazo, know what i mean?
05:57 -!- Gray9Mar [i=surf___@gateway/tor/x-97088d7eb17c601f] has quit [Remote closed the connection]
05:57 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
05:57 -!- Gray9Mar [i=surf___@gateway/tor/x-fcbf8d33a0e756f7] has joined ##openvpn
05:59 < muxpux> hi krzee
06:00 < muxpux> <--lonel
06:23 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has joined ##openvpn
06:29 < Super_Cat_Frog> hi - i have openvpn running on a server, with separate physical network interfaces for internal and external. We're having strange network problems which the people in the data center are blaming on us having multiple default routes
06:30 < Super_Cat_Frog> sounds reasonable to me - i'm not a networking guy, but when i remove either of the default routes, the vpn fails to route traffic
06:30 < Super_Cat_Frog> any ideas?
06:31 < dazo> krzee: Yes, I do ... and I agree :)
06:33 < dazo> krzee: but we can tell him how to do it when he comes back to us, crying, because openvpn collapses because of his infrastructure :-P
06:40 < Super_Cat_Frog> is there anything i should read / google for to find some more info ?
06:40 < Super_Cat_Frog> the people in the data centre are worried it will cause traffic to loop
06:48 -!- polaru_ [n=polaru@193.33.154.198] has joined ##openvpn
06:49 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
06:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:02 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)]
07:12 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
07:20 < Super_Cat_Frog> ah, i'm a tard
07:20 < Super_Cat_Frog> there is only one default gateway, and its working, strange
07:20 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has left ##openvpn ["Konversation terminated!"]
07:25 -!- rio_ [n=rio@89-149-209-78.internetserviceteam.com] has left ##openvpn ["aloha"]
07:30 < plaerzen> morning irc
07:45 -!- Plouj [n=Plouj@red.cs.yorku.ca] has quit ["bah, red going down for UPS replacement.................."]
07:49 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
07:56 -!- ozirus [n=caliskan@81.214.150.105] has joined ##openvpn
07:59 < ozirus> is it possible to limit vpn connection with time? say, i want to integrate openvpn server with a reservation system and users will book the remote lan and connect to it via vpn. when time expires, openvpn server kills the client connection?
08:03 < dazo> ozirus: not out of the box .... but .... it is possible to write such a plug-in for OpenVPN
08:08 < dazo> ozirus: another approach ... is to write an own connection checker, which uses the management interface of the openvpn-2.1 series
08:32 -!- ozirus [n=caliskan@81.214.150.105] has quit []
08:52 < ecrist> good morning, bitches
08:59 < plaerzen> hey ecrist
08:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:59 < plaerzen> ecrist, tell me a story please.
09:02 < reiffert> Once upon a time I was born when my parents were on a journey.
09:03 < reiffert> They stood on a potato acre, which wasnt one of ours, which was irrelevant to me as of then.
09:15 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
09:15 < prxtien> hey all
09:15 < prxtien> im running an openvpn instance as privileged user openvpn:openvpn, tunnel works fine on start, but on restart, tunnel fails with SIOCSIFMTU: Operation not permitted
09:15 < plaerzen> reiffert, I like your story
09:22 < prxtien> !configs
09:22 < vpnHelper> prxtien: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:25 -!- polaru__ [n=polaru@93.113.192.70] has joined ##openvpn
09:27 < ecrist> prxtien: the proper way to do that is to run as root, allowing openvpn to su down to an *un*privileged user, such as openvpn
09:27 < prxtien> yes
09:27 < prxtien> thats what i am doing mate
09:27 < prxtien> but when i -HUP it for example
09:27 < prxtien> it crashes out
09:37 -!- polaru_ [n=polaru@193.33.154.198] has quit [Read error: 110 (Connection timed out)]
09:40 < Jason404> does anybody run OpenVPN in a virtual machine?
09:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:48 < ecrist> Jason404: lots of people
09:48 < ecrist> what problems are you having?
09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
09:49 < Jason404> ecrist: none. I was just wondering if there were any potential problems with doing that. Like the routing to the host machine would be fine etc..?
09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:50 < Jason404> ecrist: ...and when using virtual NICs and stuff
09:51 < Jason404> i am new to OpenVPN, so I have not actually set it up yet.
09:51 < Jason404> if there were problems regarding VMs, it would be better to know now, other than trying to figure out why its not working, being new to this
10:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
10:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:17 < MMN-o> Jason404: A NIC that's visible as a "real" NIC (emulated by the host) will work as a real NIC.
10:18 < Jason404> MMN-o: so no issues with virtual NICs? cool thanks
10:35 < dazo> Jason404: just make sure that your firewalling and routing on all your network routers are correct ... and it should work like a charm .... and tcpdump or wireshark will be your best debugging friend
10:37 < Jason404> dazo: okay thanks. I'll make a note of those
10:38 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
10:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:42 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
10:42 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn
10:42 < RUS> hi all
10:48 < RUS> i have installed openvpn on my server. trying to use build-ca script and see error: you must define KEY_DIR
10:48 < RUS> how i can define it ?
10:50 < dazo> RUS: have you remembered to edit the ./vars file .... and done: source ./vars ?
10:51 < RUS> no. not yet.
10:51 < RUS> i must edit ./vars file ?
10:51 < dazo> RUS: that's needed to make those scripts work
10:51 < dazo> RUS: and you do need to source that file first
10:52 < RUS> it must be edited before ./make and ./install ?
10:53 < dazo> RUS: no, just edit it .... do: source ./vars ... in your shell (or . ./vars in some shells) ... and then try ./build-ca
10:53 < RUS> ok , thanks. will try now
11:09 < RUS> i have edited my ./vars file, but when i start ./clean-all i see error again.
11:09 < RUS> all scripts /etc/openvpn/easy-rsa
11:09 < RUS> key dir /etc/openvpn/keys
11:09 < RUS> ./vars file have a string:
11:09 < RUS> xport D=`/etc/openvpn`
11:09 < RUS> but doesn't work.
11:10 < RUS> maybe
11:10 < RUS> when i try ../vars i see permission denied
11:11 < RUS> no
11:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
11:16 < dazo> RUS: you must do vars ... | . ./vars |
11:17 < dazo> RUS: can you please pastebin your ./vars file .... and the errors you get?
11:17 < dazo> RUS: I believe there is also a README file in that dir ... I presume you've looked at that one as well
11:18 < RUS> ../vars is not correct. i have vars file in easy-rsa dir
11:18 < RUS> and i try ./vars then ./clean-all
11:19 < dazo> RUS: ... I do not say ./vars .... I say . ./vars .... do you see the difference?
11:20 < dazo> (in some shells . means the same as: source)
11:20 < RUS> yes
11:20 < RUS> will try
11:20 < RUS> . ./vars
11:20 < RUS> -bash: /etc/openvpn/easy-rsa/: is a directory
11:20 < RUS> NOTE: when you run ./clean-all, I will be doing a rm -rf on /keys
11:22 < RUS> good
11:22 < RUS> that's work after source ./vars
11:22 < RUS> what it mean source ./vars ?
11:24 < dazo> RUS: that means to read and parse and execute the given file, and export all exported variables into the current shell .... man bash might give you a more comprehensive explanation of the 'source' command
11:24 < RUS> thanks dazo
11:26 < dazo> RUS: but I believe you still have something not correct in that ./vars file .... it should give a better response than that on the path to /keys .... unless you tweaked your output here
11:27 < RUS> maybe :)_
11:27 < RUS> but ./clean-all work well
11:27 < RUS> and i have new error
11:27 < RUS> ./build-ca
11:27 < dazo> RUS: okey ... you might now find your key storage on /keys .... on your filesystem
11:27 < RUS> yes
11:28 < RUS> well. there is 2 files
11:28 < RUS> dir
11:28 < RUS> index.txt serial
11:28 < dazo> yes?
11:29 < RUS> yes 11:29 < RUS> and i have new error after ./build-ca 11:29 < RUS> error on line -1 of /openssl.cnf 11:29 < RUS> No such file or directory:bss_file. 11:29 < RUS> much more errors :) 11:29 < dazo> exactly ... as I anticipated .... you have wrong path on KEY_CONFIG in the vars file 11:30 < RUS> hm... 11:30 < RUS> what's wrong there ? 11:30 < dazo> RUS: from the README file .... (please!! read that one) 11:30 < dazo> 3. Set KEY_DIR to point to a directory which will 11:30 < dazo> contain all keys, certificates, etc. This 11:30 < dazo> directory need not exist, and if it does, 11:30 < dazo> it will be deleted with rm -rf, so BE 11:30 < dazo> CAREFUL how you set KEY_DIR. 11:31 < RUS> ok. i go to read 11:31 < RUS> it 11:32 < dazo> sorry ... I mixed point 2 and point 3 .... point 2 covers the error you see ... but still, read all of it ... and you'll be safe 11:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 11:42 -!- polaru__ [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:43 -!- ido-- [n=wtf@212.199.189.65] has joined ##openvpn 11:43 < ecrist> afternoon, bitches 11:44 < ido--> i have a client connected to a server, which has a server 10.10.10.0 255.255.255.0 11:44 < ido--> how can i connect to a different network over that link ? 11:44 < ido--> eg, 192.168.0.X 11:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:45 < ecrist> ido--: !route 11:46 < ido--> yeah, but you could be more specific 11:46 < ido--> if its not too much trouble 11:46 < ido--> i've man'd route already 11:49 < dazo> ido--: that's not the man page .... 11:49 < dazo> !route 11:49 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 11:49 < ido--> you know what i mean 11:50 < dazo> ido--: it's all about setting up the correct routes .... 
and if the server side of openvpn wants to access the network behind the client, the client needs to set iroute ...
11:50 < dazo> ido--: and then it is firewalling ... that's basically all the magic
11:53 < ido--> hrm.
11:53 -!- RUS [n=Mirc@88.214.199.147] has quit [Read error: 113 (No route to host)]
11:53 < ido--> i'm a bit confused about the route
11:53 < ido--> sec
11:53 < ido--> iroute
11:54 < dazo> ido--: see it from the client side .... the client receives a lot of routes .... and then it gets the iroute ... (read it as "I route") ... which means the client will route the given net through the tunnel on request
11:59 < ido--> cool. it worked. thanks
11:59 < ido--> oh wait. it didnt
12:00 < dazo> heh
12:23 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:23 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:27 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:32 < ido--> back. wasn't here
12:33 < ido--> the server sits on a 192.168 lan
12:33 < ido--> and i've added the push command to its conf
12:33 < ido--> the client now routes to 192.168 network. and i can access the server via its 192 ip
12:33 < ido--> however it wont ping other nodes on the network
12:34 < ido--> the proc>>ip_forward is set to 1
12:34 < ido--> what else should i do ?
12:34 < ecrist> ido--: your other machines need to be able to route the VPN subnet back to the VPN server.
12:35 < ido--> oh. right
12:35 < ido--> its not done via masquerading
12:35 < ido--> how do i do that ?
12:35 < ecrist> well, one of two ways
12:35 < ecrist> 1) have your openvpn box be your network gateway (easiest)
12:36 < ecrist> 2) add a static route to your LAN machines for the VPN subnet, routing to the OpenVPN box.
12:36 < ido--> can i add a route net 10.10.x to the openvpn server on the default gateway of the 192.168 network ?
12:36 -!- prufrocks [n=prufrock@CPE001cb3abac8e-CM001e6b227c70.cpe.net.cable.rogers.com] has joined ##openvpn
12:38 < prufrocks> if i'm trying to configure both openvpn and ipsec/l2tp on my server, would each have to provide ip addresses in a different subnet?
12:38 < ecrist> prufrocks: you're missing a lot of data there.
12:38 < prufrocks> ?
12:42 < dazo> ido--: you may try to do that ... but I cannot guarantee that it'll work, I've struggled with that one earlier in life (could be my inexperience at that point, of course).... setting up static routes on those boxes which you want to route that net to, is probably quicker and easier
12:43 < dazo> ido--: or, try static routes first ... and see that it works ... then you can try the other approach, to see if that works for you as well
12:43 < dazo> ido--: and as always .... if you have tcpdump and/or wireshark .... they'll help to see if the routing goes right or not by looking at the different nets you have available
12:44 < ecrist> ido--: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_addstaticroute.mspx?mfr=true
12:54 -!- prufrocks [n=prufrock@CPE001cb3abac8e-CM001e6b227c70.cpe.net.cable.rogers.com] has quit []
12:59 < ido--> dazo, that routing thingy worked.
12:59 < ido--> another question though
12:59 < ido--> running tcpdump on the server shows me this
12:59 < ido--> 21:55:48.206748 IP 10.10.10.6.47429 > HOME.12345: UDP, length 14
12:59 < ido--> 21:55:48.206829 IP HOME > 10.10.10.6: ICMP HOME udp port 12345 unreachable, length 50
12:59 < ido--> that ip is the clients ip
13:00 < dazo> ido--: what do you have on port 12345?
13:00 < ido--> hrm. not sure
13:00 < dazo> ido--: or ... which port do you use for openvpn ?
13:00 < ido--> the server was originally on 12345
13:00 < ido--> then moved it to port 80
13:01 < dazo> ido--: and the 10.10.10.* net is your VPN channel?
13:01 < dazo> ido--: and HOME is the public address of your server at home?
13:01 < ido--> oh wait
13:01 < ido--> sorry, the server is on 12345
13:01 < ido--> its being port forwarded from 80 to 12345
13:02 < ido--> because the server is behind firewall.
13:02 < ido--> HOME is the ovpn server name
13:03 < dazo> ido--: ahh ... which IP range do you use for VPN and at home?
13:03 < dazo> (inside the fw)
13:04 < ido--> 192
13:04 < ido--> 192.168.x
13:11 < ido--> dazo ?
13:12 < dazo> ido--: I don't follow this .... you use 192.168.x at home ... and your VPN tunnel is 10.10.10.x ?
13:12 < ido--> yes
13:13 < dazo> ido--: then I don't understand that traffic at all .... which interface were you listening to when you did that tcpdump? eth0 or tun0/tap0
13:13 < ido--> listening on tun0 on the server
13:14 < ido--> i get this: http://www.pastebin.ca/1316218
13:14 < dazo> ido--: that makes more sense .... then I would check the netstat on your VPN client ... to see which program tries to connect to your server on port 12345 via the tunnel
13:15 < ido--> 3 types of traffic (what i pasted goes in a loop..)
13:15 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 113 (No route to host)]
13:16 < ido--> the traffic on port udp 9442
13:16 < dazo> ido--: yeah ... multicast traffic is one thing, and can be ignored mostly ... and that covers two of the patterns I see
13:16 < ido--> multicast
13:16 < dazo> ido--: are you sure your tunnel works right now?
13:16 < ido--> my tunnel does work..
13:17 < dazo> ido--: do you use --redirect-gateway ?
13:17 < ido--> whats that multicast traffic used for ? who is generating it ?
13:17 < ido--> whats --redirect-gateway ?
13:17 < ido--> I'm not using it
13:18 < dazo> multicast traffic is kind of traffic to all available clients ... and can be used for service broadcast ... like pulseaudio server, ssh services, VNC etc ... to tell other boxes that these services are available ....
in Linux, it's mostly avahi/mDNS which makes use of this
13:18 < ido--> oh wait
13:18 < ido--> its multicast that comes from the server..
13:18 < ido--> hrm. i need to block this
13:18 < ecrist> ljkjksadfladfsjklas;df
13:18 < ido--> no iptables installed. ugh.
13:18 < ido--> ok
13:18 < dazo> ecrist: something is wrong with your rot13 scrambler
13:18 < ido--> i'll deal with that later
13:19 < dazo> ido--: if you don't need such service broadcast ... you can stop the avahi service on the server
13:19 < ido--> back to the port 12345 thingy
13:19 < ido--> openvpn runs on port 12345 tcp, not udp
13:19 < ecrist> ick
13:20 < ecrist> tcp vpn
13:20 < ecrist> why not port 1194?
13:20 < ido--> going through a http proxy..
13:20 < ido--> they allow only port 80
13:20 < ido--> and 443
13:20 < dazo> thats interesting .... just another reason to check netstat on your VPN client ... to see what kind of program is responsible for that
13:21 < dazo> ecrist: I hope you figured he does port forwarding on his router from 80 -> 12345
13:21 < dazo> ido--: but you can use 1194 on the inside without any problem
13:21 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
13:22 < ido--> no hrm
13:23 < ido--> hrm
13:23 < ido--> ok, found out what it was
13:23 < ido--> old instances of openvpn, before i changed config
13:24 < ido--> can i make openvpn run only once ?
(so i wont be able to make two instances like i had now)
13:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:46 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:51 < dazo> ido--: well, afaik, there is no such limitation possibility
13:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
--- Log closed Fri Jan 23 14:32:40 2009
--- Log opened Fri Jan 23 14:55:43 2009
14:55 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:55 -!- Irssi: ##openvpn: Total of 48 nicks [0 ops, 0 halfops, 0 voices, 48 normal]
14:55 -!- Irssi: Join to ##openvpn was synced in 0 secs
14:57 < ricoshady> i have a route that sends all 192.168.109.0 traffic to the tun ptp device 192.168.109.2, but i cant ping the client
14:57 < ricoshady> here are my routes
14:58 < ricoshady> http://pastebin.com/m4f30a8c1
15:02 -!- xattack [i=xattack@132.248.108.239] has quit []
15:05 -!- sparkymakry [n=mark@200.32.232.82] has joined ##openvpn
15:07 < sparkymakry> hi everyone
15:07 < sparkymakry> can someone help me with some setup problems?
15:08 < sparkymakry> I am having problems receiving pings from the server computer..
15:10 < sparkymakry> 15:13:01.148724 IP cleint_IP > server_IP: icmp 64: echo request seq 333
15:10 < sparkymakry> 15:13:01.258164 IP server_IP > client_IP: icmp 64: echo reply seq 333
15:10 < sparkymakry> that is a tcpdump from the client that I'm pinging from to the server.
15:11 < sparkymakry> it says that there was a reply, but ping says no reply
15:11 < sparkymakry> I have the vpn up and working, but just suddenly the connection died.
15:13 < sparkymakry> hello??? anyone here??
15:15 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
15:17 < _Sam--> hey ive been running openvpn for about 3 years now....im currently running 2.0.9.
recently, every few days VPN connections from outside our lan become terribly slow (not related to bandwidth or server resources) and im having a hard time getting them back to speed. what has worked has been restarting openvpn on the server, and letting the clients sit for like 10 minutes....
15:17 < _Sam--> i cant continue to do that -- my employees are hating me now already.....any help in tracking down the problem would be appreciated. ive already used all the standard tools like logging, tcpdump, checked firewalls, etc etc etc.
15:17 < _Sam--> like i said, its been running fine for 3 years, until the past month.
15:18 < ecrist> something changed
15:18 < _Sam--> i wish that were the case, sincerely.
15:18 < _Sam--> what has changed in that time, has been that we've added a few more remote clients.
15:18 < _Sam--> but as i stated, im positive its not bandwidth related.
15:19 < _Sam--> or resources related.
15:19 < ecrist> how many clients, total?
15:19 < _Sam--> actively connected to VPN or certs issued?
15:20 < ecrist> actively connected
15:20 < _Sam--> small number, maybe 10 MAX.
15:20 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
15:20 < ecrist> the 'sitting for 10 minutes' thing doesn't make sense.
15:21 < ecrist> udp?
15:21 < _Sam--> yes, udp.
15:21 < ecrist> you live in Canada?
15:21 < _Sam--> no i dont, im close to philadelphia, USA
15:21 < ecrist> sounds like bandwidth throttling.
15:21 < _Sam--> its not. ive taken down the entire firewall.
15:21 < _Sam--> no shaping or rules.
15:22 < ecrist> on the ISP side, not yours
15:22 < _Sam--> if that were the case, then it would still be fast when i go over the internal network to the external VPN port....but that is slow too.
15:22 < _Sam--> LAN--> WAN port
15:22 < _Sam--> not on internet, different NIC, same box.
15:22 < ecrist> udp is used for bittorrent, different ports, but it's become common for ISPs to send RST packets to throttle down connections.
15:23 < ecrist> _Sam--: then you may have a hardware problem with your VPN server
15:23 < _Sam--> other connections out the same NIC, non VPN, work at full speed fine.
15:23 < _Sam--> its definitely related explicitly and specifically to my openvpn.
15:23 < _Sam--> but i cant figure out how or why.
15:23 < ecrist> then something changed.
15:23 < ecrist> code doesn't just 'stop working'
15:24 < _Sam--> my config hadnt changed since like late 07. the server itself was also compiled in 2007.
15:24 < _Sam--> so while i appreciate your theory, i respectfully disagree.
15:24 < ecrist> so, upgrade to 2.1rc15 and see if that fixes your problem.
15:25 < sparkymakry> I have very little experience, but had a similar one - ended up that my wireless link was unstable, and openVPN is much more sensitive to out of sequence packets
15:25 < _Sam--> i may do that. id be more interested in trying any solutions or answers that may fix my current problem. id be willing to pay, because its that important, and because ive done all the diagnostics i can do.
15:25 < ecrist> and, regardless what you think, code doesn't just stop working. something else is the culprit. maybe you updated a linked library, or you've got an intermittent memory problem.
15:26 < ecrist> _Sam--: either 1) try a different piece of hardware, or 2) try 2.1rc15
15:26 < _Sam--> k. ive already swapped out the switch that NIC is connected to.
15:26 < ecrist> no, try a different server
15:27 < _Sam--> yeah i could also do that, im sure. but that would require reconfiguring all my clients.
15:27 < ecrist> no it wouldn't
15:27 < _Sam--> i guess not, now that i think.
15:27 < ecrist> you seem unwilling to accept my knowledgeable advice...
15:27 < _Sam--> i would have to reconfigure the clients to connect to the new host.
15:27 < ecrist> no you wouldn't
15:27 < _Sam--> unless i did some port forwarding on the old host
15:28 < _Sam--> tell me what you're thinking
15:28 < ecrist> put the new host in place of the old one
15:28 < ecrist> pretty simple concept
15:28 < _Sam--> oh if you are talking about replacing our production server...thats not feasible. its expensive, reliable, and relatively new.
15:28 < _Sam--> i was talking about moving the openvpn service to a diff. server
15:29 < ecrist> during tcpdump, did you see any rejects on your end? what did you see?
15:29 < _Sam--> no rejects, nothing funny...just a LONG delay between for example when i would click on http items, and when data would start moving either on screen or via tcpdump.
15:30 < ecrist> ok, so to rule in/out openvpn server process, move it to another host.
15:31 < _Sam--> yeah i already have openvpn server setup on another box. but tell me exactly what i am trying to see or determine. i already know that if i connect to this other vpn server, that my data works fine.
15:31 < _Sam--> same version of openvpn.
15:31 < _Sam--> same client and server configs.
15:32 < ecrist> well you seem convinced it's the openvpn process.
15:32 < ecrist> change it.
15:32 < _Sam--> alright. in order to update to the RC15 version, no changes to any configs?
15:33 < ecrist> nope
15:33 < _Sam--> thank you very sincerely for your time and knowledge. though i seem like a know it all attitude, its very much appreciated.
15:33 < ecrist> uh huh
15:34 < sparkymakry> ecrist, did you read my messages before?
15:34 < sparkymakry> about
15:34 < sparkymakry> [15:16] 15:13:01.148724 IP cleint_IP > server_IP: icmp 64: echo request seq 333
15:34 < sparkymakry> [15:16] 15:13:01.258164 IP server_IP > client_IP: icmp 64: echo reply seq 333
15:34 < sparkymakry> [15:17] that is a tcpdump from the client that I'm pinging from to the server.
15:35 < ecrist> sparkymakry: what's your problem?
15:35 < sparkymakry> I know this is not specifically openvpn, or can you direct me to another channel?
15:35 < sparkymakry> that's the output of tcpdump, but ping still says no response
15:35 < sparkymakry> vpn will not connect
15:36 < ecrist> !logs
15:36 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6
15:36 < sparkymakry> messages log?
15:36 < sparkymakry> i'm a newb to linux
15:36 < ecrist> openvpn log files
15:36 < sparkymakry> OK, will try get that..
15:37 < sparkymakry> thanks
15:37 < _Sam--> ecrist : if making from source (my last bin was a debian package)....a simple configure with no options will make what i need?
15:37 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
15:37 < ecrist> should, yes
15:37 < ricoshady> how come when I flashed the router with openvpn it didnt reset everything?
15:37 < _Sam--> krzie: i dont know what options the debian package may have used.
15:37 < _Sam--> damn nick completion.
15:37 < _Sam--> thanks.
15:38 < ecrist> ricoshady: no idea what you're talking about
15:38 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has left ##openvpn []
15:38 < _Sam--> sounds like WRT54 question
15:38 < ecrist> I know, wanted him to say that.
15:38 < ecrist> so I could tell him to join another channel
15:38 < _Sam--> fair enough, tough love!
15:41 -!- sparkymakry [n=mark@200.32.232.82] has quit [Read error: 104 (Connection reset by peer)]
15:41 * ecrist goes away
15:42 -!- sparkymakry [n=mark@200.32.232.82] has joined ##openvpn
15:48 < _Sam--> ecrist : feel free to throw a 'told ya so' out there. i put the new openvpn bin in place, and same thing. however, if i let the clients sit for 10 minutes, they will come back fast!
15:51 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
16:24 < ecrist> _Sam--: I'm guessing either ISP bandwidth throttling, or hardware/memory issue.
16:27 < sparkymakry> Does this mean that there is traffic between vpn?
16:27 < sparkymakry> Fri Jan 23 16:24:34 2009 us=628069 UDPv4 WRITE [116] to server_IP:1194: DATA len=116
16:27 < sparkymakry> Fri Jan 23 16:25:20 2009 us=742595 TUN READ [74]
16:27 < sparkymakry> Fri Jan 23 16:25:20 2009 us=742917 UDPv4 WRITE [116] to server_IP:1194: DATA len=116
16:27 < sparkymakry> Fri Jan 23 16:25:34 2009 us=623274 TUN READ [74]
16:27 < sparkymakry> Fri Jan 23 16:25:34 2009 us=623520 UDPv4 WRITE [116] to server_IP:1194: DATA len=116
16:28 < ecrist> can you ping the VPN server? are there any firewalls in between the client and vpn server?
16:28 < sparkymakry> actually I can't even ping the vpn ip addresses
16:28 < ecrist> start there.
16:28 < sparkymakry> there is a firewall, but 1194 is open, and also pings give replies
16:29 < sparkymakry> actually pings do not give replies from a to b
16:29 < sparkymakry> but I'm at location c, and I can nicely ping a and b
16:29 < ecrist> read !route
16:31 < sparkymakry> the problem I have is not vpn related at all
16:32 < sparkymakry> I don't know where else to post this though, -- if you can direct me to another channel
16:32 < ecrist> read !route
16:32 < sparkymakry> server side
16:32 < sparkymakry> 192.168.111.2 * 255.255.255.255 UH 0 0 0 tun0
16:32 < sparkymakry> 200.32.230.32 * 255.255.255.248 U 0 0 0 eth0
16:32 < sparkymakry> 192.168.2.0 * 255.255.255.0 U 0 0 0 tun0
16:32 < sparkymakry> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
16:32 < sparkymakry> default span-access-dsl 0.0.0.0 UG 0 0 0 eth0
16:33 < ecrist> sparkymakry: did you go read the link available in !route?
16:33 < sparkymakry> client side
16:33 < sparkymakry> sorry, I don't know what you mean
16:33 < ecrist> !route
16:33 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:33 < ecrist> follow that link, read it
16:34 < sparkymakry> but I can't even ping from a to b public to public ip address
16:34 < sparkymakry> so it's before vpn problems
16:34 < ecrist> then you have other issues
16:35 < ecrist> this isn't ##fix-all-my-network-issues
16:36 -!- easymac [i=uminac@users.easymac.org] has joined ##openvpn
16:36 < sparkymakry> I know.
16:37 < sparkymakry> I'm just totally stumped as to what I can do
16:37 < sparkymakry> will look for other channel maybe
16:37 < easymac> hey guys, i've got an issue with assigning static ips to clients, error says i'm misusing the ifconfig-push command. i've tried ifconfig-push ip subnet and i've tried ifconfig-push ip router-ip
16:37 < easymac> the error remains with both
16:38 < easymac> Options error: Unrecognized option or missing parameter(s) in ccd/uminac:1: ipconfig-push (2.0.6)
16:39 < _Sam--> ecrist :thank you again for all of your time and wisdom. you have finally convinced me of that which you first said -- it aint openvpn or its binary. thanks again.
16:39 < ecrist> first, upgrade to 2.0.9, next read the howto page, read the section on controlling access based on cn
16:39 < ecrist> _Sam--: np
16:43 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has left ##openvpn []
16:45 < easymac> oh, 2.0.9 is required? why the hell is the FreeBSD port so far behind?
16:45 < easymac> heh
16:45 < ecrist> easymac: 2.0.9 isn't required, but it's recommended
16:45 < ecrist> 2.0.6 on freebsd works OK.
16:45 < ecrist> and, if you're on FreeBSD, read my writeup
16:45 < ecrist> !freebsd
16:45 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
16:45 < easymac> yea, it works fine..
and i've read the howtos
16:47 < easymac> cool, i'll give that a read, but it doesn't appear to show an example of what i'm trying to do, only what i've successfully done. i do like your ssl admin thing though
16:47 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
16:47 < easymac> that looks nifty
16:48 < _Sam--> ecrist : i asked #apache this same thing, but being as that you are all-knowing, i figure its worth a shot....
16:48 < _Sam--> hey all im having an unusual problem where apache is terribly slow over a single interface , our VPN ip. the box has maybe 3-4 different ips that apache listens on...wan, lan, vpn, etc....but only the VPN apache connections are terribly slow to return data....
16:48 < _Sam--> we've been running both the same vpn and apache versions for quite some time, and this problem has just arisen recently, with no changes in any config, hardware, or server software.
16:49 < ecrist> could it be faulty hardware? (and, I'm not all-knowing)
16:49 < _Sam--> if it were hardware or memory, one would expect to see symptoms arising in other places besides just the one thing.
16:50 < _Sam--> not saying that you're not correct, just seems that it would manifest itself in more ways.
16:50 < ecrist> seems to me it's arisen in both VPN and apache.
16:50 < easymac> heh
16:50 < _Sam--> i think more accurately, it seems to be EITHER vpn OR apache. and in my research and testing, i have proven its not VPN.
16:50 < _Sam--> i can move data from vpn host to vpn host just fine.
16:50 < _Sam--> just only when i try over http , no go.
16:51 < _Sam--> the same box, http over non-vpn -- same content, same pages...loads faster than fast.
16:51 < _Sam--> http over vpn...same content, same box, same apache, same pages....slower than slow.
16:52 < ecrist> _Sam--: in that case, during the request, watch the filesystem.
16:52 < ecrist> you could be running into raid errors, or other problems.
16:52 < _Sam--> it does run hardware raid, but there is nothing shown or reported as wrong in any logs.
16:52 < _Sam--> and its reading the SAME DATA....whether over vpn or non vpn
16:53 < _Sam--> but when it reads the files over vpn http...SLOW
16:53 < _Sam--> so that last theory of yours doesnt seem to hold.
16:53 < _Sam--> if it were filesystem...anytime the file was needed to be accessed, a problem would occur.
16:53 < _Sam--> im accessing it fine over non vpn.
16:53 < ecrist> _Sam--: check your MTU, then.
16:54 < ecrist> there's a config option in OpenVPN, --test-mtu or something
16:54 < ecrist> !mtu
16:54 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
16:54 < _Sam--> ive already done much testing with many of those parameters: #tun-mtu 1500
16:54 < _Sam--> #tun-mtu-extra 32
16:54 < _Sam--> #fragment 1450
16:54 < _Sam--> #mssfix 1450
16:55 < _Sam--> no apparent effect.
16:58 < _Sam--> i could tell you even more stuff that would only confuse and cloud things further. its really frustrating and confusing.
17:05 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
17:08 < zoredache> are there any things I should watch out for when I am trying to run 2 openvpn server daemons with different settings on a single machine?
17:11 < zoredache> for example, can I share the subnet that I have provided on my 'server 10.n.n.n' between two daemons?
17:13 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
17:14 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
17:26 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit ["Leaving"]
17:44 -!- sparkymakry [n=mark@200.32.232.82] has quit [Remote closed the connection]
17:46 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
17:48 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn
17:54 -!- bigjohnto is now known as bigjohnto_away
18:01 -!- thei0s [n=G0D@stud247204.studentenheim.uni-tuebingen.de] has joined ##openvpn
18:05 < thei0s> hi, can someone point me to the openvpn protocol specification?
18:08 < thei0s> (the udp and tcp version, because there seems to be an incompatible difference that disallows simply "forwarding/redirecting" tcp packets to udp)
18:14 < zoredache> how would you forward something from tcp to udp....
18:19 < thei0s> listen on tcp and send everything over a udp socket and vice versa
18:28 < ricoshady> so I finally got my vpn up, I can ping the server from client, and client from server. the vpn is on 10.4.4.0 and my local lan is 10.4.5.0. the vpn is also the gateway for the lan
18:28 < ricoshady> how do I connect them?
18:28 < ricoshady> so I can ping my local lan from the vpn client
18:30 < zoredache> !route
18:30 < vpnHelper> zoredache: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
18:32 < ricoshady> i know ive read that im still having problems...
18:32 < ricoshady> cause that is more complicated than I need I think
18:39 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
18:40 < ricoshady> im pushing the route to the client saying route all lan traffic thru the vpn... do I need anything else cause i still cant get thru
18:43 < zoredache> it doesn't seem like you should need anything more...
But then i don't really know
18:46 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit [Read error: 104 (Connection reset by peer)]
19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:09 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)]
19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:32 < ecrist> thei0s: you can't do that
19:33 < thei0s> am.. I can, but the openvpn ignores such packets (no replies) :)
19:34 < thei0s> therefore I am asking if there exists a document with the openvpn protocol specification that I could look at to see if it is really not compatible or I just need to manipulate the contents a little to make it work
19:41 < ecrist> check the mailing list
19:57 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:02 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:20 -!- Gray9Mar_ [i=surf___@gateway/tor/x-612f0b46517ee086] has joined ##openvpn
20:20 -!- Gray9Mar [i=surf___@gateway/tor/x-fcbf8d33a0e756f7] has quit [Remote closed the connection]
20:20 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx]
has quit [Read error: 104 (Connection reset by peer)]
20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:40 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
20:46 -!- thei0s [n=G0D@stud247204.studentenheim.uni-tuebingen.de] has quit ["Leaving."]
20:49 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
20:52 -!- Gray9Mar_ [i=surf___@gateway/tor/x-612f0b46517ee086] has quit [Remote closed the connection]
20:59 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit ["leaving"]
21:17 -!- ledoktre [n=ledoktre@67.224.62.214] has quit []
21:17 -!- Gray9Mar [i=surf___@gateway/tor/x-eaa4803bcbd3ac27] has joined ##openvpn
21:57 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["[BX] Reserve your copy of BitchX-1.1-final for the Atari 2600 today!"]
22:01 -!- onats [n=onats@122.53.131.243] has joined ##openvpn
22:03 < onats> !sampleconfig
22:03 < vpnHelper> onats: Error: "sampleconfig" is not a valid command.
22:03 < onats> !configs
22:03 < vpnHelper> onats: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:04 < onats> what's the shortcut for krzie's sampleconfig again?
23:05 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn
23:06 < ricoshady> can someone here help me with firewalls/routing?
23:07 < ricoshady> i cant get my vpn client to talk to the local lan.
23:17 < ricoshady> basically the vpn clients are on 10.4.4.0 and the local lan is 10.4.5.0.
I pushed a route to the client in order to move traffic from the lan to vpn
23:35 -!- Seb [n=Seb@untangle/dev/seb] has joined ##openvpn
23:35 < Seb> hi fellows
23:36 < Seb> so, if my client is doing "redirect-gateway def1", but also dropping privileges, then I can't expect to have the static route removed from my routing table after I stop openvpn ?
23:37 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sat Jan 24 2009
00:12 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has joined ##openvpn
00:15 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
00:18 * tjz swim in
00:55 -!- iamamoron [n=Miranda@210.238.181.187] has joined ##openvpn
00:55 < iamamoron> hi there
00:55 < iamamoron> how can i migrate all my certs in my new server?
00:55 < iamamoron> any ideaS?
00:58 < iamamoron> ?
02:27 < tjz> is there a newsletter which give us immediate update when there is a new beta/release
02:50 < onats> youreamoron, you can just copy the certs right?
03:32 -!- gallatin [n=gallatin@dslb-092-072-072-233.pools.arcor-ip.net] has joined ##OpenVPN
03:37 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
03:44 -!- mcp [n=mcp@wolk-project.de] has quit ["ZNC - http://znc.sourceforge.net"]
04:08 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 145 (Connection timed out)]
04:23 -!- iamamoron [n=Miranda@210.238.181.187] has quit [Read error: 54 (Connection reset by peer)]
04:42 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn
04:42 < ricoshady> hello
05:10 -!- altus-dominus [n=altus-do@87-194-76-27.bethere.co.uk] has joined ##openvpn
05:10 < altus-dominus> hey guys
05:11 < altus-dominus> I been having some issues with openvpn recently, when i run openvpn --config myfile.ovpn i get this error msg
05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008
05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 Error opening file lwadmin.p12 (OpenSSL)
05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 Exiting
05:11 < altus-dominus> any ideas ?
05:47 -!- Gray9Mar [i=surf___@gateway/tor/x-eaa4803bcbd3ac27] has quit [Remote closed the connection]
05:54 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:59 -!- Gray9Mar [i=surf___@gateway/tor/x-df17f843eaf70aab] has joined ##openvpn
06:09 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
06:09 -!- Gray9Mar [i=surf___@gateway/tor/x-df17f843eaf70aab] has quit [Remote closed the connection]
06:17 -!- Gray9Mar [i=surf___@gateway/tor/x-8f3f538ae12f59ed] has joined ##openvpn
06:36 -!- gallatin [n=gallatin@dslb-092-072-072-233.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
07:27 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
07:44 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
09:28 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:16 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has joined ##openvpn
10:17 < Jason404> i am having problems in making an SSL cert
10:17 < Jason404> been following these instructions;
10:17 < Jason404> http://www.freebsddiary.org/openvpn-easy-rsa.php
10:17 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org)
10:18 < Jason404> but i am using Windows x64, so I had to change the HOME directory in the vars batch file
10:18 < Jason404> then I ran vars
10:18 < Jason404> no feedback
10:19 < Jason404> ah, i just realised that I did not run it in the CD
10:24 < Jason404> no, still an error
10:24 < Jason404> about openssl.cnf not being found in usr
10:25 < Jason404> but it does not say anything about making that file before running build-ca
10:25 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
10:25 < Jason404> is there a similar step by step available anywhere for Windows?
10:26 -!- ozirus [n=Furkan@81.214.150.105] has joined ##openvpn 10:32 -!- ozirus [n=Furkan@81.214.150.105] has quit ["Kopete 0.12.7 : http://kopete.kde.org"] 10:37 < Jason404> oh what?? Is OpenVPN even supported on Win x64 ??? 10:39 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn 10:42 -!- joelsolanki [i=joelsola@123.237.173.217] has quit [Client Quit] 10:43 -!- joel-reachxnetwo [i=joelsola@123.237.173.217] has joined ##openvpn 10:44 -!- joel-reachxnetwo [i=joelsola@123.237.173.217] has left ##openvpn [] 10:44 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn 10:44 -!- muxpux [n=muxpux@soup.capital-today.net] has quit ["Lost terminal"] 10:53 < Jason404> ok. i found this: http://www.runpcrun.com/howtoopenvpn 10:53 < vpnHelper> Title: OpenVPN Windows HowTo | IT Support London - runPCrun (at www.runpcrun.com) 10:54 < Jason404> you could have told me about that earlier bot 10:54 < Jason404> what is the point of this bot if it just shows you links you have just mentioned? 10:57 < jpalmer> Jason404: too many people on IRC toss random links out, with no explanation of what it is. the bot grabs the title, so you can determine if it's of interest. 10:58 < Jason404> ah ok. makes sense 10:58 < jpalmer> example: I IRC from work, and don't follow random links, because I don't want porn, or objectionable material popping up. 10:58 < Jason404> of course 10:59 < Jason404> http://www.google.com 10:59 < vpnHelper> Title: Google (at www.google.com) 10:59 < Jason404> ic. it works with any link 11:01 -!- joelsolanki [i=joelsola@123.237.173.217] has quit [] 11:22 < ecrist> Jason404: that bot doesn't just tell you page titles for links 11:22 < ecrist> it's got shortcuts to various information we have to shell out to nearly everyone that joins this channel 11:23 < Jason404> ic. i have only seen it give link titles, and I thought it was working on keywords that it found in the URLs 11:24 < Jason404> and then gives out the exact same link by coincidence 11:24 < Jason404> that link I found makes setting up openvpn a lot easier 11:25 < Jason404> uses the GUI 11:41 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn 11:41 < joelsolanki> !route 11:41 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 11:43 -!- Dopefish [i=dopefish@unaffiliated/imk] has joined ##openvpn 11:49 -!- Dopefish [i=dopefish@unaffiliated/imk] has left ##openvpn [] 11:50 -!- Seb [n=Seb@untangle/dev/seb] has left ##openvpn [] 11:53 -!- joelsolanki [i=joelsola@123.237.173.217] has quit [] 12:00 -!- sasimo [n=simonovi@dslb-084-058-191-003.pools.arcor-ip.net] has joined ##openvpn 12:01 < sasimo> hello 12:01 < sasimo> does someone know if openvpn can also communicate with a nortel router directly? 
12:08 -!- sasimo [n=simonovi@dslb-084-058-191-003.pools.arcor-ip.net] has left ##openvpn [] 13:32 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 13:45 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:00 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has quit ["Spare me some sleep, please."] 14:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:51 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 17:07 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 17:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 17:51 -!- Bushmills [n=nl@verhau.de] has quit [Read error: 60 (Operation timed out)] 17:52 -!- Bushmills [n=nnl@verhau.de] has joined ##openvpn 19:01 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 19:33 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 19:39 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 20:09 -!- MRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 20:10 -!- MRCUTEO is now known as mRCUTEO 20:12 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has joined ##openvpn 20:12 < mRCUTEO> hiya all 20:12 < mRCUTEO> happy chinese new year 20:13 < sasimo> hi everyone. in the listings the only answer is that openvpn can set up a preshared key. do i have an option to set a preshared key myself, which will then be put in the key file? 20:13 < onats> kiong hi huat chai! 20:14 < mRCUTEO> :) onats 20:19 < sasimo> someone alive? 
20:29 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has left ##openvpn [] 20:41 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 110 (Connection timed out)] 20:41 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has joined ##openvpn 20:42 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)] 20:51 -!- Gray9Mar_ [i=surf___@gateway/tor/x-ae0c356c0091c7fa] has joined ##openvpn 20:52 -!- Gray9Mar [i=surf___@gateway/tor/x-8f3f538ae12f59ed] has quit [Remote closed the connection] 20:56 -!- onats_ [n=onats@122.53.136.244] has joined ##openvpn 20:59 -!- blk_ice [n=devnull@bas8-montreal02-1096627565.dsl.bell.ca] has quit [] 20:59 < dvl> your mom! 21:04 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has left ##openvpn [] 21:18 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 21:41 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)] 21:41 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn 22:15 -!- zoredache_ [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn 22:26 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 110 (Connection timed out)] 22:47 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn 22:48 -!- zoredache_ [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)] 22:59 < reiffert> no, your mom! 23:24 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 23:24 < joelsolanki> HI all 23:24 < joelsolanki> how much traffic will openvpn support 23:25 < joelsolanki> i want to know is it possible to have 10 Mbps traffic to be passing thru openvpn server and openvpn client ? 
23:25 < joelsolanki> for us bandwidth is not an issue but will openvpn accept 10 mbps traffic without any problem ? 23:26 < joelsolanki> any suggestions / recommendation ? 23:33 -!- frankS2 [n=frank@ti500720a080-4450.bb.online.no] has joined ##openvpn 23:33 < frankS2> Sun Jan 25 06:35:42 2009 VERIFY ERROR: depth=1, error=certificate is not yet valid 23:33 < frankS2> anyone know how i can fix this? 23:41 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 23:46 < onats_> !dbf 23:46 < vpnHelper> onats_: Error: "dbf" is not a valid command. 23:56 < frankS2> Certificate is to be certified until Jan 23 05:59:51 2019 GMT (3650 days) 23:56 < frankS2> WTF! 23:56 < frankS2> i want it certified now --- Day changed Sun Jan 25 2009 00:03 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 01:00 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has joined ##openvpn 02:42 < MMN-o> frankS2: You will have to sign a new one, 02:43 < MMN-o> But "until" means that it will _be_ certified including now _until_ that date. 02:44 < MMN-o> ...urr. I hope. I'm not sure on the exact terminology of openssl's messages 02:45 < MMN-o> In either case, openssl can print certificate sign- and expiration date 02:45 < MMN-o> frankS2: But most important, double-check your local time. Preferably keep it synchronized with ntp. 
02:48 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 02:50 < MMN-o> Anyway, counting 2019-01-23 minus 3650 days would be correct (jan 25 2009) according to your log timestamp 03:18 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)] 03:23 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 03:35 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:48 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 05:20 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 104 (Connection reset by peer)] 05:21 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn 05:21 < MMN-o> bah 05:33 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)] 06:35 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 06:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 07:47 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 08:53 < tjz> anyone using mac os w/ tunnelblick to connect to openvpn server? 08:58 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 09:01 < tjz> anyone using mac os w/ tunnelblick to connect to openvpn server? 09:03 < aar0n> tjz: yeah 09:03 < tjz> Hello aaron 09:04 < aar0n> tjz: hi 09:04 < tjz> we will copy the .ca and the .ovpn files to library > openvpn 09:04 < tjz> and we are ready to connect , right? 09:05 < aar0n> .ovpn files are for the windows client, tunnelblick will use them also ... 09:06 < aar0n> you will also need the cs the dhXXXX.pem 09:06 < aar0n> cs == ca (sry) 09:06 < aar0n> and of course the certificate 09:06 < tjz> ok 09:06 < tjz> looks good 09:07 < tjz> i have the same files copied to the config directory for windows xp system 09:07 < tjz> works fine. 
09:07 < aar0n> tjz: also be sure that the file path in the .conf or .ovpn is relative to the config file 09:07 < tjz> ah 09:07 < tjz> you are right, aaron 09:07 < tjz> what is the path for mac os? 09:08 < tjz> i am using ca "C:\\Program Files\\OpenVPN\\config\\ca.crt" for windows xp 09:08 < aar0n> tjz: tunnelblick will use the path of the .ovpn | .conf file as a relative base ... 09:08 < tjz> oh 09:08 < tjz> so.. 09:08 < tjz> i will use: 09:08 < tjz> ca ca.crt 09:08 < tjz> am i right? 09:08 < aar0n> yes if the ca and the conf are both in ~/Library/openvpn/ 09:08 < tjz> ok 09:08 < tjz> let me try 09:09 < tjz> should i put : 09:09 < tjz> ca "ca.crt" 09:09 < tjz> or 09:09 < tjz> ca ca.crt 09:09 < aar0n> that doesnt matter 09:09 < tjz> ok 09:10 < aar0n> but it's generally a good idea to put the certs and the ca in a subfolder so that you have something like ca SUBFOLDER/ca.crt in the conf, that comes in handy if you have more than one openvpn server to connect to and need to add more ca.crt files to the directory 09:12 < tjz> ok 09:23 -!- altus-dominus [n=altus-do@87-194-76-27.bethere.co.uk] has left ##openvpn ["Leaving"] 09:50 -!- aar0n is now known as aar0n_away 10:02 -!- El_Presidente [i=Martin@p5798F46F.dip.t-dialin.net] has joined ##openvpn 10:02 < El_Presidente> hi 10:09 < ecrist> hi 10:11 < El_Presidente> ecrist, you remember my vpn problems? i set up a linux system 10:11 < El_Presidente> with an openvpn server on the router 10:12 < El_Presidente> server config: http://pastebin.com/m1b310221 10:12 < El_Presidente> firewall script: http://pastebin.com/m3977f879 10:12 < ecrist> El_Presidente: I don't remember your specific problems, though I think I remember you. 
10:13 < El_Presidente> kk 10:13 < El_Presidente> tcpdump: http://pastebin.com/m67ce1b88 10:13 < El_Presidente> right now my vpn clients dont get an ip address from my local dhcp server 10:14 < El_Presidente> dhcpd config 10:14 < El_Presidente> http://pastebin.com/m39951496 10:14 < El_Presidente> the tunnel seems to be up 10:15 < ecrist> ok, what's your problem? 10:16 < El_Presidente> 1st the vpn clients dont get an IP address 10:17 < ecrist> why are you using tcp? 10:17 < El_Presidente> shall i use udp? 10:18 < ecrist> it is ideal. I'm sure you've been told that before. 10:18 < El_Presidente> well they told me that it's not important 10:18 < ecrist> also, what makes you think, from looking at your server config, your clients would get an IP? 10:18 < ecrist> who told you that? 10:18 < ecrist> that has never been said in here, by anyone knowledgeable. 10:18 < El_Presidente> someone here in the chat 10:19 < ecrist> !tcp 10:19 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 10:19 < El_Presidente> okay ty 10:19 < ecrist> to my other question, why do you think you should be getting an IP on the VPN? 10:19 < El_Presidente> i followed the howto for bridging 10:20 < El_Presidente> http://openvpn.net/faq.html#bridge-addressing 10:20 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net) 10:20 < ecrist> well, the line that would assign an IP to vpn clients is commented out in the config you posted. 10:20 < El_Presidente> and did the second variant 10:20 < El_Presidente> because first did not work 10:20 < El_Presidente> and i find the second variant more appealing 10:21 < ecrist> what's more appealing? 10:22 < El_Presidente> that my local dhcp distributed the ip addresses 10:22 < El_Presidente> to the vpn 10:22 < ecrist> you want to use your LAN dhcp server 10:22 < ecrist> OK 10:22 < El_Presidente> yes 10:22 < ecrist> do you have your bridge built? 
10:23 < El_Presidente> yes 10:23 < El_Presidente> with bridge-start 10:23 < El_Presidente> i changed the script according to my needs 10:23 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn 10:23 < joelsolanki> Hi friends 10:23 < joelsolanki> hey ecrist :) 10:24 < joelsolanki> how are you ? 10:24 < El_Presidente> hello joelsolanki 10:24 < joelsolanki> Hi E1 10:24 < joelsolanki> just wanted to know can i have a vpn client to connect to 2 different vpn server. vpn clien is windows based sysem. 10:24 < joelsolanki> system 10:25 < El_Presidente> joelsolanki, create 2 tap devices 10:25 < El_Presidente> and 2 client configs 10:25 < joelsolanki> ok so same openvpn installation will take care of 2 client configs right ? 10:26 < El_Presidente> ecrist, http://pastebin.com/m50e9104 bridge-start 10:27 < ecrist> sorry, gotta go. 10:28 < El_Presidente> okay ty 10:28 -!- onats_ [n=onats@122.53.136.244] has quit [Remote closed the connection] 10:30 -!- aar0n_away is now known as aar0n 10:33 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has quit ["Spare me some sleep, please."] 11:22 -!- joelsolanki [i=joelsola@123.237.173.217] has left ##openvpn [] 11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:52 -!- mcp [n=mcp@wolk-project.de] has quit [Remote closed the connection] 11:52 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal] 11:53 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 11:59 -!- emcepe [n=mcp@wolk-project.de] has joined ##openvpn 11:59 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)] 12:00 -!- emcepe is now known as mcp 12:07 -!- deh [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has joined ##openvpn 12:18 -!- deh_ [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has joined ##openvpn 12:18 -!- deh_ [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has quit ["Konversation terminated!"] 12:30 -!- ozirus [n=Furkan@81.214.150.105] has joined ##openvpn 12:41 < ozirus> how can i provide a "vpn connection time expire" thing. say, our client books the vpn connection for 1 hour and when 1 hour finishes, the server kills the client's vpn connection. (ps: i'm trying to create an e-learning system) 12:44 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn 12:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:59 < El_Presidente> i still have a problem with the assigning of the default gateway in my openvpn client 12:59 < El_Presidente> http://pastebin.com/m29c1a193 13:00 < El_Presidente> server config: http://pastebin.com/m1b310221 13:00 < El_Presidente> client : http://pastebin.com/m4b763acc 13:00 < El_Presidente> any suggestions? 13:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:17 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn 13:19 < _Sam--> hi, i have 2 hosts, A (openvpn server) and B (windows openvpngui). they are connected over WAN (public internet). when pinging/mtr/traceroute/whatever from either host in either direction OUTSIDE the vpn, there is no packet loss, latency or connection quality issue of any kind. when i do the same test to the vpn ip of both hosts, i end up with major packet loss and latency as soon as data starts to move over the vpn connection 13:20 < RUS> !configs 13:20 < vpnHelper> RUS: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:21 < _Sam--> thank you...just a min or two. 13:23 < ecrist> _Sam--: did you rule out hardware problems? 13:24 < _Sam--> ecrist : no i havent. 13:24 < _Sam--> but the problems are only occurring, over the vpn. 
13:24 < _Sam--> here is the server 13:24 < _Sam--> port 1194 13:24 < _Sam--> proto udp 13:24 < _Sam--> dev tap 13:24 < _Sam--> ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt 13:24 < _Sam--> cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt 13:24 < _Sam--> key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key 13:24 < _Sam--> dh dh1024.pem 13:24 < _Sam--> ifconfig-pool-persist ipp.txt 13:24 < _Sam--> server-bridge 10.8.0.50 255.255.255.0 10.8.0.51 10.8.0.100 13:24 < ecrist> _Sam--: pastebin 13:24 < _Sam--> client-to-client 13:24 < _Sam--> keepalive 10 120 13:24 < _Sam--> comp-lzo 13:24 < _Sam--> persist-key 13:24 < _Sam--> status openvpn-status.log 13:24 -!- mode/##openvpn [+o ecrist] by ChanServ 13:24 < _Sam--> log-append openvpn.log 13:24 -!- mode/##openvpn [+b *!*n=sam@*.kneedraggers.com] by ecrist 13:25 -!- mode/##openvpn [-o ecrist] by ecrist 13:25 < RUS> hi all 13:25 < RUS> what am i doing wrong? i did it with the HOWTO installation guide, but have an error. 13:25 < RUS> openvpn /etc/openvpn/server.conf Sat Jan 24 15:55:01 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Jan 22 2009 13:25 < RUS> Sat Jan 24 15:55:01 2009 Diffie-Hellman initialized with 1024 bit key 13:25 < RUS> Sat Jan 24 15:55:01 2009 Cannot load certificate file /etc/openvpn/easy-rsa/keys/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib 13:25 < RUS> Sat Jan 24 15:55:01 2009 Exiting 13:26 < ecrist> RUS: pastebin, please 13:26 < RUS> bin ? 13:26 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has left ##openvpn [] 13:26 < ecrist> RUS pastebin.com 13:26 < RUS> hm nice. wait plz 13:27 < RUS> http://pastebin.com/m10a97cb 13:27 < ecrist> but, it doesn't matter, as your server.crt file doesn't exist, or is in an incorrect format 13:27 < RUS> ecrist that file is ecsist. 13:27 < RUS> exist 13:27 < RUS> maybe its now PEM _ LIB ? 13:27 < RUS> where can i find and install it? 
13:28 < RUS> now = no 13:28 -!- mode/##openvpn [+o ecrist] by ChanServ 13:28 -!- mode/##openvpn [-b *!*n=sam@*.kneedraggers.com] by ecrist 13:28 -!- mode/##openvpn [-o ecrist] by ecrist 13:28 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn 13:28 < _Sam--> sincere apologies to everyone for my mistake. im not a retard, just sometimes. 13:28 < ecrist> RUS, read through the following document, see if there are steps you missed. 13:28 < ecrist> !freebsd 13:28 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:29 < RUS> !freebsd 13:29 < vpnHelper> RUS: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:29 < RUS> !centos 13:29 < vpnHelper> RUS: Error: "centos" is not a valid command. 13:29 < ecrist> RUS, read the link under freebsd. 13:29 < _Sam--> this is my current server.conf http://pastebin.com/me2786ae 13:30 < ecrist> it's only mildly OS-specific 13:30 < ecrist> _Sam--: as I mentioned the other day, either you have a hardware/processor problem, or you have an ISP who's throttling your udp connections 13:30 < ecrist> why are you messing with mtu? 13:31 < _Sam--> because i was seeing if it had any noticeable difference if i tried adjusting it. 13:31 < _Sam--> it did seem to help a little. 13:31 < ecrist> have you looked at the mtu testing built in to openvpn? 13:31 < ecrist> !mtu 13:31 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 13:32 < _Sam--> if i could also give just a few more details , if i traceroute/ping/mtr to other hosts on the vpn i dont have packet loss, and data flows fine. but to the one particular host which is the vpn server, packet loss occurs. 13:33 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 13:33 < ecrist> so, pings between clients aren't affected? 13:33 < ecrist> or one client? 
13:34 < _Sam--> ecrist : the former. pings, data, packet loss, all perfect between and among all other hosts on the vpn, except for if one of those hosts is the vpn server. 13:36 < _Sam--> i dunno. i have to think you are correct and maybe i am just seeing anomalies in the external network out of my control. but it just doesnt seem it. 13:36 < _Sam--> like you said, isp throttling UDP, prob. 13:37 < _Sam--> its odd that they would do that to our connection after having the same connectivity with them for 4 years, and having had the vpn fine for the last 2.5 13:37 < ecrist> udp throttling is a recent addition to ISP networks. 13:38 < _Sam--> that makes sense, cause i remember some network disruption in december when their router was down, at least the one we connect to. maybe they upgraded. 13:38 < ecrist> have you tried switching to TCP, to see if it mitigates your problem? 13:39 < _Sam--> no i havent...but i might do that now. if it does in fact fix it, what is the easiest way to fix the configs of the remote clients? 13:40 < ecrist> ship a new config to your clients and have them install it. 13:40 < ecrist> read !tcp for more info on TCP, though 13:40 < El_Presidente> ecrist, wb 13:40 < _Sam--> yeah. put it on our external site, have them grab it...could be worse. 13:40 < _Sam--> !tcp 13:40 < vpnHelper> _Sam--: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 13:42 < _Sam--> thank you again for mostly your patience with me, and also your advice, as always. 13:42 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 13:47 < _Sam--> you are RIGHT again. the vpn packet loss and latency only happens between certain routes, and certain ISPs. 13:49 < _Sam--> do some people run 2 different servers listening on both tcp and udp at the same time? 13:49 < ecrist> it can be done, I don't know of anyone who's doing it. 
13:50 < _Sam--> while i may sound a bit crazy, i spent a lot of time tracking down this particular problem. it would be cool to maybe compile a list of known throttlers. 13:50 < _Sam--> in my case, its verizon fios. 13:51 < _Sam--> i have to do some more research to confirm 100% its them. 13:56 < _Sam--> might you have any suggestion for if i wanted to run another process listening on TCP just to test with, so i dont have to disrupt the other actively connected folks? will it complain that its already running? 13:56 < ecrist> different protocol, shouldn't complain. 14:01 < El_Presidente> ecrist, can you please take a look at my second post? 14:02 < El_Presidente> i still have a problem with the assigning of the default gateway in my openvpn client 14:02 < El_Presidente> http://pastebin.com/m29c1a193 14:02 < El_Presidente> server config: http://pastebin.com/m1b310221 14:02 < El_Presidente> client : http://pastebin.com/m4b763acc 14:02 < El_Presidente> i was able to get dhcp working 14:03 < ecrist> El_Presidente: did you read the logfile? 14:03 < ecrist> it tells you what you're missing... 14:04 < ecrist> Sun Jan 25 17:20:06 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing 14:05 -!- frankS2 [n=frank@ti500720a080-4450.bb.online.no] has quit [Read error: 145 (Connection timed out)] 14:24 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has joined ##openvpn 14:26 < El_Presidente> ecrist, yes but i supply it ... 
14:26 < El_Presidente> in the server config 14:26 < El_Presidente> push " redirect gateway def1 14:26 < El_Presidente> " 14:27 < El_Presidente> ecrist, and i followed the howtos and they say just the 2 options are needed 14:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:30 < El_Presidente> ecrist, http://openvpn.net/index.php/documentation/howto.html#redirect 14:30 < vpnHelper> Title: HOWTO (at openvpn.net) 14:36 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:42 < ecrist> El_Presidente: look up --route-gateway in the howto 14:43 < El_Presidente> i did 14:43 < ecrist> go here: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html 14:43 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 14:43 < ecrist> search the page for --route-gateway 14:44 * ecrist goes away 14:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 14:54 -!- RUS [n=Mirc@88.214.199.147] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"] 15:41 -!- ozirus [n=Furkan@81.214.150.105] has left ##openvpn ["Kopete 0.12.7 : http://kopete.kde.org"] 16:01 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 16:02 -!- Plecebo [n=larry@64.62.119.142] has joined ##openvpn 16:05 < Plecebo> I'm using bridge mode and am having trouble pinging other computers on my local network from my client. 16:06 < Plecebo> example: vpn server ip: 192.168.16.55 non vpn machine ip: 192.168.16.5 vpn client ip: 192.168.16.200 16:07 < Plecebo> from the client I can not ping 192.168.16.5 16:07 < Plecebo> I'm connecting ok though (or so the status messages indicate) 16:14 < _Sam--> ecrist : thanks again. tcp is 0% packet loss, all fine. but i wouldnt go so far to say its definitely verizon fios hassling the UDP, im not sure exactly who. 16:14 < _Sam--> but its definitely something UDP related. 
16:15 < _Sam--> maybe with this economy, more torrents flowin. dunno! 16:35 < deh> Noob at openvpn. I can ping my server via a client on another machine on the lan; a friend can ping via internet from his house. However, when one pings it appears to lock out the other, and we can't ping each other. Does this make sense? 16:40 < _Sam--> i really dont know much about that kind of stuff, but it might be that both you and your friend are using the same certificate, and maybe even are assigned the same vpn ip....and the vpn server may not know how to route the packets. 16:40 < _Sam--> like i said, i dont know a lot, though. 16:42 < deh> Sam: The certificates are definitely different, but it does look like they are being assigned the same vpn ip. Not sure how to correct the latter. 16:43 < _Sam--> well, i believe it would depend on your config, whether you are bridging or not. 16:43 < _Sam--> but there's a setting to assign IPs, and which to assign. 16:46 < deh> Sam: It is set up for routing, i.e. tun 16:47 < _Sam--> well, you would either have some line like this: server 10.8.0.0 255.255.255.0 16:47 < _Sam--> or, server-bridge 10.8.0.50 255.255.255.0 10.8.0.51 10.8.0.100 16:47 < _Sam--> but prob. not both. 16:47 < _Sam--> therein are the ips for assignment 16:53 < deh> Sam: Thanks for the thoughts. I have to break for dinner. Here is my line in the server config file 'server 10.143.15.0 255.255.255.0'. Maybe it has to do with my connecting to the server from the lan. 16:54 < _Sam--> there are also some settings that tell it to remember your ip based on certificate, and assign it to you again. 
17:01 -!- zoredache_ [n=zoredach@c-76-121-86-209.hsd1.wa.comcast.net] has joined ##openvpn 17:01 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)] 17:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 17:24 -!- El_Presidente [i=Martin@p5798F46F.dip.t-dialin.net] has quit ["Verlassend"] 17:47 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 18:08 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["BitchX: the ONLY three day cure!"] 18:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 18:16 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has quit [Connection timed out] 18:23 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 18:38 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:40 -!- deh [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has quit ["Leaving"] 18:49 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has joined ##openvpn 18:54 < frankS2> Sun Jan 25 19:58:00 2009 WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.255.255.0] and remote VPN [10.0.0.0/255.255.255.0] 18:54 < frankS2> what does this mean? 19:32 < aar0n> frankS2: that your physical local lan network addresses / netmask might collide with the vpn's internet network addresses / netmask 19:34 < frankS2> aar0n, thank you - I have another question for you if that's ok 19:34 < frankS2> aar0n, when i connect to my VPN (tun0 gets up good with ip address and all (192.168.0.5, gw is 192.168.0.1) i am not able to ping 192.168.0.1 19:35 < frankS2> 192.168.0.0/24 is VPN 19:35 < frankS2> Internal network is 10.0.0.0/24 19:36 < aar0n> frankS2: mhh the gateway shouldn't be 192.168.0.1 unless you really want this ... have you checked iptables on the server's tun0 interface ? 
19:37 < aar0n> it must accept INPUT and OUTPUT of traffic 19:37 < frankS2> it should work.. i run pfsense 19:37 < frankS2> with the vpn package 19:37 < frankS2> and i followed the manual of pfsense 19:37 < aar0n> frankS2: i don't know it ... maybe you find a pfsense irc channel 19:38 < aar0n> frankS2: the openvpn howto on openvpn.org is also a good resource 19:39 < frankS2> aar0n, ok thank you 20:10 -!- QuiescentW [n=Quiescen@c-68-56-237-254.hsd1.fl.comcast.net] has joined ##openvpn 20:11 < QuiescentW> i'm having problems with openvpn. once i get connected to my server i can't get on the internet locally 20:12 < QuiescentW> until i bring tap0 down 20:12 < aar0n> QuiescentW: make sure that the networks do not overlap 20:13 < QuiescentW> my local network is 192.168.1.0 and the openvpn server is on network 192.168.56.0 20:18 < QuiescentW> hmm 20:18 < QuiescentW> something is completely borked 20:18 < QuiescentW> even after it's disconnected now i can't get online 20:18 < QuiescentW> well 20:18 < QuiescentW> i can't resolve any ips 20:19 < aar0n> make sure the netmask is both 24 bit 20:19 < aar0n> eg. 255.255.255.0 20:22 < QuiescentW> they are 20:22 < aar0n> are you pushing any routes, dns server or other options in the ccd or config file 20:23 < QuiescentW> do i need this bridge no 20:23 < QuiescentW> ... i mean, no 20:24 < QuiescentW> do i need this server-bridge line in here if I just use brctl to add tap0 to the lan bridge on my openvpn server? 
20:25 < QuiescentW> i manually added tap0 on the server into a bridge and when i connect with the client i get a dhcp address outside the range of what is defined with server-bridge in the config file 20:25 < QuiescentW> i tried with that line commented out and not 20:26 < QuiescentW> still i get the same thing where i can't access the internet once i'm connected 20:26 < QuiescentW> i'll pastebin my configs 20:30 < QuiescentW> server: http://pastebin.com/f7c63ddbf client: http://pastebin.com/f3d2bac7c 20:30 < QuiescentW> the server is running on openwrt, i've been manually adding tap0 to the br-lan bridge 20:31 < QuiescentW> then connecting the client 20:31 < QuiescentW> and doing sudo ifconfig tap0 up; sudo dhclient tap0 20:31 < QuiescentW> then my internet breaks 20:31 < QuiescentW> the firewall on the server is completely off and it's connected directly to a modem 20:32 < QuiescentW> and i can't ping my local gateway or the gateway over the vpn 20:34 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 20:39 < aar0n> QuiescentW: sry, would love to help ... but i'm too tired right now ... i'm going to bed 20:40 < QuiescentW> thanks anyway 20:48 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit ["Read error: Connection reset by peer"] 20:51 -!- Gray9Mar [i=surf___@gateway/tor/x-d77b429510f9d885] has joined ##openvpn 21:00 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has quit [Read error: 60 (Operation timed out)] 21:01 -!- Gray9Mar_ [i=surf___@gateway/tor/x-ae0c356c0091c7fa] has quit [Remote closed the connection] 21:01 -!- frankS2 [n=frank@ti500720a080-0043.bb.online.no] has joined ##openvpn 21:38 -!- Plecebo [n=larry@64.62.119.142] has quit [Remote closed the connection] 21:57 -!- easymac [i=uminac@users.easymac.org] has left ##openvpn [] 22:19 -!- zoredache_ is now known as zoredache 22:55 < QuiescentW> does openvpn run the bridge-start and bridge-stop scripts or do i need to do that manually? 
22:57 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:58 < onats> hi
23:59 -!- QuiescentW [n=Quiescen@c-68-56-237-254.hsd1.fl.comcast.net] has quit ["Leaving"]
--- Day changed Mon Jan 26 2009
00:08 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
00:08 < joelsolanki> hey guys
00:08 < joelsolanki> can tcpwrappers give trouble for connecting openvpn from client machine
00:08 < joelsolanki> my friend has ubuntu 8.0.4 but vpn is not working
00:09 < joelsolanki> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
00:09 < joelsolanki> this error i receive on server side.
00:09 < joelsolanki> but the same keys work on windows xp
00:09 < joelsolanki> and even on other linux machine
00:09 < joelsolanki> so does /etc/hosts.allow come in picture for openvpn connecting ?
01:05 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
02:13 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 101 (Network is unreachable)]
02:21 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
02:21 < joelsolanki> hello anybody around?
02:22 < joelsolanki> from last 3 to 4 days my friend is facing problem in openvpn on ubuntu 8.0.4
02:22 < joelsolanki> so for checking perfectly i installed ubuntu 8.0.4 on my test machine.
02:22 < joelsolanki> installed openvpn and kept the keys and stuff but i also see it is not working.
02:23 < reiffert> joelsolanki: answer is no, /etc/hosts.allow on the client machine is not responsible.
02:23 < joelsolanki> yes it doesnt seem to be tcp wrappers issue.
02:23 < joelsolanki> it is something different.
02:24 < joelsolanki> ca.cert client.conf joel_vista.cert joel_vista.csr joel_vista.key files are working on my redhat and debian os
02:24 < joelsolanki> but today i installed ubuntu 8.0.4 and copied all these files and started openvpn but it gives error.
02:24 < reiffert> !iptables
02:24 < vpnHelper> reiffert: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
02:25 < joelsolanki> iptables input,output,forward are all set to ACCEPT as default policy
02:25 < joelsolanki> so no firewall
02:25 < joelsolanki> let me pastebin the output in verb 6
02:26 < reiffert> ACCEPT and empty?
02:26 < joelsolanki> yes all is set to ACCEPT and there are no firewall rules
02:27 < joelsolanki> http://pastebin.ca/1318393
02:27 < joelsolanki> this is the output of client machine
02:28 < joelsolanki> this is the output of server machine http://pastebin.ca/1318394
02:28 < joelsolanki> see if you find something.
02:30 < reiffert> You mixed up the certificate stuff. See
02:30 < reiffert> !howto
02:30 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:30 < joelsolanki> can you explain me ?
02:30 < reiffert> !configs
02:30 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:31 < joelsolanki> ok 1 sec
02:31 < joelsolanki> http://pastebin.ca/1318395
02:31 < joelsolanki> this is the client config
02:32 < joelsolanki> on my vpn server there are already 4 to 5 users connected.
02:32 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has left ##openvpn []
02:32 < joelsolanki> maybe i have missed something on client config
02:34 < joelsolanki> these same files (ca.cert, client.conf, joel_vista.cert, joel_vista.csr, joel_vista.key) i kept on debian OS before and it connected. same with fedora 5
02:34 < joelsolanki> but on ubuntu 8.0.4 it didn't work.
02:34 < joelsolanki> not able to understand what is causing problem.
02:35 < joelsolanki> reiffert: still do you think it is certificate stuff ?
02:36 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
02:37 < joelsolanki> reiffert: you there ?
03:07 < cyberjames> /wi/wind6
03:07 < cyberjames> ops
03:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:53 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
05:02 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
05:21 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
05:22 < c64zottel> hello,
05:22 < c64zottel> is it possible that the user automatically gets a ticket from a kerberos server when he logs in via OpenVPN?
05:25 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
06:08 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:11 < dazo> c64zottel: I don't know ... but it's an interesting approach .... if you have user/auth authentication enabled in OpenVPN ... you could probably manage to write a script which does the authentication and then issues a request for a ticket ... BUT ... I don't think it will work, since that ticket will only be valid on the OpenVPN server, it will not be "exported" to the client, afaik
06:12 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [Client Quit]
06:24 -!- brain0 [n=brain0@archlinux/developer/brain0] has joined ##openvpn
06:24 < brain0> hi
06:24 < brain0> what ways are there to reduce openvpn server memory usage?
06:25 -!- skx [i=skx@unaffiliated/skx] has joined ##openvpn
06:26 < brain0> with one connected client, it uses almost 7MB of memory, which is pretty much if you have 16MB memory
06:27 < brain0> will the memory usage be reduced with --max-clients 1 or with --mode p2p instead of --mode server? (and will I be able to use push-directives in --mode p2p?)
06:27 < skx> Hello, I would like to set up openvpn tunnel to a computer at home, which does not have public ip address (nor can I forward any ports). However I can create an ssh tunnel to the appropriate port -- can openvpn work in this configuration?
06:29 < brain0> this is my configuration: http://pastebin.com/d503bb027 but I only connect rarely and only with one client, so if there is anything I can do to reduce memory usage, I'd really appreciate it :)
06:29 < dazo> skx: yes, OpenVPN can work as long as you can get access to it via Internet
06:29 < skx> dazo, and ssh tunnel will do?
06:30 < dazo> skx: How is it that you can ssh to the box? if you can SSH to your box ... it's the same for openvpn, just different port numbers
06:30 < skx> it's called reverse ssh tunnel iirc
06:30 < skx> I can ssh to the box by routing this connection through another machine
06:30 < dazo> skx: ahh ... that explains
06:31 < dazo> skx: I've not tried openvpn over ssh tunnel .... it requires openvpn to be in TCP mode ... in theory this should work .... but how well it will work, regarding throughput, I have no idea
06:32 < skx> ok, thanks, will try that then
06:33 < dazo> skx: be aware that you might need to have a closer look on the MTU parameters for this to work as well ... you might need to decrease the MTU values to make it work as well
06:33 < skx> MTU and tcp mode
06:33 < skx> ok
06:33 < skx> I'll probably be back anyway
06:34 < dazo> skx: and since you have the traffic encrypted via SSH first ... I would probably consider not to use encryption in OpenVPN, or a weak one, to avoid CPU time spent on trying to encrypt and compress encrypted data
06:34 < dazo> skx: but if you are paranoid and want to be 100% sure the data transfer is safe .... use double layer encryption too :)
06:35 < skx> but only traffic between the routing machine and my home box is encrypted
06:35 < dazo> skx: oh true ... good point
06:35 < skx> traffic from my laptop to the routing machine would be in plain text
06:35 < dazo> skx: I thought that this ssh server was on a local network of yours
06:56 < c64zottel> dazo, thx, at least now i know that i understand the stuff right
06:57 < dazo> c64zottel: np! :)
07:02 < c64zottel> but its possible to run a script if openvpn authenticated successfully, so this could be the script to authenticate against kerberos, but, how can i distribute the credentials to it?
07:06 < dazo> c64zottel: well, I was only thinking about the server side ... I don't know how this could work on the client side ... if you use something like --up scripts or similar
07:06 < ecrist> morning, bitches
07:07 < c64zottel> mornich christ
07:07 * ecrist looks around for christ
07:07 * dazo do not acknowledge ecrist as christ .... not before I've seen some miracles ....
07:08 < dazo> c64zottel: but I don't think there are any mechanisms in krb to distribute the credentials .... but I don't know krb so well
07:08 < c64zottel> dazo, right
07:08 < c64zottel> morning, main-bitch
07:11 < ecrist> dazo, I can turn wine into pee...
07:11 < dazo> ecrist: heh ... so can I :-P
07:46 -!- Sir_J [n=Sir_J@86.57.159.207] has joined ##openvpn
07:51 < plaerzen> morning irc
07:55 < ecrist> good morning, plaerzen
07:56 < plaerzen> how was your weekend?
07:56 < ecrist> cold.
07:56 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Pagautas
07:56 < ecrist> played a lot of rock band and sat around the house.
07:56 -!- Netsplit over, joins: Pagautas
07:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
08:11 < plaerzen> ecrist, yeah, it's been cold here too.
08:12 < plaerzen> ecrist, But, up here, if you hate the cold, you're living in the wrong city. I woke the sun on sunday morning with my cajoling.
08:24 -!- brain0 [n=brain0@archlinux/developer/brain0] has quit ["leaving"]
08:35 -!- Sir_J_ [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
08:35 -!- Sir_J [n=Sir_J@86.57.159.207] has quit [Read error: 131 (Connection reset by peer)]
08:38 < ecrist> plaerzen: where's 'up here'?
08:39 < plaerzen> calgary, canada
08:39 < plaerzen> ecrist,
08:55 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
09:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:56 < ecrist> lol: http://www.i-hacked.com/content/view/274/1/
09:57 < vpnHelper> Title: I-Hacked.com Taking Advantage Of Technology - Inside Programmable Road Signs (at www.i-hacked.com)
09:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:04 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn
10:04 < muxpux> hi..this is my network support
10:04 < muxpux> like
10:05 < muxpux> we have a router/modem
10:05 < muxpux> under it got a server dmzed
10:05 < muxpux> openvpn server running on it
10:07 < muxpux> so the server got private i[
10:07 < muxpux> ip
10:07 < muxpux> so can i use bridged vpn on that server
10:07 < muxpux> ?
10:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:23 < ecrist> sure, why not?
10:28 -!- frankS2 [n=frank@ti500720a080-0043.bb.online.no] has quit [Read error: 60 (Operation timed out)]
10:30 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
10:30 < mmcgrath> I've got a client that keeps reconnecting to our vpn server. When I ping it (via vpn) it gets about 50% packet loss over time. When I ping it directly (not over vpn) I get 0% packet loss.
10:30 < mmcgrath> the logs on both servers don't really show much but I am seeing:
10:30 < mmcgrath> SIGUSR1[soft,ping-restart] received, process restarting
10:31 < mmcgrath> which almost, to me anyway, implies that something is restarting vpn.
10:31 < ecrist> mmcgrath: tcp or udp?
10:31 < mmcgrath> udp
10:31 < mmcgrath> I used iperf to test udp traffic between the two. I didn't see any errors though it wasn't as fast as I'd thought.
10:31 < dazo> mmcgrath: could it be some mtu issues?
10:32 < mmcgrath> It could be. I've got lots of servers on this LAN (both the client and server are on a LAN) but this is the only host I'm seeing it on.
10:32 < dazo> mmcgrath: which versions (openvpn) are you using on server and client?
10:33 < mmcgrath> openvpn-2.1-0.29.rc15.el5
10:33 < mmcgrath> both
10:33 < mmcgrath> one other thing I've considered is that another host accidentally has this host's certs and is trying to connect as it.
10:33 < dazo> mmcgrath: that should be very fine ... I'm running a similar setup myself, without issues ... even though I haven't benchmarked it yet ... as it seems to be reliable enough
10:34 < mmcgrath> but I thought that would show up in the server logs.
10:34 < dazo> mmcgrath: yeah, that should pop up in logs
10:34 < dazo> mmcgrath: tls enabled? ... or only shared static.key?
10:35 < mmcgrath> tls
10:35 < mmcgrath> is the "SIGUSR1[soft,ping-restart]" entirely generated by openvpn?
10:36 < dazo> mmcgrath: this is really odd ... I'd try a few different mtu values .... to see if that could be the reason
10:36 < mmcgrath> k
10:36 < dazo> mmcgrath: yeah, SIGUSR1 is internally in the openvpn process .... unless you have a third-party application doing kill -USR1 .... or something playing with the management interface, if that's enabled
10:38 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 110 (Connection timed out)]
10:39 < mmcgrath> OH!
10:39 < mmcgrath> interesting.
10:39 * dazo gets curious now ...
10:39 < mmcgrath> I missed it earlier. I have two tun devices up right now, tun0 and tun1. Both with the vpn IP address.
10:39 * mmcgrath wonders why both of those are up.
10:40 < dazo> both with the same IP addresses?
10:40 < mmcgrath> yeah, its almost as if two openvpn procs are running
10:40 < mmcgrath> and yes, right now two of them actually are running. Most curious.
10:41 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
10:42 < dazo> mmcgrath: that can cause such "ping-restart" requests yes ... if one of the processes doesn't get the expected response in time
10:43 < mmcgrath> Yeah, it looks like one is just up and running (from like 3 weeks ago or so) and the other one keeps restarting.
10:43 < mmcgrath> I ended up killing the old one and everything is fine now. I'm trying to go through my logs to see what might have caused it.
10:49 -!- Gray9Mar_ [i=surf___@gateway/tor/x-78139b99659002fc] has joined ##openvpn
11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:20 -!- Sir_J_ [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
11:35 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
11:39 -!- Gray9Mar [i=surf___@gateway/tor/x-d77b429510f9d885] has quit [Remote closed the connection]
11:46 -!- Gray9Mar_ [i=surf___@gateway/tor/x-78139b99659002fc] has quit [Remote closed the connection]
11:48 -!- Gray9Mar [i=surf___@gateway/tor/x-67a3d6bd480f8baf] has joined ##openvpn
11:48 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
11:48 < joelsolanki> Good morning guys
11:49 < joelsolanki> i have a strange problem in openvpn.
11:49 < joelsolanki> .key .csr .cert ca.cert all are working well on redhat and debian linux
11:49 < joelsolanki> but all the same stuff on ubuntu 8.0.4 is giving error
11:50 < joelsolanki> let me pastebin the client output of syslog.
11:51 < joelsolanki> http://pastebin.ca/1318736
11:51 < dazo> joelsolanki: the problem is not openvpn ... it's ubuntu :-P
11:51 < joelsolanki> that is what i thought. but i just really dont know how to figure it out.
11:52 < joelsolanki> i have tried my best to solve but no luck.
11:52 < joelsolanki> iptables firewall is OFF. tcpwrappers is OFF.
11:52 < dazo> joelsolanki: install Fedora? :-P
11:52 < joelsolanki> there is no other vpn software on ubuntu too.
11:52 < joelsolanki> naah. i cant do that :(
11:52 < dazo> joelsolanki: well seriously .... the problem is here: VERIFY X509NAME ERROR: /CN=lakefront.countersnipe.com, must be lakefront.countersnipe.com
11:53 < joelsolanki> what is that problem ?
11:53 < dazo> joelsolanki: it's a mismatch between certificate and expected hostname .... are you using tls-verify?
11:54 < dazo> joelsolanki: sorry ... tls-remote
11:54 < joelsolanki> yes this is client.conf http://pastebin.ca/1318739
11:54 < joelsolanki> and it seems it is set perfect in client.conf. take a look at pastebin abov
11:54 < joelsolanki> above
11:56 < dazo> joelsolanki: okey ... I'm guessing the Subject field in your certificate has become screwed up somehow .... Try to create a new certificate ... it's failing on the certificate validation
11:57 < dazo> joelsolanki: the log you sent ... was that from server or client?
11:57 < joelsolanki> log is from client
11:57 < joelsolanki> man i created more than 4 certificates. all are failing.
11:58 < joelsolanki> :)
11:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Success]
11:58 < dazo> joelsolanki: aha .... okey ... which openvpn and openssl version are you using?
11:58 < joelsolanki> let me check
12:01 < dazo> joelsolanki: also check one thing with your certificate .... can you share the result of this command line? -> openssl x509 -noout -subject -in {certfile}
12:01 < dazo> Just to check that the cert looks reasonable
12:02 < joelsolanki> openssl Version: 0.9.8g-4ubuntu3
12:02 < joelsolanki> openvpn Version: 2.1~rc7-1ubuntu3
12:03 < joelsolanki> ok let me see
12:03 < dazo> joelsolanki: both your client cert and the ca.cert
12:04 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit ["Leaving."]
12:04 < joelsolanki> client is subject= /CN=delhi
12:04 < joelsolanki> server is subject= /CN=CounterSnipe openvpn CA
12:04 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
12:05 < dazo> joelsolanki: and what about the ca.cert ?
12:05 < dazo> joelsolanki: it should be 3 certificates ... client, server and ca
12:05 < boneybastard> Keep getting Connection Refused (code=111)
12:05 < boneybastard> http://paste.debian.net/26965/
12:05 < joelsolanki> honeybastard: same with me :)
12:06 < boneybastard> thought it was the firewall at first but the ports are forwarded, outgoing udp is allowed
12:06 < boneybastard> and tun0 accepts traffic
12:06 < boneybastard> joelsolanki any success ?
12:06 < aar0n> hi
12:06 < aar0n> i have a strange problem
12:07 < joelsolanki> i gave you client and ca.cert
12:07 < joelsolanki> i m looking for server file. dazo
12:07 < dazo> joelsolanki: just take the ca.cert which you point at in the client config
12:07 < joelsolanki> dazo: what would be file name
12:08 < joelsolanki> oh k
12:08 < aar0n> i have 2 openwrt routers one running an openvpn server one is running an openvpn client ... they both bridge tap0 to the bridge ... until recently this setup gave both networks a transparent connection - but now i can only ping from one side of the network to the other ... the other way around the icmp packets never find the destination
12:08 < joelsolanki> subject= /CN=CounterSnipe openvpn CA
12:08 < joelsolanki> dazo: same results
12:09 < dazo> boneybastard: for me it seems like you might block outgoing traffic on your server .... missing a -m state --state RELATED,ESTABLISHED -j ACCEPT rule in output?
12:09 < dazo> joelsolanki: that's the problem .... openvpn expects lakefront.countersnipe.com ... not CounterSnipe openvpn CA ....
12:09 < boneybastard> hm, its going over udp which is stateless
12:10 < boneybastard> -m state --state RELATED, ESTABLISHED still needed?
12:11 < dazo> joelsolanki: I'm afraid to say, that you most probably should try to setup your CA once again .... create CA key and cert, then create server.key and server.crt ... and then client.key and client.crt .... common_name on server and client must be their hostnames .... common_name for CA can be whatever else
12:12 < joelsolanki> dazo: how come it works in redhat and debian ?
12:12 < joelsolanki> ok
12:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
12:12 < dazo> boneybastard: I would expect so, yes .... and if that's not the case .... the traffic is blocked on the client .... again, typical state issue
12:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:13 < boneybastard> ill snoop around a little, thanks for the help dazo
12:13 < dazo> joelsolanki: that's a good question ... you can try that openssl command on those boxes as well and see what they say .... because I would actually expect this to fail as well
12:13 < dazo> boneybastard: np!
12:13 < joelsolanki> ok let me check
12:14 < joelsolanki> it says same result subject= /CN=CounterSnipe openvpn CA
12:14 < joelsolanki> then it should fail on redhat too
12:14 < dazo> and your client config also says tls-remote?
12:14 < joelsolanki> you want to see the log of redhat ?
12:14 < joelsolanki> yes
12:14 < dazo> please
12:15 < dazo> and config
12:15 < joelsolanki> ok let me do
12:15 < dazo> this is really odd ...
12:17 < joelsolanki> http://pastebin.ca/1318749
12:17 < joelsolanki> take a look
12:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
12:19 < joelsolanki> sorry verb 6 is not active. let me do and send you logs again
12:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:21 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
12:21 < donavan> !route
12:21 < vpnHelper> donavan: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:21 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)]
12:22 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Client Quit]
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY OK: depth=1, /CN=CounterSnipe_openvpn_CA
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY X509NAME OK: /CN=lakefront.countersnipe.com
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY OK: depth=0, /CN=lakefront.countersnipe.com
12:22 < joelsolanki> this shows in client
12:22 < boneybastard> dazo nah, -m state --state ESTABLISHED,RELATED -j ACCEPT didnt do the job ;(
12:22 < dazo> joelsolanki: ahh ... I might have missed one thing in the client log ....
12:23 * dazo double checks
12:23 < joelsolanki> what ?
12:24 < dazo> joelsolanki: okey ... you are using the same certificate for server and ca on your server most probably ... or you have a mixture here ...
12:25 < dazo> joelsolanki: and most probably you have managed to flip certs around so it is correct on your RH boxes
12:25 < joelsolanki> ok
12:25 < joelsolanki> it even works on windows xp
12:25 < dazo> joelsolanki: make sure that the ca.cert file is the same on all boxes ... and named as ca.cert ..... the server.cert should be unique/different from ca.cert on ... and only on the server
12:26 < dazo> joelsolanki: and the clients should only have ca.cert and its own client.cert
12:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:26 < joelsolanki> yes thats what it is
12:26 < dazo> joelsolanki: you have perfect match on the ca.cert in Ubuntu as well .... but it fails on validating the server cert
12:26 < joelsolanki> this is not the single box.
12:27 * dazo don't follow
12:27 < dazo> not single box?
12:27 < joelsolanki> my friend was having problem on ubuntu 8.0.4 so i thought he might be doing mistake but then i installed ubuntu on my test machine but it happened same to me so i was shocked
12:27 < dazo> this gets even more fun
12:27 < joelsolanki> :)
12:28 < joelsolanki> do you use ubuntu ?
12:28 < dazo> joelsolanki: where and when have you created the certificates? On ubuntu/debian ?
12:28 < joelsolanki> debian
12:28 < dazo> joelsolanki: unfortunately, I have one ubuntu box .... will upgrade it when I get time to Fedora 10
12:29 < dazo> joelsolanki: was that before or after this nasty openssl exploit last year?
12:29 < joelsolanki> i think before
12:29 < dazo> joelsolanki: that might be the reason .... you have a vulnerable SSL certificate in that case .... and ubuntu and newer debian clients have checks for this ....
12:30 < joelsolanki> ahh but i installed debian 4 also and it worked on it.
12:30 < dazo> joelsolanki: the openssl bug corrupted the random generator .... so you can easily create a "fake" certificate which will easily be replaced
12:30 < joelsolanki> hmm
12:30 < dazo> debian 4 ... how old/new is that one?
12:31 < joelsolanki> i downloaded before 1 onth
12:31 < joelsolanki> month
12:31 < dazo> that box is safe .... but your ssl certs might be at risk
12:32 < joelsolanki> will upgrading openssl fix the problem ?
12:32 < dazo> I know ubuntu have hacked the openssl library afterhand ... if the certificate is one of x number of known hashes, it will reject any usage of that one
12:32 < joelsolanki> oh
12:32 < dazo> joelsolanki: openssl is fixed .... but your certificates might have the wrong hashes ....
12:32 < joelsolanki> hmm
12:33 < dazo> I might be wrong again here ... but I just have seen such issues as well
12:33 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
12:33 < joelsolanki> i understand
12:33 * dazo had generated ssl certs on ubuntu with this error and needed to recreate a lot of certificates and ssh keys
12:40 -!- bny [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
12:43 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal]
12:44 -!- Gray9Mar [i=surf___@gateway/tor/x-67a3d6bd480f8baf] has quit [Remote closed the connection]
12:46 -!- Gray9Mar [i=surf___@gateway/tor/x-1d2bf26543040c15] has joined ##openvpn
12:46 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit [Read error: 104 (Connection reset by peer)]
12:47 -!- joelsolanki [i=joelsola@123.237.173.217] has quit []
13:17 < bny> is there any openvpn switch i can use to specify which outgoing IP address it should use?
13:20 < dazo> bny: nafaik :( ... it will listen to all interfaces (server mode) and it will take the suitable one in client mode, depending on IP address
13:20 < bny> crap :E
13:21 < bny> i have 2 external IPs on the same ethernet port
13:21 < dazo> bny: you can probably hack this around with some NAT rules ....
13:21 < bny> clients connect to one of the IPs but get replies from the other IP, hence dropping the packets
13:21 < bny> yea i can probably SNAT outgoing traffic on port 1194
13:22 < dazo> bny: that sounds like misconfig of the DNAT actually ....
13:22 < dazo> bny: using iptables?
13:24 < bny> yup
13:24 < bny> hm are u sure that snat isnt supposed to be used?
13:26 < bny> dazo wanna help me define the rules?
13:26 < dazo> bny: if you are doing port natting on your firewall/entry point ... you'll need to use DNAT in the PREROUTING chain .... --to-destination :
13:26 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:26 < bny> only been using iptables for a week or so :(
13:26 < dazo> bny: np! :)
13:26 < bny> sweet :)
13:27 < dazo> bny: you seem to do pretty well, if this tricky thing is what you're fighting against now :)
13:27 < bny> hehe yea it took quite a while to figure it out i must say
13:28 < dazo> bny: well, but when you've gone through that ... the rest will go like a breeze :)
13:28 < bny> check this out: iptables -t nat -A PREROUTING -p udp -d $MIP (one of the ext interfaces) --dport 1194 -j DNAT --to 192.168.200.1:1194
13:28 < bny> looks ok?
13:29 < dazo> bny: at first sight, this looks very fine .... I can double check it against some of my rules
13:30 < dazo> bny: yeah, looks right :)
13:30 < bny> cool, ill try it then :)
13:31 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:33 -!- whits_ [n=jim@209-20-87-215.slicehost.net] has joined ##openvpn
13:34 < bny> nop, that wasnt enough
13:34 < dazo> bny: are you doing MASQUERADING ?
13:34 < bny> i need the clients to think that the packets are coming from $WIP and not $MIP
13:34 < bny> yea i MASQUERADE the local nets
13:35 < dazo> bny: would you mind sharing an iptables-save on pastebin?
13:35 < dazo> just replace your public IP addresses with something we can understand is public
13:35 < bny> hm, i rather paste portions of the file if its ok
13:35 < bny> some info in it that i dont want disclosed :(
13:36 < dazo> bny: sure! ... and it's the NAT table which is interesting
13:36 < dazo> bny: I just need to see enough to understand why things are getting out wrong
13:37 < bny> think i figured it out, sec
13:37 < dazo> dazo: I only use DNAT in PREROUTING .... and -o -j MASQUERADE in the POSTROUTING table ... and that works like a charm
13:39 < bny> i dont want to masq the whole interface though :P
13:39 < bny> i just need one of the nets to masq on 1194
13:39 < bny> the port that is
13:40 < dazo> bny: aha ... then you need SNAT in addition on the POSTROUTING .... before any masq rules
13:41 * dazo did that some years ago ... don't remember completely now ....
13:41 * dazo tries to remember
13:41 < bny> its kinda tricky
13:42 < bny> does the -s switch only accept host/subnet?
13:44 < bny> it would be pretty solid if you could do iptables -t nat -A POSTROUTING -s IP:port -o $WIF (ext int) -j SNAT --to $WIP (ext IP)
13:44 < dazo> bny: -s is only --source address
13:44 < bny> instead of -s host/subnet
13:44 < bny> yea i know thats the tricky part i want to work around
13:45 < bny> instead of source address i just want the rule to apply when a certain rule is used
13:45 < dazo> bny: but you do that .... with --sport / --dport .... that's more flexible
13:45 < bny> aha!
13:47 < bny> wanna show me an example rule?
13:47 < dazo> bny: misunderstand me correctly please .... you need -s/-d for host/subnet .... and --sport/--dport for ports
13:48 * dazo tries to find some SNAT examples
13:49 < bny> :P
13:49 < ecrist> bny: you can specify what address openvpn listens to.
13:49 < bny> what i want to do is that all traffic going from $MIP:1194 to appear as $WIP:1194
13:49 < bny> only on that particular port
13:50 < dazo> but isn't this what you are achieving already?
13:50 < ecrist> bny, that won't work.
13:50 < bny> why not? :(
13:50 < dazo> bny: are $MIP and $WIP both public facing IP addresses?
13:51 < bny> yea
13:51 < dazo> bny: why do you want to do this?
13:51 * dazo suddenly saw a light
13:51 < bny> they go inside the same physical interface
13:51 < bny> and that messes up openvpn
13:51 < bny> traffic coming in on $WIP and leaving on $MIP
13:52 < dazo> bny: aha! It's one physical interface with two IP addresses? ip aliases?
13:52 < bny> yes! :)
13:52 < bny> that results in no client being able to connect
13:53 < dazo> bny: openvpn will never send traffic out on the "wrong" ip address .... if it gets traffic in on $WIP it will send out on $WIP ... unless there are some NAT rules which change this behaviour
13:53 < ecrist> bny: with TCP, you can't set all outgoing traffic as 1194 if your openvpn instance is listening to 1194
13:54 < bny> its udp :)
13:54 < ecrist> ok, you can't do it with udp, either
13:54 < dazo> bny: one more question .... openvpn is running on the same box as your firewall? Or a separate box?
13:54 < bny> same box
13:54 < ecrist> unless openvpn is listening on udp, and your port mapping is for tcp
13:54 < bny> WIP and MIP are only ip addresses both coming in on WIF
13:55 < bny> ip aliasing
13:55 < bny> hm i dont follow?
13:55 < dazo> bny: WIF ... what is that? ... the physical interface?
13:55 < bny> yea
13:56 < dazo> bny: so WIP is the IP address of WIF .... and MIP is the IP address of WIF:1 ... (or similar)?
13:56 < bny> yea
13:56 * dazo just needs to be sure now
13:57 < dazo> bny: bring up that DNAT rule once more ....
13:57 < dazo> bny: We need to tweak this one
13:58 < bny> iptables -t nat -A PREROUTING -p udp -d $MIP --dport 1194 -j DNAT --to 192.168.200.1:1194
13:58 < dazo> bny: 192.168.200 ... which network is this? an internal one?
13:58 < bny> yea the gateway
13:58 < bny> should i set it to the external ip?
13:59 < bny> $WIP that is
13:59 < dazo> gateway? ... no it should be the IP address to where openvpn listens .... try localhost
13:59 < bny> oh my bad, its the box where vpn listens
13:59 < dazo> dazo: but it might be that this needs to be supported by a SNAT rule ... but that's not often
13:59 < dazo> yeah
14:02 < bny> any clues?
14:03 -!- QuiescentW [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn
14:03 < dazo> bny: did you try the DNAT rule and just changing 192 addr to 127.0.0.1?
14:04 < QuiescentW> can someone help me configure openvpn on openwrt. i'm having problems. I have the firewall on my router opened all the way up and when i connect i get an IP address but it cuts all my internet connection off and i can't even ping any of the remote computers
14:04 < ecrist> QuiescentW: you're probably using a conflicting IP range on the vpn subnet and/or you're using redirect-gateway without proper NAT on the server end.
14:04 < ecrist> try reading through the following:
14:05 < ecrist> !route
14:05 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
14:05 < QuiescentW> i'm using ethernet bridging and the remote LAN subnet is different
14:05 < bny> dazo yea same problem
14:06 < dazo> bny: a possible attempt on SNAT ..... iptables -t nat -I POSTROUTING -p udp -s 127.0.0.1 --dport 1194 -o $WIF -j SNAT --to-source $MIP
14:06 < dazo> bny: but you need to experiment with the --to-source .... --to-source $MIP:1024-65535 ... might be another attempt
14:10 < dazo> QuiescentW: be aware that openwrt uses bridging as default .... and you might want to bridge tap0 to br0, where you have your internal network
14:10 < QuiescentW> i have tap0 bridged with br-lan which has all the eth adapters except wan in them
14:11 < QuiescentW> let me get my configs on pastebin if someone will please look at them for me
14:12 < bny> nah still same
14:12 < dazo> QuiescentW: I needed to do /usr/sbin/openvpn --mktun --dev tap0 --dev-type tap ... and then /sbin/ifconfig tap0 0.0.0.0 promisc up ... and then brctl addif br0 tap0 before I could start openvpn
14:12 < bny> can you try to explain what that rule does dazo? :)
14:12 < dazo> bny: the SNAT rule?
14:12 < bny> yea
14:13 < QuiescentW> i'
14:13 < QuiescentW> i'll try that
14:14 < dazo> bny: it takes all UDP packets coming from 127.0.0.1 with destination port 1194 going out on the $WIF interface and rewrites the source address to $MIP with a dynamic port range as source port
14:15 < bny> kk
14:15 < bny> and the DNAT rule we wrote before is still needed?
14:15 < dazo> bny: yes ... because that does almost the "opposite"
14:16 < dazo> bny: the DNAT rule takes the packets to $MIP at destination port 1194 and rewrites destination to localhost:1194
14:17 < dazo> and then the kernel takes this packet and sends it through the routing layer in the network
14:17 < dazo> while SNAT rules are picked up after the kernel has done the packet routing
14:18 < dazo> so DNAT is the first pass from outside to inside .... and SNAT is the last pass from inside to outside
14:19 < bny> hm still wrong ip when i do tcpdump :(
14:19 -!- QWonder [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn
14:20 < dazo> bny: I'm worried I'm not able to help you completely out ... since I don't know if you have any other conflicting rules in your chains
14:22 < bny> yea its ok
14:22 < bny> ill dig into it tomorrow
14:22 < bny> thanks a lot for your help though
14:22 < dazo> bny: np! :)
14:22 < bny> amma head out for a while, cya
14:23 < bny> been working with this darn setup for several hours
14:24 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:24 < QWonder> i'm getting this: 'private key password verification failed'... i'm using PKI but no passwords anywhere
14:25 < dazo> QWonder: you have some issues with your private key ... that's for sure ... try to remove the password with some openssl commands (don't remember them now)
14:26 < QWonder> i'm just going to delete all my config and pki files and start over
14:27 < QWonder> i must have done something wrong
14:34 -!- QuiescentW [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
14:38 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- xattack [i=xattack@132.248.108.239] has quit []
15:00 -!- brain0 [n=brain0@archlinux/developer/brain0] has joined ##openvpn
15:01 < brain0> hi. I was here before but nobody answered :) ... I want to know if I can reduce the memory usage of openvpn. this is my configuration: http://pastebin.com/d503bb027 ... I only need support for one client, will p2p mode use less memory? any other tricks?
15:27 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn
15:28 < nullboy> hey is the 'extra' challenge password something that should be set or should not be set?
15:28 < nullboy> what are the ramifications of not setting it?
15:28 < nullboy> this is during the build-key-server
15:30 < skx> I have openvpn server on freebsd using tap, how can I change MTU?
16:10 < ecrist> evening, bitches
16:29 < ecrist> skx:
16:29 < ecrist> !howto
16:29 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:35 < nullboy> lol
16:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:13 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn
17:35 -!- QWonder [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)]
17:49 -!- brain0 [n=brain0@archlinux/developer/brain0] has left ##openvpn []
18:05 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
18:08 < plaerzen> !plaerzen
18:08 < vpnHelper> plaerzen: Error: "plaerzen" is not a valid command.
18:08 < plaerzen> :(
19:07 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)]
19:08 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
21:01 -!- Gray9Mar [i=surf___@gateway/tor/x-1d2bf26543040c15] has quit [Remote closed the connection]
21:01 -!- needo [n=needo@superhero.org] has joined ##openvpn
21:02 < needo> I am attempting to setup OpenVPN 2.0.9 on CentOS 5. However when I connect to the VPN I get assigned the address .6 and my gateway is .5. Shouldn't it be .1?
21:06 < ecrist> needo: no, it shouldn't.
21:06 < ecrist> the addressing you're seeing is correct
21:07 < muxpux> hi, i am doing bridge-mode vpn, so in order to access the machines on the same network of the server, do i need to add extra push route or something?
21:07 < needo> ecrist: Why? Should I be able to ping .5?
21:08 < ecrist> needo: tun mode of OpenVPN assigns a series of /30 subnets (one for each client). Internally, OpenVPN responds for its end of the /30 PPP link, but doesn't actually assign the address to its interface
21:08 < ecrist> no, you shouldn't be able to ping .5
21:09 < needo> Thanks.
21:09 < ecrist> muxpux: you need to make certain that your LAN on the OpenVPN server side is assigning IPs to the vpn clients, or that the OpenVPN instance is assigning addresses from the same range as what's available on the LAN
21:11 < muxpux> ecrist: yeah suppose the dhcp in my network is 192.168.1.0/24
21:11 < needo> Now its time to futz with the iptables. Woohoo. :)
21:12 < muxpux> and in ovpn, if i give a range from .128 - .254, thats okay?
21:12 < ecrist> yep
21:13 < muxpux> alright :)
21:14 < muxpux> ecrist: one more q
21:14 < muxpux> push "redirect-gateway"
21:14 < ecrist> should be push "redirect-gateway def1" iirc
21:14 < muxpux> will redirect the gateway as well, and enables all web browsing of the client through server?
21:14 < muxpux> def1?
21:14 < ecrist> aye
21:14 < ecrist> read the manual
21:14 < muxpux> ok :)
21:41 < needo> I am having a really hard time getting my iptables right. I want everything that comes in through the VPN (tun0) to have access to the Internet via eth1.
21:42 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
21:42 < mepholic> ok
21:43 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit [Read error: 104 (Connection reset by peer)]
21:43 < mepholic> is there a way to have a client or server use 2 tap interfaces
21:43 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn
21:44 < mepholic> i don't mean virtual interfaces like tap0:0
21:44 < mepholic> unless you can bridge that and still be able to use tap0 on the host
21:45 < mepholic> my issue is that i have an openvpn server running on the host computer of an openvz vps node
21:46 < mepholic> and i need to bridge a vps's ethernet adaptor to an openvpn adaptor
22:03 -!- needo [n=needo@superhero.org] has left ##openvpn []
22:15 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection]
22:16 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
22:27 -!- cyberjames [n=james@unaffiliated/cyberjames] has quit ["leaving"]
22:46 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:46 < onats> hi guys
22:46 < onats> i have a question. if i have 2 site to site routers connected via vpn, i have to create /ccd/ entries for the router/clients right?
22:47 < onats> for a remote worker client, which gets an ip of say 10.0.66.x, what do i need to do in order for me to be able to ping devices behind the other routers?
22:47 < onats> i mean other clients?
22:47 < onats> krzie are you there?
22:54 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn
22:54 < grendal_prime> hey guys.
22:56 < grendal_prime> I have a situation where we have several openvpn servers with several CA's and we have been looking for a way to sort of cluster them together so we have one server with the certs and keys. We already have a way of backing that up off site. However i have contrived a way of connecting several other servers to the primary server to use the keys on that server. This way we only have to create credentials in one location.
22:58 < grendal_prime> Ive tested it and it works. Im just wondering if there is a product out there that already does this...or if there is some sort of configuration that i overlooked for doing this sort of thing?
23:03 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: muxpux, dogmeat
23:05 -!- Netsplit over, joins: muxpux
23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: muxpux, justdave, meturaf
23:05 -!- meshuga [i=meshuga@65.23.153.3] has joined ##openvpn
23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: mcp, Typone
23:05 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn
23:06 -!- Netsplit over, joins: mcp
23:06 < QWToo> alright, i have this crap working
23:06 < QWToo> the problem was
23:06 < QWToo> i guess
23:06 < QWToo> i was bringing up tap0 on the client and then running dhclient
23:07 < QWToo> and it was supplying a gateway
23:07 < QWToo> or something
23:07 < QWToo> and breaking my internet
23:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: whits_, QWToo, roentgen, smk
23:07 -!- whits [n=jim@jim.505.ru] has joined ##openvpn
23:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: MMN-o, whits
23:07 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn
--- Log closed Mon Jan 26 23:07:53 2009
--- Log opened Mon Jan 26 23:09:13 2009
23:09 -!- ecrist [n=ecrist@173.8.118.220] has joined ##openvpn
23:09 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal]
23:09 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: int, disco-, grendal_prime
23:09 -!- Irssi: Join to ##openvpn was synced in 14 secs
23:09 -!- WHATEVER [n=evaldo@207.192.75.23] has joined ##openvpn
23:09 -!- Netsplit over, joins: grendal_prime
23:09 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: reiffert, kaii
23:09 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn
23:09 -!- Netsplit over, joins: int
23:09 < grendal_prime> QWToo: ? not sure what you mean....you cant push them a gateway?
23:10 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: disposable, kaii_, mcp, donavan, MMN-o
23:10 -!- disposab1e [i=disposab@blackhole.sk] has joined ##openvpn
23:10 -!- mcp [n=mcp@78.46.210.50] has joined ##openvpn
23:10 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: int, aar0n, onats
23:10 < QWToo> they don't need a gateway
23:11 < QWToo> i don't really know how this works
23:11 < QWToo> what happens is that the clients connect
23:11 -!- Netsplit over, joins: MMN-o
23:11 < QWToo> and their default internet gateway is changed to a different address
23:11 < QWToo> then they can't get online
23:11 < QWToo> because the gateway is an address in a different network
23:11 < QWToo> somewhere else
23:11 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: disposab1e, krzie, trifler, ikevin_, MMN-o, smk_
23:12 -!- Netsplit over, joins: trifler
23:12 < grendal_prime> ok wait wait..i think you are thinking about this wrong
23:12 -!- munga` [n=munga@81.194.35.9] has joined ##openvpn
23:12 -!- Netsplit over, joins: MMN-o
23:12 -!- krzie [i=krzee@66.11.114.210] has joined ##OpenVPN
23:12 < grendal_prime> the vpn is to connect you to the vpnserver..if you want to route out past that, you need to set up the vpn server for routing. if you want to use the vpn as a sort of gateway to the internet.
23:12 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
23:13 < QWToo> no
23:13 < QWToo> i don't want to use it as a gateway
23:13 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: tarbo2, bigjohnto_away, mmcgrath_, plaerzen
23:13 < QWToo> the problem was
23:13 < grendal_prime> ok so what you're saying is when you connect your client no longer uses its configured gateway..
23:13 < QWToo> yeah
23:13 < QWToo> i was using dhclient on the tap adapter
23:13 < grendal_prime> ok that is a setting i think you have to set up in windows.
23:14 < QWToo> and it changes the default gateway to the address in the other network, which it can't get to without going through my local gateway. in turn my internet is broken
23:14 < QWToo> no
23:14 < QWToo> it's all linux
23:14 < grendal_prime> like set default gateway or something like that...i dont use windows...in any capacity at all so im not sure..
23:14 < QWToo> i did until maybe six months ago
23:14 < grendal_prime> ok
23:14 < QWToo> so i'm pretty new to all this
23:15 < grendal_prime> so when your linux client connects it loses its default gateway?
23:15 -!- nullboy [n=nullboy@97-94-107-72.static.mtpk.ca.charter.com] has joined ##openvpn
23:15 -!- Netsplit over, joins: tarbo2
23:16 < QWToo> yeah
23:16 < QWToo> it changes to the default gateway of the openvpn server
23:16 < grendal_prime> thats pretty odd...now i do know when i connect to my work openvpn, i get a...its like a confused state every now and again...but it usually figures it out in a min.
23:16 < QWToo> i mean, when my linux client connects the tap0 adapter is down
23:16 < QWToo> i don't have a startup script yet
23:16 < grendal_prime> ya see i dont use tap devices with linux
23:17 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn
23:17 < QWToo> so i was doing this: sudo ifconfig tap0 up; sudo dhclient tap0;
23:17 -!- whits [n=jim@jim.505.ru] has joined ##openvpn
23:17 -!- disco- [i=disco@discomb0bulated.com] has joined ##openvpn
23:17 < QWToo> and dhclient was changing the default gateway address
23:17 -!- smk [n=scott@64.90.184.122] has joined ##openvpn
23:17 -!- int [n=quassel@wikia/int] has joined ##openvpn
23:17 < QWToo> on the local machine to an address that isn't on this network
23:17 < QWToo> heh
23:17 < grendal_prime> sounds like your server is pushing a route that may be messing with that
23:18 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
23:18 < QWToo> i don't know
23:18 -!- bigjohnto_away [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
23:18 < grendal_prime> you using ubuntu?
23:18 < QWToo> nothing should be routed
23:18 < QWToo> yeah
23:18 < grendal_prime> do you have control of the server?
23:18 < QWToo> i don't think anything should be routed
23:18 < QWToo> yeah
23:18 -!- ikevin_ [n=kevin@90.33.40.180] has joined ##openvpn
23:18 < QWToo> it's right here
23:18 < QWToo> it's all bridged
23:18 < QWToo> because i didn't know how to do the routing
23:19 < grendal_prime> did you do the quicksetup illustrated on the openvpn.net site?
23:19 < QWToo> i used some bridged howto on the openwrt site
23:19 < grendal_prime> the reason i ask is that has proven to be pretty failproof and..well it does not illustrate using the tap device.
23:19 < QWToo> which is what the server is running on
23:19 < grendal_prime> o
23:19 < grendal_prime> so you need it to be bridged?
23:20 < QWToo> at least i've figured out what's wrong
23:20 < QWToo> i don't need it bridged
23:20 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn
23:20 < QWToo> i just didn't want to deal with setting up routes
23:20 -!- disposable [i=disposab@92.240.234.34] has joined ##openvpn
23:20 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
23:20 < QWToo> and i have all the machines i want accessible to the vpn clients in their own vlan
23:20 < grendal_prime> ya...you should try that howto..it sets up what you're looking for i think...and...well it should work for openwrt as well.
23:21 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
23:21 < grendal_prime> http://openvpn.net/index.php/documentation/howto.html#quick
23:21 < vpnHelper> Title: HOWTO (at openvpn.net)
23:21 < grendal_prime> its never failed...
23:21 < grendal_prime> well its never failed me anyway
23:21 < grendal_prime> i got to roll good luck
23:21 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection]
23:21 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
23:23 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: whits, deever, thewolf, trifler, worch, dazo, bny, donavan, skx, eliasp, (+5 more, use /NETSPLIT to show all of them)
23:23 -!- MMN_o [n=mmn@barjack.com] has joined ##openvpn
23:23 -!- whits_ [n=jim@jim.505.ru] has joined ##openvpn
23:23 -!- udk [i=evaldo@freenode/staff/udontknow] has joined ##openvpn
23:23 -!- Netsplit over, joins: huslu
23:23 -!- dazo [n=dazo@nat/redhat/x-ec6c25d10518a59b] has joined ##openvpn
23:23 -!- boney [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
23:23 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
23:24 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: whits_, nullboy, int, skx, munga`, mepholic, QWToo, troy-, plaerzen, boney, (+18 more, use /NETSPLIT to show all of them)
23:25 -!- QWToo [n=Quiescen@71.122.68.221] has joined ##openvpn
--- Log closed Mon Jan 26 23:28:20 2009
--- Log opened Mon Jan 26 23:28:31 2009
23:28 -!- ecrist [n=ecrist@173.8.118.220] has joined ##openvpn
23:28 -!- Irssi: ##openvpn: Total of 29 nicks [0 ops, 0 halfops, 0 voices, 29 normal]
23:28 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn
23:28 -!- Irssi: Join to ##openvpn was synced in 13 secs
23:28 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn
23:29 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
23:29 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
23:30 -!- jpalmer [n=jpalmer@fl-209-26-20-205.sta.embarqhsd.net] has joined ##openvpn
23:31 -!- Typone [n=nnnnitsm@195.197.184.87] has joined ##openvpn
23:31 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
23:33 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
23:33 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
23:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: skx
23:33 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
23:33 < muxpux> hi
23:33 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn
23:33 -!- Netsplit over, joins: skx
23:33 < muxpux> my ovpn-bridge is up and fine
23:33 < muxpux> now i need to route all the internet traffic
23:34 < muxpux> since my vpn is bridge, there is no need for me to do NATing in the linux machine right?
23:34 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
23:37 -!- lilalinux [i=e-trolle@fellatio.deswahnsinns.de] has joined ##openvpn
23:37 -!- tomfmason [n=tom@tomfmason.net] has joined ##openvpn
23:38 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
23:38 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn
23:55 -!- Gray9Mar [i=surf___@gateway/tor/session] has quit [Nick collision from Idoru.]
23:56 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
--- Day changed Tue Jan 27 2009
00:07 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["life in the rear view mirror"]
01:20 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn
01:22 < nullboy> hello, i'm using wireshark on a client system that is connected to an openvpn server. the client and the server are on the same lan and i have used push "redirect-gateway local def1" in the server's config but i can see DNS queries being leaked in wireshark
01:55 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["life in the rear view mirror"]
01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:58 -!- lilalinux [i=e-trolle@fellatio.deswahnsinns.de] has left ##openvpn ["Leaving"]
03:17 -!- bigjohnto_away [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
03:22 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
03:22 < muxpux> hey
03:22 < muxpux> ovpn is pptp or l2tp ?
03:23 < floyd_n_milan> neither
03:23 < floyd_n_milan> ssl
03:24 < muxpux> alright
03:55 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
03:59 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
04:06 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
04:06 < joelsolanki> Hi dazo
04:06 < joelsolanki> https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/265058
04:06 < vpnHelper> Title: Bug #265058 in openvpn (Ubuntu): "[SRU] openvpn2.1~rc7 fails to pick up the CN of certificates" (at bugs.launchpad.net)
04:09 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
04:38 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
04:46 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
04:47 -!- udk [i=evaldo@freenode/staff/udontknow] has quit ["leaving"]
05:01 < muxpux> hi
05:02 < muxpux> is it possible to make mac osx 10.5 an openvpn client?
05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:28 < whits_> 1:32 -!- ERROR Closing Link: [85.91.225.194] Z:Lined (Transitive external IP range - InetC)
05:28 < whits_> oops
05:28 * dazo is not sure if "duuhh" ... is a proper answer
05:28 < dazo> muxpux: sure ... that's just to use a client configuration file instead of a config which prepares the openvpn process to act like a server
05:58 < muxpux> dazo:/win 10
05:58 < muxpux> hehe
05:58 < muxpux> dazo: i mean, ovpn port of mac is also there?
06:14 < ecrist> muxpux: google code for tunnelblick
06:14 < ecrist> you know, that question is easily answered by a google search
06:46 < muxpux> yeah
06:46 < muxpux> i sen that name
06:46 < muxpux> seen
06:46 < muxpux> thought like a 3rd party product
06:50 -!- innni1 [n=andre@92.2.28.116] has joined ##openvpn
06:51 < innni1> can people at home behind local routers create a VPN
06:52 < innni1> for example create a VPN so that three people can play a game
06:53 < dazo> innni1: Without going deep ... yes, that's the main purpose of VPN, to create a virtual private network
06:54 < innni1> dazo: even though each local box has a dynamic IP?
06:54 < dazo> innni1: I presume that you mean that there are 3 different persons, sitting behind each their router
06:54 < innni1> yes
06:55 < innni1> this is the normal setup too, I assume
06:55 < dazo> innni1: yes ... but in this case, I would recommend to also sign up for a dyndns/dynalis/etc service ...so you do have a hostname to a dynamic ip address
06:55 < dazo> innni1: the reason I asked was because it sounded like they were behind the same router ... which would make the use of VPN pretty unneeded ;-)
06:56 < innni1> good call
06:57 < dazo> innni1: one of these three locations needs to provide the openvpn server somehow ... the two others connect to the server as clients ... and if you enable client-to-client in the openvpn config, those clients can also see each other on the VPN
06:57 < dazo> innni1: pretty basic setup, actually
06:58 < innni1> I am in UK, got a mate in Siberia :)
06:58 < dazo> innni1: even this is not a problem :)
06:58 < innni1> I wanna do the VPN more than any game really
06:59 < dazo> heh
06:59 < dazo> good approach!
06:59 < dazo> ;)
06:59 < innni1> maybe today
06:59 < innni1> I have done the crypto stuff
07:00 < innni1> need to create the config files
07:00 < dazo> innni1: have a close look at the different docs available for openvpn ... howto's etc ... it's not that difficult
07:00 < dazo> !howto
07:00 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:01 < dazo> innni1: and you will be pretty good if you manage this without trampling into routing issues .... :-P
07:01 < innni1> I expect I will have issues
07:03 < dazo> innni1: routing is not difficult ... if you have a little bit overview over how basic networking routing works .... mostly it is just minor details, not reading docs/howto's well enough, rushing into things without making sure all those small and gory details are right
07:03 < innni1> what does a sign up for a dyndns/dynalis/etc get me
07:03 < innni1> presumably the missing link in my thinking as to how this all works
07:04 < dazo> innni1: it gives you a hostname .... f.ex. mybox.dyndns.org .... and you will have a client running on your box, which will then update this DNS record whenever your IP changes
07:04 < dazo> innni1: and it's only needed for the server
07:04 < dazo> innni1: but you might want to have a look into the --float option in openvpn as well
07:04 < innni1> what you are saying will take time to sink in
07:04 < innni1> I am probably 80% savvy
07:05 < innni1> maybe 70%
07:05 < dazo> innni1: just don't rush :) Take your time and let it sink in .... then it'll work, I'm sure
07:05 < innni1> :D
07:05 < dazo> "Nothing is impossible, it just takes a little bit longer time"
07:06 < innni1> I will have to teach my 0% savvy friend all this too :D Gonna be fun
07:08 < dazo> innni1: no, not really ... if you manage to setup a good server config ... you can just send him key files and configuration .... and then he just unpacks this in a directory and starts openvpn as root .... and that's all
07:09 < dazo> innni1: the key is if you manage to provide a good client config file for her/him or not
07:10 < dazo> innni1: which OS are you deploying this on? what do you and the others use?
07:10 < innni1> we are both ubuntu boys
07:11 < dazo> innni1: okey .... be aware of some issues with openvpn on ubuntu and certificates ..... https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/265058
07:12 < vpnHelper> Title: Bug #265058 in openvpn (Ubuntu): "[SRU] openvpn2.1~rc7 fails to pick up the CN of certificates" (at bugs.launchpad.net)
07:14 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has joined ##openvpn
07:15 < innni1> dazo: thanks. Anything else I should know?
07:17 < dazo> innni1: grab a lot of what ever you like to drink when hacking on your computer ... maybe add some snacks .... relax and have fun digging into the wonderful world of openvpn! :)
07:17 < bender183> hey guys
07:17 < innni1> i got food and drink stocks
07:17 < innni1> hi bender
07:18 < bender183> hows it going?
07:20 < innni1> i am cool thank bender :) u?
07:22 < bender183> not too bad, worked out this morning.....im always happier when i work out in the mornings :>
07:23 < bender183> anyways i have an issue with openvpn....i have no knowledge of openvpn, and ive been frantically rtfm'n ....the client can ping the openvpn server but the server cant ping the client side
07:23 < ecrist> good morning, bitches
07:23 < bender183> here are the pastebins
07:23 < innni1> people say to me "do you work out" :) I never done any exercise in my life
07:23 < bender183> server = http://pastebin.com/m4ed98aa
07:23 < bender183> client = http://pastebin.com/m2b31c2ab
07:23 < bender183> server logs = http://pastebin.com/m375bc965
07:24 < innni1> <- this slut is no bitch
07:24 < ecrist> bender183: client can ping server IP, but server can't ping client IP?
07:24 < bender183> you know they say that working out makes your iq higher'
07:24 < bender183> yes
07:24 < ecrist> that doesn't make sense.
07:24 < bender183> i know ...
07:24 < ecrist> have you checked the firewall on the client side?
07:25 < bender183> yes i have ...
07:25 < bender183> outbound is set to accept
07:25 < bender183> errr
07:25 < bender183> wait
07:25 < bender183> hold on
07:25 < bender183> hehe
07:25 < bender183> i hope thats the problem ;D
07:26 * ecrist points to the chan topic
07:26 < bender183> yes i know ...
07:26 < bender183> but if you take a look at the logs
07:27 < bender183> that i pasted
07:27 < bender183> *cough*
07:27 < bender183> you can see they are speaking to each other
07:27 < ecrist> right, but you're talking about two different things.
07:27 < ecrist> most firewalls allow outgoing connections without problem
07:27 < dazo> bender183: yeah ... but firewalling also means firewalling on the VPN net as well ......
07:28 < ecrist> that would be the case on your VPN client.
07:28 < ecrist> however, my guess is that your client is blocking incoming (unsolicited) ICMP packets.
07:28 < ecrist> ICMP = Ping
07:28 * dazo seconds that
07:28 < bender183> interesting
07:28 < bender183> i think you may have nailed it
07:29 < bender183> and you did
07:30 < bender183> gratzi
07:30 < ecrist> np
07:30 < bender183> now i can finally finish up my nagios install :>
07:31 < bender183> well i always could, i was just checking the tunnel the incorrect way
07:31 < bender183> hehe
07:33 < ecrist> with nagios, I've found pings are the best method to test openvpn tunnels
07:33 < bender183> my friend suggested check_tcp
07:33 < bender183> but i could see why you would say that
07:33 < ecrist> could do some parsing of the openvpn-status log, but there's potential for stale files
07:33 < ecrist> bender183: anyone who knows better, who can, runs OpenVPN over udp
07:34 < bender183> ohhhhhh
07:34 < bender183> i wish you could tell that to my middle earth former co-worker
07:35 < ecrist> !tcp
07:35 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
07:35 < ecrist> point him there ^^^
07:35 < bender183> it makes sense
07:36 < ecrist> to sum it up, problems with the tcp window size
07:36 < bender183> interesting
07:36 < ecrist> 5lbs of shit in a 5lb bag that's already filled with 1lb of shit.
07:38 < dazo> ecrist: nice link!
07:38 < ecrist> that was krzee's find
07:38 < bender183> seems like this dude didnt make any iptables rules to allow the vpn to pass through other clients either
08:11 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"]
08:11 < ecrist> um, a program doesn't catch a sig 11.
08:11 < ecrist> the kernel catches sig 11
08:11 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn
08:12 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Client Quit]
08:13 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn
08:17 < ecrist> ebf0: make up your mind
08:19 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has quit [Read error: 104 (Connection reset by peer)]
08:20 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"]
08:21 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn
08:22 < ecrist> ebf0: stop the join/part
08:33 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"]
08:35 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn
08:35 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Client Quit]
08:35 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn
08:37 < ecrist> /kick ebf0
08:37 -!- Federico2 [n=Fede@193.200.193.239] has joined ##openvpn
08:37 < Federico2> hi guys
08:38 < ebf0> ey... dont
08:38 < ebf0> I got the ppl to stop :)
08:38 < Federico2> is it normal that I cannot ping the VPN endpoints on the virtual interfaces (tun0)?
08:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:39 < ebf0> found a nice error in ircproxy... might even be sploitable :)
08:55 -!- innni1 [n=andre@92.2.28.116] has quit ["Leaving."]
09:03 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has quit [Read error: 60 (Operation timed out)]
09:03 < dvl> ebf0: dircproxy?
09:05 < dvl> ircproxy seems to be a generic name, not a particular application.
09:06 < ecrist> Federico2: yes
09:07 < muxpux> hi
09:07 < muxpux> i am getting Bad LZO decompression header byte: 42
09:07 < muxpux> what that means
09:07 < muxpux> i am trying to connect from a mac machine using viscosity
09:08 < muxpux> any ideas?
09:09 < ecrist> wtf is viscosity
09:09 < muxpux> client for mac
09:09 * ecrist looks it up
09:09 < ecrist> the recommended mac client here is Tunnelblick, not heard of Viscosity
09:12 < ecrist> Tunnelblick is free
09:15 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn
09:15 < ebf0> dvl: http://www.night-light.net/ircproxy/
09:15 < vpnHelper> Title: Night Light IRC Proxy "Bouncer" (ircproxy) (at www.night-light.net)
09:16 < ecrist> muxpux: that's a pretty smooth looking client
09:17 * ecrist wonders if he can weasle a free copy of viscosity from the dev...
09:17 < ecrist> weasel*
09:25 < muxpux> heeh
09:25 < muxpux> ecrist: i am using tunnelblick
09:25 < muxpux> now
09:25 < ecrist> $9 after 30 days
09:25 < muxpux> it says an error
09:25 < muxpux> like this ca_cert can only be specified in tls mode
09:26 < muxpux> so do we have any options?
09:26 < ecrist> muxpux, need to see your client config. both viscosity and tunnelblick are simply front-end parsers for the standard config file and openvpn binary
09:27 < muxpux> ecrist: the same configs work for win/linux machines
09:27 < muxpux> i mean the client config
09:28 < muxpux> sec i will paste
09:29 < muxpux> http://pastebin.com/m2ccbf4fc
09:30 < ecrist> looking
09:31 < muxpux> thanks :)
09:31 < ecrist> and your logfiles, please?
09:32 < muxpux> Tue Jan 27 16:35:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
09:32 < muxpux> in client it said ca_cert can only be specified in tls mode
09:33 < muxpux> thinking like is it an issue with my client settings
09:33 < muxpux> works perfectly with linux and windows
09:34 < ecrist> same error in viscosity and tunnelblick?
09:35 < muxpux> viscosity was connecting, getting an ip etc
09:35 < muxpux> but didnt able ping anything
09:35 < muxpux> and the server is in vpn-bridge mode
09:35 < muxpux> able to*
09:37 < plaerzen> morning guys
09:38 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:38 < ecrist> hey plaerzen
09:39 < ecrist> muxpux: can you paste your logfiles, please?
09:41 < muxpux> ecrist: nothing much
09:41 < muxpux> Tue Jan 27 16:35:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
09:41 < muxpux> thats it
09:42 < ecrist> muxpux, if you're not going to pastebin your entire log file from tunnelblick, I'm not going to be able to help you.
09:42 < ecrist> if you knew what you were looking for, you wouldn't be asking here.
09:42 < ecrist> also, what version of tunnelblick?
09:42 < muxpux> ecrist: sec
09:48 < muxpux> ecrist: cant see any logs in tunnelblick
09:48 < muxpux> :(
09:49 < ecrist> if you select Details from the drop-down menu, you'll see the logs.
09:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:58 -!- MMN_o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
10:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 * ecrist gives up
10:18 < muxpux> ecrist:
10:19 < muxpux> i was working with a client who was with his osx (you know what that means), finally gives up atm trying with macosx client
10:19 < muxpux> i am sorry
10:30 < ecrist> muxpux: don't really bother me.
10:30 < ecrist> for your edification, if you need it, I just wrote the following: http://www.secure-computing.net/wiki/index.php/Tunnelblick
10:30 < vpnHelper> Title: Tunnelblick - Secure Computing Wiki (at www.secure-computing.net)
10:32 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
10:51 -!- randra [n=sleepkno@200.215.81.98] has joined ##openvpn
10:56 -!- skx [i=skx@217.17.32.190] has quit ["changing servers"]
11:04 -!- rwaite [n=fieldyca@rrcs-74-218-125-86.central.biz.rr.com] has joined ##openvpn
11:05 < rwaite> hi everyone, i'm trying to setup openvpn on windows to connect my work lan with my home lan and i'm way past confused at this point
11:06 -!- randra [n=sleepkno@200.215.81.98] has quit ["tra"]
11:07 < rwaite> !route
11:07 < vpnHelper> rwaite: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:08 * rwaite off to read
11:11 < muxpux> ecrist: nice odc thanks
11:15 < muxpux> doc
11:15 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
11:34 < rwaite> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing <<
11:34 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
11:34 < rwaite> in this document, when they say "2 client with lans behind them"
11:35 < rwaite> are those two clients assumed to be the routers for their respective lans?
11:35 < ecrist> rwaite: basically, yes.
11:36 < ecrist> but, with some advanced networking and routing, they don't have to be the gateways for those lans.
11:36 < rwaite> so if i had a machine behind a soho router, i'd need to enable some sort of routing on the soho?
11:36 < rwaite> well, my main issue is the openvpn server and the openvpn client are both behind a soho router on their networks
11:37 < dazo> rwaite: In this case, the usual approach is to put up the route on each machine which should be reachable on the inside ... if setting up the routing in the soho router doesn't work
11:38 < rwaite> so make some sort of batch file to setup the routes. that would work. would i also need to enable routing on the client, too, then, for that to work?
11:39 < rwaite> this is a windows machine, fyi. (i think im in a bit over my head here, i need to learn how this routing works exactly)
11:39 * rwaite smacks face. hold up, i missed the 'routes to add outside of openvpn' section
11:40 < dazo> rwaite: look at it like this: A user on your "openvpn server side" with IP address 172.16.10.50 (example) accesses 192.168.10.10 (example) which is routed via the VPN (10.8.0.1) ... the package reaches 192.168.10.10 ... and it responds to it ... but since it does not know about the 172.16.10.* network, it will send this traffic to the default gateway instead of your openvpn client router
11:42 < rwaite> i see, so the default gateway must know to send traffic for the client network back to the vpn
11:44 < rwaite> so i think i am thinking of this wrong - what i really want is two servers that act as clients to each other.
11:44 < dazo> rwaite: yeah, but to reroute traffic through another router on the same network as the package came from (192.168.10.*) might cause the package to get dropped by the default router .... that's why it's clever to set up this route explicitly on the "servers" on the openvpn client side as well
11:45 < dazo> rwaite: and in the openvpn world ..... that's doable with openvpn server on one side and openvpn client on the other side
11:46 < rwaite> dazo: but if i want the machines on the server side to also be able to reach the machines on the client's side, too?
11:46 < dazo> rwaite: what makes it difficult for you now, is that you do not have the openvpn client as a router between your internal network and your default gateway
11:46 < rwaite> hmm.
11:47 < dazo> rwaite: when the openvpn client (server too actually) is located as a "normal" box, on the internal network ... all clients usually do need to have explicit routes to the other network, which points at the openvpn box in the local network
11:49 < rwaite> ok ok. but then it seems (and i think the doc says to) that i should be able to add a route to the other network to the soho router/gateway, which points at the local client (server)
11:50 < rwaite> as long as the two networks are different (192.168.1.0 vs 192.168.2.0) this should work
11:51 < rwaite> i think a big part of what i was misunderstanding too was i wasnt aware of the purpose of the "vpn network" (the 10. one)
11:51 < dazo> rwaite: if that works, you're lucky :) ... but I know some routers reject such routes .... some routers do not know how to handle the traffic when the next router is on the same network as the package came from
11:51 < rwaite> oh i see, that's what you meant before
11:52 < rwaite> the easiest setup, then, would be openbsd as the gateway with openvpn on it on both sides :)
11:52 < rwaite> which i wish i could do, but alas, im the only one here who would spring for a homemade router
11:52 < dazo> rwaite: that's right :)
11:53 < rwaite> well thank you, i think i know enough now to read thru all the documentation without scratching my head every 5 seconds
11:54 < dazo> rwaite: well .... you can always aim for such Linksys router or similar ones, which can run openwrt or x-wrt or similar Linux based firmwares .... I'm using x-wrt as an openvpn server to "phone home" myself
11:54 < rwaite> oh they come with openvpn on them?
11:54 < dazo> rwaite: but the more usual part is to use such routers as a client against another server
11:55 < dazo> rwaite: yeah, well, you install this x-wrt firmware .... go to web admin, click on openvpn and it asks you if you want to install it
11:55 < dazo> rwaite: when that's done .... it's configure time
11:55 < rwaite> our router here has dd-wrt, but i dont see anything about openvpn. maybe i will check out x-wrt
11:56 < dazo> rwaite: dd-wrt has its own vpn enabled one as well .... but I stopped using dd-wrt when I found some iptables/firewall rules which opened it up from some hard coded IP addresses
11:57 < dazo> rwaite: then I went over to x-wrt .... and I'm a happy camper
11:57 < rwaite> my dream would be to get a soekris device and get something setup on it
11:58 < dazo> nice one
11:59 < dazo> rwaite: any idea what these boxes cost?
11:59 < rwaite> it depends on what is included, the one i was looking at before had 4 ethernet ports and was around ~280 with the enclosure
11:59 < rwaite> us $
12:00 < dazo> rwaite: that's not too bad
12:00 < rwaite> not at all, and considering what it can do. you can put linux, freebsd, or openbsd that i know of. probably more
12:00 * dazo would like such one with eSATA or Firewire interface as well
12:02 < dazo> (to be released 2009) "net6501, a faster and more advanced mainboard, up to 1.5 Ghz CPU, 2 Gbyte DRAM, 4 Gigabit Ethernet ports and PCI Express expansion."
12:02 < dazo> PCI Express expansion .... my dream might come true ....
12:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:07 < rwaite> heh, that thing is beefier than my old workstation i used to run xp on
12:07 < dazo> heh
12:07 < dazo> I just noticed that even the old 5501 got a traditional PCI slot as well ....
12:08 < dazo> maybe my dream is closer than I thought ....
12:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:16 < rwaite> thanks for all the help
12:16 -!- rwaite [n=fieldyca@rrcs-74-218-125-86.central.biz.rr.com] has quit ["Leaving"]
12:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:24 -!- joelsolanki [i=joelsola@124.125.148.121] has joined ##openvpn
12:24 < joelsolanki> dazo: HI
12:24 < joelsolanki> my problem got fixed by installing the latest version from openvpn.net
12:24 < joelsolanki> there was a bug in openvpn package for ubuntu 8.0.4
12:25 -!- joelsolanki [i=joelsola@124.125.148.121] has quit [Client Quit]
12:28 < krzee> !wz 92109
12:28 < vpnHelper> krzee: Error: "wz" is not a valid command.
12:28 < krzee> !weather 92109
12:28 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 56.7F (10:29 AM PST on January 27, 2009). Conditions: Scattered Clouds. Humidity: 58%. Dew Point: 42.8F. Pressure: 30.38 in 1028.7 hPa (Rising).
12:29 < dazo> krzee: cool ... support for non-us areas as well?
12:30 < krzee> no idea, welcome to try
12:31 < dazo> !weather Brno
12:31 < vpnHelper> dazo: The current temperature in Brno / Turany, Czech Republic is 33.8F (7:00 PM CET on January 27, 2009). Conditions: Mist. Humidity: 80%. Dew Point: 32.0F. Pressure: 29.92 in 1013 hPa (Rising).
12:31 < dazo> !weather Dehli
12:31 < vpnHelper> dazo: Error: HTTP Error 500: Server Error
12:32 < dazo> !weather CPH
12:32 < vpnHelper> dazo: The current temperature in Copenhagen, Denmark is 35.6F (7:20 PM CET on January 27, 2009). Conditions: Overcast. Humidity: 75%. Dew Point: 28.4F. Windchill: 32.0F. Pressure: 30.06 in 1018 hPa (Steady).
12:32 < dazo> !weather HKG
12:32 < vpnHelper> dazo: The current temperature in Victoria Peak, Hong Kong, Hong Kong is 49.8F (2:36 AM HKT on January 28, 2009). Conditions: Mostly Cloudy. Humidity: 92%. Dew Point: 48.2F. Windchill: 50.0F. Pressure: 29.93 in 1013.4 hPa (Steady).
12:32 < dazo> krzee: it takes airport codes .... perfect! :-P
12:34 < krzee> =]
12:45 -!- lvtn [n=azambuja@189.32.146.89] has joined ##openvpn
12:48 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:57 -!- casa0816 [n=casa@dslb-092-075-089-008.pools.arcor-ip.net] has joined ##openvpn
13:11 < krzee> !weather 92109
13:11 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 59.0F (11:14 AM PST on January 27, 2009). Conditions: Mostly Cloudy. Humidity: 45%. Dew Point: 37.4F. Pressure: 30.36 in 1028.0 hPa (Rising).
13:20 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
13:21 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection]
13:25 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
13:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:03 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Read error: 104 (Connection reset by peer)]
14:04 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
14:21 < huslu> !weather TLN
14:21 < vpnHelper> huslu: The current temperature in Hyeres, France is 46.4F (9:00 PM CET on January 27, 2009). Conditions: Clear. Humidity: 53%. Dew Point: 30.2F. Windchill: 42.8F. Pressure: 29.65 in 1004 hPa (Steady).
14:21 < huslu> !weather TLL
14:21 < vpnHelper> huslu: The current temperature in Tallinn, City center, Estonia is 32.5F (10:15 PM EET on January 27, 2009). Conditions: Overcast. Humidity: 90%. Dew Point: 30.2F. Windchill: 32.0F. Pressure: 29.97 in 1014.8 hPa (Steady).
14:21 < ecrist> krzee: did you fix my perms on the bot?
14:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:22 < huslu> too bad it doesn't give temperatures in celsius
14:23 < ecrist> nobody that matters uses celcius
14:23 < ecrist> celsius even
14:23 < ecrist> see? it's not even important enough to spell correctly
14:27 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
14:29 < techqbert> I was using a wireless router earlier. Now I'm using ethernet hooked up right up to the cable modem. I can nmap my VPN server, mount shares, but no longer can I ls those shares, SSH to the box, or go to http://x.x.x.x:8080 What do you think is going on? Does OpenVPN require a NAT? Is the ISP blocking certain packets?
14:31 < techqbert> As well, scp no longer works to the network even when not on the 10 subnet, just WAN. What the hell?
14:32 < techqbert> Yet filezilla can move the files, even on the same 32 port for WAN.
14:33 * ecrist is lost
14:34 < ecrist> you don't give us any real details, so nobody can help you.
14:34 < techqbert> ecrist: might I need to supply. I'm just as bankrupt for ideas.
14:34 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"]
14:35 < techqbert> What might I need to supply? *
14:37 * ecrist points to channel topic
14:40 < techqbert> !route
14:40 < vpnHelper> techqbert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
14:41 < techqbert> Ecrist: thanks for the help. I have no firewall and I need not set up lans behind openvpn.
14:42 < ecrist> ah, but you missed the 'We need !configs and !logs' part?
14:43 < techqbert> !configs
14:43 < vpnHelper> techqbert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:45 < techqbert> ecrist: may I ask you a simple question before I embark on gathering logs and config files. Should an openvpn VPN work regardless of whether the VPN client is behind a router or hooked directly to the ethernet port of the router?
15:03 < ecrist> yep
15:04 < ecrist> gotta go. bbl8r
15:14 -!- boney [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit [Nick collision from services.]
15:14 < techqbert> Hey guys I went from wireless LAN to direct ethernet to router on my client side and now my machine won't access NFS shares on the VPN, or go to VPN web sites. I can only ping.
15:14 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
15:14 -!- casa0816 [n=casa@dslb-092-075-089-008.pools.arcor-ip.net] has quit []
15:21 -!- bsdbandit [n=chuckban@wsip-70-169-130-78.hr.hr.cox.net] has joined ##openvpn
15:25 -!- bsdbandit [n=chuckban@wsip-70-169-130-78.hr.hr.cox.net] has quit [Client Quit]
15:39 -!- neverblue [n=jezus@unaffiliated/neverblue] has joined ##openvpn
15:39 < neverblue> get out!
15:39 < neverblue> you guys have your own channel :D
15:40 < neverblue> but, the question is, is anyone around to answer questions
15:41 < neverblue> when I edit my .conf.ovpn file, in Wordpad, then save it, i lose associations with the .ovpn extension to openvpn
15:42 < neverblue> how can I repair this ?
16:58 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:25 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
17:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: aar0n
17:37 -!- Netsplit over, joins: aar0n
17:40 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: aar0n
17:40 -!- Netsplit over, joins: aar0n
18:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:29 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
18:29 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Client Quit]
18:29 < hardwire> any idea how to assign static ip's (pushed) per client?
18:30 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:31 < hardwire> other than using DHCP
18:32 < hardwire> ah
18:32 < hardwire> client-config-dir
18:32 < hardwire> woota
19:31 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)]
19:31 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
19:51 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:27 < ecrist> evening, fuckers
20:29 < muxpux> hi
20:29 < muxpux> lol
20:50 < ecrist> neverblue: what do you mean that you lose associations with the .ovpn extension?
23:35 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
--- Day changed Wed Jan 28 2009
00:59 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
01:36 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
01:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:47 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
01:54 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)]
02:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:18 -!- casa0816 [n=casa@193.197.157.150] has joined ##openvpn
02:18 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
02:20 < QWToo> neverblue, right click the ovpn and click open with -> custom -> then select or browse for openvpn and make sure you tick the "always open with this program" checkbox and click okay
02:21 < QWToo> your associations should stay with openvpn unless you follow that process with wordpad
02:29 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn
02:29 < nullboy> !route
02:29 < vpnHelper> nullboy: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:36 < QWToo> just bridge
02:38 < Rawplayer> so why is there an iptables exampe in the freebsd openvpn ports?:)
02:38 < Rawplayer> *example
02:41 < nullboy> QWToo: was that for me? bridging over routing?
02:42 < QWToo> yeah
02:42 < QWToo> cause screw iptables
02:43 < nullboy> so routing method done properly would require nat, is that correct?
02:44 < QWToo> i don't really know anything about networking
02:44 < nullboy> does this directive apply to bridge mode as well as route mode? push "redirect-gateway local def1"
02:44 < QWToo> stop being an ass
02:45 < nullboy> wtf?
02:45 < QWToo> oh, nevermind then
02:45 < QWToo> sorry
02:45 < Rawplayer> nullboy: with bridging you can make 2 separate locations into one broadcast domain
02:45 < QWToo> my point was that i don't know anything about networking
02:45 < QWToo> but that i didn't have to
02:46 < QWToo> because there isn't much to configure if you use bridging
02:46 < nullboy> Rawplayer: the problem I'm having with route mode is that the vpn server is on the same lan as the vpn client so some things are leaking out into the lan that should be in the tunnel
02:46 < nullboy> i think it's a route issue
02:46 < QWToo> oh yeah, you can't bridge if you do that
02:47 < nullboy> i can kill the real subnet's default gw but if you kill the route to the real subnet's network everything dies
02:47 < Rawplayer> nullboy: draw your setup
02:47 < nullboy> k
02:47 < Rawplayer> nullboy: is the client getting his IP from dhcp?
02:47 < Rawplayer> you can also handout /30 netmasks
02:47 < nullboy> client gets real subnet's ip from dhcp and also gets vpn ip from vpn dhcp
02:48 < Rawplayer> ok, what should the client do in his "real" subnet
02:49 < nullboy> let me get all artsy
03:04 < nullboy> http://home.pacbell.net/morticus/openvpn.diar.1.jpg
03:05 < Rawplayer> nullboy: so what are you trying to achieve?
03:06 < Rawplayer> remind that you need to explain something who does not know how your network looks like..
03:06 < Rawplayer> + to someone
03:06 < nullboy> what is not explained in that? did you read the box?
03:07 < nullboy> why are some packets being leaked into the real lan?
03:07 < Rawplayer> nullboy: vpn ip's should not reach internal ip's from real subnet?
03:08 < nullboy> dns, icmp echo req/reply, some aim traffic, that should be using the vpn is hitting the real lan plaintext
03:08 < nullboy> http goes down it though
03:08 < Rawplayer> nullboy: the reason is that your real ip is direct connected
03:09 < Rawplayer> that is preferred instead of using the vpn connection
03:09 < nullboy> i understand that part but if you kill the real route you lose vpn connectivity
03:09 < nullboy> so how can i really force everything down the vpn?
03:09 < Rawplayer> nullboy: setup /30 dhcp entries
03:10 < nullboy> where? on the vpn or the lan?
03:10 < Rawplayer> then you have 2 usable ip's in your subnet
03:10 < Rawplayer> 1 for the lan client
03:10 < Rawplayer> 1 for the other end
03:10 < nullboy> then use host routes?
03:10 < Rawplayer> and then firewall the routing between the subnets on your router
03:11 < Rawplayer> then it works fine
03:11 < nullboy> got it thanks
03:11 < Rawplayer> because you can only reach two ip's when you are not connected to the vpn
03:11 < Rawplayer> instead of the whole subnet
03:12 < nullboy> wait...
03:12 < nullboy> you mean turn the whole physical lan into a /30?
03:12 < nullboy> this is a diagram showing a particular situation that includes a whole LAN
03:12 < nullboy> not just 3 devices
03:14 < nullboy> i think moving the vpn server to the border router would be better
03:14 < Rawplayer> nullboy: you want to reach the other lan clients over the vpn right?
03:14 < Rawplayer> instead of direct?
03:15 < nullboy> i don't think you and me are on the same channel here
03:16 < nullboy> i'll mess with the /30 thing though
03:17 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["battery died"]
03:17 < Rawplayer> nullboy: that is what i mean with " remind that you need to explain something who does not know how your network looks like.."
03:17 < Rawplayer> what an ass
03:30 -!- mahdi_ja [n=chatzill@212.50.230.204] has joined ##openvpn
03:31 < mahdi_ja> hi all.
03:31 < mahdi_ja> can i use openvpn to share an internet connection?
03:35 < dazo> mahdi_ja: ehhh .... not sure what you really are asking about now
03:37 < mahdi_ja> dazo: i have one server and i have one internet connection. if i create a vpn server on my system and another user connects to it, they can use the internet.
03:39 < dazo> mahdi_ja: openvpn will not change things for other users ... depending on how you setup openvpn and how your openvpn server is located in your network, your clients might get access to the VPN network itself too, but the basic Internet communication for other users should not break if things are done properly
03:46 < mahdi_ja> dazo: i have a system with windows 2003 server with 2 nic cards, one connected to the lan and the other to the adsl modem. users with vpn connect to this and use the internet (i share the internet). i want to change this server to linux and openvpn. can i do it with openvpn
03:47 < dazo> mahdi_ja: sounds like a good approach ... yes, you can! :) in fact, this is a very common configuration
03:48 < mahdi_ja> dazo: do you have any resource for this ?
03:49 < dazo> mahdi_ja: what kind of experiences do you have with topics like Linux, networking, iptables and VPN?
03:49 * dazo just needs to know this to find good resources
03:50 < mahdi_ja> in linux and vpn and network good but iptables no.
03:51 < dazo> mahdi_ja: that sounds good! ... iptables is not difficult. I would then recommend you to just setup a default setup, install iptables, but make sure it is completely open in the beginning ...
03:51 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
03:51 * dazo looks for resources
03:52 < onats> !iroute
03:52 < vpnHelper> onats: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
03:52 < onats> !ccd
03:52 < vpnHelper> onats: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
03:52 < onats> !route
03:52 < vpnHelper> onats: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:52 < mahdi_ja> dazo: thank you.
03:53 < dazo> mahdi_ja: np! ... any experience with openvpn?
03:54 < mahdi_ja> dazo: i am now reading this book: OpenVPN
03:54 < mahdi_ja> Building and Integrating Virtual Private
03:54 < dazo> mahdi_ja: I haven't read it myself ... but I believe that can be a good starting point
03:55 < mahdi_ja> dazo: it is simple and useful.
03:57 < mahdi_ja> dazo: have a nice day, bye.
03:57 < dazo> mahdi_ja: I'm not done
03:57 < dazo> mahdi_ja: I'm still looking for your info
04:00 < mahdi_ja> dazo: in "Linux Networking Cookbook" chapter 9 there is a good tutorial for creating a vpn network with openvpn, step by step. i read this, and it is very useful.
04:01 < dazo> mahdi_ja: nice .... does it also cover iptables?
04:01 < mahdi_ja> dazo: yes.
04:01 < dazo> mahdi_ja: then you have all you need already
04:02 * dazo stops searching
04:03 < mahdi_ja> dazo: i will test this and disturb you again.
04:04 < dazo> mahdi_ja: sure! :)
04:04 < mahdi_ja> dazo: thank you my firend
04:05 < mahdi_ja> dazo: thank you my friend i see you again.
04:05 < dazo> mahdi_ja: np
04:05 -!- mahdi_ja [n=chatzill@212.50.230.204] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"]
04:10 < onats> anyone up?
04:11 < onats> i'm having issues on a windows XP box.. route is not working.
04:11 < onats> The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP address table for the machine
04:11 < onats> krzie are you there?
04:15 < dazo> onats: have you studied the --ip-win32 argument?
04:15 < dazo> onats: and --route-method
04:16 < onats> dazo, not familiar with those two
04:16 < onats> yet
04:16 < onats> can you enlighten me?
04:16 < onats> im just having issues with a windows xp client
04:16 < onats> with the exact same configurations, on a win2k3 server box, it connects properly
04:16 < onats> !ip-win32
04:16 < vpnHelper> onats: Error: "ip-win32" is not a valid command.
04:17 < dazo> those set how openvpn will interact with the IP layer in Windows ... which is different in the different windows versions
04:17 < dazo> !man
04:17 < vpnHelper> dazo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:17 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Remote closed the connection]
04:18 < dazo> onats: but it can also be that the TAP device is wrongly created, or you have some mismatch between tap indexes and the available tap devices
04:18 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
04:18 < onats> dazo, but i installed openvpn using the installer with openvpngui
04:18 < dazo> onats: I believe --show-adapters can help you figure out that
04:19 < dazo> onats: yeah, but that's not for sure it always works perfect .....
04:20 < onats> oh boy
04:20 < onats> the problem is the client device isnt in front of me... gahh...
04:20 -!- neverblue [n=jezus@unaffiliated/neverblue] has quit [Read error: 110 (Connection timed out)]
04:21 < onats> dazo, what information can i derive from show adapters?
04:21 < onats> should i reinstall the application then?
04:21 < onats> or recreate the tap drivers?
04:21 < dazo> onats: I don't remember, just reading man pages and throwing out ideas ....
04:21 < dazo> onats: I'd create to recreate tap devices .....
04:22 * dazo checking on a winxp box now .... to see if he sees something clever
04:23 -!- ohzie [n=ohzie@24.174.3.123] has joined ##openvpn
04:24 * dazo sees that --show-adapters gave less info than anticipated
04:24 < ohzie> If I /etc/init.d/openvpn start and I get a fail on the startup, is there anywhere more detailed than 'error' so that I know what I'm supposed to fix?
04:24 < ohzie> Even asking a question about it, I have to know why it's failing first. :P
04:24 < onats> i think you can set verbosity of logs and a log file in the config?
04:24 < onats> #status /tmp/openvpn-status.log #log /tmp/openvpn.log
04:25 < onats> add those to your config file
04:25 < onats> without the comment outs of course
04:25 < ohzie> Well my problem is I don't know where it's putting this error. All I see is "* Autostarting VPN 'server' ..............................[fail]"
04:25 < ohzie> [shell]
04:25 < onats> also set "verb 9"
04:26 < ohzie> Do you know where the default log is?
04:27 < onats> my best bet is to specify a log file
04:28 < ohzie> and that's just " log /path/to/log.file"
04:28 < ohzie> ?
04:28 < onats> yeah
04:28 < onats> but you have to set a verbosity level too
04:28 < dazo> ohzie: default is system logger if openvpn is started as a daemon .... console if not
04:28 < onats> oh that im not sure.. anyway, thats how i use the log file..
04:29 < dazo> verb 9 is very verbose ..... you might catch a lot with verb between 4-6
04:29 < ohzie> Yeah log /path/to/file.name doesn't work
04:29 < ohzie> Anyone else know how I can find or specify a log file? I don't know where 'system logger' would be
04:29 < ohzie> like where I'd read that stuff.
04:30 < dazo> ohzie: which OS?
04:30 < ohzie> ubuntu
04:30 < dazo> ohzie: /var/log/messages most probably
04:31 < dazo> ohzie: if you do ls -ltr /var/log .... in the bottom of this list, you will always find the last changed files
04:31 < ohzie> There's a lot of stuff there, but nothing from openvpn
04:32 < dazo> ohzie: grep openvpn /var/log/* ?
04:33 < ohzie> I found it
04:33 < ohzie> It was putting them in daemon.log
04:33 < ohzie> What a fucking jerk program
04:33 < dazo> onats: you may also check out --show-net ... that gave some info about adapters and their indexes as well
04:33 < ohzie> Okay that's weird "Unrecognized option or missing parameter(s)
04:33 < onats> which is a jerk program? openvpn?
04:33 < onats> heheh
04:34 < ohzie> Yes.
04:34 < ohzie> Okay so if it says server.conf:2
04:34 < ohzie> that means line 2, right?
04:34 < dazo> ohzie: I would guess so, yes
04:35 < ohzie> And now I know what the problem was
04:35 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
04:36 < ohzie> The dick who wrote this sample from his home network used a rich text editor like word. Everything is capitalized properly, at the beginning of a new line. Every single config option in the config file.
04:37 * dazo would never trust people who use rich text editors for writing config files .......
04:37 < dazo> that's like using cannons for fishing
04:40 < ohzie> Or a metal spatula in a nonstick pan
04:40 < ohzie> Thanks for the help, I couldn't have figured it out without you. :D
04:43 * dazo shrugs
05:21 -!- neverblue [n=jezus@S0106001a706142cc.gv.shawcable.net] has joined ##openvpn
05:27 -!- indra [i=c40c2d63@gateway/web/ajax/mibbit.com/x-b83f9aec7fa0b7cc] has joined ##openvpn
05:27 -!- gfolkert [n=greg@c-71-205-63-67.hsd1.mi.comcast.net] has joined ##openvpn
05:28 < indra> hi all
05:28 < indra> I installed openvpn in my debian and configured everything
05:28 < indra> everything is working fine
05:29 < indra> I am using 192.168.53.111 as my vpn server,
05:29 < gfolkert> !route
05:29 < vpnHelper> gfolkert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:29 < indra> now, i want another ip address in 52 domain, like 192.168.52.111 also to act as the vpn server
05:29 < indra> just adding a eth1:1 to the 52.111 ip is not working
05:29 < indra> is there anything else to be configures
05:30 < indra> configured to work with multiple ip address as vpn server
05:33 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:43 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 104 (Connection reset by peer)]
05:48 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
05:49 < tjz> Hello
05:49 < Rawplayer> hi
05:51 -!- indra [i=c40c2d63@gateway/web/ajax/mibbit.com/x-b83f9aec7fa0b7cc] has quit ["http://www.mibbit.com ajax IRC Client"]
05:54 -!- gfolkert [n=greg@c-71-205-63-67.hsd1.mi.comcast.net] has left ##openvpn []
05:54 < tjz> i am getting this error on windows vista system:
05:54 < tjz> openvpn route gateway is not reachable on any active network
05:57 < aar0n> !weather
05:57 < vpnHelper> aar0n: (weather ) -- Returns the approximate weather conditions for a given city.
05:57 < aar0n> !weather braunschweig
05:57 < Rawplayer> !weather
05:57 < vpnHelper> aar0n: Error: HTTP Error 500: Server Error
05:57 < vpnHelper> Rawplayer: (weather ) -- Returns the approximate weather conditions for a given city.
05:57 < Rawplayer> only for us?
05:57 < aar0n> !weather germany
05:57 < vpnHelper> aar0n: Error: HTTP Error 500: Server Error
05:57 < Rawplayer> !weather netherlands
05:57 < vpnHelper> Rawplayer: Error: HTTP Error 500: Server Error
05:57 < aar0n> lame!
05:58 * Rawplayer nullroutes vpnHelper
05:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:23 < dazo> !weather FRA
06:23 < vpnHelper> dazo: The current temperature in Mörfelden-Walldorf, Germany is 39.4F (1:00 PM CET on January 28, 2009). Conditions: Scattered Clouds. Humidity: 73%. Dew Point: 32.0F. Windchill: 33.8F. Pressure: 30.04 in 1017.2 hPa (Steady).
06:23 < dazo> Rawplayer: ^ ^ ^ .... try airport codes ....
06:30 < ecrist> good morning, bitches
06:31 < tjz> good morning
06:31 < tjz> haha
06:44 < tjz> happy chinese new year~~~~~~~~~~
06:56 -!- casa0816 [n=casa@193.197.157.150] has quit ["Leaving"]
07:04 < tjz> anyone into starcraft?
07:07 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
07:08 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:08 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
07:09 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:09 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:12 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:12 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
07:13 < ecrist> dvl, what sort of nastiness are you up to?
07:19 < dvl> ecrist: what were you seeing?
07:19 < ecrist> 07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:20 < dvl> ecrist: Oh, that was dueling IRC sessions. One on each laptop.
07:20 < ecrist> ah
07:20 < dvl> each one trying to get control of the BNC
07:20 < ecrist> BNC?
07:20 < dvl> And I did not notice it.
07:20 < dvl> I call it a BNC, don't know why.
07:20 < ecrist> the mask?
07:21 < dvl> mask?
07:21 * ecrist is confused
07:21 < dvl> http://www.gotbnc.com/
07:21 < dvl> Call it a proxy, that holds my connection when I close my IRC client.
07:22 < ecrist> ah
07:22 < ecrist> I have a solution for that, irssi and screen on one of my servers.
07:22 < dvl> Advantages: logs while I'm away.... keeps my nick..
07:23 < dvl> ecrist: That would work. But I use xchat in a gui. And my solution will work with any IRC client. It is client agnostic.
07:23 < dvl> I do like screen though.
07:23 < dvl> It also means if the kiddies want to flood me, they'll flood my server, not my home connection, or the office, etc.
07:24 < ecrist> I like xchat, but the aqua version hasn't been updated in quite a while, and I've found irssi is more than sufficient.
07:24 < dvl> I prefer mIRC, but it's not available on all my OSes now.
07:25 < ecrist> ick
07:25 < dvl> On the topic of cars? Who said cars.
07:25 * cpm wonders why one would get themselves in a place where 'the kiddies want to flood me' was a real possibility.
07:25 < dvl> Considering buying a new Subaru (would be my 3rd). drove an Outback XT Limited last night.
07:25 < dvl> cpm: Kids acting up in a channel, you kick them out... etc
07:25 < ecrist> where did the car topic come from?
07:26 < cpm> 3rd in how long?
07:26 < dvl> cpm: I've been flooded for having the nick 'dvl'
07:26 < ecrist> my wife has a 2000 2.5RS
07:26 < dvl> cpm: current car is a 2001 Legacy wagon. Bought it new.
07:26 < dvl> cpm: before that, was a '91 used Wagon, sold it because I moved across the pacific.
07:26 < dvl> ecrist: It didn't. ;)
07:28 < mRCUTEO> hiya tjz
07:28 < dvl> cpm: the wife's car, is that a Legacy? what? I do not know it.
07:28 < mRCUTEO> :D
07:28 < ecrist> dvl, are you on drugs?
07:29 < cpm> dvl, well, I sure like subies, I've got just under $300K on my legacy outback. Not sure I'd buy another one, don't care for the new ones so much. but I'll hate it if this one ever goes. She's been fighting off the rust so far, as long as she doesn't get rust, I'll keep fixing her.
07:31 < dvl> ecrist: no, why do you ask? :)
07:31 < dvl> cpm: Mine has 100k miles just now.
07:31 < cpm> what year?
07:32 < cpm> '01?
07:32 < cpm> yer good to go!
07:32 < dvl> cpm: I wanted to upgrade, newer features. That's all. Plus, needs new tires, making some new sounds from the rear. And I have the cash now.
07:32 < ecrist> my wife's next car is going to be an STi
07:32 < dvl> cpm: yes, very reliable car. May see if one of my friends wants it.
07:32 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
07:33 < dvl> Heard about them.
07:33 < dvl> ecrist: It's too small for me. I do a bit of mountain biking, so I need the room to carry the bike in the back if there's salt on the roads, and room for gear on longer trips.
07:36 < dvl> ecrist: I just started my caffeine drip... does that count as drugs?
07:40 < ecrist> perhaps. ;)
07:42 -!- Guest96894 [n=Anon472@86.99.102.197] has joined ##openvpn
07:42 < Guest96894> general ssl question (not related to openssl)
07:42 < Guest96894> i generated a CSR in IIS win 2k3. and have a cert signed from my provider
07:43 < ecrist> ok
07:43 < Guest96894> but, between that period, i deleted the pending request
07:44 < Guest96894> so, now, i'm afraid the CSR also includes a private key??
07:44 < ecrist> what do you mean?
07:44 < Guest96894> it's all in IIS, u familiar with it?
07:44 < ecrist> with a CSR, you generate the request, as well as a matching key.
07:44 < ecrist> the signed certificate is worthless without the key
07:44 < Guest96894> matching key == private?
07:44 < ecrist> yep
07:44 < Guest96894> well, i went into that interface and clicked on "Delete pending request"
07:45 < ecrist> well, sounds like you deleted the key
07:45 < Guest96894> ways to retrieve it?
07:46 < ecrist> none that I know of.
07:46 < ecrist> I'm not familiar with the IIS certificate tools, so would be hard to help you there.
07:46 < ecrist> recover it from the backups I'm sure you're making...
07:46 < Guest96894> i think you are right that it's deleted
07:46 < Guest96894> nah, no backup for this i'm damn sure
07:46 < Guest96894> so i need to have another CSR again?
07:46 < ecrist> first mistake, there. ;)
07:47 < ecrist> yep
07:47 < Guest96894> 1st mistake, production environment!!
07:47 < Guest96894> 2nd point: do CAs provide resigning a request without considering it as a totally new request?
07:47 < Guest96894> i don't want to pay twice!
07:47 < ecrist> yes, they should support you. I know godaddy does.
07:48 < ecrist> just tell them you need to rekey your certificate.
07:48 < ecrist> they revoke the current one and will issue you a new one. everything in the CSR needs to be the same, aside from your private key (same CN, etc)
07:48 < Guest96894> alright..
07:49 < Guest96894> this is relieving!!
07:49 < Guest96894> the director is involved..
07:49 * dazo hopes Guest96894 is having a cooperative CA ...
07:49 < Guest96894> dazo: nah, sadly...
07:50 < Guest96894> there is no reason why we don't have
07:50 < ecrist> really, it's Guest96894's fault to begin with for not having backups.
07:50 < Guest96894> yeah...
07:50 < Guest96894> it's my stupid mistake
07:50 < dvl> Guest96894: For backups, I recommend http://www.bacula.org/
07:50 < vpnHelper> Title: Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix, and Windows (at www.bacula.org)
07:51 < dazo> Guest96894: dvl: http://www.boxbackup.org/ << my recommendation ;-)
07:51 < vpnHelper> Title: Box Backup (at www.boxbackup.org)
07:52 < dazo> (not as heavy and enterprisey as bacula ... even though bacula is good as well)
07:52 < dvl> dazo: I use Bacula to backup my systems at home and abroad. Just me, nobody else. No enterprise here.
07:53 < dazo> dvl: mm ... well, I do the same with boxbackup ... but the footprint of boxbackup is much smaller .... and a lot easier to set up
07:54 < Guest96894> dazo: i'm using windows
07:54 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
07:54 < dazo> Guest96894: I'm sorry for you
07:54 < Guest96894> this is funny
07:55 < dazo> ;-)
07:55 < Guest96894> i'm sad about this case
07:55 < Guest96894> sighhhh :(
07:55 < Guest96894> wondering what message to deliver to my boss hehehehe
07:55 < Guest96894> "i deleted private key, sorry"
07:55 < dazo> dvl: and the feature I like is that it has some kind of file/directory based raid solution embedded ... so it spreads the backup data on the storage server over three directories ... and can then easily be rsynced to 3 different locations and your backup data will not be compromised if one part is lost
07:56 < dazo> Guest96894: you can ALWAYS blame it on bad security in Windows :-P
07:56 < Guest96894> dazo: oh man... he is PRO windows!!
07:56 < Guest96894> dazo: he makes fun of me when talking of open source stuff
07:56 < dazo> Guest96894: now I really, sincerely feel sorry for you
07:56 < Guest96894> dazo: he calls stupid complexity "unix-like stuff"
07:56 < dvl> dazo: I don't understand why that's in your backup solution and not in your filesystem solution.
07:56 -!- Shadowcat [n=Shadowca@static-213-115-110-250.sme.bredbandsbolaget.se] has joined ##openvpn
07:57 < Shadowcat> how long does it usually take to generate dh parameters?
07:57 < dazo> dvl: off-site backup .... to do that in a secure way
07:57 < Guest96894> dazo: i didn't know that windows deletes the private key when the CSR is deleted!!!!!
07:57 < Guest96894> private key is different than CSR >_< - what i know
07:58 * dazo never deletes things if I do not need to delete them
07:58 < Shadowcat> dazo: rm -rf / ;)
07:58 < Guest96894> dazo: there was a need. iis was down, and to bring back the self signed cert i had to delete it
07:58 < Guest96894> dazo: thanks to Windows' narrow-minded gui!
07:58 < Shadowcat> why are you using the GUI if you're managing a windows server?
07:58 < dazo> Guest96894: yeah ... I usually move files away to another directory
07:59 < Guest96894> dazo: its location is not in a directory i guess
07:59 < Guest96894> dazo: i should have used mmc to back it up
07:59 < dazo> Guest96894: aha ... well, I'm not pro-windows ..... you probably noticed :-P
07:59 < Shadowcat> Guest96894: and what's wrong with Windows Explorer?
07:59 < Shadowcat> if it's a key file just copy the file
07:59 < Shadowcat> not very hard
07:59 < Guest96894> Shadowcat: i'm talking about IIS
07:59 < dazo> Shadowcat: it's a key in the certificate register
08:00 < Shadowcat> regedit
08:00 < Shadowcat> :)
08:00 < Guest96894> regedit is ugly
08:00 < Shadowcat> regedit works
08:00 < Guest96894> but ugly and creepy hidden below stuff
08:00 < Guest96894> stuff like i don't know
08:00 < Guest96894> i hope, just hope, my CA will rekey it :(
08:00 < Shadowcat> ok..... so export the entire tree
08:01 < Shadowcat> it's very hard to miss something if you export the entire tree
08:01 < Guest96894> i have no luck
08:01 < Guest96894> see you tomorrow
08:01 < Guest96894> bye
08:01 -!- Guest96894 [n=Anon472@86.99.102.197] has quit ["leaving"]
08:01 < Shadowcat> it'll give you a 100mb txt file, but it'll be there
08:01 < Shadowcat> ...
08:02 < ecrist> what will be there?
08:09 < dvl> pr0n
08:09 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:13 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
08:28 < tjz> hahahaha
08:37 < dvl> ASCII pr0n
08:38 < tjz> oh
08:38 < tjz> hahaha
08:39 < cpm> 100mb ASCII porn file?
08:39 < cpm> need a hi speed dot matrix with a good tractor feed to print.
08:41 < ecrist> and triplicate tractor-feed forms.
08:42 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection]
08:43 < tjz> hAHAHHAHA!!
08:49 -!- kyrix [n=ashley@91-115-25-56.adsl.highway.telekom.at] has joined ##openvpn
09:04 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
09:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:30 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:39 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has joined ##openvpn
09:39 < frankS2> /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf where can i get this file? it's not there
09:40 < frankS2> all the other files are there except whichopensslcnf
09:40 < frankS2> (openbsd)
09:42 < kyrix> well i don't know in openbsd
09:43 < kyrix> http://www.netfrag.org/cgi-bin/dwww/usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf
09:43 < vpnHelper> Title: /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf (at www.netfrag.org)
09:43 < kyrix> probably similar to that one
10:07 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:12 -!- kyrix [n=ashley@91-115-25-56.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:19 -!- Shadowcat [n=Shadowca@static-213-115-110-250.sme.bredbandsbolaget.se] has quit [Read error: 131 (Connection reset by peer)]
10:31 < fbond> Hi, I am assisting someone remotely who is running OpenVPN 2 on a Windows server with the firewall disabled. We are unable to connect to the OpenVPN server at all (Connection refused). We are using port 443 (at his request), and `nc [ip address] 443` gives Connection Refused. Directly on the server, `telnet localhost 443` also gives Connection Refused. Any ideas?
10:32 < krzee> windows firewall
10:33 < krzee> also
10:33 < krzee> it may not be listening on localhost depending on config
10:33 < krzee> !configs
10:33 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:33 < dazo> fbond: check with netstat .... if you have something listening on port 443
10:35 < fbond> dazo: Um, does Windows have netstat?
10:35 < dazo> fbond: well, I believe I've used that on winxp .... yes
10:35 < fbond> krzee: I've been told that Windows firewall is disabled.
10:35 * dazo doesn't have windows access right now ... so he can't check
10:36 < fbond> !configs
10:36 < vpnHelper> fbond: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:36 < fbond> Oh, right.
10:36 < fbond> Where do I paste?
10:37 < dazo> !pastebin
10:37 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
10:37 < krzee> pls remove comments
10:40 < fbond> http://www.pastebin.ca/1320751
10:40 < fbond> That's the server config.
10:40 < fbond> I'm not even using a client yet since I can't connect to the port.
10:41 < fbond> Microsoft Windows [Version 5.2.3790]
10:44 < neverblue> QWToo it doesn't
10:45 < neverblue> QWToo: the extension association, done that way, associates which 'editor' the .ovpn will use. My issue is that the context menu doesn't have the 'Use OpenVPN with this config'
10:45 < neverblue> so it is a bit different
10:46 < krzee> netstat -a
10:46 < krzee> do you see * 443 UDP LISTEN ?
10:46 < krzee> something like that
10:46 < krzee> (no windows here to see exact)
10:47 < krzee> !winfw
10:47 < vpnHelper> krzee: Error: "winfw" is not a valid command.
10:47 < krzee> !factoids search win
10:47 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
10:47 < krzee> hrm
10:47 < fbond> krzee: Yep, waiting for a response on that...
10:52 < krzee> also, i don't think nc uses udp by default
10:57 -!- lvtn [n=azambuja@189.32.146.89] has left ##openvpn []
11:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:30 < fbond> krzee: Agh, my fault.
11:31 < fbond> I was using udp but then testing with telnet/nc over TCP. His firewall, meanwhile, was only port-forwarding TCP.
11:31 < fbond> krzee: Is there a good reason to prefer UDP?
11:31 < krzee> yes
11:31 < krzee> !tcp
11:31 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:34 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn
11:35 < Cope> !route
11:35 < vpnHelper> Cope: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:36 < Cope> hmm
11:36 < Cope> ok - if I have a user with a home network on 192.168.0.1/24 and an office network on the same subnet, how can I route packets reliably between the 2 networks?
11:37 < krzee> by changing one of the subnets
11:37 < Cope> surely on home.lan if I try to hit 192.168.0.31, it won't know which subnet to use?
11:37 < Cope> krzee: is there no other way?
11:37 < dazo> Cope: nope
11:37 < Cope> bugger
11:37 < krzee> there's another way involving nat, but it's the wrong way
11:37 < krzee> and i won't help with it
11:38 < krzee> just change 1 side
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:39 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:39 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:48 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:55 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has quit [Remote closed the connection]
12:04 < fbond> krzee: Can using TCP cause immediate connection reset after authentication?
12:05 < fbond> krzee: I don't see auth errors in the server log...
12:09 < krzee> verb 6
12:09 < krzee> !logs
12:09 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6
12:13 < fbond> I think I have verb 8 right now, acceptable?
12:13 < fbond> krzee: Getting new logs is a round trip to my remote friend...
12:14 < krzee> that's why i never help people who can't access both sides themselves
12:14 < krzee> but i'm making an exception cause i'm bored til my friend gets here to pick me up
12:14 < krzee> which is soon now
12:18 < fbond> krzee: Thanks...
12:20 < krzee> np
12:21 < fbond> krzee: http://www.pastebin.ca/1320851
12:23 < krzee> try to disable all packet filtering in firewalls for that port udp
12:23 < ecrist> will someone make a vpn for me on my network?
12:23 < ecrist> and can you set the rules on my firewall to support the new vpn?
12:24 < fbond> krzee: We're using TCP right now...
12:24 < krzee> !tcp
12:24 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:24 < fbond> krzee: Yes, I was wondering if this problem can be caused by using TCP...
12:24 < fbond> krzee: Do you think that that is the cause?
12:25 < krzee> no
12:25 < krzee> unless your firewall is playing with packets
12:25 < krzee> i'm not used to verb 8 logs
12:25 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has joined ##openvpn
12:26 < fbond> I don't think the firewall is doing any packet filtering on that port.
12:26 < krzee> friend's here
12:26 < fbond> Ack, okay.
12:26 < fbond> Thanks for your help.
12:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
12:26 < kyrix> !route
12:26 < vpnHelper> kyrix: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:27 < kyrix> i always forget this link
12:30 * dazo wonders if vpnHelper is becoming a public bookmark storage :-P
12:30 * dazo goes home
12:48 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
12:53 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has left ##openvpn []
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:06 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:14 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:21 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Connection reset by peer]
13:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:40 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has quit ["Leaving"]
13:40 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has joined ##openvpn
13:42 < krzee> !weather 92109
13:42 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 61.5F (11:44 AM PST on January 28, 2009). Conditions: Partly Cloudy. Humidity: 40%. Dew Point: 37.4F. Pressure: 30.23 in 1023.6 hPa (Falling).
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:47 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:47 < kyrix> oh boy, ashley is getting mad at krzee
13:48 < kyrix> !weather a-1150
13:48 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:48 < kyrix> didn't expect it to work
13:48 < kyrix> ;)
13:48 < reiffert> !weather netherlands
13:48 < vpnHelper> reiffert: Error: HTTP Error 500: Server Error
13:49 < kyrix> !weather austria
13:49 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:49 < kyrix> !weather AT
13:49 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:49 < kyrix> doesn't matter, it's far worse than in san diego
13:52 < reiffert> :)
13:57 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
13:57 -!- worch [i=worch@battletoad.com] has joined ##openvpn
14:00 < krzee> airport code works
14:01 -!- troy- [n=troy@worldnet.tauri.ca] has quit [SendQ exceeded]
14:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
14:02 < kyrix> hehe
14:03 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
14:05 < ecrist> will someone make a vpn for me on my network?
14:05 < ecrist> and can you set the rules on my firewall to support the new vpn?
14:06 < krzee> wassup eric
14:06 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:06 < ecrist> sup krzee
14:07 < krzee> not much man
14:07 < krzee> i'm gunna head into florida to send out those servers
14:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:08 < ecrist> sweet.
14:10 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
14:10 < bigjohnto> on my windows xp box, i have openvpn set up and configs set.... i also have it on a laptop... the laptop works fine and resolves the hostname; on the desktop, which is also windows xp, it gives Cannot resolve hostname.... i can ping the host but for some reason something is blocking it.... any ideas?
14:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:14 -!- kreg is now known as Kreg-Work
14:20 < bigjohnto> norton internet security seems to be the issue
14:20 < bigjohnto> any specific rules to be placed ?
14:22 < kyrix> sorry, don't use norton security, don't use windows. but try checking if there is something where you can allow opening outgoing "ports"
14:22 < bigjohnto> kyrix, 1194?
14:22 < kyrix> well, yes. but outgoing.
14:22 < kyrix> and try just turning it off and seeing if it works
14:23 < kyrix> ah hold on...
14:23 < kyrix> the desktop can't even resolve the hostname.
14:24 < bigjohnto> kyrix, desktop can, but openvpn can't when internet security is on... if i disable it, it works, but i want to see if i can with it enabled....
14:24 < bigjohnto> 1194 outgoing doesn't seem to have resolved it.... is there a binary "/bin" in the openvpngui that does the resolving?
14:25 < kyrix> can't help you really with the windows port
14:25 < kyrix> i could probably barely help you with the linux port ;)
14:25 < bigjohnto> np
14:26 < kyrix> isn't there a list of apps trying to get out? or try adding all the apps under openvpn to the whitelist of your firewall
14:26 < bigjohnto> ok thanks, away for a bit while i try
14:29 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has quit ["Leaving"]
14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:54 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:56 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
15:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
15:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
15:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
15:50 -!- kaii [n=kai@ciphron.de] has left ##openvpn []
15:50 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
15:55 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
16:00 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
16:10 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 104 (Connection reset by peer)]
16:11 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
16:20 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
16:25 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)]
16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
16:26 < neverblue> guys, having an issue with using OpenVPN in Vista. Are there any common resolutions to fix issues (I have the latest release of OpenVPN installed)
16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
16:37 < reiffert> neverblue: start by reading logs.
17:00 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has joined ##openvpn
17:00 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has quit [Client Quit]
17:01 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has joined ##openvpn
17:02 < ocuevas> hello
17:02 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:02 < ocuevas> hello
17:03 < ocuevas> Does anybody know what's the best way to revoke a vpn user?
17:04 < reiffert> revoke the certificate.
17:07 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:07 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
17:09 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit []
17:12 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:13 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:14 < ocuevas> yeah but on the pfsense we don't have the certs on it.
17:14 < ocuevas> how do I create a pem CRL list is maybe a better question
17:15 < reiffert> !howto
17:15 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:17 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:24 < plaerzen> ugh.
17:28 < ecrist> oh, that command should be in
17:28 < ecrist> !crl
17:28 < vpnHelper> ecrist: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
17:28 < vpnHelper> ecrist: openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
17:28 < ecrist> grr
17:28 < ecrist> krzie: fix my damn bot perms
17:28 < ecrist> lemme get the command for you
17:29 < ecrist> openssl ca -gencrl -out CRL.pem -config openssl.cnf
17:30 < reiffert> why not read it up in the howto?
17:31 < ecrist> reiffert: not everyone uses ssl-admin or easy-rsa.
17:31 < reiffert> ecrist: can we assume that everyone uses openvpn that comes to that channel?
17:32 < ecrist> nope
17:32 < ecrist> we get a fair amount of traffic here on general SSL stuff
17:32 < reiffert> ecrist: can we assume further that the official openvpn howto will be valid for all openvpn users that ask questions about openvpn on ##openvpn?
17:32 < ecrist> get up on the wrong side of the bed today, reiffert?
17:33 < reiffert> ecrist: can't remember, just like every other day I guess.
17:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:38 < reiffert> ecrist: maybe it's that I like a general approach much more than a particular solution. The general approach here might help the guys solve a whole bunch of problems altogether...
17:39 < reiffert> at once
17:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:47 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:49 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:52 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:55 < ecrist> ouch, my wiki is a bit out of date.
17:56 < ecrist> I think I'll update it tomorrow.
17:56 < dvl> slacker 17:56 < dvl> sitting around on IRC all day.... 17:56 < ecrist> MediaWiki 1.10.0, current is 1.13.1 17:57 < ecrist> that cuts deep, dvl 17:58 < dvl> ecrist: I can see the sadness in your face. 17:58 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:59 < dvl> That said, my openvpn is running flawlessly. 18:03 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:03 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 18:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:13 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:33 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:40 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has quit ["Leaving"] 19:04 -!- c64zottel [n=hans@p5B1780C8.dip0.t-ipconnect.de] has joined ##openvpn 19:21 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:22 -!- muxpux [n=muxpux@soup.capital-today.net] has left ##openvpn [] 19:30 -!- shadowhywind [n=shadowhy@adsl-69-212-64-136.dsl.milwwi.sbcglobal.net] has joined ##openvpn 19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:31 < shadowhywind> hay all, i just installed the openvpn plugin for knetworkmanager, in my config I have it setup to route all my traffic throught the 
vpn, Can i still do that with the knetworkmanager - openvpn? 19:35 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:59 -!- sputnick [n=sputnick@unaffiliated/sputnick] has joined ##openvpn 19:59 < sputnick> hi there 20:09 -!- c64zottel [n=hans@p5B1780C8.dip0.t-ipconnect.de] has left ##openvpn [] 20:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Client Quit] 20:28 -!- sputnick [n=sputnick@unaffiliated/sputnick] has left ##openvpn ["bip...bip...bip...krssh!...beep...beep...beep"] 20:32 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 20:50 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has joined ##openvpn 20:53 -!- WebGuest [n=WebGuest@S01060014d1348305.ed.shawcable.net] has joined ##openvpn 20:54 -!- shadowhywind [n=shadowhy@adsl-69-212-64-136.dsl.milwwi.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 20:55 < WebGuest> anyone know openvpn well? 20:56 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn 20:57 < tjz> yes, sir! reporting in!! 20:57 -!- WebGuest [n=WebGuest@S01060014d1348305.ed.shawcable.net] has quit [Remote closed the connection] 20:57 -!- krethan [n=krethan@S01060014d1348305.ed.shawcable.net] has joined ##openvpn 20:59 < krethan> i want the server part to see the client's computers 20:59 < krethan> how do i do that 21:02 -!- krethan [n=krethan@S01060014d1348305.ed.shawcable.net] has quit [Client Quit] 21:25 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn 21:27 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 21:50 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 21:50 < prxtien> hey all, does anyone have binaries for powerpc 21:50 < prxtien> i need a binary for a dreambox ;) 21:50 < ecrist> prxtien: there are some out there. 21:50 < ecrist> go to Tunnelblick website (use google to find) and download an old copy of their program. 21:51 < ecrist> actually, a new copy may work, as well. 
21:51 < prxtien> i just cant compile it 21:51 < prxtien> no space to compile on this system 21:51 < ecrist> follow my directions above, you should be fine 21:51 < prxtien> /dev/root 3.9M 3.9M 0 100% / 21:51 < prxtien> /dev/mtdblock/1 2.8M 900.0k 1.9M 32% /var 21:52 * ecrist goes to bed. 21:52 < prxtien> okay 22:13 < frankS2> http://pastebin.com/m7985a474 <-- hello i am having problems with that clients connected to the server can not assign the internal network, this is my config file anyone that could help me? :) 22:27 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 22:30 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn [] 22:35 -!- neverblue [n=jezus@unaffiliated/neverblue] has quit [Read error: 60 (Operation timed out)] 22:44 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn 22:44 < grendal_prime> im looking for info on using one CA for several open vpn servers. 22:45 < grendal_prime> this is probably a simple thing to do..but im unable to locate anything that sounds like what im trying to do. 22:45 < grendal_prime> basically we want one ca where we generate all the certs and keys and the other vpn servers to use those keys and certs. Is this possible with openvpn2.0 ? 22:46 < grendal_prime> we dont want to have to replicate the credentials to the other servers. 22:46 < grendal_prime> does that make any sense? 
23:09 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:49 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection] --- Day changed Thu Jan 29 2009 00:00 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 00:00 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 60 (Operation timed out)] 00:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:38 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 00:46 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn 01:04 < reiffert> moin 01:29 -!- zheng [n=zheng@218.82.136.169] has joined ##openvpn 01:37 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 01:41 < tjz> i sense a chinese.. 02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:47 -!- zheng [n=zheng@218.82.136.169] has quit ["Leaving"] 02:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:41 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has joined ##openvpn 03:48 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 03:55 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)] 03:58 -!- nobody999 [n=bla@89.246.131.77] has joined ##openvpn 04:06 < nobody999> hi 04:06 < nobody999> I'm trying to establish a vpn roadwarrior connection. 04:06 < nobody999> the client is a windows vista machine and the server is a linux machine. 04:06 < nobody999> Both machines are behind a router. 04:06 < nobody999> The openvpn client tells me that the connection is established but a ping from client to server doesn't give an answer. 04:06 < nobody999> I think I have a routing problem. 04:06 < nobody999> Is ther someone who can help me? 
04:10 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 04:12 < nobody999> my routing tables --->http://pastebin.com/d5a3b20bf 04:13 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)] 04:13 -!- kaii [n=kai@ciphron.de] has quit [Read error: 60 (Operation timed out)] 04:14 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 04:15 < dazo> nobody999: do you have some configs as well? 04:16 -!- ikevin_ [n=kevin@ANancy-256-1-121-180.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 04:16 -!- ikevin_ [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has joined ##openvpn 04:16 < dazo> nobody999: at first glance, it looks like you are missing a ' push "route " ' statement in your server config .... I can't say I see any routing being pushed to your internal network behind the server on your client 04:18 < nobody999> can you tell me how the route should look like? 04:19 < dazo> nobody999: I would presume .... route 192.168.0.0 255.255.255.0 04:23 < nobody999> my server.conf -->http://pastebin.com/d5881fb3c 04:24 < nobody999> you think the route 192.168.0.0 is wrong? 04:25 < dazo> nobody999: seems you have the route here .... did you modify the config before posting it? .... this route should show up in your windows box .... 04:25 < dazo> nobody999: are you running openvpn with privileges? It needs administrator (or maybe networking is enough) privileges to be able to add that route on your client 04:26 < dazo> nobody999: check your log files carefully for errors .... 
use verb 3 in client config to find most obvious failures 04:27 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:28 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 110 (Connection timed out)] 04:29 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)] 04:30 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 04:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:33 < nobody999> I didn't modify the configs 04:34 < nobody999> openvpn is running as root 04:34 < nobody999> and I have verb 3 in client conf but I don't see an error:( 04:36 < dazo> nobody999: but is openvpn running with admin privileges on your windows box? 04:36 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection] 04:37 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 04:37 < nobody999> yes it is 04:37 < nobody999> client logfile --->http://pastebin.com/d54278110 04:37 * dazo needs to catch a tram in 5 min 04:38 < dazo> client log looks fine .... it claims to have the route setup OK .... 04:38 * dazo don't understand why it do not show up with the route command 04:39 < nobody999> are you sure there is a route missing? 04:39 < dazo> nobody999: I'm so so so sorry! I see the route now .... 
04:39 < dazo> 192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 31 04:39 < nobody999> :) 04:40 * dazo is blind 04:40 < dazo> but needs to run now 04:40 < nobody999> but I get no answer when i send a ping 04:40 < nobody999> iptables on server is disables 04:41 < nobody999> on windows firewall is also disables 04:41 < nobody999> disabled 04:42 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 05:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 05:54 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has quit [Remote closed the connection] 06:17 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has quit ["Leaving."] 06:47 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 06:47 < metbsd> this channel is my last hope.. 06:48 < metbsd> my client can connect from nic1 1.2.3.4/255.255.255.0, but cannot ping 5.6.7.8/255.255.255.192 06:48 < metbsd> how should i config them 06:51 < reiffert> so you have a working openvpn setup, means client connects to server? 06:51 < metbsd> yes 06:51 < metbsd> this pc has two nics, two networks 06:51 < metbsd> 1.2.3.4/255.255.255.0 is where client connect openvpn 06:51 < reiffert> all you want is to have the client get routing information like: send all the stuff that belongs to 5.6.7.8/6 directly over the openvpn 'wire'? 06:52 < metbsd> 5.6.7.8/255.255.255.192 is at nic2 06:52 < metbsd> i need this client to ping 5.6.7.1/255.255.255.192 06:52 < reiffert> nic2 of what host? 06:53 < metbsd> nic1 and nic2 are on same pc 06:53 < reiffert> server or client? 06:53 < metbsd> server 06:53 < metbsd> nic1 and nic2 are on same server 06:53 < reiffert> have push "route 5.6.7.0 255.255.255.192" in your server config 06:53 < reiffert> push "route 5.6.7.0 255.255.255.192" 06:53 < metbsd> yes did that 06:53 < reiffert> great. 06:54 < metbsd> it's wrong? 06:54 < reiffert> no. 06:55 < metbsd> what should i put for 'server' 06:55 < reiffert> sorry? 
06:55 < metbsd> for the option "server ...." 06:55 < reiffert> 13:55 < reiffert> so you have a working openvpn setup, means client connects to server? 06:55 < reiffert> 13:55 < metbsd> yes 06:55 < reiffert> dont change anything but add a single line: 06:55 < reiffert> 13:58 < reiffert> push "route 5.6.7.0 255.255.255.192" 06:56 < reiffert> the option "server ..." does not change. 06:56 < metbsd> ok 06:57 < reiffert> restart openvpn, reconnect the client, paste the complete routing table of the client 06:57 < reiffert> to pastebin.ca 06:58 < metbsd> ok 07:00 < metbsd> nic1 for internet: 192.168.1.118/255.255.255.0 07:00 < metbsd> nic1 for internet vpn client: 192.168.1.118/255.255.255.0 07:00 < ecrist> good morning, chicken fuckers! 07:00 < metbsd> nic2 for LAN: 10.100.1.8/255.255.255.192 07:02 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 07:02 < metbsd> reiffert: can you plz help me 07:02 < reiffert> 14:01 < reiffert> restart openvpn, reconnect the client, paste the complete routing table of the client 07:02 < reiffert> 14:02 < metbsd> ok 07:02 < reiffert> 14:02 < reiffert> to pastebin.ca 07:02 < reiffert> still waiting for that. 07:03 < metbsd> ok it's coming 07:03 < metbsd> thanks for help 07:05 < metbsd> http://pastebin.ca/1321713 07:06 < metbsd> plz help me out 07:06 < reiffert> Let's fix the conversational problems first: 07:07 < reiffert> a "routing table" is what you get by entering the command: netstat -nr 07:07 < reiffert> what you got me is the openvpn logfile 07:07 < metbsd> ok 07:07 < metbsd> wait plz 07:08 < metbsd> i'm on windows.. 07:08 < metbsd> ok asking client to send it over 07:09 < reiffert> !configs 07:09 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:09 < reiffert> gonna need that as well. 
07:12 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)] 07:13 < metbsd> http://pastebin.ca/1321720 server/client conf file 07:15 < reiffert> looks ok, but we still need the clients routing table. 07:16 < reiffert> open a dosbox (start->run->cmd enter), type netstat -nr 07:17 < reiffert> the client logfile would be nice to have as well 07:18 < metbsd> ok 07:19 < metbsd> http://pastebin.ca/1321725 netstat 07:21 < reiffert> As we can see from line 14, the push "route 10.100.1.0 255.255.255.192" worked. 07:22 < metbsd> but he cannot ping 10.100.1.1 from nic2(10.100.1.8/255.255.255.192) 07:22 -!- nobody999 [n=bla@89.246.131.77] has quit [] 07:22 < reiffert> does ping 10.100.1.8 work? 07:22 < reiffert> on the client 07:23 < metbsd> yes 07:23 < reiffert> whats the default gateway of the 10.100.1.0/26 net? 07:24 < metbsd> empty 07:24 < metbsd> i didn't set it 07:24 < metbsd> wait 07:24 < metbsd> i set it 07:24 < metbsd> 10.100.1.1 07:24 < reiffert> how should 10.100.1.1 know where to send packets to that should get outside of 10.100.1.0/26 then? 07:25 < reiffert> ah, so 10.100.1.1 is the default gw for that net? 07:25 < metbsd> for nic2, 10.100.1.8/255.255.255.192 as netmask, and default gateway is 10.100.1.1 07:25 < metbsd> yes 07:25 < reiffert> what kind of operating system is running on 10.100.1.1? 07:25 < metbsd> linux 07:25 < metbsd> redhat 07:25 < reiffert> great. go to that computer and add a route: 07:26 < metbsd> ok 07:26 < reiffert> route add -net 10.100.2.0 255.255.255.0 gw 10.100.1.8 07:26 < reiffert> wait 07:27 < reiffert> route add -net 10.100.2.0/24 gw 10.100.1.8 07:28 < reiffert> then from the commandline of 10.100.1.1 type: ping 10.100.2.5 07:30 < metbsd> it works 07:30 < metbsd> but why though 07:30 < reiffert> look: 07:31 < reiffert> packets that come from the client have the source IP 10.100.2.5, right? 07:31 < metbsd> yes 07:32 < reiffert> they come to the openvpn server. 
the server knows: ah, the destination PC, 10.100.1.1 is on NIC2, so I pass the packet to that interface 07:32 < reiffert> the packet reaches 10.100.1.1 who then sends a ping reply to 10.100.2.5, which he knows can be reached at 10.100.1.8 07:33 < metbsd> i see 07:33 < metbsd> thanks a lot man 07:34 < reiffert> when you send a ping packet to 10.100.1.200, that machine will send the ping reply packet to 10.100.1.1 who tells the 10.100.1.200 machine: hey dude, the 10.100.2.0 net can be reached on 10.100.1.8, and 10.100.1.200 will follow that 07:34 < metbsd> oh, 07:34 < reiffert> oh? 07:34 < metbsd> and after that? 07:35 < reiffert> machine 10.100.1.200 will send the ping reply to 10.100.1.8 which is your openvpn server, which sends the packet to the openvpn client. 07:35 < metbsd> ah 07:35 < reiffert> cool, eh? 07:36 < metbsd> yah, networking is ,, fantastic 07:36 < metbsd> how do you get so good 07:36 < reiffert> I call that basic concepts of networking. 07:36 < metbsd> ok thanks man 07:36 < metbsd> i'm vpn newbie 07:37 < metbsd> i don't know how it works 07:37 < metbsd> good night 07:37 < reiffert> welcome 07:37 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn [] 07:58 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 08:11 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:16 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 08:21 -!- c64zottel [n=hans@141.37.33.125] has quit [Client Quit] 08:21 -!- aurel42 [n=aurel@p57923313.dip.t-dialin.net] has joined ##openvpn 08:21 < aurel42> Ah, that's nice. 08:21 < aurel42> !route 08:21 < vpnHelper> aurel42: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 08:24 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 08:25 < aurel42> That doesn't seem to help. 08:25 < ecrist> aurel42: we need more information to help you. 
08:26 < aurel42> I'm trying to tunnel a routed network (non-RFC 1918), I'd like to know whether OpenVPN has special provisions for handling the default route. 08:26 < ecrist> I don't know what you're asking, specifically. 08:26 < reiffert> !redirect 08:26 < vpnHelper> reiffert: Error: "redirect" is not a valid command. 08:26 < aurel42> In a perfect world, it would set up a new default route when establishing the tunnel, and revert to the "old" default route when the tunnel went down. 08:27 < ecrist> there is a lot of information on the howto on setting default routes 08:27 < aurel42> Uhm. Lemme go back there. 08:27 < reiffert> aurel42: check out the manpage, --redirect-gateway with option def1 in particular. 08:27 < ecrist> aurel42: that topic is covered well on the howto 08:27 < aurel42> reiffert: thanks, I'll look in the howto specifically for --redirect-gateway 08:28 < aurel42> I mainly checked the FAQ and the man page and was looking for a term like "default route" ;) 08:28 < reiffert> aurel42: which leads you to --redirect-gateway def1 08:28 < reiffert> at least for my 2.1 manpage. 08:29 < aurel42> Now that I know what I was looking for, I can clearly see it's there. 08:29 < aurel42> I bet you won't believe me that it wasn't, before. :D 08:30 < reiffert> selfadjusting manpage, nice one 08:31 < ecrist> I hate when that happens. 08:31 < aurel42> 0.0.0.0/1 - what a neat trick, I would've never thought of that. 08:32 < reiffert> ecrist: it happens when I read C library manpages and after that look at example code. 08:33 < aurel42> Well, if it works, I'm probably going to timeout now. 08:36 -!- aurel42 [n=aurel@p57923313.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 08:43 < reiffert> outtiming is one thing ... 08:43 < reiffert> not coming back the other ... 
08:43 < ecrist> hehe 08:54 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 08:54 -!- nobody999 [n=bla@89.246.131.77] has joined ##openvpn 08:56 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit] 09:03 -!- Bushmills [n=nnnl@verhau.de] has left ##openvpn ["Leaving."] 09:09 < nobody999> hi 09:09 < nobody999> I have a established roadwarrior connection. 09:09 < nobody999> if the roadwarrior send a ping to the vpn server or another client on the server side I get an answer. 09:09 < nobody999> But if I try to access a website nothing happens.Only websites on the vpn server can be accessed, but not on the other machines in the same subnet. 09:09 < nobody999> how can that be? 09:14 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)] 09:23 < ecrist> nobody999: you need to setup a proper default route, and NAT from the VPN server out to the internet for VPN clients. 09:27 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 09:28 < nobody999> I think i have:) 09:28 < nobody999> and a ping is working to all machines 09:28 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 09:29 < nobody999> but I have no access via http to the router for example 09:30 < ecrist> I'd check your firewall, then. 09:40 < nobody999> oh I see the firewall tells me "LAN-side SYN Flood" 09:44 < nobody999> ok it was the IP Flood Detection 09:44 < nobody999> thanks:) 09:46 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn 09:46 < clustermagnet> gents, question :) 09:46 < clustermagnet> i've been using openvpn for quite some time, for small tasks 09:47 < clustermagnet> im about to roll out a bigger VPN network, and need your advise 09:47 < clustermagnet> lets say there is an office, with a NAS, exporting CIFS and NFS... 
09:47 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn 09:47 < clustermagnet> lets say that network is 10.10.10.20/24 09:47 < ecrist> nobody999: np. Our chan topic is usually accurate... 09:47 < clustermagnet> if you have road warrior VPN clients and macbook pros running openvpn clients 09:48 < clustermagnet> can they easily mount to these cifs/nfs exports via openvpn? :) 09:48 < ecrist> clustermagnet: yes, but I'd recommend soft mounts for NFS 09:48 < clustermagnet> ecrist: awesome :) 09:48 < clustermagnet> ecrist: the tunnel configuration on the clients.... should it be TUN or TAP? 09:48 < ecrist> hard mounts, if the connection goes down, will hang the client machine. 09:49 < ecrist> clustermagnet: I recommend TUN, unless you have a legit reason for needing TAP. 09:49 < clustermagnet> ecrist: perfect 09:49 < ecrist> i.e. a non-IP protocol 09:49 < ecrist> like NetBIOS 09:49 < clustermagnet> ecrist: i'm having issues now with NFS, thats why i asked :( 09:49 < clustermagnet> ecrist: thanks :) 09:49 < ecrist> clustermagnet: i'd recommend against NFS shares over a VPN 09:49 < clustermagnet> ecrist: do you mind looking into my current issue as well? :) 09:49 < ecrist> use something more fault tolerant 09:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:50 < clustermagnet> right now, I have a VPN server, im hosting it az an instance on EC2 :) 09:50 < clustermagnet> so there are 2 clients connecting, one from home, other from office 09:50 < clustermagnet> home client has an NFS server with some music 09:50 < clustermagnet> i'd love to mount the same export in the office 09:50 < clustermagnet> ]thats not working :( 09:52 -!- nobody999 [n=bla@89.246.131.77] has quit [] 09:52 < ecrist> clustermagnet: why not use MacFUSE or something similar? 09:52 -!- Gorkhaan [n=Administ@87.229.108.75] has joined ##openvpn 09:53 < ecrist> absolves the need for a VPN all together, really. 
09:53 < ecrist> complicated != better 09:53 < clustermagnet> ecrist: macfuse, as in ssh mounts? 09:54 < clustermagnet> ecrist: now, there is a larger task, reason why it has to be NFS 09:54 < clustermagnet> essentically the NAS is configured to export the same files via CIFS and NFS :) 09:54 < clustermagnet> thats why i have to stick to NFS 09:54 < clustermagnet> in anycase, do you know why i cant mount up NFS in such fashion? :) 09:54 < ecrist> nope 09:55 < clustermagnet> ecrist: you sure i can mount up NFS/CIFS with road warriors then? 09:55 < ecrist> don't know why you couldn't. 09:55 < ecrist> I do it here on occasion 10:00 < clustermagnet> ecrist: do you mount NFS or CIFS, or both 10:01 < ecrist> NFS 10:02 * dazo uses CIFS over VPN from time to time as well 10:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:05 < clustermagnet> dazo: ecrist thanks guys 10:08 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 10:13 < reiffert> well, CIFS was designed to play a role in LANs. 10:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 10:37 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Read error: 104 (Connection reset by peer)] 10:41 < dvl> anyone seen a traffic shaper for LInux that limits incoming bandwidth? Say so your client doesn't upload more than 100KB/s for example. 10:41 < dvl> I'm *told* they exist only for outgoing connections. 10:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:45 < reiffert> dvl: so it is. 10:46 < reiffert> dvl: there is some igress shaping concept but it doesnt work well as part of IP. http://lartc.org for better understanding. 10:46 < vpnHelper> Title: Linux advanced Routing & Traffic Control HOWTO (at lartc.org) 10:46 < reiffert> damn, thats linux. 
10:47 < ecrist> dvl: pf can limit in both directions, works best with a bridging gateway with in inbound and outbound NIC 10:47 < ecrist> I've got a wiki page on it, let me find it 10:47 < dvl> reiffert: some people keep asking for traffic management as part of Bacula. Most devs say no, we won't do it. 10:47 < ecrist> http://www.secure-computing.net/wiki/index.php/Traffic_Shaping_with_pf/ALTQ 10:47 < vpnHelper> Title: Traffic Shaping with pf/ALTQ - Secure Computing Wiki (at www.secure-computing.net) 10:47 < dvl> ecrist: Yes, to pf, I know that solution, but this guy needs linux. 10:48 < ecrist> oh, linux FTL 10:48 < reiffert> dvl: http://lartc.org/howto/lartc.adv-qdisc.ingress.html 10:48 < vpnHelper> Title: Ingress qdisc (at lartc.org) 10:48 < ecrist> dvl, you could probably hack something together with a gif interface and limit traffic between eth0 and the gif 10:48 < reiffert> dvl: there is nice and working approach: have a real interface and a virtual one. The ingress on the real interface is egress heading to the virtual one, and that one can be shaped. 10:49 < reiffert> dvl: was doing this once, let me get some details. 10:49 < ecrist> hah reiffert! I beat you to it. 10:49 * ecrist > reiffert (today anyway) 10:49 < dvl> reiffert: nice. 10:50 < reiffert> dvl: it called imq 10:50 < reiffert> http://snap.reifferscheid.org/imq.sh.txt 10:51 < reiffert> well thats what's left in my projects/ folder, I remember it was working :) 10:52 < reiffert> and here is more about it http://lartc.org/howto/lartc.imq.html 10:52 < vpnHelper> Title: The Intermediate queueing device (IMQ) (at lartc.org) 10:52 < reiffert> ecrist: time to show up now. 10:53 * ecrist slinks away 10:54 < reiffert> dvl: I remember I had to try several kernel versions until I got a working module ... 10:54 < reiffert> dvl: back in 2.6.1x times. 10:57 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn [] 11:01 < ecrist> dvl: bacula doesn't have a means to throttle backup bandwidth? 
11:11 < dvl> ecrist: correct, by design. 11:22 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 60 (Operation timed out)] 11:22 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:23 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 11:24 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:25 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn 11:43 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 11:54 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."] 12:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:01 < ecrist> dvl, seems like a missing feature to me. 12:01 < ecrist> it uses rsync and similar protocols, doesn't it? 12:07 < dvl> ecrist: it does not. 12:29 -!- xattack [i=xattack@132.248.108.239] has quit [] 12:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:39 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:43 -!- dgodfather [n=dgodfath@bzq-79-179-78-211.red.bezeqint.net] has joined ##openvpn 12:43 < dgodfather> Hi to all 12:44 < ecrist> dvl, seems like a missing feature to me. 12:44 < dgodfather> i can't succeed configuring my openvpn i dont know why anymore. i read the articles and followed it 12:44 < ecrist> what articles? 12:45 < dgodfather> still can't. 
when i tried to use a tap interface and bridge it, it failed mostly because of the bridging itself 12:45 < dgodfather> ecrist, sorry bad choice of words, meant the tutorial in openvpn site 12:46 < dgodfather> and when trying to work with tun, i get the new network for the vpn connection but cant even ping between hosts with that address 12:46 < dgodfather> can you please help me, it's very important and please guide me with what ever you need for that 12:46 < dgodfather> i will supply all relevant files and configurations i have 12:47 < dgodfather> except the .key .crt files etc :) 12:47 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:47 < ecrist> read channel topic 12:47 < dgodfather> i wasted my whole day on that and still it doesn't work 12:47 < dgodfather> yeh i see you need configs and logs 12:48 < dgodfather> where are the logs? 12:48 < ecrist> ::gran:: 12:48 < ecrist> !logs 12:48 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 12:48 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 12:48 < ecrist> !configs 12:48 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:48 < dgodfather> i am exactly now pasting the .conf files 12:48 < dgodfather> OK that will take a few 12:49 < dgodfather> Linux debian 2.6.26-1-amd64 12:49 -!- xattack [n=xattack@132.248.108.239] has joined ##openvpn 12:52 < dgodfather> ecrist, server.conf -> http://pastebin.com/m4b287db3 12:55 < ecrist> dgodfather, with tun, were you able to get a working VPN, where the client could connect to and ping the VPN server? 
12:56 < dgodfather> nope 12:56 < dgodfather> it can't even ping the server 12:56 < dgodfather> sending the client config 12:56 < dgodfather> client config -> http://pastebin.com/m6740ba0e 12:57 < dgodfather> though i got to say it doesn't feel to good exposing the whole structure of my vpn 12:57 < ecrist> lol, you're nothing special 12:57 < ecrist> you're not revealing anything that couldn't be found out in other ways 12:57 < dgodfather> yeh i know and yet many people just like to ruin other peoples lives for fun 12:58 < dgodfather> true, that is because i am trying not to :) 12:58 < ecrist> first problem, dev needs to match between client and server 12:58 < ecrist> your client config show tap, server config tun 12:58 < dgodfather> they are both dev tun 12:58 < dgodfather> ohhhhh well it was changed now 12:58 < dgodfather> sec let me check again 12:58 < ecrist> well, then pastebin.com changed it on you 12:59 < dgodfather> nope, i changed it trying to make things work from one form to the other 13:00 < dgodfather> last time i forgot to return it, none the less still i cant ping the server 13:00 < dgodfather> by the way the debian is for the server 13:00 < ecrist> now, you could have changed the remote address to not reveal that. ;) 13:00 < dgodfather> the client is on windows 13:00 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has joined ##openvpn 13:00 < ecrist> I gathered that part. 13:00 < dgodfather> ohhhhhhh shit 13:00 < dgodfather> well i will change that 13:00 < ecrist> too late 13:01 < dgodfather> ecrist, well you are kind of making me worry 13:01 < ecrist> lol 13:01 -!- Gorkhaan [n=Administ@87.229.108.75] has quit [Read error: 110 (Connection timed out)] 13:01 < dgodfather> well how can i make my vpn work? 13:02 < ecrist> dgodfather: with the client config set to tun, your client should be able to connect, if the local statement in your server config and your server-side firewall are setup correctly 13:02 < ecrist> why do you have local ? 
13:02 < dgodfather> what do you mean my local statement?
13:02 < dgodfather> ohhhhhh just because i tried that too.
13:02 < ecrist> line one of your server.conf: local 192.168.2.100
13:02 < dgodfather> remove it?
13:03 < ecrist> yes
13:03 < ecrist> and restart openvpn on the server
13:04 < dgodfather> OK, still no ping
13:04 < ecrist> hang on. I didn't tell you to connect yet, did I?
13:05 < dgodfather> no you didn't
13:05 < dgodfather> disconnected
13:05 < ecrist> after a restart, is openvpn on the server listening to the public IP of the server?
13:06 < dgodfather> well i am behind a router so i guess it should be listening to the router address?
13:06 < dgodfather> and how do i establish if that is the case?
13:08 < dgodfather> ecrist, are you here?
13:09 < ecrist> dgodfather: yes, I'm here, but I have a job that pays me to be somewhere else, too. be patient
13:09 < dgodfather> it's OK, i am waiting just didn't know where you went
13:09 < ecrist> dgodfather: is your openvpn server on a machine physically behind your LAN gateway?
13:10 < dgodfather> yes
13:11 < ecrist> ok, do you have a proper port-forwarding rule setup on your internet gateway to redirect udp port 1194 to your openvpn server?
13:12 < dgodfather> yes
13:13 < dgodfather> otherwise the client will not have been able to successfully connect
13:22 -!- Federico2 [n=Fede@193.200.193.239] has quit ["Leaving"]
13:25 < ecrist> you didn't tell me it successfully connected.
13:27 < dgodfather> yes i did, i said it's connected only it doesn't ping the server
13:27 < dgodfather> and the server can't ping it as well
13:28 < ecrist> 13:04 < dgodfather> OK, still no ping
13:28 < dgodfather> yep no ping
13:28 < dgodfather> what do i do to make it work
13:28 < dgodfather> ?
13:28 < ecrist> I need to see your client logs
13:28 < dgodfather> where can i find them?
13:29 < ecrist> !logs
13:29 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
13:29 < dgodfather> yes well it doesn't really give me the location does it?!
13:29 < dgodfather> but i found them
13:30 < dgodfather> it's in the logs directory of the installation in windows
13:33 < dgodfather> ecrist, http://pastebin.com/m3963e177
13:34 < ecrist> dgodfather: is that a recent log?
13:34 < ecrist> says 6:55AM today
13:35 < ecrist> not sure what timezone you're in
13:35 < dgodfather> sec
13:35 < dgodfather> im from israel
13:36 < ecrist> ok
13:37 < dgodfather> i will send another one which i think is the correct one
13:37 < dgodfather> sorry for the hassle
13:37 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has left ##openvpn []
13:37 < dgodfather> http://pastebin.com/m27b473b8
13:38 < ecrist> still shows you using a tap device
13:38 < ecrist> thought we were doing tun here.
13:39 -!- blako [n=chatzill@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
13:39 < dgodfather> wait i changed it. you know what, i am deleting all log files, reconnecting and sending you the log
13:40 < ecrist> I'm sorry, but I've gotta get back to some of my own work. I'll be on still in about an hour, if you wait, otherwise someone else can help you.
13:40 < dgodfather> well i will be here in an hour then thank you
13:40 < dgodfather> unless someone else wants to help me?
13:48 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
13:54 < krzee> whats the problem?
13:54 < krzee> if it doesnt take long ill help
13:54 < krzee> (im on vacation)
13:55 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
13:55 < krzee> looks like you cant connect, or can connect but no ping
13:55 < krzee> (from a quick scroll-up)
13:56 < krzee> dgodfather
13:58 < dgodfather> krzee, YES SORRY
13:58 < dgodfather> krzee, yes i connect but no ping
14:00 < dgodfather> it's very important to me cause it's for school stuff. i want any remote connection to my pc to be secure and heard openvpn is very much so
14:00 < dgodfather> but i can't succeed in making it work for me. not tun nor tap configuration
14:00 < dgodfather> krzee, are you still here?
14:03 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Remote closed the connection]
14:18 < krzee> !logs
14:18 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:18 < krzee> !configs
14:18 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:19 < krzee> so the goal is to access files on your home server while outside the house
14:19 < krzee> possibly to upload homework, that sort of thing...
14:20 -!- xattack [n=xattack@132.248.108.239] has quit []
14:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
14:47 -!- MTecknology [n=MTecknol@unaffiliated/mtecknology] has joined ##openvpn
14:47 < MTecknology> anybody have experience setting up ovpn on pfsense?
14:57 < krzee> MTecknology, isnt pfsense just freebsd bundled with some tools and a web gui?
14:59 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit []
15:01 < dgodfather> krzee, hi,
15:02 < ecrist> krzee: yes.
15:02 < ecrist> MTecknology: see here:
15:02 < ecrist> !freebsd
15:02 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
15:02 < dgodfather> krzee, not only, i need to give access to a friend to my network
15:02 < dgodfather> ecrist, hi
15:02 < dgodfather> would you like to help me now?
15:03 < dgodfather> ecrist, keep on going where we stopped
15:04 < ecrist> dgodfather: switch your server and client back over to tun
15:04 < dgodfather> ecrist, they are in tun
15:04 < dgodfather> i can send the latest log
15:04 < ecrist> you've got about 10 mins before I go out to the living room and grab a beer.
15:04 < ecrist> please do so
15:05 < dgodfather> client log -> http://pastebin.com/m686a6c80
15:05 < ecrist> ok, from the client, you should be able to ping 10.8.0.1
15:06 < dgodfather> ecrist, well i can't
15:06 < ecrist> then the server has a firewall, blocking the traffic
15:06 < dgodfather> i get request timed out
15:07 < ecrist> on the server, what are the contents of openvpn-status.log?
15:07 < dgodfather> i will delete all firewall rules
15:08 < dgodfather> http://pastebin.com/m76b7a3f
15:09 < ecrist> ok, without the firewall rules, does ping work?
15:10 < dgodfather> well b4 it didn't now it does
15:10 < dgodfather> that's good but that is not all
15:10 < ecrist> ok, now what?
15:10 < dgodfather> my lan has different ip
15:10 < krzee> hah now he posts those
15:11 < krzee> i was waiting for !logs !configs for awhile
15:11 < dgodfather> i want my server address processes to be available to someone connected from the vpn
15:11 < ecrist> krzee: it's been an up-hill battle
15:11 < dgodfather> say my ip is 192.168.2.100
15:11 < krzee> i see
15:11 < dgodfather> my vpn ip is 10.8.0.1
15:11 < krzee> dgodfather,
15:11 < krzee> !route
15:11 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:12 < krzee> or is the server process on the same machine?
15:12 < dgodfather> it is on the same machine
15:12 < dgodfather> on the server of the ovpn
15:12 < ecrist> dgodfather: the server running openvpn is the system with the files you want to share, right?
15:13 < dgodfather> yes
15:13 < ecrist> then you don't need to worry about the other network
15:13 < dgodfather> and processes i want to share access to
15:13 < krzee> push a route
15:13 < ecrist> if they're all on the vpn server, then that's all you need.
15:14 < krzee> then you will be able to access it by lan ip of vpn server over the vpn
15:14 < dgodfather> now isn't it better and more correct to use tap and bridging?
15:14 < ecrist> dgodfather: not if everything you want to share is on the vpn server
15:14 < krzee> negative
15:14 < krzee> !tunortap
15:14 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
15:14 < ecrist> tap is for ethernet protocols, tun is for IP protocols
15:14 < dgodfather> i will be able to use the 192.168.2.100 from the 10.8.0.6 client?
15:14 < ecrist> NO
15:14 < ecrist> use 10.8.0.1
15:14 < krzee> if you push a route
15:15 < dgodfather> wait if i push a route i can use 192.168.2.100 and if not i can use 10.8.0.1 only but it's the same result?
15:15 < krzee> if the route is pushed, i think he can access either interface, more correct is to access 10.8.0.6
15:16 < krzee> assuming firewall allows and ip_forward is enabled
15:16 -!- MTecknology [n=MTecknol@unaffiliated/mtecknology] has left ##openvpn [""http://profarius.com/""]
15:16 < dgodfather> but a push is towards the client not other way around isn't it?
15:16 < krzee> right, the client needs the route to server's lan ips
15:16 < krzee> so the server pushes the route to the client
15:17 < krzee> as if you were going to access the lan behind the vpn server
15:17 < dgodfather> so the server pushes the route to the client, and the client can now use the 192.168.2.100 to access the server
15:18 < dgodfather> great thank you guys
15:18 < dgodfather> you were a big help
15:18 < krzee> np
15:19 -!- dgodfather [n=dgodfath@bzq-79-179-78-211.red.bezeqint.net] has quit ["Leaving"]
15:20 < ecrist> *bang* *bang*
15:21 * ecrist drinks beer
15:29 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
15:29 < Rawplayer> !bridge
15:29 < vpnHelper> Rawplayer: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
15:29 < vpnHelper> Rawplayer: where the protocol uses MAC addresses instead of IP addresses.
15:29 < Rawplayer> !alive
15:29 < vpnHelper> Rawplayer: Error: "alive" is not a valid command.
15:29 < Rawplayer> hey, i have freebsd with openvpn (works fine)
15:30 < Rawplayer> but for some reason i wont get the default gw pushed
15:30 < Rawplayer> the thing is, the tap0 interface and a physical interface are in bridge1
15:30 < krzee> you're bridging?
15:30 < krzee> ya you dont push gateway like that in bridge mode
15:30 < Rawplayer> the only ip i have used is on bridge1
15:31 < krzee> why are you using bridge?
15:31 < Rawplayer> to connect my wifi network to my wired network
15:31 < Rawplayer> and to use windows networking in a nice way
15:31 < Rawplayer> but that is not the point
15:32 < Rawplayer> how can i get a gateway on my client?
15:32 < krzee> hah
15:32 < krzee> bridging in same lan with openvpn?
15:32 < Rawplayer> yes
15:33 < krzee> using same ips as wired lan?
15:33 < Rawplayer> yes, the same subnet
15:33 < krzee> err same subnet
15:34 < Rawplayer> i was thinking about setting up a normal dhcp server instead of using the dhcp from openvpn
15:34 < krzee> then you shouldnt need to push any gateway
15:34 < Rawplayer> krzee: sure i do, how can i otherwise get on the internet
15:34 < Rawplayer> with my clients
15:34 < krzee> let it get its ip from the lan dhcp server
15:37 < krzee> http://openvpn.net/index.php/documentation/install.html?start=1#dhcp
15:37 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
15:37 < krzee> Notes -- Setting TAP-Win32 address/subnet automatically via DHCP
15:39 < Rawplayer> krzee: so the push default-gateway is only for routed mode?
15:39 < krzee> im not very familiar with bridging, havent done it in a long time, but you should be able to add a route with bridged mode too
15:39 < krzee> you would just use the route command on the client
15:41 < krzee> you would just use something like route 0.0.0.0 192.168.2.1
15:52 -!- infinity_ [i=brendon@saleen.netcal.com] has joined ##openvpn
16:25 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has quit ["Leaving."]
16:41 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
16:42 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
17:08 -!- MrTelephone [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
17:09 < MrTelephone> anyone have trouble with windows machines losing openvpn connection and when it tries to reauthenticate it is using the default gateway of the stale TAP32 adaptor?
17:12 < infinity_> can someone help get around this error?
17:12 < infinity_> http://pastebin.com/m12f4bada
17:21 -!- tomfmason [n=tom@unaffiliated/tomfmason] has quit [Read error: 110 (Connection timed out)]
17:30 -!- MrTelephone [n=test@S0106002129d2ee33.ls.shawcable.net] has quit [Read error: 60 (Operation timed out)]
17:34 -!- thewolf [n=rowan@67.207.129.26] has left ##openvpn ["WeeChat 0.2.6"]
17:46 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
18:33 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has quit [Read error: 110 (Connection timed out)]
18:44 -!- renic_ [n=notneces@66-208-213-195.ubr01b.glst3401.nj.hfc.comcastbusiness.net] has joined ##openvpn
18:46 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
18:47 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
19:09 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
19:09 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit [Client Quit]
19:10 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: jfkw
19:10 -!- Netsplit over, joins: jfkw
19:15 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:18 -!- renic_ [n=notneces@66-208-213-195.ubr01b.glst3401.nj.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)]
19:20 < ecrist> infinity_: it looks like you've got an invalid server certificate.
19:48 < mepholic> guess wat dshocker comin'
19:52 < dvl> eh?
19:52 -!- Huza [n=kvirc@78.96.46.99] has joined ##openvpn
20:10 < infinity_> ecrist: i got past that
20:10 < infinity_> ecrist: finally... and now i can't ping through the openvpn server
20:11 < infinity_> i can ping the lan interface, but not other computers. not sure what the problem is yet
20:11 < infinity_> i checked ip_forward and i added a route to the shitty netopia.
20:34 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
20:42 < infinity_> think i got it
20:44 -!- mepholic_ [n=mepholic@209.17.190.90] has joined ##openvpn
20:56 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection]
20:56 < krzee> infinity_,
20:56 < krzee> !route
20:56 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
21:04 -!- rickb|server [i=rickb@cpe-24-166-74-28.neo.res.rr.com] has joined ##openvpn
21:04 -!- blako [n=chatzill@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 54 (Connection reset by peer)]
21:05 < rickb|server> Hello, I am trying to create a new vpn server, I don't know the port for management and there was nothing in the documentation about it. I need that to give webmin control over clients. Any ideas?
21:06 -!- rickb|server [i=rickb@cpe-24-166-74-28.neo.res.rr.com] has quit [Client Quit]
21:11 < infinity_> any idea how to do netbios DNS without doing bridge mode
21:29 < krzee> infinity_, WINS
21:29 < krzee> which i recommend over bridging
21:31 < infinity_> krzee: ack. i don't have a wins server
21:32 < infinity_> maybe i'll just do hosts file
21:32 < infinity_> anyway, once i disconnect, when i reconnect, i can't ping through the vpn. i have to reboot the winXP box (vpn client)
21:33 < krzee> linux samba server?
21:34 < infinity_> krzee: yea. possibly.
21:34 < krzee> has wins server built in
21:34 < infinity_> anyway. any idea whats up with this stale vpn connection
21:35 < infinity_> i just rebooted the xp box. going to see if i can ping
21:36 < infinity_> when it doesn't work, it takes a long time for the client to get an IP
21:36 < infinity_> yup. doesn't work. very strange.
21:38 < infinity_> oh weird. the vpn client said it gave me an ip, but ipconfig says 0.0.0.0
21:42 < infinity_> thats weird. a bunch of automatic services aren't running on my windows client
21:43 < infinity_> strange
21:43 < infinity_> works now :) wonder if its SP3 related
21:52 < ecrist> windows is the debil
21:53 -!- ykut_johny1 [n=ykut_joh@op.niser.org.my] has joined ##openvpn
21:59 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:01 -!- ykut_johny1 [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:06 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
22:21 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: jfkw
22:21 -!- Netsplit over, joins: jfkw
22:40 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
22:43 < ecrist> oh, and evening fuckers
22:47 -!- mRCUTEO [i=info@58.26.212.3] has joined ##openvpn
22:47 < mRCUTEO> hiya all :D
22:48 -!- mRCUTEO [i=info@58.26.212.3] has quit [Client Quit]
23:05 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
23:06 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
23:06 -!- rmull [n=rmull@acsx02.bu.edu] has joined ##openvpn
23:07 < rmull> Hi gents, I see the crowd hasn't changed much :D
23:08 < tjz> darn
23:08 < tjz> yea
23:09 < tjz> 50% of them should be robots
23:09 < tjz> oh, and evening fuckers <-- LOL
23:09 < rmull> I used to be around these parts a lot during the summer
23:10 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:20 < ecrist> yeah you did.
23:20 < ecrist> how goes, rmull?
23:24 < rmull> ecrist: yoyo!
23:24 < rmull> It goes well.
23:24 < rmull> Busy busy with school.
23:24 < rmull> How about yourself?
23:27 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
23:35 < ecrist> busy busy with work, and life in general
23:36 < ecrist> omw to bed now. been working on a server OS upgrade since 9PM
23:36 < ecrist> FreeBSD 6.3->7.1, + 9 jails to update
23:36 < ecrist> mergemaster can be a bitch
23:38 < ecrist> well, g'night folks
23:38 < ecrist> see you tomorrow
23:40 < rmull> Have a good one
23:40 < rmull> I'm off to hit the hay too.
23:45 -!- mepholic_ is now known as mepholic
--- Day changed Fri Jan 30 2009
00:10 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
00:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:43 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:48 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
00:49 < metbsd> reiffert: hi
00:49 < metbsd> can you explain to me again about yesterday's problem?
00:51 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection]
01:03 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn []
01:15 < huslu> i'm seeing that ovpn for the --up script doesn't pass correct 'remote_1' variable
01:16 < huslu> both 'local_1' and 'remote_1' are the same (but they shouldn't as configuration defines them different)
01:16 < huslu> known bug?
01:22 < krzee> ive never seen those, you got them from the manual?
01:22 < krzee> !man
01:22 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:52 < reiffert> moin
01:53 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:43 -!- Huza [n=kvirc@78.96.46.99] has quit ["When two people dream the same dream, it ceases to be an illusion. KVIrc 3.4.2 Shiny http://www.kvirc.net"]
03:32 -!- c64zottel [n=hans@p5B17AD50.dip0.t-ipconnect.de] has joined ##openvpn
04:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
04:15 -!- whits_ [n=jim@jim.505.ru] has quit ["leaving"]
04:16 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
04:17 < ScribbleJ> Hey folks, been using openvpn forever, love it to death. This is not absolutely an openvpn question - I set up a new openvpn server, but found I could not connect with --float because it responds on udp 1024 instead of 1194. Any ideas why?
04:21 < ScribbleJ> I'm sorry, could not connect /without/ --float. tcpdump on server indicates the packets go out as port 1024; not like a firewall in-between is munging them.
05:20 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
06:03 -!- int [n=quassel@int.matrixtelecom.net] has quit [SendQ exceeded]
06:25 -!- int [n=quassel@wikia/int] has joined ##openvpn
06:37 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
06:39 < c64zottel> hello
06:40 < c64zottel> i have some trouble reaching the server's wins-server through openvpn
06:41 < c64zottel> i found some information about it, but is there a detailed tutorial around the internet?
06:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:49 -!- zheng [n=zheng@218.82.136.169] has joined ##openvpn
06:57 < ecrist> morning, bitches
07:02 < c64zottel> morning ecrist
07:19 -!- toretore [n=toretore@114.66.72-86.rev.gaoland.net] has joined ##openvpn
07:51 < ecrist> man, I LOVE CARP (Common Address Redundancy Protocol)
07:51 < ecrist> instant failover support
07:51 < ecrist> zero downtime
07:55 -!- zheng_ [n=zheng@218.82.143.81] has joined ##openvpn
07:59 -!- zheng [n=zheng@218.82.136.169] has quit [Read error: 60 (Operation timed out)]
08:47 -!- Some_ux [n=chatzill@bzq-79-176-16-20.red.bezeqint.net] has joined ##openvpn
08:47 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
08:48 -!- Some_ux [n=chatzill@bzq-79-176-16-20.red.bezeqint.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"]
09:14 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:24 < reiffert> c64zottel: reaching by ping ip works?
10:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:27 < c64zottel> reiffert: thx, i solved it
10:27 < reiffert> what was it? Config of WINSS?
10:28 < c64zottel> i think a couple of things, first the config, then there are few master-browsers in the lan, and i can just see them
10:28 < c64zottel> and broadcastings are not routed
10:28 < c64zottel> but, another question
10:28 < reiffert> broadcast relay, comes with pptp
10:29 < c64zottel> how can i configure my smbtree to use a special wins-server only?
10:29 < reiffert> it's part of a dhcp option.
10:29 < reiffert> option netbios-name-servers ip-address [, ip-address...];
10:30 < reiffert> The NetBIOS name server (NBNS) option specifies a list of RFC
10:30 < reiffert> 1001/1002 NBNS name servers listed in order of preference. NetBIOS
10:30 < reiffert> Name Service is currently more commonly referred to as WINS. WINS
10:30 < reiffert> servers can be specified using the netbios-name-servers option.
10:30 < reiffert> or to speak in openvpn:
10:30 < c64zottel> i am just using linux
10:30 < reiffert> --dhcp-option WINS addr
10:30 < c64zottel> the option is pushed
10:30 < c64zottel> but how can i use it under linux?
10:30 < reiffert> set it in a file
10:30 < reiffert> have smb.conf include that file
10:30 < reiffert> ; wins server = w.x.y.z
10:31 < c64zottel> i did that
10:31 < reiffert> have a shell script write the setting into that file
10:31 < reiffert> done
10:31 < c64zottel> but its not working
10:31 < reiffert> it's not working aint no error message.
10:31 < c64zottel> ok, i will check it
10:31 < reiffert> be sure to run a broadcast relay.
10:33 < c64zottel> its not working, i can see via tshark that the msg reaches the server
10:34 < c64zottel> and that is all the server responds: 4525.613222 10.23.0.1 -> 10.23.0.2 NBNS Name query response unknown
10:34 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
10:35 < c64zottel> may that be a problem with the firewall? ... but when i shut down the local wins-server here, i can smbtree over the ovpn without problems
10:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
10:40 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:51 < ecrist> fyi, I'm taking my website down for a few minutes to upgrade freebsd 6.3 to 7.1
10:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:02 < ecrist> ugh
11:02 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Connection timed out]
11:03 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has joined ##openvpn
11:11 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
11:24 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
11:30 -!- hellham [n=Larson50@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
11:32 < hellham> good morning all, im new to openvpn, what is the best new user tutorial for both unix/linux and windows? for someone who knows very little? thank you
11:40 -!- hellham [n=Larson50@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit ["thanks for your time"]
11:47 < c64zottel> i have written in my config file push "dhcp-option WINS 10.23.0.1"
11:47 < c64zottel> whereas 10.23.0.1 is my openvpn-tunnel end to server, its a routed tap device
11:47 < c64zottel> but it has no effect on windows
11:47 < ecrist> but, is your openvpn-tunnel server also a WINS server?
11:47 < c64zottel> i guess its because there is a master-browser around here
11:47 < c64zottel> ecrist: it is
11:49 < c64zottel> is there a way to enter the wins server manually
11:49 < c64zottel> question-mark
11:54 < c64zottel> ok, i found it
11:54 < c64zottel> but now it is just showing the network. openvpn
11:55 < c64zottel> which is the domain of my ovpn-server
11:55 < c64zottel> and the domains behind the ovpn server are still hidden
12:11 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:11 -!- xattack [i=xattack@132.248.108.239] has quit [Client Quit]
12:18 < ikarius> oops. I just blew up my home linux server's networking. guess I won't get openvpn properly set up today
12:18 < ikarius> ... damn me for misconfiguring bridging.
12:22 < ikarius> and for not reading the docs completely before editing /etc/network/interfaces
12:23 < ikarius> ok, so I've got a question about OpenVPN in the meantime
12:23 < ikarius> if I set up bridging/tap.... will clients automatically get IPs from the DHCP server on the subnet?
12:26 < dazo> ikarius: VPN clients no ... local clients yes
12:27 < ikarius> ok, so then I'd need to set the openvpn up to operate as a DHCP server?
12:27 < ikarius> to the VPN clients?
12:29 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:30 < dazo> ikarius: if you use ifconfig-pool or whatever the right option is again ... you'll have that automatically
12:30 < ikarius> ah, ok
12:31 < dazo> ikarius: openvpn will be the DHCP "server" for VPN clients only .... and the real DHCP server on your local net just needs to be told to stay away from the IP range you've given to openvpn
12:31 < ikarius> ok
12:32 < ikarius> I'll just double check the bootp range set on the DHCP server and set something different for the ovpn DHCP range
12:33 < ikarius> also... there's no reasonable way to set up DNS so that if I'm on some local network, which has a local DNS server, when I connect to ovpn, I use a DNS server across the VPN *only* for a particular domain, is there?
12:34 < ikarius> ... I think that's not configurable with out-of-the-box DNS resolver libraries on most OSes
12:35 < dazo> ikarius: nope, nafaik
12:37 < ikarius> k. that's what I thought. It's suboptimal, but it's rather a limitation of the OSes. To work around it the ovpn client would need to pretend to be a DNS server, look at requests, and forward them to the desired DNS server
12:37 < ikarius> and you probably aren't interested in building that functionality into the ovpn client
12:42 < ScribbleJ> Hey, any tips/ideas/pointers on why my Openvpn UDP server responds with a source port of 1024 rather than 1194 (causing my clients to require --float to successfully connect)? port option in server config is 1194 as expected.
12:43 < ScribbleJ> I confirmed via tcpdump it's happening on the server machine itself; not like a device in-between the client and server that nats the ports.
12:57 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has left ##openvpn []
13:00 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:41 < c64zottel> every time when i try to resolve netbios names i get:
13:41 < c64zottel> name_query failed to find name SOMENAME
13:41 < c64zottel> does it look like a routing problem or more a problem with the samba proxy server?
13:42 < ecrist> c64zottel: this isn't #NetBIOS
13:42 < ecrist> sorry
13:42 < c64zottel> true
13:43 < c64zottel> but there is no netbios...
13:44 < ecrist> 13:41 < c64zottel> every time when i try to resolve netbios names i get:
13:45 < ecrist> just don't want you to be like others and become a PITA when we don't know/don't care to answer your netbios questions.
13:46 < c64zottel> i meant, there is no channel, i thought it is maybe a routing problem and OpenVPN, but ok, i try #samba
13:48 -!- ohzie [n=ohzie@24.174.3.123] has quit [Read error: 110 (Connection timed out)]
13:48 -!- ohzie [n=ohzie@24.174.3.123] has joined ##openvpn
14:13 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
14:14 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
14:18 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
14:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit []
14:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
14:36 < dazo> ecrist: pm
14:40 -!- dazo [n=dazo@nat/redhat/x-5b79a3572794935f] has quit ["Leaving"]
16:00 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:02 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: worch, c64zottel, ScribbleJ, temba
16:02 -!- Netsplit over, joins: temba, ScribbleJ, c64zottel, worch
16:13 -!- Kreg-Work is now known as soberbit
16:17 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
16:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:41 < krzee> !route
16:41 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:47 < krzee> !factoids search wins
16:47 < vpnHelper> krzee: No keys matched that query.
16:47 < krzee> !factoids search lin
16:47 < vpnHelper> krzee: 'linipforward', 'linnat', 'linfw', and 'lintrafaccnt'
16:47 < krzee> !samba
16:47 < vpnHelper> krzee: "samba" is (#1) http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge, or (#2) http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
16:50 < krzee> !learn shorewall as http://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls.
16:50 < vpnHelper> krzee: Joo got it.
16:52 < krzee> !learn wins as http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:52 < vpnHelper> krzee: Joo got it.
16:57 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
17:00 -!- Janos [n=cramos@190.10.52.104] has joined ##openvpn
17:01 < Janos> hey there, anyone knows if it's possible to assign static ip address using ifconfig-push and client-config-dir directives in a bridged openvpn environment, the example only mentions tun servers and i can't get it to work
17:10 < Janos> or any other way to assign a static ip address in an openvpn bridged environment
17:14 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
17:23 < krzee> why are you bridging?
17:27 < reiffert> because routing is boring.
17:28 < Janos> nvm i found the problem, ifconfig-push and client-config-dir do work you just have to add the client directive to the client file so it pulls the config from the server :)
17:28 < krzee> actually, pull
17:28 < krzee> which is implied along with other stuff by client
17:28 < Janos> i'm bridging because i want my vpn user to be on the same network as my internal network
17:29 < Janos> yeah pull not pulls, syntax error :P
17:30 < krzee> you're using layer2 protocols over the vpn (besides netbios for windows shares)?
17:31 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
17:32 < Janos> pretty much every windows software uses broadcast to do everything ( go figure ) so yeah that's the reason, besides, why not ?, it works great, i do use tun for lan to lan vpns though
17:34 < krzee> umm
17:34 < krzee> windows needs broadcasts for normal stuff other than NetBios?
17:34 < Janos> so most of the time i have bridged server for users and a routed server for remote offices
17:35 < krzee> interesting
17:35 -!- c64zottel [n=hans@p5B17AD50.dip0.t-ipconnect.de] has quit ["Leaving."]
17:35 < krzee> thats extra overhead that you likely dont need to use
17:35 < krzee> but you sound comfortable with it
17:35 < krzee> and sounds like you know how to use it well
17:36 < reiffert> moin
17:36 < reiffert> hi krzee
17:36 < krzee> remember you open your network up to layer2 vulns over the bridges when you design your network
17:36 < krzee> wassup reiffert!
17:36 < krzee> moin moin
17:36 < reiffert> yeah, moin moin!
17:36 < reiffert> how is life?
17:39 < Janos> well yeah i've been using ovpn for a long time so i know my way around, and yes you might have a point that there is no need to use bridged mode, but i'm pretty sure a lot of things will stop working on the MS world, so i guess i'll give it a try and let you know the details :)
17:39 < krzee> nah main thing is just NetBios
17:39 < krzee> which you use WINS for
17:39 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
17:39 < krzee> the broadcasts is how windows deals with not having a WINS server to contact
17:39 < Janos> yeah but most of the time you don't even have a wins server
17:39 < krzee> reiffert, very good
17:40 < reiffert> krzee is right.
17:40 < krzee> Janos, right, but you save overhead by having one
17:40 < krzee> and if you use samba, it is SIMPLE
17:40 < krzee> !wins
17:40 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
17:40 < reiffert> there is broadcast relay
17:40 < reiffert> it's a software
17:40 < reiffert> it comes with pptp
17:40 < krzee> that too
17:40 < krzee> although quite often just WINS is good enough for your avg people
17:41 < reiffert> !learn broadcast-relay as it's a software that comes with pptp. use it when needing wins/samba and/or broadcasts.
17:41 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:41 < reiffert> fuck u
17:41 < krzee> in fact i know of people that recommend using WINS even if bridging
17:42 < krzee> !learn broadcast-relay as a software that comes with pptp. use it in tun mode when needing broadcasts, and WINS isnt enough.
17:42 < vpnHelper> krzee: Joo got it.
17:47 < Janos> krzee: i agree if you are the one that designed the whole network things would be very nice, i have a samba running as DC with an LDAP backend replicated to other 5 remote samba servers, centralized auth for proxy, mail, windows and linux logons, wins server (sadly it can't be replicated yet), dns, dhcp, ddns and much more :). But most of the time people don't know what they are doing and are afraid to change anything so telling them that you will have to
17:47 < Janos> add a netbios-name-servers option to their dhcp server scares them to hell
17:48 < Janos> that assuming they have a dhcp server :)
17:49 < Janos> so the simple vpn server project that cost $x ends up costing $xxx cuz you had to redesign their whole network
17:50 < krzee> once you are vpn'ed in you should be able to make that change :-p
17:52 < Janos> lol yeah well like i said i'll give it a try and let you know the details
17:55 < Janos> later thanks for the help
17:55 -!- Janos [n=cramos@190.10.52.104] has quit ["Ex-Chat"]
18:04 < reiffert> you are typing way too fast for mee...
18:04 < reiffert> ah, he quit. next.
18:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:08 < reiffert> next
18:40 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:45 -!- downhill_ [n=downhill@unaffiliated/err0r] has joined ##openvpn
18:48 < downhill_> Why would dropping the permissions after the daemon starts (config options "user nobody" and "group nogroup") on a Debian host cause me to get the error MULTI: bad source address from client ... packet dropped?
18:49 < downhill_> And actually, everything works fine on the LAN-side if I use an IP of .6, instead of the configured .21. Anybody have any idea what might be going on?
18:50 < downhill_> (that's with the permissions dropped. not dropping them allows everything to work as it should)
18:51 < reiffert> downhill_: the prior got nothing to do with dropping permissions.
18:52 < downhill_> but it doesn't happen when I don't drop permissions.
18:52 < downhill_> please elaborate.
18:53 < reiffert> sorry, gone to bed.
18:54 < downhill_> >.<
19:00 -!- toretore [n=toretore@114.66.72-86.rev.gaoland.net] has quit ["Ex-Chat"]
19:04 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection]
19:28 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
19:37 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)]
20:06 -!- zheng_ [n=zheng@218.82.143.81] has quit ["Leaving"]
20:43 < ScribbleJ> Hah
20:43 < ScribbleJ> Downhill, I suspect you are having the same issue as me.
20:43 < ScribbleJ> Well, more or less.
20:43 < ScribbleJ> You are using UDP, not TCP.
20:44 < ScribbleJ> You need to take a look at your network traffic - while you are trying to connect to .21, the replies are coming from another address than that, I bet, and your client wants to reject them because it's not where they should be coming from
20:45 < ScribbleJ> If it's not another IP, I bet it's an odd source port (I had the first problem, now I moved on to the second, personally)
20:49 < downhill_> ScribbleJ; TCP
20:50 < downhill_> I'm using TCP, and yeah, I can take a more in-depth look, but it still doesn't explain why dropping the privs causes this.
20:51 < downhill_> uncommenting "user nobody" and "group nogroup" makes it happen, commenting them fixes it. you can't possibly tell me it's unrelated :)
20:51 < ScribbleJ> Haaa, suppose I can't
20:51 < ScribbleJ> I wonder if that would solve my problem.
20:52 < ScribbleJ> I'm stumped - I'm using UDP and right now if I connect, let's say clientip:clientsource -> vpnserver:1194 I'd expect the traffic back to look like vpnserver:1194 -> clientip:clientsource
20:52 < ScribbleJ> But it does /not/ the traffic back all has a source port of 1024.
20:53 < downhill_> interesting
20:53 < downhill_> at this very moment I can't look, but thanks for the tip :)
20:53 * downhill_ scribbles a note
21:27 -!- [intra]lanman [n=Raymond@99-196-39-200.cust.wildblue.net] has joined ##openvpn
21:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
22:19 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
23:49 -!- ohzie [n=ohzie@24.174.3.123] has quit ["Leaving"]
--- Day changed Sat Jan 31 2009
00:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:04 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection]
02:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:23 -!- c64zottel [n=hans@p5B178936.dip0.t-ipconnect.de] has joined ##openvpn
03:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:00 < ropetin> Evenin'!
04:01 < downhill_> heya
04:02 < ropetin> How's it going in here lately? It's been FOREVER since I managed to get on IRC
04:25 -!- bandini [n=bandini@host64-111-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
04:33 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 145 (Connection timed out)]
04:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
04:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
05:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
05:45 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"]
05:48 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
06:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:29 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn
07:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:45 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
07:46 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"]
08:06 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
08:14 < ecrist> fuckers
08:17 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
08:17 < tjz> hi
08:22 < tjz> Hello
08:22 < tjz> anyone...
09:14 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
09:31 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
10:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
10:25 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
11:42 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
11:49 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: tarbo2, infinity_
11:51 -!- Netsplit over, joins: infinity_
11:52 -!- Netsplit over, joins: tarbo2
12:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
--- Log closed Sat Jan 31 13:04:12 2009
--- Log opened Sat Jan 31 18:54:15 2009
18:54 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
18:54 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal]
18:54 -!- Irssi: Join to ##openvpn was synced in 1 secs
19:08 < ecrist> fuckers
--- Log closed Sat Jan 31 19:44:41 2009
--- Log opened Sat Jan 31 22:27:41 2009
22:27 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
22:27 -!- Irssi: ##openvpn: Total of 44 nicks [0 ops, 0 halfops, 0 voices, 44 normal]
22:27 -!- Irssi: Join to ##openvpn was synced in 1 secs
22:46 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
22:47 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 60 (Operation timed out)]
--- Day changed Sun Feb 01 2009
00:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:09 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has quit ["Terminated with extreme prejudice - dircproxy 1.0.5"]
01:39 -!- ikarius [n=ross@216.27.182.3] has left ##openvpn []
02:42 -!- c64zottel [n=hans@p5B17A516.dip0.t-ipconnect.de] has joined ##openvpn
02:56 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
03:00 -!- rubydiam_ [n=rubydiam@123.236.183.30] has joined ##openvpn
03:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
03:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)]
03:50 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
04:56 -!- rubydiam_ [n=rubydiam@123.236.183.30] has quit [Read error: 110 (Connection timed out)]
05:30 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
07:12 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
07:26 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:36 -!- cb22 [n=cb22@moinmoin/developer/federico] has joined ##openvpn
07:37 -!- countd [n=quassel@unaffiliated/countd] has joined ##openvpn
07:39 < cb22> Hi, is it possible to get two VPNs connecting to the same server to speak to each other?
07:40 < cb22> As in -> (server) <- . VPN 1 can ping server, and the same for VPN 2, but they cannot ping each other, even though I think i've got all the routes needed
07:44 < ecrist> yep
07:45 -!- countd [n=quassel@unaffiliated/countd] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
07:46 -!- countd [n=countd@cpc3-lewi3-0-0-cust928.bmly.cable.ntl.com] has joined ##openvpn
08:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
08:46 -!- c64zottel [n=hans@p5B17A516.dip0.t-ipconnect.de] has quit ["Leaving."]
09:09 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
09:16 -!- tjz [n=tjz@bb116-15-71-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
09:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
10:34 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
10:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:50 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn
10:50 -!- smk [n=scott@cobra.httpd.org] has quit [Read error: 104 (Connection reset by peer)]
11:06 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)]
11:06 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
11:09 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has left ##openvpn []
11:56 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
12:24 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
12:27 -!- eddieb [n=eddieb@eddieb.xs4all.nl] has joined ##openvpn
12:28 -!- eddieb [n=eddieb@unaffiliated/eddieb] has left ##openvpn ["Leaving"]
12:42 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 104 (Connection reset by peer)]
13:29 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection]
13:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
13:45 -!- c64zottel [n=hans@141.37.33.125] has quit ["Leaving."]
14:06 -!- ikevin_ [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
14:08 -!- ikevin [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has joined ##openvpn
14:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
14:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:06 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal]
15:08 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn
15:09 < Spockz|servert> I tried the introduction setup on an OS X machine and I am now at the point of testing the install
15:09 < Spockz|servert> but as soon as I connect I get these errors:
15:10 < Spockz|servert> http://spockz.pastebin.com/m261e532c
15:10 < Spockz|servert> Does anyone know what this means?
15:12 < Spockz|servert> those errors are server-side
15:26 < disco-> Hi all, the shaper option in OpenVPN seems to have no effect when I put it in a ccd file. Is it ok to do this, and if so, any ideas why it isn't working?
15:45 < ecrist> Spockz|servert: you need to run as root
15:46 < Spockz|servert> ecrist: I do, sudo, but I run bridged.
15:46 < ecrist> disco-: I don't generally use the shaper in OpenVPN. we could help more if you provided logs.
15:46 < ecrist> the vpn client, as well as the scripts for the bridging, need to be run as root.
15:46 < disco-> ok ecrist, I'll see if I can get anything relevant
15:47 < Spockz|servert> ecrist: ah, the bridge-start/stop scripts don't work on OS X :(
15:47 < ecrist> disco-: I'm leaving for a superbowl party, so I won't be around now, until late tonight.
15:48 < disco-> ecrist: Ah ok, have fun :)
15:49 < ecrist> Spockz|servert: why not?
15:49 < ecrist> they should. OS X uses FreeBSD user-land.
15:49 < ecrist> write some that *do* work.
15:49 < Spockz|servert> ecrist: brctl: command not found
15:51 < ecrist> ::sigh::
15:51 < Spockz|servert> *grin*
15:51 < ecrist> Spockz|servert: what bridging scripts are you using?
15:51 < Spockz|servert> ecrist: the ones from the sample dir
15:51 < ecrist> write your own, that use the proper tools.
15:53 < Spockz|servert> the problem is that I don't know which tools those are
16:05 < ecrist> Mac OS X is the server?
16:08 < Spockz|servert> ecrist: yes
16:09 < Spockz|servert> I tried ifconfig tap0 bonddev en0 but that fails. And I read in the man pages that it would render en0 useless
16:12 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
16:39 < Spockz|servert> ecrist: I can't find a method to bridge the connections. Do you have any hints?
16:41 -!- Spockz [n=info@71pc198.sshunet.nl] has joined ##openvpn
16:50 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn
16:53 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:53 -!- rmull [n=rmull@acsx02.bu.edu] has quit ["leaving"]
17:11 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
17:53 -!- Spockz [n=info@71pc198.sshunet.nl] has quit []
18:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
18:25 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
18:40 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
19:12 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:18 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn
19:25 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit []
19:58 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
20:20 -!- phr0st_e [n=phr0st@76.252.191.193] has joined ##openvpn
20:25 < phr0st_e> am currently using openvpn 2.x on current version of ubuntu, bridged connection, with one interface. When I make the vpn connection, I get a "no route to host" (error code 64 and 65). I can no longer ping the server once the connection is made. I think it's because I only have one interface. I'm trying to set up an alias ip, but it's not coming up at boot. Any ideas?
20:42 < dvl> that indicates to me there is no route. netstat -nr will show you.
20:49 < phr0st_e> that makes sense, what would a good route look like? here's my netstat -rn:
20:51 < phr0st_e> default 192.168.2.1 UGSc 23 640 en1
20:51 < phr0st_e> 127 127.0.0.1 UCS 0 0 lo0
20:51 < phr0st_e> 127.0.0.1 127.0.0.1 UH 2 170 lo0
20:51 < phr0st_e> 155.79.11/24 link#9 UC 1 0 tap0
20:51 < phr0st_e> 155.79.11.19 link#9 UHRLW 1 24 tap0 13
20:51 < phr0st_e> 169.254 link#6 UCS 0 0 en1
20:51 < phr0st_e> 172.16.80/24 link#7 UC 1 0 vmnet8
20:51 < phr0st_e> 172.16.80.255 link#7 UHLWb 1 4 vmnet8
20:51 < phr0st_e> 192.168.2 link#6 UCS 8 0 en1
20:51 < phr0st_e> 192.168.2.1 0:0:c0:87:7:eb UHLW 15 65 en1 1155
20:51 < phr0st_e> 192.168.2.3 0:c0:4f:14:1:de UHLW 24 415 en1 1154
20:51 < phr0st_e> 192.168.2.20 0:b:db:70:45:e7 UHLW 1 1007 en1 928
20:51 < phr0st_e> 192.168.2.32 0:d:93:64:99:2e UHLW 0 11 en1 1098
20:51 < phr0st_e> 192.168.2.143 127.0.0.1 UHS 0 0 lo0
20:51 < phr0st_e> 192.168.2.173 0:1a:e9:83:9f:19 UHLW 0 0 en1 716
20:51 < phr0st_e> 192.168.2.255 link#6 UHLWb 2 27 en1
20:51 < phr0st_e> 192.168.187 link#8 UC 1 0 vmnet1
20:51 < phr0st_e> 192.168.187.255 link#8 UHLWb 1 4 vmnet1
20:51 < phr0st_e> where I'm currently at home behind 129.168.2.x
20:52 < phr0st_e> and my server has a single IP address of 155.79.11.19
21:02 < phr0st_e> just curious...would this be more likely to work if I throw in a second nic?
21:32 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
21:44 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 113 (No route to host)]
21:59 < dvl> phr0st_e: 2nd nic not required.
22:00 < dvl> routing shows your server is on tap0, so that should work. What is the output of ifconfig tap0 ?
22:00 < dvl> I bet it is 155.79.11.19
22:01 < dvl> But that's supposed to be the server you say. It appears to be local, not remote.
22:19 < phr0st_e> tap0 Link encap:Ethernet HWaddr 9a:a6:e2:8c:f1:b8
22:19 < phr0st_e> inet6 addr: fe80::98a6:e2ff:fe8c:f1b8/64 Scope:Link
22:19 < phr0st_e> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
22:19 < phr0st_e> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
22:19 < phr0st_e> TX packets:1240 errors:0 dropped:2 overruns:0 carrier:0
22:19 < phr0st_e> collisions:0 txqueuelen:100
22:19 < phr0st_e> RX bytes:0 (0.0 B) TX bytes:100173 (100.1 KB)
22:23 < phr0st_e> yeah...tap0 has no ip address
22:24 < phr0st_e> the netstat -rn from above was from my workstation (that negotiated a vpn session)
22:24 < phr0st_e> netstat -rn on my server looks like this:
22:25 < phr0st_e> 155.79.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
22:25 < phr0st_e> 0.0.0.0 155.79.11.254 0.0.0.0 UG 0 0 0 br0
22:25 < phr0st_e> ifconfig on my server looks like this:
22:26 < phr0st_e> br0 Link encap:Ethernet HWaddr 00:11:43:bd:b8:e1
22:26 < phr0st_e> inet addr:155.79.11.19 Bcast:129.79.11.255 Mask:255.255.255.0
22:26 < phr0st_e> inet6 addr: 2001:18e8:2:11:211:43ff:febd:b8e1/64 Scope:Global
22:26 < phr0st_e> inet6 addr: fe80::211:43ff:febd:b8e1/64 Scope:Link
22:26 < phr0st_e> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
22:26 < phr0st_e> RX packets:2299 errors:0 dropped:0 overruns:0 frame:0
22:26 < phr0st_e> TX packets:1051 errors:0 dropped:0 overruns:0 carrier:0
22:26 < phr0st_e> collisions:0 txqueuelen:0
22:26 < phr0st_e> RX bytes:254738 (254.7 KB) TX bytes:188688 (188.6 KB)
22:26 < phr0st_e> eth0 Link encap:Ethernet HWaddr 00:11:43:bd:b8:e1
22:26 -!- phr0st_e [n=phr0st@76.252.191.193] has quit [Excess Flood]
22:26 -!- phr0st_e [n=phr0st@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net] has joined ##openvpn
22:27 < phr0st_e> member:phr0st_e
22:27 < phr0st_e> :
22:27 < phr0st_e> tap0 Link encap:Ethernet HWaddr 9a:a6:e2:8c:f1:b8
22:27 < phr0st_e> [
22:27 < phr0st_e> 11:24pm
22:27 < phr0st_e> ]
22:27 < phr0st_e> member:phr0st_e
22:27 < phr0st_e> :
22:27 < phr0st_e> inet6 addr: fe80::98a6:e2ff:fe8c:f1b8/64 Scope:Link
22:27 < phr0st_e> [
22:27 < phr0st_e> 11:24pm
22:27 < phr0st_e> ]
22:27 < phr0st_e> member:phr0st_e
22:27 < phr0st_e> :
22:27 < phr0st_e> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
22:27 < phr0st_e> [
22:27 < phr0st_e> 11:24pm
22:27 < phr0st_e> ]
22:27 < phr0st_e> member:phr0st_e
22:27 < phr0st_e> :
22:27 < phr0st_e> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
22:27 < phr0st_e> [
22:27 < phr0st_e> 11:24pm
22:27 < phr0st_e> ]
22:28 < phr0st_e> member:phr0st_e
22:28 < phr0st_e> :
22:28 < phr0st_e> TX packets:1240 errors:0 dropped:2 overruns:0 carrier:0
22:28 < phr0st_e> [
22:28 < phr0st_e> 11:24pm
22:28 < phr0st_e> ]
22:28 < phr0st_e> member:phr0st_e
22:28 < phr0st_e> :
22:28 < phr0st_e> collisions:0 txqueuelen:100
22:28 < phr0st_e> [
22:28 < phr0st_e> 11:24pm
22:28 < phr0st_e> ]
22:28 < phr0st_e> member:phr0st_e
22:28 < phr0st_e> :
22:28 < phr0st_e> RX bytes:0 (0.0 TX bytes:100173 (100.1 KB)
22:28 < phr0st_e> [
22:28 < phr0st_e> 11:28pm
22:28 < phr0st_e> ]
22:28 < phr0st_e> member:phr0st_e
22:28 < phr0st_e> :
22:28 < phr0st_e> yeah...tap0 has no ip address
22:28 < phr0st_e> [
22:28 < phr0st_e> 11:29pm
22:28 < phr0st_e> ]
22:28 < phr0st_e> member:phr0st_e
22:28 < phr0st_e> :
22:28 < phr0st_e> the netstat -rn from above was from my workstation (that negotiated a vpn session)
22:28 < phr0st_e> [
22:28 < phr0st_e> 11:29pm
22:28 < phr0st_e> ]
22:29 < phr0st_e> member:phr0st_e
22:29 < phr0st_e> :
22:29 < phr0st_e> netstat -rn on my server looks like this:
22:29 < phr0st_e> [
22:29 < phr0st_e> 11:29pm
22:29 < phr0st_e> ]
22:29 < phr0st_e> member:phr0st_e
22:29 < phr0st_e> :
22:29 < phr0st_e> 155.79.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
22:29 < phr0st_e> [
22:29 < phr0st_e> 11:29pm
22:29 < phr0st_e> ]
22:29 < phr0st_e> member:phr0st_e
22:29 < phr0st_e> :
22:29 < phr0st_e> 0.0.0.0 155.79.11.254 0.0.0.0 UG 0 0 0 br0
22:29 < phr0st_e> [
22:29 < phr0st_e> 11:30pm
22:29 -!- mode/##openvpn [+o ecrist] by ChanServ
22:29 < phr0st_e> ]
22:29 < phr0st_e> member:phr0st_e
22:29 -!- phr0st_e was kicked from ##openvpn by ecrist [ecrist]
22:30 <@ecrist> dvl he been doing that long
22:30 <@ecrist> ?
22:33 -!- mode/##openvpn [+b *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net] by ecrist
22:33 -!- mode/##openvpn [-o ecrist] by ecrist
22:33 < ecrist> g'night
22:52 < dvl> ecrist: no, just once.
23:15 < ykut_johny> !route
23:15 < vpnHelper> ykut_johny: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
23:33 < ecrist> dvl, sorry I wasn't around to kick him out when he started it.
--- Day changed Mon Feb 02 2009
00:05 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn
00:06 < renic> having issues getting the gui client to work in VISTAx64 - any advice? this is my current problem:
00:06 < renic> Sun Feb 01 22:08:14 2009 CreateFile failed on TAP device: \\.\Global\{5BFF639A-C56D-4CC1-96EB-3BE76AD88045}.tap
00:06 < renic> Sun Feb 01 22:08:14 2009 All TAP-Win32 adapters on this system are currently in use.
00:06 < renic> Sun Feb 01 22:08:14 2009 Exiting
00:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
00:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:32 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit ["i upgraded to the release candidate, and it fixed the problem"]
00:49 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
03:07 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
03:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
04:22 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 104 (Connection reset by peer)]
04:30 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has joined ##openvpn
04:38 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
04:50 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has joined ##openvpn
04:50 < jolelion> hello
04:52 < jolelion> I don't understand the differences between "server/client mode" and "p2p mode"?
04:53 < jolelion> and I didn't find an answer on the openvpn Website. Can anyone help me?
04:57 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit ["Leaving."]
05:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:23 -!- cb22 [n=cb22@moinmoin/developer/federico] has quit [Read error: 104 (Connection reset by peer)]
05:23 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
05:29 < kyrix> jolelion: p2p means peer 2 peer. you will probably want server/client mode, what do u want to do
05:43 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
05:49 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)]
05:51 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
05:56 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
05:59 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
06:28 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)]
06:33 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
06:40 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn
06:59 < jolelion> kyrix: the vpn-clients need to talk together
07:14 < ecrist> morning, bitches
07:14 < reiffert> $100/kiss each.
07:23 < ecrist> o.O
07:28 < ecrist> http://www.explosm.net/comics/1543/
07:28 < vpnHelper> Title: Comics - Explosm.net (at www.explosm.net)
07:33 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
07:47 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)]
07:57 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
07:59 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:07 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer]
08:08 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has joined ##openvpn
08:14 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
08:16 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"]
08:22 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:41 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer]
08:50 -!- dim [n=Dimitri@83.167.62.196] has joined ##openvpn
08:53 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
09:32 < ecrist> it's too quiet in here.
09:37 < kyrix> the weather in Vienna is .... :)
09:38 < kyrix> on the other hand, it means the openvpn networks out there are working fine probably :)
09:39 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
09:43 < ecrist> very true
09:44 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has quit ["leaving"]
09:49 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has left ##openvpn ["Leaving"]
09:58 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
09:58 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
09:58 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has joined ##openvpn
09:59 < ikarius> hey, looking for some help. I've installed openvpn on my ubuntu 8.0.4 server edition, and I'm trying to set up the PKI stuff. I'm following the how-to on the openvpn site, but when generating keys, a couple things appear to be going wrong
10:00 < ikarius> the scripts are complaining about "index.txt" not existing, and no server.crt file gets generated. It appears to generate server.key just fine though
10:01 < ikarius> I've tried using the build-key-server script, as well as the pkitool script
10:03 < reiffert> then you probably missed sourcing vars.bar.
10:03 < ikarius> nope, did that
10:03 < ikarius> and verified via the "env" command that it set appropriate variables
10:04 < reiffert> or missed init-config.
10:04 < reiffert> that index file missing sounds like you are using a different openssl.cnf file other than the one that ships with easy-rsa.
10:05 < ikarius> init-config?
10:06 < ikarius> init-ca is shown in the instructions and the usage for pkitool, but not init-config
10:06 < reiffert> !howto
10:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:07 < reiffert> "Generate the master Certificate Authority (CA) certificate & key"
10:08 < ikarius> init-config didn't come in the openvpn package distributed for ubunty
10:09 < ikarius> ubuntu even
10:09 < ikarius> the instructions indicate it's just supposed to copy the config files into the right places
10:09 < ikarius> but... openssl.cnf, it appears I'm not getting that correctly
10:09 < ikarius> let me dig into that bit
10:11 < ikarius> no, I'm getting the openssl.cnf distributed with openvpn
10:11 < reiffert> export KEY_DIR="$EASY_RSA/keys"
10:12 < ikarius> that's already there
10:12 < reiffert> find that in your vars file?
10:12 < reiffert> cause
10:12 < reiffert> openssl.cnf:
10:12 < reiffert> dir = $ENV::KEY_DIR # Where everything is kept
10:12 < reiffert> database = $dir/index.txt # database index file.
10:12 < ikarius> yes, those lines are in the openssl.cnf I have
10:12 < reiffert> However, follow the howto again please and paste what you get from the beginning and we'll see.
10:13 < reiffert> outforasmoke
10:13 < ikarius> how critical should init-config be?
10:13 < reiffert> forget init-config.
10:13 < ikarius> ok
10:13 < ikarius> I'll restart and paste
10:14 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:16 < ikarius> AH. found the problem.
10:16 < ikarius> I did not run clean-all to begin with. That initializes index.txt and serial
10:17 < reiffert> welcome
10:18 < ikarius> I skipped it because I'd done a "mkdir" on keys, so I didn't think anything needed to be deleted...
10:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:18 < ikarius> the name is slightly misleading; I expect "clean" to simply remove any traces of a previous config...but thank you
10:22 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:23 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has joined ##openvpn
10:25 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
10:29 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 104 (Connection reset by peer)]
10:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
10:38 -!- Federico2 [n=Fede@193.200.193.239] has joined ##openvpn
10:38 < Federico2> hi guys
10:39 -!- wonko [n=wonko@wiggum.4amlunch.net] has joined ##openvpn
10:39 < wonko> ugh, i think i'm missing something stupid silly
10:41 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:41 < ecrist> what's that?
10:48 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
10:55 < plaerzen> hello irc
11:05 -!- kyrix [n=ashley@91-115-31-134.adsl.highway.telekom.at] has joined ##openvpn
11:06 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has left ##openvpn []
11:10 < wonko> ecrist: hey there
11:10 < wonko> i'm trying to do a basic two private networks behind both client and server vpn end-nodes
11:10 < wonko> and it's just not behaving at all
11:12 < wonko> all the routing table entries point to the IP on the "near" side of the vpn tunnel, but i can't ping/ssh/anything to that IP, I need to go against the IP on the "far" side of the tunnel, which works
11:12 < wonko> but i can't set my routing tables to use that
11:16 < ecrist> !configs
11:16 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:16 < wonko> ah, yes, that would likely help. :)
11:19 < Federico2> guys
11:19 < Federico2> afaik there is no simple way to let an unprivileged user create and deploy certificate files for openvpn clients
11:20 < Federico2> I'm writing something to invoke easy-rsa, build a certificate, package it in a zip file as well as configuration file, openvpn installer, guide...
11:20 < Federico2> am I reinventing the wheel?
11:20 < ecrist> yes
11:20 < ecrist> !ssl-admin
11:20 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
11:22 < ecrist> Federico2: the documentation on the site isn't that great for ssl-admin
11:22 < ecrist> that does a lot of what you're asking
11:22 < Federico2> so I reinvented the wheel....
11:23 < ikarius> hmm. is there a particular verbosity level where I should see DHCP requests come from a client?
11:23 < Federico2> thanks a lot
11:23 < ikarius> I *think* I have DHCP configured properly on the server side, but the client is always getting 169.254.8.126, which I think is a private "fallback" IP
11:24 < ikarius> if I can set the verbosity to see DHCP requests, and no DHCP request shows up, I'll know my problem is client-side
11:25 < wonko> http://sial.org/pbot/34850
11:25 < vpnHelper> Title: Paste #34850 from "wonko" at 147.140.233.16 (at sial.org)
11:27 < ecrist> Federico2: that project is on-going, and in active development, so if there's something you'd like to see, feel free to request it or contribute it.
11:28 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:29 < Federico2> ecrist, I wrote something more specific for a different use case
11:30 < Federico2> I want an unprivileged user to be able to create certificates and deploy a .zip file containing the openvpn installer as well
11:31 < Federico2> ssl-admin is almost there - it could be tweaked a bit to prevent the user from tweaking other parameters
11:32 < Federico2> uh... it's run by root!
11:35 < Federico2> crazy
11:37 < ecrist> ssl-admin, in its current inception, is root-only, but it's a very minor tweak to change that
11:37 < ecrist> could be easily geared toward checking for a specific group membership
11:37 < ecrist> my point for pointing it out is, it's *almost* what you need.
11:37 < ecrist> just have to add in the remaining bits
11:38 < Federico2> I already wrote mine - so right now I'll use it - but it's a pity not to have a complete solution
11:38 < ecrist> ok
11:38 < Federico2> minor tweak?
11:38 < ecrist> aye
11:39 < Federico2> there could be a lot to change if you want to run it without root privs
11:40 < wonko> ecrist: get a chance to look at my paste?
11:41 < ecrist> wonko, looking now
11:41 < ecrist> wonko, no
11:42 < ecrist> chmod -R a+rwx ssl-admin/*
11:42 < ecrist> and one line in the code, iirc
11:45 < ecrist> wonko: I'm guessing your firewall for ping failures.
11:45 < ecrist> client should be able to ping 172.20.1.1
11:47 -!- kyrix [n=ashley@91-115-31-134.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
11:47 < ecrist> it can ping .6 because that's its own address.
11:49 < wonko> the client can't ping .6, it can only ping .1 (dunkirk is the client)
11:49 -!- dim [n=Dimitri@83.167.62.196] has quit [Remote closed the connection]
11:50 < wonko> firewall is disabled
11:59 < ecrist> so it *can* ping .1?
11:59 < ecrist> PING 172.20.1.1 (172.20.1.1): 56 data bytes
11:59 < ecrist> --- 172.20.1.1 ping statistics ---
11:59 < ecrist> 2 packets transmitted, 0 packets received, 100.0% packet loss
11:59 < ecrist> your notes seem to indicate otherwise
12:00 < wonko> that's from the server
12:00 < wonko> if you look down at the bottom of the paste
12:01 < wonko> the last ping is the ping from the client to 172.20.1.1
12:01 < ecrist> oh, ok.
12:03 -!- Kuyatzu [n=Miranda@p57BC61EC.dip.t-dialin.net] has joined ##openvpn
12:03 -!- kyrix [n=ashley@91-115-186-194.adsl.highway.telekom.at] has joined ##openvpn
12:04 -!- Kuyatzu [n=Miranda@p57BC61EC.dip.t-dialin.net] has left ##openvpn []
12:07 < Federico2> bye
12:07 < ecrist> wonko: you're not going to be able to ping the .5 or the .2 ips
12:07 < ecrist> just FYI
12:07 < wonko> yeah, but i should be able to ping the .1 and .6 from both ends
12:08 < ecrist> to recap here, the client *can* ping 172.20.1.1, and can the server ping 172.20.1.6?
12:08 < wonko> the part that really confuses me is that i can ping the IP on the *remote* machine
12:08 < ecrist> doesn't appear to
12:08 < wonko> the client can ping .1 (which is on the server) and the server can ping .6 (which is on the client)
12:08 < ecrist> ok, but they can't ping themselves?
12:08 < wonko> nope
12:09 < ecrist> weird, should be able to. let's just pretend they can.
12:09 < ecrist> can they ping the remote networks, then?
12:09 < wonko> no since the routes for those networks point to the local IPs
12:12 < ecrist> the VPN client can't ping itself?
12:12 < ecrist> that doesn't make sense.
12:13 < wonko> i know
12:14 < wonko> that's why I was hoping I was doing something stupid in the config files. :)
12:15 < wonko> and to top it off, (in an unrelated project) the F5 load balancers have decided to start kicking my ass today as well
12:15 < wonko> it's *gotta* be monday
12:15 < wonko> ;)
12:21 < ecrist> lol
12:21 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: bandini, dvl
12:21 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: mcp, justdave, clustermagnet, meshuga, disco-, rubydiamond, pa, skx, disposable, aar0n, (+22 more, use /NETSPLIT to show all of them)
12:22 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: donavan, Federico2, krzie, kaii, dogmeat, munga, cpm, huslu, troy-, techqbert
12:26 < ecrist>
12:41 -!- kyrix [n=ashley@93-82-4-238.adsl.highway.telekom.at] has joined ##openvpn
12:41 -!- Netsplit over, joins: dogmeat, wonko, Federico2, plaerzen, jpalmer, rubydiamond, aar0n, ikarius, cb22, [intra]lanman (+33 more)
12:47 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: mcp, donavan, Federico2, justdave, krzie, clustermagnet, meshuga, disco-, rubydiamond, pa, (+34 more, use /NETSPLIT to show all of them)
12:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:58 -!- Netsplit over, joins: kyrix, dogmeat, wonko, Federico2, plaerzen, jpalmer, rubydiamond, aar0n, ikarius, cb22 (+34 more)
13:03 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
--- Log closed Mon Feb 02 13:04:19 2009
--- Log opened Mon Feb 02 13:04:22 2009
13:04 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
13:04 -!- Irssi: ##openvpn: Total of 49 nicks [0 ops, 0 halfops, 0 voices, 49 normal]
13:04 -!- Irssi: Join to ##openvpn was synced in 19 secs
13:04 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has quit [Nick collision from services.]
13:04 -!- You're now known as ecrist
13:06 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
13:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:40 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
13:50 < wonko> hmmm, i seem to have stumped you
13:50 < wonko> i wish that meant I won
13:50 < wonko> ;)
13:52 < ecrist> sorry
13:52 < wonko> it's ok
13:52 < wonko> i'm just being a dick. :)
14:06 < ecrist> you're good at it.
14:09 < wonko> i know
14:09 < wonko> ;)
14:09 < plaerzen> ecrist, what is openvpn ?
14:11 < ecrist> plaerzen: it's this thing you put in your mom's butt.
14:13 < ecrist> rather, a thing *I* put in your mom's butt.
14:13 -!- mode/##openvpn [+o ecrist] by ChanServ
14:13 -!- ecrist was kicked from ##openvpn by ecrist [quit talking about plaerzen's mom!]
--- Log closed Mon Feb 02 14:13:49 2009
--- Log opened Mon Feb 02 14:13:57 2009
14:13 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:13 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal]
14:13 -!- Irssi: Join to ##openvpn was synced in 1 secs
14:14 < ecrist> sorry about that
14:14 < plaerzen> lol
14:15 < ecrist> w00t, my writeup for disk quotas on os x got a mention on macosxhints.com
15:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
16:01 -!- c64zotte1 [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has joined ##openvpn
16:04 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn []
16:04 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
16:06 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn []
16:11 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has quit [Read error: 60 (Operation timed out)]
17:01 -!- c64zotte1 [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has quit ["Leaving."]
17:17 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn
17:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
17:34 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
17:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:38 < ScribbleJ> This is driving me bananas... openvpn on debian etch, server set for udp, 'port' and 'lport' both set to 1194; it always sends its traffic as lport 1024 though.
17:38 < ScribbleJ> Any ideas what I did/should do?
17:44 < ScribbleJ> openvpn is clearly /listening/ on 1194. iptables has no rules that are related. netcat will happily let me send traffic with sport of 1024, but 1194 I can't since it's bound for openvpn
17:46 -!- cj [n=cjac@66.152.65.2] has joined ##openvpn
17:46 < cj> hey all
17:46 < cj> I need some help setting up a mitm proxy
17:47 < cj> I want to pcap an ssmtp session I'm initiating. I'd like to set up a proxy on localhost which talks to smtp.foo.com:ssmtp and listens on localhost:smtp
17:48 < cj> I'll have mutt use smtps://user:pass@localhost:25/ at which point I can `tcpdump -i lo -w session.pcap port 25`
17:48 < cj> anyone know of a tool I can do the listening on?
17:49 < cj> stunnel seems to do the opposite
17:49 < krzee> umm, ssh i think
17:50 < cj> oooh
17:50 < krzee> but definitely not openvpn
17:50 < ikarius> ssh and port forwarding should be able to do what you want, but unless you're running as root, you'll probably need to set it to listen on a port higher than 1024
17:50 < cj> well, I'm asking here 'cuz folks have domain experience, not because I'd use openvpn. sorry for being OT :)
17:51 < krzee> ikarius, im not sure about all os, but in fbsd you can give a diff user access to open a lower port
17:51 < krzee> cj, np
17:51 < ikarius> krzee: I think you're right, but I think you need root to grant that access in the first place.... I think.
17:52 < krzee> oh yes
17:52 < krzee> well depends
17:52 < krzee> you need root to grant the access, but after that the user doesnt need to start as root then drop privs
17:52 < ikarius> disclaimer: I am not liable if my half-remembered tips cause your computer to eat your family dog and light the house on fire
17:52 < krzee> hahah
17:53 < krzee> ya that goes for me too
17:53 < cj> okay, so -L 127.0.0.1:25:smtp.foo.com:465 would forward the port without tls...
17:53 < ScribbleJ> cj, are you trying for an mitm proxy, or do you just want to decrypt and read the ssl traffic?
17:53 < cj> how do I add the tls encapsulation?
17:53 < cj> ScribbleJ: the latter
17:54 < ScribbleJ> cj, I'll tell you what I'd do, just pcap the traffic with tcpdump as normal, then read the log into wireshark which I believe has an option to decrypt an ssl stream provided the key
17:54 < ecrist> rawr
17:54 < cj> okay. where do I get the client key for mutt? :)
17:55 < krzee> wassup eric
17:55 < ScribbleJ> Got me, I was expecting you had the server key. :)
17:55 < ecrist> sup krzee
17:55 < krzee> lol
17:55 < krzee> not much man
17:55 < krzee> getting ready to leave vegas
17:55 < cj> ha. if I use stunnel, I do! Thanks :)
17:55 < krzee> headed to the bay area
17:58 < krzee> ecrist, howd ya like the superbowl?
18:03 < plaerzen> oh shit. I missed the superbowl.
18:04 < krzee> lol
18:08 < cj> ScribbleJ: do you happen to know what arguments to use to specify the ssl key?
18:08 * cj asks #wireshark
18:09 < ScribbleJ> cj, I don't, but earlier when I googled wireshark decrypt ssl, the first guide that came up had some nice pictures of where to put it in the gui.
18:09 < cj> cool beans
18:09 < cj> oh, wait... I was hoping for tshark
18:09 < cj> anyway, I'll copy the ssl key to the windows box...
18:10 < ScribbleJ> Yeah, I typically use tcpdump then wireshark, can't help with tshark.
18:10 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
18:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:24 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn
18:26 < grendal_prime> ok we have several of these machines now really digging them...however the Windows IT guys are iffy because they have no tool to really monitor what is happening and who is logged in. I have showed them the terminal based tools but they are not very impressed (windows guys) Sooo is there some sort of windows openvpn management util? Web based would be fine. I looked at the webmin tool but openvpn has to be installed with the webmin tool and
18:26 < grendal_prime> besides it doesnt offer much more than the terminal.
18:41 < ecrist> ::yawn::
18:41 < ecrist> grendal_prime: afaik, there's nothing at this time.
18:42 < ecrist> feel free to write one, though
18:50 -!- kyrix [n=ashley@93-82-4-238.adsl.highway.telekom.at] has quit [Remote closed the connection]
19:00 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
19:17 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:51 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
19:55 < grendal_prime> well..like i say there is the webmin module....unfortunately the way that it works is somewhat, dysfunctional for existing openvpn installations.
19:56 < grendal_prime> in fact it breaks existing connections.
19:57 < grendal_prime> the entire server because it rewrites the server.conf.
20:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:49 -!- tjz [n=tjz@bb121-7-26-157.singnet.com.sg] has joined ##openvpn
20:50 * tjz reporting in, sir!
20:53 -!- wonko [n=wonko@wiggum.4amlunch.net] has left ##openvpn []
21:03 < tjz> is it possible to auto generate the .ca ,crt with a click /command?
21:13 < grendal_prime> click command?
21:14 < grendal_prime> like with a mouse type deal?
21:15 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection]
21:29 < tjz> in centos server..
21:34 < tjz> i don't have to hit "enter" manually..
21:37 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
21:48 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit ["Lost terminal"]
21:49 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
22:09 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
22:15 -!- smk_ is now known as smk
22:16 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
22:16 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has quit [Client Quit]
22:20 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn
22:22 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
22:25 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn
22:28 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:45 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
22:50 < ikarius> freaking FINALLY
22:51 < ikarius> man, it took a lot of digging to come up with the right way to configure Ubuntu to do a bridged OpenVPN
22:52 < ikarius> http://openvpn.pastebin.com/m50d387de - interfaces file
22:54 < ikarius> then some scripts to add tap devices to the bridge when openvpn needs them
22:59 < ikarius> there were a lot of obsolete instruction sets.... which did not work
--- Day changed Tue Feb 03 2009
00:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:39 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
00:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
01:14 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
01:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:39 < reiffert> morning
02:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
02:25 -!- MehdiAK [n=Mehdiak@94.101.188.97] has joined ##openvpn
02:26 -!- MehdiAK is now known as Inil
02:29 < Inil> i want to use ldap authentication in openvpn but the plugin can't connect to the ldap server and i have a password error?
02:29 < Inil> encryption type must be changed
02:29 < Inil> on ldap authentication plugin?!
02:32 < Inil> any idea?
02:34 < reiffert> you could use pam authentication and have pam do the ldap stuff, I guess you already have pam_ldap auth on your system?
02:47 < Inil> reiffert: document or manual ? :)
02:54 < reiffert> pam_ldap or openvpn->pam?
02:55 < reiffert> /openvpn-2.1~rc11/plugin$ ls auth-pam/
02:55 < reiffert> Makefile README auth-pam.c pamdl.c pamdl.h
02:58 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-b90fc6b3825fe6e1] has joined ##openvpn
02:58 < Natilous> Hi Inil ...
02:58 < Natilous> Hi reiffert
03:00 < Inil> reiffert: i have an ldap server & it's OK! , and i want to run an openvpn server that uses ldap for Authentication & installed the openvpn-auth-ldap plugin and want to use it but have problems!
03:00 < Inil> hi Natilous :)
03:01 < reiffert> Inil: You already said that.
03:01 < Natilous> reiffert: the plugin can't bind with ldap.
03:02 < reiffert> Natilous: my proposal was:
03:02 < reiffert> have pam do the ldap stuff and use the pam auth that comes with openvpn.
03:02 < reiffert> Natilous: as my question was: I guess you already have pam_ldap auth on your system?
03:03 < reiffert> Natilous: which adds ldap auth to pam.
03:03 < Natilous> reiffert: do you have a document to explain how I can do it?
03:03 < Natilous> I don't know .. ldap admin not here right now.
03:04 < reiffert> pam_ldap pam_auth_ldap
03:04 < reiffert> common packagename on various unix distributions.
03:05 < reiffert> you'll need the ldap admin and a guy who cares about the pam stuff.
03:05 < reiffert> you running a unix server dont you?
03:06 < Natilous> reiffert: If we have pam_ldap, what should we do to use it!
03:07 -!- Llama [n=bogdan@84.201.239.103] has joined ##openvpn
03:07 < Llama> hello
03:07 < Natilous> reiffert: we don't have pam_ldap , our server uses auth_ldap
03:08 < reiffert> Natilous: openvpn source code, plugin directory, auth-pam directory.
03:08 < Llama> I need custom firewall settings for each openvpn client. How could I implement this using openvpn on linux ?
03:08 < reiffert> well whatever, you dont seem to refuse to answer my questions. have fun.
03:09 < Natilous> reiffert: we use this configuration on /openvpn/server.conf to use ldap authentication: "plugin /usr/local/lib/openvpn-auth-ldap.so "/etc/openvpn/config""
03:10 < Natilous> please give me a sample user information on ldap directory to work with openldap.
03:10 < reiffert> Natilous: question: are you running unix(linux etc)?
03:11 < Natilous> sure. openvpn (debian) , ldap-server (redhat)
03:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
03:13 < reiffert> Natilous: does the debian system use pam?
03:13 < Natilous> reiffert: no we don't use pam.
03:13 < reiffert> ls /etc/pam.d/
03:14 < Natilous> reiffert: yes . but we don't have /etc/pam.d/openvpn
03:14 < reiffert> Natilous: does the debian system authenticate against your ldap server?
03:14 < reiffert> for ssh, login etc
03:15 < Natilous> ls /etc/pam.d/ contains these: atd chfn chsh common-account common-auth common-password common-session cron login newrole other passwd run_init sshd su
03:15 < reiffert> ls /etc/*ldap*
03:16 < Natilous> ls /etc/ldap/ : ldap.conf sasl2 schema slapd.conf slapd.conf.gforge-new
03:16 < reiffert> Natilous: my proposal is: configure pam to authenticate against your ldap server
03:16 < reiffert> Natilous: after that, let openvpn authenticate against pam.
03:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:20 < reiffert> Natilous: your approach: use openvpn-auth-ldap. "It is not working" is a very bad starting point. Come up with something useful.
03:20 -!- ghahremani [i=d9dbf418@gateway/web/ajax/mibbit.com/x-96316112d2f31d1f] has joined ##openvpn
03:21 < ghahremani> reiffert: Thanks for your help .. I'm Natilous. but disconnected from Internet.
03:21 < ghahremani> reiffert: Have a naci time ..
03:21 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-b90fc6b3825fe6e1] has quit ["http://www.mibbit.com ajax IRC Client"]
03:21 -!- ghahremani [i=d9dbf418@gateway/web/ajax/mibbit.com/x-96316112d2f31d1f] has left ##openvpn []
03:23 < reiffert> nazi with z, idiots.
03:34 -!- Inil [n=Mehdiak@94.101.188.97] has left ##openvpn []
04:14 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
04:20 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:20 < T0aD> lo all
04:21 < T0aD> I have some issues with my vpns using openvpn
04:23 < T0aD> sometimes my internet connection restarts (dont know exactly why) and it sometimes (not at every loss of internet connection) makes some VPN links fail. they dont seem to be able to communicate anymore, until I change the remote port on the client and server's configurations.
04:24 < T0aD> Im thinking its maybe linked to my cheap router (edimax br6104k) but really I have no idea, no firewall between them except for the router (doing nat), the openvpn is using tun/udp and the ISP has no filter on UDP according to what they say
04:25 < T0aD> !configs
04:25 < vpnHelper> T0aD: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:30 < T0aD> http://bin.cakephp.org/view/666050690
04:30 < vpnHelper> Title: CakeBin : Pastes (at bin.cakephp.org)
04:30 < T0aD> here you go
04:32 * T0aD lights a candle and prays his voice will be heard
04:32 < T0aD> otherwise Ill just sc*** it and buy another router :)
04:43 -!- krzie_ [i=krzee@joogot.noskills.net] has joined ##OpenVPN
04:44 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: krzie, munga, ScribbleJ, troy-, huslu, donavan, techqbert, kaii
04:45 -!- Netsplit over, joins: ScribbleJ, troy-, techqbert, kaii, huslu, donavan, munga
04:47 < kala> T0aD: if you restart your router, does the connection succeed?
04:49 < T0aD> kala, I didnt try that
05:55 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
06:07 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)]
06:08 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
06:25 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has quit ["Leaving"]
06:26 -!- xAFFE [i=tim@charlie333.server4you.de] has joined ##openvpn
06:27 < xAFFE> !route
06:27 < vpnHelper> xAFFE: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:27 < xAFFE> hi folks
06:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:04 < xAFFE> thanks, that solved my problem :)
07:28 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn
07:28 < RUS> hi anybody
07:30 -!- cpm [n=Chip@wgw1.avitecture.net] has joined ##openvpn
07:30 < ecrist> hi
07:31 < tjz> Hello
07:45 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit ["Leaving."]
07:48 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
08:12 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:17 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
08:31 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:51 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
08:53 -!- cb22 [n=cb22@moinmoin/developer/federico] has quit [Success]
08:53 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
08:58 -!- mauro_ [n=mauro@213-156-44-184.ip.fastwebnet.it] has joined ##openvpn
09:03 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 60 (Operation timed out)]
09:06 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
09:13 < tjz> must we really run ". ./vars" ?
09:14 < tjz> can we run the full path ? eg. /root/openvp-r4/easy-rsa/2.0/vars
09:14 < dvl> Why ask? Just try. :)
09:18 < tjz> i want to socialise more
09:18 < tjz> hahah
09:42 < reiffert> You source the file.
09:45 < ecrist> tjz: the first dot sources the file, as reiffert said
09:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:48 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
09:48 < plaerzen> morning irc
09:49 < ecrist> morning plaerzen
09:50 < plaerzen> how's it going? Do you know anything about routing ecrist (I am so tired I find myself trying to tab-complete dictionary words today)
09:53 < ecrist> plaerzen: yes, I know a bit about routing
09:54 -!- dako [n=dako@193.93.114.245] has joined ##openvpn
09:55 < dako> hi all
09:56 < ecrist> howdy
09:58 < dako> i find the best to link one virtual interface (eth1:0) to another nat
09:58 < dako> like server-nat-----olsr wireless network-----router
10:00 < dako> i have also one tun between "server" and "router"
10:00 < dako> my problem is that i need to attribute a second public ip to "server"
10:01 < ecrist> ?
10:01 < ecrist> I'm confused
10:01 < dako> so i create eth1:1 with second public ip (no problem) to the router
10:02 < dako> and now i need to say tun0 in "server" is relied to eth1:1
10:03 < dako> that's my only one problem
10:04 < dako> to attribute public ip to server
10:05 < dako> the first public ip on the "router" is already in use ( on eth1 )
10:06 < dako> https://193.93.114.245/rc/vpn.png
10:07 < tjz> reiffert, do you mean searching for the "vars" file?
10:17 -!- Llama [n=bogdan@84.201.239.103] has quit [Read error: 104 (Connection reset by peer)]
10:17 < ecrist> tjz, you need to source the file.
10:17 < ecrist> that's what the first dot does in ". ./vars"
10:18 < ecrist> . ./vars doesn't work if your shell is csh, though
10:18 < ecrist> man source for more information
10:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:23 < tjz> ok
10:23 < tjz> thanks
10:25 < dako> ecrist: maybe with this new schema https://193.93.114.245/rc/vpn1.png
10:28 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
10:30 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:33 < dako> maybe i take the second public ip to tun0 with openvpn option ?
10:33 < dako> is it possible?
10:33 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
10:35 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:42 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:45 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
10:46 < reiffert> tjz: no, I mean "Sourcing a file", see man bash, paragraph: source filename [arguments]
10:47 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:49 -!- ikarius [n=ross@216.27.182.3] has quit []
10:52 < reiffert> tjz: the alias for source is a dot "."
10:57 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
11:09 -!- mndo [n=mndo@a83-132-150-111.cpe.netcabo.pt] has joined ##openvpn
11:09 < mndo> !configs
11:09 < vpnHelper> mndo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:09 < mndo> !logs
11:09 < vpnHelper> mndo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
11:10 < mndo> !route
11:10 < vpnHelper> mndo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:26 < tjz> thx v
11:26 < tjz> thx reiffert
11:26 < tjz> :P
11:27 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
11:29 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
11:36 -!- mauro_ [n=mauro@213-156-44-184.ip.fastwebnet.it] has quit ["Ex-Chat"]
11:52 -!- RUS [n=Mirc@88.214.199.147] has quit [Read error: 113 (No route to host)]
11:54 -!- tjz [n=tjz@bb121-7-26-157.singnet.com.sg] has quit ["Spare me some sleep, please."]
11:55 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:57 -!- fsckedagain [n=fsckedag@71.154.139.61] has joined ##openvpn
11:58 < fsckedagain> ok
11:58 < fsckedagain> everything on my bridge is connecting to one port, so none of my clients can connect to anything.
11:58 < fsckedagain> Anybody have an idea how to troubleshoot this?
12:02 -!- fsckedagain [n=fsckedag@71.154.139.61] has left ##openvpn ["Leaving"]
12:12 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:30 < ikarius> well, I finally got openvpn bridged working properly to my server at home. Finding the "right" way to configure bridged on ubuntu server edition was rather difficult, as the first several instruction sets I found were obsolete and/or incorrect
12:31 < ikarius> so, now that I got it working, I updated the Ubuntu Wiki with a nicer up-to-date set of instructions- https://help.ubuntu.com/community/OpenVPN
12:31 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
12:32 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:35 -!- xAFFE [i=tim@charlie333.server4you.de] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
12:36 -!- cj [n=cjac@66.152.65.2] has quit [Remote closed the connection]
12:39 < reiffert> ikarius: please have it link the official openvpn howto, that comes with all the stuff about bridging and scripts.
12:39 < ikarius> reiffert: hokay, I can do that
12:41 -!- alexkuebo [n=alexkueb@p548BE2EB.dip.t-dialin.net] has joined ##openvpn
12:42 < alexkuebo> I am using auth-user-pass-verify via-env, but there is no $password for my script available
12:42 < alexkuebo> $username is there
12:42 < reiffert> ikarius:
12:42 < reiffert> !howto
12:42 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:44 < ikarius> yes, I read that in detail
12:44 < ikarius> its instructions on setting up bridging on linux were a bit sparse
12:45 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has joined ##openvpn
12:46 < nschembr> hello I need help with default routing issue
12:47 < ikarius> ok, link to the official openvpn howto added. It's at the bottom of the page with the other links.
12:47 < nschembr> I have one server and two modems
12:47 < nschembr> Can I balance the traffic
12:48 < nschembr> I've tested two servers and two openvpn. one for each modem
12:49 < nschembr> this works well but has added extra hardware
12:49 < alexkuebo> I think script-security will solve my problem
12:49 < nschembr> the modems act as a firewall
12:50 < nschembr> I have a port fw rule to the server.
12:50 < nschembr> the returning udp packet always goes out the same modem.
12:51 < nschembr> Can you have two default routes?
12:53 < ikarius> the setup I ended up using on Ubuntu sets it up so at boot, a bridge device "br0" is brought up with a static IP and eth0 is added as its only member. When OpenVPN needs a tap interface, it has scripts which add the tap interface to the bridge and set eth0 to promiscuous mode. When tap interfaces are no longer needed, it removes them from the bridge and removes promiscuous mode from eth0.
13:00 < nschembr> ikarius: was your last comment for me?
13:01 < ikarius> nschembr: nope.
13:01 < nschembr> Thank you for your time, I'll keep digging :)
13:01 -!- alexkuebo [n=alexkueb@p548BE2EB.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
13:01 < reiffert> nschembr: linux?
13:01 < ikarius> nschembr: as to your question, load-balancing is hard to do- and generally can't be done by routing. You'll probably need to look at bonding to do load-balancing
13:02 < nschembr> reiffert: yes I run openvpn on linux. It has worked well for years.
13:03 < reiffert> nschembr: lartc.org
13:03 < reiffert> dive in link
13:03 < nschembr> comcast will not bind the modems
13:03 < ikarius> nschember: you *may* be able to use bonding on linux to bind devices at a higher level
13:08 < nschembr> ikarius I only have access to one side of the network I'm not bridging between two servers with static ip address.
13:09 < nschembr> If I have two nic's in the server can I have two default routes
13:09 < nschembr> one for each subnet
13:10 < ikarius> nschembr: you can, but routing generally will pick one and use it. the various routing schemes generally don't do load-balancing, even if they see two routes
13:11 < reiffert> lartc.org
13:14 < nschembr> what about iptables. can Iptables see the source port and send the packet to modem A
13:24 < nschembr> reiffert I'm looking over the lartc.org info. I'm not sure what I should focus on.:)
13:26 -!- xattack [i=xattack@132.248.108.239] has quit []
13:26 < nschembr> thank you for your help, I'll keep digging.
13:30 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has quit ["leaving"]
13:31 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has joined ##openvpn
13:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:36 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
13:42 < ecrist> heya, krzee
14:01 < krzee> hey
14:01 < krzee> im sitting in the brazillian consulate
14:01 < krzee> waiting to apply for a visa
14:02 < krzee> this is gunna take FOREVER
14:02 < krzee> glad i brought the laptop in
14:03 -!- disco- [i=disco@discomb0bulated.com] has quit [Remote closed the connection]
14:05 -!- disco- [n=disco@discomb0bulated.com] has joined ##openvpn
14:09 -!- mndo [n=mndo@a83-132-150-111.cpe.netcabo.pt] has quit [Read error: 60 (Operation timed out)]
14:09 -!- disco- [n=disco@discomb0bulated.com] has quit [Remote closed the connection]
14:11 -!- disco- [i=manje@discomb0bulated.com] has joined ##openvpn
14:13 < ScribbleJ> That reminds me of the joke, headline says "Three Brazillian Soldiers Killed in Conflict" - GW Bush says, "Wow... three brazillion, that's a lot."
14:18 -!- disco- [i=manje@discomb0bulated.com] has quit [Remote closed the connection]
14:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:35 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
14:44 -!- disco- [n=disco@89.145.121.14] has joined ##openvpn
14:44 -!- disco- is now known as disco
14:44 -!- disco is now known as disco-
14:50 -!- disco- [n=disco@89.145.121.14] has quit [Remote closed the connection]
14:51 -!- disco- [n=disco@89.145.121.14] has joined ##openvpn
14:58 -!- disco- [n=disco@89.145.121.14] has quit [Remote closed the connection]
14:59 -!- disco- [n=disco@89.145.121.14] has joined ##openvpn
15:05 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has joined ##openvpn
15:06 < traceroute> Hi
15:12 < cb22> is it possible to specify the UDP port that the openvpn client receives responses on?
15:12 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has quit [Client Quit]
15:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:31 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
15:32 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
15:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:35 < ScribbleJ> cb22, lport, rport
15:39 < cb22> ScribbleJ, thanks
15:45 -!- disco- [n=disco@89.145.121.14] has quit [Remote closed the connection]
15:46 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
15:54 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection]
15:55 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
15:57 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection]
15:59 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
16:00 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection]
16:01 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
17:01 -!- mndo [n=mndo@a83-132-0-144.cpe.netcabo.pt] has joined ##openvpn
17:49 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has left ##openvpn []
17:53 -!- nschembr is now known as nschembr-food
18:49 -!- mndo [n=mndo@a83-132-0-144.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)]
19:39 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
19:53 -!- nschembr-food is now known as nschembr
20:16 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
20:24 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
21:02 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has quit ["leaving"]
21:03 -!- Criggie [i=foobar@203-97-119-201.cable.telstraclear.net] has joined ##openvpn
21:03 < Criggie> Hi all - I'm speccing some firewalls for a custy... How much CPU do you reckon 300 simultaneous active openvpn sessions will use?
21:17 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
21:24 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
21:24 -!- ScribbleJ [n=nsj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
21:34 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection]
21:36 < jpalmer> Criggie: depends on how much traffic is going over the link. if it's 300 idle connections, a p2 400 could handle it.
21:47 < Criggie> jpalmer: yeah -
21:47 < Criggie> customers tend to lie^Wexaggerate requirements
21:47 < Criggie> I'm thinking a spanked up dual quad will be massive overkill
23:26 < Criggie> thanks jpalmer
23:26 -!- Criggie [i=foobar@203-97-119-201.cable.telstraclear.net] has left ##openvpn []
23:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:33 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
--- Day changed Wed Feb 04 2009
00:19 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
00:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
00:49 < reiffert> moin
00:58 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
01:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:46 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
02:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:56 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
02:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:03 -!- ribasushi [n=rabbit@dslb-084-063-082-094.pools.arcor-ip.net] has joined ##openvpn
03:03 < ribasushi> hi
03:04 < ribasushi> the -crldays setting to openssl - will OpenVPN consult it at all? I just made a CRL and it says Next Update: Mar 6 09:05:03 2009 GMT
03:04 < ribasushi> will openvpn refuse to use this CRL after this day?
03:04 -!- diazepam1 [n=trent@121.216.118.172] has joined ##openvpn
03:05 < diazepam1> hi all i have openvpn running but i am finding that it only accepts one user at a time - assigned the same ip address to every new user that logs in any suggestions
03:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
03:16 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:29 -!- diazepam1 [n=trent@121.216.118.172] has left ##openvpn []
04:12 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
04:25 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:26 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:53 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"]
04:54 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
05:05 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
05:15 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Remote closed the connection]
05:15 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
05:19 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection]
05:20 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
05:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
06:29 -!- cb22 [n=cb22@moinmoin/developer/federico] has quit [Read error: 104 (Connection reset by peer)]
06:29 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
06:31 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:32 < sigius> Is it possible to configure openvpn (temporarily) such that it skips authentication and accepts all incoming connections ?
06:46 < sigius> Is it possible to configure openvpn (temporarily) such that it skips authentication and accepts all incoming connections ? (sorry for repeating myself, was offline for a bit)
07:02 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer]
07:24 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
07:40 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
08:01 -!- daktari90 [n=Forensic@p57B5F84F.dip.t-dialin.net] has joined ##openvpn
08:04 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection]
08:14 -!- daktari90 [n=Forensic@p57B5F84F.dip.t-dialin.net] has left ##openvpn ["Leaving."]
08:18 < ecrist> sigius: no
08:33 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:40 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
09:06 < sigius> Ok, thanks for clearing that up. Is it then possible to have the openvpn server disregard the period in which a key is valid ?
09:06 < sigius> and connect anyway
09:08 < ecrist> no
09:08 < ecrist> you can set the date on the server back, to allow authentication from expired certificates, I think.
09:10 < reiffert> and on the client in parallel.
09:11 < sigius> reiffert, how does it matter what the time on the client is ?
09:12 < reiffert> I think openssl will check this and compare().
09:13 < sigius> reiffert, so if client has a key valid since 2009 and the client thinks its 1990 then ssl will be trying to set up a connection to the ovpn server ?
09:14 < sigius> Sorry, then ssl will NOT be trying to set up a connection to the ovpn server ?
09:14 < sigius> is what I meant to say
09:14 < reiffert> sigius: it will be trying but it might fail.
09:14 < ecrist> sigius: how about you tell us what you're trying to accomplish?
09:16 < sigius> Well, I have a remote client that is not connecting. From the server side I can see it trying but somehow the connection is not created.
09:16 < reiffert> Thats where logfiles help.
09:16 < ecrist> ah, so, rather than fucking with all the other stuff, why don't you share those logs with us
09:16 < ecrist> perhaps we can tell you what *is* broken?
09:17 < sigius> just a sec.
09:17 < reiffert> !logs
09:17 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
09:19 < reiffert> oh and !configs
09:19 < reiffert> !configs
09:19 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:23 < sigius> My log (verb 4) is at http://pastebin.com/m37a3cf81 . Weird thing is that I just discovered that (3 hours late) it did successfully make a connection.
09:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:24 < sigius> Not sure what the difference is with earlier attempts (nothing changed on my side) !?
09:24 < reiffert> let me buy a crystal ball.
09:27 < reiffert> crystal balls are sold out ...
09:27 < sigius> reiffert, thats ok, ill come back and bother you when its automagically broken again.
09:27 < sigius> im sure this will come back and haunt me but for now thanks, reiffert , ecrist
09:28 < reiffert> no logfile, no fix.
09:30 < sigius> reiffert, you did notice i pasted my logfile earlier ? http://pastebin.com/m37a3cf81
09:30 < reiffert> sigius: no. verbose level 6?
09:30 < reiffert> client log?
09:34 -!- cb22__ [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
09:36 < sigius> reiffert, the one I posted is at level 4. I have an old log one at verb 9 , but no client log (as the client is a small embedded device that has no space to keep logs. Will that do ?
09:37 < reiffert> the more the better. level 6 is enough.
09:38 < reiffert> What does the embedded device think about time, does it know the current time? How about storing the logfile on a remote filesystem like e.g. nfs?
09:46 < sigius> reiffert : http://pastebin.com/d52652100 line 2 lists the ip of the device trying to connect, all lines are related to this device (i.e. no other connections are logged in this particular sample)
09:48 < sigius> reiffert, right after boot it goes out on the internet and finds the time using ntp_client. One theory of mine was that this step fails and consequently the login fails.
09:49 < sigius> login--->connection to the openvpnserver
09:50 < sigius> reiffert, about log, log is only useful when connection fails (and nfs is unreachable) but maybe I should indeed consider a small rotating logfile
09:52 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)]
10:16 -!- cb22 [n=cb22@dsl-245-136-200.telkomadsl.co.za] has joined ##openvpn
10:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
10:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
10:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:34 -!- cb22__ [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)]
10:37 < sigius> reiffert, anything that jumps out from the log ?
10:46 -!- ikarius [n=ross@216.27.182.3] has quit []
10:46 < ecrist> ew, NFS over vpn?
10:50 < reiffert> ecrist: nfs to get a logfile out of an embedded device.
10:51 < reiffert> sigius: please give us a log level 6 logfile of the openvpn server.
10:51 < reiffert> !logs
10:51 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
10:53 -!- cb22 [n=cb22@dsl-245-136-200.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)]
10:55 < sigius> sorry I only have the level 9 pasted above ( http://pastebin.com/d52652100 ) . I can not reproduce the problem to create a level 6 currently
10:57 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn
10:57 < reiffert> sigius: I cant see a single line on log 9 that says: error or fail
11:04 < reiffert> or warn
11:05 < reiffert> sigius: I'd probably stop openvpn on the client, set the time to 1970, start the openvpn client and have it watch fail to connect.
11:08 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"]
11:14 < sigius> reiffert, good point, I checked and there isnt an error fail or warn in the larger file either (of which I pastebinned an excerpt), weird. Your experiment makes a lot of sense but the problem is I can only connect to the client ... over ovpn. Anyway have to be off, thanks a lot for your help
11:14 < reiffert> no rs232?
11:15 < sigius> no it really is remote i.e. somewhere else
11:15 < reiffert> badbadbad.
11:15 < reiffert> lemme know how the story continues.
11:15 < sigius> sure, eventually I'll get to the bottom of it.
11:16 < sigius> thanks again
11:16 < sigius> cya
11:24 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn
11:25 < Kobaz> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=NY/L=New_York/O=org/CN=org_ca/emailAddress=admin@foo
11:25 < Kobaz> i keep getting that
11:25 < Kobaz> i've generated countless certificates for other systems and everything works fine
11:25 < Kobaz> now it's complaining it's self signed?
11:28 < ScribbleJ> Is it self-signed, or did you sign it with a ca like is proper?
11:29 -!- kyrix [n=ashley@93-82-12-202.adsl.highway.telekom.at] has joined ##openvpn
11:30 < Kobaz> it's been signed by a ca, that i created with build-ca in easy-tsa
11:31 < Kobaz> easy-rsa
11:31 < ScribbleJ> Well, that's about how I always do it too without a problem.
11:32 < Kobaz> yeap
11:32 < Kobaz> haven't had a problem until now
11:32 < Kobaz> i'm using a new easy-rsa
11:32 < ScribbleJ> Ah, I still use the old one
11:32 -!- ribasushi [n=rabbit@dslb-084-063-082-094.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
11:32 < Kobaz> i think the new one is broken
11:39 < Kobaz> yeah
11:39 < Kobaz> i regenerated the keys with easy-rsa 1.0
11:39 < Kobaz> and now everything works
11:39 < Kobaz> grrr
11:39 < Kobaz> wasted 2 hours on this pos
11:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:41 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
11:51 < Kobaz> hmm
11:51 < Kobaz> so easy-rsa 2.0 does work
11:51 < Kobaz> you can't use the default CN it gives you for the CA cert
11:51 < Kobaz> otherwise openvpn will complain it's self signed
11:51 < Kobaz> even though it isn't
12:01 < reiffert> Kobaz: did you try to change the CN of the server cert?
12:03 < reiffert> Kobaz: please show us the exact place in the official howto where you did change foo to bar. Thanks.
12:03 -!- wonko [n=wonko@wiggum.4amlunch.net] has joined ##openvpn
12:04 < wonko> is there some sort of silly secret to running OpenVPN with OpenBSD as both tunnel endpoints that I'm completely unaware of?
12:04 < wonko> i've got this working between OpenBSD <-> Solaris and Windows <-> Linux
12:04 < wonko> but i can't make OpenBSD <-> OpenBSD work
12:04 -!- ashley_ [n=ashley@91-115-180-110.adsl.highway.telekom.at] has joined ##openvpn
12:04 < reiffert> wonko: a firewall.
12:05 < wonko> the only firewall between the boxes is one way, the client can contact the server
12:06 < reiffert> wonko: "does not work" doesnt look like a good start here, try to track down the prob, thanks.
12:06 -!- kyrix [n=ashley@93-82-12-202.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:12 < ecrist> wonko, having seen your logs and configs the other day, I'm guessing firewall, as well.
12:15 < reiffert> ecrist: we should add the bot a user -> [ problem ] -> various notes table to be able to keep track of what's already done and what is not.
12:16 -!- ashley_ [n=ashley@91-115-180-110.adsl.highway.telekom.at] has quit ["Leaving"]
12:17 < Kobaz> reiffert: ?
12:18 < Kobaz> reiffert: i changed the CN of the CA cert to be empty, and now openvpn doesn't complain about self signed anymore
12:19 < ecrist> reiffert: aye
12:19 < ecrist> I don't control the bot, that's krzee
12:19 < ecrist> he locked me out of it, because I taught the bot to say krzee's mom was hot or something
12:19 < ecrist> :(
12:20 < ecrist> next time I see him, I'll bring it up.
12:20 < ecrist> if there isn't a module, I'll try to get one written for it.
12:21 < reiffert> ecrist: krzees mom is hot?
12:21 < reiffert> send pixx
12:21 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:21 < ecrist> I was assuming. Many moms are of the hot variety.
12:22 < ecrist> one nice thing about moms, you know they put out. ;)
12:22 < reiffert> :)
12:22 < reiffert> my dict's giving me 3.000 explanations for "to put out" ...
12:32 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:34 -!- aar0n is now known as aar0n-san
12:40 < wonko> ecrist: yeah, but which firewall? the one on the openbsd machines?
12:43 < wonko> ecrist: i removed all the routing stuff from the openvpn configs
12:43 < wonko> so it's just the bare vpn tunnel
12:43 < ecrist> ok
12:45 < wonko> i can still ping the remote end of the tunnel, but not the local end of the tunnel
12:46 < ecrist> have you used google to see if it's a bug in the openbsd networking stack?
12:46 < wonko> i've used google to search on openvpn and openbsd and haven't come up with anything that gives me any place to look
12:52 < wonko> do you see anything in this guy's server config file that might jump out at you for things i might want to look at? I don't want to just randomly start cramming options into the config
12:52 < wonko> http://daemonforums.org/showthread.php?t=527
12:57 < wonko> and i find no reason for this to not work
12:57 < wonko> bah
12:58 -!- xattack [i=xattack@132.248.108.239] has quit []
13:00 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:00 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)]
13:07 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:08 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
13:08 < ecrist> wonko: looking
13:09 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:12 < ecrist> wonko: I don't know. Only used openbsd once, and very briefly, since freebsd got pf shortly after
13:16 < wonko> well, if i pretend that OpenVPN works just right, put the routing rules back into the config and point boxes to the openbsd boxes as gateways it just works
13:16 < wonko> even though i don't understand why
13:16 < wonko> at this point, i don't really care
13:16 < wonko> ;)
13:19 < wonko> except that if I re-configure it to daemonize and restart things it doesn't actually work
13:19 < wonko> gah
13:25 < wonko> and this is what I see in the log on the server (but only when pinging from the network behind the client)
13:25 < wonko> Feb 4 14:28:42 sanrep-dbsi openvpn[25300]: dunkirk.scott.tju.edu/10.160.12.13:26886 MULTI: bad source address from client [172.30.1.204], packet dropped
13:25 < wonko> hmmm
13:26 < wonko> google says iroute
13:26 < wonko> but that's setup
13:26 < wonko> foo
13:26 < wonko> hmmm
13:27 < wonko> i bet i know what it is
13:27 < wonko> but, meeting time!
13:33 -!- xattack [i=xattack@132.248.108.239] has quit []
13:34 -!- protocols [n=protocol@ip-88-153-196-33.unitymediagroup.de] has joined ##openvpn
13:35 -!- rubydiamond is now known as intelligent
13:39 < wonko> ah ha!
13:39 < wonko> i was right!
13:40 < wonko> it had no idea where my ccd directory was
13:40 < wonko> i needed an absolute path in the config file
13:40 < wonko> and that was it the whole time
13:40 < wonko> grrrr
13:43 < reiffert> sounds like it was his firewall.
13:44 < ecrist> yep
13:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:47 -!- intelligent [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:51 < reiffert> krzee: I've heard that your mom looks very hot and is in bed with aliens?
13:54 < krzee> lol
13:54 < krzee> howd you know?
14:14 < ecrist> krzee, we're looking for a module for the bot so we can link certain users with their problem.
14:14 < ecrist> to track whether they've been helped or not
14:14 < ecrist> reiffert's idea
14:14 < krzee> ahh, like a ticketing system
14:14 < krzee> they have one in #freeswitch
14:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:37 -!- kyrix [n=ashley@91-115-180-110.adsl.highway.telekom.at] has joined ##openvpn
14:38 < krzee> i dont know if supybot actually has that or not
14:38 < krzee> that might be a good idea for another bot, one that can post to some sort of administration website or something for example
14:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
15:18 < Kobaz> any idea why when in windows, i connect to a pptp vpn using the built in windows vpn connection, it will start blocking openvpn traffic
15:20 -!- dako1 [n=dako@16.192-64-87.adsl-dyn.isp.belgacom.be] has joined ##openvpn
15:36 -!- dako [n=dako@193.93.114.245] has quit [Read error: 113 (No route to host)]
16:03 < wonko> is it possible to run openvpn without any cipher at all?
16:06 < Kobaz> i think so
16:08 < ScribbleJ> Kobaz, routing? Same destination networks?
16:19 < Kobaz> nope, networks completely different
16:19 < Kobaz> openvpn is 10.3.2.0 and pptp is 192.168.24.0
16:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:26 < ecrist> Kobaz: it's probably got to do with your routing tables
16:27 < ecrist> wonko: what do you mean by 'without any cipher at all?'
16:27 < wonko> plaintext, no encryption on the tunnel
16:27 < ecrist> no, it's not
16:27 < ecrist> if you're going to do that, run pptp
16:27 < wonko> ok, so the default blowfish is going to be my best performer then?
16:28 < ecrist> more than likely
16:28 < wonko> GRE
16:28 < wonko> can't use IPSEC or GRE
16:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:42 < skx> I am using routed openvpn to redirect traffic through a remote server. This server has multiple ip addresses, how to make it use only one for openvpn? I know how to change the listening address, what about other?
17:18 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)]
17:29 -!- ScribbleJ [n=nsj@c-67-172-6-141.hsd1.il.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
17:30 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
17:45 < kyrix> listening address makes it only use that ip/port
17:53 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has quit ["Terminated with extreme prejudice - dircproxy 1.0.5"]
18:00 -!- ikevin [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
18:00 -!- ikevin [n=kevin@ANancy-256-1-30-107.w90-26.abo.wanadoo.fr] has joined ##openvpn
18:14 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
18:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
19:24 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
19:45 -!- kyrix [n=ashley@91-115-180-110.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
19:50 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
20:19 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
20:26 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
20:45 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
21:26 -!- dako [n=dako@243.192-67-87.adsl-dyn.isp.belgacom.be] has joined ##openvpn
21:27 -!- dako1 [n=dako@16.192-64-87.adsl-dyn.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)]
22:19 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
22:52 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:27 -!- protocols [n=protocol@ip-88-153-196-33.unitymediagroup.de] has quit ["Leaving"]
23:34 -!- ikevin [n=kevin@ANancy-256-1-30-107.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
23:35 < reiffert> http://www.youtube.com/watch?v=9isKnDiJNPk
23:35 < vpnHelper> Title: YouTube - Cloning passport card RFIDs in bulk for under $250 (at www.youtube.com)
23:45 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
23:58 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
--- Day changed Thu Feb 05 2009
00:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:06 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
01:06 < lolipop> I have problem setting up openvpn with ldap
01:13 -!- upb [i=cmpxchg@closet-core1.ge1-0s3.cust1000158.rev.prq.se] has joined ##openvpn
01:13 < upb> hi, i have a q, what could be wrong when the settings read from client config dir do not depend on the CN in client cert?
01:13 < upb> example http://rafb.net/p/76ts7f83.html
01:14 < vpnHelper> Title: Nopaste - No description (at rafb.net)
01:20 < upb> :(
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 < upb> anyone alive ?
02:53 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
02:59 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn
02:59 < tjz> reporting in, sir!!
03:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:19 < upb> what could be wrong when the settings read from client config dir do not depend on the CN in client cert?
03:19 < upb> http://rafb.net/p/76ts7f83.html
03:19 < vpnHelper> Title: Nopaste - No description (at rafb.net)
03:59 -!- aar0n-san [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
04:08 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
04:13 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:14 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has joined ##openvpn
04:14 < jolelion> hello everybody
04:15 < jolelion> I'm trying to use the "up" options to update the resolv.conf on my debian , when I restart I get the following error : openvpn_execve: external program may not be called due to setting of --script-security level
04:16 < jolelion> what should I do ?
04:37 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
04:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
04:43 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)]
04:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:56 < jolelion> I found the options that enable the script "script-security 2 execve" but still my resolv.conf is not updated when I restart openvpn, any idea ?
05:17 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:28 < upb> jolelion: put some debug in the script
05:59 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn
05:59 < RUS> hi everybody
06:01 < tjz> hi
06:04 < reiffert> jolelion: quote: < jolelion> I'm trying to use the "up" options to update the resolv.conf
06:04 < reiffert> jolelion: how?
06:05 < jolelion> in the client.conf : up /etc/openvpn/update-resolv-conf
06:06 < reiffert> pl paste that script to pastebin.ca
06:07 < reiffert> upb: what is it you are trying to accomplish?
06:11 < reiffert> jolelion: whatever goes wrong, it's that /etc/openvpn/update-resolv-conf script which is doing bad.
06:18 < jolelion> I think yes
06:19 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has joined ##openvpn
06:42 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
07:14 < ecrist> good morning, fuckers
07:14 < ecrist> I laugh at you all as I'm on vacation for the next four days, and you need to go work.
07:14 < ecrist> muahahaha!
07:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:25 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
07:43 -!- TB-Master [n=toni@pD9505392.dip0.t-ipconnect.de] has joined ##openvpn
07:45 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
07:45 -!- eliasp [n=quassel@78.43.213.203] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
07:45 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has joined ##openvpn
07:48 -!- ikarius [n=ross@216.27.182.3] has quit []
08:00 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
08:16 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:19 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has quit ["leaving"]
08:21 -!- dako1 [n=dako@91.177.118.147] has joined ##openvpn
08:22 -!- dako [n=dako@243.192-67-87.adsl-dyn.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)]
08:24 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn
08:33 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
08:40 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:40 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
09:04 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn
09:10 < upb> reiffert: you still here _
09:10 < upb> ?
09:10 < upb> i'm trying to use per client configuration
09:10 < upb> using the 'ccd'/'client config dir'
09:11 < upb> but openvpn server doesnt take the CN from the client cert as the 'ccd'
09:11 < ecrist> yes it does
09:11 < ecrist> you might have things configured wrong
09:12 < ecrist> you need an option in your server config, client-config-dir, which defines a directory where client configs exist
09:12 < upb> what might be configured wrong ?
09:12 < upb> bash-3.1# grep client-config-dir /etc/openvpn/static.conf
09:12 < upb> client-config-dir /etc/openvpn/ccd
09:12 < ecrist> then, you need a file within that directory, named the same as the client CN in their certificate, with their vpn options
09:12 < ecrist> looks right
09:12 < ecrist> now, what's in there?
09:13 < upb> -rwx------ 1 openvpn openvpn 38 2009-02-05 09:16 /etc/openvpn/ccd/t43
09:13 < ecrist> ok, and is that user's CN in their certificate t43?
09:14 < upb> client side:
09:14 < upb> C:\Program Files\OpenVPN\config>openssl x509 -inform PEM -noout -text -in t43.crt
09:14 < upb> Certificate:
09:14 < upb> ....
09:14 < upb> Subject: CN=t43
09:14 -!- RUS [n=Mirc@88.214.199.147] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"]
09:14 < upb> server log:
09:15 < upb> http://rafb.net/p/oX4hBG17.html
09:15 < vpnHelper> Title: Nopaste - No description (at rafb.net)
09:17 < ecrist> I see a line, directly above that, for a different user, looks like the same IP
09:18 < upb> what do you mean above that
09:18 < upb> first line ?
09:18 < ecrist> aye
09:18 -!- bandini [n=bandini@host64-111-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
09:18 < upb> heh, thats the cert chain root
09:19 < upb> the first two lines are basically openssl's verify hook output or smth, standard stuff
09:19 < ecrist> can I see the entire connection log?
09:19 < upb> but im wondering why the CN doesnt make it to the ccd line
09:19 < upb> ok sec
09:20 < upb> http://rafb.net/p/OEplKS24.html
09:20 < vpnHelper> Title: Nopaste - \nopenvpn stuff (at rafb.net)
09:23 < ecrist> it appears that there's something broken with the certificate
09:24 < ecrist> it's missing data
09:24 < ecrist> Thu Feb 5 17:22:21 2009 us=221194 217.159.232.50:1274 [] Peer Connection Initiated with 217.159.232.50:127
09:24 < upb> but which fields?
09:24 < ecrist> that line, the CN should be between the square brackets
09:25 < ecrist> your client certificates should have all the fields your server certificate does, C, ST, L, O
09:25 < upb> hmm ?
09:25 < ecrist> actually, with my setup, I've just got C, ST, and O
09:25 < upb> why's that
09:25 < ecrist> City, State, Organization, and I'm getting matches.
09:26 < ecrist> not sure, I haven't looked into the openvpn source.
09:26 < upb> if it is so, thats a really fucked up scheme because openvpn verifies it ok
09:26 < upb> but i'll try
09:26 < ecrist> it would appear that the openssl routines (the VERIFY OK part) are working, but openvpn's logic can't parse the CN without the other fields.
09:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:28 -!- bandini [n=bandini@host154-104-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
09:29 < ecrist> well, I'm out. COD4 is calling me
09:30 < upb> OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/t43
09:30 < upb> and it is indeed so
09:30 < upb> thanks for the hint, i would not have thought of that, ever :D
09:30 < ecrist> np
09:32 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
09:33 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has quit [Read error: 60 (Operation timed out)]
09:35 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
09:39 -!- Tonik [n=tonik@89.208.9.66] has joined ##openvpn
09:51 < upb> bug found & fixed ;P
09:52 < upb> makes me a bit suspicious about the rest of the crypto code there tho :/
10:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:38 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn
10:38 < xanthus> hi all
10:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:42 < xanthus> I have 4 vpns with 2 or 4 nodes each, all is working well. There is a thing I couldn't get to work, all the machines set the REMOTEHOST variable when connecting with telnet to the other nodes except the machines where Openvpn is running. In that case the REMOTEHOST variable is set with the hostname of the remote lan's router. Is there a fix for that?
10:43 < xanthus> Example: A -> B -> vpn <- C - D when A connects with C or D the REMOTEHOST is set to A, when B connects with C or D the REMOTEHOST is set to C
10:53 < reiffert> REMOTEHOST is set where exactly? bash environment after logging in?
10:53 < reiffert> logging in with telnet?
10:54 < xanthus> yep
10:54 < reiffert> sounds like you are doing double nat then.
10:54 < xanthus> is set by telnet after logging in
10:55 < xanthus> reiffert: how is that?
10:55 < reiffert> after logging in, when you enter the command 'who', what remote IP do you get, lan router?
10:55 < reiffert> xanthus: how is that? Man, my crystal ball is broken, I dont know *anything* about your topology!
10:57 < xanthus> sorry reiffert, i didn't mean it, i wanted to ask something like "Do you mean i am doing nat twice?" (I'm not a native english speaker)
10:58 < reiffert> xanthus: I have no clue if you *are doing* nat in both directions, but when your openvpn server *thinks that you are connecting from the lan gateway* it sounds like it.
10:58 < xanthus> the remote ip is the ip of the lan remote router
10:59 < tjz> bb guys
10:59 < tjz> love you all
11:00 < tjz> i am not gay
11:00 < tjz> lol
11:00 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["Spare me some sleep, please."]
11:04 < T0aD> that was pretty gay
11:07 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has joined ##openvpn
11:10 < xanthus> thanks very much reiffert
11:10 < xanthus> it was the problem
11:26 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit ["Leaving"]
11:32 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has quit [Read error: 54 (Connection reset by peer)]
11:37 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
11:41 -!- Cisien [n=e@208.79.15.102] has joined ##openvpn
11:41 < Cisien> Does OpenVPN GUI work with windows 7 beta?
11:41 < reiffert> there was some bla bla on the mailinglists about that. check them.
11:43 < Cisien> not quite sure how to view the mailing lists without first being part of the mailing list.
11:45 < reiffert> start a browser, go to google and enter: openvpn mailing lists
11:45 < Cisien> ok
11:46 < reiffert> there are two of em, openvpn-users and openvpn-devel, you'd better check both.
11:50 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn []
11:55 < Cisien> i got it installed, it's just not connecting. I have the firewall disabled. and am using the latest windows binary release. Any ideas?
12:14 < Cisien> ok, maybe it's just really slow to connect - i let it sit, it connected, but didn't apply any routes - access denied, so i'm trying with admin privs now.
12:15 < Cisien> tls key negotiation failed to occur within 120 seconds
12:16 < Cisien> satellite link, sometimes it's just stupid slow :P
12:24 -!- Cisien [n=e@208.79.15.102] has quit []
12:24 -!- Cisien [n=e@208.79.15.102] has joined ##openvpn
12:29 -!- Cisien [n=e@208.79.15.102] has quit [Client Quit]
12:29 -!- Cisien [n=e@vps.exoronet.net] has joined ##openvpn
12:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:30 < Cisien> it connected this time, however, it failed to set the IP address on the TAP interface, After I set the address manually, it worked.
12:34 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:43 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:44 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:44 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn []
13:44 -!- Cisien [n=e@vps.exoronet.net] has quit [Read error: 60 (Operation timed out)]
13:51 -!- xattack [i=xattack@132.248.108.239] has quit [Remote closed the connection]
14:35 -!- kyrix [n=ashley@93-82-13-205.adsl.highway.telekom.at] has joined ##openvpn
15:17 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:23 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
15:24 < plaerzen> hello there
15:35 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn
15:35 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn []
16:16 -!- kyrix [n=ashley@93-82-13-205.adsl.highway.telekom.at] has quit [Remote closed the connection]
16:27 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has joined ##openvpn
16:34 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
16:49 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn
17:02 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn
17:13 -!- kim0 [n=kimoz@unaffiliated/kim0] has left ##openvpn ["Konversation terminated!"]
17:19 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has left ##openvpn ["http://getsatisfaction.com/boxee/topics/add_more_canadian_content"]
17:36 -!- qmr [n=user@208.119.128.251] has joined ##openvpn
17:36 < qmr> Hi hi
17:36 < qmr> I have absolutely no idea what I'm doing
17:36 < qmr> http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html Trying to follow that
17:36 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
17:37 < qmr> the server is debian linux, and the laptop I'm on is windows xp using openvpn gui
17:37 < qmr> I get message "Thu Feb 05 18:36:31 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use (WSAEADDRINUSE)" when I try to connect from windows
17:37 < qmr> my config files are pretty much what the example says to create ..
17:39 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:50 < qmr> anybody?
17:51 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn
17:53 < bneff> qm: what is the ip of your primary interface?
17:56 < qmr> bneff lolwut
17:56 < qmr> Primary interface?
17:56 < qmr> my LAN connection on the windows?
17:56 < bneff> yes
17:56 < qmr> 192.168.1.122
17:57 < bneff> what did you configure your server.conf with?? the ifconfig line?
17:57 < qmr> exactly like the link says
17:57 < bneff> ok 10.8
17:57 < qmr> ifconfig 10.8.0.1 10.8.0.2
18:00 < bneff> and you've tried turning off the firewall?
18:02 < qmr> Yes
18:02 < qmr> firewall is off
18:03 < qmr> Thu Feb 05 19:08:11 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use (WSAEADDRINUSE)
18:04 < bneff> on your windows box..if you do a netstat -a do you see something using port 1194?
18:05 < qmr> hm
18:05 < qmr> yes
18:05 < bneff> theres a starting point anyways
18:06 < bneff> either another instance of openvpn running or a diff app altogether
18:06 < qmr> Shouldn't be any apps using it
18:06 < bneff> you can try adding the "nobind" option to client config ..openvpn will just pick a port to bind to
18:07 < qmr> zomg
18:07 < bneff> if you do netstat -aon it will print out the process id that is using it...then you can check the process in task manager
18:07 < qmr> YELLOW COMPUTERS
18:07 < qmr> BWUWAHHAHAHAHAHAHAHHAHA
18:09 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:10 < qmr> http://pastebin.ca/1328509
18:17 < qmr> woot !
18:17 < qmr> I got it to work
18:17 < qmr> http://lifeboat.com/images/frankenstein.jpg
18:21 -!- Tonik [n=tonik@89.208.9.66] has quit [Read error: 110 (Connection timed out)]
18:28 -!- Tonik [n=tonik@89.208.9.87] has joined ##openvpn
18:46 -!- TB-Master [n=toni@pD9505392.dip0.t-ipconnect.de] has quit [Remote closed the connection]
18:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
19:02 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
19:05 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
19:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:18 -!- Tonik [n=tonik@89.208.9.87] has quit []
19:19 -!- qmr [n=user@208.119.128.251] has quit ["Leaving"]
19:55 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
20:09 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
21:20 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
22:02 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
22:03 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
22:10 < clustermagnet> guys, to speed up NFS performance over openvpn... i think there are some mtu tags that can be specified... in openvpn.conf on the server
22:10 < clustermagnet> can someone suggest where i should look? :)
22:10 < clustermagnet> thanks
22:11 < clustermagnet> link-mtu 1456
22:11 < clustermagnet> mssfix 1412
22:11 < clustermagnet> is this correct?
22:17 < clustermagnet> yeh, its not helping :(
22:17 < clustermagnet> NFS performance is still quite slow over openvpn :(
22:17 < clustermagnet> it takes 30 seconds to list a large directory
22:18 < clustermagnet> :(
22:27 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:06 -!- Tonik [n=tonik@89.208.9.130] has joined ##openvpn
23:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
23:39 -!- justdave [n=dave@unaffiliated/justdave] has quit ["console received shutdown notice: kernel upgrade in progress"]
23:53 -!- Deiz [n=swh@unaffiliated/deiz] has joined ##openvpn
23:54 -!- clincher [n=clincher@pool-96-240-0-32.nwrknj.fios.verizon.net] has joined ##openvpn
--- Day changed Fri Feb 06 2009
00:00 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
00:11 < Deiz> I'm utterly stumped; how do I route all my traffic (Other than traffic to the OpenVPN server's IP) through the VPN?
00:11 < Deiz> Making tun0 the default with route and specifying one exception (for the server) results in nothing but communication with the server working.
00:12 -!- justdave [n=dave@unaffiliated/justdave] has quit ["Reconnecting"]
00:12 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
00:15 -!- Tonik_ [n=tonik@89.208.26.215] has joined ##openvpn
00:15 -!- Tonik [n=tonik@89.208.9.130] has quit [Read error: 104 (Connection reset by peer)]
00:18 -!- krzie [n=k@unaffiliated/krzee] has joined ##openvpn
00:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:52 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
00:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
00:57 < upb> Deiz: then youre doing smth very wrong
00:57 < upb> you need to setup source routing
00:58 < upb> because technically your host is multihomed (it doesnt matter that the other interface is a tun device)
01:02 -!- krzie [n=k@unaffiliated/krzee] has quit ["Leaving"]
01:33 < reiffert> moin
01:34 < reiffert> Deiz: --redirect-gateway def1
01:50 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
02:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:36 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
02:50 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 113 (No route to host)]
02:57 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:58 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
03:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:36 -!- c64zottel [n=hans@p5B17B2F5.dip0.t-ipconnect.de] has joined ##openvpn
03:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
03:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
03:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:08 -!- worch_ [i=worch@battletoad.com] has quit [Read error: 60 (Operation timed out)]
04:08 -!- worch [i=worch@battletoad.com] has joined ##openvpn
04:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
04:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:22 -!- c64zottel [n=hans@p5B17B2F5.dip0.t-ipconnect.de] has left ##openvpn []
04:30 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:52 -!- aroedl [n=aroedl@brln-4db900a5.pool.einsundeins.de] has joined ##openvpn
04:53 -!- aroedl [n=aroedl@brln-4db900a5.pool.einsundeins.de] has left ##openvpn ["http://howflow.com/"]
04:56 -!- bogdan_ [n=bogdan@84.201.239.103] has joined ##openvpn
05:07 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
05:34 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)]
05:36 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn
05:44 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
05:59 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn
05:59 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn []
06:00 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
06:13 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["Spare me some sleep, please."]
06:20 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection]
06:41 -!- bogdan_ [n=bogdan@84.201.239.103] has quit [Read error: 60 (Operation timed out)]
07:16 -!- Gnutoo [n=gnutoo@host221-133-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
07:16 < Gnutoo> hello, I've this error: Fri Feb 6 14:19:48 2009 192.168.1.107:40839 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned what should I do?
07:19 < ecrist> um, make a certificate
07:20 -!- yash [n=chatzill@123.237.86.142] has joined ##openvpn
07:21 < yash> hi, can anyone tell me if vpn using openvpn is better or vpn using stunnel is better or am I just being a noob and both are the same?
07:22 < yash> anyone there???
07:22 < Gnutoo> ecrist, I have one and it's valid
07:23 < Gnutoo> yash, don't know sorry
07:23 < yash> thanks gnutoo, at least someone responded :-)
07:24 < Gnutoo> I've these certs: ca.crt openvpn-asterisk-105.crt openvpn-asterisk-105.csr openvpn-asterisk-105.key sip.conf
07:25 < Gnutoo> maybe that's because of remote-cert-tls server
07:29 < Gnutoo> I found the reason...i removed the crl-verify /etc/openvpn/sip-keys/crl.pem line
07:39 < Gnutoo> why do I have Fri Feb 6 14:43:17 2009 us=799095 /sbin/ifconfig tun1 10.0.0.6 pointopoint 10.0.0.5 mtu 1500 instead of Fri Feb 6 14:43:17 2009 us=799095 /sbin/ifconfig tun1 10.0.0.6 pointopoint 10.0.0.1 mtu 1500 ?
07:46 < reiffert> yash: openvpn and stunnel are two totally different concepts.
07:46 < reiffert> yash: there is no "better".
07:47 < yash> reiffert: Thank you. Can one setup VPN using stunnel?
07:47 < yash> Can one setup a virtual private network (without SSL)?
07:47 < reiffert> yash: yes (but whatever that means).
07:47 < reiffert> yash: yes again.
07:48 < yash> can you please point me in the right direction? Google isnt that helpful :-)
07:48 < reiffert> no.
07:48 < yash> ok reiffert, thank you
07:49 < reiffert> sorry pal, my crystal ball is broken and I very much dislike getting pieces out of everybody's nose.
07:49 < reiffert> so either come up with an openvpn specific question or tell us what you want and wait for someone to reply.
07:52 < Gnutoo> reiffert, hello, i've the wrong pointopoint...how do I handle this?
07:53 < Gnutoo> reiffert, I've Fri Feb 6 14:57:10 2009 us=353763 /sbin/ifconfig tun1 10.0.0.6 pointopoint 10.0.0.5 mtu 1500 and i'd like to have 10.0.0.1 instead of 10.0.0.5
07:54 < Gnutoo> reiffert, I've also push "route-gateway 10.0.0.1" on the server
07:56 < reiffert> Gnutoo: read up the manpage, look for what the --server line expands to and have a look for --topology.
07:56 < Gnutoo> reiffert, ok thanks
08:00 < Gnutoo> reiffert, thanks a lot I changed the topology to p2p and it magically worked!!!
08:08 -!- Gnutoo [n=gnutoo@host221-133-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
08:12 < ecrist> I hate people that don't give the entire log, and expect an answer
08:13 < ecrist> then, when they figure it out (with full logs available), they act like they're smarter/better than anyone else in here.
08:23 < c64zottel> thats called: information hiding, and a normal procedure in our sad world...
08:25 < reiffert> ecrist: pointing to someone in particular?
08:25 < ecrist> Gnutoo
08:25 < reiffert> well, those 3 lines I was reading from him sounded enough for me.
08:26 < ecrist> I was referring to his first CRL problem.
08:26 < ecrist> I told him the certificate didn't exist, which really *was* the answer, but I didn't know which certificate didn't exist.
08:28 < reiffert> Personally I dislike getting pieces of information from people. It makes me ask a lot of questions just to get another piece of the cake.
08:38 -!- yash [n=chatzill@123.237.86.142] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"]
08:59 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
09:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
09:20 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
09:25 -!- fralev [i=8d25217d@gateway/web/ajax/mibbit.com/x-915b3c4ee6a6a7c4] has joined ##openvpn
09:26 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn []
10:09 -!- fralev [i=8d25217d@gateway/web/ajax/mibbit.com/x-915b3c4ee6a6a7c4] has quit ["http://www.mibbit.com ajax IRC Client"]
10:10 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:37 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has joined ##openvpn
10:51 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
10:59 < plaerzen> g'morning irc
11:00 < krzee> wassup =]
11:00 < plaerzen> not much, just setting up a few users, messing around with some new HP metal.
11:01 < plaerzen> foosball in 25 minutes
11:01 < plaerzen> wassap with you?
11:08 -!- ikarius [n=ross@216.27.182.3] has quit []
11:23 < krzee> visiting northern cali
11:23 < krzee> smokin bud and chillen =]
11:23 < Kobaz> rollin with the homies
11:32 < ecrist> aww
11:32 < ecrist> bring some bud up here, hang with me.
11:33 < krzee> =/ im packed with places to go and i dont cross state lines with bud
11:34 < krzee> dont need to give them a reason to not let me go home
11:35 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has left ##openvpn []
11:35 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn
11:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
11:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:21 -!- dako [n=dako@91.177.118.147] has joined ##openvpn
12:21 -!- dako1 [n=dako@91.177.118.147] has quit [Read error: 113 (No route to host)]
12:25 < Deiz> Hrm
12:25 < Deiz> Got redirect-gateway def1 going, but I'm unsure of how to get the traffic onto the internet.
12:27 < Deiz> Server has two interfaces, eth0 and ppp0. The latter being the only one that's connected to the internet.
12:27 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:27 < Deiz> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE seems to not work
12:28 < wonko> hmmm, my tunnel performance blows, great!
12:28 < upb> lol, is source in postrouting even allowed ?:PP
12:29 < reiffert> Deiz: netfilter.org
12:30 < reiffert> Deiz: documentation
12:30 < reiffert> Deiz: nat
12:30 < reiffert> Deiz: http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html
12:30 < vpnHelper> Title: Linux 2.4 NAT HOWTO (at netfilter.org)
12:30 < reiffert> Deiz: # 4.1 I just want masquerading! Help!
12:33 < Deiz> reiffert: Thanks a lot.
12:33 < Deiz> I was missing the last bit.
12:34 < plaerzen> krzee, sounds like relax.
12:35 -!- clincher [n=clincher@pool-96-240-0-32.nwrknj.fios.verizon.net] has left ##openvpn ["Leaving"]
12:37 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
12:41 -!- Federico2 [n=Fede@193.200.193.239] has quit ["Leaving"]
12:51 -!- dako [n=dako@91.177.118.147] has quit [Read error: 113 (No route to host)]
12:52 -!- GreenCult [n=greencul@200.48.85.18] has joined ##openvpn
13:20 -!- dako [n=dako@193.93.114.250] has joined ##openvpn
13:26 -!- dako1 [n=dako@193.93.114.250] has joined ##openvpn
13:26 -!- dako [n=dako@193.93.114.250] has quit [Read error: 104 (Connection reset by peer)]
13:40 -!- dako2 [n=dako@193.93.114.250] has joined ##openvpn
13:40 -!- dako1 [n=dako@193.93.114.250] has quit [Read error: 104 (Connection reset by peer)]
13:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [No route to host]
15:04 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has joined ##openvpn
15:10 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has quit [Client Quit]
15:17 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
15:17 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)]
16:10 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:22 < Deiz> Hmm.
16:22 < Deiz> I have NAT, redirect-gateway1 working... Sometimes.
16:23 < Deiz> The server passes the proper things to the client's route, but for the duration of the idle timeout, ipv4 forwarding doesn't work
16:23 < Deiz> After it times out and re-establishes, forwarding works.
16:23 < Deiz> Seems to be 100% repeatable
16:24 < reiffert> what do you expect to happen instead?
16:24 < Deiz> I'd expect forwarding to work after the initial connection.
16:24 < Deiz> Why should it have to time out before it works?
16:25 < reiffert> alright, time to get some cleanup here. Explain your following statements:
16:25 < reiffert> duration of the idle timeout,
16:25 < reiffert> idle timeout
16:25 < reiffert> ipv4 forwarding: from where to where
16:25 < reiffert> show us your setup
16:25 < reiffert> re-establishes?
16:25 < reiffert> works?
16:25 < Deiz> Heh.
16:25 < reiffert> repeatable?
16:26 < reiffert> and last:
16:26 < reiffert> "it" from your last sentence.
16:26 < reiffert> and "initial connection" of course.
16:29 < Deiz> http://pastebin.ca/1329445
16:29 < Deiz> That's the output from the client.
16:29 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
16:30 < Deiz> I was only able to make use of ipv4 forwarding (From the client to the server, then NATed onto the internet) after the ping-restart at 17:25:41
16:30 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
16:32 < reiffert> check out the manpage, persist-tun
16:33 < reiffert> and/or adjust the restart timings.
16:38 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: upb
16:39 -!- Netsplit over, joins: upb
16:42 < Deiz> reiffert: But what causes this?
16:43 < Deiz> I have persist-tun and persist-key enabled in my conf
17:06 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
18:31 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Read error: 60 (Operation timed out)]
18:34 -!- T0aD [n=nnnnnnnn@217.73.17.12] has joined ##openvpn
18:37 < sigius> Q: not really related to openvpn but maybe someone here knows: if I do a 'ssh target reboot' the target does reboot but subsequently the ssh connection hangs (sometimes). ssh only returns when the target comes back up again. How can I reboot AND have ssh return ? (btw there is no screen on the target and also I prefer not to have to write a dedicated target side script for this)
18:43 < krzee> reboot &
18:43 < krzee> in single or double quotes prolly
18:44 -!- GreenCult [n=greencul@200.48.85.18] has quit []
18:44 < sigius> i'll try that
18:47 -!- Tonik_ [n=tonik@89.208.26.215] has quit []
18:47 * dvl figures this is good, but perhaps NSFW: http://www.youtube.com/watch?v=DtfMxL2VTJQ
18:47 < vpnHelper> Title: YouTube - Broadcast Yourself. (at www.youtube.com)
18:48 * dvl figures this is good, but perhaps NSFW: http://www.youtube.com/watch?v=DtfMxL2VTJQ
18:48 * dvl figures this is good, but perhaps NSFW: http://www.youtube.com/watch?v=DtfMxL2VTJQ
18:48 < vpnHelper> Title: YouTube - Broadcast Yourself. (at www.youtube.com)
18:48 * dvl apologizes for the repeat
18:49 < krzee> haha
19:05 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has joined ##openvpn
19:05 < deibhaid> hello
19:06 < deibhaid> !configs
19:06 < vpnHelper> deibhaid: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:14 -!- MRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
19:14 -!- MRCUTEO is now known as mRCUTEO
19:14 < mRCUTEO> hiya all
19:15 < deibhaid> hello
19:15 < deibhaid> !route
19:15 < vpnHelper> deibhaid: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
19:17 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
19:29 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has quit ["This computer has gone to sleep"]
19:34 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has quit [Remote closed the connection]
19:37 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has joined ##openvpn
19:39 < jacktow> as i understand it, openvpn for windows requires the TAP driver to be installed and its service to be up. is there a way to remove this dependency?
19:49 -!- T0aD [n=nnnnnnnn@217.73.17.12] has quit [Remote closed the connection]
19:50 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
19:53 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Read error: 110 (Connection timed out)]
19:55 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
19:58 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
19:58 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has joined ##openvpn
19:59 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:13 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Connection reset by peer]
20:14 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
20:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:46 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
20:56 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
21:45 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
22:43 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
22:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
22:48 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn
22:48 < Mood> is it possible to connect to a VPN inside a firewall?
22:48 < Mood> i need to test it, so i want to connect via openVPN from a LAN machine to the server. is that possible?
22:52 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
23:00 < ropetin> Mood: if you can access the VPN server I don't see why not. You mean you and the server are both on the same side of the firewall?
23:02 < Mood> ropetin: yes, my vpn server is running on machine1, my vpn client on machine 2, both on the inside of a firewall LAN. are there any special features or exceptions i need to be aware of? (e.g. ssh, ftp, http)
23:03 < ropetin> Nope, don't think so
23:03 < ropetin> Give it a go, if something doesn't work, let us know and we'll figure it out
23:04 < Mood> ropetin: :-) ok
23:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
23:19 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has quit ["Leaving."]
23:47 -!- Mood [n=Mood@unaffiliated/mood] has quit [Read error: 60 (Operation timed out)]
23:51 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has joined ##openvpn
--- Day changed Sat Feb 07 2009
00:04 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
00:08 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn
00:08 < tjz> i have a question..
00:10 < ropetin> OK...
00:14 < tjz> hehe
00:14 < tjz> i have sorted it out
00:14 < tjz> :P
00:15 < lolipop> yo tjz
00:25 < tjz> hey
00:26 < tjz> actually trying to find you also :P
00:36 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn
00:37 < Mood> help!
00:37 < Mood> i tried installing openvpn, now my ubuntu fails to boot :-( gets stuck at Now Configuring Network Interfaces...
00:38 < ropetin> If you let it sit there for a couple of minutes does it eventually time out?
00:38 < ropetin> Or what happens if you try and change to a different TTY? Do you have a login prompt?
00:38 < Mood> i never get a login prompt. it fails ... i waited for about 15 minutes. that's not normal :-(
00:46 < ropetin> Nope. So try doing Ctrl+Alt+F1, F2, F3 etc to see if you can get a prompt
00:49 < Mood> i'm going to try cleaning out my /etc/init.d/
00:57 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
01:11 -!- Mood [n=Mood@unaffiliated/mood] has quit ["Leaving"]
01:12 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:13 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:26 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn
01:48 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
01:51 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)]
01:54 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Excess Flood]
01:55 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
01:56 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:03 -!- Mood [n=Mood@unaffiliated/mood] has quit ["Leaving"]
02:12 -!- ikarius [n=ross@216.27.182.3] has left ##openvpn []
02:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
02:49 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has joined ##openvpn
02:57 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
03:06 -!- dako2 [n=dako@193.93.114.250] has quit [Read error: 60 (Operation timed out)]
03:31 < reiffert> idiot.
03:33 < ropetin> Who?
03:38 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
03:42 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has joined ##openvpn
03:43 -!- julius [n=julius@p57B25432.dip.t-dialin.net] has joined ##openvpn
03:43 < julius> hello
03:45 < julius> hehe - problem solved
03:46 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn
03:47 < Mood> ropetin: still awake?
03:50 < ropetin> Yup!
03:52 < Mood> ropetin: it was not a problem with openvpn 03:53 < Mood> ropetin: it was a problem with the way i configured /etc/network/interfaces 03:54 < ropetin> :D OK 03:54 < ropetin> That's good to know 03:54 < Mood> ropetin: uptime on my server was a week, but early on i had edited /etc/network/interfaces (long story). it was deceptive since it was essentially a broken interfaces file, but my services were already running in the bg despite /etc/init.d/networking restart 03:54 < ropetin> Ah hah! 03:55 < Mood> ropetin: so when i did a hard reboot, surprise, my system blew up and never booted 03:55 < Mood> ropetin: took a long a$$ while to isolate, first booting from live CD, mounting drives, chrooting, uninstalling openvpn, etc. etc etc ad nauseum 03:56 < ropetin> Well at least it was a learning experience 03:56 < julius> hehe 03:56 < Mood> ropetin: yeah i was almost about to pass a negative verdict on linux and reformat!!! :-s 03:56 < ropetin> Noooooooooooooo :D 03:57 < Mood> so, i will only install openvpn using a better writeup. the "official" one on ubuntu.com sucks b4llz 03:59 < ropetin> Go to the source, OpenVPN.net 04:00 < Mood> ropetin: good call 04:02 < reiffert> ropetin: Modd. 04:03 < ropetin> reiffert: OK.... 04:03 < reiffert> Mood: next time boot by init=/bin/bash 04:03 < ropetin> :D 04:04 < Mood> reiffert: not sure how to do that 04:04 < reiffert> it's a kernel parameter. Your bootloader will call the kernel with that parameter. 04:04 < reiffert> So edit the bootloader startup line by editing it while in grub. 04:04 < reiffert> e for edit 04:04 < reiffert> select, edit, b for boot. 04:05 < Mood> reiffert: very convenient. 04:06 < reiffert> you end up at a prompt, your shell. you manually have to remount / rewriteable, but thats it. 04:06 < Mood> reiffert: so it'll just boot w/o any network settings or anything? kind of like 'safe mode' w/o any X? just a commandline? 04:06 < reiffert> mount -o remount,rw / 04:06 < reiffert> just plain shell. 
04:06 < julius> Mood: kind of - but it's pretty easy to set up networking 04:07 < Mood> reiffert: cool 04:07 < julius> `dhclient eth0` should do the job :) 04:07 < Mood> julius: just /etc/init.d/networking restart i guess? 04:07 < Mood> julius: ahh, ok 04:07 < julius> that's even better - yes 04:07 < reiffert> julius: it's not *that* easy when your init script just hangs in the forest during startup and decides to stay there. 04:08 < julius> I meant setting it up when you've booted using init=/bin/bash 04:09 < reiffert> julius: it won't work. 04:09 < julius> without modules or why? 04:09 < reiffert> julius: recent linux distros come up with whatsoever automatism fuckoff like udev, hal and whatnot, so dhclient will not work. 04:09 < julius> oh - kay 04:11 < reiffert> udev is the first thing I remove after bootstrap. 04:11 < reiffert> and initrd. I hate both of em. 04:11 < julius> so you're booting directly or using initramfs? 04:13 < reiffert> I dont like loading kernel modules just for accessing my hardware. I compile a static kernel (even without any module if possible, the module loader routines are b0rked sometimes) 04:13 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:13 < reiffert> julius: so yes, booting a kernel that knows how to access the harddrive and it's network card andsoon 04:13 < julius> cool 04:13 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 04:14 < reiffert> julius: without an initial ramdisk that need to load modules for that 04:14 * julius doesn't like modules very much either 04:18 < julius> but most uf the time I'm using the kernel provided by the distribution's package management 04:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:44 < Mood> does openvpn work well w/ ubuntu? 04:45 < reiffert> y 04:47 < Mood> do you do bridging? or routing? 
04:47 < julius> okay - accessing an openvpn server through a pfsense gateway is awesome :) 04:47 * julius does routing 04:47 < Mood> julius: what distro you running? 04:48 < reiffert> Mood: both 04:48 < julius> Mood: debian etch/stable on the server 04:48 < julius> pfsense uses freebsd afaik 04:48 < Mood> i don't need any special configuration for IPv4 if i want to use routing w/ ubuntu/debian? 04:49 < julius> do you want two hosts to be able to communicate? 04:50 < Mood> julius: erm.. i want several clients to communicate with a server... not sure about 'hosts' 04:51 < reiffert> Mood: look, redhat and suse do both use RPM as package manager. 04:51 < reiffert> Mood: do you think redhat and suse have anything in common? 04:51 < Mood> i only used redhat about 8 years ago on a 486 machine :-s 04:52 < Mood> so i wouldn't know 04:52 < Mood> i take it redhat and suse are quite different? 04:52 < reiffert> right. 04:53 < reiffert> So if using ubuntu, dont call it debian and vice versa. 04:53 < reiffert> They both use the same package manager, and THATS IT! 04:53 < Mood> heh, understood :-P 05:06 < Mood> are vpnc and pptp commercial products? like $? 05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:18 < reiffert> n 05:23 < reiffert> o 05:30 < Mood> ty 05:40 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)] 05:41 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has joined ##openvpn 05:50 < upb> haha 05:50 < upb> you can use pptp from-to linux also 05:50 < reiffert> y 06:00 < Mood> so when using vpn, it's recommended to choose LAN subnet IPs that are NOT 192.168.x.x? Egh. 06:00 < julius> 10.0.0.0/8 is way cooler :) 06:04 < upb> huh wtf P 06:04 < upb> why would you think that mood 06:09 < Mood> openvpn.net->Numbering private subnets->"For example..." 
http://openvpn.net/index.php/documentation/howto.html#numbering 06:09 < vpnHelper> Title: HOWTO (at openvpn.net) 06:10 < Mood> "The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely." 06:10 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 06:10 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 06:34 < reiffert> Mood: 06:34 < reiffert> !howto 06:34 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:34 * Mood erms 06:47 -!- xanthus1 [n=marcelor@r190-134-34-214.dialup.adsl.anteldata.net.uy] has joined ##openvpn 06:55 -!- xanthus1 [n=marcelor@r190-134-34-214.dialup.adsl.anteldata.net.uy] has left ##openvpn [] 06:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:18 -!- Sypher|NL [n=no@unaffiliated/syphernl/x-737232] has joined ##openvpn 07:19 < Sypher|NL> Hi folks, I've set up a VPN (tun) and I can connect to it. But I cannot get my gateway to work. I'd like to use the internet over my VPN tunnel instead of direct (security reasons).... At one point I got 10.8.0.5 as gateway but i am unable to ping it while i can ping 10.8.0.1 07:32 < reiffert> --redirect-gateway def1 07:32 < Sypher|NL> may I ask what the def1 is doing exactly? 07:33 < Sypher|NL> i had the push redirect-gateway in my server config, but without def1 07:33 < reiffert> !man 07:33 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 07:33 < reiffert> check it in the manpage. 
07:34 < Sypher|NL> i've been there 07:39 -!- Tonik [n=tonik@89.208.26.215] has joined ##openvpn 07:40 -!- Sypher|NL [n=no@unaffiliated/syphernl/x-737232] has quit [] 07:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:51 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:16 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 08:17 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 60 (Operation timed out)] 08:19 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:22 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 08:23 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 08:23 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 08:34 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has left ##openvpn [] 08:46 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has quit [Read error: 104 (Connection reset by peer)] 08:51 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has quit ["This computer has gone to sleep"] 09:00 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 09:28 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has quit [Read error: 110 (Connection timed out)] 09:40 -!- Tonik_ [n=tonik@89.208.26.33] has joined ##openvpn 09:45 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 09:45 -!- Tonik [n=tonik@89.208.26.215] has quit [Read error: 113 (No route to host)] 10:06 < tjz> any idea having problem getting openvpn to work on vista? 10:06 < tjz> it still show the local isp even after connected.. 10:33 < Kobaz> it works on vista 10:34 < reiffert> tjz: "it still show the local isp" != helpful 10:38 -!- angryuser__ [n=gdobrovo@LPuteaux-151-42-35-99.w193-251.abo.wanadoo.fr] has joined ##openvpn 10:39 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has joined ##openvpn 10:41 < angryuser__> hello, can someone help me ? 
i am trying to build a openvpn package for centos 2.1 rc15 and the rpmbuild -tb gives me following error http://pastebin.ca/1329978 thank you for help 10:42 < tjz> reiffert, yea.. 10:42 < tjz> did a traceroute to yahoo after connected 10:42 < tjz> his vista still show he is tracing from his ISP 10:45 < Kobaz> it depends how the server is set up 10:45 < Kobaz> if you aren't using redirect-gateway, then your regular internet traffic will route through your isp 11:14 < tjz> i am using redirect.. 11:20 < tjz> good nite, guys 11:20 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["Spare me some sleep, please."] 12:18 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has joined ##openvpn 12:19 -!- Tonik_ [n=tonik@89.208.26.33] has quit [Read error: 104 (Connection reset by peer)] 12:29 -!- Tonik [n=tonik@89.208.26.103] has joined ##openvpn 12:57 < deibhaid> !man 12:57 < vpnHelper> deibhaid: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:18 -!- julius [n=julius@p57B25432.dip.t-dialin.net] has quit ["Wirf mir mal das grosse Messer r"uber"] 13:26 < deibhaid> Hey everyone. I've been lurking here for a day or so and read the man and howto. I have setup up a vpn from a openvz node that's part of a remote lan. Our client computers connect fine to the lan with our private ip's being 10.8.0.* initially we couldn't ping the vpn server, but upon adding push "route 10.0.2.0 255.255.255.0" that was rectified. the issue now is that we cannot ping outside of the vlan. tcpdump shows that packet 13:26 < deibhaid> s are being sent, but they never pass the vpn server to access other computer in the vpn server's private network. 
13:47 < upb> outside the vlan_ 13:48 < upb> what does a vlan have to do with this 13:48 < deibhaid> I am referring to the openvpn as a vln 13:48 < deibhaid> sorry I meant the vpn 13:49 < upb> do you have a device on the lan you could use for monitoring_ 13:49 < upb> see whether the packets really get to the lan 13:50 < upb> and does tcpdump show packets being sent out of the lan interface? 13:50 < deibhaid> yeah I will show you. hold on one sec 13:52 < deibhaid> here is tcpdump showing two different ip's 13:52 < deibhaid> .141 is the vpn server 13:52 < deibhaid> and .140 is another computer in the vpn's lan 13:53 < deibhaid> 11:56:23.533493 IP 10.8.0.6 > 10.0.2.240: ICMP echo request, id 7455, seq 52, length 64 13:53 < deibhaid> 11:56:28.131743 IP 10.8.0.6 > 10.0.2.241: ICMP echo request, id 8479, seq 0, length 64 13:53 < deibhaid> 11:56:28.179122 IP 10.0.2.241 > 10.8.0.6: ICMP echo reply, id 8479, seq 0, length 64 13:53 < deibhaid> 11:56:29.134768 IP 10.8.0.6 > 10.0.2.241: ICMP echo request, id 8479, seq 1, length 64 13:54 < deibhaid> sorry 240 and 241 13:54 < deibhaid> 240 just requests and receives no reply 13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 UDPv4 READ [125] from *.21.193.128:59743: P_DATA_V1 kid=0 DATA len=124 13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 TUN WRITE [84] 13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 TUN READ [84] 13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 UDPv4 WRITE [125] to *.21.193.128:59743: P_DATA_V1 kid=0 DATA len=124 13:56 < deibhaid> that is for packets that go through to the vpn server 13:57 < deibhaid> with .241 13:58 < deibhaid> from /var/log/messages of the vpn server 13:58 < deibhaid> whether we have a device for monitoring or now, I am not sure about that. 
lemme check 14:03 < deibhaid> in addition to that we tried setting up routing tables 14:06 < deibhaid> and the vpn servers' tcpdump is: 14:06 < deibhaid> 23:11:52.823928 IP 10.8.0.6 > 10.0.2.240: ICMP echo request, id 19487, seq 18, length 64 14:06 < deibhaid> 23:11:53.823651 IP 10.8.0.6 > 10.0.2.240: ICMP echo request, id 19487, seq 19, length 64 14:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:47 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 14:54 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has quit ["Leaving"] 14:55 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has joined ##openvpn 15:00 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:08 -!- Mood [n=Mood@unaffiliated/mood] has quit [Read error: 110 (Connection timed out)] 15:55 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has quit [Remote closed the connection] 15:57 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has joined ##openvpn 15:57 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has joined ##openvpn 16:00 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 16:26 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has quit ["Leaving."] 17:09 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn 17:09 < djc> has anyone tried to run openvpn on Android? 
17:10 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has joined ##openvpn 17:21 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has quit ["Leaving."] 17:47 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has quit [Remote closed the connection] 17:50 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 17:50 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 17:51 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has joined ##openvpn 18:54 < krzee> djc, main thing you'll need is tuntap drivers for it 19:27 -!- Tonik [n=tonik@89.208.26.103] has quit [] 20:09 < reiffert> moin 20:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 20:24 -!- Tonik [n=tonik@89.208.26.103] has joined ##openvpn 20:52 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 20:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 20:56 -!- xanthus1 [n=marcelor@r190-64-186-172.dialup.adsl.anteldata.net.uy] has joined ##openvpn 20:56 -!- xanthus1 [n=marcelor@r190-64-186-172.dialup.adsl.anteldata.net.uy] has left ##openvpn [] 21:08 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has joined ##openvpn 21:09 < JasonWoof> I'm only indirectly connected to my firewall/router (linux box). 
I'm running an openvpn server on the computer between me and the router, so I can connect to the router box through the tun0 openvpn device 21:09 < JasonWoof> so this computer, and my router are clients on the openvpn network 21:10 < JasonWoof> I'd like to rout all my internet traffic through openvpn to my router (set it as my default route) 21:10 < JasonWoof> I tried this, and get no response 21:11 < JasonWoof> I carefully updated my iptables rules on the router to make sure it'll route for the openvpn network 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 21:25 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Read error: 101 (Network is unreachable)] 21:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 22:07 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn 22:16 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn 22:18 < Phoenixfire159> Hi, I am three VPS servers on the same physical network (along with a number of other untrusted servers), I want to make sure all communication between my three VPS servers are encrypted, most services include some sort of SSL/TLS mode that does this automatically, but some things such as rsync and glusterfs don't support this 22:18 < Phoenixfire159> Is OpenVPN the right tool for this job? 22:18 < Phoenixfire159> I was thinking of setting up a VPN across all three machines 22:23 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Read error: 54 (Connection reset by peer)] 22:33 -!- Tonik [n=tonik@89.208.26.103] has quit [] 23:31 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-29af80bb53b5cf1a] has joined ##openvpn 23:32 < Natilous> reiffert: ping 23:33 < Natilous> reiffert: I want to Limit users bound wide with OpenVPN. Is it possible ? 23:34 < Natilous> reiffert: If yes can you help me ?! 
23:34 < Natilous> Any one can help me ? 23:39 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-29af80bb53b5cf1a] has quit ["http://www.mibbit.com ajax IRC Client"] 23:49 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out] 23:51 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 23:52 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 23:53 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 23:53 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] --- Day changed Sun Feb 08 2009 00:36 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has left ##openvpn [] 00:44 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has joined ##openvpn 01:09 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection] 02:21 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has quit [Connection timed out] 02:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 02:38 -!- ikevin_ [n=kevin@ANancy-256-1-53-94.w90-26.abo.wanadoo.fr] has joined ##openvpn 02:48 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has quit ["Leaving"] 02:53 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 03:10 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:18 -!- Kobaz [n=kobaz@its.kobaz.net] has quit [Remote closed the connection] 03:18 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn 04:01 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 04:02 < upb> is there a openvpn trac somewhere? 04:02 < upb> erm i mean svn server 04:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:34 < reiffert> upb: why? 
05:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:35 < upb> to check who changed a certain line 06:49 -!- Tonik [n=tonik@89.208.26.103] has joined ##openvpn 08:13 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn 08:15 -!- Tonik [n=tonik@89.208.26.103] has quit [] 09:04 -!- invalder [n=invalder@85.17.224.166] has joined ##openvpn 09:04 < invalder> !route 09:04 < vpnHelper> invalder: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 09:30 < upb> reiffert: so? 09:36 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 09:38 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 09:44 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has joined ##openvpn 09:47 < JasonWoof> one of the clients on my vpn is set up with NAT/ip-forwarding on it's real ethernet port. I'd like to access the internet through that client (set it as my default route (route add default gw foo)). [how] can I do this? 09:51 -!- invalder [n=invalder@85.17.224.166] has quit ["bb"] 09:53 < upb> by using ip route add default x.x.x.x 09:54 < upb> hmm but 09:54 < upb> you dont have direct connectivity to that ip 09:55 < upb> when you traceroute to that ip, does it show as first hop? 09:55 < upb> if yes you can do it by route add default x.x.x.x dev yourtunneldev 10:00 < JasonWoof> traceroute to the router (vpn) ip shows one hop 10:01 < JasonWoof> but when I set it to default, and traceroute anything on the internet I get nothing 10:01 < upb> no i mean the host you want to set as default gw 10:01 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["bbl"] 10:01 < JasonWoof> the "router" is what I want to use as the default gw 10:01 < upb> hmm then i misunderstood your setup 10:02 < upb> 'one of the clients on my vpn is set up with NAT/ip-forwarding on it's real ethernet port. ' 10:02 < upb> and its connected to the vpn ? 
10:02 < JasonWoof> router (vpn client) <-vpn-> intemmediary (svn server) <-vpn-> laptop 10:03 < JasonWoof> laptop is on VPN, but has no direct internet 10:03 < JasonWoof> I want laptop to get internet through router 10:03 < JasonWoof> router is on the internet, and sharing via iptables/NAT 10:03 < upb> i see 10:03 < upb> s/svn/vpn/ right? 10:03 < JasonWoof> yes, sorry 10:03 < JasonWoof> tma: too many acronyms :) 10:03 < upb> hmm okay 10:04 < upb> and if you set the routers vpn ip as default gw on laptop, what happens ? 10:04 < JasonWoof> I haven't read up on bridging. right now I've got vpn set up in "routing" mode 10:04 < upb> yes thats right 10:04 < JasonWoof> nothing 10:04 < JasonWoof> I can still ping the routers vpn address, but don't get anything back from internet 10:04 < upb> what do you mean nothing, tcpdump on the vpn server 10:05 < upb> on the vpn interface 10:05 < JasonWoof> tracerouting internet IPs doesn't even show the routers vpn ip as a hop 10:05 < JasonWoof> damn, wish I thought of that. thanks. I'll play with tcpdump and report back 10:05 < upb> to see if the packets reach out of openvpn and into the kernel 10:05 < upb> yes 10:08 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has joined ##openvpn 10:10 < JasonWoof> ok, tcpdump on router of vpn device shows no activity when I try to access internet ip from laptop (tried ping and telnet) 10:10 < JasonWoof> trying traceroute 10:10 < JasonWoof> ... 
10:10 < upb> oh i just remembered something 10:11 < upb> you cant do that 10:11 < JasonWoof> ok, traceroute on laptop to ip on the internet shows no activity in tcpdump (on router) 10:11 < upb> because openvpn has a list of cidr masks that are beyound each client 10:11 < upb> and i dont think you can configure openvpn so it thinks the entire internet 0.0.0.0/0 is beyound 'router' 10:11 < upb> otherwise it will drop the packets going from internet to 'laptop' 10:12 < JasonWoof> it's dropping packets from laptop to internet 10:12 < upb> and probably the other way too 10:12 < upb> :/ 10:12 < JasonWoof> yeah, probably 10:12 < upb> but you can try to convince openvpn 10:12 < upb> sec 10:13 < upb> setup ccd so that 'router' has iroute 0.0.0.0 0.0.0.0 10:18 < JasonWoof> crap, out of time. Thank you so much for your help! I'll save what you said and come back to it later (hopefully later today) 10:18 < JasonWoof> have to read up on ccd 10:19 < JasonWoof> also it occured to me that I might be able to get the vpn server to be on router, and connect to it through an ssh tunnel (ssh -L) 10:20 < JasonWoof> I saw in a sample config file for openvpn an easy way to get the vpn server forward packets to the internet with the help of iptables 10:20 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 10:20 < JasonWoof> anyway, I better stop talking, gotta go 10:20 < eagle> hmm what could be wrong if, if im connected with openvpn client <--> server running openvpn, but i can only ping the server not the network? like 192.168.0.55 can i ping (which is the vpn server) but can cant ping .1 thats the gw on the network for example 10:21 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has quit ["Leaving."] 10:21 < eagle> i dont think its any thing wrong with the openvpn config, but could fw problems or something =/ 10:23 < diegoviola> hi, i'm new to openvpn, i need to set up a tunnel between me and my server, so that i can by-pass some sip blockage, how can i do this? 
10:30 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn 12:01 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has joined ##openvpn 12:01 < Dougy> ecrist: ping 12:02 < Dougy> http://www.ovpnforum.com/ | http://www.ovpnforum.com/wiki/index.php/Main_Page 12:02 < vpnHelper> Title: Secure Computing Networks (at www.ovpnforum.com) 12:02 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 12:04 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 12:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)] 12:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 12:10 -!- trifler [i=trifler@farva.bsnet.se] has left ##openvpn [] 12:36 < reiffert> Hi 12:42 < Dougy> heya 12:47 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn 12:53 -!- bandini [n=bandini@host154-104-dynamic.45-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 13:01 < skx> Hello, I have a server with multiple ip addresses, I would like set up openvpn server there acting as a proxy and provide users witth an option to use four different addresses. What is the simplest solution here? Four instances of openvpn server each with different outgoing address? Communication between clients is not a priority. 
13:45 -!- wonko [n=wonko@wiggum.4amlunch.net] has quit [Read error: 110 (Connection timed out)]
13:59 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
14:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
14:31 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has joined ##openvpn
14:34 -!- El_Presidente [i=Martin@p5798F4D7.dip.t-dialin.net] has joined ##openvpn
14:34 < El_Presidente> hello
14:35 < El_Presidente> some time ago i set up an openvpn server / client to surf over my home network
14:35 < El_Presidente> but im not very satisfied with the speed
14:35 < El_Presidente> i have 5mbit upstream on my site at home
14:35 < El_Presidente> but mostly i get just around 500kbit
14:36 < El_Presidente> http://pastebin.com/m5f6671d8 thats my server config
14:38 < El_Presidente> thats my client
14:38 < El_Presidente> http://pastebin.com/m66305de6
14:41 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has left ##openvpn []
14:49 -!- Nucular [i=Martin@p5798E717.dip.t-dialin.net] has joined ##openvpn
14:51 < reiffert> El_Presidente: get rid of the comp lzo. any reason using bridged tap0 setup and not routed tun?
14:51 -!- Nucular [i=Martin@p5798E717.dip.t-dialin.net] has quit [Read error: 54 (Connection reset by peer)]
14:52 < reiffert> El_Presidente: what about inbetween stuff like routers, anything doing QoS or similar?
14:55 -!- Nucular [i=Martin@p5798E717.dip.t-dialin.net] has joined ##openvpn
14:56 -!- El_Presidente [i=Martin@p5798F4D7.dip.t-dialin.net] has quit [Nick collision from services.]
14:56 -!- Nucular is now known as El_Presidente
15:02 < diegoviola> where is the openvpn config file?
15:02 < diegoviola> usually
15:03 < diegoviola> i'm new to it
15:03 < El_Presidente> reiffert, because i want to play games on it also
15:04 < El_Presidente> windows or linux?
15:04 < El_Presidente> linux /etc/openvpn/
15:04 < diegoviola> linux
15:04 < diegoviola> it's empty
15:05 < El_Presidente> put your config there
15:05 < El_Presidente> xyz.conf
15:05 < El_Presidente> and it gets executed on boot
15:11 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:14 < El_Presidente> reiffert, i removed comp-lzo
15:14 < El_Presidente> no changes
15:16 < diegoviola> ok my tun0 device is up
16:04 < reiffert> El_Presidente: how are you measuring bandwidth?
16:05 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
16:05 < reiffert> El_Presidente: I'd advise using ftp or http. Please transfer a 1MB file by ftp/http and show us the result.
16:06 < reiffert> El_Presidente: then stop the openvpn tunnel and transfer the same file again between those two computers.
16:10 < El_Presidente> yes thats how i use it
16:10 < El_Presidente> i use ftp
16:10 < El_Presidente> without the tunnel i have about 4,5mbit
16:11 < El_Presidente> with the tunnel i have between 40kbit and 500kbit
16:11 < reiffert> come up with evidence.
16:12 < El_Presidente> what do you expect?
16:13 < reiffert> something wget puts out
16:13 < reiffert> !mtu
16:13 < vpnHelper> reiffert: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
16:13 < El_Presidente> i tested many settings
16:13 < El_Presidente> the mtu test gives strange results
16:13 < reiffert> ?
16:14 < El_Presidente> [22:08:48] y-chromosome: Sun Feb 08 22:07:34 2009 NOTE: Empirical MTU test completed [Tried,Actual] local
16:14 < El_Presidente> ->remote=[1573,1573] remote->local=[1573,1573]
16:14 < reiffert> Just for the fun of it ...
16:15 < reiffert> try setting http://help.expedient.com/broadband/mtu_ping_test.shtml
16:15 < vpnHelper> Title: MTU Ping Test (at help.expedient.com)
16:15 < reiffert> doh
16:15 < reiffert> try setting --tun-mtu 1500 --fragment 1300 --mssfix
16:15 < sigius> El_Presidente, did you try 'cipher none' ? If you dont need the encryption that might make a difference.
16:15 < El_Presidente> this helped nothing
16:16 < El_Presidente> i wouldnt have asked here if i had not tested that
16:16 < reiffert> El_Presidente: and please come up with some values a bandwidth measurement tool like wget puts out.
16:16 < El_Presidente> i used filezilla for measurement
16:16 < El_Presidente> and unfortunately i did not save the logs of it
16:17 < El_Presidente> it will take some time to do the tests again since i dont have a test person at the moment
16:18 < reiffert> what does it take for you, a http server with a file is enough for you?
16:18 < El_Presidente> i dont have a client that can use my tunnel ...
16:18 < El_Presidente> because he is afk
16:18 < El_Presidente> who needs it
16:18 < reiffert> I see.
16:19 < reiffert> I'd reask on the mailinglists meanwhile
16:21 -!- d0wn [n=nnscript@unaffiliated/d0wn] has joined ##openvpn
16:22 < reiffert> February 13th, UNIX Time Will Reach 1234567890
16:22 < El_Presidente> ;)
16:29 < d0wn> Which OpenVPN rpm should I choose for CentOS 4.7? http://dag.wieers.com/rpm/packages/openvpn/
16:29 < vpnHelper> Title: DAG: openvpn RPM packages for Red Hat, CentOS and Fedora (at dag.wieers.com)
16:30 < El_Presidente> isnt there a package in the centos repo?
16:31 < d0wn> No
16:31 < d0wn> I tried yum install openvpn, and there wasn't anything
16:37 < El_Presidente> i would use the RHEL 4 package
16:39 < reiffert> d0wn: "there wasnt anything" = no icon to click or no openvpn binary in /usr/sbin/?
16:41 < d0wn> reiffert: there was no openvpn package in the centos repo is what i meant
16:54 < ecrist> Dougy: pong
16:56 < Dougy> hey
16:56 < Dougy> ecrist
16:56 < Dougy> what happened to the forum
16:56 < ecrist> sup?
16:56 < ecrist> nothing, should still be there.
16:56 * ecrist looks
16:56 < Dougy> its gone
16:56 < Dougy> www.ovpnforum.com
16:56 < ecrist> oh, it's not gone, I changed the IP, and you've not been around to update it.
16:57 < Dougy> you have my email dood
16:57 < Dougy> lol
16:57 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has quit []
17:26 -!- kyrix [n=ashley@93-82-15-136.adsl.highway.telekom.at] has joined ##openvpn
17:36 -!- kyrix [n=ashley@93-82-15-136.adsl.highway.telekom.at] has quit ["Leaving"]
18:16 -!- El_Presidente [i=Martin@p5798E717.dip.t-dialin.net] has quit ["Verlassend"]
18:23 -!- d0wn [n=nnscript@unaffiliated/d0wn] has quit [Connection reset by peer]
18:23 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
18:34 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection]
18:34 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
18:35 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
18:42 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Read error: 60 (Operation timed out)]
18:45 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection]
18:45 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
18:55 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection]
18:55 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
18:56 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
19:03 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Read error: 60 (Operation timed out)]
19:04 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Read error: 60 (Operation timed out)]
20:06 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
20:16 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection]
20:16 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
20:51 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
20:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:11 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out]
21:24 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
21:50 < diegoviola> is there a way to connect to a L2TP tunnel on linux?
22:02 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn
22:17 -!- diegovio1a [n=diego@pool-71-180-154-80.tampfl.fios.verizon.net] has joined ##openvpn
22:30 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has quit [Read error: 110 (Connection timed out)]
22:32 -!- diegovio1a is now known as diegoviola
23:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:58 -!- diegoviola [n=diego@pool-71-180-154-80.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
23:58 -!- diegovio1a [n=diego@adsl-135-112.click.com.py] has joined ##openvpn
--- Day changed Mon Feb 09 2009
00:05 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has joined ##openvpn
00:05 < tjz> Hello~
00:05 < tjz> where is jeff..
00:05 < tjz> never heard from him these days
00:14 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out]
00:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:05 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
02:17 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
02:21 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
02:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
03:22 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
03:27 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
03:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
03:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
03:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:06 -!- Sypher|NL [n=Sypher@unaffiliated/syphernl/x-737232] has joined ##openvpn
04:06 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)]
04:06 -!- vasco [n=vasco@83.145.69.198] has joined ##openvpn
04:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
04:07 < Sypher|NL> hi Guys, I've setup a OpenVPN tunnel and my client receives a gateway (10.8.0.5) but i'm unable to ping it, but I can ping 10.8.0.1 and all the other network nodes (i have a route in place)
04:07 < vasco> hello, i have a Internet provider routers in front of a firewall with 2 branch, one to the lan and the other to the DMZ. We need to setup a vpn, where i have to install the vpn routers? the lan?
04:22 < reiffert> Sypher|NL: check the manpage, especially --topology and what --server line expands to.
04:22 -!- vasco is now known as PrMoriarty
04:22 -!- PrMoriarty is now known as vasco
04:22 -!- vasco is now known as PrMoriarty
04:23 < reiffert> PrMoriarty: nickchanges enough now?
04:23 < reiffert> PrMoriarty: http://en.wikipedia.org/wiki/Demilitarized_zone_(computing)
04:23 < reiffert> PrMoriarty:
04:23 < reiffert> Services that belong in the DMZ
04:23 < reiffert> Generally, any service that is being provided to users in an external network should be placed in the DMZ.
04:25 < Sypher|NL> reiffert, i should switch from net30 to subnet?
04:27 < reiffert> Sypher|NL: whatever fits your needs.
04:27 < reiffert> Sypher|NL: you were asking "why is something like it is" and I gave you the place to read about the reasons.
04:33 -!- Sypher_ [n=Sypher@s5590f00b.adsl.wanadoo.nl] has joined ##openvpn
04:33 < Sypher_> reiffert, it sort of worked
04:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:35 < reiffert> krzee: .
04:36 < reiffert> krzee: u there?
04:37 -!- Sypher` [n=Sypher@145.89.206.88] has joined ##openvpn
04:37 -!- Sypher` [n=Sypher@145.89.206.88] has quit [Client Quit]
04:38 < reiffert> krzee: any idea what else to do here? http://pastebin.ca/1331501
04:52 -!- Sypher|NL [n=Sypher@unaffiliated/syphernl/x-737232] has quit [Read error: 110 (Connection timed out)]
04:54 -!- Sypher_ [n=Sypher@s5590f00b.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
05:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
05:04 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
05:17 < krzee> well
05:17 < krzee> he says he used filezilla for measurement
05:17 < krzee> that could mean he was measuring d/l speed from that site both times
05:18 < krzee> whereas he should be measuring xfer between the 2 endpoints with/without enc
05:20 < djc> krzee: (re porting to Android) well, it's just a Linux kernel
05:20 < djc> so that shouldn't be too hard, right?
05:21 < krzee> theoretically
05:21 < krzee> iphone is just darwin on a ppc, but we still dont have tuntap for it
05:24 < reiffert> krzee: yeah, that is what I was going to ask as soon as he finds a client
05:24 < reiffert> krzee: but anything else that might help?
05:25 < krzee> !noenc
05:25 < vpnHelper> krzee: "noenc" is if you're going to disable encryption, you might as well build a GRE tunnel
05:25 < krzee> oops
05:25 < krzee> !man
05:25 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:26 < krzee> hrm
05:27 < krzee> cipher none like you said... but when ive heard of that being the issue it usually came with high cpu loads
05:27 < krzee> mtu looks like hes good there
05:28 < krzee> lzo best to keep on if he has the cpu to spare and no issues of running low on cpu
05:28 < krzee> lzo by default is in adaptive mode
05:28 < krzee> so it uses random samples of traffic to decide how efficient the compression is being, compresses more or less based on that
05:28 < reiffert> I was running into small delys using lzo, so I decided to disable it.
05:29 < reiffert> untypeable when working remote.
05:29 < krzee> interesting
05:30 < reiffert> wll, however, let's asume his bandwidth results dont change .. what else might it be, QoS somewhere inbetween?
05:30 < reiffert> I'm loosing characters the whole day, damnit!
05:31 < krzee> well
05:31 < krzee> assuming he is getting his #'s from direct connections from each endpoint
05:31 < krzee> and not speeds to some site
05:31 < krzee> no, not qos between
05:32 < reiffert> sure.
05:32 < reiffert> he's using port 15000 udp.
05:32 < krzee> oh
05:32 < krzee> hrm
05:32 < reiffert> next step is make him use port 53 udp
05:32 < krzee> could be filtered based on torrent traffic
05:32 < krzee> torrents use tcp tho... dont they
05:33 < krzee> ya 53 may be better
05:33 < reiffert> Thought both.
05:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:35 -!- ikevin_ [n=kevin@ANancy-256-1-53-94.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
06:39 < tjz> hi jeff =)
06:39 < tjz> nice to see you here again
06:39 < tjz> =)
06:39 < krzee> hey =]
06:40 < krzee> thx
06:40 < krzee> im on vacation in usa
06:40 < krzee> so not online much
06:40 < tjz> i thought so too... must be went for holiday
06:40 < tjz> :P
06:40 < tjz> haha
06:40 < tjz> =)
06:40 < tjz> how was your trip?
06:40 < krzee> its been fun
06:41 < krzee> good weed and white vagina
06:41 < krzee> lol
06:41 < tjz> omg
06:41 < tjz> nice
06:41 < tjz> :P
06:41 < tjz> ^_^
06:42 < tjz> i will try visit usa one day
06:42 < tjz> =)
06:43 < krzee> =]
06:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has left ##openvpn []
06:43 < krzee> hows your vpn been?
06:44 -!- djc [n=djc@xavamedia.nl] has left ##openvpn []
06:45 < tjz> doing quite good
06:45 < tjz> i manage to run multiple instances of vpn
06:45 < tjz> and apply snat iptables rules to route different lan
06:45 < tjz> =)
06:46 < krzee> nice
06:47 -!- vasco [n=vasco@83.145.69.198] has joined ##openvpn
06:47 < vasco> hello
06:48 < vasco> don t blame me, but i a really simple network (1 lan, 1dmz) how many network card needed for a openvpn server?
06:48 < vasco> *in a really*
06:51 < vasco> !route
06:51 < vpnHelper> vasco: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:52 < krzee> 1 nic
06:52 < reiffert> even 1 nic is too much to have a openvpn server. imagine virtual machines. however.
06:53 < PrMoriarty> reiffert, lol ok
06:53 < krzee> haha tru
06:53 < PrMoriarty> krzee, thank you
06:53 < krzee> even a virtual nic is enough
06:53 < PrMoriarty> in fact it s the same problem
06:53 < PrMoriarty> buy a router vpn or build one with openvpn on linux box
06:54 < PrMoriarty> a network engineer told me to put the vpn server on the lan...
06:54 < PrMoriarty> another told me to never did it and put it in the DMZ
06:56 < reiffert> I was quoting wikipedia.
06:56 < reiffert> public services => DMZ
06:57 < reiffert> PrMoriarty: it really depends on what you are trying to accomplish.
06:57 < reiffert> PrMoriarty: to keep all options open, I'd set it up on the router itself.
06:58 < reiffert> (Just to give you another idea)
07:04 < reiffert> PrMoriarty: did you already decide whether you want routed or bridged?
07:10 < vasco> reiffert, routed for lan resource
07:10 < reiffert> vasco: who are you?
07:11 < reiffert> ah, same IP.
07:11 < reiffert> vasco: for having broadcasts I'd go for a bridged setup.
07:12 < PrMoriarty> reiffert, ok i have to read more then for know what is the meaning of bridged setup
07:12 -!- vasco [n=vasco@83.145.69.198] has quit []
07:12 < angryuser__> i have a basic question about values for each server, if i generate ca.crt with the "Organizational Unit Name (eg, section) []:IT" do i need all clients of that ca.crt to be in that organisation unit ?
07:12 < reiffert> vasco: do you control the central router? Because it will need additional static routes when using ( routed setup && (central router != openvpn server))
07:13 < angryuser__> or i can specify different Unit name for each client ?
07:13 < PrMoriarty> reiffert, ok i understand more, the central router is the firewall for the moment
07:13 < reiffert> PrMoriarty: what kind of OS is running on the central router?
07:14 < PrMoriarty> reiffert, central routers is a firewall based on non free firmware i think, or a unix light version
07:14 < reiffert> which one?
07:14 < PrMoriarty> reiffert, watchguard
07:14 < reiffert> all right, so we forget about installing openvpn onto that for now
07:14 < PrMoriarty> reiffert, and it s doesn't have vpn option
07:15 < reiffert> can you add static routes to it?
07:15 < PrMoriarty> reiffert, yes i can
07:15 < reiffert> then you might go with a routed setup.
07:16 < reiffert> what kind of services do you like to share with openvpn clients?
07:16 < krzee> [05:16] vasco: for having broadcasts I'd go for a bridged setup.
07:16 < krzee> broadcasts will work on routed setup over tap device
07:16 < PrMoriarty> reiffert, pop3, fileserver access
07:16 < reiffert> krzee: we all know how much fun it is with our sweet little friend from redmond, dont we?
07:16 < krzee> for allowing broadcast traffic without all layer2 stuff
07:16 < krzee> haha ya
07:16 < reiffert> PrMoriarty: mac os x clients?
07:17 < PrMoriarty> reiffert, windows
07:17 < reiffert> PrMoriarty: I'd probably use bridged setup, but it's harder to setup.
07:17 < krzee> windows filesharing?
07:18 < reiffert> PrMoriarty: cause you can browse in the network neighbourhood just like if you were plugged into the company network.
07:18 < krzee> as would using wins
07:18 < reiffert> krzee: theoretically: yes.
07:18 < reiffert> krzee: practically: it's a mess.
07:19 < reiffert> PrMoriarty: openvpn server OS?
07:19 < PrMoriarty> reiffert, debian
07:19 < PrMoriarty> reiffert, i mean linux 2.6
07:19 < reiffert> OS is linux, distributor is debian, but good.
07:20 < reiffert> I'd start with a routed setup and when clients == happy stop
07:20 < reiffert> if happy!=clients
07:20 < reiffert> bridged++;
07:20 < PrMoriarty> lol
07:20 < PrMoriarty> but
07:20 < reiffert> !howto
07:20 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:20 < reiffert> just do everything like the howto does.
07:20 < PrMoriarty> if i buy a routers vpn it will works with routed setup no?
07:20 < reiffert> and you get finished within the hour.
07:21 < reiffert> "Buy a routers vpn" == ?
07:23 < PrMoriarty> reiffert, for example this one http://www.compufirst.com/catalogue/catProductForm.asp?mscssid={78523E45-C3BC-4CE8-9A1E-376B6CEDAC0D}&displayHeader=no&isPopup=y&idProduct=2005761
07:23 < vpnHelper> Title: Routeurs Cisco Solutions Filaires RV082-EU (at www.compufirst.com)
07:25 < reiffert> PrMoriarty: cisco routers = no openvpn
07:25 < reiffert> means: openvpn does not run on cisco routers
07:25 < reiffert> means: you can install openvpn on a dedicated machine in your network, just like you can do now.
07:26 < reiffert> RV082:
07:26 < reiffert> IPSec VPN Tunnel,
07:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
07:30 < PrMoriarty> reiffert, thank you for your help going to install an openvpn right now
07:30 < PrMoriarty> may be latter
07:30 < reiffert> PrMoriarty: !howto
07:31 < reiffert> !howto
07:31 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:32 < reiffert> PrMoriarty: debian etch or debian lenny?
07:33 < reiffert> PrMoriarty: I'd recommend debian/lenny. Got a recent version of openvpn.
07:34 < PrMoriarty> reiffert, lenny of course
07:35 < PrMoriarty> reiffert, for the bridged setup it s 1 nic right?
07:35 < reiffert> yes.
07:35 < reiffert> tap (virtual adapter that openvpn creates)
07:35 < PrMoriarty> reiffert, not same meaning of bridged nic
07:35 < reiffert> eth0 (the NIC)
07:35 < reiffert> bound together as
07:35 < reiffert> br0
07:35 < reiffert> the bridge interface
07:35 < PrMoriarty> reiffert, ok
07:35 < reiffert> carrying the IP address of the former eth0
07:35 < reiffert> howto.
07:39 -!- ikevin [n=kevin@ANancy-256-1-117-17.w90-33.abo.wanadoo.fr] has joined ##openvpn
07:43 -!- ikevin_ [n=kevin@ANancy-256-1-83-247.w90-26.abo.wanadoo.fr] has joined ##openvpn
07:51 < ecrist> morning, folks
07:52 < krzee> mornin
07:53 < reiffert> moin
07:55 < tjz> morning, bastard
07:55 < tjz> lol
07:56 -!- ikevin [n=kevin@ANancy-256-1-117-17.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
07:58 < tjz> just kidding
07:58 < tjz> :)
08:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:32 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
08:32 -!- d0wn [n=nnscript@unaffiliated/d0wn] has quit [Read error: 110 (Connection timed out)]
08:42 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
08:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:06 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has joined ##openvpn
09:06 < jolelion> hello
09:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:09 < ecrist> howdy
09:09 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has joined ##openvpn
09:09 < jolelion> I have a problem with the up script "update-resolv-conf", when I use it at home I have both the dns server of the VPN and from my provider in resolv.conf, but when I use it at work I have only the VPN DNS server, how to fix that?
09:10 < JasonWoof> ok, I've got openvpn server running on my linux-router(nat) box, and I'm using "push default-route" to get my internet access through it, which is awesome
09:11 < JasonWoof> I'd like help getting a port forwarded to my openvpn client. I set this up on iptables on the router (the computer running openvpn server), but I think openvpn is blocking it
09:12 < jolelion> for information, at work I have put a router which declare itself as a dns server in the dhcp options
09:12 < JasonWoof> also when I run traceroute on the router, telling it to trace to the openvpn ip for my computer (a client on the openvpn network) It shows one hop, but with the !X flag, which according to the manual means "administratively prohibited"
09:12 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"]
09:15 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
09:17 < ecrist> jolelion: I have no idea how to fix your problem.
09:20 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"]
09:22 -!- [intra]lanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn
09:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:37 < jolelion> ecrist: thanks anyway
09:37 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has quit ["leaving"]
09:45 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
09:52 < ecrist> JasonWoof: sounds like your firewall is restricting ICMP packets
09:53 < JasonWoof> ecrist: a firewall in openvpn? or the one I have in the kernel/iptables?
09:56 < ecrist> there is no firewall 'in' openvpn.
09:57 < ecrist> I'm referring to the kernel/iptables one.
10:00 < JasonWoof> hmmm.... don't think so, because all my iptables rules have "prot = all" except the rule to forward port xxxx to my vpn client ip
10:00 < JasonWoof> but I'm just guessing...
10:01 < ecrist> 'administratively prohibited' means the packets are being rejected.
10:03 < JasonWoof> k
10:04 < JasonWoof> but the traceroute worked... it gave the hop time
10:04 < JasonWoof> I'm confused
10:04 < JasonWoof> maybe you can help me with something else, which might actually be the problem
10:04 < JasonWoof> when I connect openvpn (both on my laptop, and on the router/openvpn-server) I get routes I don't like
10:05 < JasonWoof> when I type "route" I get some weird setup where there's a fake odd-numbered gateway in the openvpn ip range
10:05 < JasonWoof> I don't know why that is there, and I can't "route del" it
10:06 < JasonWoof> to get internet through my openvpn server I have to add my own routes, like:
10:06 < JasonWoof> route add -host 10.8.0.1 dev tun0
10:06 < JasonWoof> route add default gw 10.8.0.1 dev tun0
10:07 < JasonWoof> this works, so it seems to me that I can directly access 10.8.0.1, and I don't need the silly "gateway" address of 10.8.0.5, though I can't seem to get rid of .5
10:08 < JasonWoof> on my router (the openvpn server) there is very similar weirdness
10:09 < JasonWoof> I can delete one of the routes that appears when openvpn is started up, but not the one that says there's a gateway for the "local" vpn network. And I can add a route to go directly to my openvpn client ip for my laptop, without using a gateway, and that route works (I can ping, ssh, etc)
10:09 < JasonWoof> only things that don't work are forwarding packets from my external ethernet into openvpn, and traceroute has that funny "!X"
10:13 < ecrist> JasonWoof: that's needed.
10:13 < ecrist> it's not fake, or weird,
10:13 < JasonWoof> what's it needed for?
10:13 < ecrist> it may be unfamiliar to you, but it's got to do with how openvpn deals with PPTP tunnels
10:13 < ecrist> !/30
10:13 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:13 < JasonWoof> I seem to be able to connect just fine when I route add around it
10:14 < ecrist> read that link for more information
10:14 < JasonWoof> thanks
10:16 < JasonWoof> still seems weird to me... but now I understand, and can turn it off
10:17 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:35 -!- bneff [n=bneff@12.44.178.253] has quit [Read error: 60 (Operation timed out)]
10:38 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn
10:39 < tjz> Good nite, guys~
10:41 < ecrist> l8r
10:49 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn
10:56 < tjz> sorry
10:56 < tjz> i will be gone now
10:56 < tjz> :P
10:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:59 < tjz> going off
10:59 < tjz> good nite
11:00 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has quit ["bbl"]
11:02 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out]
11:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:12 < JasonWoof> I figured out the reason why my port forwarding wasn't working: my client had some iptables filters (thanks again fedora... grrr) which if I read them correctly say that it only accepts incoming connections for ssh
11:15 -!- bneff [n=bneff@12.44.178.253] has quit [Read error: 110 (Connection timed out)]
11:23 -!- angryuser__ [n=gdobrovo@LPuteaux-151-42-35-99.w193-251.abo.wanadoo.fr] has quit ["Ex-Chat"]
11:26 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
11:32 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has joined ##openvpn
11:34 < deibhaid> Good Morning. Does anyone have experience routing from an (openvz node + openvpn server) to other computers on the lan?
11:42 < PrMoriarty> how can i get the binary server-bridge?
11:43 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
11:43 < PrMoriarty> i am on a debian system i installed openvpn but couldn t find the binary server-bridge....?
11:47 < ecrist> PrMoriarty: not sure what you're looking for.
11:49 < PrMoriarty> ecrist, making a bridge
11:49 < PrMoriarty> ecrist, follow the tutorial i want to use the bridged method
11:49 < ecrist> right, you just need the openvpn binary, and a shell script which bridges your tap0 and ethernet interfaces
11:50 < ecrist> I think there's a copy of a shell script within the source for openvpn, but not certain
11:51 < PrMoriarty> ecrist, how many times for setup a standard vpn server ?
11:51 < PrMoriarty> ecrist, i mean your record?
11:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
11:52 < ecrist> more than once
11:55 < PrMoriarty> think everybody has his skills
11:56 < PrMoriarty> openvpn looks like strange machine a little afraid by this service
11:57 < ecrist> PrMoriarty: I don't understand you.
12:00 < deibhaid> sorry about the pm. ecrist
12:01 -!- PrMoriarty [n=vasco@83.145.69.198] has left ##openvpn []
12:35 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:36 -!- xattack [i=xattack@132.248.108.239] has quit [Client Quit]
12:37 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:49 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
12:49 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn []
12:57 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn
13:04 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
13:31 -!- xattack [i=xattack@132.248.108.239] has quit []
13:58 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
13:59 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Client Quit]
13:59 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
14:12 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: eagle, upb
14:12 -!- Netsplit over, joins: eagle, upb
14:18 -!- meturaf [i=meshuga@lenin.ww88.org] has joined ##openvpn
14:29 -!- meshuga [i=meshuga@lenin.ww88.org] has quit [Read error: 110 (Connection timed out)]
14:37 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: int, deibhaid, undertakingyou, Phoenixfire159, plaerzen, clustermagnet, ikevin_, disposable, penrod[1]
14:38 -!- Netsplit over, joins: Phoenixfire159, plaerzen, deibhaid, ikevin_, undertakingyou, penrod[1], clustermagnet, int, disposable
14:41 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection]
14:42 -!- disposable [i=disposab@blackhole.sk] has quit [Remote closed the connection]
14:42 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn
14:51 -!- diegovio1a [n=diego@adsl-135-112.click.com.py] has quit ["leaving"]
14:52 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit []
14:52 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn
15:05 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: int, deibhaid, undertakingyou, plaerzen, clustermagnet, ikevin_, penrod[1]
15:06 -!- Netsplit over, joins: plaerzen, deibhaid, ikevin_, undertakingyou, penrod[1], clustermagnet, int
15:22 < plaerzen> what was that?
15:25 < plaerzen> ah
15:31 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has quit ["Leaving"]
16:10 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has left ##openvpn []
16:22 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has left ##openvpn []
16:51 -!- Mood [n=Mood@unaffiliated/mood] has left ##openvpn ["Leaving"]
17:15 -!- dblick [n=blick@freiburg.gs.washington.edu] has joined ##openvpn
17:18 < dblick> Is there any reason I need iptables -A INPUT -i tun+ -J ACCEPT in my iptables config on an OpenVPN server, unless I _want_ to give every computer on the VPN access to every port on the server?
17:30 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
17:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:47 < dvl> Here we go, unemployment again.
17:49 < dblick> dvl, what industry are you in?
17:50 < dvl> Good question. http://www.freebsddiary.org/dan_langille.php
17:50 < vpnHelper> Title: Resume of Dan Langille (at www.freebsddiary.org)
18:11 -!- dblick [n=blick@freiburg.gs.washington.edu] has quit ["leaving"]
19:48 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has joined ##openvpn
19:48 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has quit [Remote closed the connection]
19:49 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has joined ##openvpn
19:53 < tjz> Hello guys
19:53 < tjz> Good morning
19:53 < tjz> =)
20:12 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
20:13 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:28 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
21:25 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
21:49 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
22:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:27 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:32 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn
23:33 < dan__t> 'morning.
23:33 < dan__t> !route
23:33 < vpnHelper> dan__t: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
23:35 < tjz> I am getting this error on the client side:
23:35 < tjz> Mon Feb 09 23:58:45 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
23:35 < tjz> Mon Feb 09 23:58:45 2009 TLS Error: TLS handshake failed
23:35 < tjz> what does it mean?
23:35 < dan__t> Same thing for me heh
23:35 < tjz> oh??
23:35 < tjz> lol
23:35 < dan__t> from what I understand, an issue with connectivity between the client and the server.
23:35 < dan__t> As to what exactly, I'm not yet sure.
23:35 < tjz> when i connect from another computer, it works. =)
23:35 < tjz> something is wrong with this computer
23:36 < dan__t> Yea... I've had the exact same setup working in the past.
23:43 < tjz> what system are you using (the one having problem) ?
23:44 < dan__t> Fedora, talking to a CentOS machine, openvpn 2.1.0.29 on both
23:44 < dan__t> Don't think that matters though.
23:45 < dan__t> I do, however, suspect this router.
23:49 < dan__t> Bingo.
23:57 < tjz> cool
23:57 < tjz> i will try that
--- Day changed Tue Feb 10 2009
00:02 < dan__t> Using TCP over UDP
00:02 < dan__t> What kind of router?
00:03 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"]
00:04 < tjz> did you switch to tcp to fix the problem?
00:05 < dan__t> yeah.
00:05 < dan__t> I read once something about Linksys routers butchering it.
00:05 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
00:05 < tjz> hmm
00:05 < tjz> ok..
00:06 < tjz> so weird
00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:09 < dan__t> what kind of router?
00:10 < tjz> hmm
00:10 < tjz> linksys too
00:10 < tjz> lol
00:14 < dan__t> ok, works fine now.
00:16 < dan__t> Awesome.
00:16 < tjz> using tcp?
00:17 < dan__t> Yeah.
00:17 < dan__t> I just got the routing working... needed ip forwarding and some POSTROUTING NAT rules on the server.
00:17 < dan__t> Appears that NetworkManager doesn't like my settings, either.
00:19 < tjz> hmm
00:20 < tjz> isn't that server end issue?
00:20 < dan__t> What?
00:25 < tjz> nvm
00:25 < tjz> :P
00:38 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection]
00:39 < tjz> openvpn doesn't work in a school network?
00:40 < tjz> it is showing the same IP for my friend in school..
00:40 < dan__t> Which IP would that be?
00:40 < dan__t> And why wouldn't it?
00:42 < tjz> his school's network..
00:43 < tjz> it is still showing his school ip
00:43 < dan__t> In what context?
00:43 < dan__t> from whatismyip.com, from his ethernet adapter, what?
00:46 < tjz> quite hard to explain... 00:46 < tjz> it is a school network.. :( 00:47 < dan__t> no its not. i just asked two possible places 00:47 < dan__t> Its not like OpenVPN is going to magically change your IP. 00:49 < tjz> he is using windows vista 64 bit.. 00:51 < dan__t> So? 00:51 < dan__t> *where* is it showing his school IP? 00:55 < tjz> whatismyip 01:00 < dan__t> Read up on redirect-gateway 01:09 < tjz> i have that configure on the server side.. 01:12 < dan__t> Did you restart openvpn? 01:19 < lolipop> Hello, i'm using openvpn 2.09 with auth-ldap 2.0.3, when i try to connect from client with this command: ./openvpn --config openvpn.vong --auth-user-pass , my openvpn server will die with this error msg: libraries/liblber/encode.c:288: ber_put_ostring: Assertion `str != ((void *)0)' failed 01:53 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:24 < reiffert> lolipop: sounds like an auth ldap issue. do they have a mailinglist? 
02:35 < lolipop> i just create an issue on their site 03:55 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 03:57 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 04:54 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 06:11 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 06:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 06:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:32 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 06:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:17 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 07:29 < ecrist> I'm in a bad mood today. 07:30 < reiffert> get a fuck then 07:36 < ecrist> yeah, someone uploaded a spam-sending script to my webserver. 07:36 < ecrist> haven't figured out how they got it on the system yet, but will figure it out soon. 07:38 < reiffert> last week I was investigating such a thing on a friends rootserver. They were uploading some irc bouncers. I was joining the irc channels they were sitting in and blaming the guys there :) 07:41 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 07:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:44 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 07:45 < vincas> Did 2.1 change the virtual address in the openvpn-status to look something like a mac address? What is that 6 bytes ? I can't arpping it from my bridge host, and I don't see what IPs clients currently have. 
07:52 -!- Some_ux [n=chatzill@bzq-79-176-50-148.red.bezeqint.net] has joined ##openvpn 07:52 < Some_ux> hi 07:52 < Some_ux> I don't even know hjow to explain my problem :) 07:52 < Some_ux> how 07:53 < Some_ux> ok, I'll try: I have linux box running VMmware and openVPN server 07:53 < Some_ux> I am able to establish a connection to the openVPN server 07:54 < Some_ux> but, I can't reach the virtual machines on that server 07:54 < Some_ux> I know it's routing issue 07:55 < Some_ux> probably the packets don't know how to route back to the exterior interface 07:55 < Some_ux> which in my case is ppp0 07:55 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn [] 07:57 < Some_ux> Oh, the openVPN server is also the router 07:57 < Some_ux> which i rigged to uber paranoid firewall 07:57 < Some_ux> So i can't even run pings to figure what went wrong 07:59 < Some_ux> hmm, though, in theory, since openVPN is tunneled, it should not effect pings 08:03 < tjz> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 08:03 < tjz> what does this mean on the client side? 08:03 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:09 < Some_ux> ugh, nested tunneling + vmware = routing headache 08:11 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 08:17 < Some_ux> should i firewall tun0 packets ? 08:18 < reiffert> Some_ux: should you? 08:18 < Some_ux> I don't know, Is tun0 trusted ? 08:18 < Some_ux> on the vpn server side 08:18 < reiffert> Some_ux: openvpn cares about who can connect and who cannot. 08:19 < Some_ux> I need to understand what tun0 is 08:19 < reiffert> tun0 is a device. 08:20 < Some_ux> does this device listen on all available interfaces ? 08:20 < reiffert> packets run through it. 08:20 < vincas> Some_ux: it is an interface 08:20 < reiffert> Some_ux: tun0 __IS__ an interface. 08:20 < Some_ux> who connects to this interface ? 08:21 < reiffert> Some_ux: noone. 
08:21 < Some_ux> then why does it exist ? 08:21 < reiffert> well. when openvpn clients talk to your server over the tunnel, they get to tun0. 08:22 < Some_ux> So can i assume tun0 is secure ? 08:23 < reiffert> Depends on the rest of your setup. 08:27 < Some_ux> well, the openvpn server is a router, it connects via dialup. the ppp0 interface is firewalled, but set to allow openvpn traffic 08:27 < Some_ux> does that make tun0 secure ? 08:28 < reiffert> no. 08:30 < reiffert> In normal situations customers or clients run openvpn clients and you never know whats running on their computers. 08:30 < Some_ux> I assume all clients are reliable 08:31 < Some_ux> them being me and all 08:31 < Some_ux> :P 08:31 < reiffert> better shoot yourself then. 08:38 < Some_ux> ugh, I made ipchains. now i can't find heads and tails in them 08:42 < reiffert> ancient kernel dude. 08:43 < Some_ux> i mean iptable chains 08:43 < cpm> ipchains? 08:44 < Some_ux> well you can create use chains 08:44 < Some_ux> user 08:44 < Some_ux> like iptables -N my_silly_tcpchain 09:06 < Some_ux> If I have a router with two interfaces (eth0 and ppp0), can i treat the tun0 device, as tough it was another internal "eth0" device ? 09:11 < ecrist> Some_ux: yes 09:12 < Some_ux> if i understand correctly, the tun0 device is as though, by some magical means i have another network device on my machine which plugs directly to machines on the remote network ? 
09:14 < Some_ux> following this rationale, the same firewall rules which apply on the real physical internal interface of the router, should apply on the tun0 device (that is assuming the remote network is trusted) 09:18 < ecrist> Some_ux: we're not here to help you decide network policy 09:19 < Some_ux> my questions are purely functional, that is, understanding the operation of the tun0 device in openvpn 09:21 < ecrist> Some_ux: it's not that difficult to understand 09:22 < ecrist> it's a virtual interface used to route VPN packets 09:22 < ecrist> man tun 09:22 < ecrist> not specific to OpenVPN 09:22 < Some_ux> no man page for tun 09:22 < Some_ux> :P 09:23 < Some_ux> but i think i got it 09:31 < reiffert> dude, it's the endpoint of the vpn on your side. 09:32 < reiffert> just like ppp0 is the endpoint of your provider on your side 09:32 < reiffert> or just like eth0 is the endpoint of your LAN on your side. 09:34 < Some_ux> My concern was whether this interface is behind ppp0 09:35 < Some_ux> but clearly it is the tunnel endpoint 09:35 < Some_ux> hence the name tun 09:35 < Some_ux> since it is the tunnel endpoint, it must be behind the tunnel provider (in this case ppp0) 09:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:41 < reiffert> Some_ux: it is on your computer. just like ppp0 and eth0 are. 
09:43 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has quit [Remote closed the connection] 10:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 10:05 < Some_ux> thanks 10:05 -!- Some_ux [n=chatzill@bzq-79-176-50-148.red.bezeqint.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"] --- Log closed Tue Feb 10 10:11:31 2009 --- Log opened Tue Feb 10 10:40:48 2009 10:40 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 10:40 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal] 10:40 -!- Irssi: Join to ##openvpn was synced in 0 secs 10:46 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 10:54 < reiffert> ecrist: 10:54 < reiffert> 17:31 < diegoviola> is there a way to configure openvpn without certs, but with user/pass instead? 10:54 < reiffert> 17:34 < reiffert> diegoviola: yep. 10:54 < reiffert> ecrist: is that right? 10:54 < reiffert> 17:35 < reiffert> diegoviola: but dont have any encryption then. 11:06 < plaerzen> hi 11:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:19 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has quit ["bbl"] 11:21 < ecrist> reiffert: I believe so. 11:49 < dan__t> Hello. 11:49 < dan__t> So I've got a handful of subnets which I don't want going through OpenVPN. I've never been fantastic with routing. Should these routes be told to the client, by the server, to not be included in the VPN? 12:03 < upb> hum, no ? 12:03 < upb> the client should have routes to those networks 12:03 < upb> how else would they work without the vpn being connected 12:07 -!- teratoma [n=teratoma@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn 12:07 < teratoma> my openvpn clients immediately disconnect when i define a client-connect script on the server 12:07 < teratoma> my client-connect script is "exit 0" 12:07 < teratoma> any ideas? 
12:10 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:12 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:13 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:18 < ecrist> teratoma: you should be able to figure that out.
12:21 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn
12:22 -!- bneff [n=bneff@12.44.178.253] has quit [Client Quit]
12:23 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn
12:26 < reiffert> dan__t: think about clients setting routes manually.
12:26 < teratoma> ecrist: i tried! any ideas ?
12:26 < reiffert> dan__t: after that they can reach those subnets you dont want to be accessible.
12:27 < reiffert> dan__t: so what comes to mind is firewalling to prevent that.
12:28 < reiffert> teratoma: anything else other than "exit 0"?
12:28 < teratoma> reiffert: entire contents of script is "exit 0"
12:28 < reiffert> teratoma: how about #!/bin/bash
12:28 < reiffert> and how about making that script chmod a+x
12:31 < teratoma> reiffert: i did. http://pastebin.com/m709e1775
13:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:07 < reiffert> teratoma: do you think AUTH: Received AUTH_FAILED control message
13:07 < reiffert> teratoma: is relevant?
13:09 < teratoma> reiffert: probably. when I do not have the client-connect in my server.conf, it works fine. do you see my confusion ?
13:10 < reiffert> teratoma: yeah
13:10 < reiffert> increase the verb level to 6
13:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:18 < teratoma> setting script-security 2 fixed it
13:19 < reiffert> !script-security
13:19 < vpnHelper> reiffert: Error: "script-security" is not a valid command.
13:19 < reiffert> !learn script-security as may be relevant when using --client-connect and various other scripts
13:19 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:19 < reiffert> ![learn] script-security as may be relevant when using --client-connect and various other scripts
13:19 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:19 < reiffert> !die
13:19 < vpnHelper> reiffert: Error: "die" is not a valid command.
13:20 < reiffert> !part
13:20 < vpnHelper> reiffert: Error: You don't have the admin capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:20 < reiffert> !leave
13:20 < vpnHelper> reiffert: Error: "leave" is not a valid command.
13:20 < reiffert> !whoami
13:20 < vpnHelper> reiffert: I don't recognize you.
13:20 < reiffert> !w
13:20 < vpnHelper> reiffert: Error: "w" is not a valid command.
13:24 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: diegoviola, teratoma, roentgen, eagle, upb
13:24 -!- Netsplit over, joins: roentgen, diegoviola, eagle, upb
13:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:47 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
14:02 -!- xattack [i=xattack@132.248.108.239] has quit []
14:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 54 (Connection reset by peer)]
14:05 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn
14:06 < fbond> Does --username-as-common-name work with --client-config-dir (if username is foo, does the config file foo get used)?
14:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:32 < reiffert> fbond: how about you just try it out? 14:33 < fbond> reiffert: I was hoping someone might know already and save me the time. 14:35 < reiffert> creating a new cert: 1 minute, trying it out: 1 minute 14:35 < reiffert> time wasted on ##openvpn: 3 minutes. 14:37 < reiffert> skip the time for creating a new cert. use an existing one. 14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:42 < fbond> reiffert: That's assuming I have a server set up that I can play with. 14:42 < fbond> reiffert: I'd also have to figure out how to write an auth script. 14:42 < fbond> reiffert: We're talking about more than a few minutes here. 14:45 < reiffert> fbond: If I answer your initial question with "yes", will you setup a server to play with? 14:45 < reiffert> and if I answer with "no", will you believe me and write an authentication scheme without trying it out for yourself? 14:49 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has joined ##openvpn 14:49 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 14:50 < logiclrd> I have a couple of machines at a remote location connecting in to a VPN that get disconnected if I transfer too much data through the VPN 14:50 < fbond> reiffert: I wouldn't use --auth-user-pass-verify if --uername-as-common-name doesn't select a client configuration file. 14:50 < fbond> Anyway, I've looked at the source and I think it would probably work. 14:50 < logiclrd> it's most apparent with a VNC connection -- if I do things that result in a lot of data transfer, like displaying a JPEG image on the remote end and letting VNC send it, more often than not, it doesn't make it to the end of the image 14:50 < logiclrd> my initial instinct was to blame VNC, but when this happens, the OpenVPN link has actually gone down -- I can't ping the remote host for a few minutes 14:51 < fbond> logiclrd: Are you using TCP or UDP? 
14:51 < logiclrd> fbond: TCP 14:51 < fbond> logiclrd: Try UDP. 14:51 < logiclrd> okay -- can you explain why? 14:52 < fbond> logiclrd: http://sites.inka.de/~W1011/devel/tcp-tcp.html 14:52 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de) 14:52 < logiclrd> thanks :-) 14:52 < fbond> logiclrd: I've been told by folks that know more about OpenVPN than I do that using TCP is bound to lead to problems. 14:52 < fbond> logiclrd: No problem. 14:54 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has joined ##openvpn 15:01 < Evilliksass> I am trying to configure openvpn to work with a shared key however it is telling me that the key "does not appear to be valid" what exactly does openvpn look for in a shared key? 15:05 < Evilliksass> nevermind I got it 15:24 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 15:26 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 15:41 < logiclrd> fbond -- hmm, it didn't fix it :-( it just happened again, using UDP this time 15:41 < logiclrd> I think I'll keep it on UDP, though; seems a lot snappier somehow :-) 15:45 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 15:48 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)] 15:48 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 16:27 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has joined ##openvpn 16:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:43 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit [Read error: 110 (Connection timed out)] 16:44 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 16:45 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"] 16:55 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)] 16:55 -!- diegoviola [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] 
has joined ##openvpn 17:19 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 17:19 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 17:40 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 17:40 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 17:49 -!- intralanman is now known as [intra]lanman 17:52 -!- munga [n=munga@81.194.35.9] has quit [Read error: 110 (Connection timed out)] 18:26 < vincas> can anyone tell me what the mac-address-like things are in openvpn-status.log that are there instead of the client IPs ? I'm not sure if it's like this because I'm using 2.1 or if it's because I have a bridge set up 18:27 < dan__t> So I've got a handful of subnets which I don't want going through OpenVPN. I've never been fantastic with routing. Should these routes be told to the client, by the server, to not be included in the VPN? How does that work? 
18:51 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has joined ##openvpn 19:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 19:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 19:44 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 19:48 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 19:48 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:53 -!- diegovio1a [n=diego@adsl-140-108.click.com.py] has joined ##openvpn 19:53 -!- diegoviola [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)] 19:54 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has quit [Read error: 104 (Connection reset by peer)] 19:54 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has joined ##openvpn 19:54 < hackel> Can anyone point me to a good (current) guide for setting up a simple VPN link to a linux server to secure a wifi connection? I can get a link up, but no nat and I just keep pulling my hair out over this... 
19:54 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 19:54 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:59 -!- diegovio1a [n=diego@adsl-140-108.click.com.py] has quit [Remote closed the connection] 20:00 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has joined ##openvpn 20:06 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 20:06 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 20:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 20:18 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit ["Reconnecting"] 20:19 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has joined ##openvpn 20:19 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 20:30 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 20:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:02 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 21:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 21:19 -!- wayner [n=wayner@202.6.120.43] has joined ##openvpn 21:20 -!- wayner [n=wayner@202.6.120.43] has quit [Read error: 54 (Connection reset by peer)] 21:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 23:03 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: upb, lolipop 23:03 -!- Netsplit over, joins: lolipop, upb 23:19 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:33 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 23:33 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has joined ##openvpn 23:35 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit [Read error: 104 (Connection reset by peer)] 23:37 -!- 
diegoviola [n=diego@adsl-140-108.click.com.py] has joined ##openvpn
23:41 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
23:43 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
23:49 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
--- Day changed Wed Feb 11 2009
00:07 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
00:20 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit [Read error: 110 (Connection timed out)]
00:21 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
00:21 < ScribbleJ> !route
00:21 < vpnHelper> ScribbleJ: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
00:47 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)]
00:54 < ScribbleJ> Nice having that in the topic.
00:54 < ScribbleJ> I guess it colved my problem.
00:55 < ScribbleJ> solved.
01:10 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 -!- int [n=quassel@wikia/int] has joined ##openvpn
02:04 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
02:05 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
02:18 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
02:18 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:21 < reiffert> hackel: 4.1 nat howto netfilter.org "Help! I just want masquerading"
02:50 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Read error: 60 (Operation timed out)]
02:54 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 54 (Connection reset by peer)]
02:54 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
03:03 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
03:04 -!- T0aD [n=nnnnnnnn@217.73.17.12] has joined ##openvpn
03:04 -!- T0aD [n=nnnnnnnn@217.73.17.12] has quit [Client Quit]
03:05 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
03:07 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
03:24 -!- int [n=quassel@wikia/int] has quit [Read error: 110 (Connection timed out)]
03:26 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
03:31 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
03:44 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
03:52 -!- int [n=quassel@wikia/int] has joined ##openvpn
03:58 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)]
04:00 -!- int [n=quassel@wikia/int] has joined ##openvpn
04:00 -!- int [n=quassel@wikia/int] has quit [Client Quit]
04:00 -!- lionel [n=lionel@ip-185.net-89-3-221.rev.numericable.fr] has joined ##openvpn
04:00 -!- int [n=quassel@wikia/int] has joined ##openvpn
04:00 < lionel> Hi all
04:01 < lionel> I'm trying to connect a net behind an OpenVPN client
04:01 < lionel> I did not want to mask the network behind the client. So I needed to add the route for the client on the vpn server
04:01 < lionel> and I'm getting an error:
04:01 < lionel> ip r a 192.168.92.0/24 via 10.5.0.185 dev tun0
04:01 < lionel> RTNETLINK answers: No such process
04:10 -!- c64zottel [n=hans@p5B17B42C.dip0.t-ipconnect.de] has joined ##openvpn
04:12 -!- c64zottel [n=hans@p5B17B42C.dip0.t-ipconnect.de] has left ##openvpn []
04:17 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
04:18 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
04:21 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:22 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:30 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["Ik ga weg"]
04:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:37 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
04:48 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
04:48 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
05:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
05:14 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
06:27 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
06:28 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn []
06:42 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has joined ##openvpn
06:42 < jolelion> hello
06:46 < jolelion> I would like to build users' certificates in a program that does some other things, so in batch mode and not in interactive mode, does anyone have some examples?
06:51 < hackel> reiffert, thanks, but unfortunately that was the *first* thing I tried. Something else isn't working.
06:56 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:01 < ecrist> jolelion: what do you mean?
07:06 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [] 07:09 < jolelion> ecrist: I would like to write a script that create the certificates for a user and in the same time write the ccd file associated to the user and some others things 07:10 < jolelion> so I need to be able to create the certificates in batch mode 07:10 -!- nexxer [n=nex@unaffiliated/nexxer] has joined ##openvpn 07:13 < nexxer> hello, will a machine in 2.1 with proto tcp-client be able to connect to one with 2.1 in proto tcp-server? 07:15 < ecrist> jolelion: see ssl-admin. it will build certificates, but not yet in batch mode. 07:15 < ecrist> !ssl-admin 07:15 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 07:17 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 07:19 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:24 < jolelion> ecrist: ssl-admin is not what I need but thanks anyway 07:25 < ecrist> jolelion: what is it you're looking for, then? 07:29 < jolelion> example scripts to generate automatically (not in interact mode) certificates for a user and also automatically sign them and commit them 07:30 < ecrist> jolelion: it's not that difficult to do. 07:31 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 07:39 -!- icu [n=me@67.202.107.157] has joined ##openvpn 07:41 < icu> i want to transport hd content via openvpn. any hints for a "lowest overhead" configuration? 07:43 < jolelion> ecrist: maybe not , I just want some example scripts 07:45 < reiffert> icu: "hd content"? 07:45 < icu> HD Movie Streaming 07:45 < reiffert> icu: streaming udp/tcp? 
07:47 < icu> TCP (mostly)
07:48 < reiffert> openvpn settings to use: proto udp
07:48 < reiffert> openvpn settings to read after: --mtu* mss*
07:49 < icu> thanks
07:50 < reiffert> welcome
07:50 -!- cpm_ is now known as cpm
07:54 < ecrist> jolelion, those examples are going to be anything. if you know how to write a script, you shouldn't have any problems.
07:54 < jolelion> ecrist: ok thanks
07:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:31 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:35 -!- nexxer [n=nex@unaffiliated/nexxer] has quit [Read error: 113 (No route to host)]
08:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:47 -!- icu [n=me@67.202.107.157] has quit [Read error: 110 (Connection timed out)]
08:49 -!- nexxer [n=nex@unaffiliated/nexxer] has joined ##openvpn
09:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:51 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
10:13 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
10:21 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
10:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:41 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)]
10:47 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:27 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:32 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"]
11:33 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
11:34 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
11:35 < plaerzen> hai
11:47 -!- PiousMinion [n=clay@7-167.106-97.tampabay.res.rr.com] has joined ##openvpn
11:51 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-91718264f508429e] has joined ##openvpn
11:51 < PiousMinion> when I run "./build-key-server server" and it asks for "A challenge password []:".... where/when will this password be asked for?
11:52 < french> Hi i have a vpn on a fedora 9 machine (10.0.0.22), i also have a virtual machine on the fedora machine (10.0.0.44), i am vpn to the fedora machine (10.0.0.22), i then am able to pull up any lan webpages on the 10.0.0.22 but not on the 10.0.0.44; is there a reason for that? is there any way to pull up the lan pages on the 10.0.0.44?
11:54 < plaerzen> !route
11:54 < vpnHelper> plaerzen: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:59 < Kobaz> PiousMinion: any time the key is used
12:00 < french> anyone?
12:02 < plaerzen> !route french
12:02 < vpnHelper> plaerzen: Error: "route" is not a valid command.
12:03 < french> any docs? how do i use it?
12:03 < ecrist> PiousMinion: every time OpenVPN is started
12:03 < ecrist> french:
12:03 < ecrist> !route
12:03 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:04 < french> thanks i'll look it over
12:04 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-91718264f508429e] has quit ["http://www.mibbit.com ajax IRC Client"]
12:04 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn
12:05 < PiousMinion> ecrist: on the server side, yes? client won't need this password?
12:08 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn []
12:15 < ecrist> right
12:15 < ecrist> unless you set a challenge password for client certificates, too
12:16 < ecrist> you *can* leave it blank.
12:19 < PiousMinion> on both server and client?
12:28 < PiousMinion> the howto doesn't cover this. Doesn't even mention a password let alone implications of not setting one. :/
12:32 < ScribbleJ> I'm not sure about the howto, but in general that's not really an openvpn question.
12:32 < ScribbleJ> I'm not saying stop asking, I'm just trying to explain why it's probably not covered.
12:32 < ScribbleJ> It's more of a general ssl/pki question.
12:33 < PiousMinion> That is true, but other than here, what other channel would you suggest I ask in? I'm new to this.
12:37 -!- Error_X [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn
12:37 < Error_X> Hi! What is best to use? tap or tun when I have a router -> server?
12:38 < Error_X> !configs
12:38 < vpnHelper> Error_X: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:38 < Error_X> !route
12:39 < vpnHelper> Error_X: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:39 < PiousMinion> Error_X: I think this should help you more. --> http://openvpn.net/index.php/documentation/howto.html#vpntype
12:40 < vpnHelper> Title: HOWTO (at openvpn.net)
12:42 < Error_X> Thanks, one more question.. am I able to route all inet traffic from clients via the server's internet?
12:43 < Error_X> gonna set it up because I work offshore where they use a proxy and I'm only able to use the web.
12:43 < PiousMinion> Error_X: I'm depending on that functionality, but haven't gotten to that point yet.
12:43 < Error_X> Ok
12:43 * PiousMinion is an openvpn newb. :P
12:44 < Error_X> Same here... just started :s
12:44 < Error_X> Linux?
12:44 < PiousMinion> aye
12:44 < Error_X> same
12:45 < PiousMinion> So I'm sitting at the "A challenge password []:" prompt and not sure what the implications of not setting a password would be. :/
12:45 < ScribbleJ> Error_X, there's a simple option for that; did you read the same configs?
12:46 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
12:46 < ScribbleJ> See 'redirect-gateway'
12:46 < ScribbleJ> Er
12:46 < ScribbleJ> same = sample, I can't type...
12:47 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
12:48 < Error_X> =)
12:49 -!- nexxer [n=nex@unaffiliated/nexxer] has left ##openvpn []
12:50 < ScribbleJ> PiousMinion, if you do not set a challenge password, and someone gets access to your key file, it's game over, man.
12:50 < ScribbleJ> Er, my mistake
12:50 < ScribbleJ> That's the passphrase on the key
12:50 < ScribbleJ> :)
12:53 < ScribbleJ> The challenge password is pretty useless, I wouldn't worry about it. It's good for controlling who can revoke a cert but that's basically controlled by who's got access to your ca/server configs anyhow.
12:55 < PiousMinion> thanks. :)
12:55 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn
12:55 < ecrist> ScribbleJ: I'd hardly call it useless.
12:56 < PiousMinion> useful for client I suppose, but what use is it on server end?
12:56 < ScribbleJ> ecrist, I suppose it depends on how complex your PKI is... it's mostly useless in a small PKI just being used for openvpn and adminned by one dude.
12:56 < ScribbleJ> ecrist, unless I'm missing something - please correct me.
12:57 < ecrist> ScribbleJ: in a 'single-dude' setup, there's little benefit, as long as the server is hardened. without a challenge password, it's trivial to create another VPN certificate and get into the network at one's leisure, however.
12:57 < ecrist> I recommend challenge passwords for root CA certificates, generally not for client certificates.
12:57 < ecrist> in VPN setups, anyways
12:58 < ecrist> from there, however, I would recommend a multi-factor authentication scheme on the server side (user/pass + certificate), which prevents some abuses of an unprotected certificate/key pair, if they're compromised.
12:59 < PiousMinion> ok, now to figure out how to undo what I did.
13:00 < Kobaz> rm -rf
13:00 < PiousMinion> path = ?
13:01 < Kobaz> heh, that was a joke
13:01 < ScribbleJ> ecrist, I must not know enough about this. What's the vector for an easy attack by not using a challenge password? They still need to get access to your keystore, and you've got a passphrase on the keys themselves.
13:02 < Kobaz> i always thought that if you got haxored you would have bigger problems than your vpn server key being out in the open
13:02 < ScribbleJ> And if we can assume the attacker can get access to your keystore, we might as well worry about whether they can just log into the openvpn machine and switch out the configs entirely.
13:03 < ecrist> there are varying degrees of being compromised.
13:04 < ecrist> many people fail to put proper restrictions and permissions on the SSL certificates and keys. in this case, rooting a box is not needed.
13:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:05 < ScribbleJ> Well, this is true. But again, if we have to assume an admin incompetent enough to basically give his keys away, we might as well worry about whether he puts telnet on the wan interface. Plus, the keys themselves /still/ have the passphrase on them.
13:05 < ScribbleJ> I'm just not seeing the attack vector based on the challenge password.
13:06 < ScribbleJ> He might, what, revoke all your certs then -separately, mind you- hack your openvpn server and put in the updated CRL? Then you'd be DOSed?
13:06 < ScribbleJ> He still couldn't give himself access though.
13:07 < ScribbleJ> Well, I mean - except once he got to the point of being able to put in the CRL, anything goes, of course.
13:07 < ecrist> if he can build a CRL, he can sign a certificate.
13:08 < ecrist> s/a c/a new c/
13:08 < ScribbleJ> But I'm supposing he can't do either without the passphrase to your ca.
13:09 < ScribbleJ> Which is a separate entity from a challenge password.
13:09 < Error_X> Huh, when I start openvpn the server loses its primary ethernet connection
13:09 < PiousMinion> Howto says to copy "ALL" files in the keys folder to the client machine. Can this be right?
13:09 < ScribbleJ> The /server/ does? That sounds odd.
13:10 < ScribbleJ> PiousMinion, that doesn't sound right... I'll read it.
13:10 < Error_X> the server does get an IP address from the router, but I can't ping any computers on the physical network or the internet
13:10 < PiousMinion> ScribbleJ: http://openvpn.net/index.php/documentation/howto.html#pki
13:10 < vpnHelper> Title: HOWTO (at openvpn.net)
13:10 < Error_X> as soon as I do 'openvpn stop' the internet/lan works again
13:10 < ScribbleJ> Error_X, you probably screwed up your routing somehow.
13:11 < Error_X> probably
13:11 < Error_X> My physical network uses 10.0.0.0/24, and I set up the VPN to use 192.168.10.0/24
13:11 < ScribbleJ> PiousMinion, I'm not seeing where it says that. I see a nice graph that shows what needs to be copied where.
13:12 < PiousMinion> ScribbleJ: right after "Key Files" underneath the table that shows the different files and their purpose.
13:13 < PiousMinion> "The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel."
13:13 < ScribbleJ> It means copy all the files listed as needed to the machines listed as needing them.
13:14 < ScribbleJ> Follow the table, it makes it clear (I think)
13:14 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-8ae1c2a1b26bcdd5] has joined ##openvpn
13:14 < PiousMinion> kk
13:14 < ScribbleJ> Error_X, well, that's obviously no conflict on its own.
13:16 < french> ok i was on earlier and sent to iroute man pages, anyways, i have a vpn on Server A (10.0.0.22), when i vpn onto Server A, i also want to go to a few lan pages on Server B (10.0.0.44) so
13:17 < french> i added http://pastebin.com/d3f83149b to my conf
13:17 < french> then i created a client1 in /etc/openvpn/ccd/
13:17 < french> and put iroute 10.0.0.44 255.255.255.0 in it
13:18 < french> however when i restart openvpn service i get this error
13:18 < french> RTNETLINK answers: Invalid argument
13:18 < ScribbleJ> french, 10.0.0.44 255.255.255.0 and 10.0.0.22 255.255.255.0 are the same address.
13:18 < french> what do you mean?
13:18 < Kobaz> same address?
13:18 < Kobaz> those aren't the same
13:18 < french> machine a is 10.0.0.22 and machine b is 10.0.0.44.
13:19 < ScribbleJ> It's going to set up the same /24 route for both of those route lines, is it not?
13:19 < Kobaz> no
13:19 < french> well i was just trying to copy it from http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing but now i am all confused
13:19 < ScribbleJ> OK, I'll be quiet then.
13:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:19 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
13:20 < french> so any ideas?
13:21 < ScribbleJ> I'd suggest using a netmask of 255.255.255.255 for a route of a single host, but I also would trust anyone else here before myself.
13:22 < french> so would that just change machine b address to push "route 10.0.0.44 255.255.255.225" or both a and b?
13:22 < ScribbleJ> Hrm
13:22 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn
13:23 < ScribbleJ> Rereading your problem, I'm not sure if it's openvpn you need to mess with. You are setting up openvpn to give you access to the client's networks, but you really want something behind the server.
13:24 < french> what i have is server A with openvpn installed, then i have server B on a virtual machine on Server A; when i VPN i want to be able to access both Server A and Server B lan webpages
13:24 < Kobaz> can't you just use ethernet bridging between the host and the guest
13:25 < Kobaz> or are you specifically testing openvpn
13:25 < french> i believe it has one; if so how do i tell, client is fedora 10
13:25 < ScribbleJ> ?
13:25 < french> 9
13:25 < french> using vmware
13:26 < Kobaz> if i understand what you wrote, you have one machine
13:26 < Kobaz> and you're using openvpn to connect from the host to the guest vm
13:27 < french> the vmware is set up to bridge the connection to the physical network
13:28 < ScribbleJ> If it is bridging to the physical network; are you using tap or tun in openvpn?
13:28 < Error_X^> !configs
13:28 < vpnHelper> Error_X^: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:28 < Kobaz> sounds like tap, since he's using /24's
13:29 < ScribbleJ> Kobaz, no, he's got openvpn server on his host, and when he connects to it (from the outside world) he wants to hit the vms too.
13:29 < Kobaz> ah
13:29 < ScribbleJ> I use /24s on tun all day long. :)
13:29 < french> ScribbleJ that is correct
13:29 < ScribbleJ> So french, tap or tun?
13:29 < Kobaz> ScribbleJ: tun gives each client a /31
13:30 < french> i have no idea
13:30 < Error_X^> http://pastebin.com/m52fe7b5 <- when I start openvpn with this config file the server disconnects from the local network.. it "drops" out, but I can still access the internet pages that have already been accessed before.
13:30 < ScribbleJ> Kobaz, ? his client only needs a /31 - it's his server that needs to provide a /24. And the !route doc tells you all about how to get a client to provide a /24
13:30 < french> here is server config http://pastebin.com/d1896a53e
13:31 < ScribbleJ> french, my guess is you are using tun, and you need to enable forwarding in your kernel and set up appropriate firewall rules.
13:31 < Kobaz> what do you mean: provide a /24
13:31 < ScribbleJ> Ah, let's see.
13:31 < ScribbleJ> Kobaz - access to a /24 network at the client side?
13:31 < Kobaz> you mean allow routing to the /24 behind the client?
13:31 < Kobaz> yeah
13:31 < french> i'm lost
13:31 < ScribbleJ> Don't worry, french, I think Kobaz and I are just arguing about nothing. :)
13:31 < Kobaz> i wouldn't call that providing a /24... you're not assigning ips out of it... anyways
13:31 < Kobaz> heh
13:32 < ScribbleJ> french, it's tun, so I'm right
13:32 < Kobaz> i jumped in late, so i dont know what he's using
13:33 < ScribbleJ> french have you enabled forwarding in your kernel, and set up appropriate permissions to allow forwarding of traffic from your LAN/VMs to the VPN tun adaptor?
13:33 < Kobaz> okay, so the server has a 10.0.0.0/24 behind it
13:33 < ScribbleJ> french, what is output of 'sysctl net.ipv4.ip_forward'
13:33 < ScribbleJ> Yeah, although 'behind' in this case means 'inside', it's the same thing.
13:34 < french> net.ipv4.ip_forward = 1
13:34 < ScribbleJ> And traffic from that /24 is bridged into his LAN.
13:34 -!- Error_X [n=Errorx@6.84-234-140.customer.lyse.net] has quit [Read error: 110 (Connection timed out)]
13:34 < Kobaz> you need to NAT it then
13:34 < ScribbleJ> OK, that's good french.... it sounds like it might just be a routing issue then - is the machine that is the HOST the GATEWAY for the VM?
13:34 < ScribbleJ> I'm thinking you're right, Kobaz, just thought I'd ask first.
13:34 < Kobaz> the vpn server is going to be the nat gateway for the network behind/inside the server
13:35 < ScribbleJ> Or is a machine on your LAN a gateway for the VM?
13:35 < french> that is machine A which has machine b on a vms
13:35 < ScribbleJ> Machine A is machine B's gateway, french? Are you sure?
13:35 < Kobaz> /sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
13:35 < ScribbleJ> If it was, this sounds like it would be working. Do you have iptables rules? Can you pastebin 'iptables -L -v -n'?
13:36 < french> gives me nothing /sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
13:36 < Kobaz> it means it worked
13:36 < ScribbleJ> Getting traffic through both ways means it worked.
13:36 < ScribbleJ> Try it and see.
13:36 < Kobaz> i assume tun0 is your tunnel device
13:36 < french> http://pastebin.com/d12e8723c
13:36 < ScribbleJ> I was going to check his config first, but you can shotgun a solution.
13:37 < Kobaz> ScribbleJ: it means the kernel accepted the firewall rule (meaning the command itself worked)
13:37 < ScribbleJ> Kobaz, right.
13:37 < Kobaz> heh
13:37 < Kobaz> anyways
13:37 < Kobaz> try pinging some stuff
13:37 < ScribbleJ> According to what he said, he shouldn't need the NAT, Kobaz, so something is missing still.
13:38 < Kobaz> you need to nat, since openvpn will not nat on its own
13:38 < ScribbleJ> If Machine A is Machine B's gateway and he's pushing the /24 ROUTE in openvpn already, and his pastebin of the iptables command I listed shows forwarding enabled, the NAT is just a waste.
13:38 < ScribbleJ> Right, but no nat is necessary since the routes are known both ways.
13:38 < Kobaz> forwarding won't do anything without turning on nat
13:38 < ScribbleJ> And the server is his gateway.
13:38 < ScribbleJ> Wrong.
13:38 < ScribbleJ> I use it without nat on my nets.
13:39 < ScribbleJ> Again, if the routes are known, the ip space does not overlap, and the openvpn machine is the server, nat is just extra cruft you do not need, and breaks comms one-way, in fact, that'll break it the way he wants to go without port forwarding, no?
13:40 < Kobaz> he'll be able to go into the lan net and back out
13:40 < french> is this really that difficult?
13:40 < Kobaz> no
13:40 < Kobaz> hehe
13:40 < ScribbleJ> I see the missing piece too.
13:40 < ScribbleJ> You said your vmware guest is bridged to lan
13:41 < french> yes
13:41 < ScribbleJ> But you said the guest uses the host as its gateway
13:41 < ScribbleJ> It's possible to do both but very weird, are you sure?
13:41 < french> i might not, i prob using the firewall as the gateway
13:41 < Kobaz> the guest should be using the router as the gw
13:41 < Kobaz> yeah
13:41 < ScribbleJ> Heh, that's the second time I asked are you sure!
13:41 < ScribbleJ> This is critical information!
13:42 < french> yes i am sure
13:42 < ScribbleJ> I predict if you change it to use the host as its gateway things will 'work' but you may find other things 'break' and you may find that Kobaz's MASQ line means you can still only get to the host, not the guest.
13:42 < Kobaz> okay well, you can axe the nat rule and continue futzing: /sbin/iptables -t nat -D POSTROUTING -o tun1 -j MASQUERADE
13:42 < Kobaz> tun0 rather
13:42 < ScribbleJ> Without the MASQ line, and with the guest using host as its gateway, all should work as you expect.
13:43 < Kobaz> make that: /sbin/iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
13:43 < french> ok
13:43 < ScribbleJ> The only probable problem is that your guest is configured via dhcp on the LAN and will continue to want to use the LAN gateway, not your host OS as the gateway, yes?
13:43 < Kobaz> i haven't set up a bidirectional route with openvpn before, so i generally use nat
13:43 < ScribbleJ> It is possible to fix this but it gets into a bit more complicated routing.
13:44 < ScribbleJ> Kobaz, if the only tool you have is a hammer... :P
13:44 < french> no static
13:44 < Kobaz> heh
13:44 < ScribbleJ> french, well, you might get by, you know better than I do the implications of changing your default gateway on the LAN for the guest.
13:44 < french> both machines are static
13:44 < Kobaz> ScribbleJ: then you're going to have a large collection of hammers
13:44 < ScribbleJ> Kobaz, hahah.
13:44 < Error_X^> Hmm, why does the server lose all local connections when I start openvpn? (I can access the internet but not ping the router/local machines). http://pastebin.com/mccdfb38
13:44 < french> so what do i need to do
13:45 < Kobaz> Error_X^: subnet conflicts?
13:45 < Error_X^> Kobaz: Is it?
13:45 < ScribbleJ> French, if I were in your shoes, I would a) set guest OS to use host IP as its gateway b) make sure guest still works this way. c) remove MASQ line Kobaz suggested. d) restart openvpn server. e) Enjoy your networking.
13:45 < Kobaz> server 192.168.0.0 255.255.255.0
13:45 < Kobaz> Error_X^: what's your local lan subnet
13:45 < Error_X^> local is 10.0.0.0 255.255.255.0
13:46 < Kobaz> oh okay
13:46 < ScribbleJ> Remove this line: route 10.0.0.0 255.255.255.0
13:46 < Kobaz> paste your routing table after openvpn is started
13:47 < Error_X^> huh... it worked now.. I still hear my mp3 playing from the server tho
13:47 < Error_X^> after I removed route 10.0.0.0 255.255.255.0
13:47 < Error_X^> I set up routing table in my linksys router
13:47 < ScribbleJ> I do not understand the problem anymore. mp3?
13:47 < Kobaz> Error_X^: every computer with an ip stack has a routing table
13:48 < Error_X^> ScribbleJ: Yes, streaming from my server?
13:48 < ScribbleJ> Error_X^, ok, what about it?
13:48 < Error_X^> locally
13:48 < ScribbleJ> Error_X^, how?
13:48 < Error_X^> so when I started openvpn, it stopped... all local connection to the server stopped
13:48 < ScribbleJ> OK, but now it works?
13:49 < Error_X^> after I removed route 10.0.0.0 255.255.255.0
13:49 < ScribbleJ> Good, OK
13:49 < Error_X^> so now I'm gonna try to connect with a client
13:49 < ScribbleJ> So problem solved, right?
13:49 < Kobaz> Error_X^: route 10.0.0.0 255.255.255.0... that's telling the openvpn server that the 10.x route is going to be handled by openvpn
13:49 < PiousMinion> In the openvpn ethernet bridging howto it says "configure the DHCP server on the LAN to also grant IP address leases to VPN clients.", but how would my lan dhcp server know if it was a vpn or a real client?
13:49 < ScribbleJ> I think he wanted to push-route that route.
13:49 < ScribbleJ> That'll be his next problem.
13:49 < Kobaz> hehe
13:49 < Error_X^> its not easy ^^
13:49 < ScribbleJ> PiousMinion, if you are using bridging, it cannot tell the difference.
13:50 < Kobaz> Error_X^: you want the 10.x route going straight out your network card instead
13:50 < french> thanks it now works
13:50 < PiousMinion> ScribbleJ: I didn't think so, but the howto says I should configure it anyway. lol
13:50 < Error_X^> Kobaz: yes
13:50 < Kobaz> Error_X^: problem solved...
13:50 < ScribbleJ> PiousMinion, I think it's just trying to say, "Make sure your DHCP is gunna handle this, too," or something.
13:50 < ScribbleJ> I dunno.
13:50 < Error_X^> ok.. I will fire up my mobile broadband and try to connect :)
13:51 < Kobaz> okay, back to breaking my own stuff
13:51 < ScribbleJ> I take that back. Does bridging decrease the TTL?
13:51 < ecrist> weird
13:51 < ScribbleJ> Elephino.
13:51 < Kobaz> ScribbleJ: i wouldn't think so
13:52 < ScribbleJ> Me neither, Kobaz.
13:52 < ScribbleJ> But I seldom use it.
13:52 < ScribbleJ> And never had occasion to wonder.
13:52 < ecrist> for some reason, checkpoint firewalls need a host mask of 0.0.0.1 in cisco access-lists for a match to occur.
13:52 < Kobaz> ScribbleJ: and ttl is going to be set by the originator anyway
13:52 < ScribbleJ> Kobaz, right, my thought was, if his DHCP TTL is set to 1....
13:52 < Kobaz> ScribbleJ: oh you mean, does it count as a hop
13:52 < ScribbleJ> Kobaz, on the DHCP server
13:52 < ScribbleJ> Kobaz, but yes, and I'm sure it has to be routed for that, then.
13:53 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has quit [] 13:53 < Kobaz> you don't want dhcp going over the bridged vpn anyway 13:53 < Kobaz> probably cause all kinds of problems with clients maintaining a connection... you want local dhcp from where you're at 13:54 < ScribbleJ> I could think of a config where you would, but ... not one I'd find int he real world. 13:54 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-8ae1c2a1b26bcdd5] has left ##openvpn [] 13:55 < Kobaz> ...back to really breaking stuff 13:55 -!- Error_X [n=fdfskodf@6.84-234-140.customer.lyse.net] has joined ##openvpn 14:13 < PiousMinion> Ok, so if I run this "bridge-start" script from the howto... how much of a chance is there that it will break my network connection and I will have to drive 5 miles to the server for physical access? lol 14:14 < ScribbleJ> I'd say you should count on it... 14:14 < ScribbleJ> And 5 miles? NICE. Yer lucky, walk over. 14:15 < PiousMinion> Did I mention this comp has no keyboard, mouse, or monitor? O.o 14:15 < ScribbleJ> Crash cart! 14:15 < PiousMinion> I'll just call 911 and explain the emergency. I'm sure they'll understand. rofl 14:16 < ecrist> PiousMinion: there's a low probability it will break network connectivity for the server, unless you're messing with the firewall, which is seldom recommended OTW 14:16 < PiousMinion> I hope you're right. here goes. 14:17 < PiousMinion> ok, yeah. That server is offline. lol 14:17 < ecrist> I don't actually know what I'm doing, I'm just here to give people a hard time. :D 14:17 < ScribbleJ> I love to say "I told you so;" if only I had the opportunity. 14:18 < PiousMinion> nothing important on that server. It's just a test server when I need something to be remote. 14:18 < PiousMinion> poo 14:18 < ScribbleJ> Like... now? 14:18 < PiousMinion> exactly 14:19 < PiousMinion> Even if I was to test the server on this end..... how the hell am I supposed to test it if I can't physically be in two places at once? 
heh 14:20 < PiousMinion> I guess I should have tested it on something important so it would get fixed quickly and then claim it wasn't me. :P 14:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 14:24 < PiousMinion> So why would this bridge script not do what it's supposed to do and just kill the network connection? 14:27 < ecrist> PiousMinion: we can't actually know what you did without more detail than, 'I ran this script' 14:27 < ecrist> what script, how did you run it, etc. 14:27 -!- PiousMinion1 [n=clay@7-167.106-97.tampabay.res.rr.com] has joined ##openvpn 14:30 < PiousMinion1> Strange. I'm able to ssh in from the lan side, but not remote, even though IP is the same. 14:30 < PiousMinion1> lan IP is the same is what I mean to say. 14:32 -!- PiousMinion [n=clay@7-167.106-97.tampabay.res.rr.com] has quit [Read error: 60 (Operation timed out)] 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:37 < PiousMinion1> scratch that. I ran bridge-stop and now it's double broke. 14:38 < PiousMinion1> man, whoever wrote the example script needs to have their head examined. lol 14:39 < Error_X> do I need to copy the crt files over to the client? 14:39 < PiousMinion1> Error_X: some of them, not all. 14:40 < PiousMinion1> scroll down to the "Key Files" section. --> http://openvpn.net/index.php/documentation/howto.html#pki 14:40 < vpnHelper> Title: HOWTO (at openvpn.net) 14:42 < Error_X> cant find the file to create client files :s 14:42 < Error_X> build-client1 14:44 < PiousMinion1> /usr/share/doc/openvpn... something 14:47 < PiousMinion1> I could tell you exactly if I didn't just kill my server... twice. lol 14:48 < ScribbleJ> My only gripe is that most of the docs I've seen act like bridged should be preferred to routed when I feel it's the opposite. 14:49 < ecrist> routed is preferred. 
lots of docs were written around getting netBIOS working on windows networks, though 14:50 < PiousMinion1> All I care about is routing all traffic on the client through the vpn and being able to access all things on the lan as if I was local. 14:51 < Error_X> If I use 'secret', do I have to use a secure channel then? 14:51 < ecrist> well now, define *all* 14:51 < PiousMinion1> ecrist: which all? I used two of them. :P 14:52 < ecrist> either of them. Let's concentrate on the first 14:52 < ecrist> are you referring to ethernet traffic or IP traffic? 14:53 < PiousMinion1> I assume IP traffic. idk what the difference in the end result would be. 14:53 < ecrist> windows file sharing? 14:54 < PiousMinion1> that will be needed, yes, but I think I can call via IP as \\IP\share 14:54 < ecrist> right 14:54 < PiousMinion1> correct if wrong 14:54 < PiousMinion1> k 15:00 < Error_X> Ok, this encrypting thing is very confusing. 15:00 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 15:05 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: eagle 15:10 < PiousMinion1> at first, yeah 15:13 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 15:13 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [SendQ exceeded] 15:13 < Error_X> PiousMinion1: But its for our own safety I guess ;) 15:13 -!- xanthus1 [n=marcelor@r190-134-197-61.dialup.adsl.anteldata.net.uy] has joined ##openvpn 15:13 < PiousMinion1> of course. 15:19 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 15:30 -!- xanthus1 [n=marcelor@r190-134-197-61.dialup.adsl.anteldata.net.uy] has left ##openvpn [] 15:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:32 < Error_X> bleh.. I just get connection failed.. 
the port is forwarded and everything 15:32 < Error_X> using TCP 15:38 < Error_X> it wotn even connect locally 15:38 < Error_X> but the service is up and running 15:39 -!- Error_X [n=fdfskodf@6.84-234-140.customer.lyse.net] has quit [Remote closed the connection] 15:47 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has joined ##openvpn 15:48 < BasketCase_EEE> if I want to setup OpenVPN tunnels for my laptop from my wireless lan or from the internet (2 different NICs) would I need to run two different instances of OpenVPN with two different private subnets or would I put both in the same config? 16:04 < reiffert> one config per daemon 16:04 < reiffert> you might want two different setups here. 16:05 < reiffert> it's no matter of 2 different NICs. 16:06 < reiffert> e.g. wireless lan openvpn server might need --local option 16:06 < BasketCase_EEE> so, I would have 2 config files, 2 openvpn pids, and 2 private subnets? 16:06 < reiffert> sorry, forget my last sentence. bullshit. 16:07 < BasketCase_EEE> I am routing not bridging if that matters 16:07 < reiffert> just head on for one server, one pid and one config file and one subnet 16:07 < reiffert> and if it doesnt work, clone() the setup. 16:09 < BasketCase_EEE> that sounds kinda like what I tried. It didn't work but I haven't had time to work on it much yet 16:11 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has joined ##openvpn 16:11 < french1> i have a question, for openvpn client on windows is their a way to have it auto start when windows comes up? 16:12 < reiffert> french1: 16:12 < reiffert> !howto 16:12 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:14 < french1> will taht still have me prompt for a passwrod? 16:15 -!- straterra [n=straterr@2001:470:8a81:0:0:0:0:2] has joined ##openvpn 16:15 < straterra> How long does a dixie hellman file take to generate, most of the time? 
I have a 2.8GHz core 2 based Xeon..and its beeng going for about 45 minutes 16:18 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn 16:18 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 16:19 < Error_X^> Heya! When I connect to the OpenVPN server I get the address: 10.8.0.6 (and it says dhcp server: 10.8.0.5, but I cant ping either dhcp or server which is 10.8.0.1 in tun0 according to ifconfig). the internet on the client is also lost until I disconnect..... http://pastebin.com/m1fd0bcfa (Server config) 16:24 < reiffert> straterra: some seconds. 16:24 < reiffert> Error_X^: read up what the server line expands to and read up the topology setting. 16:26 < Error_X^> what? 16:27 < reiffert> Error_X^: what exactly is it you do not understand in my sentence? 16:29 < reiffert> Error_X^: and remove line 24 and 27 from your server config file. 16:29 < reiffert> ah, and read up about option def1 for redirect-gateway. 16:29 < Error_X^> Ok 16:30 < Error_X^> but why should I remove push "route 10.0.0.0....."? isnt that used to access the "real" LAN behind the VPN? 16:31 < reiffert> remove it for now. 16:32 < Error_X^> ok 16:34 < reiffert> note: when using your openvpn server as redirect-gateway it already knows how to handle packets to 10.0.0.0 as it is member of that subnet. 16:37 < Error_X^> reiffert: yes, I got access to the LAN now :) . the only thing now is to get the "internet tunnelling" thing to work 16:38 < reiffert> !def1 16:38 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:40 < Error_X^> !man 16:40 < vpnHelper> Error_X^: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:42 < Error_X^> but I can route internet traffic by using tcp and tun, right? 16:43 < reiffert> yep 16:43 < reiffert> paste your server config again pls 16:45 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has joined ##openvpn 16:50 < Error_X^> http://pastebin.com/m4bf00302 <- server 16:51 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has left ##openvpn ["Client exiting"] 16:51 < Error_X^> I have also added an "Advanced routing" entry in my linksys WRT54G router 16:51 < Error_X^> Dest. LAN IP: 10.8.0.0 || Subnetmask: 255.255.255.128..... Default Gateway: 10.0.0.100 (The openVPN server).... Interface: LAN & Wireless 16:55 < reiffert> # 16:55 < reiffert> push "redirect-gateway" 16:55 < reiffert> change that to 16:55 < reiffert> push "redirect-gateway def1" 16:56 < Error_X^> tried it 17:02 < french1> how do i get the vpn to save the username and password info so i never have to enter it? 17:03 < Error_X^> reiffert: cant even ping the server's VPN address 17:04 < Error_X^> reiffert: I can 17:04 < Error_X^> had to renew... 
but still cant access the other computers 17:21 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has quit [] 17:33 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has quit ["Leaving"] 17:37 -!- bneff [n=bneff@12.44.178.253] has quit [Read error: 110 (Connection timed out)] 17:39 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 18:14 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has joined ##openvpn 18:15 < french1> is there something i can add to my client openvpn conf, the .ovpn file, to have it remember username and password? 18:19 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 18:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:48 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:08 -!- emcepe [n=mcp@wolk-project.de] has joined ##openvpn 19:09 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)] 19:09 -!- emcepe is now known as mcp 19:14 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 19:14 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 19:16 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:37 < french1> is there something i can add to my client openvpn conf, the .ovpn file, to have it remember username and password? 
19:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:00 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:18 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 20:27 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 20:52 < ecrist> evening, folks 20:59 -!- french [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has joined ##openvpn 21:06 < ecrist> french: it's covered in the howto, iirc 21:08 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 21:08 -!- intralanman [n=Raymond@99-196-39-200.cust.wildblue.net] has joined ##openvpn 21:13 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 21:13 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 21:14 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 21:16 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has quit [Read error: 110 (Connection timed out)] 21:37 -!- french [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has quit ["Leaving"] 22:11 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 22:18 -!- lionel [n=lionel@ip-185.net-89-3-221.rev.numericable.fr] has quit [Read error: 101 (Network is unreachable)] 22:20 < vincas_> Why is there something that looks like a mac address under virtual address in my openvpn-status.log ? Is this due to my having a bridging setup ? 
22:20 < vincas_> It was an IP address before, and now it's a maclike thing that I can't arp-ping 22:27 < vincas_> every reference I see to it has IP addresses 22:35 -!- vincas [n=vincas@216.25.249.228] has joined ##openvpn 22:50 -!- intralanman [n=Raymond@99-196-39-200.cust.wildblue.net] has quit ["Leaving"] 22:51 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 110 (Connection timed out)] 22:52 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 22:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:20 -!- tjz [n=tjz@bb121-7-22-236.singnet.com.sg] has joined ##openvpn 23:21 * tjz wink 23:29 < ropetin> Cheeky! 23:48 < tjz> lol 23:48 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 23:50 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 23:50 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 23:59 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit ["[BX] I'm out like a light..."] --- Day changed Thu Feb 12 2009 00:02 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:02 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:03 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:03 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:04 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:04 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:04 -!- vincas [n=vincas@216.25.249.228] has quit [Read error: 110 (Connection timed out)] 00:05 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:05 -!- vincas_ 
[n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:07 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 00:07 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:10 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:10 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 00:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:30 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:30 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:34 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:34 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 00:34 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 00:37 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:37 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:42 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:42 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 01:15 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 01:15 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 01:35 -!- lkthomas_ [n=lkthomas@218.189.198.146] has joined ##openvpn 01:35 < lkthomas_> hey guys 01:35 < lkthomas_> if I setup an openvpn server 01:35 < lkthomas_> how does windows xp user connect to this server ? 
01:38 < reiffert> openvpn client 01:44 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 01:45 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 01:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 01:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 02:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:24 -!- clusterm1gnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn 02:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 02:37 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has quit [Read error: 110 (Connection timed out)] 02:42 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 02:44 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)] 02:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:46 < lkthomas_> uys 02:46 < lkthomas_> guys 02:46 < lkthomas_> if I want user to use same IP subnet as LAN user 02:47 < lkthomas_> I should use bridge mode, right ? 03:08 < ropetin> lkthomas_: I'll ask the silly question; why do you want to use the same subnet? 03:08 < ropetin> (I'm slow tonight!) 03:09 < lkthomas_> ropetin, because it is now it works, we don't want NAT as we got tons of fileserver need to access from same subnet 03:18 < ropetin> Hmmm, ok... 03:18 < lkthomas_> is there have any method to use openvpn via web interface ? 03:19 < ropetin> I think webmin has a module for openvpn 03:20 < lkthomas_> nono 03:20 < lkthomas_> I don't mean to config 03:20 < lkthomas_> I mean, client side 03:21 < ropetin> Windows? 03:21 < ropetin> And yes, bridge mode will allow you to do what you wan 03:21 < ropetin> t 03:22 < ropetin> There is OpenVPN GUI for Windows, it's pretty good and allows me to use the same config file from my Linux box 03:23 < lkthomas_> you know F5 network ? 
03:23 < lkthomas_> they offer activeX as windows client 03:25 < reiffert> 10:24 < lkthomas_> is there have any method to use openvpn via web interface ? 03:25 < reiffert> wtf? 03:25 < reiffert> no, there is not. 03:25 < lkthomas_> F5 SSL VPN client is based on activeX control application 03:26 < reiffert> sounds like activex browser only. Dont have such a thing. 03:26 < lkthomas_> hmm 03:27 -!- tjz is now known as tjz|dinner 03:32 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 03:33 < reiffert> lkthomas_: and from the browser window, what can you do there? 03:34 < lkthomas_> run the ssl vpn client 03:35 < reiffert> and then what happens, the browser adds an virtual interface? 03:35 < lkthomas_> good question 03:35 < lkthomas_> it might be a good time to read F5 docs :) 03:35 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 03:35 < reiffert> sounds as you need admin rights for that. 03:35 < lkthomas_> that IS F5 SSL VPN selling point 03:35 < reiffert> lkthomas_: and this IS ##openvpn. 
03:35 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"] 03:35 < lkthomas_> I mean, in compare with F5 03:36 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 03:41 < ropetin> :D 03:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:53 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 04:05 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 04:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:08 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Client Quit] 04:17 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:19 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)] 04:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 04:39 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 04:43 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 04:44 < mRCUTEO> hiya all 04:51 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 04:57 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 04:58 -!- tjz|dinner is now known as jz 04:58 -!- jz is now known as tjz 04:59 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)] 05:31 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn 05:56 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 05:57 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 05:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:12 -!- vincas_ [n=vincas@216.25.249.228] has joined ##openvpn 07:29 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 110 (Connection timed out)] 07:37 -!- whaletales [n=Paul@5ad19f2e.bb.sky.com] has joined ##openvpn 07:38 -!- PiousMinion1 is now known as PiousMinion 07:45 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 07:47 -!- whaletales is now 
known as aptanet 08:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 08:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:13 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 08:17 < jolelion> hello 08:19 < jolelion> I can't find in the pkitool file if the optional company name of the certificates is settable ? 08:19 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit [Remote closed the connection] 08:19 < jolelion> I mean in the same way as "export KEY_ORG='mycompany' " 08:25 < reiffert> Then have a look in the openssl.cnf file 08:35 < jolelion> reiffert: there is only one line in the openssl.conf file : "unstructuredName = An optional company name" 08:36 < jolelion> and no KEY_xxxx associated 08:41 -!- vincas_ [n=vincas@216.25.249.228] has quit [Read error: 60 (Operation timed out)] 08:41 < ecrist> jolelion: you were talking yesterday about writing a script. If you can write a script, read through the easy-rsa scripts and modify them to your needs. 08:41 < reiffert> jolelion: feel free to do so. 08:41 < ecrist> we're not here to do your research for you. 08:41 < reiffert> s,to do so,to add one, 08:42 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 08:42 < reiffert> :) 08:51 < straterra> Is Dixie Hellman generated using any kind of cpu/disk entropy? 08:55 < reiffert> yes. 08:55 < reiffert> oh well. 08:55 < reiffert> system entropy. 08:55 < straterra> diffie^ 08:55 < reiffert> your kernel decides a source for that. 08:55 < straterra> so..ramping CPU load won't help it go faster o.O 08:56 < reiffert> and it may be that keyboard/mouse is used, or disk usage (rarely) 08:56 < reiffert> how many bits you are toasting on diffie hellman? 
08:56 < straterra> well..i hope kb/mouse isn't..cause neither are hooked up 08:56 < straterra> 4096 08:56 < straterra> I'm using the easy-rsa scripts 08:56 < reiffert> 1024 bits should be doable in 5 sec, 4kbit lasts many many many days. 08:57 < reiffert> straterra: easy rsa is using openssl. 08:57 < straterra> 4096 took about an hour to generate last night 08:57 < reiffert> ah, so get some randomness to your kernel then. 08:57 < straterra> cat /dev/urandom > /dev/null? 08:58 < straterra> lol 09:00 < reiffert> it's not trivial. have a look into your kernel docs. 09:00 < reiffert> and openssl docs of course. 09:09 < ScribbleJ> Uh 09:09 < ScribbleJ> Seriously, can't you just cat LARGE_FILE > /dev/urandom ? 09:09 < ScribbleJ> It's /supposed/ to work. 09:09 < straterra> finished 09:12 < ScribbleJ> So how "many many days" was that? 09:12 < straterra> lets see.. 09:13 < straterra> about 15 minutes o.O 09:13 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 09:13 < ScribbleJ> So roughly .01 days. 09:14 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 09:14 < straterra> yesterday it took an hour..so..hmm.. 09:14 < ScribbleJ> yeah, entropy being what it is. 09:14 < ScribbleJ> Just keep in mind for next time - 09:14 < ScribbleJ> You really /can/ pipe a large file into random to increase entropy 09:15 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn 09:15 < straterra> Will do 09:15 < ScribbleJ> Or you can do what I do; knock everything in your room to the floor. It doesn't help generate any keys, but it /does/ increase the overall entropy of the system.... 09:15 < ScribbleJ> Where 'the system' includes my room anyhow. 09:15 < straterra> heh 09:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 09:20 < straterra> hmm... 
iroute in a client's ccd file didn't push a route :/ 09:20 -!- tjz [n=tjz@bb121-7-22-236.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 09:21 < straterra> Oh well..I'm going to handle all of that on the client's bridge interface anyway 09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:28 < ScribbleJ> Push a route to a client's network to other clients? 09:28 < ScribbleJ> I don't think you'll get it to work unless you have the openvpn config right; openvpn /is/ involved in that routing. 09:30 < ecrist> straterra: iroute doesn't push the route... 09:32 < straterra> Alright..I got it set up how I need to..complete with ipv6 09:33 < ecrist> fwiw, openvpn doesn't do ipv6 at this time.. 09:33 < straterra> I have ipv6 working over several openvpn tunnels 09:33 < ecrist> ah, didn't know what you meant, entirely. 09:33 < straterra> ipv6 works as long as you use tap and not tun 09:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 10:27 -!- sfafg [i=a0248bc9@gateway/web/ajax/mibbit.com/x-824f36ba9ecca206] has joined ##openvpn 10:27 < sfafg> on the windows openvpn client, is it possible to add username and password inside the config, so that you do not have to enter it every time you want it to start? 10:28 -!- tjz|dinner [n=tjz@bb116-15-193-230.singnet.com.sg] has joined ##openvpn 10:28 -!- tjz|dinner is now known as tjz 10:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:41 * ecrist shoots his boss. 
10:44 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn 10:49 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)] 10:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 60 (Operation timed out)] 11:12 -!- french [i=a024fe2b@gateway/web/ajax/mibbit.com/x-b0c5dc30e55d8603] has joined ##openvpn 11:20 -!- tjz [n=tjz@bb116-15-193-230.singnet.com.sg] has quit ["bbl"] 11:29 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has joined ##openvpn 11:38 < jolelion> when I generate a certificate, openssl asks for a password . Is this password the same as the one asked for by the "--pass" option of pkitool? 11:39 -!- max06 [n=max06@unaffiliated/max06] has joined ##openvpn 11:40 -!- french [i=a024fe2b@gateway/web/ajax/mibbit.com/x-b0c5dc30e55d8603] has quit ["http://www.mibbit.com ajax IRC Client"] 11:41 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:52 -!- tjz|dinner [n=tjz@bb116-15-193-230.singnet.com.sg] has joined ##openvpn 11:53 < tjz|dinner> i am getting this error.. 11:53 < tjz|dinner> Unable to connect because your certificate is not yet valid. Check that your system time is correct 11:55 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:06 < seldon> Check that your system time is correct. The system that made and/or signed the certificate has a system time after that of the system that's trying to use it. 12:07 < seldon> So essentially, openvpn sees a certificate at 6 o'clock that says it's been made or signed at 8 o' clock, thinks it's broken (which it is) and rejects it. 12:07 < tjz|dinner> the system time that create the cert is... Thu Feb 12 20:16:55 UTC 2009 12:08 < seldon> Which is off by thee minutes. 
12:08 < seldon> *three 12:08 < tjz|dinner> hmm 12:09 < seldon> You probably just have to wait three minutes, assuming the client system's time is correct. 12:09 < seldon> Also, consider using an ntp server 12:10 < tjz|dinner> ok 12:10 < tjz|dinner> 2 hours earlier, i guess 12:11 < seldon> Oh, UTC. Yeah, you're lagging two hours. 12:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:13 < tjz|dinner> let me try 12:14 < max06> hi... i'm using debian lenny and i installed the openvpn package provided in the debian-repos... 12:14 < max06> I changed the necessary settings in the server.conf 12:14 < tjz|dinner> Thu Feb 12 18:19:33 UTC 2009 12:14 < tjz|dinner> ok 12:15 < tjz|dinner> look good 12:15 < tjz|dinner> gonna try 12:15 < max06> and I created the certificates 12:15 < max06> when I want to start the server with "openvpn /etc/openvpn/server.conf" it says Options error: --server directive network/netmask combination is invalid 12:16 < max06> the line in the file: server 10.8.0.1 255.255.255.0 12:19 < max06> http://rafb.net/p/ToNNv614.html 12:19 < vpnHelper> Title: Nopaste - No description (at rafb.net) 12:20 < seldon> I am guessing that the option expects the network to have zeroes in the variable part of the netmask. 12:20 < seldon> i.e., 10.8.0.0 255.255.255.0 should work 12:20 < ScribbleJ> Yeah, no '1' 12:20 < ScribbleJ> Hang on though 12:20 < ScribbleJ> Oh, no I'm just confused. 12:20 < ScribbleJ> Heh 12:20 < max06> nice... one problem less...^^ 12:20 < ScribbleJ> That's yerproblem. 12:22 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:22 -!- xattack [i=xattack@132.248.108.239] has quit [Client Quit] 12:24 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:43 < seldon> What exactly do the numbers in "Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]" mean? 12:45 < ScribbleJ> Well, the first one is clearly labeled "L". 12:45 < ScribbleJ> <- not helpful. 12:46 < ScribbleJ> I'm kidding. 
You could tell the first one is the link-layer MTU, the second is probably data-layer (i.e. MTU over your tunnel), the first = the second when you add in the EF... 12:47 < sfafg> on the windows openvpn client, is it possible to add username and password inside the config, so that you do not have to enter it every time you want it to start? 12:47 < ScribbleJ> Er, and overhead? Hrm. 12:47 < ecrist> ScribbleJ: L - EF != D 12:48 < ScribbleJ> ecrist, I know, I fail at math. 12:49 -!- sfafg [i=a0248bc9@gateway/web/ajax/mibbit.com/x-824f36ba9ecca206] has quit ["http://www.mibbit.com ajax IRC Client"] 12:50 -!- tjz|dinner [n=tjz@bb116-15-193-230.singnet.com.sg] has quit ["bbl"] 12:50 < seldon> Hmm. Link MTU should be 1492 ('swhat the ISP dishes out). I kinda figured D would be the data mtu, because it's the only number that fits. The tun interface is configured to mtu 1500, though. 12:53 < ScribbleJ> I got nothin. I should learn to shut up when I don't know; it just makes me look like a tool. 12:53 < seldon> I get the impression you'd manage that even if you knew. ;) 12:54 < ScribbleJ> Ow. 12:54 < ScribbleJ> The truth /does/ hurt. 12:55 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)] 12:55 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 12:56 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has joined ##openvpn 12:57 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has joined ##openvpn 12:57 < seldon> AF might have something to do with QoS, I (wildly) guess. But I have nothing about the rest. 12:58 -!- icebrew54 [i=proxy@static-71-117-242-28.ptldor.dsl-w.verizon.net] has joined ##openvpn 12:58 < icebrew54> does anyone have experience with SIP/openvpn? 12:59 < ecrist> icebrew54: what do you need to know? 12:59 < ScribbleJ> He's getting horrible call quality, and I suspect he should turn off compression. 
13:00 < icebrew54> I'm running into a challenge, and would want to ask "what areas" to troubleshoot in this process....so far I'm going to look into compression, asterisk codec, and MTU 13:00 < ScribbleJ> I'm not psychic, I'm in #asterisk. :) 13:00 < icebrew54> call quality was very flaky this morning and we believe it could be a setting in our openvpn 13:00 < ecrist> icebrew54: does your problem go away outside OpenVPN (across bare IP)? 13:01 < icebrew54> ecrist: over our ipsec tunnel it is perfect quality, and over regular IP it is as well 13:01 < seldon> My crystal ball tells me that ssh works and sip doesn't, and that your firewall doesn't let icmp fragmentation-needed packets through. 13:02 -!- mode/##openvpn [+o seldon] by ChanServ 13:02 < ecrist> finally, someone who knows something. 13:02 <@seldon> Eh? 13:03 -!- mode/##openvpn [-o seldon] by ChanServ 13:05 < seldon> Well, I ran into the same problem when I started using openvpn. Took me ages to figure out, too. Of course, I was a lot greener then. 13:12 < ScribbleJ> I tried running Skinny over openvpn once, but failed horribly... but it was me -- I couldn't figure out how to route that stuff. 13:13 < ScribbleJ> We moved to SIP since then, I should try again. 13:16 < seldon> On that note, my configuration is a bit archaic and overly complex; I run one tun interface for every remote site, so I should probably update it to use the server directive. Problem is, there's a windows client among them, so I expect problems with the limitations of the win32/tap driver. 13:18 < seldon> There's no hidden, secret way to make it work with subnets larger than four hosts, is there? 13:18 < ScribbleJ> Wow, that must be archaic... I've been using openvpn happily for > 6 years and I've never heard of doing it that way. 13:19 < seldon> I started back with...1.5, I think it was. 
13:19 < ScribbleJ> Well, I'll say this much, seldon - I run a pretty 'complex' config with some subnets exposed behind /clients/ and some behind the server, all /24 and some windows /clients/ connect all day without problems. 13:20 < ScribbleJ> I'm using tun though, you said tun right? 13:20 < ScribbleJ> I'm routing everything - running openvpn on my firewalls. 13:20 < seldon> Yeah, tun. The windows driver only accepts /30 subnets. 13:21 < ScribbleJ> Hrm... I've only second-hand experience with the windows clients; some of the guys in my office run windows. 13:21 < ScribbleJ> But they have never had a problem accessing resources over the vpn, I didn't do anything special. 13:21 < ScribbleJ> vpn(s) I should say. 13:27 < seldon> Well, it's a pretty small setup I have, but with each new client, the firewall grows and grows. 13:28 < seldon> *shrug* I'll just set it up with the server directive for the linux clients and see if I can work in the windows client afterwards. 13:28 < ScribbleJ> Yeah... the only change I have to make on a per-client basis is allowing access to the firewall from their IP; we use IP-based blocking of clients in addition to everything else. 13:29 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:31 < ecrist> seldon: I think you may be confused. a tad 13:32 < ecrist> until 2.1, all tun clients are assigned addresses with /30 subnet 13:32 < ecrist> there's some subnetting foo going on in 2.1 that allows things to work differently. 13:32 < ecrist> what version of OpenVPN are you using now? 13:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:33 < seldon> 2.1 rc11 13:34 < ecrist> and what are the clients using? 13:34 < seldon> The windows client uses 2.0.9, if I'm not mistaken, and I keep the linux clients as updated as the server. 
13:34 < ecrist> then you can use the --server directive without issue 13:35 < seldon> However, the config for the first connection hasn't changed since the beginning, and it's still using 192.168.23.1 and .100 13:39 < seldon> Well, that is good to know. I just don't understand how, if the windows tun/tap driver supports only very small subnets. 13:45 < seldon> But I'll figure that out tomorrow, now I need some sleep. See you guys around! 13:45 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has quit ["Conspiracy theorists are planted by the government."] 14:04 -!- davidj2_ [n=david@cpe-075-181-132-163.carolina.res.rr.com] has joined ##openvpn 14:14 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has quit [Read error: 110 (Connection timed out)] 14:17 -!- max06_ [n=max06@agsb-4d048cfa.pool.mediaWays.net] has joined ##openvpn 14:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:32 -!- max06 [n=max06@unaffiliated/max06] has quit [Connection timed out] 14:45 -!- max06_ is now known as max06 14:45 -!- MaoaM [n=MaoaM@86.56.2.106] has joined ##openvpn 14:45 < max06> hi again... my vpn-server is running fine 14:45 < MaoaM> hi :) 14:45 < ecrist> gratz 14:46 < max06> I could connect 2 linux-clients without problems 14:46 < max06> I tried the same with MaoaM but he can't ping any other client on the net 14:46 < max06> He's using the openvpn-package for windows 14:46 < max06> any ideas? 14:49 < kyrix> its probably something with: routers, configuration files, firewall apps. ;) 14:50 < MaoaM> the firewall shouldn't be the problem, for testing it is switched off. 14:50 < kyrix> not sure if i left anything out. its hard to tell without more info. 14:50 < max06> the server is a root-server with static ip, no firewall 14:51 < max06> i gave him the same config-file i used for the linux-clients 14:51 < max06> the server-console says he's connected 14:51 < max06> he got the ip 14:51 < kyrix> what does the route table output? 
14:52 < max06> 172.16.0.2 * 255.255.255.255 UH 0 0 0 tun0 14:52 < max06> 172.16.0.0 172.16.0.2 255.255.255.0 UG 0 0 0 tun0 14:52 < kyrix> no pasting here plz :) 14:52 < max06> not more than 2 lines :) 14:53 < kyrix> im not sure in here. but in most irc channels, not even two lines 14:53 < max06> ok, next time 14:53 < ecrist> you're welcome to paste up to five lines here. 14:53 < max06> thanks ecrist :) 14:53 < reiffert> 21:55 < kyrix> its probably something with: routers, configuration files, firewall apps. ;) 14:53 < reiffert> 21:55 < MaoaM> the firewall shouldn't be the problem, for testing it is switched off. 14:53 < reiffert> 21:56 < kyrix> not sure if i left anything out. its hard to tell without more info. 14:53 < reiffert> 21:56 < max06> the server is a root-server with static ip, no firewall 14:54 < reiffert> 21:56 < max06> i gave him the same config-file i used for the linux-clients 14:54 < kyrix> 5 lines? ;) 14:54 < reiffert> How long will I have to wait for another 5 lines? 14:55 < max06> I think 5 pasted lines won't be the solution ;) 14:55 * ecrist wonders if reiffert actually has to *try* at being an ass, or if it comes naturally. 14:55 < reiffert> max06: I didnt even ask a question yet! 14:55 < ecrist> :P 14:55 < reiffert> ecrist: my sweet little pony. 14:56 < max06> (sry... reiffert, sorry, my English isn't all that great...) 14:56 < ecrist> max06: you probably need client-to-client in the server config file 14:56 < max06> ecrist, the connection with 2 linux-clients works fine? 14:57 < ecrist> so, you've got one server and two linux clients, and the two clients can ping each other? 14:57 < max06> yes 14:57 < reiffert> ecrist: what makes me a little bit sad is, that you didnt make a decision yet :) 14:58 < ecrist> reiffert: I'll treat it like I treat such questions from my kid - ignore it. 
14:59 < ecrist> !configs 14:59 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:59 < reiffert> ecrist: yeah, and the fun goes on, lemme pick another 5 lines. 14:59 < max06> k... moment 15:03 < max06> server.conf: http://rafb.net/p/Nnf56529.html 15:03 < vpnHelper> Title: Nopaste - server.conf (at rafb.net) 15:05 < max06> client.conf: http://rafb.net/p/2XHjQQ51.html 15:05 < vpnHelper> Title: Nopaste - client.conf (at rafb.net) 15:05 < max06> OpenVPN 2.0.9 on windows Vista --- Log opened Thu Feb 12 15:05:36 2009 15:05 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 15:05 -!- Irssi: ##openvpn: Total of 60 nicks [0 ops, 0 halfops, 0 voices, 60 normal] 15:05 -!- Irssi: Join to ##openvpn was synced in 1 secs 15:05 -!- mode/##openvpn [+o-o ecrist ecrist] by ChanServ 15:05 < max06> server: OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008 15:06 < max06> same version on the linux-client 15:06 < kyrix> can you post the connection log of the windows client 15:06 < max06> I think, I got all 15:06 < max06> kyrix, moment 15:10 < MaoaM> connection log of the windows client: http://rafb.net/p/CWAZqy10.html 15:10 < vpnHelper> Title: Nopaste - OpenVPN 2.0.9 - Windows Vista: connection log (at rafb.net)
15:11 < kyrix> hmmm... 15:12 < kyrix> why use 2.0.9 if your server is 2.1 15:12 < kyrix> just asking, i have absolutely no idea on windows --- Log closed Thu Feb 12 15:12:18 2009 15:12 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has quit ["Lost terminal"] 15:12 < kyrix> but as you see on line 40, there is something in the configuration that does not work 15:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:12 < MaoaM> well, it's exactly the version i downloaded on openvpn.net. didn't know that there is a newer one? 15:13 < max06> i'm using the version provided in the debian/ubuntu-repositories :) 15:13 < kyrix> http://openvpn.net/index.php/downloads.html 15:13 < vpnHelper> Title: Downloads (at openvpn.net) 15:13 < kyrix> look at the whole page 15:13 < kyrix> you'll see several versions 15:14 < MaoaM> usually i don't use release candidates, so i ignored this. but this time i'll give it a try. ;) 15:14 < kyrix> and on line 52, you have a zugriff verweigert (access denied) 15:14 < max06> ah, vista... 15:15 < max06> maoam, try it in an administrator-shell :) 15:15 < MaoaM> didn't see that line. :o 15:15 < max06> me too 15:16 < kyrix> you just looked at the last one huh? ;) 15:16 < MaoaM> ehr, well.. ;D 15:16 < max06> working? 15:16 < MaoaM> moment please 15:16 -!- davidj2_ [n=david@cpe-075-181-132-163.carolina.res.rr.com] has quit [Read error: 110 (Connection timed out)] 15:16 < max06> :) 15:16 < max06> I hope... 
15:17 < kyrix> either that or different versions is my bet atm 15:19 -!- straterra [n=straterr@2001:470:8a81:0:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 15:19 < kyrix> yeah, googling that line pretty much gives you the solution: http://openvpn.net/archive/openvpn-users/2007-10/msg00033.html 15:19 < vpnHelper> Title: Re: [Openvpn-users] OpenVPN client on Vista (at openvpn.net) 15:20 < kyrix> so maybe running as administrator doesnt work, you might have to find the right rights ;) but thats vista, no idea 15:20 < reiffert> http://i33.tinypic.com/20ksw89.gif 15:21 < max06> kyrix, trying it :) 15:21 < max06> it wouldn't be a big problem if it wont work 15:21 < max06> at the moment it's only for testing 15:22 < kyrix> reiffert: very funny 15:24 < kyrix> have to go, good luck 15:24 < max06> thanks 4 help :) 15:24 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has joined ##openvpn 15:27 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has quit ["Leaving"] 15:33 -!- d0wn [n=d0wn@unaffiliated/d0wn] has joined ##openvpn 15:33 < d0wn> I'm receiving a weird error on my client's end. I'm new to OpenVPN, so I'm not too sure how to handle this 15:33 < d0wn> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=26] 15:33 < d0wn> My client is running Windows Vista, btw 15:34 < d0wn> !logs 15:34 < vpnHelper> d0wn: "logs" is please pastebin your logfiles from both client and server with verb set to 6 15:34 < d0wn> !configs 15:34 < vpnHelper> d0wn: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:34 < max06> d0wn, try the latest RC 15:35 < max06> I have the same problem at the moment 15:35 < MaoaM> we're just about to solve it. 
15:36 < max06> right :) 15:36 < d0wn> max06: i'm using OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007 15:36 < max06> yes, we too 15:36 < max06> on debian, but the same build 15:37 < d0wn> Whoops. my bad. i thought i had the latest build 15:37 < max06> no 15:37 < max06> the server is ok 15:37 < max06> it's a problem with vista 15:37 < d0wn> oh okay 15:37 < d0wn> ohh 15:37 < d0wn> my bad 15:37 < max06> the damn UAC...^^ 15:37 < d0wn> I have UAC disabled 15:37 < max06> yes 15:37 < max06> in addition you need the latest RC 15:38 < max06> (google told me...) 15:38 < MaoaM> ... or any version since rc4? 15:38 < d0wn> alright, one second while i download it 15:38 < max06> MaoaM, google told me :D 15:39 < d0wn> will my keys and configs stay the same, or should I make backups? 15:39 < max06> they won't change 15:39 < d0wn> Okay, just checking 15:40 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has quit ["Ex-Chat"] 15:40 < d0wn> I felt so ashamed earlier when I couldn't figure out why the TAP driver wouldn't install, and I found out that I was clicking the "Do not install driver" instead of "Install anyways" 15:41 < MaoaM> :D 15:41 < max06> but you found the fault :) 15:41 < d0wn> Haha, yes, I did. I was about to join here and ask for assistance with it 15:42 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit ["Wow! What a great client! Bersirc 2.2 [ http://www.bersirc.org/ - Open Source IRC ]"] 15:42 < max06> the first time i tried openvpn 15:42 < max06> I found a script named bridge-start 15:43 < max06> i will never execute this script again! 15:43 < MaoaM> what happened? 15:44 < d0wn> I used to get BSOD when I bridged connections over Windows. it was terrible 15:44 < max06> I needed to write a ticket for a manual restart of the server....^^ 15:46 < d0wn> Hmm.. Something is up with my dh1024.pem. 
Once I stopped my OpenVPN server, and tried to restart it, it's giving me errors that the file doesn't exist 15:46 < MaoaM> froze up the whole server? 15:47 < d0wn> Weird, nevermind, the server started this time 15:48 < max06> ok, the latest build works perfect 15:49 < d0wn> That error is gone for me as well now, however, my ip does not appear to be changing at all, so I don't believe that my traffic is hitting the VPN at all 15:50 < max06> your external ip? 15:50 < d0wn> yes 15:50 < max06> If you followed the instructions in the howto 15:50 < d0wn> I'm assuming that this is an error in my configuration 15:50 < d0wn> Yes, I did 15:50 < max06> you won't surf the internet 15:50 < d0wn> Ah 15:50 < max06> through the vpn 15:51 < max06> It's like a LAN-Party 15:51 < max06> without internet 15:51 < d0wn> how would I go about setting it up so that my traffic goes through the vpn? 15:51 < max06> only the connected clients can see the server (and if enabled) the other clients 15:51 < max06> hm, there are some parts in the howto 15:52 < max06> but i never used it 15:52 < max06> It wouldn't be as fast as with your normal home connection 15:52 < MaoaM> have to go now. thanks for your help. :) 15:52 -!- MaoaM [n=MaoaM@86.56.2.106] has left ##openvpn [] 15:52 < max06> even if the server is connected with 100mbit 15:52 < d0wn> I'm only using it for when I'm on unencrypted wifi hotspots 15:53 < max06> ah, yes 15:53 < max06> good idea 15:53 < max06> hm... moment 15:54 < max06> http://openvpn.net/index.php/documentation/howto.html#redirect 15:54 < vpnHelper> Title: HOWTO (at openvpn.net) 15:54 < max06> that would be the right 15:55 < d0wn> Ah, thank you for that 15:55 < max06> np 15:55 < max06> i'll have to leave now 15:56 < max06> cya 15:56 -!- max06 [n=max06@agsb-4d048cfa.pool.mediaWays.net] has left ##openvpn ["Leaving"] 16:00 < d0wn> Could anyone assist me with that? 
I see where it says to put 16:00 < d0wn> push "redirect-gateway def1" into the configuration, however, is def1 supposed to be substituted with something? 16:15 < d0wn> Hmm, nevermind 16:39 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has joined ##openvpn 17:23 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has left ##openvpn [] 17:36 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:50 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn 18:51 -!- nsar [n=nsar@121.1.18.241] has joined ##openvpn 18:52 < nsar> hello 18:52 < nsar> i have a strange problem 18:53 < nsar> i am trying to establish connection with a multipoint server connection but in the stderr output will always show me point to point connection 18:53 < nsar> what is wrong? 18:53 < nsar> for both of the clients will connect will be p-t-p 18:56 -!- nsar [n=nsar@121.1.18.241] has quit [Client Quit] 18:56 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has joined ##openvpn 18:57 < tranceparance> hello there... is it possible to connect to multiple VPNs at the same time in Linux? 
19:06 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:54 -!- icebrew54 [i=proxy@static-71-117-242-28.ptldor.dsl-w.verizon.net] has quit [Remote closed the connection] 20:52 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has quit ["I'll be back :-)"] 20:52 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 20:53 -!- kyrix [n=ashley@93-82-10-119.adsl.highway.telekom.at] has joined ##openvpn 21:06 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has quit [Connection timed out] 21:08 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 21:26 -!- lkthomas_ [n=lkthomas@218.189.198.146] has quit ["Leaving"] 21:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 22:05 -!- tjz [n=tjz@bb116-15-193-230.singnet.com.sg] has joined ##openvpn 22:06 * tjz ding dong 22:13 -!- fpletzv6 [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has joined ##openvpn 22:16 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 22:21 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:37 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Read error: 110 (Connection timed out)] 22:37 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 22:53 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit ["leaving"] 23:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 23:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:49 < tjz> hmm 23:49 < tjz> example 23:50 < tjz> about MULTI: bad source address from client problem 23:50 < tjz> one computer is 10.67.133.150 23:50 < tjz> another computer is 192.x.x.x.x 23:50 < tjz> i know we can fix this by setting up "client1" in ccd directory.. 
23:51 < tjz> client1 is the ovpn conf file we use here.. 23:51 < tjz> can we like auto-detect what lan the computer connecting from , is using? 23:56 < tjz> To explicitly allow packets from 10.YYY.YYY.YYY, you need to use 23:56 < tjz> --iroute/--client-config-dir. 23:56 < tjz> what do you mean by that? --- Day changed Fri Feb 13 2009 00:00 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 00:02 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 00:02 < oc80z> sup. 00:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:58 -!- Thorashh [n=Andreas@e176010008.adsl.alicedsl.de] has joined ##openvpn 01:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:04 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:22 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer] 01:39 -!- Thorashh [n=Andreas@e176010008.adsl.alicedsl.de] has quit [] 01:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:11 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 02:22 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: hardwire 02:23 -!- Netsplit over, joins: hardwire 02:27 < lolipop> Which is better, tun or tap 02:28 -!- kyrix [n=ashley@93-82-10-119.adsl.highway.telekom.at] has quit [Remote closed the connection] 02:37 < reiffert> lolipop: it's covered in the faq and in the howto. 02:53 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 02:53 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 03:02 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 03:31 < ScribbleJ> I'd say prefer tun unless you know you need tap for some reason. 
03:33 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 03:33 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 04:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:43 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 05:05 -!- Error_X [n=Error_X@77.241.102.86] has joined ##openvpn 05:05 < Error_X> Hi! Why can't I ping 10.0.0.100 from a client? Also the client loses its real Internet connection.. http://pastebin.com/m6c711db9 05:06 < reiffert> because you didnt add "def1" to redirect-gateway, told you twice before. 05:07 < Error_X> huh, you're good at remembering ppl :p 05:08 < Error_X> still doesnt work 05:08 < reiffert> paste routing table of client. 05:09 < Error_X> hm 05:09 < Error_X> of the client? 05:09 < reiffert> no, of the client. 05:09 < Error_X> I havent set up a routing table for any client. 05:10 < reiffert> JUST DO IT! 05:10 < Error_X> uhm, how? ^^ 05:10 < reiffert> netstat -n -r 05:11 < Error_X> http://pastebin.com/m777ec1ed 05:12 < reiffert> Without starting openvpn, how does the client get to 10.0.0.100? 05:13 < Error_X> openvpn is open and connected 05:13 < Error_X> when I did the netstat command 05:13 < reiffert> yes, I see that. 05:13 < reiffert> Try to answer my question. 05:14 < Error_X> The client cant connect to 10.0.0.100 without starting openvpn 05:14 < Error_X> because 10.0.0.100 is @ home 05:14 < Error_X> 192.x.x.x is at work (Where I am now) 05:14 < reiffert> why are you using local 10.0.0.100 in openvpn server config? 05:14 < Error_X> because it should bind to the local address? 05:15 < reiffert> allright, add to server.conf: 05:15 < reiffert> push "route 10.0.0.0 255.255.255.128" or whatever is your netmask. 05:16 < Error_X> thats it? 05:16 < reiffert> you tell me. 05:16 < reiffert> btw, what data are you transferring over the tunnel, mostly tcp or udp data? 
05:17 -!- Error_X^ [n=Error_X@77.241.102.86] has joined ##openvpn 05:17 < Error_X^> shit, gets disconnected when I stay connected too long at the VPN. 05:18 < reiffert> 12:21 < Error_X> thats it? 05:18 < reiffert> 12:21 < reiffert> you tell me. 05:18 < reiffert> 12:22 < reiffert> btw, what data are you transferring over the tunnel, mostly tcp or udp data? 05:18 < Error_X^> tcp data 05:19 < reiffert> then change proto to udp 05:19 < reiffert> http://sites.inka.de/~W1011/devel/tcp-tcp.html 05:19 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de) 05:19 < Error_X^> can't.... because I have to connect to the VPN via proxy when Im offshore 05:19 < Error_X^> and as I understood, you cant proxy via udp 05:19 < reiffert> use port udp/53, it will work. 05:20 < reiffert> (directly and without proxy) 05:20 < Error_X^> ok. 05:20 < Error_X^> why port 53? 05:20 < reiffert> DNS. 05:21 < Error_X^> you want me to set openvpn to port 53? That port is already used by bind 05:21 < reiffert> however, did route "push ..." fix your problem? 05:21 < Error_X^> no 05:21 < reiffert> Then paste firewall settings of your server. 05:22 -!- Error_X [n=Error_X@77.241.102.86] has quit [Read error: 60 (Operation timed out)] 05:22 < Error_X^> its a router,, but hold on 05:23 < reiffert> OS? 05:24 < reiffert> brb, out for a smoke 05:25 < Error_X^> Linux 05:25 < Error_X^> http://pastebin.com/m63bf25fb 05:28 < tjz> anyway to fix MULTI: bad source address from client problem ? 05:28 < tjz> for roadrunner who surf around cafe 05:29 < cpm> what's the netblock of the destination lan? 05:30 < reiffert> Error_X^: paste: iptables -L -v -n 05:31 < reiffert> Error_X^: and run tcpdump -n -i tun0 proto ICMP 05:31 < reiffert> Error_X^: then do on the client: ping -t 10.0.0.100 05:31 < reiffert> see the icmp ping packets arriving with tcpdump? 
05:33 < Error_X^> nope 05:33 < Error_X^> 0 packets captured 05:33 < Error_X^> 0 packets received by filter 05:33 < Error_X^> 0 packets dropped by kernel 05:33 < reiffert> remove the push "route 10.0.0.0 255.255.255.128" from the server.config 05:34 < reiffert> reconnect 05:34 < reiffert> let tcpdump run 05:34 < reiffert> and let the ping run as well 05:35 < Error_X^> still nothing... 05:35 < reiffert> start wireshark on the client, do you see the packets on the right adapter_ 05:35 < reiffert> ? 05:36 < Error_X^> 2 sec.. need to download it first 05:40 < Error_X^> yes: 14 4.204937 10.8.0.6 10.0.0.100 ICMP Echo (ping) request 05:44 < Error_X^> strange... 05:46 < reiffert> allright 05:46 < reiffert> tel justasec 05:50 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has left ##openvpn [] 05:54 < reiffert> Error_X^: allright 05:54 < reiffert> So Packets leave your client. 05:55 < reiffert> But dont arrive on the server side. 05:55 < reiffert> paste the complete firewall. 05:55 < reiffert> iptables -t filter -L -v -n 05:55 < reiffert> iptables -t nat -L -v -n 05:55 < reiffert> iptables -t raw -L -v -n 05:55 < reiffert> iptables -t mangle -L -v -n 05:59 < Error_X^> http://pastebin.com/m6f801724 06:02 < reiffert> paste: ifconfig -a 06:03 < reiffert> paste: cat /proc/sys/net/ipv4/ip_forward 06:03 < Error_X^> http://pastebin.com/m53d17523 06:03 < Error_X^> ip_forward returns: 0 06:04 < reiffert> echo 1 > /proc/sys/net/ipv4/ip_forward 06:04 < reiffert> run tcpdump -n -i tun0 06:04 < reiffert> and let the client do a ping -t 10.8.0.1 06:05 < reiffert> or 10.0.0.100 06:11 < reiffert> you dont say something, means that it works. 06:11 -!- kyrix [n=ashley@93-82-7-185.adsl.highway.telekom.at] has joined ##openvpn 06:15 < Error_X^> nope 06:15 < Error_X^> :-/ 06:16 < reiffert> paste server and client config again 06:16 < reiffert> wait. 06:16 < reiffert> can you ping anything else from the client? 
06:22 < Error_X^> nope, not even internet 06:22 < Error_X^> well, I can ping myself 06:22 < Error_X^> 10.8.0.6 ( The address I am given) 06:23 < reiffert> allright, change verbose level to 6 and paste client and server log 06:23 < Error_X^> Sure thing. 06:24 < Error_X^> will be disconnected.. 06:24 < Error_X^> brb 06:26 -!- Error_X [n=Error_X@77.241.102.86] has joined ##openvpn 06:30 -!- Error_X^ [n=Error_X@77.241.102.86] has quit [Read error: 60 (Operation timed out)] 06:31 < Error_X> http://pastebin.com/m6b17f9c4 <- server log 06:32 < Error_X> http://pastebin.com/m214a174c <- client log 06:36 < reiffert> paste current config files. 06:42 < Error_X> http://pastebin.com/m7808525d <- client 06:43 < Error_X> http://pastebin.com/m7d3321b7 <- server 06:44 < reiffert> ok. server change: 06:44 < reiffert> # 06:44 < reiffert> server 10.8.0.0 255.255.255.128 06:45 < reiffert> to 06:45 < reiffert> server 10.8.0.0 255.255.255.255 06:45 < reiffert> wrong 06:45 < reiffert> change to server 10.8.0.0 255.255.255.0 06:45 < reiffert> comp-lzo no 06:46 < reiffert> remove both lines: 06:46 < reiffert> # 06:46 < reiffert> push "route 10.0.0.0 255.255.255.128" 06:46 < reiffert> # 06:46 < reiffert> push "redirect-gateway def1" 06:46 < reiffert> change proto to udp, JUST FOR NOW. 06:46 < reiffert> you fucked up the client config 06:46 < reiffert> # 06:46 < reiffert> # Windows needs the TAP-Win32 adapter name 06:46 < reiffert> # 06:46 < reiffert> # from the Network Connections panel 06:46 < reiffert> # 06:46 < reiffert> # if you have more than one. On XP SP2, 06:46 < reiffert> # 06:46 < reiffert> # you may need to disable the firewall 06:46 < reiffert> # 06:46 < reiffert> # for the TAP adapter. 06:47 < reiffert> and comp-lzo no as well 06:47 < reiffert> why not get back to the howto for an example working config and change it from there, once it's working? 06:50 < Error_X> hey! 
I can ping the server on 10.8.0.1 06:50 < Error_X> and also access the samba server on it 06:50 < Error_X> did the changes you told me 06:51 < Error_X> now I need to get contact with the rest of my home network ^^ 06:56 < reiffert> just change one thing at a time. 06:57 < Error_X> true 06:57 -!- Error_X [n=Error_X@77.241.102.86] has left ##openvpn [] 06:57 -!- Error_X [n=Error_X@77.241.102.86] has joined ##openvpn 07:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:10 -!- sterna [n=jype@91.185.195.204] has joined ##openvpn 07:10 < sterna> hi 07:11 < sterna> one of my users has problems, allegedly since updating his xpsp3 windows 07:11 < sterna> have there been any reports of windows tun/tap driver issues? 07:11 < sterna> tcpdump shows he receives packets on the tap driver, but userspace apps seem not to get them 07:12 < sterna> i.e. ping timeouts, but if he puts wireshark on his tap interface, he can see both icmp requests and replies 07:12 < sterna> his firewalls are disabled, i think 07:14 < reiffert> http://openvpn.net/index.php/documentation/change-log/changelog-21.html 07:14 < vpnHelper> Title: 2.1 Change Log (at openvpn.net) 07:15 < reiffert> openvpn for windows comes with some .bat files. you can have them uninstall all interfaces and add a new one. try that. 07:15 < ecrist> good morning, bitches 07:17 < reiffert> moin ecrist 07:17 < sterna> thanks 07:24 < kyrix> thanks too :) 07:26 -!- Error_X [n=Error_X@77.241.102.86] has quit [] 07:28 -!- kyrix [n=ashley@93-82-7-185.adsl.highway.telekom.at] has quit ["Leaving"] 07:59 -!- [gnubie] [n=[gnubie]@119.56.59.7] has joined ##openvpn 07:59 * [gnubie] waves 07:59 < [gnubie]> is there a good java openvpn client? 08:00 < reiffert> this is #openvpn and there is not. 08:02 < [gnubie]> reiffert: yes, i know this is #openvpn .. i am looking for a good java openvpn client that is for openvpn 08:03 < reiffert> there is none. 08:04 < [gnubie]> i see.. thanks.. 
;) 08:09 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 08:37 -!- [gnubie] [n=[gnubie]@119.56.59.7] has quit ["Leaving"] 08:41 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 08:56 < tjz> any solution to fix MULTI: bad source address from client problem ? (in event where the user is logging from different location) 09:12 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 09:36 < ecrist> tjz: what does google say about that error? 10:02 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 10:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:35 -!- spiderr [n=cfowler@mail.viovio.com] has joined ##openvpn 10:36 -!- spiderr [n=cfowler@mail.viovio.com] has left ##openvpn [] 10:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:37 < tjz> :( 10:37 < tjz> keep asking me to add them in ccd/ 10:37 < tjz> there are so many lan IPs.. 10:37 < ecrist> ask krzee, he's the expert 10:37 < tjz> can't expect me to add them.. 10:38 * tjz was hoping for mr jeff 10:38 < tjz> lol 10:38 < krzee> hah 10:38 < tjz> omg 10:38 < tjz> now he is here 10:38 < tjz> lol 10:39 < tjz> krzee.. 10:39 < tjz> any solution to fix MULTI: bad source address from client problem ? (in event where the user is logging from different location eg. different computer lan ip) 10:40 < krzee> paste the real line 10:40 < krzee> i wanna know what the ip it reports is 10:42 < krzee> ie: is it the clients real ip, is it a machine on the lan, etc 10:43 < tjz> the machine on the lan 10:43 < tjz> MULTI: bad source address from client [10.0.1.199], packet dropped 10:44 < krzee> and 10.0.1.199 is another machine on the lan that you want routing through the vpn? 
10:44 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:45 < tjz> nope 10:46 -!- v0lksman [n=shayne@ottawa-hs-64-26-169-151.s-ip.magma.ca] has joined ##openvpn 10:46 < tjz> previously, i had this in my "ccd" directory 10:46 < tjz> iroute 192.168.1.0 255.255.255.0 10:46 < tjz> to fix the MULTI problem 10:47 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has joined ##openvpn 10:48 < v0lksman> hey all...I setup a site to site VPN and everything works. However my problem is xfer over the VPN is dog slow. It's not a connection issue cause scp over ssh between the same networks over the public net works fast..just over VPN...any pointers on what to look for? 10:49 < Matt___> ping. hello. i have the misfortune of running XP here. i have set up a VPN, i can ping 10.8.0.1, but i can't establish a connection using the M$ vpn client 10:49 < Matt___> any pointers? 10:50 < krzee> tjz, WHO is 10.0.1.199 ?? 10:50 < v0lksman> Matt___: are you using OpenVPN Gui for the client? 10:50 < krzee> v0lksman, hows the cpu / io on the box during slow xfer? 10:50 < Matt___> no, but i have it available. 10:51 < v0lksman> krzee: non-existant on both sides (both being linux boxes with load average 0) 10:51 < krzee> v0lksman, try using no encryption (cipher none) just to see if it speeds up 10:51 < v0lksman> Matt___: I setup using the Gui and had no issues...worked great 10:51 < krzee> not perm solution, but for tracking down the issue 10:51 < v0lksman> krzee: cool..will try... 10:51 < krzee> Matt___, MS vpn client is for MS vpns 10:52 < krzee> Matt___, you need to use openvpn on the xp box 10:52 < Matt___> ok. i am brand-new to vpn btw. 
i always use ip-restricted ssh for remote access myself 10:52 < Matt___> my boss has decided he needs remote access, so vpn seemed like the way to go 10:53 < krzee> yup 10:54 < Matt___> so, if you don't mind indulging my ignorance, how would this work - he wants to be able to browse our office network as though he was onsite 10:54 < krzee> like windows shares? 10:55 < Matt___> i suppose so yes 10:55 < Matt___> i am NOT an IT guy - i'm a friggin chemical engineer who programs lol; this is all new to me 10:56 < krzee> running on linux with samba or windows? 10:56 < krzee> umm 10:56 < Matt___> windows 10:56 < krzee> you dont have an IT guy? 10:56 < Matt___> nope. we're a small outfit 10:56 < krzee> vpns are advanced networking 10:57 < Matt___> well it'll be an uphill battle then 10:57 < krzee> cool 10:57 < Matt___> what else is new!? 10:57 < krzee> with some reading you should be fine 10:57 < Matt___> yeah RTFM is my motto 10:57 < krzee> you will want to use bridged mode 10:57 < krzee> imo its harder to setup 10:57 < krzee> but it will let him see windows shares with no magic 11:01 < Matt___> well, the problem i appear to be having now is that when i try to start the client, it says it can't resolve the server - i think i may have misentered the servername, but i don't see where the servername is declared anywhere - is there a place where i can verify the server name or do i have to throw everything away and go through the cfg process again? 
11:03 < krzee> !configs 11:03 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:08 < v0lksman> krzee: cipher none doesn't seem to make any difference...I'm going to try fragmenting...it seems like it just hangs after a while on large file xfers (small ones <1k xfer fine) 11:09 < krzee> ahh 11:09 < krzee> !mtu 11:09 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 11:09 < krzee> use #2 11:09 < krzee> see if it suggests a diff mtu 11:14 < tjz> krzee, 10.0.1.199 is another user.. 11:15 -!- sterna [n=jype@91.185.195.204] has left ##openvpn [] 11:15 < tjz> from another computer connecting to the vpn server 11:17 < krzee> tjz, if its directly connected to the vpn and giving that error, and owns 10.0.1.199 personally, i think its messed up NAT rules 11:18 < v0lksman> interesting...with --mtu-test it says its starting the test and to wait...then about 2 minutes later the connection recycles itself... 11:19 < tjz> hmm 11:19 < krzee> v0lksman, heh never heard of that happening 11:19 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)] 11:20 < v0lksman> yeah this is bizarre 11:20 < krzee> v0lksman, you are using udp right? 
11:20 < v0lksman> yep 11:20 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has joined ##openvpn 11:20 < krzee> and tun 11:20 < v0lksman> tap 11:21 < tjz> krzee, the problem is similar as describe here: http://openvpn.net/archive/openvpn-users/2007-07/msg00184.html 11:21 < vpnHelper> Title: Re: [Openvpn-users] MULTI: bad source address from client [217.164.246.54], packet dropped (at openvpn.net) 11:23 < krzee> i think he prolly had a NAT issue too 11:23 < krzee> ive seen that error a bunch of times, but heres why... 11:24 < krzee> the client is sending packets to tun0 endpoint while using src address of eth0 11:24 < krzee> which to me points me straight to a NAT issue 11:26 < v0lksman> krzee: I used this when I was building my configs...is it outdated by chance? 11:26 < v0lksman> http://www.thebakershome.net/openvpn_tutorial?page=1 11:26 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net) 11:27 < krzee> why are you bridging? 11:27 < tjz> krzee, how to solve it? ^_^ 11:28 < krzee> tjz, check firewall rules and fix 11:28 < v0lksman> krzee: just seemed easier than routing 11:28 < tjz> hmm 11:29 < krzee> v0lksman, using any layer2 traffic over vpn? 11:29 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"] 11:29 < v0lksman> don't think so...not at this time 11:29 < krzee> !tunortap 11:29 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 11:30 < v0lksman> hrm... 
11:31 < tjz> it's 1.36am
11:31 < tjz> will be back later
11:31 < tjz> :P
11:31 -!- tjz [n=tjz@bb116-15-193-230.singnet.com.sg] has quit ["bbl"]
11:32 < plaerzen> hi guize
11:33 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has joined ##openvpn
11:33 -!- mode/##openvpn [+o krzee] by ChanServ
11:34 -!- mode/##openvpn [-b *!*@*.cust.bredbandsbolaget.se] by krzee
11:34 -!- mode/##openvpn [-o krzee] by ChanServ
11:34 < jacktow> why is installing the TAP driver on windows an option in the installation, if it's required for openvpn to run?
11:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:47 < v0lksman> krzee: so I switched to a routed connection. haven't setup any routes yet but just as a test I sent a file to 10.8.0.1 and the same behavior. looks like it's xfering but there is no traffic...
11:47 < v0lksman> but I can load a web site sitting on 10.8.0.1
11:48 < krzee> no traffic or slow?
11:48 < v0lksman> well it's slow then dies out
11:48 < v0lksman> mtu reports 1557 not really sure what that means though...
11:48 < v0lksman> I assume that is more than enough?
11:49 < v0lksman> sorry...its just slow...just saw some bits going through
11:49 < krzee> that means default is good
11:50 < krzee> for MTU
11:52 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
11:56 < v0lksman> http://dpaste.com/120254/ my configs if you can see anything out of place..
11:58 < krzee> and top shows mostly free cpu when the xfer is slow?
11:58 < v0lksman> yep...server side is virtually 0
11:59 < krzee> thats a nice config
11:59 < krzee> check client side too tho
11:59 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has left ##openvpn []
12:00 < krzee> as far as your config goes
12:00 < v0lksman> client side is a pretty beefy dual core...even that though is running 0.2 average
12:00 < krzee> you are doing everything right
12:00 < v0lksman> krzee...well that's a good start... ;) wonder if it's the stupid provider DPI crap
12:00 < krzee> im not interested in load avgs, just spikes during xfer
12:00 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
12:01 < v0lksman> krzee: no spikes either..
12:02 < krzee> hrm
12:02 < krzee> anything in firewall?
12:02 < krzee> QOS maybe?
12:02 < v0lksman> nope...no QOS
12:03 < v0lksman> anything else I may not know about in standard Linksys routers mebbe?
12:03 < v0lksman> that's all there is on both sides really
12:03 < krzee> nah once you make the connection its just AES traffic that the routers pass
12:04 < krzee> and no change with cipher none?
12:04 < v0lksman> nope...made no difference
12:04 < krzee> you got me dude
12:04 < krzee> maybe someone else has an idea
12:04 < krzee> OH
12:05 < krzee> see what happens if you change both to TCP
12:05 < krzee> thats the only diff between your test with and without vpn, maybe your provider is rate limiting UDP for some stupid reason
12:05 < v0lksman> yeah I think I tried that this morning and it just timed out...can try again...gimme a sec...trying a different port (known trick with one of the providers in use here)
12:06 < v0lksman> it's possible...one side has a limited connection but I was under the impression they didn't touch this traffic...could be wrong though
12:11 < krzee> you dont WANT tcp
12:11 < krzee> but sometimes you need it
12:11 < krzee> !tcp
12:11 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:11 < krzee> thats what you should know before using tcp
12:12 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Connection timed out]
12:14 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
12:22 -!- xattack [i=xattack@132.248.214.65] has joined ##openvpn
12:22 < v0lksman> !route
12:22 < vpnHelper> v0lksman: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:23 -!- xattack [i=xattack@132.248.214.65] has left ##openvpn []
12:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:33 < v0lksman> what is ccd?
12:34 < v0lksman> sry...still reading.. ;)
12:36 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn
12:42 < reiffert> !ccd
12:42 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
12:47 < v0lksman> ok...the routing example provided by the bot is a little more than I want...I don't need all my clients to talk to each other...they just need access to the remote LAN...is there a simplified version of that doc for that?
12:57 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:01 < krzee> the point is to understand what every command in the doc does
13:01 < v0lksman> arg...sorry folks.. I added a push "route" command with the IP range of the LAN behind the server. when I connect I still can't ping anything in that LAN...
13:01 < krzee> and use that to your needs
13:01 < v0lksman> krzee: yah I had skimmed a little..but I've re-read a couple times now and think I got it
13:01 < krzee> gotta go, bbl
13:02 < v0lksman> l8s
13:02 < krzee> if lan is behind server you need a push route only
13:02 < krzee> but
13:02 < krzee> if openvpn is not on the router for that lan
13:02 < krzee> you would also need a route added to the router or every box that needs to communicate over the vpn
13:02 < krzee> as described at bottom
13:03 < krzee> adios
13:03 < v0lksman> thanks dude
13:03 < krzee> np
13:06 -!- d0wn_ is now known as d0wn
13:18 < v0lksman> !mtu
13:18 < vpnHelper> v0lksman: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
13:25 < v0lksman> anyone know the difference between "fragment" and link-mtu?
13:25 < reiffert> --fragment max
13:25 < reiffert> Enable internal datagram fragmentation so that no UDP datagrams
13:25 < reiffert> are sent which are larger than max bytes.
13:26 < reiffert> --link-mtu n
13:26 < reiffert> Sets an upper bound on the size of UDP packets which are sent
13:26 < reiffert> between OpenVPN peers.
13:26 < v0lksman> right...so really what is the difference...they both limit the size of the UDP packet...
13:27 < reiffert> head your eyes to the manpage, read what comes next at --fragment.
13:35 < v0lksman> well I'm baffled...my setup works with fragment 1400...as soon as I add mssfix it breaks again...link-mtu also breaks it...
13:42 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has joined ##openvpn
13:43 -!- gallatin [n=gallatin@dslb-092-073-253-015.pools.arcor-ip.net] has joined ##OpenVPN
13:44 < firecrotch> I've tried searching and have come up with nothing that I can figure out with regards to this: How can I set the subnet mask on the client when using tun mode?
13:45 < ecrist> firecrotch: you can't, really.
13:45 < ecrist> why do you want to?
13:47 < firecrotch> I basically want all of the remote machines that I (will) have to be on separate subnets per state
13:48 < ecrist> the howto discusses such things.
13:48 < firecrotch> so that for example, all of my machines in Wisconsin are on one subnet, Illinois on another, etc
13:48 < ecrist> they use a different example, admins and non-admins
13:51 < firecrotch> I had read somewhere that openvpn 2.1 has a subnet-topology config option that would do what I want but I can't find any docs on that
13:51 < ecrist> !betaman
13:51 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html
13:52 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
13:52 < firecrotch> thanks
13:55 < firecrotch> Hmmmm, it looks to me as if using tap would work out easier for my situation, but are there any caveats to using tap instead of tun ?
13:56 < ecrist> tap is a bigger pain to set up, and unless you're doing ethernet protocol stuff, tun is the correct protocol
13:57 < firecrotch> ecrist: thanks
13:57 < straterra> I only use tun
13:58 < straterra> err, rap
13:58 < straterra> TAP..grr
14:08 < firecrotch> do I have to use tap if I need the client computers to access other computers on the server's subnet?
14:09 < ecrist> no
14:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:22 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
14:41 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has left ##openvpn []
14:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:53 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn
15:19 -!- PiousMinion [n=clay@7-167.106-97.tampabay.res.rr.com] has quit ["Leaving."]
15:45 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn
15:45 -!- gallatin [n=gallatin@dslb-092-073-253-015.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
15:47 < hiptobecubic> My vpn has stopped managing to connect. I'm not sure what's up. Here are some logs. server: http://rafb.net/p/u1vZm696.html Client: http://rafb.net/p/O8CW2758.html
15:47 < vpnHelper> Title: Nopaste - # tail /var/log/messages; (at rafb.net)
15:48 < krzee> !logs
15:48 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
15:48 < krzee> verb 6
16:00 < ecrist> moo
16:03 < krzee> i went to a thai coffee shop
16:03 < krzee> thai chicks serving coffee in lingere
16:03 < krzee> was dopeness
16:04 < reiffert> http://en.wikipedia.org/wiki/Lingerie that?
16:04 < vpnHelper> Title: Lingerie - Wikipedia, the free encyclopedia (at en.wikipedia.org)
16:04 -!- zapp [n=zapp@fuji05.math.uni-bielefeld.de] has joined ##openvpn
16:05 -!- zapp [n=zapp@fuji05.math.uni-bielefeld.de] has quit [Client Quit]
16:06 < reiffert> Drinking coffee from lingeries sounds a bit strange.
16:10 < krzee> the girls were in it
16:10 < krzee> lol
16:13 < reiffert> "were" .. and gave you all they have had!
16:15 < krzee> hahah
16:15 < krzee> woulda been nice
16:52 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"]
17:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
17:28 < reiffert> /bin/sh: figlet: command not found
17:35 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)]
17:49 -!- constantine [n=constant@70.91.232.102] has joined ##openvpn
17:50 < constantine> hi, I'm installing open vpn on intrepid and it says cisco compatible vpn as the only available option
17:50 < constantine> how do I know if this is right for my connection?
17:50 < reiffert> openvpn != cisco vpn compat.
17:52 < constantine> and where do I get the settings for the vpn connection?
17:54 < constantine> you don't say! lol
18:00 < constantine> is there a way to set this up to work with any found signal
18:01 < reiffert> dude I have no idea about what you are talking.
18:02 < constantine> this is openvpn?
18:02 < reiffert> no, this is openvpn.
18:03 < constantine> meaning?
18:03 < ScribbleJ> Wow, all I need is a waiter to deliver me a flaming phonebook now. This is surreal.
18:03 < reiffert> ScribbleJ: wtf?
18:04 < ScribbleJ> openvpn has nothing to do at all with 'cisco compatible vpn' - if you see an option like that, whatever you are asking about is not openvpn.
18:04 < constantine> I installed it but can't find it anywhere
18:04 < constantine> the forums said it would be under network manager but the only thing there is what I described
18:04 < constantine> OPENVPN that is
18:04 < ScribbleJ> Did you try looking for e.g. /bin/openvpn, /sbin/openvpn, /etc/openvpn, or asking your package manager where it was installed?
18:05 < ScribbleJ> I do not use Redhat, but I am /certain/ its package management has a way to tell you where package files were installed.
18:05 < reiffert> ScribbleJ: flaming phonebook sounds like Coen brothers or Tarantino...?
18:06 < reiffert> /usr/sbin/openvpn
18:06 < ScribbleJ> reiffert, actually, I think it was Picasso, but I heard the quote originally from an untrustworthy source, so not sure.
18:07 < ScribbleJ> No
18:07 < ScribbleJ> Dali
18:07 < ScribbleJ> My bad.
18:07 < ScribbleJ> "Salvador Dali used to complain that there wasn't enough surrealism in the world. He said it was a shame that when you went to a restaurant and ordered a nice piece of fish the waiter never brought you a flaming phone book."
18:07 < constantine> I'm in synaptic but I'm new and I've never done this
18:07 < reiffert> hehehe
18:07 < constantine> what kind of file am I looking for?
18:08 < ScribbleJ> OH
18:08 < ScribbleJ> HAhahaa
18:08 < reiffert> constantine: you are looking after a strategy. something to follow after. something with a goal.
18:08 < ScribbleJ> Constantine, I suck, I know ubuntu well
18:08 < ScribbleJ> Dunno why I thought you were on Redhat.
18:08 < ScribbleJ> I always use it from the commandline, though, so dunno about helping with your clicky problem.
18:09 < ScribbleJ> You should be able to configure your .conf file in /etc/openvpn/ and then the system will be configured by default to connect to the vpn at boot.
18:09 < ScribbleJ> Or if you do not want that, put it elsewhere and start manually with e.g. 'sudo openvpn ~/myvpns/client.conf'
18:10 < ScribbleJ> Or, if you want to know the Ubuntu Way, ask in #ubuntu or something I guess. Heh
18:11 < constantine> heh is right
18:11 -!- constantine [n=constant@70.91.232.102] has left ##openvpn ["Leaving"]
18:12 < ScribbleJ> Was he being a dick? I'm never sure.
18:14 < reiffert> next problem will be: To whom should he/she connect ...
18:15 < reiffert> 00:57 < constantine> and where do I get the settings for the vpn connection?
18:15 < ScribbleJ> OH boy
18:16 < ScribbleJ> Interestingly enough I have a neato 'configure vpn' button on my ubuntu desktop, but it does nothing.
18:17 < reiffert> I run fvwm2, I dont do buttons.
18:17 < ScribbleJ> Oh, probably because I'm not letting Ubuntu Network Manager manage my network. Shame on me. Oh well.
18:17 < ScribbleJ> I did xfce4 for a long time but I started using Gnome lately since it just seems like you have to to get 'stuff' to be supported in Ubuntu.
18:18 < reiffert> really? Time to get something new then...
18:18 < ScribbleJ> Yeah, maybe it's just me, I can't think of any particulars.
18:19 < reiffert> What stuff are you onto, anything you cant do by typing some letters in a terminal window?
18:19 < ScribbleJ> Hahaha, no,
18:19 < ScribbleJ> I suppose my only gripe has been with gui config tools.
18:19 < ScribbleJ> They are mainly tied into gconf for Ubuntu...
18:19 < ScribbleJ> And not well supported then in 'xubuntu'
18:20 < ScribbleJ> But I tend to use the commandline for everything so I can't even think what it was that pissed me off enough to change.
18:20 < ScribbleJ> Maybe it was when I was fucking with compiz, that I'm not even using anymore.
18:21 < reiffert> Last time gnome I tried to get a Wireless LAN working automatically at a girl's notebook.
18:21 < reiffert> I decided to stop fscking with the ubuntu/gnome and put some lines into networking/interfaces file.
18:22 < ScribbleJ> Yeah, seems like the way to go. Debian set things up well, Ubuntu's friendliness sometimes is its own greatest weakness.
18:23 < reiffert> I like OS X.
18:23 < ScribbleJ> My girlfriend came with an OSX notebook, and I've played with it a little and liked how it is a GNU-type system underneath.
18:24 < ScribbleJ> But my total experience consists of pretty much setting up openvpn on it. Heh.
18:24 < reiffert> ah well, apple took gnu source and modified it, so it's a strange mix of BSD and apple.
18:25 < reiffert> But all the GUI stuff *just works* and even when playing remotely, you can do everything even without the GUI.
18:25 < ScribbleJ> Well, that's how an OS should be, I suppose.
18:26 < ScribbleJ> Now if only it didn't require expensive proprietary hardware. :(
18:27 < reiffert> yeah, but it's worth it, got mine for coding a hylafax java client :)
18:27 < ScribbleJ> Oh, interesting.
18:28 < ScribbleJ> There's so many cool projects out there, it's impossible to keep up.
18:29 < ScribbleJ> I've been knee-deep in code from CMU lately, their speech synthesis and speech recognition stuff, it's great fun toys.
19:47 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
19:54 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
20:20 -!- tjz [n=tjz@bb121-7-13-94.singnet.com.sg] has joined ##openvpn
21:14 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has joined ##openvpn
21:30 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn
21:33 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has quit [Remote closed the connection]
21:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
22:02 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:39 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: pa, clusterm1gnet, disco-, reiffert, hackel, dan__t, worch, Typone
22:39 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: T0aD, fpletzv6, smk, straterra, kaii
22:39 -!- Netsplit over, joins: clusterm1gnet, pa, hackel, dan__t, worch, disco-, reiffert, Typone
22:40 -!- Netsplit over, joins: fpletzv6, straterra, T0aD, kaii, smk
22:40 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Operation timed out]
22:42 * tjz 's a$$ got split
22:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
23:07 -!- blaxthos [n=blaxthos@64.94.108.181] has joined ##openvpn
23:07 < blaxthos> !route
23:07 < vpnHelper> blaxthos: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
23:08 < blaxthos> anyone have hefty lan <-> openvpn <-> cisco asa experience/skill ?
23:08 -!- tjz [n=tjz@bb121-7-13-94.singnet.com.sg] has quit ["bbl"]
23:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
--- Day changed Sat Feb 14 2009
00:36 -!- straterra [n=straterr@projectstfu.com] has quit ["Lost terminal"]
00:36 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn
00:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
00:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
00:45 -!- straterra [n=straterr@projectstfu.com] has quit ["Lost terminal"]
00:45 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn
00:50 -!- straterra [n=straterr@projectstfu.com] has quit [Client Quit]
00:50 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn
02:14 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
02:14 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn
02:18 -!- Deesl [n=deesl@unaffiliated/deesl] has joined ##openvpn
02:18 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
02:18 < lavren> If I have a vpn router on my lan and my friend has one and we want to do a site-to-site VPN do I have to have my ns-sert-type as a client?
02:19 < lavren> if there are any gotchas with any of that in general let me know, but I think I have everything right
02:19 < lavren> one as the client?
02:19 < Deesl> who initiates the connection?
02:19 < lavren> He already has his setup if that's what you mean
02:20 < Deesl> nopes
02:20 < Deesl> who *starts* the handshake?
02:20 < lavren> he sent me his config (which I'm slightly modifying)
02:20 < lavren> I guess I will be then
02:20 < Deesl> ok so you should be the client
02:20 < lavren> I've done this before a long time ago, but not with this awesomely convenient software
02:20 < Deesl> and ns-sert should be client for you
02:20 < lavren> right, ok.
02:20 < lavren> ok cool
02:21 < lavren> oh crap
02:22 < lavren> I think I have to recompile my kernel with support for what is it tun?
02:22 < lavren> I forget
02:22 < lavren> client
02:22 < lavren> dev tun
02:22 < lavren> proto udp
02:22 < lavren>
02:22 < lavren> remote 98.232.30.11 1194
02:22 < lavren> resolv-retry infinite
02:22 < lavren> route 192.168.0.0 255.255.255.0
02:22 < lavren> nobind
02:22 < lavren> daemon
02:22 < lavren>
02:22 < lavren> comp-lzo
02:22 < lavren>
02:22 < lavren> user nobody
02:22 < lavren> group nobody
02:22 < lavren>
02:22 < lavren> persist-key
02:22 < lavren> persist-tun
02:22 < lavren> keepalive 10 60
02:22 < lavren> ping-timer-rem
02:22 < lavren>
02:22 < lavren> ca /etc/openvpn/keys/ca.crt
02:22 < lavren> cert /etc/openvpn/keys/client1.crt
02:23 < lavren> key /etc/openvpn/keys/client1.key
02:23 < lavren>
02:23 < lavren> ns-cert-type server
02:23 < lavren>
02:23 < lavren> oops shit
02:23 < lavren> sorry
02:23 < lavren> I'm so tired
02:23 < lavren> out of it, my apologies
02:23 < lavren> I was going to copy =)
02:25 < lavren> oh this isn't going to work properly, I need to get a hub behind my VPN router and use it as a gateway for the computers behind it (which they are currently on the same subnet as the VPN router which in turn is behind my primary router)
02:26 < lavren> if my VPN router and his VPN router are connected to each other will they be able to access each other by NFS? I suppose not since they really aren't the virtual network but rather the link
02:26 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
02:28 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
02:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
02:46 -!- countd_ [n=countd@unaffiliated/countd] has joined ##openvpn
02:57 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
03:39 -!- c64zottel [n=hans@p5B1799FB.dip0.t-ipconnect.de] has joined ##openvpn
04:13 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn
04:15 -!- plaerzen [n=carpe@174.0.97.175] has quit [Read error: 110 (Connection timed out)]
04:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:26 < reiffert> http://hardware.slashdot.org/article.pl?sid=09/02/13/2337258
04:26 < vpnHelper> Title: Slashdot | Long-Term Performance Analysis of Intel SSDs (at hardware.slashdot.org)
05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
05:37 -!- countd_ [n=countd@unaffiliated/countd] has quit [Remote closed the connection]
06:39 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
07:01 -!- mcp [n=mcp@wolk-project.de] has quit [Remote closed the connection]
07:41 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
07:50 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: meturaf, c64zottel, v0lksman, ScribbleJ, dvl
07:51 -!- Netsplit over, joins: c64zottel, v0lksman, ScribbleJ, meturaf, dvl
08:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:01 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
08:06 -!- Deesl [n=deesl@unaffiliated/deesl] has quit []
08:09 -!- countd_ [n=countd@unaffiliated/countd] has joined ##openvpn
08:13 -!- countd_ [n=countd@unaffiliated/countd] has quit [Client Quit]
08:14 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
08:24 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
08:54 < stephenh> hi, i'm trying to push default route to clients,
08:54 < stephenh> but i keep getting bad source address from client, packet dropped
09:09 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Read error: 110 (Connection timed out)]
10:09 -!- straterra [n=straterr@projectstfu.com] has left ##openvpn []
10:29 -!- vincas [n=vincas@216.25.249.228] has joined ##openvpn
10:30 < vincas> Hi, I was wondering why the virtual addresses in openvpn-status.log (apparently) when openvpn is in bridging mode appear to be some kind of MAC address. How does it come by this, and why is it not the IP address issued to the client ?
10:31 < vincas> I'm using openvpn 2.1
10:40 -!- countd [n=countd@unaffiliated/countd] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
10:44 < reiffert> vincas: because ethernet frames are addressing mac addresses.
10:49 < vincas> reiffert: But I can't arping those mac addresses...of course, if I arping the IP addresses of the clients, it returns those macs....does openvpn generate these macs ?
10:54 < reiffert> yep.
10:55 < reiffert> They should start with 00:FF IIRC
10:56 < vincas> reiffert: Cool, thank you!
10:56 < vincas> :)
10:59 < vincas> Odd...I have one that starts with 0a:e0
11:02 < reiffert> http://openvpn.net/index.php/documentation/install.html?start=1
11:02 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
11:02 < reiffert> read
11:02 < reiffert> Notes -- Setting TAP-Win32 address/subnet automatically via DHCP
11:02 < reiffert> bbl, gone for girls
11:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
12:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
12:06 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
12:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
12:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:43 -!- c64zottel [n=hans@p5B1799FB.dip0.t-ipconnect.de] has quit ["Leaving."]
14:09 < ecrist> afternoon, fuckers
14:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
14:21 -!- beaver74 [n=Helmut@unaffiliated/beaver74] has joined ##openvpn
14:23 < beaver74> hey, is it possible to connect clients over openvpn without this system having static ip addresses?
14:23 < ecrist> what is *this* system?
14:23 < beaver74> the involved two end-points of this tunnel
14:24 < ecrist> ah, sure, using a dynamic DNS of some sort.
14:25 < beaver74> there are 2 routers, and they have dynamic ips, connecting them over OpenVPN. This is possible with or without DDNS?
14:25 < ecrist> for reconnections, they'll likely need dynamic dns
14:25 < beaver74> ah, ok..
14:26 < beaver74> if there is a third machine, running the server side, and having a static ip, can that help to solve this?
14:27 < ecrist> yep
14:27 < beaver74> wow, nice...
14:27 < ecrist> then there's no need for DDNS
14:27 < beaver74> k, thx, ecrist
14:28 < beaver74> because on of that two machine without the third will act as that server?, is that right?
14:28 < beaver74> -on +one
14:29 < ecrist> the static IP system would be server to both the dynamic ip systems
14:29 < beaver74> ok
14:30 < beaver74> thx again, bye
14:30 -!- beaver74 [n=Helmut@unaffiliated/beaver74] has left ##openvpn ["Verlassend"]
14:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:33 < ecrist> facebook should change their name to 'Hook up with old girlfriends.'
14:34 < krzee> hah
14:34 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn
14:35 < Qantouri1c> VPN-server with road warriors ... possible with preshared key ? or only TLS ?
14:44 < Qantouri1c> Do road warriors need a resolvable DNS ?
14:46 < Qantouri1c> nvm
14:46 < Qantouri1c> client: key :p
14:46 < Qantouri1c> whoot :p
15:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
16:04 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has left ##openvpn []
17:09 -!- upb [i=cmpxchg@closet-core1.ge1-0s3.cust1000158.rev.prq.se] has left ##openvpn []
17:15 -!- mepholic [n=mepholic@star.emokid.nu] has joined ##openvpn
17:16 < mepholic> I've been reading about how in a bridged openvpn setup, you shouldn't assign a default gateway
17:16 < mepholic> this is because you'll lose connection to the openvpn server, right?
17:16 < mepholic> eh
17:16 < mepholic> via dhcp
18:01 < Qantouri1c> mepholic: depends on how smart / stupid the client os is
18:01 < Qantouri1c> will it take the newly suggested gateway or not ?
18:02 < Qantouri1c> (often this can also be configured)
18:02 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has quit ["night"]
18:19 -!- carpe_ [n=carpe@174.0.97.175] has quit [Connection timed out]
18:20 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn
18:30 -!- v0lksman [n=shayne@ottawa-hs-64-26-169-151.s-ip.magma.ca] has left ##openvpn ["cheerio"]
18:42 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn
19:01 -!- carpe_ [n=carpe@174.0.97.175] has quit [Connection timed out]
19:02 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn
19:03 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"]
21:06 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:02 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
22:43 -!- tjz [n=tjz@bb116-15-75-97.singnet.com.sg] has joined ##openvpn
23:20 -!- dmb [n=dmb@unaffiliated/dmb] has joined ##openvpn
23:20 < dmb> hey
23:20 < dmb> what does read UDPv4 [ECONNREFUSED]: Connection refused (code=111) mean?
23:22 < Kobaz> something is blocking the packets
23:22 < Kobaz> probably firewalling
23:23 < dmb> the client end shouldn't matter right?
23:25 < dmb> Kobaz, is there a way to use openvpn without udp?
23:32 < dmb> hmm, i don't think thats a good idea (tcp in tcp)
23:39 < Kobaz> it works very well
23:39 < Kobaz> udp is the recommended protocol
23:41 -!- tjz [n=tjz@bb116-15-75-97.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
--- Log closed Sun Feb 15 00:36:51 2009
--- Log opened Sun Feb 15 00:37:13 2009
00:37 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
00:37 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal]
00:37 -!- Irssi: Join to ##openvpn was synced in 23 secs
--- Log closed Sun Feb 15 00:55:16 2009
--- Log opened Sun Feb 15 10:41:26 2009
10:41 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
10:41 -!- Irssi: ##openvpn: Total of 53 nicks [0 ops, 0 halfops, 0 voices, 53 normal]
10:41 -!- Irssi: Join to ##openvpn was synced in 1 secs
11:10 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
11:13 -!- p4ch0 [n=p4ch0@190.69.224.12] has joined ##openvpn
11:14 -!- p4ch0 [n=p4ch0@190.69.224.12] has quit ["Saliendo"]
11:47 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
11:48 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
12:08 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn
12:08 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)]
12:19 -!- mipshelpme [n=mips@host146-242-dynamic.43-79-r.retail.telecomitalia.it] has joined ##openvpn
12:19 < mipshelpme> hello!
12:19 < mipshelpme> can someone help me with an openvpn mystery?
12:23 < mipshelpme> I've a mips system, with busybox 1.00 + kernel 2.6.8.1 , but in my openvpn 2.1 rc15 no --mktun and the other options that I can see in other system with kernel 2.4+ it's available. It's normal?
12:31 < reiffert> mipshelpme: tell us more about your system please.
12:33 < mipshelpme> thanks
12:35 < mipshelpme> mips system, with busybox 1.00 and minimal kernel 2.6.8.1
12:35 < mipshelpme> I rebuild kernel adding tun module
12:36 < mipshelpme> with busybox command cat /dev/net/tun it tells me "error: file descriptor in bad state"
12:36 < reiffert> Is it some kind of openwrt?
12:36 < mipshelpme> but if I use tun test source code it works correctly
12:37 < mipshelpme> it's the kernel of a router
12:37 < mipshelpme> dg834
12:38 < reiffert> And does your kernel and the openvpn belong to some kind of openwrt or dd-wrt or something similar?
12:38 < mipshelpme> I think
12:38 < mipshelpme> but not sure
12:39 < reiffert> I cant tell you anything related to kernel, hardware and busybox. Whats your openvpn question again please?
12:39 < mipshelpme> yes
12:39 < mipshelpme> the question is
12:40 < mipshelpme> that I understand why
12:40 < mipshelpme> in kernel 2.6.8.1
12:40 < mipshelpme> my openvpn
12:41 < mipshelpme> in my openvpn I can't find the --mkdev option and the other options
12:41 < mipshelpme> available with 2.4+ kernel
12:42 < reiffert> there is no --mkdev in openvpn.
12:42 < mipshelpme> --mktun
12:42 < mipshelpme> sorry --mktun
12:42 < reiffert> Again, I cant tell you anything related to kernel versions.
12:43 < reiffert> Nor can I tell you why some software contains foo or bar, that someone was compiling.
12:43 < reiffert> Did you compile openvpn for yourself?
12:43 < mipshelpme> yes
12:44 < mipshelpme> by myself
12:44 < reiffert> Well, then check and diff the config.logs for each version
12:44 < mipshelpme> what can I find in particular in config.logs
12:46 < reiffert> Maybe something that your build environment was deciding not to compile in, because something was missing in your build environment.
12:47 < mipshelpme> oh yes
12:47 < mipshelpme> I look now
12:47 < reiffert> As you say, one openvpn version "does not have" the --mktun option
12:48 < mipshelpme> reiffert: my openvpn is 2.1rc_15
12:49 < mipshelpme> and kernel 2.6.8.1
12:50 < mipshelpme> I forgot tell you : when I run "insmod /lib/modules/tun.ko" the system make for me automatically the /dev/net/tun device
12:51 < ecrist> this would appear to be a kernel issue, and not one related directly to openvpn
12:51 < mipshelpme> oh
12:51 < mipshelpme> do you know some irc channel for kernel linux?
12:52 < ecrist> #linux
12:52 < mipshelpme> THANKS
13:04 < mipshelpme> how can I make tap0 , without --mktun option ?
13:07 < reiffert> mipshelpme: what happens when you enter openvpn --mktun tap0?
13:07 < mipshelpme> I haven the --mktun option
13:07 < mipshelpme> I haven't the --mktun option
13:07 < reiffert> answer my question.
13:09 < mipshelpme> "unrecognized option or missing parameter(s) in [CMD-LINE]:1: mktun (2.1_rc15)
13:09 < mipshelpme> I look the log file I and found 2 "error" message
13:09 < mipshelpme> error: size of array `test_array' is negative
13:09 < mipshelpme> error: invalid application of `sizeof' to incomplete type `conftest.c'
13:10 < reiffert> check options.c
13:10 < mipshelpme> conftest.c:84: error: invalid application of `sizeof' to incomplete type `conftest.c'
13:10 < reiffert> #ifdef TUNSETPERSIST
13:10 < reiffert> else if (streq (p[0], "mktun"))
13:10 < reiffert> #endif
13:10 < reiffert> then check why it thinks you dont have TUNSETPERSIST
13:11 < mepholic> is there a way to set a range that openvpn assigns the tap interfaces mac address in? (in the config)
13:11 < mepholic> doesnt matter if it is client or server side
13:12 < reiffert> did you read what I was writing?
13:12 < mepholic> :<
13:12 < mepholic> me?
13:12 < mipshelpme> reif: for me? yes .. and looking for the confeste.c
13:12 < mipshelpme> reif: for me? yes .. and looking for the conftest.c
13:12 < reiffert> ah, sorry, were mixing up nicknames.
13:13 -!- mipshelpme is now known as MIPS
13:13 < MIPS> :)
13:13 < reiffert> mepholic: a range of mac addresses, whats that going to be?
13:14 < ScribbleJ> Not exactly an openvpn question.... I'm trying to test transfer speeds on two networks using scp over openvpn, except how can I easily make a large garbage file to try transferring? reading /dev/random takes too long.
13:14 < mepholic> reiffert, I want to be able to tell the clients, "use a mac address in THIS range"
13:14 < mepholic> like
13:14 < mepholic> 00:0E:44
13:14 < mepholic> for example
13:14 < mepholic> and it would randomize the last 3 octets
13:14 < mepholic> or whatever :3
13:15 < reiffert> mepholic: yeah, check the source.
13:15 < reiffert> mepholic: the tap driver source that comes with the tapdriver. Kernel for != windows and tap-win32 directory for win32.
13:15 < ScribbleJ> n/m, used /dev/urandom to pull some, then just duplicated that over and over.
13:16 < mepholic> so i'd have to give my clients a custom version?
13:16 < mepholic> ugh
13:16 < reiffert> mepholic: win32?
13:16 < mepholic> reiffert, i have win32 and linux clients
13:16 < mepholic> and mac
13:16 < mepholic> lolol
13:17 < mepholic> and uh
13:17 < mepholic> freebsd
13:17 < reiffert> mepholic: have fun then. linux = matter of kernel, mac = matter of kernel module, win = matter of tap-win32 directory source. have fun.
13:17 * mepholic waits for somebody with BeOS or VAX to come along
13:18 < mepholic> wait, does openvpn even support those?
13:18 < MIPS> reif: ..uhm... I can't find the conftest.c ! It's a openvpn file?
13:18 * Qantouri1c concludes his SLT connection is oks .... but the pipe doesn't work :p no connection on the other end :p
13:18 < Qantouri1c> what connection type tap/tun is recommended ?
13:20 < MIPS> oh, another error
13:20 < mepholic> Qantouri1c, what are you going to use the vpn for?
13:20 < MIPS> conftest.c:14:28: ac_nonexistent.h: No such file or directory
13:20 < Qantouri1c> mepholic: MS-exchange, file share
13:20 < mepholic> heh
13:20 < mepholic> i'd use tap
13:20 < reiffert> MIPS: checkout the configure file.
13:20 < Qantouri1c> mepholic: me too :p
13:20 < mepholic> tun doesn't allow network broadcasts
13:21 < mepholic> (which is annoying)
13:21 < Qantouri1c> mepholic: soooo
13:21 < Qantouri1c> mepholic: brctl addbr test
13:21 < Qantouri1c> mepholic: brctl addif test eth1
13:21 < Qantouri1c> mepholic: like that ?
13:21 < mepholic> well
13:21 < MIPS> reif: what does it mean "checkout" configure file
13:21 < mepholic> on each client machine, you don't need a bridge
13:22 < reiffert> MIPS: open it, read it, understand it.
13:22 < Qantouri1c> mepholic: cause last time i tried i couldn't get it working (probably issues with my iptables settings, it uses nic ...
13:22 < ScribbleJ> Ok, I have the dumb, now. I have tested the speeds I am getting, and I top out around 150KB/sec. Is this about right for a T1?
13:22 < mepholic> Qantouri1c, my tap setup uses no bridges at all
13:22 < Qantouri1c> mepholic: how does -i / -o nic work on bridges ?
13:22 < MIPS> reif : ah ok (sorry my english not so good)
13:22 < Qantouri1c> mepholic: ow ?
13:22 < mepholic> well
13:22 < Qantouri1c> mepholic: that's possible ?
13:22 < Qantouri1c> NICE
13:22 < mepholic> yes
13:22 < mepholic> i actually have a bridge on my desktop
13:23 < mepholic> going to a vlan on my switch
13:23 < mepholic> so i can plug other computers into the vlan, and they will be directly on the vpn
13:23 < Qantouri1c> mepholic: so tap is connected to a eth device ? like a real tap ?
13:23 < mepholic> kinda hard to explain
13:23 < mepholic> but
13:23 < mepholic> my server is at FDC in chicago
13:23 < mepholic> unmetered datacenter
13:23 < ScribbleJ> FirstData?
13:23 < Qantouri1c> mepholic: ooooo :p
13:24 < mepholic> and clients connect to it
13:24 < mepholic> and share files, play lan game, whatever
13:24 < mepholic> lol
13:24 < Qantouri1c> mepholic: nice :p
13:24 < mepholic> yeah
13:24 < reiffert> ecrist: I cant find TUNSETPERSIST in the Makefile, nor configure, wtf?
13:24 < mepholic> i'm working on dhcp right now
13:24 < mepholic> isc dhcpd is being retarded
13:24 * Qantouri1c now tries to learn how to use taps
13:25 < Qantouri1c> mepholic: my dhcp is easy to setup :p
13:25 < mepholic> windows?
13:25 < Qantouri1c> mepholic: linux
13:25 < mepholic> ah
13:25 < mepholic> are you using isc?
13:25 < Qantouri1c> mepholic: yea, what's the issue ?
13:25 < mepholic> well
13:25 < Qantouri1c> mepholic: are you using some exotic setup ?
13:26 < mepholic> no not really
13:26 < mepholic> what it is doing
13:26 < mepholic> is assigning the last ip in my specified range first
13:26 < mepholic> well, ranges
13:26 < Qantouri1c> mepholic: !?!
13:26 < mepholic> i don't know
13:26 < Qantouri1c> mepholic: also, i never took notice of the ip,
13:26 < mepholic> here, i'll show you my config
13:26 < mepholic> huh?
13:26 < Qantouri1c> mepholic: i mean, an ip address is one right ?
13:26 < mepholic> wat
13:27 < Qantouri1c> why do you even care which one he assigns ?
13:27 < Qantouri1c> for all i care, he can use random :p
13:27 < mepholic> Qantouri1c, well
13:27 < mepholic> it is frustrating
13:27 < mepholic> i like things to be in order
13:28 < Qantouri1c> aaa
13:28 * Qantouri1c digs the specs
13:29 < reiffert> mepholic:
13:29 < reiffert> MIPS:
13:29 < reiffert> grep TUNSETPERSIST /usr/include/linux/if_tun.h
13:29 < reiffert> #define TUNSETPERSIST _IOW('T', 203, int)
13:29 < mepholic> lol
13:29 < mepholic> Qantouri1c, i havn'
13:29 < mepholic> t tried more then 1 dhcp client
13:29 < mepholic> i dont even know if it works
13:30 < mepholic> the config seems basic
13:31 < reiffert> MIPS: do you understand whats going on?
13:32 < MIPS> :(
13:33 < Qantouri1c> mepholic: i find no indication (at first glimpse) of the ip assignment order
13:33 < MIPS> I cant find the conftest.c
13:33 < mepholic> huh
13:33 < reiffert> MIPS:
13:34 < reiffert> MIPS: do you know the meaning of a COMPILE TIME MACRO like #ifdef TUNSETPERSIST?
13:34 < MIPS> no
13:34 < MIPS> :(
13:34 < MIPS> what does it mean
13:35 < reiffert> MIPS: during the preprocessor stage, before compiling, the preprocessor creates the source files for the compilation stage
13:35 < MIPS> yes
13:35 < reiffert> MIPS: when the preprocessor thinks TUNSETPERSIST is set, then it will take that code and it will get compiled
13:35 < reiffert> MIPS: and when the preprocessor doesnt think so, the code does not get compiled.
13:35 < MIPS> oh
13:36 < reiffert> MIPS: now, for your case, we already KNOW that TUNSETPERSIST was not set during preprocessor phase.
13:36 < reiffert> still follow me?
13:36 < MIPS> I think yes
13:36 < reiffert> MIPS: On a normal system TUNSETPERSIST gets set in the file /usr/include/linux/if_tun.h
13:37 < reiffert> MIPS: that means, that during the compilation of your openvpn, TUNSETPERSIST was not found in /usr/include/linux/if_tun.h
13:38 < reiffert> MIPS: which means: Check both: kernel-source/include/if_tun.h and /usr/include/linux/if_tun.h for TUNSETPERSIST
13:38 < reiffert> MIPS: and recompile and make all those openvpn source files include that file which contains TUNSETPERSIST.
13:38 < MIPS> #define TUNSETPERSIST _IOW('T', 203, int)
13:39 < reiffert> which file?
13:39 < MIPS> this is my kernel
13:39 < MIPS> "/opt/routerkernel/include/linux/if_tun.h"
13:40 < reiffert> well, then have openvpn include that file during compilation.
13:40 < MIPS> "/opt/routerkernel is the kernel I using in cross compile
13:40 < reiffert> and problems fixed.
13:40 < MIPS> how can I include that file?
13:41 < reiffert> dude you are messing around with crosscompilation and you dont know anything about compilers?
13:41 < MIPS> yes, but I don't understand if I use that file or include in #include
13:42 < reiffert> like all places do it in .c files.
13:42 < MIPS> in .c files , I must "#include" that if_tun.h ?
13:42 < reiffert> right.
13:43 < MIPS> ok
13:43 < MIPS> but In which .c file? how can I know , which .c I must to change?
13:43 < reiffert> sigh.
13:43 < reiffert> do you know grep?
13:43 < MIPS> yes
13:44 < MIPS> ohhh
13:44 < reiffert> grep -l if_tun.h *.c *.h */*.c */*.h
13:44 < MIPS> yes
13:44 < MIPS> THANKS
13:44 < MIPS> try now
13:46 < Qantouri1c> How to control where tap's get "connected" to ?
13:46 < reiffert> read the howto
13:46 < reiffert> and the faq
13:47 < Qantouri1c> rgr
13:49 < MIPS> reif: I found reference in syshead.h , in particular :
13:49 < MIPS> #include
13:50 < MIPS> #include
13:50 < reiffert> congrats.
13:50 < MIPS> I need to change every?
13:50 < reiffert> MIPS: dunno, if unsure say YES.
13:51 < MIPS> I try ..
13:51 < reiffert> the 1st one should be enough
13:51 < MIPS> ah ok
13:52 < reiffert> and check in config.h for
13:52 < MIPS> ok
13:52 < reiffert> #define HAVE_LINUX_IF_TUN_H 1
13:52 < MIPS> config.h in openvpn . it's tight?
13:52 < MIPS> right?
13:52 < reiffert> y
13:53 < MIPS> thks .. i'm working
13:56 < MIPS> syshead.h it's changed, now check config.h
13:58 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
13:58 < reiffert> MIPS: ah well, an alternative approach might be:
13:59 < reiffert> configure --includedir=/opt/routerkernel/include
13:59 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
13:59 < reiffert> and probably the better way.
13:59 < MIPS> I try it
14:00 < MIPS> can't find the config.h , only config.h.in :(
14:00 < MIPS> why?
14:00 < reiffert> because you didnt run configure yet
14:00 < MIPS> uhm
14:00 < MIPS> I thought yes
14:00 < MIPS> retry
14:00 < reiffert> together with --includedir=/opt/routerkernel/include
14:00 < MIPS> with the --includedir too
14:02 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has left ##openvpn []
14:03 < MIPS> config.h now exist :)
14:04 < MIPS> and it's ok
14:04 < MIPS> like you tell me
14:04 < MIPS> now check the log file
14:05 < reiffert> just run make
14:05 < MIPS> conftest.c:14:28: ac_nonexistent.h: No such file or directory
14:05 < reiffert> forget about it. nonexistent = non existent
14:05 < MIPS> ok
14:05 < MIPS> conftest.c:84: error: invalid application of `sizeof' to incomplete type `conftest.c'
14:06 < reiffert> hit
14:06 < reiffert> m
14:06 < reiffert> a
14:06 < reiffert> k
14:06 < reiffert> e
14:06 < MIPS> s.o.r.r.y
14:06 < MIPS> try
14:08 < MIPS> .. openvpn-2.1_rc15-build/missing --run automake-1.9 --foreign
14:08 < MIPS> openvpn-2.1_rc15-build/missing --run autoheader
14:09 < MIPS> openvpn-2.1_rc15-build/missing: line 52: aclocal-1.9: command not found
14:09 < MIPS> WARNING: `aclocal-1.9' is missing on your system. You should only need it if
14:09 < MIPS> ??
14:09 < MIPS> I need to install some packages for mips?
14:09 < MIPS> other packages
14:10 < MIPS> the same openvpn version I compiled for my ubuntu, without problem
14:21 < MIPS> reif : can you tell me the exact parameter to compile openvpn for mips?
14:22 < MIPS> I'm using ./configure --host=mips CC="mygcccompiler"
14:22 < MIPS> it's correct using --host?
14:39 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
14:47 -!- MIPS^ [n=mips@87.18.247.226] has joined ##openvpn
14:48 < MIPS^> :(
14:51 < MIPS^> reif?
14:55 -!- MIPS [n=mips@host146-242-dynamic.43-79-r.retail.telecomitalia.it] has quit [Connection timed out]
14:59 < MIPS^> reif?
15:00 < MIPS^> reif?
15:03 < MIPS^> :(
15:05 < reiffert> start reading the fucking docs that come with the build environment.
15:06 < MIPS^> ?
15:06 < reiffert> What you will find in there is how to compile software.
15:07 < MIPS^> it's a custom environment ,no documentation
15:10 < MIPS^> I installed all packages, but messages don't change
15:15 < MIPS^> someone can help me?
15:25 < MIPS^> where can I find documentation about compiling openvpn on mips
15:28 < krzee> you even have tuntap for it?
15:29 < MIPS^> tun.ko, for kernel 2.8.6.1
15:32 < MIPS^> compiled
15:40 < reiffert> better ask how to compile with a cross compiler environment.
15:41 * krzee cross compiles tom
15:42 < krzee> (no i dont know what that meant either)
15:46 -!- dmb [n=dmb@unaffiliated/dmb] has quit [Read error: 104 (Connection reset by peer)]
15:57 < MIPS^> my problem is that I'm a microsoft programmer, I know microsoft , and so I hate microsoft. I'm newbie in this linux world, and looking for information it's no simple
15:57 < MIPS^> for me
15:57 < MIPS^> and my english it's no so good
15:58 < MIPS^> I can't move in this world , like in microsoft world
15:59 < reiffert> tom crosscompiles to instruction 1111000000001111 which means: beerandthensleep which gets fetched and executed in just one clock cycle.
16:05 < MIPS^> when I run 'openvpn --dev-node /dev/net/tun --dev tap0 --proto udp' system tell me :
16:05 < krzee> !howto
16:05 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:06 < MIPS^> '.... read TUN/TAP : file descriptor in bad state (code=81)'
16:06 < krzee> usually dont need --dev-node
16:06 < MIPS^> :(
16:07 < MIPS^> I try without it
16:07 < krzee> why using tap instead of tun?
16:07 < krzee> and it would be --dev tap not tap0
16:07 < krzee> read these:
16:07 < krzee> !howto
16:07 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:07 < krzee> !man
16:07 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:07 < krzee> read docs
16:07 < krzee> you said you're newer to the linux/unix world
16:08 < krzee> how things are learned in that world is reading docs
16:08 < krzee> man pages > *
16:09 < MIPS^> I read, and made a linux system on i386
16:09 < MIPS^> it works
16:10 < MIPS^> with openvpn
16:10 < MIPS^> but in mips, it appears little different
16:11 < MIPS^> I'm newbie, and I know that some I make some error
16:11 < MIPS^> but I need to start somewhere
16:16 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)]
16:27 < MIPS^> conftest.c:84: error: invalid application of `sizeof' to incomplete type `conftest.c'
16:27 < MIPS^> :((
16:27 < krzee> im thinking you wont get a lot of help with porting openvpn to MIPS here
16:27 < krzee> ild help if i knew that stuff
16:28 < reiffert> porting already got done e.g. in openwrt and similar.
16:28 < reiffert> mips el?
16:28 < MIPS^> can u explain better?
16:29 < MIPS^> I need openvpn on my router
16:29 < krzee> oh mips is what they use in those linksys routers?
16:29 < reiffert> yep
16:29 < MIPS^> without changing the entire firmware
16:30 < krzee> i see
16:30 < reiffert> http://downloads.openwrt.org/kamikaze/packages/mipsel/openvpn_2.0.9-2_mipsel.ipk
16:30 < reiffert> ipk is a tarfile iirc
16:30 < MIPS^> ? what is this
16:30 < MIPS^> let's see
16:30 < krzee> lol
16:31 < reiffert> zucker:~/usr/sbin ute$ file openvpn
16:31 < reiffert> openvpn: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size
16:31 < MIPS^> .ipk ?
16:32 < reiffert> openwrt comes with a build environment for mipsel and openvpn sources, so all you need is to build openwrt from sources and you get all you want, dude.
16:32 < reiffert> ipk = .tar.gz
16:32 < MIPS^> ah ok
16:32 < reiffert> http://forum.openwrt.org/viewtopic.php?id=9180
16:32 < vpnHelper> Title: OpenWrt / [howto] Building OpenWrt Kamikaze from source (at forum.openwrt.org)
16:33 < reiffert> following that howto will get you a working openvpn for mipsel
16:33 < MIPS^> wow! this is the binary!?
16:33 < reiffert> yes.
16:36 < MIPS^> :) try now
16:36 < MIPS^> may be connection drop down
16:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["Lost terminal"]
16:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
16:44 < reiffert> MIPS^: btw, your english is pretty well for an italian :)
16:50 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has quit ["night"]
16:51 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
16:57 -!- MIPS [n=mips@87.18.247.92] has joined ##openvpn
17:08 -!- MIPS^ [n=mips@87.18.247.226] has quit [Read error: 110 (Connection timed out)]
17:09 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
17:10 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
17:11 -!- MIPS [n=mips@87.18.247.92] has quit [Read error: 60 (Operation timed out)]
17:12 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 110 (Connection timed out)]
17:15 -!- MIPS [n=mips@host118-195-dynamic.16-87-r.retail.telecomitalia.it] has joined ##openvpn
17:16 < MIPS> reif : I'm? Italian? Noooooo
17:16 < MIPS> ;)
17:24 -!- mcp [n=mcp@wolk-project.de] has quit [Connection reset by peer]
17:24 -!- emcepe [n=mcp@wolk-project.de] has joined ##openvpn
17:25 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
17:25 -!- emcepe [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)]
17:41 -!- MIPS [n=mips@host118-195-dynamic.16-87-r.retail.telecomitalia.it] has quit [Success]
17:49 -!- MIPS [n=mips@87.18.244.220] has joined ##openvpn
17:56 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has left ##openvpn ["Leaving"]
18:07 -!- MIPS [n=mips@87.18.244.220] has quit [Read error: 60 (Operation timed out)]
18:08 -!- MIPS [n=mips@87.18.244.209] has joined ##openvpn
18:13 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
18:15 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
18:53 -!- MIPS [n=mips@87.18.244.209] has quit [Connection timed out]
18:53 -!- MIPS [n=mips@87.18.247.131] has joined ##openvpn
18:54 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has joined ##openvpn
18:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:59 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
18:59 < MIPS> it's late for me, boys thanks for all, it's possible I back next times :)
19:00 < MIPS> Good night , or have a nice day!
19:00 < MIPS> bye
19:00 -!- MIPS [n=mips@87.18.247.131] has quit []
19:00 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
19:03 -!- eric1234 [n=vic@pool-141-158-125-57.pitt.east.verizon.net] has joined ##openvpn
19:06 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has joined ##openvpn
19:08 < Improv> Note that there is a line length limit in IRC
19:08 < Improv> Oops
19:09 < eric1234> Hi, I am using openVpn on Mac OSX, it recently stopped connecting (possibly due to a system update). when I launch the server it says "Cannot allocate TUN/TAP dev dynamically" anyone have an idea what the problem is?
19:19 -!- eric1234 [n=vic@pool-141-158-125-57.pitt.east.verizon.net] has quit []
19:19 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
20:21 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
20:44 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:28 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:36 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection]
21:36 -!- eagle [n=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
21:47 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
21:54 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
21:54 * tjz roll in
21:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:56 -!- eagle [n=eagle@ar.en.elak.jultomte.net] has quit [Read error: 110 (Connection timed out)]
21:59 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
22:22 -!- tjz is now known as tjz|lunch
22:30 < mepholic> SUP GUYS
22:43 < dvl> lovely
23:01 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit ["Changing server"]
23:01 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
23:04 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
23:04 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
23:05 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Client Quit]
23:08 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
23:09 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Client Quit]
23:10 -!- d0wn [n=d0wn@unaffiliated/d0wn] has joined ##openvpn
23:20 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
23:24 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Client Quit]
23:47 -!- tjz|lunch is now known as tjz
--- Day changed Mon Feb 16 2009
00:00 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
00:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:45 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
01:45 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn
02:08 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
02:09 < Error_X^> reiffert: Hey :p would you help me with sharing the openvpn server's Internet connection to clients?
02:25 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has quit []
03:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
03:36 -!- TB-Master [n=toni@pD9505C38.dip0.t-ipconnect.de] has joined ##openvpn
04:04 < reiffert> no.
04:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:41 < krzee> lol
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:47 < reiffert> he tends to be resistant against all proposals.
05:39 -!- dtcrshr [n=datacrus@200.145.121.55] has joined ##openvpn
05:41 < dtcrshr> hi folks! im having an issue with openvpn. I got one building with a normal adsl access, and my vpn server will be on the hq, which have a proprietary link, with valid ip and so on. How do i set on the other side to work with the same ips from the internet link, and the inner network?
05:41 < ecrist> see this:
05:41 < ecrist> !route
05:41 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:51 < dtcrshr> thanks!
05:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:05 -!- hads [n=hads@argon.nice.net.nz] has joined ##openvpn
06:05 < hads> !route
06:05 < vpnHelper> hads: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
06:57 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
07:00 < reiffert> dtcrshr: an alternative way is using a bridged setup, see !howto
07:16 < dtcrshr> !howto
07:16 < vpnHelper> dtcrshr: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:42 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:57 -!- ikevin_ [n=kevin@ANancy-256-1-83-247.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
07:58 -!- ikevin_ [n=kevin@ANancy-256-1-69-35.w90-26.abo.wanadoo.fr] has joined ##openvpn
07:58 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
08:00 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
08:41 < ecrist> Boats and Hos
08:42 < c64zottel> hi, is it possible to get XDMCP broadcast over the vpn?
08:43 < ecrist> what is XDMCP
08:43 < c64zottel> the X-window protocol
08:43 < ecrist> sure
08:43 < c64zottel> how?
08:44 < ecrist> well, let's start with this. Do you have a VPN setup?
08:44 < krzee> what kind of traffic is it?
08:44 < c64zottel> without bridging
08:44 < krzee> is it broadcast or is it layer2?
08:44 < c64zottel> open vpn is running
08:45 < ecrist> krzee: http://en.wikipedia.org/wiki/X_display_manager
08:45 < vpnHelper> Title: X display manager - Wikipedia, the free encyclopedia (at en.wikipedia.org)
08:45 < ecrist> c64zottel: for what you're doing, using SSH with x-forwarding would be sufficient
08:46 < c64zottel> there are a lot of X-servers here
08:46 < c64zottel> and its not possible to give them direct access to the internet
08:46 < ecrist> the x-server runs on the client workstation.
08:47 < ecrist> the short answer, is yes, you can run XDMCP over OpenVPN
08:47 < ecrist> we're not the ones to help you setup XDMCP, however.
08:47 < c64zottel> its like this: exceed tries to find x-server and is sending xdmcp-broadcasts to the net
08:48 < c64zottel> the servers answers with their ip-addresses, and a list will appear, which the user can choose from
08:48 < c64zottel> and can connect to a x-server
08:49 < krzee> ahh
08:49 < krzee> use tap
08:49 < c64zottel> i guess, you can compare it with samba
08:49 < krzee> but not bridging
08:49 < c64zottel> i have tap
08:49 < c64zottel> without bridging
08:49 < krzee> doesnt work?
08:49 < c64zottel> it doesn't
08:49 < krzee> ok then its not ip broadcasts, it is ethernet broadcasts
08:50 < krzee> so you need bridging
08:50 < c64zottel> hm
08:50 < c64zottel> how can i see the difference between ip/ethernet broadcasts?
08:50 < krzee> which would be the same answer for samba
08:50 < krzee> its an entirely different layer of traffic
08:50 < krzee> ethernet is layer2
08:50 < krzee> ip is layer3
08:51 < c64zottel> ok, then i understand
08:51 < c64zottel> thank you
08:51 < krzee> np
09:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:25 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has joined ##openvpn
09:26 < uchimata> Hi, is there a possibility to run more than one "config" at startup? e.g. openvpn.conf, openvpn2.conf etc? - running FreeBSD
09:27 -!- mcp [n=mcp@wolk-project.de] has left ##openvpn []
09:27 < uchimata> - or is this even default behaviour, using all *.conf? ;-)
09:29 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
09:29 -!- mcp [n=mcp@wolk-project.de] has left ##openvpn []
09:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
09:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has joined ##openvpn
10:20 < uchimata> hm k got it
10:34 -!- Roman123 [n=Roman123@bmt-beigelb.isas.tuwien.ac.at] has joined ##openvpn
10:36 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
10:37 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
10:42 < tjz> with openvpn, we couldn't keep track of the activities in the tunnel to a log?
10:43 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has left ##openvpn []
11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:30 < uchimata> tjz: do you want to log all tunnel traffic?
11:30 < ecrist> tjz, sure you can
11:30 < ecrist> tcpdump is your friend.
11:35 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has joined ##openvpn
11:36 < datac> hi fellas! iv got a tunnel established, but one address i must see through the tunnel, is also public. iv checked the howtos about push "gateway, and push "ip mask, but it didnt work...
11:37 < datac> how do i force on the client to search for some range of addresses, to be on the tunnel?
11:38 < MIPS> during openvpn compilation I read "checking for struct tun_pi... no"
11:38 < MIPS> what does it mean
11:39 < uchimata> datac: the push commands for additional routes should work
11:41 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has quit [Read error: 54 (Connection reset by peer)]
11:48 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has joined ##openvpn
11:48 < datac> i think im messing with the ip addresses..
11:48 < reiffert> MIPS: check the configure file.
11:48 < datac> is there a way to see this rules, when the vpn is running?
11:48 < krzee> MIPS, didnt reif give you the precompile for mips proc?
11:48 < datac> like tcpdump or sort of?
11:49 < krzee> datac, tcpdump works...
11:49 < krzee> just use the vpn interface
11:49 < datac> tcpdump -i tun0
11:49 < datac> ?
11:49 < uchimata> datac: what rules? the pushed routes?
11:49 < datac> yesh
11:49 < datac> to see if they are really active
11:50 < uchimata> datac: route -n / route print
11:50 < uchimata> datac: os?
11:50 < datac> im using a linux build up firewall, which gots open vpn as an addon. im installed and configured it on both pcs, the server and the client.
11:50 < datac> its 2.5.36.2 kernel
11:50 < uchimata> datac: alright, so route -n will show you all routes
11:50 < datac> a coyote, sort of linux from scratch, just a few apps
11:51 < datac> yes
11:51 < uchimata> datac: so you can see whether your routes have been pushed?
11:51 < datac> im using the defaults from the openvpn how to, 10.8.0.1 and so on
11:51 < datac> im on the client right now
11:52 < datac> i got a rule like this - 10.8.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
11:52 < datac> and 192.168.10.0 10.8.0.1 255.255.255.0 ug 0 0 0 tun0
11:52 < datac> the only one i read from the tunnels.
11:52 < uchimata> so all traffic to 192.168.10.0/24 would be sent through the tunnel
11:53 < datac> hmmm
11:53 < datac> il try to add the route by the route add command
11:53 < uchimata> ?
11:53 < datac> i think the push are not working, since the address i need to reach through the tunnel, can also be reached by the internet
11:53 < datac> so here on the client when i traceroute that server ip the path its from the internet connection
11:54 < uchimata> datac: when a route is set, always the most specific route will be chosen
11:54 < uchimata> datac: so a route which comes from openvpn that says "go to host x via ip y" would be more specific than your default gw
11:54 < datac> i think ill have to do that here. ill try
11:54 < datac> yes
11:55 < datac> makes sense
11:55 < krzee> datac
11:55 < krzee> !configs
11:55 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:55 < uchimata> great point krzee ;)
11:55 < datac> im on this for so much time, just to got the tunnel up that my brains are running out
11:59 < datac> the server side, gots the internet access from a proprietary link, which gots the same address from the lan network
12:00 < datac> is that an issue that wont work?
12:00 < krzee> datac
12:04 < datac> yes
12:04 < reiffert> get some basic networking knowledge.
12:04 < datac> thanks
12:04 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has quit []
12:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:05 < krzee> !configs
12:05 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:10 < reiffert> datac: are you going to paste them?
12:10 < krzee> i dont think he wants help
12:11 < reiffert> let's raise a playdoll from datac.
12:17 < datac> sorry, the server its pretty far away 12:17 < datac> im managing its pastebin to paste here 12:17 < datac> wait a sec 12:17 < datac> sorry for my huge ignorance 12:17 < datac> and the bad english 12:26 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 12:31 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:34 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has quit [Read error: 104 (Connection reset by peer)] 12:35 -!- Roman123 [n=Roman123@bmt-beigelb.isas.tuwien.ac.at] has quit ["Leaving"] 12:46 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 13:12 -!- pkrumins [i=nhl@unaffiliated/pkrumins] has joined ##openvpn 13:12 < pkrumins> hi guys, i am having trouble with openvpn not updating my /etc/resolv.conf file. 13:12 < pkrumins> can't quite find info if i need to specify some config option when i start it 13:12 < pkrumins> or it should do it automatically 13:13 < krzee> !pushdns 13:13 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 13:20 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 13:21 < dtcrshr> [krzee]: it worked! 
13:21 < dtcrshr> thansk you all for the tips 13:21 < dtcrshr> i was changing the ips on the push route 13:21 < dtcrshr> and i needed to add the push "gateway 13:23 -!- dtcrshr [n=datacrus@200.145.121.55] has quit [Read error: 104 (Connection reset by peer)] 13:28 < pkrumins> okay, i managed to get it working 13:28 < pkrumins> but now the problem is that my original resolv.conf gets overwritten 13:28 < pkrumins> that is kinda fina 13:28 < pkrumins> that is kinda fine 13:29 < pkrumins> but i would expect it to be restored when openvpn shuts down 13:29 < pkrumins> but it does not 13:29 < pkrumins> it just erases it 13:29 < pkrumins> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) 13:29 < pkrumins> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN 13:29 < pkrumins> here is what it leaves. 13:29 < pkrumins> "DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN" huh 13:31 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 110 (Connection timed out)] 13:35 < Roman123> Hi! I guess I have a similar problem than thousands of other OpenVPN users before. :-( The connection between client (configuration http://128.131.71.10/openvpn_client ) and server (configuration http://128.131.71.10/openvpn_server) is established without any error but I'm not able to send any traffic through the tunnel, i.e., no ping etc. :-( My OpenVPN is on a OpenWRT machine (8.09RC2) and my client is situated at a vmware setup running Windows XP 13:35 < Roman123> (host machine is gentoo linux). route print gives 128.131.71.10/shot.png Thank you for any suggestions to get rid of the problem. 13:36 < pkrumins> craaaaaaaaap 13:36 < pkrumins> i'm crapping my pants now. 
13:36 < pkrumins> any ideas how to get openvpn to restore the dns 13:36 < pkrumins> once it goes down 13:37 < Roman123> Bye, yeah I know it is pretty perverted to run the OpenVPN client from a XP virtual machine over a bridged interface over Gentoo but I guess that's not the problem. ;-) 13:38 < Roman123> btw, the windows firewall is disabled. I've checked that. 13:38 < Roman123> s/Bye/Btw 13:39 < pkrumins> resolved. 13:39 < pkrumins> i changed 'down' part of /etc/openvpn/resolv-update-up scirpt 13:40 < pkrumins> adn added echo "nameserver my_shit" > /etc/resov.conf 13:40 < pkrumins> now it works! 13:43 < Roman123> oops, sorry http://128.131.71.10/shot.png 13:43 -!- pkrumins [i=nhl@unaffiliated/pkrumins] has left ##openvpn [] 13:45 < Roman123> argh, sorry wrong urls http://128.131.71.10/default/openvpn_client ; http://128.131.71.10/default/openvpn_server ; 128.131.71.10/default/shot.png -> sorry, the firewall here does not allow to access this webserver but now it should work. 14:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 14:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:08 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 14:08 < Roman123> No expert available with a tricky suggestion what I can try to solve the problem? :-( 14:09 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 14:17 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 14:35 < reiffert> Roman123: and your problem is? 14:36 < reiffert> bbl, bed 14:38 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"] 14:38 < Roman123> reiffert: still there? 14:39 < Roman123> reiffert: Hi! I guess I have a similar problem than thousands of other OpenVPN users before. 
:-( The connection between client (configuration http://128.131.71.10/openvpn_client ) and server (configuration http://128.131.71.10/openvpn_server) is established without any error but I'm not able to send any traffic through the tunnel, i.e., no ping etc. :-( My OpenVPN is on a OpenWRT machine (8.09RC2) and my client is situated at a vmware setup running 14:39 < Roman123> Windows XP 14:39 < Roman123> (host machine is gentoo linux). route print gives 128.131.71.10/shot.png Thank you for any suggestions to get rid of the problem. 15:44 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn 15:44 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn [] 15:46 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 15:48 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 16:10 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"] 16:33 -!- mrcerulean [n=chris@ppp-71-137-137-7.dsl.sndg02.pacbell.net] has joined ##openvpn 16:36 < mrcerulean> I have OpenVPN server running on CentOS 5.2 and the client running on Vista. I get a connection and an IP address, but no traffic between the two systems. 16:36 < mrcerulean> On the Windows side, the log says: Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv ) 16:36 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net) 16:37 < mrcerulean> The FAQ suggests that the DHCP server needs to be running on the Windows client... 16:38 < mrcerulean> Sorry. The DHCP client service is running. How do I disable the TAP firewall in Vista? 16:39 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 16:40 < mrcerulean> OK. 16:40 < mrcerulean> Figured that out. :) 16:41 < mrcerulean> When I restart the connection, I get the same error. 
16:42 < mrcerulean> I've disabled the firewall on the TAP device and verified that the DHCP Client service is running. 16:50 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"] 17:31 -!- rubymonk [i=55ab9159@gateway/web/ajax/mibbit.com/x-5bdddcaf020cfe8a] has joined ##openvpn 17:31 < rubymonk> Hello everyone 17:31 < rubymonk> :) 17:31 < rubymonk> I'm trying to understand some things about how openvpn works... well, especially it's relationship with openssl 17:33 < rubymonk> well, first of all, for future reference, I've been following the how to, which leads to the creation of a PKI and a CA 17:33 < rubymonk> The first thing I don't get is... I didn't see in the whole process any public key 17:33 < rubymonk> so, I'm wondering where it/they is/are 17:33 < rubymonk> anyone please ? 17:36 < rubymonk> Is my question unclear ? 17:42 < mrcerulean> The client keys are generated by the master cert authority. 17:42 < mrcerulean> As are the server keys. 17:43 < mrcerulean> The root cert goes on the server + all clients. 17:43 < mrcerulean> Then the client key cert goes on the client. 17:43 < mrcerulean> When the client connects, the client and server keys are exchanged and verified by the root ca key. 17:44 < mrcerulean> Once that's done, keys are set on both ends. 17:44 < mrcerulean> There is no public key, per se. 17:45 < mrcerulean> If you're doing it by accepting self generated keys from the client, then the client must also generate a cert signing request that has to be fullfilled. 17:45 < mrcerulean> Because the generation is happening under complete server control, there is no need for "public key" in this transaction. 17:46 < mrcerulean> Think of it as cert exchange rather than key exchange and it becomes a little clearer. 17:47 < rubymonk> Yes, I think I get the fact public keys are not necesary since both parts already have the cert 17:47 < rubymonk> correct ? 
17:48 < rubymonk> the public key would be necessary to get the cert 17:48 < mrcerulean> That's simplified,, but basically yes. 17:48 < rubymonk> ok 17:49 < rubymonk> now on this config... 17:49 < rubymonk> both sides have a private key 17:49 < rubymonk> and this puzzles me a bit 17:49 < rubymonk> the public key was supposed to tell how to crypt 17:49 < rubymonk> and the private how to decrypt 17:50 < rubymonk> if I understood what I've read about SSL 17:50 < mrcerulean> I think you're confusing public key crypto like PGP and SSL. 17:50 < mrcerulean> SSL is cert based, so no public key is required. 17:51 < mrcerulean> Step back from OpenVPN and see how it goes at a higher level: 17:51 < mrcerulean> I am a CA. 17:51 < mrcerulean> I can issue certs. 17:51 < rubymonk> ok 17:51 < mrcerulean> Before I do, I have to verify you. 17:51 < mrcerulean> So, you send me a request for a cert. 17:51 < mrcerulean> That request has, embedded within, identification that's unique to you. 17:52 < mrcerulean> I use that identification and generate a cert, which I then send to you. 17:52 < mrcerulean> The cert I send you is based on a few factors: my own root cert, my server cert, your csr. 17:52 < rubymonk> I send you a csr and you send back a crt 17:52 < mrcerulean> Yes. 17:52 < rubymonk> (file) 17:52 < rubymonk> :) 17:52 < rubymonk> ok 17:53 < mrcerulean> Now, when you present that cert to me in the future, I can verify it's valid. 17:53 < mrcerulean> By comparing it with my root cert and my server cert. 17:53 < rubymonk> using your private key ? 17:53 < rubymonk> ah 17:53 < rubymonk> ok 17:53 < mrcerulean> Again, stop thinking about public/private keys. 17:53 < mrcerulean> :) 17:53 < mrcerulean> Think only in terms of certs. 17:53 < rubymonk> hehe, ok, sorry 17:54 < mrcerulean> There are analogs there, but really the process is a little different. 17:54 < rubymonk> ok, so with the cert, you are able to tell I am who I tell I am 17:55 < rubymonk> but if someone steals me my cert ? 
17:55 < mrcerulean> The point is, once the cert validity is verified, I can now open a channel between the two devices and start encrypting traffic using any method available, including public/private keys which are generated and exchanged in real tme. 17:55 < mrcerulean> If someone steals your cert, you're in trouble. :) 17:55 < rubymonk> ok :) 17:55 < mrcerulean> That's why you can password protect the cert. Then you have two-factor auth: something you have and something you know (cert/password). 17:57 -!- mepholic [n=mepholic@star.emokid.nu] has quit [Client Quit] 17:57 < hads> And you can revoke 17:58 < mrcerulean> Yes. If you find a cert's been stolen, you can revoke the cert and it will no longer work. 17:58 < rubymonk> In the howto, there a small table if you scroll a bit to the top at this url http://openvpn.net/index.php/documentation/howto.html#config 17:58 < vpnHelper> Title: HOWTO (at openvpn.net) 17:59 < rubymonk> and it tells the certs are not secret... 17:59 < rubymonk> is it an error or a case in which the certs are not supposed to be secret? 18:00 < mrcerulean> The certs are not secret, but the keys are. 18:00 < mrcerulean> The certs are, in essence, public keys. 18:00 < mrcerulean> The keys are private keys. 18:00 < rubymonk> ok 18:01 * hads has a little cry about working with someone else's network setup 18:01 < rubymonk> but if the cert is so public... it doesn't really matters if someone steals my cert, does it ? 18:01 < rubymonk> (Sorry to be a pain) :) 18:02 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Connection timed out] 18:03 < mrcerulean> It only matters if they get both the cert and the key. 18:03 < rubymonk> oh, ok 18:03 < rubymonk> :) 18:03 < rubymonk> I got it now 18:04 < rubymonk> hum... 18:05 < rubymonk> Yes, I think I fully got it, clients also need a private key because they send datas, so those datas are crypted with the private key and the cert tells how to decrypt to the server... 
18:05 < rubymonk> right ? 18:05 < mrcerulean> Close enough. 18:05 < rubymonk> hehe 18:06 < rubymonk> ok, I won't get further today or I'll mix things up 18:06 < mrcerulean> But the cert and key is only used to negotiate the connection. At that point, a completely different crypto mechanism can take over. 18:06 < rubymonk> Thanks a lot mrcerulean :) 18:06 < rubymonk> yes, a symetric one since asymetric is too slow 18:07 < rubymonk> it's only used to share a key for them to communicate 18:07 < rubymonk> as I got it :P 18:07 < rubymonk> s/as/as far/ 18:16 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 18:16 < hads> I can't figure out why remote clients can only ping the OpenVPN host and the default gateway. There is a static route on the default gateway and LAN hosts can ping remote OpenVPN clients. 18:20 -!- mrcerulean [n=chris@ppp-71-137-137-7.dsl.sndg02.pacbell.net] has left ##openvpn [] 18:29 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 110 (Connection timed out)] 18:31 -!- carpe_ [n=carpe@174.0.97.175] has quit [Read error: 113 (No route to host)] 18:45 -!- justdave [n=dave@unaffiliated/justdave] has left ##openvpn [] 19:03 -!- rubymonk [i=55ab9159@gateway/web/ajax/mibbit.com/x-5bdddcaf020cfe8a] has quit ["http://www.mibbit.com ajax IRC Client"] 19:05 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 19:51 -!- TB-Master [n=toni@pD9505C38.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)] 19:57 -!- kaii [n=kai@ciphron.de] has quit [Read error: 60 (Operation timed out)] 19:59 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 20:09 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn 20:12 -!- kaii [n=kai@ciphron.de] has quit [Read error: 104 (Connection reset by peer)] 20:34 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 20:36 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 
20:39 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)] 20:40 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 22:24 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 23:04 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit ["Quick! Kill your client! Bersirc 2.2 is here! [ http://www.bersirc.org/ - Open Source IRC ]"] 23:06 -!- Haris1 [n=Haris@unaffiliated/haris] has joined ##openvpn 23:06 < Haris1> Hello people, folks, everyone, all 23:06 < Haris1> Does openvpn support ipsec over udp based vpn? 23:06 < Haris1> Can we create or simulate ipsec over udp based vpn with openvpn ? 23:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 23:48 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn --- Day changed Tue Feb 17 2009 00:17 -!- tjz|lunch is now known as tjz 00:25 < krzee> no 00:40 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 00:53 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)] 01:09 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 01:14 -!- int [n=quassel@wikia/int] has joined ##openvpn 01:30 < Haris1> no? 01:31 < Haris1> Which protocols/technologies does openvpn support? 01:34 < uchimata> Haris1: ssl 01:36 < Haris1> just ssl ? 01:38 < uchimata> what else do you need? ;-)) 01:40 < Haris1> there's l2tp based vpn 01:40 < Haris1> ipsec over udp based 01:40 < Haris1> I need to simulate the problem we are facing in ipsec over udp based vpn 01:40 < Haris1> to find the cause or a better option to use 01:41 < uchimata> there are also free ipsec implementations like freeswan? 01:45 < Haris1> I thought freeswan was something like quagga 02:07 < reiffert> Haris1: openvpn supports openvpn 02:07 < reiffert> Haris1: openvpn does not l2tp or pptp or cisco vpn or freeswan or similar. 
02:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:16 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn 02:17 < nardul> Morning. Is there a way to make the client push it's local route? 02:25 < reiffert> is it static? 02:28 < nardul> Yes 02:30 < reiffert> multiple lines of push "route netaddress netmask" 02:30 < nardul> In the client config? 02:30 < reiffert> server config 02:31 < nardul> No can do. I need the routes from the client on the server 02:31 < reiffert> Oh, that way. There is no way. 02:31 < nardul> Ok, i'll add it manually to the server then. Darned. 02:36 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has joined ##openvpn 02:39 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has quit [Client Quit] 03:33 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 03:41 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 04:40 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"] 04:53 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn 05:04 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has joined ##openvpn 05:06 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 05:07 -!- disposable [i=disposab@blackhole.sk] has quit [Read error: 104 (Connection reset by peer)] 05:07 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn 05:18 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 05:22 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 05:34 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 05:35 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 05:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:52 -!- Haris1 [n=Haris@unaffiliated/haris] has left ##openvpn ["Time to jet!"] 06:26 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the 
connection] 06:27 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 06:28 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 06:31 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 06:36 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 06:40 < Roman123> When I start openvpn, in my logfiles the message "TUN/TAP device tap0 opened" appear but I have only a tap1 interface! If I remove the interface, add a new one with the name tap0, and restart openvpn, then the message "TUN/TAP device tap1 opened" appears. Is this ok? 06:41 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 06:42 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 06:46 < ecrist> Roman123: does the vpn work? 06:47 < Roman123> ecrist: no :-( 06:47 < Roman123> That's the problem. 06:48 < Roman123> The tunnel can be established but no traffic goes through the tunnel. 06:49 < Roman123> For example, I can't ping from the client side to the network on the remote side. I'm pretty sure it is no firewall issue. At the moment I'm taking a look at the openvpn FAQ. Hopefully, it helps. 06:49 < ecrist> can you post your config? 06:49 < ecrist> via pastebin.com 06:50 < Roman123> ecrist: sure. Thank you very much for the help. This drives me nuts for about one day now and I'm starting to be very frustrated. 06:52 < Roman123> ecrist: my server config http://pastebin.com/m3a96fad0 06:52 < ecrist> is this a linux server? 06:52 < Roman123> ecrist: openwrt 06:52 < Roman123> that's linux 06:52 < Roman123> "small scale linux" :) 06:52 < ecrist> yeah, they're a bit different animal, though. 06:53 < Roman123> it's my router 06:53 < ecrist> try changing option dev tap to option dev tap0, and make sure you have no tap devices 06:53 < ecrist> it *should* create a tap0 device, or fail, rather than using a random interface. 06:54 < Roman123> ok, I'll try. 
Give me a moment 06:55 < Roman123> ecrist: my client side http://pastebin.com/m45123f19 06:56 < ecrist> you're having problems with the server, right? 06:57 < Roman123> ecrist: I'm not sure where the problem is located. 06:58 < Roman123> The tunnel is built (without any error in the logfiles) but then I cannot ping from the client to the server side and vice versa. 06:58 < ecrist> the problem you described above, was that client or server? 06:58 < Roman123> server 06:58 < Roman123> ecrist: I made the change tap -> tap1 06:59 < ecrist> when the tunnel comes up, it uses that interface then, right? 06:59 < Roman123> how can I check that. 06:59 < Roman123> let me post my log file 07:01 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:02 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:03 < Roman123> ecrist: http://pastebin.com/m453ebc08 07:03 < Roman123> ^^^ the log entries on the server side 07:04 < Roman123> imho they look fine 07:06 < Roman123> http://pastebin.com/m461e1ecf <- log on the client side 07:07 < Roman123> At least, my routes on the client side http://pastebin.com/m4a9ed96 07:10 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 07:12 < ecrist> any reason you're using tap rather than tun? 07:12 < nardul> How would i add a route to the server, so it can send packages to the initiating clients network? 07:13 < ecrist> nardul, see here: 07:13 < nardul> Assuming the client has routing enabled, ofcourse. 07:13 < ecrist> !route 07:13 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 07:13 < Roman123> ecrist: well, I guess tap is the better choice for me. 07:13 < ecrist> Roman123: why? 07:14 < ecrist> one problem I think you're going to run into is using a common 1918 address space for your VPN. It's going to conflict with the majority of home and hotspot gateways. 
07:15 < ecrist> see here for some other options: 07:15 < Roman123> ecrist: I like that my openvpn client receives an ip from the remote network and not its own subnet ip. 07:15 < ecrist> !1918 07:15 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 07:22 < Roman123> ecrist: so, you would recommend utilizing tun instead of tap? 07:30 < ecrist> Roman123: unless you're doing ethernet protocols, tun is much easier to setup 07:35 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)] 07:38 -!- hdfdisk [n=Phoenix@116.10.199.46] has joined ##openvpn 07:38 < hdfdisk> Hi All 07:39 < hdfdisk> Is there any Developer here? 07:41 -!- hdfdisk [n=Phoenix@116.10.199.46] has left ##openvpn [] 07:42 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)] 07:42 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 07:43 -!- Bjar [n=Bjar@64.55.144.11] has joined ##openvpn 07:44 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 07:44 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn 07:46 < Bjar> Ok, I'm a person from China, If there is any developer can help me, we got a really big problem because the Chinese-Great Firewall is Trying to "Stole" The VPN/HTTPS Connection to a monitored server. Which the Government will be able to control the secure Connections, They are already on the action, and It will deploy in all this country before long. We need someone help us, as fast as it can. Sending this message I'm also taking risk, so don't be strange if I 07:46 -!- Bjar [n=Bjar@64.55.144.11] has left ##openvpn [] 07:59 < Roman123> ^^^ that was the end of Bjar :-P 08:00 < reiffert> he's still on freenode. 
08:01 < ecrist> I think that was meant to be a funny 08:02 < Roman123> yes in a sarcastic manner, although such things taking place in china are not funny 08:08 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"] 08:13 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 08:17 -!- Spockz|irssi [n=alessand@71pc198.sshunet.nl] has joined ##openvpn 08:18 < Spockz|irssi> I have a openvpn server running, but when I connect to it the server authenticates itself with it's local IP. Not the vpn IP. 08:20 < Spockz|irssi> UDPv4 link remote: 192.168.13.18:1194 08:20 < Spockz|irssi> should that point to the public interface ip or the vpn ip? 08:21 < uchimata> Spockz|irssi: you cannot connect to the server using its vpn ip 08:22 < Spockz|irssi> uchimata: I suspected that, so I do remote public_ip 08:25 < Spockz|irssi> trying with tcp, and it times out 08:30 < Spockz|irssi> hmm, 08:30 < Spockz|irssi> now I'm getting connection refused. 08:31 < Spockz|irssi> and there is no firewall installed on the server 08:31 -!- rubydiamond [n=rubydiam@123.236.183.202] has joined ##openvpn 08:33 < Spockz|irssi> uchimata: where can I find the server side log of openvpn? I only see a /var/log/openvpn-status.log 08:34 < uchimata> Spockz|irssi: there's a config option to specify the logfile 08:34 < uchimata> !configs Spockz|irssi 08:34 < vpnHelper> uchimata: Error: "configs" is not a valid command. 08:34 < uchimata> !config Spockz|irssi 08:34 < vpnHelper> uchimata: Error: 'supybot.Spockz|irssi' is not a valid configuration variable. 08:34 < uchimata> !config ,Spockz|irssi 08:34 < Spockz|irssi> erh.. 08:34 < vpnHelper> uchimata: Error: 'supybot.,Spockz|irssi' is not a valid configuration variable. 08:34 < Spockz|irssi> it's in syslog I see in the conf file 08:34 < uchimata> hm... 
;) 08:34 < uchimata> you can pastebin your config files for further support 08:35 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit] 08:36 < Spockz|irssi> ah found it 08:36 < Spockz|irssi> I was referring to a crl file that doesn't exist 08:42 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 08:45 -!- sjhstorm [n=sjhstorm@123.98.164.216] has joined ##openvpn 08:47 < ecrist> Spockz|irssi: you can create an empty crl, and sign it with your CA certificate. 08:54 -!- T0aD [n=nnnnnnnn@217.73.17.12] has joined ##openvpn 08:55 -!- Spockz|irssi [n=alessand@71pc198.sshunet.nl] has quit ["Lost terminal"] 09:03 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has quit ["Leaving."] 09:04 -!- T0aD [n=nnnnnnnn@217.73.17.12] has quit [Remote closed the connection] 09:18 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 09:26 -!- sjhstorm [n=sjhstorm@123.98.164.216] has quit ["Ex-Chat"] 09:29 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"] 09:32 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn [] 09:47 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 09:48 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 10:01 < Roman123> ecrist: with tun everything seems to work fine. 10:09 < ecrist> Roman123: you were probably missing the bridging script to bridge your interfaces 10:10 < Roman123> ecrist: no, I did "openvpn --mktun --dev tap0 ; brctl addif br-lan tap0" 10:11 < ecrist> well, glad it's all working. 10:11 < Roman123> "brctl show" depicts then tap0 10:13 < Roman123> ecrist: anyway, thank you very much. Now, I just have to figure out how to utilize client_config_dir to assign certain ip addresses to certain clients. 
10:13 < Roman123> But that can't be difficult 10:14 < ecrist> really easy 10:14 < ecrist> !freebsd 10:14 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 10:14 < ecrist> that's got a section on it, os-agnostic 10:15 < ecrist> and it's covered in the howto 10:15 < ecrist> !howto 10:15 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 10:20 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 10:28 < Roman123> From the configuration example can be obtained: "option client_config_dir ccd" and then add this line to ccd/Thelonious: ifconfig-push "10.9.0.1 10.9.0.2" 10:28 < Roman123> What is the function of the second ip (10.9.0.2)? 10:29 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has joined ##openvpn 10:29 < Roman123> The first one is supposed to be assigned to Thelonious but I don't understand why is there a second one. 10:29 < MIPS> HELLO! 10:30 < ecrist> hello 10:30 < ecrist> Roman123: they're all /30 subnets 10:30 < ecrist> !/30 10:30 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 10:32 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn 10:33 < MIPS> I run a server with "openvpn --dev tap0 --dev-node /dev/net/tun --proto udp" 10:33 < MIPS> can u tell me wich client.opvn options I need too use 10:33 < MIPS> ? 10:33 < MIPS> thanks 10:33 < MIPS> or tell me where I can read documentation for client connection without security options 10:35 < ecrist> MIPS: I'd suggest a read through the man page 10:35 < ecrist> !man 10:35 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
10:35 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 10:35 < MIPS> look here 10:51 -!- rubydiamond [n=rubydiam@123.236.183.202] has joined ##openvpn 10:55 < MIPS> I look http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html#lbAV at the section Example 1: A simple tunnel without security but on server I can read 10:55 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 10:56 < MIPS> Connection Refused 10:56 < MIPS> Code=146 10:56 < MIPS> :( 10:57 -!- dan__t [n=dant@vpn.withparity.net] has quit [Remote closed the connection] 10:57 < MIPS> on client log I see "Local Options hash (VER=V4): '46e399f1'" and "Expected Remote Options hash (VER=V4): '46e399f1'" 10:58 -!- dan__t [n=dant@ns1.hitb.net] has joined ##openvpn 10:58 < MIPS> what does it mean 10:58 < MIPS> my openvpn server has built without security options 10:58 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn 10:59 -!- dan__t [n=dant@ns1.hitb.net] has left ##openvpn ["Leaving"] 11:01 -!- french [i=a024ebdf@gateway/web/ajax/mibbit.com/x-42bc28bf398fa060] has joined ##openvpn 11:02 < french> i am trying to vpn to my server, it was working just fine now i am getting this error WARNING: No server certificate verification method has been enabled. what exactly does that mean? 11:07 < french> actually here is teh problem http://pastebin.com/d1b2b16ed any ideas? 
i am tryign to connect two to different vpn servers each givin the same error, and i have tired more than one client 11:24 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"] 11:29 < ecrist> french, that's not a fatal error 11:30 < ecrist> and, if you're going to post a log file, post the whole thing 11:45 < reiffert> Uh, bad bad bad 11:45 < reiffert> http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html 11:45 < vpnHelper> Title: [Full-disclosure] FreeBSD zeroday (at lists.grok.org.uk) 11:46 < ecrist> yeah, if you're a retard still running telnetd 11:48 < reiffert> ecrist: quoting an admin I was working under, some years ago: "We have a fully switched net, the authentication is encrypted, I still run telnet across the LAN" 11:49 < ecrist> like I said, if you're a retard. :) 11:50 < ecrist> telnet, in general, is more broken than a cheerleader after a victory in a high school football game. 11:50 < reiffert> :) 11:51 < ecrist> the *only* thing we have running telnet on my network at the office is an old Cisco router, which we're not going to upgrade, as it will be gone soon. and we only allow telnet from the next-hop freebsd system, which is connected to via console or ssh 11:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 11:54 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 12:03 < french> ok here is my entire client log, http://pastebin.com/d1c0f7c8e it will not allow me to connect, it worked fine a few days ago 12:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:06 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has quit [] 12:18 < ecrist> french: would need to see logs from the other side as to why handshake is failing. 12:20 < french> ecrist can you tell me where the log file is located? fedora 9? 12:21 < ecrist> os means nothing, really. I have no idea. 
it'll be defined in the config of the other system 12:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:37 -!- french [i=a024ebdf@gateway/web/ajax/mibbit.com/x-42bc28bf398fa060] has left ##openvpn [] 12:40 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn 12:45 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn 12:51 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)] 13:00 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)] 13:32 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn 13:44 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has joined ##openvpn 13:44 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 13:48 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:41 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn 14:45 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [No route to host] 14:51 < plaerzen> so. Hello #ovpn 15:34 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn 15:35 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn 15:37 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)] 16:14 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Read error: 110 (Connection timed out)] 16:20 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has quit ["Leaving."] 16:27 < penrod> greetings , anybody here ? 17:11 < d0wn> Could anyone assist me with this? http://openvpn.net/index.php/documentation/howto.html#redirect 17:11 < vpnHelper> Title: HOWTO (at openvpn.net) 17:12 < d0wn> I'm having trouble with it. 
I've got it set up as said in that howto, however, nothing will load, at all 17:17 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 17:53 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 17:53 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn 17:54 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 17:58 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn 19:09 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 19:20 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Read error: 110 (Connection timed out)] 19:33 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [No route to host] 19:56 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 20:10 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)] 20:21 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit ["leaving"] 20:39 -!- Netsplit lem.freenode.net <-> irc.freenode.net quits: krzee 20:40 -!- Netsplit over, joins: krzee 20:42 -!- _skx [i=skx@217.17.32.190] has joined ##openvpn 20:43 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 110 (Connection timed out)] 20:50 -!- mottz [n=mottz@cpe-76-172-44-55.socal.res.rr.com] has joined ##openvpn 20:52 < mottz> has anyone written a tool to package windows clients w/ configs and keys for simple clent install? 
21:27 -!- mottz [n=mottz@cpe-76-172-44-55.socal.res.rr.com] has quit ["Leaving"] 21:43 -!- d0wn_ is now known as d0wn 21:43 -!- int [n=quassel@wikia/int] has quit [SendQ exceeded] 21:44 -!- int [n=quassel@wikia/int] has joined ##openvpn 21:54 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:17 -!- citrusfruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has joined ##openvpn 22:18 < citrusfruitsnack> Hello, I have set up openvpn correctly between my vista laptop and my fedora system at home. everything works and i can transfer files fine (samba), except for the fact that windows explorer.exe hangs for at least 10 seconds when navigating the samba shares and when trying to transfer files 22:18 < citrusfruitsnack> transferring files and navigating the directories works fine using the windows command line, but explorer always freezes up 22:19 < citrusfruitsnack> does anyone else know of this problem? 22:22 < citrusfruitsnack> i tried modifying the tun-mtu and fragment sizes a little but i can't seem to fix this 22:34 < citrusfruitsnack> like i just tried using ftp and everything works great in terms of file transfers and stuff, but if i try to browse file shares with explorer it just freezes 22:35 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 22:37 < ecrist> evening, folks 22:37 < citrusfruitsnack> hi ecrist 22:40 < ecrist> citrusfruitsnack: you could try switching to tap, see if that helps at all. 22:41 < citrusfruitsnack> hmm i need to look into it. i'm not quite sure how routing works different than tun, and what the implications/why i should need it 22:42 < citrusfruitsnack> what does tap do that tun doesn't? 
22:58 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:04 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:22 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)] 23:29 < krzee> tunnels ethernet traffic 23:29 < krzee> tun can only tunnel ip traffic 23:44 < citrusfruitsnack> so like what's an example of ethernet traffic that's different from ip traffic --- Day changed Wed Feb 18 2009 00:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 00:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:52 -!- citrusfruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has quit ["Leaving"] 00:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:23 -!- surf_ [i=surf@gateway/tor/x-7a74ac1d3535f694] has joined ##openvpn 01:28 -!- c64zottel [n=hans@p5B17A9AF.dip0.t-ipconnect.de] has joined ##openvpn 01:55 -!- Burps [n=Burps@82.40.65-86.rev.gaoland.net] has joined ##openvpn 01:55 < Burps> hi everyone 01:57 < Burps> I have an old ovpn server A, that I want to physically replace with a brand new server B. Is it possible to migrate without having to connect on each client ? Right now, when I shutdown server A, the clients don't reconnect by themselves on server B 01:59 < uchimata> Burps: if it runs the same config and ip 02:05 < Burps> the config is based on dns... should this be the problem ? 02:06 < Burps> apparently, when trying to reconnect, the client makes a nex DNS request 02:07 < Burps> *new 02:07 < Burps> so the IP is different... but the DNS is still the same 02:59 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has joined ##openvpn 02:59 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has left ##openvpn ["Leaving"] 03:09 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. 
Anywhere."] 03:38 -!- Netsplit lem.freenode.net <-> irc.freenode.net quits: eagle, T0aD, c64zottel, clusterm1gnet, Burps, blaxthos, d0wn, disco-, pa, paruchuri, (+21 more, use /NETSPLIT to show all of them) 03:48 -!- Netsplit over, joins: eagle, reiffert 03:49 -!- Netsplit over, joins: T0aD, bandini, fpletzv6, smk 03:49 -!- Netsplit over, joins: paruchuri, hardwire, d0wn, vpnHelper 03:50 -!- Netsplit over, joins: surf_, krzee, troy-, logiclrd, dogmeat 03:50 -!- Netsplit over, joins: dvl, stephenh, blaxthos, clusterm1gnet, pa, worch, disco-, Typone, [intra]lanman 03:51 -!- Netsplit over, joins: c64zottel, jpalmer, kaii_, hads, huslu, meturaf 03:51 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 03:52 -!- tjz|lunch is now known as tjz 03:53 < tjz> darn. why am i always having lunch.. 03:53 < tjz> anyone what is the most efficient way to track bandwidth for multiple ip addresses? 04:04 < uchimata> to track or to limit? 04:05 -!- toni__ [n=toni@pD95040A2.dip0.t-ipconnect.de] has joined ##openvpn 04:20 -!- surf_ is now known as suirf80 04:20 -!- suirf80 is now known as surf80 05:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:09 -!- Burps [n=Burps@82.40.65-86.rev.gaoland.net] has joined ##openvpn 05:10 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 05:11 < Burps> hi, new question : when creating a new openvpn cert, I would like to give the "challenge password" as an argument to my script : is there an option to pass it to "openssl req " after that ? 05:31 -!- surf80 is now known as surf6869 06:27 -!- zhou_rock [n=zhou@61.151.242.254] has joined ##openvpn 06:28 < zhou_rock> how to install openvpn on smartphone? 
06:29 < zhou_rock> for windows mobile 06:32 < zhou_rock> :D,bye 06:32 -!- zhou_rock [n=zhou@61.151.242.254] has left ##openvpn [] 06:36 -!- _skx is now known as skx 06:42 -!- bsund [n=bsund@213.180.77.55] has joined ##openvpn 06:56 < ecrist> tjz: cacti and a polling script 06:57 < ecrist> lol, zhou_rock waited 4 minutes for an answer. 07:12 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 07:18 < reiffert> http://netzdeponie.de/download/fun/pics/if-bankers-were.jpg 07:18 -!- Waldgichtel [n=toni@pD95067FC.dip0.t-ipconnect.de] has joined ##openvpn 07:27 -!- toni__ [n=toni@pD95040A2.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 07:36 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn 07:41 < nardul> Who's the routing a routing master here? :) 07:44 < ecrist> nardul, what's your problem? 07:46 < nardul> We have a server, and a client. The client can connect to the server no problem, the client can ping the server's ip addresses. However the client can't ping network addresses on the server's network. 07:46 < nardul> Now, i have done "echo 1 > /proc/sys bla bla bla". So it should be able to forward. 07:47 < nardul> The machine on the server network does have a return path that is set correctly. 07:47 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 07:50 < nardul> However, from my workstation machine. I can ping the network on the other side of the client, through the VPN. However, i cannot ping the openvpn virtual network. 07:52 < ecrist> nardul: see here: 07:52 < ecrist> !route 07:52 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 07:52 < ecrist> see if that helps 07:53 < nardul> Thanks, you pasted that same link yesterday, and it did help me a lot. However, i seem to have problems reaching the openvpn virtual network. 
I don't think it's a routing problem. 07:58 < ecrist> oh 07:59 < ecrist> well, the lan on the vpn server side needs to have routes for the VPN 07:59 < ecrist> this is often accomplished 'automagically' by having your openvpn server running on your default gateway 07:59 < ecrist> otherwise, you should be able to put a static route on the default gateway pointing a route for the VPN subnet to the vpn server. 08:09 < nardul> I found the problem. The silly thing was of course a misconfigured route on my part. Thanks a lot, it helped ecrist! 08:09 < ecrist> np 08:11 -!- diazepam1 [n=trent@220-244-78-68.static.tpgi.com.au] has joined ##openvpn 08:13 < diazepam1> hi guys can anyone help me with this one http://paste2.org/p/149579 08:16 < ecrist> diazepam1: is this a new problem on a working VPN, or an initial setup? 08:16 < diazepam1> it was working 08:16 < diazepam1> for about 30 min 08:17 < diazepam1> but i had tls off 08:17 < diazepam1> i have 4 other servers running this 08:17 < ecrist> at first look, it appears to be a problem with your SSL certificates, but I don't know what the problem is, sorry. 08:17 < diazepam1> and are rock solid 08:17 < diazepam1> okay 08:18 < diazepam1> everything else looks okay 08:18 < diazepam1> ? 08:18 < ecrist> is that the server or client log? 08:18 < ecrist> looks like client 08:18 < diazepam1> client 08:19 < ecrist> what does the server log show? 08:19 < diazepam1> http://paste2.org/p/149586 08:20 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 08:21 < ecrist> I don't know. I'd have to point you to the mailing list for this one. 08:22 < diazepam1> can i ask 08:22 < diazepam1> the line tls-auth ta.key 1 08:22 < diazepam1> what does the '1' mean 08:22 < diazepam1> ? 08:22 < diazepam1> ?that its active 08:25 < ecrist> not sure 08:26 < reiffert> diazepam1: found this line in the official openvpn howto? I guess not. 08:26 < diazepam1> which line 08:28 < reiffert> diazepam1: see the manpage for about what the '1' means. 
08:28 < reiffert> especially Data Channel Encryption Options: 08:29 < diazepam1> ahhh okay 08:29 < diazepam1> i think i might go back and wipe all my keys 08:29 < diazepam1> start again 08:29 < diazepam1> thanks guys for the quick responses 08:29 < diazepam1> you rock! 08:29 < diazepam1> night 08:30 -!- diazepam1 [n=trent@220-244-78-68.static.tpgi.com.au] has left ##openvpn [] 08:33 -!- surf6869 [i=surf@gateway/tor/x-7a74ac1d3535f694] has quit [Remote closed the connection] 08:41 < Burps> when I create a certificate for a client, how can I specify, during the "openssl req...." command, the PEM passphrase, as an argument to this command ? 08:42 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 08:51 < ecrist> you need to store that in a file. this is covered in the man page 08:52 < Burps> and I give it as argument with "-pass file:MyPassFile" ? right ? 08:52 < Burps> or passin ? or passout ? 08:53 < Burps> I can't clearly understand how that works, a little hit would be appreciated :) 08:53 < Burps> hint* 08:54 < ecrist> !man 08:54 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 08:54 < ecrist> or, if you're running 2.1 08:54 < ecrist> !betaman 08:54 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html 09:09 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"] 09:12 < Burps> ecrist: sorry, I can't find the solution in the link you gave me.... I already read the openssl man, but I still can't understand 09:15 < Burps> my colleague doesn't want it, but I think i'm going to do this with "expect".... 09:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:41 < tjz> SSH used how many bit? 09:41 < tjz> may i know.. 09:41 < tjz> =) 09:48 < reiffert> may you read the ssh source to know ... 
09:51 < tjz> hehehehe 10:03 -!- mindbendr [n=neveraga@82.196.231.29] has joined ##openvpn 10:03 < mindbendr> hi, my openvpn server is trying to give the same ip to the clients which results the clients disconnected 10:03 < mindbendr> here is my openvpn cfg http://pastebin.com/m3cdf545a 10:04 < mindbendr> any ideas why does this occur 10:19 < sigius> mindbendr, not sure yet, but what is the 'float' for ? 10:19 < sigius> i.e. what does it do? 10:20 < mindbendr> sigius: man pages says "Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used)" 10:20 < mindbendr> --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client. 10:20 < mindbendr> Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option. 10:21 < sigius> mindbendr: right, got it 10:22 < sigius> mindbendr, btw by 'the same ip' you mean a fixed ip for each client ? 10:22 < mindbendr> sigius: no 10:23 < mindbendr> sigius: whoever tries to connect gets 172.16.0.134 as the ip 10:23 < mindbendr> so if a user is already connected 10:23 < mindbendr> the other one gets disconnected 10:24 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has left ##openvpn ["Leaving"] 10:26 < sigius> mindbendr, and does each client have its own key or are they sharing the same one ? 10:27 < mindbendr> sigius: generated by easy-rsa individually 10:27 < mindbendr> i've put the same `common name` when i'm generating them 10:27 < mindbendr> so assuming it's not wrong 10:29 < sigius> mindbendr, Sorry, I keep having trouble with the word 'same' :). same as what ? 
10:30 < mindbendr> when i was generating the certificates 10:30 < mindbendr> I've put `gate.local` as the common name to all of them 10:30 < mindbendr> am i mistaken by doing that? 10:30 < sigius> As far as I know the ovpn server identifies the client by their 'common name' 10:31 < mindbendr> so it must be the same on all the certs? 10:31 < sigius> so the ovpnserver would not see a difference between clients in your setup 10:31 < mindbendr> hmm 10:31 < mindbendr> why is it called `common name` then 10:31 < mindbendr> if they are not gonna be common ;) 10:32 < sigius> good point, there's bound to be a very good reason but I don't know it 10:32 < sigius> anyway they should differ 10:33 < mindbendr> are you sure 10:33 < mindbendr> Common Name (eg, your name or your server's hostname) []: 10:33 < mindbendr> if I'm gonna put my server's hostname 10:33 < mindbendr> it would be the same for all, wouldn't it 10:34 < sigius> Yes, I'm sure. although I'm having trouble refuting your logic :) 10:34 < mindbendr> right :) 10:34 < sigius> let me check the manpage 10:35 < mindbendr> found this 10:35 < mindbendr> Always use a unique common name for each client. C:\Program Files\OpenVPN\easy-rsa>build-key.bat client1 Loading 'screen' into random state - done ... 10:36 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has joined ##openvpn 10:37 < sigius> Right, I'm reading something similar in ovpn's howto: 10:38 < sigius> Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client. 10:40 < sigius> Q: In the manpage I read on using ipp.txt that "Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push". 
10:40 < sigius> Now I don't like the overhead of using ifconfig-push. Is there a way to make the ip addresses list in ipp.txt mandatory ? 10:42 < sigius> Btw: Indeed I've seen other ip addresses (than in ipp.txt) being given out, and only when resetting ovpn server did the client get the ipp.txt address again 10:47 < mindbendr> yeah 10:47 < mindbendr> but stupidity is 10:47 < mindbendr> when you want to generate a cert 10:48 < mindbendr> it says `Common Name (eg, your name or your server's hostname) []:` 10:48 < mindbendr> as it's called COMMON and it says SERVER's HOSTNAME 10:48 < mindbendr> i thought they supposed to be the same! 10:48 < sigius> mindbendr, very misleading, i have to agree. 10:50 < mindbendr> i assume the thing is 10:51 < mindbendr> they provide the same binaries for generating the key for the server and for the client 10:51 < mindbendr> in linux, that's the reason 10:57 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:59 -!- Burps [n=Burps@82.40.65-86.rev.gaoland.net] has quit ["Leaving"] 11:00 < sigius> Anyone any ideas on this : In the manpage I read on using ipp.txt that "Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push". 11:01 < sigius> Now I don't like the overhead of using ifconfig-push. Is there a way to make the ip addresses list in ipp.txt mandatory ? 11:03 < reiffert> ccd and ifconfig-push 11:06 < sigius> Yes, but is there another way ? using ipp.txt suits me lots better 11:06 < reiffert> edit the source code. 11:11 < sigius> hmm, yes .. well 11:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:25 -!- vcs [i=vcs@alien.jinxshells.com] has joined ##openvpn 11:25 < vcs> Hi, is it possible to assign an OpenVPN server an address other than .1? 
11:28 < reiffert> vcs: yes. 11:29 < vcs> I have googled but Have not had any luck, and I have tried doing it in the same way as I would a client to no avail. What is the easiest way to accomplish this without editing source code? 11:30 < reiffert> read the manpage. especially what the server line expands to and follow commands from there. 11:36 < ecrist> sigius: no, short answer is no 11:37 < ecrist> you *could* create a perl script which tails ipp.txt, and auto-creates ccd entries on the fly 11:37 < ecrist> but you'd have to know perl, or another scripting language 11:42 < reiffert> ecrist: that's wrong. the short answer is: it depends. 11:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:42 < ecrist> reiffert: depends on what? 11:42 < reiffert> ecrist: i'm sorry, thought you were replying to vcs. 11:43 < ecrist> oh 11:43 * ecrist puts on dunce cap anyway 11:43 -!- jreb__ [n=jreb@r47h141.dixie-net.com] has joined ##openvpn 11:43 -!- jreb__ [n=jreb@r47h141.dixie-net.com] has left ##openvpn ["Leaving"] 11:46 < sigius> ecrist, ok thanks, i think editing the code (and doing it again after an ovpn update) would be more appealing even 11:47 < ecrist> I would disagree with you. the script would be about 10 lines, and would be compatible with future versions. 11:48 < vcs> reiffert, I am trying to set OpenVPN up with a Class B netmask, however 11:48 < vcs> woops, that was supposed to be in my terminal :| 11:48 < ecrist> vcs, the netmask is irrelivant 11:48 < ecrist> I know I spelled that wrong 11:48 < sigius> ecrist: 'on the fly' means triggered by what exactly ? 11:49 < ecrist> new entries in ipp.txt 11:49 < ecrist> see 'man tail' for information on how tail works. 
11:50 -!- mindbendr [n=neveraga@82.196.231.29] has quit ["leaving"] 11:52 < sigius> ecrist, are you suggesting to keep a tail running on ipp.txt such that whenever I go and add a line the corresponding ccd entry is made (by the perl script) 11:52 < vcs> I keep getting route: netmask doesn't match route address. My boss is INSISTENT that I use 255.255.0.0 as a netmask. Shouldn't 10.2.2.103 be as valid a route address as any(ifconfig 10.2.2.102 10.2.2.103,ifconfig-pool 10.2.2.105 102.2.2.254,route 10.2.2.0 255.255.0.0, push "route 10.2.2.102")? I don't even understand what the point of that is given we are going to have less than 5 people on this. 11:52 < ecrist> sigius: yes. 11:53 < ecrist> ipp.txt isn't really supposed to be for you to edit, entries are added by the openvpn process automatically. 11:55 < vcs> AHh fixed it, never mind 11:55 * vcs slaps himself 11:56 < sigius> ecrist, I'm not sure the man page says :If seconds = 0 (in --ifconfig-pool-persist file [seconds]), file will be treated as read-only. This is useful if you would like to treat file as a configuration file. 11:57 < ecrist> regardless, the script would auto-create the ccd entries. 12:00 < sigius> ecrist, ok thanks, i'll give that a try (once I get these ccd approach working in the first place) 12:00 < sigius> these -> that 12:00 < vcs> I have ifconfig-pool 10.2.0.1 10.2.255.255, ifconfig 10.2.2.102 10.2.2.103 but for some reason my first client IP is 10.2.2.106 12:01 < vcs> do clients have to come explicitly AFTER the gateway when automatically being assigned an address? 12:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:39 < ecrist> sigius: what isn't working with ccd? 13:00 < vcs> wow, ethernet bridging just fixed ALL of my problems. 
13:06 < krzee> vcs 13:06 < krzee> !/30 13:06 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 13:08 -!- toni__ [n=toni@pD9506BD1.dip0.t-ipconnect.de] has joined ##openvpn 13:12 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)] 13:25 -!- Waldgichtel [n=toni@pD95067FC.dip0.t-ipconnect.de] has quit [Read error: 101 (Network is unreachable)] 13:26 < krzee> [09:57] ecrist, are you suggesting to keep a tail running on ipp.txt such that whenever I go and add a line the corresponding ccd entry is made (by the perl script) 13:26 < krzee> ipp.txt makes no guarantee it will be obeyed 13:26 < krzee> its more like a suggestion 13:27 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has joined ##openvpn 13:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:51 < sigius> krzee, I know, that was my problem. until recently I always saw the suggestion being followed, but not anymore 13:54 < vcs> hmmm... I run: "iptables -t nat -A PREROUTING -p tcp -i tun0 -d 10.2.2.102 --dport 5002 -j DNAT --to 10.2.1.212:5001" and then "iptables -A FOWARD -p tcp -i tun0 -d 10.2.1.212 --dport 5001 -j ACCEPT" but for some reason traffic is not flowing. i can connect to 5001 on 10.2.1.212 just fine, but still not able to connect to 10.2.2.102 on port 5001. 10.2.1.212 is accessible on eth0, and 10.2.2.102 is accessible from tun0. 13:54 < vcs> 5001* for dport 13:55 < vcs> I get a connection refused when telnetting into port 5001 13:55 < vcs> is there anything special I need to do with the tun device? 
13:57 < krzee> nah but its only accessible to vpn clients 13:58 < krzee> im no iptables expert 13:58 < krzee> but finding someone who is would be your fastest way to an answer 13:58 < krzee> since thats not an openvpn question at all 13:58 < vcs> well I mean i am sure it is a pretty common use of openvpn to access an external service in a controlled manner 14:04 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 14:06 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 14:06 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has joined ##openvpn 14:07 < sigius> Come to think of it, what would make a lot of sense is, if openvpn were to consult the hostfile when giving out ip addresses to connecting clients 14:07 < ecrist> sigius: that would not make sense. 14:08 < ecrist> I can understand your point of view, but openvpn configuration can be much more complicated than a single IP. 14:09 < krzee> !factoids search ip 14:09 < vpnHelper> krzee: 'tls-cipher', 'iporder', 'winipforward', '2.1-winpass-script', 'chooseip', 'iptables', 'linipforward', 'ipp', and 'ipv6' 14:09 < krzee> !iporder 14:09 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 14:10 < ecrist> krzee: done touring the Americas, or just sitting in another consulate? 14:10 < sigius> ecrist, this way I add a CommonName to my host table, the client (with that CN) connects and gets the ip address in the hostfile. Once connecting is made I can do a 'ping CommonName'. Handy. 
minimal administration effort 14:10 < krzee> im in southern california right now 14:10 < krzee> headed to peru any day 14:11 < sigius> ecrist, makes sense to me 14:11 < ecrist> sigius: while I understand what you're saying, it's over-simplified. 14:11 < krzee> sigius, --client-connect script can add to /etc/hosts for you if you want it to 14:11 < krzee> and i dont want my existing hostfile to mess up connecting clients because a name was double chosen 14:12 < sigius> krzee, thanks i'll check that out 14:12 < krzee> sigius, when i typed !iporder it was for you 14:12 < krzee> !iporder 14:12 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 14:12 < krzee> that is, in order, how openvpn assigns IPs 14:12 < sigius> krzee, ok didnt get that. thanks 14:12 < krzee> np 14:13 < krzee> !man 14:13 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:13 < krzee> for more info 14:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:36 -!- dscastro [n=diego@unaffiliated/dscastro] has joined ##openvpn 14:36 < dscastro> morning all 14:36 < dscastro> evening 14:37 < ecrist> howdy 14:37 < dscastro> can i set ovpn for multiple clients and each client gets the same LAN ip? 14:38 < ecrist> not sure I follow, but PAT would be the answer. 14:39 < dscastro> ecrist, have you ever done it? 14:39 < ecrist> yep 14:39 < ecrist> it's not supported in OpenVPN, it's a firewall/router issue 14:39 < ecrist> each VPN client would really have their own IP 14:40 < dscastro> ecrist, and must be different of lan, right? 14:40 < ecrist> yes 14:41 < dscastro> well.. have you some doc for doing this? 
14:41 < ecrist> no, you would setup OpenVPN normally, and then setup PAT/NAT on the router between the VPN and the LAN 14:42 < dscastro> ok, 14:42 < dscastro> how i setup for multiple clients? 14:43 < ecrist> have you read the howto? 14:44 < dscastro> i'm reading now! 14:44 < ecrist> ok! 14:44 < krzee> !! 14:44 < vpnHelper> krzee: Error: "!" is not a valid command. 14:45 < krzee> lol 14:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 15:07 -!- fpletzv6_ [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has joined ##openvpn 15:07 -!- fpletzv6 [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has quit [Read error: 54 (Connection reset by peer)] 15:13 -!- dscastro [n=diego@unaffiliated/dscastro] has quit [Remote closed the connection] 15:42 -!- plaerzen [n=carpe@174.0.97.175] has quit [Remote closed the connection] 16:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 16:25 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 16:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:36 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Connection timed out] 16:36 -!- d0wn_ is now known as d0wn 16:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 16:49 < sigius> hmm, it seems client-config-dir scripts and client-connect scripts are treated differently; ifconfig-push does not work in a client-connect script. 16:55 < sigius> also a client-connect script understands things like $common_name and a ccd script doesnt 16:58 < sigius> ok, think i got it .... 16:59 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has quit ["Leaving"] 17:10 < sigius> So, turns out I can use the hostfile /etc/hosts directly: my client-connect script is one line "echo 'ifconfig-push $common_name 10.8.0.1' > $1" . $common_name is then matched against the hostfile. 
18:00 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 18:02 < diazepam> hey guys, just a quickie. I have a tap tcp vpnserver working nicely, however it only allows one person to connect at any time even though i have specified a range of addresses .161 -> 191. The person to log on always gets the address .161 and kicks any other connected users. Any ideas? 18:04 < diazepam> server.conf http://paste2.org/p/149885 18:06 < diazepam> client conf http://paste2.org/p/149886 18:17 < diazepam> won't somebody love me? 18:20 < diazepam> okay everyone is busy. Be back later tonight. =) 18:20 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn [] 18:53 -!- c64zottel [n=hans@p5B17A9AF.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)] 19:15 -!- toni__ [n=toni@pD9506BD1.dip0.t-ipconnect.de] has quit ["Verlassend"] 19:53 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 20:03 -!- dmb [n=dmb@unaffiliated/dmb] has joined ##openvpn 20:11 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 20:16 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 20:17 -!- dmb_ [n=dmb@74.214.115.252] has joined ##openvpn 20:18 -!- dmb [n=dmb@unaffiliated/dmb] has quit ["Leaving"] 20:27 -!- dmb_ is now known as dmb 20:47 -!- LumberCartel [n=IceChat7@24.86.160.252] has joined ##openvpn 20:48 < LumberCartel> Hello folks. I'm using OpenVPN v2.1 on the server, and I'm trying to connect a client. The client gets an IP address, but is unable to ping the server or anything on the network on the server side. The server is unable to ping the client. 20:48 < LumberCartel> The server is NetBSD 4 and it acts as a gateway. 20:49 < LumberCartel> Where should I look for OpenVPN configuration tips when the OpenVPN server is on the gateway, with packet forwarding enabled? 20:49 < LumberCartel> Thanks in advance. 20:55 < onats> howdy 21:01 < LumberCartel> Hello onats. 
21:03 < onats> !configs
21:03 < vpnHelper> onats: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
21:03 < onats> !sample-config
21:04 < vpnHelper> onats: Error: "sample-config" is not a valid command.
21:04 < onats> !sample
21:04 < vpnHelper> onats: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:04 < onats> there you go
21:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
21:38 < dmb> if you are connecting to an openvpn server, is there a way on the linux client side to use that openvpn's internet connection?
21:45 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
21:58 -!- LumberCartel [n=IceChat7@24.86.160.252] has quit ["Go Team Venture!"]
22:36 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
23:10 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:20 < onats> yes
23:33 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:38 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Thu Feb 19 2009
00:24 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
00:40 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
01:01 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
01:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:40 < reiffert> moin
02:14 -!- Ox41464b [n=satria@unaffiliated/Ox41464b] has joined ##openvpn
02:15 < Ox41464b> Im looking for Easy-To-Install/Config OpenVPN for Server and Client side, is there any suggestion ?
02:15 < reiffert> !howto
02:15 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:17 < Ox41464b> reiffert, yes its great... and confusing.. I've tried it before with my LAN-PC, and ended with i must physical reboot (on Windows)
03:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:33 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
03:42 -!- mikkel_ is now known as mikkel
03:53 -!- fpletzv6_ is now known as fpletzv6
04:29 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:29 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn
04:30 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:44 < Roman123> After I disconnect my client from the openvpn server (connect and disconnect work smoothly, no error messages), the openvpn logfile of the server is filled up with read "UDPv4 [ECONNREFUSED]: Connection refused (code=146)". Is this a bug?
04:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- mindbendr [n=neveraga@host86-133-198-234.range86-133.btcentralplus.com] has joined ##openvpn
04:55 < mindbendr> hi I can't make openvpn working with UDP, it works fine with TCP protocol
04:56 < mindbendr> i can see there are some stuff coming in and going out on UDP port via tcpdump
04:56 < mindbendr> but it can't get to TLS handshaking etc
04:58 < mindbendr> any ideas?
05:26 -!- mindbendr [n=neveraga@host86-133-198-234.range86-133.btcentralplus.com] has quit ["leaving"]
05:42 -!- Ox41464b [n=satria@unaffiliated/Ox41464b] has quit []
06:09 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
06:51 -!- zertyuio [n=chatzill@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
07:15 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
07:18 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
07:25 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
07:44 -!- Spabby [n=G@host-84-9-136-140.dslgb.com] has joined ##openvpn
07:52 < Spabby> hi there my client is timing out despite the settings appearing to be correct, I have pasted my configs and the log here, any advice would be gratefully received!
07:52 < Spabby> http://pastebin.com/m6c8a62ea
07:56 < Spabby> does the keep-alive setting need to be set in both client and server config?
07:58 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
08:20 < reiffert> Spabby: when did it stop working?
08:22 < reiffert> Spabby: are both machines on 192.168.0.0 net?
08:28 < Spabby> hi
08:29 < Spabby> it stops after about 3-4 minutes I think
08:29 < Spabby> and yes both machines are on 192.168.0.x/24
08:29 < Spabby> in the wild they will be connecting over internet link
08:29 < reiffert> does it work for those 3-4 minutes? Can you prove the packets to travel over the encrypted tunnel?
08:30 < Spabby> yep, I am posting to a mysql database over the tunnel
08:30 < Spabby> it works when it reconnects as well
08:30 < Spabby> but I can see that the control pings are not getting returned by the client (I think)
08:32 < reiffert> Change comp-lzo zo comp-lzo no on both configs, then have both configs a keepalive 10 60
08:32 < reiffert> s, zo , to ,
08:32 < Spabby> change comp-lzo to comp-lzo no
08:32 < reiffert> yep
08:35 < Spabby> no difference :(
08:36 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
08:38 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
08:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
08:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
08:44 -!- T0aD [n=nnnnnnnn@lescigales.org] has left ##openvpn []
08:44 -!- Spabby [n=G@host-84-9-136-140.dslgb.com] has left ##openvpn []
09:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:24 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
09:31 < ecrist> howdy, plaerzen
09:37 < plaerzen> hey ecrist
09:37 < plaerzen> how's it going ?
09:38 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:51 -!- El_Presidente [i=Martin@p5798E9BE.dip.t-dialin.net] has joined ##openvpn
09:51 < El_Presidente> hello
09:52 < El_Presidente> reiffert, may i ask you *again* about my vpn problems; here is the config : http://pastebin.com/m58dce922
09:53 < El_Presidente> i always get this error : http://pastebin.com/m4d695112
09:53 < El_Presidente> also the performance is crappy if i set route-gateway
09:53 < El_Presidente> i get just 15kb/s
10:14 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has joined ##openvpn
10:17 < MIPS> hello. my /dev/net/tun device permissions are like these 'crw-r-----' but I think the correct values are 'crw-r--r--' It's true? What kind of problem I may encounter using openvpn in my situation?
10:18 < ecrist> MIPS: crw------- is the permissions for my interfaces on FreeBSD.
10:18 < ecrist> why are you looking at that?
10:25 -!- Omache [n=teastep@2002:ce7c:92b4:1:21b:24ff:fecb:2bcc] has joined ##openvpn
10:25 < MIPS> linux kernel 2.6.8.1
10:26 -!- Omache [n=teastep@2002:ce7c:92b4:1:21b:24ff:fecb:2bcc] has left ##openvpn ["Leaving"]
10:26 < MIPS> and it's true that the correct value is 'crw-r--r--' ?
10:34 -!- c64zottel [n=hans@p5B17B27E.dip0.t-ipconnect.de] has joined ##openvpn
10:34 -!- c64zottel [n=hans@p5B17B27E.dip0.t-ipconnect.de] has left ##openvpn []
10:35 < MIPS> I asked this because in my openserver side I can read anything RX packets:0 TX packets: 553
10:36 < MIPS> and using verb 9 I read in openvpn server
10:36 < MIPS> something like
10:36 < MIPS> Thu Feb 19 16:33:55 2009 us=330829 UDPv4 read returned -1
10:37 < MIPS> Thu Feb 19 16:33:55 2009 us=330829 read UDPv4 [ECONNREFUSED]: Connection refused
10:37 < MIPS> (code=146)
10:37 < MIPS> :(
10:39 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
10:40 < toddoon_> can someone help me to configure my client?
10:40 < toddoon_> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/client.conf:4: ---BEGIN (2.1_rc11) i have this
10:43 < toddoon_> ok no problem in fact
10:44 < El_Presidente> take a look in line 4 ...
10:44 < MIPS> can someone help me?
10:44 < toddoon_> ok i fix the solution thx
10:44 < toddoon_> *problem
10:48 < Roman123> Enabled Common name is "James_Band" /etc/openvpn/clients/James_Band
10:48 < Roman123> oops
10:48 < Roman123> Sorry, too fast.
10:49 < Roman123> I like to assign certain IP's to certain client, which should be possible by means of the client_config_dir directive, right?
10:52 < Roman123> So I put option client_config_dir /etc/openvpn/clients in my server's openvpn config file. Additionally, I put a file called James_Band into /etc/openvpn/clients with the content "ifconfig-push 10.168.1.198 10.168.1.199". The IP range in the openvpn network is ' option server "10.168.1.0 255.255.255.0" '.
10:53 < Roman123> After restarting the server, and connecting with the client featuring "James_Band" in the common name still assigns a wrong IP (10.168.1.6 instead of 10.168.1.198)
10:54 < Roman123> I guess I've missed just a small thing.
10:54 < Roman123> Any ideas how get rid of that?
10:58 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
11:08 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
11:09 < toddoon_> hi could help me, i can ping the vpn server 10.3.0.8 but i don't anybody
11:09 < toddoon_> *see
11:10 < Roman123> toddoon_: sorry, I don't understand in particular your problem.
11:10 < Roman123> you can ping from the client side the server?
11:10 < toddoon_> yes i am the client and i can ping the server
11:10 < Roman123> and you like to see?
11:11 < toddoon_> yes
11:11 < Roman123> other clients?
11:11 < toddoon_> yes
11:11 < Roman123> or what?
11:11 < Roman123> do you use tun or tap?
11:11 < toddoon_> no i will others clients
11:11 < toddoon_> i have an interface named tap0
11:12 < Roman123> you will others clients? <-- this means?
11:12 < toddoon_> sorry, i would *see
11:13 < Roman123> Perhaps try to put "option client_to_client 1" in your server config.
11:13 < Roman123> I guess that should help
11:14 < Roman123> IMHO that's disabled per default
11:14 < toddoon_> ok thx i will try
11:14 < Roman123> good luck :)
11:16 < Roman123> No ideas about my "client_config_dir" problem? :-(
11:18 < toddoon_> Roman123: it tell me: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/client.conf:5: option (2.1_rc11)
11:20 < Roman123> toddoon_: what did you put exactly in your config file (which line)?
11:21 < toddoon_> Roman123: line 5: option client_to_client 1
11:22 < Roman123> weird, then I have no idea.
11:22 < Roman123> toddoon_: which version of openvpn do you run?
11:22 < Roman123> and on which os?
11:22 < toddoon_> OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008
11:22 < toddoon_> Developed by James Yonan
11:22 < toddoon_> Copyright (C) 2002-2008 Telethra, Inc.
11:22 < toddoon_> g
11:22 < toddoon_> *ubuntu
11:23 < Roman123> toddoon_: sorry I have to leave. But try to google for "option client_to_client 1"
11:23 < toddoon_> Roman123: ok thx :D
11:24 < Roman123> toddoon_: i guess you're on the right way with this option.
11:24 < Roman123> bye
11:24 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"]
11:47 -!- Netsplit lem.freenode.net <-> irc.freenode.net quits: eagle, toddoon_, clusterm1gnet, vcs, blaxthos, disco-, pa, krzie_, skx, disposable, (+39 more, use /NETSPLIT to show all of them)
11:47 -!- Irssi: ##openvpn: Total of 2 nicks [0 ops, 0 halfops, 0 voices, 2 normal]
11:49 -!- Netsplit over, joins: toddoon_, MIPS, El_Presidente, roentgen, plaerzen, [intra]lanman, pa, zertyuio, cpm, mikkel (+10 more)
11:49 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:49 -!- Netsplit over, joins: Typone, disco-, worch, clusterm1gnet, blaxthos, stephenh, dvl
11:49 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:49 -!- Netsplit over, joins: logiclrd, troy-, vpnHelper, hardwire, smk, bandini, reiffert, eagle, skx, disposable (+10 more)
11:54 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has quit []
11:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [SendQ exceeded]
12:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:11 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
13:08 -!- zertyuio [n=chatzill@bgl93-3-82-230-208-124.fbx.proxad.net] has left ##openvpn []
13:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:11 < krzee> ecrist, server sent
13:11 < krzee> (im in orlando, just sent it)
13:12 < ecrist> damn, about time
13:12 < krzee> i hope you dont mind i sent 2 boxes, i cant take the other on the airplane
13:12 < krzee> maybe i can have you send it to the next place for me when it comes time if you dont mind
13:12 < ecrist> shouldn't be an issue.
13:12 < krzee> nice, thanx
13:12 < ecrist> np
13:13 < reiffert> Call the police, they are smuggling drug sniffing dogs!
13:14 < krzee> do they have dog sniffing dogs to find the drug sniffing dogs?
13:14 < ecrist> nope, they have cats for that.
13:14 < ecrist> lol
13:15 < krzee> hah
13:15 < krzee> my plane to cali is about to board
13:16 < krzee> im going going
13:16 < krzee> back back
13:16 < krzee> to cali cali
13:16 < ecrist> travel much? sheesh
13:16 < krzee> heh
13:16 < krzee> tomorrow i go to peru
13:17 < krzee> i just had to stop here quick to ship those servers
13:17 < krzee> i hella want the guys sister now too
13:17 < krzee> shes way hot and cool too
13:17 < ecrist> I want a piece!
13:18 < krzee> ill save your spot in line behind me
13:19 < ecrist> a'ight
13:23 < ecrist> krzee: am I putting both those boxes online, or just one?
13:24 < krzee> ones missing a HD
13:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
13:34 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
13:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
13:41 < reiffert> sounds like get a HD and get it online :)
13:41 < ecrist> heh
13:41 < ecrist> I *do* have a couple 250GB drives...
13:42 < ecrist> 'what, I only remember getting one box. where'd my new server come from, oh, I just picked it up somewhere...'
13:44 < Roman123> I like to assign certain IPs to certain clients, which should be possible by means of the client_config_dir directive. So I put the option "client_config_dir /etc/openvpn/clients" in my server's openvpn configuration file. Additionally, I put a file called James_Band with the content "ifconfig-push 10.168.1.198 10.168.1.199" into /etc/openvpn/clients. The IP range in the openvpn network is defined by ' option server "10.168.1.0 255.255.255.0" '. A
13:44 < Roman123> fter restarting the server, a connecting with the client featuring "James_Band" in the common name still assigns a wrong IP (10.168.1.6 instead of 10.168.1.198). I guess I've missed just a small thing to get this working. Any ideas how get rid of that?
14:03 -!- zertyuio [n=chatzill@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
14:03 < zertyuio> hi there
14:03 < zertyuio> where i can find openvpn for wm6 ?
14:03 < zertyuio> windows mobile 6
14:03 < ecrist> zertyuio: no idea. try google
14:04 < zertyuio> i have already tried
14:04 < zertyuio> there is only version wm5
14:04 < zertyuio> is it existe ?
14:04 < ecrist> Roman123: we'd need your client and server logs to help you
14:05 < ecrist> zertyuio: don't know. it's not an overly-popular topic.
14:05 < zertyuio> sorry
14:05 < zertyuio> my question is
14:05 < zertyuio> is there any openvpn version for WM6 ?
14:05 < zertyuio> or is it only designed to be use only WM5 ?
14:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:08 < zertyuio> hello
14:09 < ecrist> hello
14:10 < zertyuio> yes
14:10 < zertyuio> is there any version of openvpn for windows mobile 6 please ?
14:10 < zertyuio> i still searching using google can't find an download for WM6
14:12 < zertyuio> anyone can help plz .;?
14:19 -!- plaerzen [n=carpe@174.0.97.175] has quit [Remote closed the connection]
14:22 < zertyuio> hello
14:23 < zertyuio> what's wrong with my question ?
14:25 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
14:31 < zertyuio> hello
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:00 < zertyuio> hello
15:00 < zertyuio> is there anyone here ?
15:02 < ecrist> yes
15:02 < zertyuio> you
15:03 < ecrist> me?
15:03 < zertyuio> so plz ask
15:03 < zertyuio> my question
15:03 < ecrist> I don't know the answer to your question.
15:03 < zertyuio> ok
15:03 < ecrist> My guess is that nobody here knows, otherwise they would have answered.
15:04 < zertyuio> ok let me
15:04 < zertyuio> is to possible to compile from source code
15:04 < zertyuio> for windows mobile 6 platform ?
15:05 < zertyuio> i m asking to you ecrist
15:05 < ecrist> I'd try to compile and see what happens.
15:06 < zertyuio> ok take your time
15:06 < ecrist> no. *you* try. I'm not going to
15:07 < zertyuio> ok leave it
15:08 < zertyuio> an other question what openvpn can do
15:08 < zertyuio> ???
15:08 < zertyuio> sorry i m totally new
15:08 < ecrist> see the website
15:08 < zertyuio> yes i read
15:09 < zertyuio> i got a question
15:09 < zertyuio> it says to install on server and client the openvpns software
15:09 < zertyuio> once after installing
15:10 < zertyuio> it says the server openvpn send an ip to client
15:10 < zertyuio> am i right ?
15:10 < zertyuio> kind of dns server
15:10 < zertyuio> am i right ? ecrist
15:12 < zertyuio> you take time that is not good
15:12 < zertyuio> tell me quick
15:13 < zertyuio> are you an old bold
15:13 < zertyuio> ??$
15:13 < ecrist> zertyuio: go away
15:13 < ecrist> don't PM me, either.
15:14 -!- mode/##openvpn [+o ecrist] by ChanServ
15:14 -!- mode/##openvpn [+b *!*=chatzill@*.fbx.proxad.net] by ecrist
15:14 -!- zertyuio was kicked from ##openvpn by ecrist [ecrist]
15:14 -!- mode/##openvpn [-o ecrist] by ecrist
15:15 < ecrist> lol, he PMs me and calls me a big pussy
15:15 < ecrist> in french,
15:15 < ecrist> or spanish, can't tell for certain
15:15 < ecrist> french
15:15 < reiffert> ecrist: and he is right.
15:15 < reiffert> isn't he?
15:16 < ecrist> well, you are what you eat
15:16 < ecrist> not that I eat 'big pussy', just big quantities
15:16 < reiffert> :)
15:19 < El_Presidente> *sigh*
15:19 < ecrist> my french is rusty. he called me 'big dog' and some other words I can't translate (even google isn't helping)
15:19 < ecrist> I confused chiene and chat
15:19 < El_Presidente> ecrist, i usually use latin ;)
15:19 < ecrist> lol
15:19 < El_Presidente> like *stultus es*
15:19 < El_Presidente> or *asinus es*
15:19 < El_Presidente> first means you are an idiot
15:20 < El_Presidente> and second you are a donkey
15:20 < El_Presidente> and the best is no one understands it ;)
15:20 < ecrist> I wish I was educated like that.
15:20 < ecrist> at best, I know enough french/spanish to misinterpret better than many.
15:21 < El_Presidente> well but i guess you are far more talented with VPN than me ;)
15:21 < El_Presidente> that brings me to my BIG problem ...
15:22 < ecrist> I'm a newb, masquerading as a guru.
15:22 < El_Presidente> ^^
15:22 < El_Presidente> then i think i should ask reiffert ;)
15:23 < El_Presidente> reiffert, may i pm you? because you are also german and maybe im able to explain my problems better in german ...
15:24 < ecrist> El_Presidente: you may use german in here, if you'd like.
15:24 < El_Presidente> ty
15:24 < ecrist> we generally shy away from it, but you're here often enough.
15:24 < El_Presidente> well i usually try to use english here
15:24 < El_Presidente> because if i just talk about my problem in german no one else will understand
15:24 < ecrist> El_Presidente: what is your problem?
15:25 < El_Presidente> well i bridged my routers local interface with openvpn
15:25 < El_Presidente> so i can surf via my local dsl and use my local shares from university
15:25 < ecrist> ok
15:26 < ecrist> on the server, or the client?
15:26 < ecrist> when I see 'local,' I assume client.
15:26 < El_Presidente> well the tunnel works
15:26 < El_Presidente> also the surfing
15:26 < El_Presidente> but surfing is horribly slow
15:27 < El_Presidente> e.g. my notebook is 192.168.0.235
15:27 < El_Presidente> my router is 192.168.0.1
15:27 < El_Presidente> if i download something from my routers ftp
15:27 < El_Presidente> i get about 500kb/s
15:27 < El_Presidente> that's nearly 90% of my upstream to internet
15:27 < El_Presidente> that's ok
15:27 < ecrist> ok
15:27 < El_Presidente> but if i try to download something from a webserver like kernel.org
15:27 < El_Presidente> i just get 100kb/s
15:28 < ecrist> that sounds about right, maybe a little slower than it should be, but when you're downloading from another site, you're generally using double the bandwidth on the server end.
15:28 < El_Presidente> no
15:28 < ecrist> because you're using your internet connection twice.
15:28 < El_Presidente> i have VDSL
15:29 < El_Presidente> my local downstream is 2.5mb/s
15:29 < El_Presidente> the upstream is 600kb/s
15:29 < El_Presidente> so i download it via my downstream and send it through my upstream to the notebook
15:29 < El_Presidente> if i see this correct
15:29 < El_Presidente> ?
15:30 < El_Presidente> i really have no clue what i can do
15:30 < ecrist> to a degree. i don't know the exact math, but there's overhead for ack packets, etc. try playing with the MTU, there's a --test-mtu or similar.
15:30 < El_Presidente> hmm yes but shouldn't i have the same problems from local files then?
15:30 < ecrist> El_Presidente: the speed is going to vary greatly on the fragmentation.
15:30 < El_Presidente> if it is a mtu problem?
15:31 < El_Presidente> as i said if i send from 192.168.0.1 > tunnel > 192.168.0.235 i get 520kb/s
15:31 < ecrist> not necessarily
15:31 < El_Presidente> but if i download kernel.org > dsl > 192.168.0.1 > tunnel > ....
15:32 < El_Presidente> hmm okay
15:32 < ecrist> the problem is, kernel.org sends a certain sized packet, which may get fragmented based on the MTU for the tunnel.
15:32 < El_Presidente> so what would you recommend?
15:32 < ecrist> when connecting to the VPN server, the server knows the MTU, so sets the packet size accordingly, the first time.
15:32 < ecrist> no re-fragmentation.
15:33 < ecrist> krzee is better with this part than I
15:33 < ecrist> !mtu
15:33 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
15:33 < ecrist> try that, see if it cleans up your connection.
15:33 < ecrist> otherwise, reiffert may know more than I.
15:35 < El_Presidente> okay ty
15:37 < reiffert> El_Presidente: no
15:37 < reiffert> (pm)
15:38 < reiffert> ecrist: I had some years french in school, I may translate...
15:38 < ecrist> 15:13 what enculer ?
15:38 < ecrist> 15:13 nicke ta race
15:38 < ecrist> 15:13 gros chiene ^
15:39 < reiffert> enculer is an asshole
15:40 < reiffert> nick ta means : fuck your ... and race probably is in english
15:40 < reiffert> chienne is a bitch
15:41 < ecrist> you studied french better than I in school, then. ;)
15:42 < reiffert> I've been to france with 3 school-exchanges, twice on holiday and so on
15:43 < reiffert> I really really love them, they are totally crazy.
15:43 < reiffert> (all of them, no exception)
15:44 < ecrist> lol
16:13 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
16:15 -!- matadon [n=matadon@173.8.157.70] has joined ##openvpn
16:17 < matadon> Stupid question, but can the same OpenVPN daemon (OpenVPN 2.1 on Linux) be used as both a server and client, or do I need to run a second daemon?
16:21 < El_Presidente> i think all you need is a second config file in /etc/openvpn
16:22 < El_Presidente> and then try to restart your daemon
16:25 < reiffert> matadon: checkout
16:25 < reiffert> !howto
16:25 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:25 < reiffert> matadon: that is, one daemon as server and one openvpn as client.
16:46 < matadon> Thanks; I got it sorted.
16:46 -!- matadon [n=matadon@173.8.157.70] has quit []
17:21 -!- zheng [n=zheng@218.82.139.88] has joined ##openvpn
17:30 -!- ubunt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-959e30bfc9bfde07] has joined ##openvpn
17:31 < ubunt> hi
17:31 < ubunt> is there anyone here ?
17:36 -!- ubunt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-959e30bfc9bfde07] has left ##openvpn []
18:00 -!- zheng [n=zheng@218.82.139.88] has quit ["Leaving"]
18:14 < El_Presidente> reiffert, i used mtu-test tool for windows and i always get different results
18:15 < El_Presidente> it seems every time i press test i get a different value
18:15 < El_Presidente> also the mtu-test of openvpn shows something else
18:35 -!- El_Presidente [i=Martin@p5798E9BE.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
19:09 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)]
19:10 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
19:23 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
19:25 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
19:32 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:50 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has joined ##openvpn
20:53 < pg1054> Is there a current mailing list? @ "http://openvpn.net/index.php/mailing-lists.html" latest archive seems to be thru 02/2008 ...
20:59 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has joined ##openvpn
21:05 < ecrist> pg1054: yes, there is current activity. openvpn sites are pretty broken, for the most part.
21:06 < pg1054> ecrist: ah. _is_ there an up-to-date archive _anywhere_? nabble, gmane, etc etc?
21:06 < pg1054> would like to peruse to not ask my/an already-answered question ....
21:11 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has quit []
21:17 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has quit [Read error: 104 (Connection reset by peer)]
21:24 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has joined ##openvpn
21:25 < endeavormac> i have host server and host client. host client is connecting to host server and using "redirect-gateway def1" to route all its traffic through the tunnel. I can get so far as pinging the eth0 interface on the server, but i can't go further than that. does anyone have any ideas?
21:27 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Connection timed out]
21:40 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has quit ["Leaving"]
22:12 -!- steven_ [n=steven@pool-71-179-97-206.bltmmd.fios.verizon.net] has joined ##openvpn
22:12 < steven_> hi
22:12 -!- steven_ is now known as fuse_kt
22:13 -!- fuse_kt is now known as fuse_ly
22:13 < fuse_ly> ack
22:15 -!- fuse_ly [n=steven@pool-71-179-97-206.bltmmd.fios.verizon.net] has quit [Client Quit]
22:18 -!- dmb [n=dmb@unaffiliated/dmb] has quit [Remote closed the connection]
23:04 -!- fruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has joined ##openvpn
23:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:08 < fruitsnack> hello, i am trying to set up openvpn in the bridged interface. i use "openvpn --mktun --dev tap0" to make the tap device, and then "brctl adbr testbridge; brctl addif mybridge tap0; brctl addif mybridge eth0
23:08 < fruitsnack> after bridging eth0 to the bridge i just made, the internet immediately disconnects
23:08 < fruitsnack> by that i mean the ssh session is dropped and i have to restart my server before i can connect again
23:09 < fruitsnack> i don't understand why this is the case or how to fix it
23:18 < fruitsnack> i suspect i need to add a route for the new bridge device
23:18 < fruitsnack> so i did "route add default gw 192.168.1.1 dev mybridge
23:18 < fruitsnack> but it still doesn't work
23:20 < fruitsnack> !route
23:20 < vpnHelper> fruitsnack: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
--- Day changed Fri Feb 20 2009
00:28 -!- fruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has quit [Read error: 110 (Connection timed out)]
01:07 < reiffert> he was close.
01:19 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
02:04 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:05 -!- bombayvdmo [n=victor@adsl190-28-180-112.epm.net.co] has joined ##openvpn
02:05 < bombayvdmo> Hi
02:06 < bombayvdmo> i get this error when openvpn tries to reconnect "RESOLVE: Cannot resolve host address: kaworu.dyndns.org: [TRY_AGAIN] A temporary error occurred on an authoritative name server."
02:08 < bombayvdmo> i use: keepalive 1 5
02:08 < bombayvdmo> inactive 3600
02:08 < bombayvdmo> user nobody
02:08 < bombayvdmo> persist-key persist-tun resolv-retry infinite
02:19 -!- bombayvdmo [n=victor@adsl190-28-180-112.epm.net.co] has left ##openvpn []
02:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:07 -!- c64zottel [n=hans@p5B17AED7.dip0.t-ipconnect.de] has joined ##openvpn
--- Log closed Fri Feb 20 03:20:14 2009
--- Log opened Fri Feb 20 03:20:18 2009
03:20 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
03:20 -!- Irssi: ##openvpn: Total of 44 nicks [0 ops, 0 halfops, 0 voices, 44 normal]
03:20 -!- Irssi: Join to ##openvpn was synced in 18 secs
03:56 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
03:57 < diazepam> hey anyone know much about using the ta.key option
03:57 < diazepam> when i set it I have heaps of trouble getting the vpn to work
03:57 < diazepam> connecting is slower
03:57 < diazepam> but when i disable ta.key things work flawlessly
03:58 < diazepam> second question is there a way of selectively forcing client traffic through the vpn
03:58 < diazepam> ?
03:58 < diazepam> or is this a global on/off thing
03:59 < diazepam> currently i have it set for all traffic on clients to route via the vpn -> remote network -> remote network gateway -> internet
03:59 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
04:00 < toddoon> could somebody tell me how do i configure my client.conf with client_to_client?
04:01 < uchimata> toddoon: this is a server-side config option
04:01 < diazepam> yeah client_to_client is really the only thing you need in your conf
04:03 < toddoon> uchimata: it is a server-side option, somebody tell about it in my client.conf yesterday
04:03 < toddoon> so i don't need it diazepam?
04:04 < toddoon> in fact my problem is that i am running ubuntu with openvpn client and i want to connect to a openvpn server with auth. On windows it works well but not on ubuntu :(
04:08 < toddoon> in a tutorial i find a good info, it say to check if ls | grep tun return something, for me it returns something but the problem is that don't use interface tun but tap interface
04:15 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn
04:15 < toddoon> nobody can help me?
04:17 < uchimata> toddoon: you must provide log- and configfiles for further help
04:17 < toddoon> uchimata: ok
04:19 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
04:19 < toddoon> uchimata: can you tell me where is the log?
04:23 < Roman123> On my OpenWRT router featuring OpenVPN some weird things happen when I disconnect my client (OpenVPN GUI under Windows XP). Before everything works fine, i.e., I can connect, transfer data, etc. everything is perfect. After I disconnect the client, the messages "openvpn(starnet)[1571]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)" appear every 10 seconds in the server logfile.
04:24 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Read error: 113 (No route to host)]
04:24 < toddoon> http://pastebin.com/m5dfff082 can you help me for debug i give my conf and the output of openvpn
04:30 < Roman123> toddoon: I missed the statement of your problem. Can you repost, please...
04:30 < toddoon> in fact my problem is that i am running ubuntu with openvpn client and i want to connect to a openvpn server with auth. On windows it works well but not on ubuntu :(
04:31 < Roman123> toddoon: Which OpenVPN client/interface do you use in Ubuntu? The network manager stuff?
04:32 < Roman123> Because nw is a buggy crap :-P
04:32 < Roman123> nw manager
04:33 < toddoon> Roman123: no, i use the conf files i have posted and then i run the openvpn in command line
04:33 < Roman123> ah, ok
04:34 < Roman123> toddoon: Are you running a firewall on you Ubuntu box?
04:34 < Roman123> s/you/sour
04:34 < Roman123> s/you/your
04:35 < toddoon> Roman123: i have ufw but i disabled it
04:35 < Roman123> hmm
04:37 < Roman123> toddoon: I have no particular idea but I can suggest what I would try (step-by-step).
04:37 < toddoon> i have some problem with my connection in ubuntu, for example i have to reload dhclient each time i connect to my computer, perhaps there is a problem in /etc/interfaces?
04:38 < toddoon> how do you define a tap interface in /etc/interfaces?
04:39 < Roman123> toddoon: sorry, I don't use Ubuntu. I'm running Gentoo.
04:39 < toddoon> Roman123: ok
04:41 < Roman123> toddoon: Well, I would try to connect by means of your Windows client and save the config file as example how it should look like if it works (increase the verbosity level on the server and on the client side).
04:42 < toddoon> Roman123: it's a good idea i will diff files output
04:42 < Roman123> yes
04:42 < Roman123> I would try that
04:43 < Roman123> Perhaps you'll see where the problem appears.
04:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:04 < sigius> Q: I want to set up a 'open' openvpn server (i.e. with 'auth none' and 'cipher none'), but still I want to protect the server the openvpn server is running on. How would I do this ? Of course I am using the chroot option so as to have openvpn running in a jail, but am I doing enough with that ? f.e. Is it not possible still to route a network connection through the openvpn server ?
05:08 < reiffert> dropping perms to nobody:nogroup and additional firewalling.
05:16 < sigius> reiffert, Ok so I need the additional firewalling? Is there not some openvpn option I can use so that there will be no routing (outside of the vpn-subnet obviously) from the server's endpoint?
05:25 < reiffert> imagine such a feature is broken in a version, do you want to rely on that or have security?
05:26 < reiffert> (I don't know whether routing networks works for unknown networks, but I guess it will when client computers add routes manually and if the openvpn server routes packets back)
05:26 < reiffert> (However, if the latter is not applicable, it still can be used for spoofing packets)
05:28 < reiffert> And I really don't know if openvpn comes with such an option, a fast manpage check doesn't look like it.
05:28 < reiffert> I'd say try it out but run a firewall on the openvpn server machine.
05:32 < sigius> reiffert: well I'm already sort of relying on openvpn to be safe, but I see your point. I think I will follow your suggestion and add the firewall policy (in iptables in my case).
05:35 < reiffert> iptables -I FORWARD -s 10.8.0.0/24 -i tun0 -j ACCEPT
05:35 < reiffert> iptables -I FORWARD -d 10.8.0.0/24 -o tun0 -j ACCEPT
05:35 < reiffert> or whatever.
05:45 < reiffert> and when protecting your localnet, something like iptables -I FORWARD -s 10.8.0.0/24 -i tun0 -o whatever -j ACCEPT
05:45 < reiffert> where whatever is not your localnet
05:45 -!- Typone [n=nnnnitsm@195.197.184.87] has quit [Read error: 110 (Connection timed out)]
05:51 -!- mib_wwjin9 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-110ec4e2899f2caa] has joined ##openvpn
05:51 < mib_wwjin9> hi
05:51 < mib_wwjin9> there
05:51 < mib_wwjin9> is there anyone here ?
05:54 < reiffert> no, all gone.
05:55 < mib_wwjin9> hi reiffert
05:56 < mib_wwjin9> i want to bypass a proxy server so i openvpn
05:56 < mib_wwjin9> i want to bypass a proxy server so i found openvpn
05:57 < mib_wwjin9> what does it exactly do ?
05:58 < mib_wwjin9> hello is there anyone here ?
05:58 < reiffert> depends on your proxy and the whole setup that you are behind.
05:59 < mib_wwjin9> sorry can you plz be explicit ?
05:59 < mib_wwjin9> sorry can you plz be explicit ?
05:59 < mib_wwjin9> what do i have to check ?
05:59 < sigius> reiffert: thanks for these iptables lines
05:59 < reiffert> mib_wwjin9: what proxy software are you running?
06:00 < mib_wwjin9> i don't know
06:00 < reiffert> mib_wwjin9: why do you think there is a proxy server in front of you?
06:00 < mib_wwjin9> what does it exactly do ?
06:00 < mib_wwjin9> openvpn what can it do for me ?
06:01 < reiffert> it maybe.
06:01 < mib_wwjin9> because that blocks some of the ports
06:01 < reiffert> a proxy does not block a port. a firewall does block ports.
06:02 < reiffert> ok, so you want to bypass a firewall with the help of openvpn?
06:02 < mib_wwjin9> yes
06:02 < mib_wwjin9> correct
06:03 < reiffert> Then do this: Install an openvpn server outside of your network
06:03 < reiffert> Install an openvpn client inside your network.
06:03 < mib_wwjin9> then
06:03 < reiffert> Then find a port so that the client can talk to the server. Most probably udp/53 will work.
06:03 < reiffert> Then you are done.
06:04 < mib_wwjin9> thx a lot first
06:04 < reiffert> !howto
06:04 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:04 < mib_wwjin9> yes that's what i read too in a tutorial
06:05 < reiffert> follow that howto.
06:05 < mib_wwjin9> thx
06:05 < mib_wwjin9> yes that's what i read too in a tutorial
06:05 < mib_wwjin9> i want to make sure
06:05 < mib_wwjin9> one thing i don't understand
06:06 < mib_wwjin9> once i finish settings on the server and the client
06:06 < mib_wwjin9> side
06:06 -!- Typone [n=nnnnnits@195.197.184.87] has joined ##openvpn
06:06 < mib_wwjin9> once the client connects to my openvpn server
06:07 < mib_wwjin9> what will be my ip ?
06:07 < mib_wwjin9> is it the same as i got before
06:07 < mib_wwjin9> or will it change ?
06:07 < reiffert> your client will have two network cards. One real network and one virtual card (openvpn adapter)
06:07 < reiffert> ip address of real network card does not change.
06:08 < mib_wwjin9> i want to do this
06:08 < mib_wwjin9> because the proxy server blocks the voip port
06:09 < mib_wwjin9> if i have done openvpn settings on both sides
06:09 < mib_wwjin9> will it work ?
06:09 < mib_wwjin9> ok tell me
06:10 < reiffert> sigh. sigh. sigh.
06:10 < mib_wwjin9> if i have two network cards one phycall and
06:10 < mib_wwjin9> if i have two network cards one physical and
06:10 < mib_wwjin9> the other one virtual
06:11 < mib_wwjin9> how will the connection work ?
06:11 < reiffert> The virtual network card is talking to the openvpn server which is outside your network.
06:11 < mib_wwjin9> yes
06:11 < reiffert> phone calls will travel along that path and packets.
06:11 < mib_wwjin9> then how does the connection work ,
06:12 < mib_wwjin9> i m totally sorry
06:12 < mib_wwjin9> be explicit plz
06:13 < mib_wwjin9> if i have done both settings how will the internet connection work ?
06:14 < mib_wwjin9> is it going through the physical network card or the virtual
06:14 < mib_wwjin9> ????
06:16 < mib_wwjin9> hello r u still there reiffert ?
06:17 < mib_wwjin9> i don't know if you understand my question
06:17 < mib_wwjin9> tell me if not
06:20 -!- mib_wwjin9 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-110ec4e2899f2caa] has quit ["http://www.mibbit.com ajax IRC Client"]
06:25 < sigius> mib_wwjing: If it's just the routing of the voip connection you're interested in, just use an ssh tunnel instead of openvpn
06:26 < sigius> away from keyboard
06:26 < sigius> and back again after noticing mib_wwjing had already left
06:28 < reiffert> wow, that's the most nervous and impatient I've ever seen.
06:29 < sigius> lol
06:29 < reiffert> He can use pppd as well and so on.
06:29 < reiffert> Well whatever.
06:30 < reiffert> Ah, he was from paris.
06:30 < reiffert> 82.230.208.124
06:30 < sigius> right, or pppd over ssh, i was using that when still behind a corporate proxy myself
06:30 < reiffert> == 52e6d07c
06:30 < reiffert> http://www.utrace.de/?query=82.230.208.124
06:30 < vpnHelper> Title: 82.230.208.124 - IP-Adresse - utrace - IP-Adressen und Domainnamen lokalisieren (at www.utrace.de)
06:31 < sigius> I would guess he's from china and using some onion router
06:31 < reiffert> Yeah, I thought so too, but 'from france' matches perfectly as well :)
06:32 < sigius> :)
06:32 < reiffert> 13:01 [free2] -!- ircname : bgl93-3-82-230-208-124.fbx.proxad.net
06:32 < reiffert> hmmmm.
06:33 -!- reiffert2 [i=54a9e523@gateway/web/ajax/mibbit.com/x-2bb8b9740dd47aba] has joined ##openvpn
06:33 < reiffert2> :)
06:33 < reiffert> 13:39 [free2] -!- ircname : p54A9E523.dip.t-dialin.net
06:33 < reiffert> that's my host.
06:33 -!- reiffert2 [i=54a9e523@gateway/web/ajax/mibbit.com/x-2bb8b9740dd47aba] has quit [Client Quit]
07:17 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Read error: 113 (No route to host)]
07:34 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
07:35 < toddoon> Fri Feb 20 14:33:38 2009 us=356499 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.3.0.0 255.255.255.0' what does it mean?
07:36 -!- fpletzv6 [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has quit [Read error: 60 (Operation timed out)]
07:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:11 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
08:27 < ecrist> rawr
08:27 < ecrist> my voip provider is pissing me off.
08:38 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has joined ##openvpn
08:38 < ecrist> firecrotch: you a red-head?
08:38 < ecrist> or a 'ginger' as they call them?
08:38 < firecrotch> yep :)
08:39 < firecrotch> though lately it's been turning more brown-ish
08:39 < ecrist> wasn't sure if that was it, or if your last partner gave you something that presented itself with a burning sensation.
08:39 < firecrotch> lol
08:48 < firecrotch> my client machines are not able to reach each other, despite having client-to-client in the server config file, can't figure out why.... configs and routing tables: http://pastebin.ca/1342906
08:57 < Roman123> I have a short question about > option keepalive "10 120" < . Does this also affect a client which is disconnected by hand, i.e., if the user cancels the connection between client and server?
08:59 < ecrist> w00t! pastebin.ca fixed their routing! I can use them again!
09:00 < ecrist> firecrotch: I'd recommend redacting your server IP in the future.
09:01 < ecrist> firecrotch: have you verified that the firewalls aren't blocking the traffic?
09:01 < ecrist> Roman123: no
09:02 -!- incorrect [n=fw1@mail.taptu.com] has joined ##openvpn
09:02 < firecrotch> ecrist: firewalls are definitely not blocking the traffic over the VPN... I can connect from the server to all the clients with no problem
09:02 < incorrect> i am struggling to set the DNS entry when connected,
09:03 < ecrist> firecrotch: client-to-client should allow such traffic
09:03 < Roman123> ecrist: I'm asking because if I enable it and disconnect the client from the server, then messages like "UDPv4 [ECONNREFUSED]: Connection refused (code=146)" appear every 10 seconds in my server logfile.
09:03 < ecrist> is there a firewall on the server that would be blocking the traffic?
09:03 < Roman123> Removing > option keepalive "10 120" < disables these log entries.
09:03 < ecrist> Roman123: if you shutdown the server, the clients may still try connecting.
09:03 < ecrist> you can't stop that.
09:04 < Roman123> no
09:04 < Roman123> the other way
09:04 < Roman123> I shut down the connection from the client side.
09:04 < ecrist> that will time out
09:05 < ecrist> but, with a proper shutdown of OpenVPN, the server should stop trying to talk.
09:05 < Roman123> ecrist: ok, then perhaps this is a bug in the openvpn client under windows xp.
09:06 < ecrist> could be.
09:06 < ecrist> really, the messages are harmless.
09:06 < ecrist> if you've got an IDS triggering on those logs, I'd filter them out.
09:06 < Roman123> I'm pretty sure. Yippee, that's the first time in a long time that the bug does not sit in front of the screen :-P
09:08 < firecrotch> ecrist: nope
09:09 < ecrist> firecrotch: did you restart openvpn after adding client-to-client?
09:09 < firecrotch> yep, openvpn has been restarted several times since then
09:10 < ecrist> and you can't ping from one client to another?
09:11 < firecrotch> that's correct
09:11 < ecrist> I would still say firewall.
09:12 < ecrist> let me review your config agin
09:12 < ecrist> again*
09:13 < ecrist> hrm, everything looks OK.
09:14 < ecrist> the 10.x network doesn't interfere with any of the client subnets, does it?
09:14 < firecrotch> nope, they're all on class C's
09:15 < ecrist> no, I mean, is one of your clients using the 10.0.0.0/24 subnet on their home LAN?
09:16 < firecrotch> no, all the clients are on 192.168.x.x/16 subnets on their home LANs
09:17 < ecrist> firecrotch: is there any firewall at all running on the OpenVPN server?
09:20 < Roman123> I'd like to assign certain IPs to certain clients, which should be possible by means of the client_config_dir directive. So I put the option "client_config_dir /etc/openvpn/clients" in my server's openvpn configuration file (see http://pastebin.com/d64fd6be2). Additionally, I put a file called James_Band with the content "ifconfig-push 10.168.1.198 10.168.1.199" into /etc/openvpn/clients. The IP range in the openvpn network is defined by > option server "10.168.1.0 255.255.255.0" <. After restarting the server, a connection with the client (see config http://pastebin.com/d55847890) featuring "James_Band" in the common name still assigns a wrong IP (10.168.1.6 instead of 10.168.1.198). I guess I've missed just a small thing to get this working. Any ideas how to fix that?
09:21 < ecrist> Roman123: can you pastebin your logs from both the client AND server?
09:22 < Roman123> yes
09:25 < ecrist> Roman123: I asked you for your logs yesterday, and you never gave them to me. :\
09:26 < Roman123> ecrist: yes, because I was at home at that time and I'm not able to open a vpn connection from my home to my home :)
09:26 < Roman123> now I'm at work
09:27 < plaerzen> g'morning irc
09:29 < Roman123> ecrist: server-log http://pastebin.com/d6e41458d | client-log: http://pastebin.com/d5d7c0b83
09:35 < reiffert> moin plaerzen
09:35 -!- bsund [n=bsund@213.180.77.55] has quit ["leaving"]
09:36 < firecrotch> ecrist: no firewall on the server. or rather, iptables is set up to accept everything :)
09:37 < ecrist> firecrotch: try disabling the firewall entirely and see if your problem goes away.
09:37 < ecrist> Roman123: looking now.
09:39 < ecrist> Roman123: it appears to be due to mismatching data in the Root and Client certificates.
09:39 < Roman123> ecrist: I'm so sorry. I have to leave now but will be back in an hour (from my pc at home).
09:40 < Roman123> ecrist: thanks. I'll have a look at that and "I'll be back". :-)
09:40 < Roman123> brb
09:40 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"]
09:40 < plaerzen> moin reiffert - that's german, hey ?
09:44 < firecrotch> ecrist: firewall disabled and still having problems
09:44 < ecrist> firecrotch: what version of OpenVPN?
09:46 < firecrotch> ecrist: 2.1
09:46 < ecrist> latest rc?
09:47 < firecrotch> rc11
09:47 < firecrotch> not sure if that's the latest
09:47 < ecrist> iirc, rc15 is latest. try upgrading and see if it fixes your issue
09:49 < firecrotch> I'd prefer not to do that, rc11 is the version in the Ubuntu repository and I'd like to stick to that
09:50 < ecrist> at the risk of sounding rude, I'm not going to support out-of-date RCs
09:51 < firecrotch> not rude at all, ecrist. Thanks for all of your help
09:52 -!- incorrect [n=fw1@mail.taptu.com] has quit [Remote closed the connection]
09:56 < ecrist> firecrotch: why are you using tcp, rather than udp?
09:58 < firecrotch> ecrist: because that's what was specified on the page that I was using to set up everything? I assume from that statement that I should be using udp instead?
09:58 < ecrist> I don't want to say 'should,' but udp is a better transport for VPN traffic than tcp
09:58 < ecrist> !tcp
09:58 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
09:59 < ecrist> read that for more information
09:59 < ecrist> just an observation.
09:59 < firecrotch> will do
10:02 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has left ##openvpn []
10:45 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:53 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
10:53 < Roman123> Hi!
10:53 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
10:55 < plaerzen> Hi!
11:06 -!- syere [n=sitrii@204.10.20.30] has joined ##openvpn
11:07 < syere> Hello all. Can someone kindly point me to a how-to for integrating openvpn on a linux box with my active directory? I can't seem to find one on the site
11:07 < syere> or google
11:08 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
11:13 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
11:21 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
11:21 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
11:27 < ecrist> AD ~= LDAP
11:27 < ecrist> there is an ldap-auth script out there, if you look in google
11:35 -!- bsund [n=bsund@unaffiliated/bsund] has joined ##openvpn
11:35 < bsund> http://pastebin.com/m6c64d36c
11:35 < bsund> Why? :)
11:39 < syere> ecrist, there is, but it is a VB script. as far as i know, linux doesn't like vb
11:40 < syere> it's why i included my OS in my question
11:48 < ecrist> syere: it's not a VB script, the one I'm referring to.
11:48 < ecrist> getting smart with me means I won't help you.
11:48 < syere> ecrist, that was not being smart. i was stating. i apologize if it came off as such
11:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:49 < ecrist> syere: np, if my 7 year old were to say that to me, he'd be standing in the corner for 7 minutes. :)
11:49 < ecrist> bsund: the error tells you the problem.
11:49 < ecrist> your network address is not valid for that netmask
11:50 < syere> ecrist, do you remember the name of the script? i keep pulling up the amigo4life guy
11:51 < ecrist> syere: all I know is there is a freebsd port for ldap-auth
11:51 < ecrist> let me google for you
11:52 < ecrist> here's a good one: http://www.experts-exchange.com/Networking/Linux_Networking/Q_24083389.html
11:52 < vpnHelper> Title: Endian Firewall - OpenVPN authentication against Active Directory : OpenVPN EFW Endian Active Directory (at www.experts-exchange.com)
11:52 < syere> ecrist, sadness, not open information :(
11:53 < ecrist> syere: google 'openvpn ldap auth script' and you come up with a TON of links
11:53 < syere> thanks
11:53 < syere> didn't think about calling it an auth script
11:57 -!- syere [n=sitrii@204.10.20.30] has quit [Remote closed the connection]
12:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
12:17 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:22 -!- c64zottel [n=hans@p5B17AED7.dip0.t-ipconnect.de] has left ##openvpn []
13:33 -!- plaerzen [n=carpe@174.0.97.175] has quit [Remote closed the connection]
13:33 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
14:09 < d0wn> Is anyone familiar with using redirect-gateway? I'm having issues with it
14:12 < d0wn> It just doesn't want to load anything. I've followed the information in the HowTo, but it's still not working
14:16 < d0wn> ..and now my openvpn won't work at all
14:16 < d0wn> bash: openvpn: command not found
14:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:54 -!- El_Presidente [i=Martin@p5798EAFB.dip.t-dialin.net] has joined ##openvpn
14:54 < El_Presidente> hi
14:55 < reiffert> you are using port 15000 IIRC, right?
14:55 < El_Presidente> yes
14:55 < El_Presidente> i measured the mtu right now
14:55 < El_Presidente> Empirical MTU test completed [Tried,Actual] local
14:55 < El_Presidente> ->remote=[1573,1573] remote->local=[1573,1573]
14:56 < reiffert> I was talking to some guys recently about your problem
14:56 < El_Presidente> thank you for your help
14:56 < reiffert> our only idea is, that your isp or someone is using QoS on that port.
14:56 < reiffert> Change that to port udp/53 just for an additional test.
14:56 < El_Presidente> hmm i also tested port 10000
14:57 < El_Presidente> i have a question ... i have an ftp on my router 192.168.0.1
14:57 < El_Presidente> if my cousin downloads from there he gets 500kb/s
14:57 < reiffert> El_Presidente: however, try udp/53
14:57 < El_Presidente> ok
14:59 -!- achilles [n=achilles@62.90.142.153] has joined ##openvpn
15:00 < El_Presidente> well it tells me that udp53 is already in use
15:00 < El_Presidente> and please listen to what i wrote right before
15:01 < El_Presidente> if he downloads from my local ftp through the tunnel i get 500kb/s
15:01 < achilles> hello, I'm connecting to my server via ssh, and now connected p-t-p openvpn, tun device, I can ping my server through the tunnel, but not any other server on the remote side, any help?
15:01 < achilles> ip_forward is enabled
15:01 < El_Presidente> if he downloads from a webserver he gets just 100kb/s
15:11 < El_Presidente> reiffert, still here?
15:11 < achilles> any help guys?
15:12 < El_Presidente> i suggest you take a look in the howtos
15:16 < achilles> El_Presidente, thank you, I did, it's supposed to work when I add "push "redirect-gateway def1"
15:16 < achilles> what is def1?
15:17 < El_Presidente> with that value you don't overwrite the gateway
15:18 < achilles> is it the IP of the server then?
15:18 < El_Presidente> there is a good explanation in the manual
15:31 -!- mib_q2jb2c [i=52e6d07c@gateway/web/ajax/mibbit.com/x-1232b568ba292e61] has joined ##openvpn
15:31 < mib_q2jb2c> hi
15:31 < mib_q2jb2c> there
15:31 < mib_q2jb2c> is there anyone here ?
15:32 -!- mib_q2jb2c [i=52e6d07c@gateway/web/ajax/mibbit.com/x-1232b568ba292e61] has quit [Client Quit]
15:38 -!- ikevin_ [n=kevin@ANancy-256-1-69-35.w90-26.abo.wanadoo.fr] has left ##openvpn ["Quit"]
16:19 < El_Presidente> good night
16:19 -!- El_Presidente [i=Martin@p5798EAFB.dip.t-dialin.net] has quit ["Leaving"]
17:39 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Connection timed out]
18:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
18:16 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
19:51 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)]
20:00 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has joined ##openvpn
20:05 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
20:44 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has joined ##openvpn
20:46 < eidolon> hi folks - i'm trying to configure nm-openvpn to talk to our openvpn server. seems to connect (I get a "Connect - reply received") - but then there's a long pause after UDPv4 link remote: (ip address), and then i get 'vpn connection timeout exceeded'
20:46 < eidolon> i can telnet to the openvpn port on the target machine.
21:08 < eidolon> doh. they're set up for tcp, i was using udp
21:22 < d0wn> I'm confused about something
21:22 < d0wn> does redirect-gateway go in the server's config, or the client's?
22:10 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has left ##openvpn ["Leaving"]
22:15 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
23:37 -!- Deiz [n=swh@unaffiliated/deiz] has left ##openvpn ["Leaving"]
23:40 -!- appletizer [i=user@82-32-123-8.cable.ubr04.hawk.blueyonder.co.uk] has joined ##openvpn
23:41 -!- appletizer [i=user@82-32-123-8.cable.ubr04.hawk.blueyonder.co.uk] has left ##openvpn []
23:43 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
23:44 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn []
--- Day changed Sat Feb 21 2009
00:37 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
00:37 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has joined ##openvpn
01:24 -!- davidm_ [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
01:24 -!- davidm_ [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn []
01:28 -!- davidm777 [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
01:28 -!- davidm777 [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn []
02:26 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
02:26 < diazepam> hi all - anyone here using the ta.key option?
02:32 < diazepam> it's giving me grief. Some systems it works and others it causes soft-reset errors
02:32 < diazepam> i have to disable it in the server.conf to get the vpn working
02:32 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
02:33 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
02:34 < diazepam> anyone
02:34 < diazepam> do people think ta.key is a necessary security feature?
02:42 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection]
03:14 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Read error: 113 (No route to host)]
03:23 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
03:23 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Read error: 104 (Connection reset by peer)]
04:11 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn
04:14 -!- plaerzen [n=carpe@174.0.97.175] has quit [Read error: 110 (Connection timed out)]
04:26 -!- achilles [n=achilles@62.90.142.153] has quit [Read error: 110 (Connection timed out)]
05:26 -!- achilles [n=achilles@62.90.143.124] has joined ##openvpn
06:54 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:04 -!- El_Presidente [i=Martin@p5798EDD6.dip.t-dialin.net] has joined ##openvpn
07:04 < El_Presidente> hello
07:05 < El_Presidente> reiffert, does this look typical for an MTU problem?
07:05 < El_Presidente> http://pastebin.com/mfa65b69
07:05 < El_Presidente> i have a HUGE DROP of packets @ tap0
07:05 < El_Presidente> i tested it with netio
07:29 < reiffert> Note: the maximum value is 1492.
07:29 < reiffert> so testing for 2k+ packet sizes is irrelevant.
07:30 < reiffert> El_Presidente: what I really would like to know is:
07:31 < reiffert> Write down an ASCII schematic of the components that take part.
07:31 < reiffert> Also write down the link speed (up and down) of everything.
07:31 < reiffert> further: do a direct download with wget (some big file, 20MB) and paste the bandwidth results wget puts out.
07:31 < reiffert> then do the same when being connected with openvpn.
07:32 < reiffert> in both directions, that makes 4 wget bandwidth outputs.
07:33 < El_Presidente> okay
07:39 < reiffert> or take a 1MB file
07:39 < El_Presidente> i will do an ascii chart
07:41 < reiffert> I'm working on a different screen, I'll check back from time to time.
07:46 < El_Presidente> kk
07:57 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
08:02 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
08:51 < tjz|lunch> does openvpn work on windows 2008 server?
08:51 < reiffert> tjz|lunch: y
08:54 < tjz|lunch> want to install on windows 2003 or 2008 server =)
09:17 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 104 (Connection reset by peer)]
09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:38 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
09:45 -!- c64zottel [n=hans@p5B17B154.dip0.t-ipconnect.de] has joined ##openvpn
09:45 -!- c64zottel [n=hans@p5B17B154.dip0.t-ipconnect.de] has left ##openvpn []
09:46 < reiffert> tjz|lunch: y = yes
09:47 < tjz|lunch> oh
09:47 < tjz|lunch> i mistook it as ...
09:47 < tjz|lunch> y = why
09:48 < tjz|lunch> -_-
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
09:49 < reiffert> El_Presidente: how far did you get?
09:49 < El_Presidente> i don't have someone to test it with again yet
09:49 < El_Presidente> just made the chart
09:50 < reiffert> hm, k, I'm off for doing extensive party.
09:51 < El_Presidente> sure
09:51 < El_Presidente> have fun ^
09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:16 -!- bombayvdmo [n=victor@adsl190-28-146-47.epm.net.co] has joined ##openvpn
10:16 < bombayvdmo> Hi
10:16 < bombayvdmo> OpenVPN trying to reconnect shows this message "Sat Feb 21 16:09:36 2009 RESOLVE: Cannot resolve host address: mysite.dyndns.org: [TRY_AGAIN] A temporary error occurred on an authoritative name server."
10:21 < bombayvdmo> i want openvpn to restart the connection if it is lost
10:21 < bombayvdmo> openvpn
10:31 -!- bombayvdmo [n=victor@adsl190-28-146-47.epm.net.co] has left ##openvpn []
10:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
10:37 -!- tjz|lunch is now known as tjz
10:39 < tjz> hmm
10:39 < tjz> let's say i have two servers.. one set up in a DC. another server in an office .. can i print a document using the IP printer method?
10:53 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has quit [Read error: 110 (Connection timed out)]
11:04 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has left ##openvpn []
11:24 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["I'm leaving"]
11:45 -!- El_Presidente [i=Martin@p5798EDD6.dip.t-dialin.net] has quit ["Leaving"]
12:01 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
12:07 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has joined ##openvpn
12:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
12:27 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:38 -!- achilles [n=achilles@62.90.143.124] has quit [No route to host]
12:38 -!- achilles [n=achilles@62.90.14.205] has joined ##openvpn
12:41 -!- eidolon [n=dbs@host156.237.51.209.conversent.net] has joined ##openvpn
12:42 -!- Lede [n=lede@85.148.228.92] has joined ##openvpn
12:42 < Lede> hello
12:42 < Lede> does double NAT break VPN?
12:45 < Lede> !route
12:45 < vpnHelper> Lede: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:50 -!- achilles [n=achilles@62.90.14.205] has quit [Read error: 104 (Connection reset by peer)]
13:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
13:36 -!- eidolon [n=dbs@host156.237.51.209.conversent.net] has quit ["Leaving."]
13:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:28 -!- constantine [n=constant@70.91.232.102] has joined ##openvpn
14:28 < constantine> wow there's an openvpn channel! yes!
14:28 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote closed the connection]
14:28 < constantine> hi, which VPN program for intrepid would you suggest for accessing an unsecured wifi zone like a coffee house?
14:30 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection reset by peer]
14:39 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
14:40 < diazepam> is there any way of selectively forcing client traffic via the vpn - currently i have my vpns set so all of the clients' traffic (including web browsing) tunnels via the vpn. I would like the option of picking and choosing which clients do this and which clients don't
14:41 < constantine> how do I set up openvpn for ubuntu intrepid?
14:43 < diazepam> constantine - that's a broad question
14:43 < diazepam> constantine - wanna narrow it down
14:44 < constantine> diazepam: what info do you need, I'd be happy to give it
14:45 < constantine> diazepam - I connect to numerous hotspots throughout my city...ie routers...my box is set up to pick up the strongest signal and use it. I am trying to create a tunnel so that there is some degree of security.
14:46 < diazepam> okay I'll send you some info
15:06 -!- constantine [n=constant@70.91.232.102] has left ##openvpn ["Leaving"]
15:27 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
15:36 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
15:36 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
15:45 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn
15:45 < Qantourisc> I think i must have missed something
15:45 < Qantourisc> right faq first
15:52 < Qantourisc> nope
15:52 < Qantourisc> ok i started openvpn
15:52 < Qantourisc> bridged the tap0
15:52 < Qantourisc> but i cannot seem to ping it using that bridge
15:52 < Qantourisc> what did i miss please ?
15:53 < Qantourisc> aa wait
15:53 < Qantourisc> it's also filtered ?
15:53 * Qantourisc tries
15:54 < Qantourisc> nope that's not it
15:55 < Qantourisc> the DHCP is not travelling over the bridge
15:55 < Qantourisc> the dhcp requests enter
15:56 < Qantourisc> and my dhcp server replies
15:56 < Qantourisc> but client doesn't seem to receive it
15:56 < Qantourisc> is there anything openvpn is blocking ?
15:58 < Qantourisc> i guess I'll use the server-bridge then that's also ok
16:06 < Qantourisc> hmm that's not helping either
16:08 < Qantourisc> there is squad moving over the bridge
16:08 < Qantourisc> no dhcp, no ping with static configuration nothing
16:08 < Qantourisc> suggestions ?
16:40 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
16:52 < Qantourisc> closed but not yet there
16:57 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has joined ##openvpn
16:59 < Qantourisc> ok something in my iptables
16:59 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:00 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:03 -!- El-Cheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:05 -!- ElCheapo1 [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:17 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:18 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:18 < Qantourisc> whoot working
17:19 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has quit ["openvpn works ... let's call it a day"]
17:20 -!- El-Cheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:22 -!- ElCheapo1 [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:46 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
17:47 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
18:06 < onats> howdy
18:07 < krzee> hola
18:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:28 < reiffert> http://musicovery.com/
18:28 < vpnHelper> Title: Musicovery : interactive webRadio (at musicovery.com)
18:32 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has left ##openvpn []
19:07 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 104 (Connection reset by peer)]
19:21 -!- cultureulterior [n=cultureu@94.191.156.10.bredband.tre.se] has joined ##openvpn
19:30 -!- bsund [n=bsund@unaffiliated/bsund] has left ##openvpn []
19:34 < cultureulterior> So, anyway, I just rented a US vps with two public ip addresses. I'd like to use the other one for my laptop via proxy arp. I would do this by connecting through openvpn tun connecting to the one, then getting the other one assigned to the tun interface on my laptop. Does this make sense?
19:36 < cultureulterior> The point of this being to give my laptop a real ip address, something it doesn't now have, as it is behind a nat.
19:38 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
20:27 -!- cultureulterior [n=cultureu@94.191.156.10.bredband.tre.se] has left ##openvpn []
22:33 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
22:33 -!- nemysis [n=nemysis@99-63.3-85.cust.bluewin.ch] has joined ##openvpn
22:59 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
23:01 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
--- Day changed Sun Feb 22 2009
00:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
00:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:12 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
00:12 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
01:13 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
01:13 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
01:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:28 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Remote closed the connection]
01:28 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
01:55 -!- zheng [n=zheng@218.82.139.88] has joined ##openvpn
02:01 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
02:30 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 110 (Connection timed out)]
02:45 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
03:04 -!- zheng [n=zheng@218.82.139.88] has quit ["Leaving"]
03:04 < reiffert> moin
03:15 < Lede> ello
04:03 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has quit ["ride..."]
05:06 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
05:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
05:15 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
05:18 -!- countd [n=countd@unaffiliated/countd] has quit [Remote closed the connection]
05:22 < tjz|lunch> anyone used pmacct to track multiple IP's bandwidth before?
06:21 -!- Haris_ [i=Haris@119.152.49.108] has joined ##openvpn
06:21 < Haris_> Hello people
06:22 < Haris_> What's the 'significant' difference between tcp or udp based pvn ?
06:22 < Haris_> vpn+
06:22 < Haris_> amount of traffic? amount of processing involved? amount of bandwidth involved
06:22 < Haris_> security ?
06:33 < sigius> Haris_, In the howto it says: While OpenVPN allows either the TCP or UDP protocol to be used as the VPN carrier connection, the UDP protocol will provide better protection against DoS attacks and port scanning than TCP
06:33 < sigius> benefit of tcp on the other hand is it still works through a proxy
06:34 < sigius> I think the better protection, when using udp, is achieved by using 'tls-auth'
06:37 < sigius> Q: wireshark (a.k.a ethereal) is not decoding my openvpn traffic. Does anyone know of a wireshark decode plugin to use for this purpose ?
06:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
07:24 -!- nemysis [n=nemysis@99-63.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:24 -!- nemysis [n=nemysis@81-241.0-85.cust.bluewin.ch] has joined ##openvpn
07:26 < Haris_> does bridging ethernet connection with tap connection mean linking them together as one ?
07:26 < Haris_> linking them together and making them as one ?
07:27 < Haris_> will openvpn work if I don't give a ssl cert?
08:12 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
08:16 < Haris_> I have set cert and key in server.conf. I don't have a ca. Do I need to set a ca on server and client ?
08:29 < sigius> Haris_, All of that is in the howto (http://openvpn.net/index.php/documentation/howto.html) (A:indeed you do)
08:29 < vpnHelper> Title: HOWTO (at openvpn.net)
08:29 < Haris_> I know
08:29 -!- kaii_ is now known as kaii
08:33 < Haris_> I'm getting this -> Sun Feb 22 20:35:09 2009 us=688618 Error: private key password verification failed
08:34 < Haris_> I made the ssl cert as per -> http://www.akadia.com/services/ssh_test_certificate.html
08:34 < vpnHelper> Title: How to create a self-signed Certificate (at www.akadia.com)
08:34 < Haris_> I removed the pass phrase
08:34 < Haris_> why does it need to confirm a password?
08:34 < Haris_> Sun Feb 22 20:35:09 2009 us=688554 Cannot load private key file /usr/local/etc/openvpn/openvpn.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
08:34 < Haris_> what does this mean ? I configured wrong private key file against the cert?
08:40 < Haris_> damned
08:40 < Haris_> now the client cert verify failed
08:41 < Haris_> Sun Feb 22 19:50:23 2009 us=471057 VERIFY ERROR: depth=0, error=self signed certificate: certificate-details-follows-here
08:41 < Haris_> what does this mean ? It doesn't allow self generated ssl cert?
08:42 < Haris_> I generated a cert at the server and copied that exact cert at the client
08:42 < Haris_> or was this the problem?
08:44 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
08:49 < Haris_> ok, I used the wrong Common name
09:03 < Haris_> Should the cert on server and client be different ?
09:03 < Haris_> for client1, client2, client3 ?
09:04 < Haris_> I am here -> http://openvpn.net/howto.html#mitm
09:04 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
09:04 < Haris_> I can't figure out the problem
09:04 < Haris_> http://pastie.org/396654
09:05 < Haris_> this is the log
09:05 < Haris_> I manually generated the self signed certs
09:08 -!- El_Presidente [i=Martin@p5798F09A.dip.t-dialin.net] has joined ##openvpn
09:08 < Haris_> on windows, after I ran openvpn client once, I can't delete a config file, after I have exited from it
09:09 < Haris_> I checked the client, it's not running, neither is openvpn's service
09:09 < El_Presidente> reiffert, i set up a openvpn on my webserver just to avoid bandwidth issues, i was able to download directly through the tunnel from my webserver with 2,5mbyte/s but if i download e.g. from uni-erlangen.de through the tunnel i just get 300kb/s
09:10 < El_Presidente> if i download without the tunnel from uni-erlangen.de i get the full 2.8mb/s
09:10 < El_Presidente> is there generally such a huge penalty when routing web traffic ?
09:14 < Haris_> Options error: Unrecognized option or missing parameter(s) in /usr/local/etc/openvpn/openvpn.conf:307: remote-cert-tls (2.0.6)
09:14 < Haris_> Use --help for more information.
09:14 < Haris_> doesn't make sense
09:14 < Haris_> according to http://openvpn.net/index.php/documentation/howto.html#mitm
09:14 < vpnHelper> Title: HOWTO (at openvpn.net)
09:15 < Haris_> I have to put it there
09:18 < Haris_> :o
09:25 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"]
09:29 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
09:34 -!- ser [n=ser@sergiusz.pawlowicz.name] has joined ##openvpn
09:34 < ser> hello, is it possible to run openvpn as a client for one connection and a server for another in static key mode?
09:49 < El_Presidente> Haris_, you need ns-cert-type server instead of the other one ...
09:49 < El_Presidente> since you use 2.0.6
09:49 < El_Presidente> read the howto!
09:49 < Haris_> I am
09:49 < Haris_> what I'm doing is, I'm manually generating the certs/keys
09:49 < El_Presidente> replace remote-cert-tls with ns-cert-type server
09:49 < Haris_> and the howto is built around doing it with pre-existing example scripts from openvpn
09:50 < Haris_> I'm getting cert verification errors
09:54 < Haris_> why does the cleanall script delete the key_dir ?
09:56 < El_Presidente> cleanall means cleanall ...
09:57 -!- Haris_ is now known as Haris
10:08 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:16 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
10:46 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
11:04 -!- ser [n=ser@sergiusz.pawlowicz.name] has left ##openvpn []
11:14 -!- Lede [n=lede@85.148.228.92] has quit [Read error: 113 (No route to host)]
11:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:43 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: clusterm1gnet, bsdbandit, vcs, d0wn, blaxthos, disco-, rubydiamond, pa, Haris, worch, (+15 more, use /NETSPLIT to show all of them)
11:43 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: eagle, nemysis, krzie_, skx, disposable, smk, Typone, infinity_, sigius, kala, (+4 more, use /NETSPLIT to show all of them)
11:46 -!- Netsplit over, joins: rubydiamond, bandini
11:46 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
11:46 -!- Netsplit over, joins: skx, El_Presidente, nemysis, Haris, ropetin, Solver, roentgen_, eagle, Typone, pa (+6 more)
11:46 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:46 -!- Netsplit over, joins: disco-, worch, clusterm1gnet, blaxthos, stephenh, dvl, logiclrd, troy-, vpnHelper, hardwire (+9 more)
11:47 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
11:49 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit [Client Quit]
11:52 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
12:01 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has joined ##openvpn
12:02 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit ["Lost terminal"]
12:05 < pg1054> is there a required/recommended relationship between server/client key bit depth (e.g., i'm using 2048-bit rsa) and the bit-depth of the "DH Parameters" key file? I.e., must (should?) I use 2048-bit dhparam as well?
12:43 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has quit []
13:02 -!- Baneo [n=hi2u@sophus.tiendaofertas.com] has joined ##openvpn
13:05 < Baneo> people can connect to my server, however can't browse at all once it's open
13:05 < Baneo> any ideas?
13:13 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Remote closed the connection]
13:15 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
13:19 -!- mib_e1owaj [i=52e6d07c@gateway/web/ajax/mibbit.com/x-72cde72297aa254d] has joined ##openvpn
13:19 < mib_e1owaj> hi
13:19 < mib_e1owaj> there
13:19 < mib_e1owaj> is there anyone here ?
13:20 < mib_e1owaj> i try to install openvpn on my ubuntu pc it don't want to install
13:23 < mib_e1owaj> by doing this command $ . ./vars it give this message NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
13:24 < mib_e1owaj> is it normal ?
13:25 < mib_e1owaj> hello
13:25 < mib_e1owaj> is there anyone here ?
13:31 < Haris> yes
13:31 < Haris> this is normal
13:32 < mib_e1owaj> hi haris
13:32 < mib_e1owaj> thx for your participation
13:33 < mib_e1owaj> then
13:33 < mib_e1owaj> running this command i got this error
13:34 < mib_e1owaj> desktop:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ sudo ./clean-all Please source the vars script first (i.e. "source ./vars") Make sure you have edited it to reflect your configuration.
13:34 < mib_e1owaj> what i have to do exactly ?
13:34 < mib_e1owaj> or can i skip this error ?
13:35 < Haris> it wants you to look at the vars file
13:35 < Haris> for any modifications you might want to make
13:35 < Haris> it's ignore-able
13:36 < mib_e1owaj> so can i ignore this error ?
13:36 < mib_e1owaj> is it ?
13:37 < Haris> yes
13:37 < Haris> not sure what source vars means
13:38 < mib_e1owaj> -desktop:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ sudo ./build-ca Please edit the vars script to reflect your configuration, then source it with "source ./vars". Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all". Finally, you can run this tool (pkitool) to build certificates/keys.
13:38 < mib_e1owaj> can i ignore this
13:38 < mib_e1owaj> too
13:40 < mib_e1owaj> can i skip this one too ?
13:40 < mib_e1owaj> hello plz
13:46 < Haris> try going through them
13:47 < mib_e1owaj> sorry
13:47 < mib_e1owaj> can i ignore this error or not
13:47 < mib_e1owaj> ?
13:47 < Haris> Nope, you can't
13:48 < mib_e1owaj> what i have to ?
13:48 < mib_e1owaj> to solve this error ?
13:48 < mib_e1owaj> plz
13:48 < Haris> read the instructions and do as it says, lol
13:49 < mib_e1owaj> http://pastebin.ubuntu.com/121539/
13:49 < mib_e1owaj> this is the vars file actual configuration
13:50 < Haris> have you run the command -> source ./vars ?
13:50 < Haris> if not, run it
13:51 < Haris> then run ./clean-all
13:52 < mib_e1owaj> source ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
13:52 < mib_e1owaj> $ sudo ./clean-all Please source the vars script first (i.e. "source ./vars") Make sure you have edited it to reflect your configuration.
13:52 < mib_e1owaj> it gives exactly the same message
13:55 < Haris> if you have run those commands, you can ignore this message
13:55 < Haris> it's programmed to be displayed that way
13:56 < mib_e1owaj> ok
13:56 < mib_e1owaj> thx
14:00 -!- mib_e1owaj [i=52e6d07c@gateway/web/ajax/mibbit.com/x-72cde72297aa254d] has quit ["http://www.mibbit.com ajax IRC Client"]
14:00 -!- rdw200169 [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has joined ##openvpn
14:07 < Haris> where is db_fetch_cell() supposed to be ?
14:07 -!- rubydiam_ [n=rubydiam@123.236.183.130] has joined ##openvpn
14:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out]
14:57 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
14:57 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
15:04 < Baneo> hey - any experts willing to take a look at something? I'll pay if need be. I can accept connections however no traffic seems to be routing through at all
15:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:11 < Baneo> anyone at all? :]
15:11 < krzee> ?
15:12 < Baneo> i've got some problems with openvpn - i think it's the iptables, basically people can connect to the vpn
15:13 < Baneo> however no traffic is being routed, i.e they can't use the net
15:14 < krzee> you have redirect-gateway def1, ip forwarding enabled, NAT setup?
15:16 < Baneo> yeah - i've checked all i know - it's beyond me i think
15:16 < Baneo> i've searched around on google etc - of course
15:16 < Baneo> yet to find an answer or some sort of pointer
15:16 < Baneo> i'd be willing to pay for someone's time to take a look? it would be greatly appreciated
15:17 < Baneo> i think it's something to do with iptables
15:18 < Baneo> i'm trying to add rules to forward traffic but it's not changing anything
15:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:23 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
15:24 < Baneo> krzee: any chance of you taking a look?!
15:24 < krzee> !iptables
15:24 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:24 < krzee> =]
15:24 < krzee> !linnat
15:24 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:26 < krzee> there ya go =]
15:27 -!- krzee [i=nobody@hemp.ircpimps.org] has quit [Client Quit]
15:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:31 < Baneo> it acts like it's adding
15:31 < Baneo> but when i show the rule list, it isn't
15:35 < Baneo> krzee: can you take a look? i'll pay for your time
15:36 < krzee> im not much of a linux guy
15:36 < krzee> but go ahead and pastebin it
15:54 < Baneo> krzee: http://pastebin.com/m27ba66cc
15:55 < krzee> heh
15:55 < krzee> you def have a problem
15:55 < krzee> ask a linux channel
15:55 < krzee> when the rules actually add, you should have better luck
15:55 < Baneo> does it seem fine otherwise?
15:55 < krzee> umm
15:56 < krzee> only thing i can say that 1 way or other for is ip forwarding
15:56 < krzee> you showed me firewall and ip forwarding
15:56 < krzee> firewall is problem
15:56 < krzee> other than that i saw nothing
15:58 < krzee> if you post your configs (with no comments) i can answer that
16:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:23 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
16:39 < reiffert> krzee: carnival?
16:42 < krzee> nah didn't make it to brazil
16:42 < krzee> but im in peru
16:42 < krzee> and it's AWESOME here
16:43 < reiffert> Doh, after 10 years of no carnival I've made it into the next bigger city today, tons of alcohol, tons of pretty girls, many friends and my pride. Tomorrow'll be the same thing again ..
16:46 < reiffert> Hope I get her join home very soon...
16:46 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:46 < krzee> where are you?
16:47 < reiffert> krzee: http://maps.google.de/maps?f=q&source=s_q&hl=de&geocode=&q=Klein-Winternheim&sll=51.151786,10.415039&sspn=13.27051,27.333984&ie=UTF8&ll=49.945476,8.211594&spn=0.212537,0.427094&t=h&z=11
16:47 < vpnHelper> Title: Google Maps (at maps.google.de)
16:47 < reiffert> n you?
16:47 < krzee> Lima, Peru
16:48 -!- felix__ [n=felix@static-87-79-236-180.netcologne.de] has joined ##openvpn
16:48 < reiffert> gimme some link
16:48 < Roman123> I have a question about the "every hour disconnect" of openvpn (http://openvpn.net/archive/openvpn-users/2006-12/msg00189.html). Does this disconnect also take place if data is transferred over the tunnel at this time?
16:48 < vpnHelper> Title: Re: [Openvpn-users] OpenVPN, One Time Password, Disconnect every hour. (at openvpn.net)
16:49 < Roman123> or does it only take place if the tunnel is in idle state?
16:50 < reiffert> krzee: just showing my girl where you've been and where you're going to .. would be nice to have something clickable... 16:52 < reiffert> ok, we've found lima. 16:53 < krzee> Roman123, mine never disconnects, just re-keys 16:54 < Roman123> krzee: hmm, thanks for the response. This re-key activity takes place every hour? 16:55 < krzee> yes 16:56 < Roman123> ah, ok. I guess this "TLS: tls_process: killed expiring key" and "TLS: soft reset sec=0 bytes=38324/0 pkts=719/0" etc. 16:56 < Roman123> is the re-keying section in the openvpn log. 16:57 < krzee> yup 16:57 < krzee> does it kill xfers? 16:58 < Roman123> Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #284 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings 16:58 < Roman123> I'm not sure what this is. 16:58 < krzee> you on wireless? 16:58 < Roman123> krzee: maybe, ^^^ 16:59 < krzee> see what it told you to 16:59 < krzee> !man 16:59 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:59 < Roman123> No, I connect two lans 17:01 < Roman123> krzee: Currently I'm taking a look at the postings on google about his message. 17:01 < Roman123> this 17:09 < reiffert> krzee: still with me? 17:09 < reiffert> krzee: check out http://musicovery.com/ 17:09 < vpnHelper> Title: Musicovery : interactive webRadio (at musicovery.com) 17:09 < krzee> for 2 min 17:09 < krzee> battery dying 17:09 < krzee> and im out by the pool 17:09 < reiffert> krzee: must see! 17:09 < krzee> link saved 17:09 < reiffert> Must listen too. 17:10 < reiffert> spent last night with it, omg. 17:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 17:19 < sigius> Q: wireshark (a.k.a ethereal) is not decoding my openvpn traffic. 
Does anyone now of a wireshark dissector (decode plugin) to use for this purpose ? 17:22 < reiffert> sigius: OS? 17:28 < sigius> linux (debian) 17:34 < reiffert> running tcpdump -n -i tun0 works for you? 17:34 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 17:51 -!- nemysis [n=nemysis@81-241.0-85.cust.bluewin.ch] has quit [Remote closed the connection] 17:52 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 18:18 < sigius> reiffert, sorry for the delay, had a bit of distraction here. Yes I can capture the traffic but it is being present as plain 'UDP'. I'd like wireshark to dissect the traffic as openvpn/ssl traffic 18:21 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn 18:40 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit ["Lost terminal"] 18:51 -!- rubydiam_ [n=rubydiam@123.236.183.130] has quit [Read error: 104 (Connection reset by peer)] 18:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 19:33 -!- El_Presidente [i=Martin@p5798F09A.dip.t-dialin.net] has quit ["Verlassend"] 19:42 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 19:43 < metbsd> is there good book about vpn? i find it confusing 19:50 -!- oc80x [i=oc80z@quad.efnet.pe] has joined ##openvpn 20:14 -!- felix__ [n=felix@static-87-79-236-180.netcologne.de] has quit ["leaving"] 20:16 -!- metbsd [n=AXT@unaffiliated/metbsd] has quit [Read error: 104 (Connection reset by peer)] 20:17 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 20:19 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 20:20 < eliasp> hi 20:21 < eliasp> i have a strange problem on one of our hosts... 
nearly all the time, the OpenVPN connection stalls and the openvpn.log on this client is filled with lines like this: Mon Feb 23 03:19:23 2009 read UDPv4 [EHOSTUNREACH]: No route to host (code=113) 20:21 < eliasp> it is a OpenVPN specific issue, as at the same time, it's no problem at all accessing the client directly via SSH... only via OpenVPN it stalls 20:22 < eliasp> i've issued a 'traceroute' to the OpenVPN server while the connection was stuck... it worked fine... 20:23 < eliasp> has anyone ever seen such a behavior before? there's also a bug in the Gentoo bugtracker where i've added my case as comment #8 http://bugs.gentoo.org/223033 20:23 < vpnHelper> Title: Gentoo Bug 223033 - net-misc/openvpn - VPN traffic disrupts networking in a strange way (at bugs.gentoo.org) 20:27 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn [] 20:39 -!- Baneo [n=hi2u@sophus.tiendaofertas.com] has quit [Client Quit] 20:59 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 21:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 21:20 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 21:27 -!- rubydiam_ [n=rubydiam@123.236.183.74] has joined ##openvpn 21:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 21:49 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 21:49 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 21:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 21:56 -!- rubydiam_ [n=rubydiam@123.236.183.74] has quit [Read error: 110 (Connection timed out)] 22:04 -!- rubydiam_ [n=rubydiam@123.236.183.74] has joined ##openvpn 22:13 -!- rubydiam_ [n=rubydiam@123.236.183.74] has quit ["Leaving..."] 22:21 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 22:22 -!- dmb 
[n=dmb@unaffiliated/dmb] has joined ##openvpn 22:23 < dmb> ok, i need some help with iroute stuff 22:23 < dmb> basically, i set my openvpn server up to have all traffic, including the internet go through it 22:24 < dmb> the localip for the client is 192.168.1.174 22:24 < dmb> vpn ip is the normal 10.8.0.1 22:25 < dmb> i have iroute 192.168.1.0 255.255.255.0 for client1 22:25 < dmb> yet it still keeps printing out tons of Mon Feb 23 04:26:58 2009 client1/74.214.115.252:42519 MULTI: bad source address from client [192.168.1.174], packet dropped 22:25 < dmb> along with Mon Feb 23 04:27:00 2009 client1/74.214.115.252:42519 Replay-window backtrack occurred [1] 's 22:26 < dmb> can someone tell me what i'm doing wrong? 22:31 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit [] 22:38 < oc80x> sup 22:38 < oc80x> not quite sure, hang on and we can help 22:38 < oc80x> brb. 22:38 < dmb> ok 22:38 < dmb> is there a way i can tell if iroute is working? 22:38 < dmb> i don't see to see it in verbose mode 22:58 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn 23:15 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit [] 23:17 -!- oc80x [i=oc80z@quad.efnet.pe] has quit [] 23:56 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [] --- Day changed Mon Feb 23 2009 00:04 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 00:59 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: soberbit, disposable 00:59 -!- Netsplit over, joins: disposable, soberbit 01:57 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:03 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has joined ##openvpn 02:14 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn 02:17 -!- jave [n=user@79.138.130.132.bredband.tre.se] has joined ##openvpn 02:17 < jave> hello 02:17 < jave> I'm having difficult getting an openvpn conneection working 02:18 < jave> we have a suse openvpn 2.0 server, and 2.1 
clients. is this a problem? 02:19 < dazo> jave: that should normally work fine ... but it might be a good approach to upgrade to the latest 2.1 on the server as well 02:19 * dazo have been running openvpn-2.1rc15 since it was released without any issues 02:19 < jave> dazo: ok, but I'm not sure there are any 2.1pkgs for opensuse 02:20 < jave> also I get this warning: WARNING: No server certificate verification method has been enabled 02:20 < jave> is this critical? 02:20 < mazzachre> I have setup openvpn on a box with a public ip address, I can connect to it, and it forwards and routes to the local network (Have tested via traceroute from my own linux workstation. However my coworkers running windows and outlook cannot connect outlook to the exchange server via vpn. 02:21 < dazo> jave: that might be a problem ... I would try to sort out that one .... tls-remote might be the option you'll need to look at 02:21 < dazo> jave: are you running opensuse or Novell SLES/SLED? 02:21 < mazzachre> I get that warning also. What does it mean? 02:22 < jave> dazo: opensuse on the server. fedora on one client, vista on another client 02:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:23 < dazo> mazzachre: that error means that it has not been enabled any methods for double checking that the server you are connecting to is validated ... hostname used against hostname (common name) used in the certificate match checking 02:25 < dazo> jave: I would dig around a little bit to find some 2.1 packages ... I'm pretty sure that's available, even though most probably not in the stable repos .... and if not, compiling openvpn is quite easy, and it do not depend on much which you most probably already have installed on your box already .... openvpn is actually a small piece of software 02:25 < mazzachre> dazo: Uhm... I don't understand... How to fix? 02:25 < dazo> mazzachre: --tls-remote 02:26 < mazzachre> dazo: In config file? 
(I use init scripts on linux and openvpn gui on windows) 02:27 < dazo> mazzachre: yes, in config .... tls-remote would be the config file option 02:30 < mazzachre> If I set that, do I need to generate new keys etc? And If I set it in server, does all clients need to add it immediately to be able to connect? 02:31 < dazo> mazzachre: the argument you give here must match the CN field of the server certificate, that's all 02:31 < dazo> mazzachre: usually that should be the hostname of your server 02:33 < mazzachre> argument to what? should tls-remote have an argument? 02:34 < jave> like : tls-remote nwise 02:34 < jave> but I still get: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page). 02:34 < mazzachre> ok 02:34 < jave> and: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 02:36 < dazo> jave: yeah, that next warning is pretty much annoying ... that comes automatically whenever you use tls-remote ... that's just an informative warning, as a lot of users have over time misunderstood the concept of tls-remote 02:36 < jave> dazo: ok thanks 02:36 < jave> is there a simple way of ensuring that the server is actually running? like "nc host 1194" or something 02:37 < dazo> jave: you could always check with netstat ... f.ex. run as root: netstat -lnptu | grep openvpn 02:37 < mazzachre> ah remote 02:38 < jave> dazo: yes but atm I dont have a shell on the server 02:38 < jave> will have later when I arrive at work 02:38 < mazzachre> you can always try to telnet to the port... if you get a connection, it is running 02:38 < mazzachre> So, no one have windows clients trying to connect to shared drives and exchange over an openvpn connection? 02:39 < dazo> jave: the TLS key negotiation failed .... that can be depending on some bugs in openvpn versions ... I think it was an issue in one of the versions between 2.1rc10-13 ... 
but it can also mean that static keys (if you use that in addition) is wrong 02:39 < jave> dazo: no static keys 02:40 < jave> 2.1 rc15 on this client 02:40 < jave> but ill try to upgrade the server then 02:40 < dazo> mazzachre: I've done that with Samba (Linux) and Windows clients ... no problem ... but you'll need to check up the firewall settings ... you might want to set up a WINS server and give details about WINS in "push" statements for DHCP parameters in openvpn config 02:41 < dazo> jave: check that you also have the same cipher settings on both client and server ... that can also give the same error 02:41 < dazo> jave: +1 for upgrade ... no big danger here 02:42 < dazo> mazzachre: have a look at --dhcp-option in the documentation 02:44 < mazzachre> dazo: Does it matter that the shares are on a AD network? 02:45 < dazo> mazzachre: yes, that could be ... but I'm not a MS/AD/Windows expert so I do not know anything about any gory details 02:45 < mazzachre> dazo: I forward anything that comes in on tun0 to the network behind the server. And I can traceroute from my linux machine to anything on the internal network... 02:47 < dazo> mazzachre: well, traceroute is one thing ... have you tried tcpdump on the openvpn server ... on your internal network and on your vpn network on that box? If you see SMB/CIFS/Exchange traffic passing ... then it's most probably something on the Windoze server 02:47 < dazo> mazzachre: if you see traffic hitting your win server but no reply ... then it's either firewalling on that server and/or routing issues 02:48 < dazo> mazzachre: if you see traffic going out from your win server on the internal net but not hitting the vpn network ... then it is firewalling/routing on your vpn box 02:49 < mazzachre> Will the vpn connected machines ip address be the address of the tun device? 
(eg 172.16.0.x) 02:50 < dazo> mazzachre: the ip address which will be used on your internal network from vpn clients, will be the VPN client IP address which it is given, yes 02:52 < mazzachre> So, (repeating to know I understood this correctly) my vpn servers lan address is 192.168.7.125, the tun addresses are 172.16.0.x, the exchange server is on 10.0.0.0/8 network (I push route 192.168.7.0/24 and 10.0.0.0/8 in config). So, my client will have eg address 172.16.0.25 on the local network? Or it have 192.168.7.125 (Servers ip) 02:57 < mazzachre> Ahh.. look in firewall.. All is SNAT to 192.168.7.125 so it should be the address of the server... 03:00 < dazo> mazzachre: I'm not sure I would recommend you to SNAT the VPN tunnel traffic ... if you really want VPN clients to be a part of the local network (as a locally connected client) I would rather consider bridging 03:01 < dazo> mazzachre: it might work fine normally with SNAT ... but with proprietary Microsoft protocols and mostly "Microsoft concealed standards" on the protocol level, you'll never know how that really will work out in reality 03:05 -!- jave` [n=user@h-131-104.A184.priv.bahnhof.se] has joined ##openvpn 03:14 < mazzachre> So.. I should set openvpn up as bridging? 03:14 < mazzachre> How does that work? 03:23 < dazo> mazzachre: quick basics ... you'll create a bridge with brctl and add the tun/tap devices here and the eth interface of your internal network ... the br0 interface will have the proper IP address and that's the interface to be used in firewall rules etc ... 
all traffic going to one of the interfaces in the bridge will then distributed accordingly to the other devices as well 03:23 < dazo> mazzachre: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 03:23 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 03:24 < dazo> mazzachre: http://www.linux.org/docs/ldp/howto/Bridge+Firewall.html 03:24 < vpnHelper> Title: Linux Online - Linux Bridge+Firewall Mini-HOWTO version 1.2.0 (at www.linux.org) 03:25 < dazo> never mind this one ... that was pretty much outdated 03:28 -!- jave [n=user@79.138.130.132.bredband.tre.se] has quit [Read error: 110 (Connection timed out)] 03:30 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 54 (Connection reset by peer)] 03:30 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 03:31 < dazo> mazzachre: this one seems to be more updated: http://www.linuxfoundation.org/en/Net:Bridge 03:31 < vpnHelper> Title: Net:Bridge - The Linux Foundation (at www.linuxfoundation.org) 03:32 < dazo> mazzachre: you don't need to look at STP/Spanning Tree Protocol .... that's for a different usages than what you need now 03:42 < mazzachre> ok.. thx... will take a look.. 03:48 < jave`> dazo: now I got the connection working by upgrading the server! 03:48 < jave`> Thanks 03:48 < dazo> jave`: no prob :) 03:48 < dazo> jave`: good to hear it works now :) 03:50 < jave`> another question: I want to connect to a network called 10.0.75.X, but ive rigged openvpn to have a net like 10.8.0.X. what is the best way to configure the net? routing? something more clever? 03:53 < dazo> jave`: I'd recommend routing 03:54 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 03:54 < jave`> dazo: you can have the server send out routes to the clients right? 03:55 < dazo> jave`: yeah .... push "route " 03:55 < jave`> Thanks 04:01 < mazzachre> I HATE EXCHANGE!!! 04:01 < mazzachre> sry... just had to shout 04:01 * hads nods 04:02 < mazzachre> And it seems correct... 
it is not possible to use SNAT on openvpn to connect clients with outlook to an exchange server :s 04:02 < mazzachre> Why oh why? :( 04:05 < mazzachre> Everything else is working... why not this? 04:10 < dazo> mazzachre: because Microsoft did not know what it means to follow standards earlier ... but they slowly seems to begin to understand it now .... it just took them 5-6 Windows releases to understand why it's clever to follow standards 04:11 < hads> I tried to setup OpenVPN on a Windows network the other day, it wasn't fun, still not had a chance to look at why it's not working. 04:11 < mazzachre> dazo: I don't think they have gotten around to it yet... They are just mourning that they can't control the internet... planning how to mangle the standards so they can... 04:11 < dazo> mazzachre: well, things seems to change now with IE8, if what I read about it really is true .... 04:12 < dazo> mazzachre: but it'll probably take a while for Exchange, as the competition here is not so strong as in the browser market 04:12 < mazzachre> They should just scrap IE and fix windows, office and exchange... 04:13 < dazo> mazzachre: I dare you to tell that to Steve Balmer ... face to face .... 04:13 < dazo> look out for flying chairs ....... 04:21 < mazzachre> If I could get a face to face meeting with Steve Balmer I would tell him that... I would tell him how he could turn M$ from one of the most hated companies in the world into one of the most loved... And still make loads of money... 04:21 < mazzachre> But I can't get a face to face meeting with him... and he would probably not listen to the chief developer of some minor European company anyways... 04:25 < mazzachre> Hmm... So, I should setup a bridging interface for all our "road warrior" machines? And one for our Miami office (So people there, while at work, should not start their vpn)? 
04:25 < jave`> dazo: I put in a route like this: push "route 10.0.75.1 255.255.255.255" 04:25 < mazzachre> That takes some ip addresses... (looks at LAN) 04:25 < jave`> then I enabled ip_forward in the server 04:25 < jave`> it doesnt work, did I miss something? 04:26 < mazzachre> jave`: you need to enable forwarding in the kernel and from iptables... and if you are routing, you need to nat or masquerade it 04:26 < dazo> jave`: try running the openvpn on the client with verb 4 .... that should give you something more .... are the client running as root? 04:26 < dazo> mazzachre: nope ... you don't need to nat or masq 04:26 < jave`> this is a colleague's vista client 04:27 < jave`> but I can try from my fedora laptop 04:27 < dazo> jave`: make sure it's running with Admin privileges 04:27 < jave`> yes I believe it is running as admin 04:27 < mazzachre> dazo: Before I nat'ed the traffic from tun to eth, I could not contact anything on the lan side of the server... 04:28 < hads> You need routing 04:28 < dazo> jave`: pay close attention to the logs with verb 4 ... it usually gives clear hints 04:29 < dazo> mazzachre: hads is correct ... you need to set up sensible routes, that's all 04:30 < hads> e.g. On the default gateway 04:34 < mazzachre> I don't quite follow... In my case... what would be the way to go? (sorry for being a newb on networking) We have a local network 192.168.7.0/24 where the vpn server sits. It is connected to another local network (10.0.0.0/24) where the exchange, PDC, DNS, WINS, etc. servers sit. We have an office in Miami that needs to connect to the 192.168.7.0/24 network via vpn (over public internet) and should have access to the exchange servers etc. We also 04:34 < mazzachre> have machines that are not stationary to any of these networks and should connect via public internet... 
04:34 -!- c64zottel [n=hans@p5B17B3D0.dip0.t-ipconnect.de] has joined ##openvpn 04:37 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 04:37 < mazzachre> I should set aside a range of ip's on local LAN (192.168.7.0/24) for bridged vpn connections and setup all clients (that are not stationary) to use bridged vpn, and setup a default route in Miami for 192.168.7.0/24 and 10.0.0.0/8 to go through a vpn connected router there? And default to global internet? 04:39 < mazzachre> When I look in my openvpn log, I get a lot of "bad source address from client [172.20.0.15], packet dropped" (clients lan ip), why do I get those? 05:00 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 05:00 < metbsd> i'm wondering, how do i get bridge to work in openvpn 05:01 < metbsd> what does server-bridge mean 05:04 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn [] 05:06 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 05:06 < mRCUTEO> !route 05:06 < vpnHelper> mRCUTEO: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 05:08 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [] 05:13 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 05:29 < mazzachre> So... If I don't have access to edit the routing tables of the default gw of my lan, I must use bridging because I cannot setup the correct routes? 05:29 < mazzachre> (or can I do nat/masq of any and all packages coming from tun+ in the server? Would that even work?) 
05:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:46 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn 05:46 -!- jave`` [n=user@79.138.130.132.bredband.tre.se] has joined ##openvpn 05:47 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit [Client Quit] 05:47 -!- jave` [n=user@h-131-104.A184.priv.bahnhof.se] has quit [Read error: 60 (Operation timed out)] 06:17 -!- lkthomas [n=lkthomas@218.189.198.146] has joined ##openvpn 06:17 < lkthomas> hey guys 06:17 < lkthomas> http://www.debian-administration.org/articles/35 06:17 < vpnHelper> Title: Joining Networks with OpenVPN (at www.debian-administration.org) 06:17 < lkthomas> this guide seems not involve any encryption ? 06:30 < dazo> lkthomas: I've just given it a very briefly and quick look ... as long as no cipher options are given to OpenVPN, it will default to blowfish encryption, IIRC 06:31 < lkthomas> I see 06:31 < lkthomas> I don't care what the encryption type it is using 06:31 < lkthomas> I just need it to be encrypt :) 06:31 < lkthomas> dazo, I could also specify the encryption type, right ? 06:32 < dazo> lkthomas: that's right, again by using the cipher option 06:32 < dazo> lkthomas: to see which are available, you can call openvpn --show-ciphers .... that will give you a list 06:33 < lkthomas> ok, one more question, what if those networks which is not run by this openvpn gateway? maybe I just need to use route add to add those routes to my openvpn router ? 06:33 < dazo> but you probably should care what kind of encryption you're using .... that will define how easily it will be to crack the encryption 06:33 < dazo> lkthomas: sounds about right .... 
have a look at 06:33 < dazo> !route 06:33 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 06:42 < lkthomas> thanks man 06:46 < mazzachre> When setting up bridging, should I remove the starting of the eth device from system startup? Or can eth0 be started by the system and then linked to the tap devices in a bridge? 06:52 < dazo> mazzachre: you should probably stop eth from startup ... or reconfigure it so that the init script sets the interface up as a part in a bridge 06:52 < dazo> mazzachre: which distro? 06:53 < mazzachre> Using gentoo 06:55 < dazo> mazzachre: The distro I know best ... but I don't really recall how to do it now ... have a look at the different examples in /etc/conf.d/net.example 06:58 < dazo> mazzachre: most probably, you'll need to have a look for something like bridge_br0="eth0" 07:01 < dazo> mazzachre: http://www.pastebin.ca/1344881 .... just a wild shot in the dark ... I believe you would need something like this in your /etc/conf.d/net file 07:01 < dazo> http://www.pastebin.ca/1344884 .... fixed some typos 07:10 < mazzachre> dazo: ok.. so I should not use the "bridging-start" script mentioned on the openvpn site? 07:10 < mazzachre> but use the bridging setup in gentoo baselayout 07:11 < dazo> mazzachre: if you use the gentoo baselayout setup I pastebin'ed (with your local adaptations) ... I think that might work somehow better 07:11 < dazo> mazzachre: try tweaking and using the baselayout config instead of adding extra scripts ... makes it easier to maintain for you afterwards 07:12 < mazzachre> dazo: Sure... 07:12 < mazzachre> Uhm... all the things... are they supposed to be like that, or should I change them? 07:13 < dazo> mazzachre: are you looking at http://www.pastebin.ca/1344884 ? 07:13 < mazzachre> ya 07:13 < mazzachre> bridge_add_="br0" 07:13 < mazzachre> Should it be exactly like that? Or am I supposed to change something there? 
07:13 < dazo> ahh ... sorry :) yeah, you need to change that to your VPN interface 07:14 < dazo> bridge_add_tap0="br0" ... if you're using tap0 .... 07:14 < mazzachre> so... it should say.. bridge_add_tap0="br0"? 07:14 < dazo> yeah 07:15 < dazo> and then config_tap0=( "null" ) later on 07:15 < mazzachre> ok... How do I know what tap device(s) I am using? I would suppose I only use tap0? Or should I have 1 pr. bridged connection? (16 for my 150 - 165 setup) 07:16 < dazo> mazzachre: you'll need one per openvpn server/client process .... and you can define that explicit in the openvpn config with "dev tap0" 07:17 < mazzachre> I have only 1 openvpn started... I will connect 16 other lans to it (basically mostly clients... 1 other complete lan) 07:18 < dazo> so you will have 16 clients connecting to you 1 openvpn server? ... in this case, you'll only need 1 tap device 07:18 < dazo> on the server 07:19 < mazzachre> fine 07:20 < mazzachre> And yes... I will have 16 clients to 1 server... With bridging it should work to have the clients talk to an exchange server right? (Everything else seems to work perfectly... only exchange is a problem... 07:22 < dazo> mazzachre: I can't guarantee anything, as it also depends on how the clients will interact ... but basically, if they are "single" clients using VPN as a tap into the internal network only (not routing network from the client side in addition), I would say this would look very transparent .... in reality, Exchange will believe the VPN client is a local computer on the LAN 07:22 * mazzachre wonders if there is a way to setup an CalDAV server to talk to exchange so we could have std. tools and still use the conference room booking system that uses exchange... 07:24 < mazzachre> Ya... that is what I want... now I am not quite sure if I can do the same with our Miami office (Our main office is in Copenhagen, Denmark) To let the entire network connect brigded to our network and run everything smoothly? 
07:27 < mazzachre> In my current conf.d/net I have routes_eth0=( "default gw 192.168.7.1" ) Should I setup routes_br0 to the same now? 07:27 < dazo> mazzachre: I've never tried that .... might be a bigger challenge ... but on the other hand ... if the openvpn client is setup also as a bridge between VPN and eth ... even dhcp requests would go over the link 07:28 < dazo> mazzachre: yeah, you'll need to change that 07:28 < dazo> mazzachre: are your company in Copenhagen located in Rodovre? 07:30 < mazzachre> No, it is located on Holmen 07:31 < dazo> mazzachre: just curious ... worked for a company located in Rodovre some years ago, and they also had a Miami office :-P 07:32 < mazzachre> nice... Quite a lot of small Danish companies are expanding to the Americas... and locate in Miami, because it gives access to US as well as Caribbean... 07:32 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 07:33 < mazzachre> (And there are nice beaches in Miami.. which we all suspect is the reason our CEO spends so much time over there :D) 07:33 < ecrist> probably not the beaches so much as who's at the beaches... 07:34 < dazo> mazzachre: I see ... well, if you would have worked for that company I was working for earlier, I'm not sure I would be willing to help you much more ... :-P 07:34 < dazo> ecrist: +1 07:36 < mazzachre> dazo: oh... ya... I have a few of those from my past... not wanting to work together with those ever again... 07:36 < mazzachre> ecrist: probably... ya 07:55 < mazzachre> dazo: What net.* init.d scripts should I have? And which should be in default runlevel? 07:56 < mazzachre> dazo: It is not working now of course because only eth0 is started (with null config) 07:56 < dazo> mazzachre: good question ... I would say you need to link net to net.br0 ... and net.br0 needs to be in the runlevel as well as net.eth0 07:57 < mazzachre> dazo: what about net.tap0? 07:57 < dazo> ln -s net.lo net.br0 ... 
is probably the correct one 07:57 -!- vasco [n=vasco@nat/mandriva/x-2d1b2f7e781d6776] has joined ##openvpn 07:58 < dazo> in gentoo you probably want to link /etc/init.d/openvpn to /etc/init.d/openvpn.tap0 ... and place your config under /etc/openvpn/tap0.conf .... and openvpn.tap0 would need to be in the runlevel as well 07:59 < dazo> you might need to investigate if you need a line in the /etc/conf.d/net under the depend_br0() part which says need openvpn.tap0 08:00 < dazo> mazzachre: maybe even .... that you need to change bridge_br0="eth0" to also include tap0, and then removing the bridge_add_tap0="br0" line 08:01 < dazo> I've never tried bridging in gentoo ... so you'll have to try what works for you 08:01 < mazzachre> I just use the openvpn.conf (only vpn connection on this machine) 08:01 < vasco> hello i have 1 general quarter + 2 far away site, what is the components needed for let this 2 site access the general quarter network on a different subnet for example ? 08:02 < vasco> we just have simple routers between each site 08:04 < dazo> mazzachre: that might work as well .... But to make it explicit and clear, I would probably rename the config file and link up the openvpn.tap0 as well ... then it is much clearer how things are set up, and you'll have the basics ready if you need another openvpn process as well 08:05 < mazzachre> ok... well.. server started up, and there is net... 08:05 < dazo> brctl show gives sensible results? 08:06 < mazzachre> no... 08:06 < mazzachre> br0 only contain eth0 08:07 < dazo> mazzachre: hmm ... it should contain tap0 too ... you'll probably need to tweak the net config then, to add the "need openvpn" and then add tap0 into the bridge_br0 line 08:07 < dazo> (and removing the bridge_add_tap0 line) 08:07 < mazzachre> I try with bridge_br0="eth0 tap0" 08:07 < dazo> mm 08:08 < mazzachre> network interface top0 does not exists... Should I start openvpn first? 08:08 < dazo> yeah .... 
you most probably need to add in the depend_br0() part of the config "need openvpn" 08:09 < mazzachre> should I need openvpn net.eth0 net.tap0 or only openvpn or how? 08:09 < dazo> I would guess you would need net.eth0 and openvpn 08:11 < mazzachre> that seems to work so far... (ntp have some issues because I have edited files in the future when it was not started last time :D) 08:12 < dazo> heh 08:12 < mazzachre> Now br0 have eth0 and tap0 as devices... 08:12 < dazo> then you're set :) 08:12 < mazzachre> sigh... 08:12 < mazzachre> Then to configure the clients... 08:13 < dazo> one thing to notice .... your dhcp config needs to stay away from the ip range you've setup in the openvpn config .... to avoid collisions 08:13 < mazzachre> What should I do about those (The do have config that worked with routed tun) now they should use dev tap0 what else should be changed? 08:13 < mazzachre> And DHCP is taken care of... dhcp only handles 2-100, server is 125, vpn addresses are 150-165 08:13 < dazo> mazzachre: I would just try to change that ... if you pastebin a config example, I'll have a quick look 08:14 < dazo> mazzachre: perfect ... then you won't have collisions 08:15 < mazzachre> http://dpaste.com/80/ (before change to tap) 08:15 < mazzachre> Should I use tap or tap0? 08:20 < mazzachre> Seems that I can connect and get an address on the network... problem is that I am already on the network and cannot test if I can do everything through the new tap0 interface... What about routing? Should I push the routing I had before? 192.168.7.0/24 and 10.0.0.0/8 in config? Or how do I make client do the right thing? (use vpn for this net and public internet for rest?) 08:22 < dazo> mazzachre: good question ... I would guess tap0 08:22 < dazo> You will need to push routing as well 08:22 < mazzachre> Ah.. seems to be the same... 08:23 < dazo> if tap0 is already in use on the client, you may change to tap1 .... 
maybe just "tap" will dynamically take what's available 08:23 < mazzachre> Ya... it seems to with with dev tap 08:24 < mazzachre> Trying now with the full config... and a windows client (which was the problem in the first place...) 08:25 < mazzachre> damned... I have now spent the entire day trying to get these windows machines to talk to an exchange server when not in the office... sigh... someone go back in time and make sure windows never gets to be the std. os... 08:25 < dazo> that's why MS consultants are needed and make a lot of money .... like Accenture f.ex .... 08:27 < mazzachre> Could someone not make a NICE client to use OWA protocol? Would that be so hard? 08:28 -!- jimgrow_ [n=sebastin@gw243.carlson.com] has joined ##openvpn 08:30 < dazo> mazzachre: well ... you have evolution in Linux and the Exchange implementation .... but evolution is not too great in reality 08:34 < mazzachre> ya 08:36 < mazzachre> But the OWA protocol should be nicer to the network afaik? And should be routeable etc. (Since it is basically rpc over http) 08:36 < mazzachre> I am not aware how fast it is though? 08:36 < dazo> mazzachre: that's true ... but it's somehow limited in some of the features too, afaik ... like push-mail .... 08:37 < mazzachre> Ya... of course it will have to be... since you can't push using http 08:38 < mazzachre> So it will have to be polled.. 08:38 < dazo> mm 08:38 < mazzachre> should I add -A FORWARD -i tap0 -j ACCEPT to my firewall? (Have added -i br0 so far) 08:39 < mazzachre> (Outlook still cannot connect to exchange) 08:39 < dazo> mazzachre: no, that should not be needed .... br0 should be sufficient 08:40 < dazo> you may try to use tcpdump on the br0 and tap0 interfaces, as well as eth0 ... to make sure you see the traffic going correctly 08:42 < mazzachre> Uhm... we use udp as protocol... 08:43 < dazo> hmm ... doesn't tcpdump also dump udp traffic? I believe it does 08:44 < ecrist> yes, it does. 
08:45 < dazo> ecrist: thx :) 08:46 < mazzachre> ok... emerging tcpdump 08:46 < mazzachre> (not something I have used before...) 08:46 < mazzachre> What should i do? 08:47 < dazo> mazzachre: tcpdump -i -n .... this will give you a brief overview over which ip addresses talking to each other on which ports 08:47 < dazo> mazzachre: if you want to narrow it down to a specific IP address, you may do it like this: tcpdump -i -n host 08:49 < mazzachre> Uhm... how do I debug a user on vpn trying to talk to an exchange server? :) 08:49 < dazo> on the openvpn server ... you can first try to run tcpdump on the br0 interface 08:52 < mazzachre> Doing that... what am I looking for? A lot is going on there... 08:53 < dazo> okey ... try to narrowing it down to only the VPN clients IP address ... using the host argument in addition 08:53 < mazzachre> uhm... -n what? 08:53 < dazo> if you know the port number .... you can also add: and port 08:54 < dazo> -n is to avoid dns resolving of IP addresses, which causes even more traffic 08:54 < dazo> tcpdump -i br0 -n host and port 08:57 -!- jave`` [n=user@79.138.130.132.bredband.tre.se] has quit [Read error: 113 (No route to host)] 08:58 < dazo> you should here see if the client sends a request to the server ... and if the server responds to that request 08:58 < dazo> but make sure that the IP range of the IP addresses the VPN clients now get are in the same network range as the internal network 09:00 < mazzachre> ok... seems to have found at least 1 problem... outlook refuses to accept an ip as server address... resolves it and finds a server name, that points to a different ip when not connected to the internal dns (when outside on public internet)... how clever is that!!! 09:01 < mazzachre> they are... LAN is 192.168.7.0/24 and vpn bridged addresses are 192.168.7.150-192.168.6.165 09:03 < dazo> mazzachre: IP addresses is correct ... 
but I think you've found your problem :) 09:03 < mazzachre> ya 09:04 < dazo> mazzachre: you might need to have a look at the dhcp-options ... to push your internal DNS ... but for Windows clients ... you'll need to do some more tweaks .... I'll find the link regarding this for you as well 09:04 < mazzachre> outlook raaaaawks... "Hey lets NOT let the user decide the exchange server to connect to..." 09:04 < mazzachre> so far I have added the internal address to the hosts file in windows... 09:05 < mazzachre> "It is much better if we here at microsoft decides what mails you should read..." 09:05 < mazzachre> Someone invent me a time machine and let me go back and stop the forming of microsoft.... PLZ!!! 09:07 < dazo> http://support.microsoft.com/kb/311218 09:07 < vpnHelper> Title: Cannot Change the Binding Order for Remote Access Connections (at support.microsoft.com) 09:07 < dazo> mazzachre: ^^^ .... Tweaks needed to make dhcp-options work when sending DNS server to use 09:08 < dazo> mazzachre: In Vista, I don't believe this is needed .... but for all before Vista, it's needed :( 09:09 < mazzachre> as said... can I not just use the hosts file? 09:12 < ecrist> good morning, fuckers. 09:13 < mazzachre> morning? It is 16:19 09:13 < dazo> mazzachre: ecrist has a screwed view of when the morning starts .... such late sleepers :-P 09:13 < mazzachre> :D 09:16 < ecrist> dazo, I've been trolling since 6:30am (~3 hours) 09:16 < ecrist> realized I forgot my 'good morning, fuckers' today 09:16 < dazo> ecrist: hah :) ...well 3 hours ago, is still in the afternoon for some of us :-P 09:17 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Read error: 104 (Connection reset by peer)] 09:17 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn 09:19 < mazzachre> How should I make openvpn push the dns config? 
09:26 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 09:26 -!- carpe_ is now known as plaerzen 09:31 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 09:31 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 09:31 < mazzachre> omg... that seems to work... at least a little bit... 09:38 < dazo> cool! 09:39 < dazo> mazzachre: if you didn't figure it out regarding pushing dns ...... have a look at the --dhcp-options in the man pages 09:42 < mazzachre> Ya 09:42 < mazzachre> I figured it out.. and it seems to be working now... 09:43 < mazzachre> However I have a problem with starting the server... It does not wait for openvpn to startup... So it fails in starting up br0 at boot time... 09:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:43 < mazzachre> Which again causes apache, samba, winbind, tomcat etc. to fail starting up.. 09:44 < mazzachre> So right now I have bricked the server :s 09:44 < mazzachre> Also it refuses to shutdown cleanly 09:46 < mazzachre> When it is started up (failing most of the highlevel services) openvpn is started up however... so I can manually start net.br0, samba and everything with the init scripts... 09:51 < ecrist> mazzachre: use an --up script for bridging the interfaces, or some other method. 09:51 < ecrist> the rc scripts generally have a method which allows for requirements. 09:52 < mazzachre> I have setup requirements... it seems some timeout value or missing wait does it... 09:54 < mazzachre> trying to reboot server again... 09:55 < mazzachre> It does not want to shutdown either... 
10:00 -!- bombayvdmo1 [n=victor@adsl190-28-199-78.epm.net.co] has joined ##openvpn
10:00 < bombayvdmo1> hi
10:00 < bombayvdmo1> if the openvpn connection fails it does not resolve the remote server correctly and displays in the log file: "Mon Feb 23 15:47:25 2009 RESOLVE: Cannot resolve host address: thenameserver.domain.com: [TRY_AGAIN] A temporary error occurred on an authoritative name server."
10:02 < ecrist> bombayvdmo1: what's your question?
10:04 < mazzachre> hmm... perhaps I didn't need to do all this bridging anyways? :s and could have done everything with that dhcp option thingie...
10:04 < mazzachre> fuck windows and outlook...
10:05 < bombayvdmo1> ecrist: i want openvpn to restore or reconnect when the connection fails
10:06 < bombayvdmo1> ecrist: but, if the connection fails, openvpn does not resolve the name of the openvpn server
10:07 < bombayvdmo1> ecrist: my current solution is to restart the openvpn client manually
10:09 < mazzachre> bombayvdmo1: You can use tcp... with udp, the client or the server can never know if either one disconnects uncleanly
10:11 < bombayvdmo1> ecrist: proto tcp in server and client
10:11 -!- vasco [n=vasco@nat/mandriva/x-2d1b2f7e781d6776] has quit [Remote closed the connection]
10:14 < dazo> mazzachre: regarding booting and init scripts .... it might be you'll need to create something for net.tap0 to make it work, as long as depend_br0() does not seem to work .... you can also try to start openvpn directly in the depend_br0() block, that might be a hack around it
10:14 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:15 < bombayvdmo1> ecrist: client config file http://fpaste.org/paste/4284
10:36 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection]
10:41 -!- bombayvdmo1 [n=victor@adsl190-28-199-78.epm.net.co] has left ##openvpn []
10:43 -!- skarab [n=skarab@bb-87-80-113-141.ukonline.co.uk] has joined ##openvpn
10:44 -!- Trueblood [n=chatzill@c-98-245-17-136.hsd1.co.comcast.net] has joined ##openvpn
10:45 < Trueblood> !logs
10:45 < vpnHelper> Trueblood: "logs" is please pastebin your logfiles from both client and server with verb set to 6
10:47 < skarab> Is it possible yet to have two ifconfig client pools?
10:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:51 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
11:06 < Trueblood> What is the configuration directive that will cause connects and disconnects to appear via syslog, particularly with the CN from the certificate?
11:06 < Trueblood> ...is it a -verb thing?
11:18 -!- polaru [n=polaru@93.113.192.70] has quit [Connection reset by peer]
11:48 < Trueblood> ...ah, it's a "head up my butt" thing... the "daemon" config is the magic.
11:48 -!- Trueblood [n=chatzill@c-98-245-17-136.hsd1.co.comcast.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"]
11:48 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)]
11:48 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
12:10 -!- skarab [n=skarab@bb-87-80-113-141.ukonline.co.uk] has left ##openvpn []
12:38 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
13:51 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:14 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
14:24 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)]
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:24 -!- clusterm1gnet is now known as clustermagnet
15:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 113 (No route to host)]
16:16 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:19 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)]
16:31 -!- c64zottel [n=hans@p5B17B3D0.dip0.t-ipconnect.de] has quit ["Leaving."]
16:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
17:03 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
17:12 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:12 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn
17:16 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Read error: 60 (Operation timed out)]
17:19 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
17:25 -!- jimgrow_ [n=sebastin@gw243.carlson.com] has quit ["Ex-Chat"]
18:07 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:39 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection]
19:39 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
20:00 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:43 -!- dcestari [n=dcestari@190.142.113.2] has joined ##openvpn
20:43 < dcestari> hello everybody
20:44 < dcestari> I'm having an error "TLS Error: TLS handshake failed"
20:50 < dcestari> anyone?
20:57 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:05 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:11 -!- dcestari [n=dcestari@190.142.113.2] has quit []
21:43 -!- lkthomas [n=lkthomas@218.189.198.146] has quit ["Leaving"]
21:55 -!- malibu [n=malibu@S0106001310429722.wp.shawcable.net] has joined ##openvpn
22:05 < malibu> Hi there.. I can't connect to openvpn set up on a PC in my home... I'm trying to get it to work over TCP 21, so I can get out of my work.
22:05 < malibu> I get the TLS auth did not occur in 60 seconds messages
22:06 < malibu> Should this be able to work over TCP/21?
22:09 < malibu> I know my server is listening.. I see the listener go away when I stop it, etc
22:09 < malibu> my firewall is open..
22:10 < malibu> my keys are right.. i've gone through the process twice
22:10 < malibu> I can't imagine what this could be
22:11 < malibu> I get connection established, but then the connection resets
22:12 < malibu> I get TLS handshake failed in the openvpn log
22:30 < jpalmer> and this is why my computers don't have internet connectivity at my workplace, other than via an HTTP proxy.
22:36 -!- malib1 [n=malibu@S010600904b29e5eb.wp.shawcable.net] has joined ##openvpn
22:39 -!- malib2 [n=malibu@S0106001310429722.wp.shawcable.net] has joined ##openvpn
22:40 < malib2> people are basically trusted where I work.
22:41 < malib2> By the way... For some reason it works on TCP/1194, UDP/1194, TCP/23, UDP/23, UDP/21 but not TCP/21!!
22:41 < malib2> Anyway I think TCP/23 should do the trick
22:53 -!- malibu [n=malibu@S0106001310429722.wp.shawcable.net] has quit [No route to host]
22:54 -!- malib1 [n=malibu@S010600904b29e5eb.wp.shawcable.net] has quit [Read error: 110 (Connection timed out)]
23:03 -!- malib2 [n=malibu@S0106001310429722.wp.shawcable.net] has quit [Read error: 113 (No route to host)]
23:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
23:20 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
23:48 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
--- Day changed Tue Feb 24 2009
00:12 -!- lkthomas [n=lkthomas@218.189.198.146] has joined ##openvpn
00:12 < lkthomas> hey guys
00:12 < lkthomas> do I have to have two interfaces for openvpn to operate ?
00:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:33 < hads> No
00:41 < lkthomas> hads, so I could just use an alias interface to get it working ?
01:29 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
01:40 < mRCUTEO> !configs
01:40 < vpnHelper> mRCUTEO: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:43 < hads> That expression would be better as '^#|^;|^$'
01:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:55 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:01 < krzee> umm no
02:01 < krzee> it would be better as ^[#;]
02:02 < reiffert> Put in some optional whitespaces.
02:08 < hads> krzee: Umm no, I was referring to the blank line issue.
02:11 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has joined ##openvpn
02:12 < dazo> lkthomas: why do you think you need two interfaces?
02:15 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
02:15 < kexman> hi there
02:15 < kexman> i managed to lock myself out from my openvpn :)
02:15 < kexman> hehe
02:15 < kexman> i think it's trying to redirect my connection through the vpn ... which i don't want
02:16 < dazo> sounds less clever
02:16 < kexman> can i somehow tell the openvpn client not to get the routes ?
02:16 < dazo> kexman: have a look if you use redirect-gateway somewhere
02:16 < kexman> and just have routes to reach the vpn network ?
02:16 < kexman> dazo: well i can't connect to the openvpn server :)
02:17 < kexman> redirect-gateway local def1,route-gateway 192.168.5.1
02:17 < kexman> this is from the local openvpn.log (client)
02:17 < kexman> after connecting
02:17 < kexman> can i somehow ignore that ?
02:17 < dazo> kexman: hmm ... okey, so that is pushed from the server?
02:18 < kexman> yepp ... and until i can get past this i can't remove that ... since i have no connection to the server :)
02:18 < kexman> i was thinking about manually deleting routes ....
02:18 < kexman> would that work ?
02:18 < KWhat4> why is open vpn so effing complicated to set up
02:18 < dazo> kexman: that should work ... restore your old routes
02:18 < kexman> dazo: but i don't know what routes i need :)
02:18 < kexman> hehehe
02:19 < dazo> kexman: you might want to create a dummy script and then use the --iproute option, then this script will be called instead of the route command ... but you'll anyway then need to set up a route back to your internal network over the VPN
02:19 < kexman> dazo: http://rafb.net/p/ZHeQ9846.html
02:19 < vpnHelper> Title: Nopaste - No description (at rafb.net)
02:20 < kexman> what do i need of that second routing table ... just to be able to connect to 192.168.5.1
02:20 < dazo> kexman: if you disconnect openvpn, you can dump the route table ... then you see what you need .... start the connection .... and then do a new route dump, then you'll see what you need to change to make it work ... most probably you just need to restore the original default gateway
02:20 < hads> KWhat4: It's not
02:21 < kexman> yeah well now i have two defaults :) hehehe
02:21 < kexman> dazo: that paste has a disconnected route -n and connected one
02:21 < dazo> kexman: you'll need to delete the default route on line 16 in your pastebin
02:21 < KWhat4> hads: i'm looking at about 6 different keys
02:22 < lkthomas> actually
02:22 < lkthomas> I am doing some testing
02:22 < lkthomas> can I just use an alias interface to try to tunnel and route two subnets between two boxes ?
02:23 < dazo> lkthomas: I still don't understand what you try to achieve ....
02:24 < kexman> dazo: yes but how to do that ?
02:24 < kexman> Tue Feb 24 10:27:59 2009 write UDPv4 []: Network is unreachable (code=101)
02:25 < dazo> kexman: route del default gateway 192.168.5.1 tap0 ?
02:25 < dazo> maybe it was route del default gw .... instead of gateway
02:26 < dazo> kexman: anyway the route on line 17 also looks completely weird
02:26 < KWhat4> open vpn use tcp or udp
02:26 < dazo> KWhat4: default is 1194/udp ... but it depends on your config files
02:28 < kexman> dazo: how could i delete that line ? route del 128.0.0.0 gateway 192.168.5.1 ?
02:28 < dazo> kexman: something like that
02:28 < hads> The OpenVPN docs are really very good.
02:28 < dazo> kexman: you might need to add netmask 128.0.0.0
02:29 < lkthomas> dazo, I am trying to tunnel between two public network boxes
02:29 < lkthomas> these two boxes only have one interface
02:29 < lkthomas> and VPN is to tunnel private subnet
02:30 < kexman> dazo: route del default gateway 192.168.5.1 netmask 128.0.0.0
02:30 < lkthomas> so can I just create an alias interface for the private subnet ?
02:30 < kexman> this is how it worked
02:30 < dazo> lkthomas: are you doing some virtualisation of some kind ... since you have 2 boxes and only one interface?
02:30 < kexman> but i can't delete the line with the 128.0 starting :)
02:30 < dazo> kexman: never mind that route now ... you might be able to access your things now ....
02:31 < kexman> yeah i think i already can .. gonna try
02:31 < dazo> kexman: that last route probably needs to be corrected in either server or client config file
02:31 < kexman> still i need to learn how to properly delete / add routes
02:31 < dazo> kexman: man route
02:31 < kexman> :) yepp
02:31 < kexman> dazo: it's working
02:31 < kexman> thanks a lot
02:31 < dazo> kexman: np!
02:32 < lkthomas> dazo, yep
02:32 < lkthomas> usually each box contains two interfaces
02:32 < dazo> lkthomas: aha ... then you might already have a bridge setup .... or?
02:33 < lkthomas> bridge? no
02:33 < dazo> lkthomas: are we talking physical or virtual interfaces?
02:33 < lkthomas> actually
02:33 < hads> You'd have lo of course.
02:33 < lkthomas> let me explain this
02:33 < dazo> lkthomas: and are you inside the guest .... or on the virt-host?
02:33 < lkthomas> our current network is using the 172.18.2.x subnet in this office
02:33 < dazo> (dom0 in Xen terminology)
02:34 < lkthomas> another branch is running 10.1.1.x and 10.1.9.x, they are running IPSEC
02:34 < kexman> dazo: you know what the problem was ? :) i removed that line from the config by commenting it :) (the line with redirect-gateway) but the problem was that i didn't restart the server
02:34 < lkthomas> and they got their own VPN router as well
02:34 < kexman> also #push "redirect-gateway def1"
02:34 < kexman> that should work flawlessly :)
02:34 < lkthomas> now, I want to add a new VPN for a new subnet, let's say 10.99.99.x using openvpn simple tunneling
02:35 < dazo> kexman: sounds like it's gonna work now for you
02:36 < kexman> yepp works fine now
02:36 < dazo> lkthomas: in this setting .... the tun/tap interface which openvpn will use ... will have the 10.99.99.x address ... and you don't need any new "extra" interfaces ... all you need is routing then
02:36 < kexman> 86.123.235.212 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
02:37 < lkthomas> sorry, one more addition, we would like to use subnet 172.18.2.x that could reach 10.99.99.x as well
02:37 < dazo> kexman: you're pretty brave ... sharing public IP addresses ;-) ... might want to DoS you now :-P
02:38 < dazo> lkthomas: again, all which is needed is routing (and firewall rules, if that's in use on internal addresses)
02:39 < lkthomas> dazo, if I use openvpn --remote
02:40 < lkthomas> --ifconfig 10.99.99.2 10.99.99.3 ?
02:41 < dazo> lkthomas: yes? That seems reasonable .... but you might want to add --route 172.18.2.0 255.255.255.0 10.99.99.2 (or 3, depending on if you are client or server)
02:42 < dazo> lkthomas: and also to add an extra route for each network segment you want to set up
02:42 < dazo> lkthomas: it might be you'll find more info here:
02:42 < dazo> !route
02:42 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:42 < lkthomas> yes, just add those routes to the proper gateway
02:44 < dazo> lkthomas: yeah, that's all :) ... then everything should basically be set up
02:44 < lkthomas> how is the performance compared with IPSEC like this?
02:44 < lkthomas> seems super easy ?
02:45 < dazo> lkthomas: I don't have any IPSEC experience, so I don't know .... I just know that openvpn is super-light compared to the IPSEC implementation ... and configuration of openvpn is pretty much straightforward if you read the docs and give yourself time to try out things
02:45 < dazo> lkthomas: but openvpn is super easy :)
02:46 < lkthomas> actually
02:46 < lkthomas> the problem is that our sonicwall does not support openvpn
02:47 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has quit ["Leaving."]
02:47 < dazo> lkthomas: that's a problem ... but you do know that you need openvpn on both sides to make it work? openvpn does not support any other protocols ....
02:47 < lkthomas> yes I know
02:47 -!- bandinia [n=bandini@79.20.21.198] has joined ##openvpn
02:48 < kexman> dazo: if you want to ....
02:48 < dazo> lkthomas: good :) Just wanted to be really sure .... still a lot of users who are surprised by that :)
02:48 < lkthomas> dazo, if I use the --remote method to connect both sides, is there any protocol to help reconnect the two sides when it is disconnected ?
02:48 < dazo> kexman: nah ... not today .... need to get back to work again .... but can I save the IP? Is it a static IP address of yours? :-P
02:50 < kexman> dazo: not mine :) not static :)
02:50 < lkthomas> dazo, I got a question about routing
02:50 < lkthomas> assume I got two sides
02:50 < lkthomas> A and B
02:50 < dazo> lkthomas: Not sure I follow .... but you can have several --remote ... and it goes round robin (iirc) to several hosts until it gets a connection .... you also have keepalive to help out on disconnect issues
02:50 < lkthomas> from A to B is faster than from B to A
02:50 < lkthomas> does openvpn know how to pick the best connection route ?
02:51 < dazo> kexman: hmmm ... okey, I'd better trace you down in another way then :-P
02:51 < kexman> hehe :)
02:51 < dazo> lkthomas: openvpn does not care about that .... you'll need to use the metric option in the route command to control that
02:52 < kexman> go to http://www.ukprivateinvestigators.com/ :)
02:52 < vpnHelper> Title: UK Private Investigators and Detectives, Matrimonial Surveillance, Relationship Investigations, Missing Persons, Background Reports, Surveillance, The UK Private Investigators and Detectives (at www.ukprivateinvestigators.com)
02:52 < lkthomas> dazo, where could I find those docs ?
02:52 < lkthomas> route command on openvpn or what ?
02:53 < dazo> lkthomas: openvpn only gives you a virtual network interface (tun or tap device, depending on config) ... and encrypts the traffic between two end points .... the rest is default TCP/IP networking, just that some (or all) traffic is routed via this virtual interface
02:54 < lkthomas> looks like I need to write some script to deal with this
02:54 < lkthomas> maybe ping return will help a bit
02:55 < dazo> lkthomas: that would be the route command which handles the metric settings
02:55 < lkthomas> dazo, I got another question
02:55 < lkthomas> remember 10.99.99.x ?
02:55 < dazo> lkthomas: yeah?
02:56 < lkthomas> that remote network needs to use the internet connection as well
02:56 < lkthomas> so the openvpn server has to enable NAT too
02:56 < lkthomas> any docs telling me how to work this out ?
02:57 < dazo> lkthomas: I again am not sure what you ask .... openvpn will work perfectly well, also under NAT
02:57 < lkthomas> ok, the remote network looks like that
02:57 < lkthomas> the whole subnet machines running 10.99.99.x
02:57 < lkthomas> only one connection is there
02:58 -!- Netsplit over, joins: krzie_
02:58 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: kala
02:58 < lkthomas> 1. they need to connect to the 172.18.2.x subnet
02:58 < lkthomas> 2. they need to use NAT as well
02:58 < dazo> lkthomas: this is still too vague for me to understand ...
02:58 < lkthomas> you know you could direct all traffic to the VPN right ?
02:59 < lkthomas> we just want to direct the proper traffic to the VPN tunnel
02:59 < lkthomas> everything else should run as NAT
02:59 < dazo> lkthomas: yes, that is possible .... so if that is what you want, then you need to do masquerading on the openvpn server for traffic coming from the tun/tap device and going out "to the world"
03:00 < dazo> lkthomas: ahh ... okey ... now I follow
03:00 < lkthomas> so what should I do? any docs showing how to deal with this ?
03:00 < dazo> lkthomas: this is actually the default ... if you do not use --redirect-gateway .... it will work like this ... you just then need to add --route for each network segment you want to route via the VPN tunnel
03:01 < dazo> lkthomas: please read this link:
03:01 < dazo> !route
03:01 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:01 < lkthomas> ok :)
03:01 < dazo> lkthomas: this example might be a little bit more advanced .... but it gives you the basics for how routing works as well
03:01 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
03:02 < lkthomas> I printed it out but felt too tired to read it last night
03:04 < lkthomas> dazo, thanks for helping
03:04 < lkthomas> leaving soon
03:04 < dazo> lkthomas: no prob
03:04 < lkthomas> talk to you later
03:12 < lkthomas> dazo, you still there ?
03:13 < lkthomas> I still have some problem
03:14 < lkthomas> dazo, are you still around ?
03:18 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
03:40 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has joined ##openvpn
03:40 < MrY> hi all
03:40 < lkthomas> ?
03:40 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
03:41 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has joined ##openvpn
03:41 < MrY> I installed openvpn on a linux box as client, i can not find the "init-config" script anywhere? any idea?
03:43 < lkthomas> no idea, I'm just trying to use it to connect as P2P
03:43 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
03:43 < lkthomas> brb
03:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:20 -!- arturob [n=bandini@host27-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
04:25 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
04:33 -!- bandinia [n=bandini@79.20.21.198] has quit [Read error: 110 (Connection timed out)]
05:06 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
05:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:35 -!- reallove [n=dan@unaffiliated/reallove] has joined ##openvpn
05:35 < reallove> !route
05:35 < vpnHelper> reallove: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:47 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
05:53 -!- Haris_ [i=Haris@119.152.5.87] has joined ##openvpn
05:55 -!- dar_ [n=dar@fwnctech.nctech.fr] has joined ##openvpn
05:55 < dar_> elo
05:55 < kexman> i have an openvpn problem :)
05:55 < dar_> since i have updated my ubuntu i can't connect to my work vpn
05:55 < kexman> i have several eth's and some bridges
05:55 < dar_> it says that the key is vulnerable and blocks me from connecting to the server
05:55 < kexman> and two subnets
05:55 < dar_> is there a way to force it ?
05:56 < kexman> i have 5.0 network and 10.0 network
05:56 < kexman> i'm connected to 5.0 via openvpn
05:56 < kexman> when connected normally to 5.0 i can ping 10.2 but when i'm connected from openvpn i can't connect to 10.2
05:56 < kexman> why is this ?
05:57 < dar_> kexman: in conf if my memory is good you have to create a text file containing the list of subnets you want to be able to connect to, something like ipp.txt
05:58 < kexman> dar_: aaaa :) i thought i can connect wherever my openvpn server can
05:59 < kexman> aaa right
05:59 < kexman> wait i don't have a route to 10.0 on my laptop ... and it would go through the default gw which doesn't know where to get 10.0 from
05:59 < kexman> ahaaa
05:59 < kexman> dar_: thankx
06:00 < dar_> so no one could help me with my problem
06:00 < dar_> ?
06:00 < dar_> :)
06:00 < dar_> i just want to be able to force the connection even if my key is blacklisted
06:00 < kexman> no clue there sorry
06:00 < dar_> and what is strange is
06:01 < dar_> Tue Feb 24 13:05:46 2009 ERROR: '/etc/openvpn/keys/client1.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.
06:01 < dar_> # openvpn-vulnkey /etc/openvpn/keys/client1.key
06:01 < dar_> Not blacklisted: ff3c85c94e7367ace91e048b35d6326e /etc/openvpn/keys/client1.key
06:01 < dar_> ????
06:01 < dar_> i can't understand at this point
06:09 < dar_> kexman: are you here
06:09 < dar_> ???
06:12 -!- Haris [i=Haris@unaffiliated/haris] has quit [Read error: 110 (Connection timed out)]
06:12 < reallove> hello . I have configured an openvpn server as in here: http://pastebin.com/d1aaa3a8a . The openvpn.up script is http://pastebin.com/m73924f61 . The client, from linux, has this configuration: http://pastebin.com/d684ce247 . From the server, I can ping the client (ie, 192.168.168.2), but vice versa, not. From the client I can only arping the server and see the ARP entry.
06:13 < reallove> where should I look for a solution ? thank you
06:23 < kexman> dar_: yes
06:23 < kexman> i didn't yet start managing keys with openvpn
06:35 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
06:38 < mRCUTEO> i need ya now ohhhh more than words can i say.. i need u now ooh.. i've gotta find a way.. i need you now.. ohh before i lose my mind .. i need u now..
06:47 -!- c64zottel [n=hans@p5B17B102.dip0.t-ipconnect.de] has joined ##openvpn
07:01 < dar_> kexman: the right option is ccd...
07:01 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
07:10 < dazo> dar_: you'll need to check out the people at #ubuntu or some similar things .... the openssl-vulnkey is something they and/or debian came up with
07:11 < dazo> after their rather famous openssl bug
07:11 -!- reallove [n=dan@unaffiliated/reallove] has left ##openvpn []
07:11 < dazo> kexman: for your network issues, regarding routing .... pay a close look at
07:11 < dazo> !route
07:11 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:15 < eliasp> i have a strange issue on 2 of my OpenVPN clients.... the connection is actually unusable as most of the time it is stuck and the log is filled with lines like this: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
07:16 < eliasp> the affected clients are KVM VMs on a remote server... a connection without OpenVPN (direct SSH access) works quite fine... OpenVPN on the physical server is working fine too... just the VMs are affected ;-/
07:16 < dazo> eliasp: sounds like you have an incomplete redirect-gateway configuration .... try removing anything related to that, and it might work ... or else you might have some strange route settings in either client or server (as push route)
07:17 * dazo presumes you did manage to get the openvpn connection up'n'running before it fails with that error
07:17 < eliasp> dazo: it's exactly the same configuration as was used on all other clients in the OpenVPN network (~15 clients) ... it works fine on all of them...
07:17 < dar_> is there any risk to generate openvpn keys with 4096 bits ?
07:17 < dar_> what are the side effects of such an action ?
07:18 < dazo> dar_: nope ... depending on the hardware, re-keying might go a little bit slower ... but that's a quite decent key size
07:19 < dar_> dazo: but i'm talking about cpu resources when you use it, and is it slowing the traffic much more than with 1024/2048 ?
07:19 < dazo> dar_: the public/private keys (which use 4Kbit keys) are only used during key negotiation between the client and server and that happens over the control channel
07:20 < dar_> dazo: so it won't get slower than before (except at connection time) if i have understood well
07:20 < dazo> dar_: when client/server agree on a key ... they use the encryption scheme defined by --cipher .... which can be up to max 256bit keys
07:20 < dar_> ha ok only 256 ???
07:21 < dar_> dazo: it's not a strong encryption, is it ?
07:21 < eliasp> dazo: the connection is established... i can log in via SSH but then it is randomly stuck....
07:21 < dazo> dar_: that's the maximum, since the data channel uses symmetric encryption
07:21 < dar_> just for information, ipsec for example can do more encryption or not ?
07:22 < dazo> dar_: the public/private keys are only used to initiate that encryption. And since you do have the public key widely known, the key size must be much higher
07:22 < dazo> dar_: I believe I heard that a 128bit key for symmetric encryption was comparable to 4096bit asymmetric encryption
07:23 < dar_> ha ok!
07:23 < dar_> :)
07:23 < dar_> thanks for that information ;)
07:24 < dazo> dar_: anyway ... 256bit symmetric encryption is considered strong these days .... 64 bit and below is considered weak .... 128 is debatable
07:25 < dazo> dar_: anyway ... the performance loss on using 4Kbit asymmetric keys will only be during key-exchange for client/server to agree on the next key being used for the symmetric encryption of the data channel (your network traffic)
07:25 < dar_> so doing VoIP through an openvpn configured like that (with 4096 public/priv) and 256 bits can be really secure
07:25 < dazo> dar_: np!
07:25 < dazo> dar_: yes, it can :)
07:25 < dar_> just another question
07:25 < dar_> by default is it 256 with openvpn ?
07:26 < dazo> dar_: I definitely would not discourage such a config :)
07:26 < dar_> :D
07:27 < dazo> dar_: I'm not sure, to be honest .... I believe it is blowfish encryption which is used as default, but I don't remember the default key size
07:27 < dazo> dar_: have a look at --cipher in the docs
07:27 < dazo> (and --keysize)
07:27 < dar_> thks i'm going to check :)
07:30 < dazo> eliasp: if your connection suddenly drops after having established the link .... it really sounds like you're messing with the default gateway somehow ... or that you have some IP address collisions
07:30 < dazo> eliasp: esp. if the configs work in other places
07:31 < dar_> ;cipher AES-256-CBC # AES :D
07:31 < dazo> dar_: just remember to remove that ; at the beginning of the line ;-)
07:32 < dar_> yes :)
07:32 < dar_> i really love openvpn
07:32 < dar_> simple and robust!
07:32 < dazo> dar_: you're darn right ;-)
07:33 < eliasp> dazo: hmm, but if i had problems with my default gateway every other connection like SSH (outside of OpenVPN) would have issues too, wouldn't it?
07:33 < eliasp> dazo: an IP collision was my first thought too... this would mean my OpenVPN server hands out the same IP twice... i'll double-check that but i'm pretty sure that's not the case...
07:34 < dazo> eliasp: I might have misunderstood you ... but I thought you said the SSH link also broke ...
07:34 < eliasp> uhm, sorry... i was probably a little bit unclear... the SSH link is broken inside of OpenVPN, outside works just fine....
07:35 < dazo> eliasp: hmmm ... which versions are you running on server and client?
07:36 < eliasp> dazo: 2.0.7 on all of them
07:36 < eliasp> that's the latest "stable" package provided by Gentoo
07:37 < dazo> eliasp: heh ... well, Gentoo is really not updated at all .... anyway, I can recommend 2.1_rc15 - I'm running that on Gentoo, and it's been running stable since it was released
07:38 < eliasp> dazo: yeah, running 2.1_rc15 on some windoze clients too... i'll give 2.1_rc15 a try... let's see what happens then...
07:38 < dazo> eliasp: I would probably try to upgrade to 2.1_rc15 ... I might be able to provide you with a partially working ebuild file
07:38 < dazo> if interested
07:39 < eliasp> dazo: there's an ebuild for 2.1_rc15 in portage... it's just keyworded...
07:39 < dazo> eliasp: ahh ... they're getting forward :) It was missing when I did the upgrade :-)
07:39 < eliasp> hehe
07:40 < eliasp> dazo: someone else reported the same problem on b.g.o: http://bugs.gentoo.org/show_bug.cgi?id=223033 i've added my case as comment#8
07:40 < vpnHelper> Title: Gentoo Bug 223033 - net-misc/openvpn - VPN traffic disrupts networking in a strange way (at bugs.gentoo.org)
07:45 < eliasp> ok, running 2.1_rc15 on one of them now.... let's see how it works...
07:45 < dazo> eliasp: yeah, I even think I heard some Ubuntu guy complaining about something similar .... it begins to refresh in my head now ...
07:46 < eliasp> yehaw... no stuck connection so far ;-)
07:49 < eliasp> wow, cool... the new 2.1_rc15 ebuild now even provides support for pushing DNS etc. by default... roy marples wrote an up.sh script for gentoo which uses net-dns/openresolv ...
07:49 < dazo> eliasp: anyway ... I can warmly recommend 2.1_rc15 for production .... it is just as stable as it should be for a production environment
07:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:51 < eliasp> dazo: yes, i think i'll test it for some hours now on these 2 problematic clients and if there aren't any further issues, i'll upgrade the whole network... as some windows users complained about having connection problems sometimes... maybe this is related to the 2.0.7 server too...
07:51 * dazo believes so
07:51 * dazo runs into a meeting for some hours
07:52 < eliasp> dazo: in the past i had problems when upgrading the server... not all clients automatically reconnected... so i've lost the connection to them... is there any config param which helps with this issue?
07:52 < eliasp> dazo: ok, have fun in the meeting
07:52 < eliasp> dazo: thx for your help!
08:01 -!- andylockran [n=andylock@genesis.zrmt.com] has joined ##openvpn
08:01 < andylockran> hey gutys
08:01 * ecrist looks around for gutys
08:01 < andylockran> can I run two openvpn servers on port 1194 - if connecting with certA then use config A, and certB config B ?
08:01 < andylockran> ecrist: s/gutys/guys/
08:02 < ecrist> ah. :P
08:02 < ecrist> andylockran: no
08:02 < andylockran> ecrist: ok - so new server diff port ?
08:02 < ecrist> unless they're on different IPs.
08:02 < ecrist> either a different port, or another IP
08:03 < andylockran> ok, ta
08:05 < eliasp> maybe it works if you run one of them in udp and one of them in tcp mode... don't know if this makes it possible to use the same port twice...
08:05 < ecrist> eliasp: yes, you could run one tcp and one udp, but tcp is not recommended.
08:05 < ecrist> !tcp
08:05 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
08:05 < eliasp> ok ;)
08:07 < dar_> dazo: i have the following message on a client WARN: could not open database for 4096 bits. Skipped
08:07 < dar_> dazo: but it connects normally
08:07 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn
08:08 < dar_> oups forget it, it is just openssl-blacklist that has never seen that :)
08:15 < dar_> i just wanted to know why my ipp is incorrect ?
08:24 < dar_> elo
08:25 < ecrist> dar_: what do you mean your ipp is incorrect?
08:25 < dar_> it doesn't contain the "true" ip of the client
08:25 < dar_> ips are decremented by 2
08:26 < ecrist> what you're likely seeing is the network address for the /30 that's assigned to a given client
08:26 < ecrist> ipp listing +1 is the server's endpoint, ipp +2 is client IP, ipp +3 is broadcast
08:27 < dar_> so for example my server is 10.0.0.1
08:27 < dar_> but the first client starts at 10.0.0.6 (real ip)
08:27 < dar_> how can i make it start at 10.0.0.2
08:27 < dar_> ?
08:28 < ecrist> you're running 2.1_rc15, right?
08:28 < ecrist> !topology
08:28 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:30 < dar_> heuuuuuu
08:31 < dar_> OpenVPN 2.0.9
08:31 < ecrist> dar_: in that case, you cannot change the behavior
08:31 < dar_> :(
08:31 < ecrist> all clients, and the server, need to be 2.1
08:31 < dar_> ok
08:31 < ecrist> why does it matter?
08:31 < dar_> another question :)
08:32 < dar_> do you know any tools (like VOIP) for making direct phone calls IP to IP (or perhaps with conference mode) to use through openvpn
08:36 < ecrist> dar_: you can use anything across the VPN. You could set up a VOIP server for use on your VPN, if you'd like.
08:36 < ecrist> otherwise, use something like Team Speak for simple voice comms
08:36 < dar_> thanks :)
08:37 < eliasp> dar_: if you want a real SIP server, take a look at Asterisk
08:37 < eliasp> dar_: it works with all the usual SIP clients/softphones
08:38 < ecrist> if krzee were here, he'd recommend Freeswitch
08:40 < dar_> :)
08:43 < eliasp> oh, never heard of freeswitch... looks nice... ;-)
08:44 < ecrist> iirc, it's a start-over by one of the original devs of asterisk.
08:44 < ecrist> he claims to do right where asterisk went wrong
08:46 < eliasp> a pity we just set up an Asterisk here...
if i had known Freeswitch before this would have been a nice option....
08:55 < dar_> i can't find any valuable doc for setting up an asterisk server only for an Intranet (no outside connection to a third server) for VoIP only
08:56 < ecrist> dar_: look harder. really, just follow any document on setting up a VOIP server, and don't set up the outside lines.
08:56 -!- andylockran [n=andylock@genesis.zrmt.com] has left ##openvpn []
08:56 < ecrist> regardless, that's a question for another forum, say #asterisk or #freeswitch
08:57 < dar_> ;)
09:03 -!- disposable [i=disposab@blackhole.sk] has left ##openvpn []
09:05 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit [Read error: 113 (No route to host)]
09:52 -!- mkultras [n=scotth@unaffiliated/mkultras] has joined ##openvpn
10:02 < eliasp> dazo: uhm, after having the openvpn connection running for a while using 2.1_rc15 i got this problem again... read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
10:02 < dazo> eliasp: hmmm ... are you running 2.1_rc15 on both client and server?
10:04 < eliasp> dazo: ah, good idea... i should try to upgrade the server first...
10:05 < eliasp> dazo: do you know how to make the clients reconnect automatically when the server is restarted?? last time i restarted the server i couldn't reach some of the clients anymore...
10:06 < ecrist> eliasp: that error has to do with your internet connection, not OpenVPN
10:06 < ecrist> look in the man page for resolv-retry
10:07 < eliasp> ecrist: the EHOSTUNREACH error?
10:07 < eliasp> ecrist: ah, ok.. thx
10:07 < ecrist> eliasp: yep
10:07 < dazo> eliasp: not quite sure, to be honest ... there are some options which are supposed to help out here (ping, ping-retry, keepalive, iirc) but I'm not sure that's the solution
10:07 < dazo> eliasp: ecrist might be closer to something, actually
10:07 < eliasp> ecrist: i don't think it's a problem of the internet connection... don't know if you read the description of this issue earlier...
i'll give a short overview again...
10:09 < eliasp> i have several openvpn clients, all using the same config... all of them, except 2, work fine.. the two causing problems are KVM VMs on a root-server... when connecting to these clients via OpenVPN the connection is most of the time stuck and the log is filled with these EHOSTUNREACH messages... while the SSH connection via OpenVPN is stuck, everything else works fine by not using OpenVPN (connecting directly via SSH to the external IP of this host)
10:10 < eliasp> so the problem occurs only for OpenVPN itself... the network "outside" of OpenVPN keeps working fine....
10:10 < ecrist> so, connecting to the *real* IP works, but not the VPN ip?
10:11 < ecrist> post the log file for one of the clients having a problem
10:11 < eliasp> ecrist: exactly... but the strange thing is... connecting works (mostly) but then it keeps hanging for long periods... works again for some seconds... hangs again... and so on...
10:11 < eliasp> ecrist: ok
10:12 < eliasp> ecrist: http://dpaste.com/883/
10:13 < eliasp> do you think this could be related to KVM's virtio network driver? when KVM tries to keep the VM's tsc in sync with the host, the timer of the virtio network driver isn't really in sync or so...?
10:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
10:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:19 < ecrist> eliasp: are these the only two systems on the virtio systems?
10:20 < eliasp> ecrist: yes, all other systems are virtualized using VMware Server 1.x or are bare metal systems...
10:20 < eliasp> ah, you've asked whether there are further systems on the KVM host... no, only these 2 are running on this host...
10:21 < eliasp> i made sure they have unique MAC and IP addresses... also the IPs assigned by OpenVPN are unique... so it isn't an address duplicate issue...
10:22 < ecrist> eliasp: there are some google results which indicate either 1) bad network cabling and/or 2) failing DNS
10:27 -!- arturob [n=bandini@host27-110-dynamic.44-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
10:28 < eliasp> ecrist: i think neither... as the connection is stable all the time on the physical host-server... or even to the VMs when connecting directly to their IP...
10:28 < ecrist> in that case, I'd point a big finger at your virtual machines.
10:29 < eliasp> ecrist: yes, looks like KVM or KVM's virtio driver is the bad guy in this case ;-(
10:30 < ecrist> interesting: http://beta.openvpn.net/images/pdf/openvpn_access_server_system_admin_guide.pdf
10:32 < ecrist> I really dread open source programs that go commercial
10:43 < dazo> eliasp: keep in mind that KVM is fairly new, so is virtio ... so there might be some kernel bugs here which are not found or fixed yet
10:43 < eliasp> dazo: yes, i'm just trying e1000 as network driver instead of virtio... if the problem doesn't occur anymore i'll file a bug at the KVM bugtracker
10:44 < dazo> eliasp: sounds good
10:46 < eliasp> argh, it happened again using the e1000 driver...
10:48 < dazo> ecrist: seems like Yonan is slowing down the open source part of openvpn ... to make it commercial now ... which might explain why 2.1 has been in beta for almost 2 years
10:51 * dazo heads home ...
10:51 < dazo> c'yall tomorrow
11:00 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
11:15 < eliasp> mDuff: don't know, never used TCP for OpenVPN http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:15 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
11:15 < eliasp> oops, wrong chan ;)
11:20 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
11:26 < eliasp> where do i find mailinglist information?
http://openvpn.net/mail.html is a 404 ;-(
11:28 < eliasp> ah, found it https://lists.sourceforge.net/lists/listinfo/openvpn-users
11:28 < vpnHelper> Title: Openvpn-users Info Page (at lists.sourceforge.net)
11:29 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has joined ##openvpn
11:30 < DarKnesS_WolF> where can i find the docs to create an openvpn server which supports keys and username / password ?
11:47 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
12:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:21 -!- c64zottel [n=hans@p5B17B102.dip0.t-ipconnect.de] has quit ["Leaving."]
12:40 < krzee> [06:43] dar_: if you want a real SIP server, take a look at Asterisk
12:41 < krzee> ya if you want a sip server that will crush itself under any real load =[
12:41 < krzee> we used to actually get more performance by loading multiple virtual machines with asterisk
12:41 < krzee> which is sad
12:41 < krzee> but it did start things off, which is coolness
12:42 < krzee> http://www.freeswitch.org/node/117
12:42 < vpnHelper> Title: How does FreeSWITCH compare to Asterisk? | FreeSWITCH (at www.freeswitch.org)
12:42 < krzee> that is written by the man who made a lot of how asterisk does things, and he happens to be the leader of freeswitch dev
12:47 < krzee> DarKnesS_WolF, 1 sec
12:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:47 < krzee> !factoids search pass
12:47 < vpnHelper> krzee: 'winpass' and '2.1-winpass-script'
12:47 < krzee> !factoids search auth
12:47 < vpnHelper> krzee: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.
see !secure for how
12:47 < krzee> hrm
12:48 < krzee> !man
12:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:50 < krzee> !learn password as please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
12:50 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
12:50 < krzee> !learn password as please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
12:50 < vpnHelper> krzee: Joo got it.
12:52 < krzee> !learn password as or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
12:52 < vpnHelper> krzee: Joo got it.
12:53 < krzee> !learn password as and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
12:53 < vpnHelper> krzee: Joo got it.
12:53 < krzee> there you go DarKnesS_WolF
12:53 < krzee> !password
12:53 < vpnHelper> krzee: Error: That operation cannot be done in a channel.
12:53 < krzee> aww damn, that was built in =[
12:54 < krzee> !learn authpass as please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
12:54 < vpnHelper> krzee: Joo got it.
12:54 < krzee> !learn authpass as or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
12:54 < vpnHelper> krzee: Joo got it.
12:54 < krzee> !learn authpass as and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
12:54 < vpnHelper> krzee: Joo got it.
12:54 < krzee> DarKnesS_WolF, here it is:
12:54 < krzee> !authpass
12:54 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
12:55 < krzee> sorry about all the scroll, but that new entry should help you
12:59 < DarKnesS_WolF> krzee: sorry didn't get it ?
12:59 < krzee> !authpass
12:59 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
13:00 < krzee> see #1
13:00 < DarKnesS_WolF> krzee: perfect thx man :)
13:00 < krzee> np =]
13:01 < krzee> and to read the manual...
13:01 < krzee> !man
13:01 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:08 -!- mib_3cwjc4 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7d7374ee086b22cb] has joined ##openvpn
13:08 < mib_3cwjc4> hi there
13:09 < mib_3cwjc4> i install openvpn on my ubuntu
13:09 < mib_3cwjc4> sudo openvpn /etc/openvpn/server.conf
13:09 < mib_3cwjc4> by running that command i got this error
13:09 < mib_3cwjc4> :
13:10 < mib_3cwjc4> Tue Feb 24 20:00:54 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 Tue Feb 24 20:00:54 2009 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.
Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. Tue Feb 24 20:00:54 2009 Cannot open d
13:10 < mib_3cwjc4> is it normal ?
13:10 < mib_3cwjc4> your help will be welcome
13:12 < mib_3cwjc4> lesenc ???,
13:12 < mib_3cwjc4> is there anyone here ?
13:12 < mib_3cwjc4> ::::::::::::::::===============:::::::::::::::::::::::
13:13 -!- Haris_ [i=Haris@119.152.5.87] has left ##openvpn ["Time to jet!"]
13:14 -!- mib_3cwjc4 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7d7374ee086b22cb] has left ##openvpn []
13:18 < ecrist> wow, impatient much?
13:21 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-620ff7191356f9e9] has joined ##openvpn
13:21 < mib_t9d9g5> hello
13:21 < mib_t9d9g5> is there anyone here ?
13:22 < ecrist> yes
13:24 < mib_t9d9g5> hi
13:24 < mib_t9d9g5> ecrist:
13:24 < ecrist> mib_t9d9g5:
13:24 < mib_t9d9g5> i try to install ubuntu
13:25 < ecrist> were you the one who was just in here?
13:25 < mib_t9d9g5> i try to install openvpn on my ubuntu
13:25 < mib_t9d9g5> sorry
13:25 < mib_t9d9g5> ??
13:26 < ecrist> what is your problem?
13:26 -!- mode/##openvpn [+o ecrist] by ChanServ
13:26 -!- mode/##openvpn [-o ecrist] by ecrist
13:26 < ecrist> stupid script
13:26 < mib_t9d9g5> i try to install openvpn on my ubuntu
13:27 < mib_t9d9g5> after the installation at the configuration stage
13:27 < mib_t9d9g5> openvpn server
13:27 < mib_t9d9g5> can't run
13:27 < ecrist> why not?
13:27 < mib_t9d9g5> so i want to reinstall
13:27 < ecrist> why can't it run?
13:27 < ecrist> no need to reinstall
13:27 < mib_t9d9g5> everything from a to z with someone online
13:28 < mib_t9d9g5> i just deleted every config setting
13:28 < ecrist> ok, have you read the howto?
13:28 < mib_t9d9g5> yes
13:28 < mib_t9d9g5> i read
13:28 < ecrist> that tells you everything you need to know to set up a VPN
13:28 < mib_t9d9g5> w8 i tell the error what i got
13:28 < ecrist> ok
13:28 < mib_t9d9g5> w8 i tell u the error what i got
13:30 * ecrist waits
13:30 < mib_t9d9g5> plz wait
13:30 < mib_t9d9g5> i m doing from a to z
13:38 < mib_t9d9g5> sudo ./clean-all
13:38 < mib_t9d9g5> by doing this i got this error
13:38 < mib_t9d9g5> NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
13:40 < ecrist> ok
13:40 < ecrist> what's your actual question?
13:40 < ecrist> I'm not willing to walk through an entire install/config with you, when there are docs out there to do it for you.
13:40 < ecrist> hell, I've written some of those docs.
13:40 < ecrist> :
13:41 < mib_t9d9g5> sorry i totally sorry
13:41 < mib_t9d9g5> when is the first
13:41 < mib_t9d9g5> time
13:42 < mib_t9d9g5> you can't understand where the problem is
13:42 < mib_t9d9g5> no one around me knows the problem
13:42 < ecrist> mib_t9d9g5: there is no problem that isn't explained in the documentation.
13:42 < ecrist> or in the errors themselves.
13:42 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
13:43 < Roman123> Hi!
13:43 < ecrist> howdy
13:44 < mib_t9d9g5> ok
13:44 < mib_t9d9g5> thx
13:47 < Roman123> Today, I was playing around with openvpn and two routers in our company network (in combination with different static route setups). So I managed to confuse our manageable switches and lock/break our whole network connection. oops :-)
13:49 < Roman123> We had to reboot all three switches to fix the problem.
13:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:51 < ecrist> way to go.
13:51 < Roman123> For me it was a funny situation because I had no idea why this happened. For my colleagues it was not that funny.
13:52 < ecrist> if I was the admin there, you probably wouldn't be there any longer.
:)
14:02 < Roman123> ecrist: well, it is not that easy. The admins are my friends and I'm their boss... :-)
14:09 < Roman123> How should a typical routing table look when using openvpn in tap-mode? Mine looks (at the client side) like this http://pastebin.com/d2c4e2b31
14:10 < Roman123> On the server side it looks like this http://pastebin.com/d248411b7
14:14 < Roman123> It is a pity that I was still not able to set up a working tap-based tunnel between two routers in order to connect two LANs. The tun-based approach goes off without a hitch.
14:30 < DarKnesS_WolF> krzee: thx also i find using a plugin module much safer http://openvpn.net/index.php/documentation/howto.html#auth
14:30 < vpnHelper> Title: HOWTO (at openvpn.net)
15:02 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has quit [Remote closed the connection]
15:03 -!- DarKnesS_WolF [n=wolf@196.218.202.242] has joined ##openvpn
15:07 -!- DarKnesS_WolF [n=wolf@196.218.202.242] has quit [Client Quit]
15:19 < ecrist> Roman123: what problems are you having?
15:19 < ecrist> iirc, you were not bridging the interfaces after the tunnel was up.
15:25 < Roman123> ecrist: what do you mean after the tunnel was up?
15:25 < ecrist> you must actually bridge the tap and ethernet devices in the kernel.
15:26 < Roman123> ecrist: I execute "openvpn --mktun --dev tap0 ; brctl addif br-lan tap0 ; ifconfig tap00.0.0.0 promisc up" on the server as well as on the client.
15:27 < Roman123> tap0 0.0.0.0
15:27 < ecrist> well, first, s/;/&&/ in your command
15:27 < ecrist> and, why are you assigning 0.0.0.0 to your tap device?
15:28 < Roman123> ecrist: because I've seen that in a lot of tutorials.
15:28 < ecrist> which?
15:28 < Roman123> ecrist: Usually I don't execute these commands in one line.
15:29 < Roman123> ecrist: e.g., http://wiki.openwrt.org/OpenVPNHowTo
15:29 < vpnHelper> Title: OpenVPNHowTo - OpenWrt (at wiki.openwrt.org)
15:29 < ecrist> have you followed the howto on openvpn?
15:30 < Roman123> ecrist: this one?
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
15:30 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:30 < ecrist> aye
15:32 < Roman123> ecrist: ifconfig $t 0.0.0.0 promisc up is also in this tutorial
15:32 < Roman123> the sample script
15:34 < Roman123> sorry for this maybe stupid question: The router already has a predefined bridge called br-lan. Do I have to break this bridge first and then assemble it again containing tap0?
15:36 < ecrist> Roman123: why are you setting up a bridge? from the logs, it would appear tun is your solution
15:37 < Roman123> Because I skipped this step. I just used "openvpn --mktun --dev tap0", then "brctl addif br-lan tap0", and at last "ifconfig tap 0.0.0.0 promisc up". At http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html this is done sequentially.
15:37 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:37 < Roman123> ecrist: well, tun works.
15:37 < Roman123> I'd like to connect two lans.
15:37 < ecrist> tun works, right?
15:37 < ecrist> !route
15:37 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:38 < Roman123> being able to send things such as wake-on-lan packets, etc.
15:38 < ecrist> read that
15:38 < Roman123> ecrist: tun works
15:38 < Roman123> I've tried
15:41 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-620ff7191356f9e9] has quit ["http://www.mibbit.com ajax IRC Client"]
15:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:50 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-ba402ab9f1cfd70e] has joined ##openvpn
15:50 < mib_t9d9g5> hi ecrist
--- Log closed Tue Feb 24 15:55:30 2009
--- Log opened Tue Feb 24 16:06:37 2009
16:06 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
16:06 -!- Irssi: ##openvpn: Total of 46 nicks [0 ops, 0 halfops, 0 voices, 46 normal]
16:06 -!- Irssi: Join to ##openvpn was synced in 0 secs
16:09 < ecrist> foo
16:09 < ecrist> I need to reconfigure my network.
16:10 < ecrist> but first, com COD
16:17 < mib_t9d9g5> eh
16:17 < mib_t9d9g5> hello
16:17 < mib_t9d9g5> i place dh1024.pem
16:18 < mib_t9d9g5> in /etc/openvp/keys folder
16:18 < mib_t9d9g5> by running this sudo openvpn server.conf
16:18 < mib_t9d9g5> i got this error :
16:19 < mib_t9d9g5> Tue Feb 24 22:59:24 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 Tue Feb 24 22:59:24 2009 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. Tue Feb 24 22:59:24 2009 Cannot open d
16:19 < mib_t9d9g5> whonoz ?
16:19 < mib_t9d9g5> plz
16:21 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-ba402ab9f1cfd70e] has quit ["http://www.mibbit.com ajax IRC Client"]
16:21 < Roman123> ecrist: The subnets on both sides of the lan (to be connected over openvpn) have to be the same in bridging mode and I should ensure that no ip address is assigned to the bridged interfaces (on the server as well as on the client)? <- someone told me that.
16:23 < Roman123> is that true?
17:02 < reiffert> moin
17:02 < reiffert> Roman123: when bridging, the two bridges themselves should be assigned an IP address as well.
17:03 < reiffert> Roman123: theoretically bridges don't necessarily need an IP assigned, but when not assigning an IP address to the bridges, openvpn can't connect from the client to the server.
17:04 < reiffert> as this connection uses IP.
17:05 < reiffert> ecrist: playing Call of Duty?
17:05 < Roman123> reiffert: ok, this behavior can be observed here. The tap0 interface on the client gets an ip assigned while the tap0 interface on the server remains without one.
17:05 < reiffert> 23:16 < ecrist> but first, com COD
17:06 < reiffert> Roman123: you normally assign them statically on both sides.
17:06 < reiffert> Roman123: oh, please note:
17:06 < reiffert> you bridge the tap0 interface with your eth0 interface to a new interface, the bridge interface, br0 for linux.
17:06 < reiffert> br0 needs to have an IP address on both sides.
17:07 < reiffert> tap0 and eth0 DON'T have one (on both sides)
17:07 < Roman123> yes
17:07 < Roman123> hmm
17:07 < Roman123> br0 has ip addresses on both sides
17:07 < reiffert> hamburg:~# brctl show
17:07 < reiffert> bridge name bridge id STP enabled interfaces
17:07 < reiffert> br0 8000.0002b302faf7 no eth1 tap0
17:07 < reiffert> hamburg:~# ifconfig br0
17:07 < reiffert> br0 Link encap:Ethernet HWaddr 00:02:B3:02:FA:F7 inet addr:192.168.0.64 Bcast:192.168.0.255 Mask:255.255.255.0
17:07 < Roman123> but tap0 has one only on the client side and none on the server side
17:07 < reiffert> tap1 Link encap:Ethernet HWaddr 00:FF:09:D9:91:38 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
17:08 < reiffert> eth1 Link encap:Ethernet HWaddr 00:02:B3:02:FA:F7 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
17:08 < reiffert> Roman123: then you did it wrong.
17:08 < Roman123> I guess the ip address on the client side is assigned by the "server-bridge" config option.
17:09 < reiffert> Roman123: wait, lemme rephrase.
17:09 < Roman123> option server_bridge "192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.254"
17:09 < Roman123> 192.168.1.200 is assigned to tap0 on the client side
17:09 < reiffert> Roman123: is there a LAN behind the openvpn client?
17:09 < Roman123> yes
17:10 < Roman123> I connect two routers over openvpn
17:10 < reiffert> should this LAN behind the client talk to the LAN behind the server?
17:10 < Roman123> well, I'm trying to :)
17:10 < Roman123> yes
17:10 < reiffert> should this LAN behind the client talk to the LAN behind the server?
17:10 < reiffert> and does it work?
17:10 < Roman123> yes
17:10 < Roman123> now it works
17:10 < reiffert> all right. I still advise you to bridge tap0 and eth0 on the CLIENT as well to br0
17:11 < Roman123> in tun mode as well as in tap mode
17:11 < Roman123> I'll try whether really everything works.
17:11 < Roman123> Then I'll put a howto on openwrt
17:11 < Roman123> perhaps the whole setup is useful for someone else.
17:12 < reiffert> !howto
17:12 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:12 < reiffert> it's all in there.
17:12 < reiffert> Roman123: however, I strongly suggest that you create a br0 bridge on the client
17:12 < Roman123> reiffert: but nothing openwrt related
17:12 < reiffert> Roman123: and assign the dynamic IP to that br0 in a --up script
17:14 < reiffert> Roman123: if I'm right, the openvpn client now has two IPs, right?
17:14 < reiffert> Roman123: one for eth0 and one for tap0?
17:14 < Roman123> well, I use "openvpn --mktun --dev tap0", "brctl addif br-lan tap0", and "ifconfig tap0 0.0.0.0 promisc up" to initialize the interface tap0 and assign it to br-lan on both sides.
17:14 < Roman123> reiffert: yes
17:14 < Roman123> you're right
17:14 < reiffert> Roman123: but why use two IPs when one is enough?
17:14 < Roman123> one is the default gw for the lan
17:14 < Roman123> reiffert: I did not do anything ;)
17:15 < Roman123> The ip is assigned by the server
17:15 < Roman123> when the client connects, the server provides the address "192.168.1.200" (taken from option server_bridge).
17:16 < reiffert> what's the IP of eth0?
17:16 < Roman123> As far as I understand
17:16 < reiffert> (on client side)
17:16 < Roman123> client side (lan): br-lan = 192.168.51.2
17:17 < Roman123> server side (lan): br-lan = 192.168.51.1
17:17 < Roman123> bridge name bridge id STP enabled interfaces
17:17 < Roman123> br-lan 8000.0022153271c5 no eth0.0
17:17 < Roman123> tap0
17:17 < reiffert> and why are you using the .1.200 stuff then?
17:17 < Roman123> ^^^ my brctl show
17:18 < Roman123> reiffert: probably because I do not really know what I'm doing. I have just taken it from the howtos, e.g.
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
17:18 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
17:19 < reiffert> Roman123: ok, look:
17:19 < reiffert> server_bridge "192.168.51.1 255.255.255.0 192.168.51.2 192.168.51.3"
17:19 < reiffert> on the client do:
17:19 < reiffert> create a file named /usr/local/sbin/openvpn_client_up.sh
17:19 < reiffert> #!/bin/bash
17:20 < reiffert> device=$1
17:20 < reiffert> mtu=$2
17:20 < reiffert> mru=$3
17:20 < reiffert> ip=$4
17:20 < reiffert> mask=$5
17:20 < reiffert> cmd=$6
17:20 < reiffert> ifconfig $device 0.0.0.0 promisc up
17:20 < reiffert> brctl addif br0 $device
17:20 < reiffert> ifconfig br0 $ip netmask $mask up
17:20 < reiffert> in openvpn client conf add:
17:21 < reiffert> up /usr/local/sbin/openvpn_client_up.sh
17:21 < reiffert> ifconfig-noexec
17:21 < reiffert> what it does is:
17:21 < reiffert> when openvpn client is NOT connected:
17:21 < reiffert> you have a bridge br0 with IP 192.168.51.2
17:21 < reiffert> bound to the bridge: eth0
17:21 < reiffert> when openvpn connects:
17:21 < reiffert> it adds tap0 with 0.0.0.0 promisc up to that bridge
17:22 < reiffert> done.
17:22 < reiffert> going to bed, have fun.
17:22 < Roman123> reiffert: thanks
17:22 < Roman123> good night
17:22 < reiffert> so your client always has 192.168.51.2
17:23 < reiffert> when the client is connected and when it's not.
17:23 < Roman123> I'm also on the way to bed.
17:24 < reiffert> as far as I remember openwrt's openvpn lacks some features when not using squashfs ...
17:24 < reiffert> related to storing keys in nvram
17:24 < reiffert> however, night
17:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:50 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn
17:50 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has left ##openvpn []
19:01 < lkthomas> dazo, you there ?
19:16 < ecrist> reiffert: yes, got Modern Warfare and World at War
19:26 < d0wn> Is anyone familiar with using redirect-gateway in an OpenVPN configuration?
19:27 < ecrist> yup
19:28 < d0wn> how is it supposed to be done? is redirect-gateway supposed to be put into the client configuration, or into the server?
19:29 < ecrist> client config
19:29 < ecrist> it should be:
19:29 < ecrist> redirect-gateway def 1
19:29 < ecrist> iirc
19:29 < ecrist> s/def 1/def1/
19:29 < d0wn> what does def 1 mean, though?
19:29 < d0wn> Hmm
19:30 < ecrist> !man
19:30 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:30 < ecrist> go there, search the page for redirect-gateway
19:30 < ecrist> should find two matches. read through the first.
19:30 < ecrist> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
19:35 < d0wn> Ah, thank you ecrist. now, I read on the howto that I may have to do some work with the dns queries on the server. do I need to run a DNS server on my OpenVPN server?
19:35 < ecrist> no, but you need to make one available to your clients somehow.
19:36 < d0wn> I was thinking about using the OpenDNS servers
19:36 < ecrist> often, that's accomplished by running a server on the vpn server, or somewhere nearby.
19:36 < ecrist> but, I'm off to play more CoD
19:36 < ecrist> l8r
19:37 < d0wn> thanks for your help.
you were the first to help me out with this
20:07 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn
20:09 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
20:24 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:43 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has joined ##openvpn
20:44 < KWhat4> What happens if both lans have the same ip range?
20:44 * KWhat4 waits
20:45 < hads> Things don't work
20:45 < KWhat4> hads is there a resolution to that issue besides fixing one of the networks
20:46 < hads> http://openvpn.net/index.php/documentation/howto.html#numbering
20:46 < vpnHelper> Title: HOWTO (at openvpn.net)
20:54 -!- lkthomas_ [n=lkthomas@218.189.198.146] has joined ##openvpn
20:55 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:55 < Dougy> hey ya'll
20:55 < Dougy> ecrist: ding
21:09 -!- lkthomas [n=lkthomas@218.189.198.146] has quit [Read error: 110 (Connection timed out)]
21:19 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:22 < ftp3> i want to set up a vpn between my home network and my work computer and my roving laptops. I wanted to install openvpn in our datacenter, and then have everything connect to it and share.. is this possible? (seems like what Hamachi does)...
21:42 -!- lkthomas_ [n=lkthomas@218.189.198.146] has quit [Read error: 104 (Connection reset by peer)]
21:51 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:51 < onats> hello
21:51 < onats> offtopic question, but what's the best text/background color combination which gives the least strain to the eyes? black on white? or green on black?
21:54 -!- Dougy changed the topic of ##openvpn to: Check your firewall first. ||| We need !configs and !logs ||| HowTo: http://openvpn.net/howto Manual: http://openvpn.net/man ||| LANs behind OpenVPN? See !route ||| Don't ask to ask, just ask; then wait.
21:55 -!- ChanServ changed the topic of ##openvpn to: Check your firewall first. || We need !configs and !logs || HowTo: http://openvpn.net/howto Manual: http://openvpn.net/man || LANs behind OpenVPN? See !route || Don't ask to ask, just ask; then wait.
21:55 -!- mode/##openvpn [+t-o Dougy] by ChanServ
21:55 < Dougy> pffsh
21:55 < Dougy> t
21:57 < tjz|lunch> hey dougy!!!
21:58 < tjz|lunch> so long never see you
21:58 < ftp3> any thoughts on my question?
21:59 < Dougy> yo yo
21:59 < Dougy> sup
22:00 < Dougy> tjz|lunch: whats going on
22:03 < Dougy> bed
22:03 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:03 -!- toodles53 [n=citrusfr@pcp045821pcs.pcv.reshall.calpoly.edu] has joined ##openvpn
22:05 < toodles53> Hello, i Have a question i am hoping someone can help me with. When the vpn server shuts down or otherwise loses connectivity, the vpn clients dont "notice" for quite some time
22:05 < toodles53> on the clients, the connection appears to be just fine and doesnt actually sever for a few minutes
22:05 < toodles53> how can i hasten this?
22:13 < toodles53> should i increase the ping frequency or something
22:16 -!- digerati1337 [n=noone@zms-laptop.rit.edu] has joined ##openvpn
22:17 < digerati1337> !configs
22:17 < vpnHelper> digerati1337: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:18 -!- toodles53 [n=citrusfr@pcp045821pcs.pcv.reshall.calpoly.edu] has quit [Read error: 104 (Connection reset by peer)]
22:32 < digerati1337> does anything special have to be done on a windows client to have it pull dhcp address through the vpn?
22:35 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
22:46 -!- digerati1337 [n=noone@zms-laptop.rit.edu] has quit []
22:57 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
22:57 < lavren> hello
22:57 < lavren> When I go to do "openvpn openvpn.conf" it immediately returns, and I don't see a tun device in ifconfig. Should I be manually setting up this tun device?
23:01 < hads> Anyone heard of DNS traffic getting through/back from client to a server behind the OpenVPN host but no other traffic?
23:45 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
23:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
--- Day changed Wed Feb 25 2009
00:11 < hads> Here's a paste of DNS getting through but not ping; http://paste.pocoo.org/show/105282/ where 10.88 is OpenVPN client and 192.168 is the LAN behind the OpenVPN server.
00:11 < hads> That 192.168.1.3 box behind the OpenVPN server can also ping the 10.88 OpenVPN client.
00:12 < hads> The OpenVPN server can ping the LAN and VPN clients.
00:13 < hads> and dumping packets on the OpenVPN server's eth0 interface shows the packets coming in from the client but nothing responding from the LAN (except DNS).
00:13 < hads> Hmm perhaps the DNS is coming from the default gateway.
00:15 < hads> Nope, it's not.
00:18 < hads> Confusing.
00:43 -!- roentgen [n=HaRT@79.117.16.67] has joined ##openvpn
00:56 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has quit ["Leaving."]
01:22 -!- lkthomas [n=lkthomas@218.189.198.146] has joined ##openvpn
01:22 < lkthomas> hey guys
01:22 < lkthomas> dazo, you there ?
01:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:04 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
02:12 < krzee> whats up
02:12 < krzee> hads,
02:13 < krzee> [21:07] Anyone heard of DNS traffic getting through/back from client to a server behind the OpenVPN host but no other traffic?
02:13 < krzee> if you remove "behind the openvpn host", yes
02:13 < krzee> hotels, airports, coffee shops
02:13 < hads> heh
02:13 < krzee> without removing that, no
02:13 < hads> Na, this is from my home network
02:13 < krzee> sounds like a firewall issue
02:14 * krzee points to 1st part of topic
02:14 < krzee> lkthomas,
02:14 < krzee> lkthomas, !ask
02:14 < hads> It does, doesn't it. iptables is all accept though
02:14 < krzee> !ask
02:14 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
02:14 < krzee> hads,
02:14 < krzee> !config
02:14 < vpnHelper> krzee: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
02:14 < krzee> !configs
02:14 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:14 < krzee> ignore the first one
02:17 < hads> krzee: http://paste.pocoo.org/show/105288/
02:17 < hads> Let me know if you want any other info, I'm a little stuck currently.
02:18 < hads> So any ideas would be fantastic :)
02:18 < krzee> cool
02:19 < krzee> im kinda drunk. on vacation in peru and had 5 pisco sours
02:19 < krzee> but i will look =]
02:20 < hads> heh, don't waste time playing with configs then, head to the bar :)
02:20 < krzee> nah im back from there
02:23 < krzee> ill be slow tho, talkin to a brazilian model i found while i been out here
02:24 < krzee> which takes precedence as im sure you understand
02:24 < hads> Nice :)
02:26 < krzee> 192.168.1.x is a network behind the server?
02:26 < hads> Yeah
02:26 < hads> I'm waiting on them to change that
02:26 < krzee> cool
02:26 < krzee> interesting that dns works
02:27 < krzee> !pushdns
02:27 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
02:27 < hads> It's in there
02:28 < lkthomas> couple of question, 1. if I use openvpn --remote to connect between two side of network, how does it sure that another side of network isn't come from hacker ?
02:29 < hads> Though it doesn't make a difference whether it is or not, I'm testing everything by IP at this stage.
02:29 < krzee> did you see #2?
02:29 < lkthomas> 2. how should I suppose to put command line option into config file ?
02:30 < krzee> lkthomas, i do not understand #1
02:30 < krzee> and #2 depends on when
02:31 < hads> krzee: Yeah, read through it, resolv.conf is updated, but like I said I'm doing things by IP currently anyway
02:31 < krzee> ok
02:31 < krzee> so you connect, and cant ping the server from the client, or client from server?
02:31 < krzee> what ips are you trying?
02:32 < hads> I connect, I can ping the server and the remote default gateway from the client. I can ping the client from anywhere on the remote LAN.
02:32 < hads> But I can't ping anything else on the remote LAN from the client.
02:32 < krzee> what LAN ip is the client on?
02:33 < hads> 10.77.0.0/24
02:33 < hads> I can trace on the eth0 of the server and see http://paste.pocoo.org/show/105282/
02:33 < hads> Which is really weird to me.
02:33 < krzee> ohhh
02:33 < krzee> check this out
02:34 < krzee> the server is not on the router for 192.168.1.x, right?
02:34 < hads> Correct
02:34 < krzee> what lan ip is the server on?
02:34 < hads> 192.168.1.7
02:35 < krzee> lan router needs to know that for 10.77.0.0/24 it must route traffic to 192.168.1.7
02:35 < hads> Static route on the default gateway (192.168.1.1) goes to 192.168.1.7 for 10.88.0.0/24
02:35 < hads> 10.77 as well? That's my LAN here.
02:35 < lkthomas> openvpn --remote domain.com --dev tun1 --ifconfig...
02:36 < lkthomas> I could connect two side of network by using this simple command
02:36 < lkthomas> right ? krzee
02:37 < krzee> hads, i never saw .77
02:37 < krzee> lkthomas, see the manual, it has simple examples towards the bottom
02:37 < krzee> !man
02:37 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:38 < hads> Arg sorry, I possibly misunderstood your last question. Let me restate the facts.
02:38 < krzee> plus im drunk
02:38 < hads> Remote LAN is 192.168.1.0/24, default router is .1 OpenVPN server is .7; OpenVPN subnet is 10.88.0.0/24, client connects and receives .6
02:39 < hads> Static route on the default gateway (192.168.1.1) goes to 192.168.1.7 for 10.88.0.0/24
02:40 < hads> I've set this up a few times before without trouble. I was ready to blame the remote default gateway for being a crappy router but this DNS thing getting through is weird.
02:40 < hads> That and the remote LAN can ping connected OpenVPN clients.
02:41 < krzee> why do you believe dns is going over the vpn?
02:41 < lkthomas> krzee, can you give me some hints instead of asking me read the whole library ?
02:41 < hads> Because I can see the packets when dumping with tshark on the remote VPN host.
02:41 < krzee> lkthomas, no, read the examples
02:42 < krzee> you see them one way in what you pasted
02:42 < lkthomas> openvpn.net is dead ?
02:42 < krzee> the machine gets the pings
02:42 < hads> krzee: The DNS is responding, the ping isn't
02:42 < krzee> but tries to respond to the packets at the 10.88. address
02:42 < krzee> but had no route
02:42 < krzee> so dropped them
02:43 < krzee> forget the dns unless you are willing to accept firewall issue
02:43 < hads> In that trace the DNS requests got a response all the way back to the client.
02:43 < hads> On the remote LAN I can ping OpenVPN clients successfully, let me get a trace.
02:45 < hads> http://paste.pocoo.org/show/105289/
02:45 < krzee> then you have firewall problems
02:46 < hads> http://paste.pocoo.org/show/105290/
02:46 < krzee> could be on the client...
02:47 < krzee> lkthomas, ya... sucks for you, try man openvpn
02:47 < krzee> yanno, like normal man pages ;]
02:48 < lkthomas> I think use --secret key will be better for point to point connection
02:48 < hads> Both are default accept with no rules, no firewall.
02:48 < krzee> ip forwarding on on the server?
02:48 < hads> Yup
02:49 < krzee> then you are pointing towards a firewall issue i think
02:49 < krzee> but im too drunk for it
02:49 < krzee> sorry
02:49 < krzee> im gunna go now, gnite
02:49 < hads> No worries at all, thanks for trying
02:49 < krzee> np
02:49 < hads> Have a good vacation :)
02:49 < krzee> thanx, its been awesome =]
02:50 < hads> I wish there was a router there I could hack into rather than a Netgear POS
02:52 < lkthomas> hmm
02:52 < lkthomas> tun interface does not have to be on same subnet on both side, right ?
02:53 < krzee> cant be
02:53 < krzee> well
02:53 < c64zottel> hello
02:53 < krzee> tun if sets itself
02:53 < krzee> from within openvpn
02:53 < krzee> so dont worry bout that
02:53 < krzee> !/30
02:53 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
02:54 < c64zottel> i am at the end of my study and i have to do a work about 5 month, and i thought it might be a nice idea to write a OpenVPN - Management System
02:55 < lkthomas> krzee, are you talking to me ?
02:55 < c64zottel> and now i am thinking about the features and like to ask, if someone has some ideas
02:55 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
02:57 < krzee> c64zottel, learn it, use it, write it, ask for ideas... if you're already on last step then wait
02:57 < krzee> cause im gunna passout
02:57 < c64zottel> i have something like: monitoring: debugging errors, find bottle necks, key/user-management: key creation/delivering,
02:58 < krzee> lkthomas, yes
02:58 < krzee> nite all
02:58 < c64zottel> krzee: what do you mean?
02:59 < c64zottel> i have to present a small paper tomorrow, i can't wait that long
02:59 < hads> Maybe you left it a little late to decide :)
03:00 < krzee> hads is right, goodnight
03:02 < lkthomas> tun if set itself ?
03:02 < lkthomas> .....
03:02 < lkthomas> anyone else could give me some hints on my question ?
03:08 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
04:14 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has quit [Read error: 110 (Connection timed out)]
04:21 < dazo> lkthomas: In the beginning you do not need to worry about which IP's the tun interface has or not ... the only time you need to think about that is when you're debugging the routing ... openvpn takes care of setting up IP addresses of the tun interface .... check out the man pages for openvpn and look for Example 1 in the end of the man page, here there are some examples which should get you started
04:22 < dazo> lkthomas: regarding putting command line options into a config file .... take all the options into a file, with one option and its related argument on each line ... and remove all leading -- ... that's all
04:24 < dazo> lkthomas: when you get example 1 and 2 working (and possibly 3) ... you can begin to look at --route option ... this will then begin to allow you to route traffic from one side of the network to the other network via your VPN
04:26 < dazo> (btw. www.openvpn.net seems to be down ... might want to google for info and maybe use google cache to catch info only available there)
04:38 < lkthomas> yes
04:38 < lkthomas> thanks for your explanation
04:48 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:53 -!- kyrix [n=ashley@91-115-30-176.adsl.highway.telekom.at] has joined ##openvpn
04:55 -!- plaerzen [n=carpe@174.0.97.175] has quit [Read error: 110 (Connection timed out)]
05:20 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has joined ##openvpn
05:21 < A[D]minS^Work> !route
05:21 < vpnHelper> A[D]minS^Work: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:24 < A[D]minS^Work> openvpn.net down?
05:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 54 (Connection reset by peer)]
05:44 < c64zottel> dazo, could you explain me what krzee told me at 10:03:59? does this mean he already working on something?
05:51 < lkthomas> this is funny
05:51 < lkthomas> eth0 = 172.18.2.56
05:51 < lkthomas> tun1 = 172.18.2.57
05:51 < lkthomas> p2p = 10.99.99.1
05:52 < lkthomas> traceroute from 172.18.2.x network to 10.99.99.1, holding @ 172.18.2.56
05:52 < lkthomas> anyone have idea why ?
05:52 < c64zottel> lkthomas: routing problem?
05:53 < c64zottel> i found tshark very useful for such stuff
05:54 < lkthomas> I did use route 10.99.99.0 255.255.255.0 172.18.2.56
05:54 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
05:56 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn
05:56 < lkthomas> nevermind
05:57 < lkthomas> found the problem now, thanks
05:59 < nachox> guys, i have a network where my openvpn server is behind a firewall that is nating vpn connections to it while also having a dhcp server, i need my openvpn connected computers to get ip addresses from that dhcp server and be able to ping other computers in the same lan the openvpn server is in, is that even possible?
06:04 < tjz|lunch> openvpn.net seem to be down
06:04 < tjz|lunch> any other mirror?
06:10 < dazo> c64zottel: I think he might think about ssl-admin ... http://www.secure-computing.net/wiki/index.php/Ssl-admin ... maybe something else
06:10 < vpnHelper> Title: Ssl-admin - Secure Computing Wiki (at www.secure-computing.net)
06:11 < dazo> c64zottel: I also have been working on some management for OpenVPN, adding user/password auth in addition ... http://www.eurephia.net/
06:11 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
06:12 < dazo> lkthomas: if you have these IP addr conflicts ... you have clearly done something wrong
06:12 < lkthomas> well, I am working on vmware virtual switch now
06:13 < dazo> lkthomas: tun devices should not have an IP address which is in the same network segment as the other interfaces
06:13 < lkthomas> I think I got it working
06:13 < lkthomas> I could ping to 10.99.99.1 on 172 subnet
06:14 < dazo> lkthomas: well ... I'm not too optimistic ... but I've never played with networking in vmware
06:15 < lkthomas> it sucks
06:15 < lkthomas> we are using esxi to do testing
06:15 < lkthomas> but that virtual switch sucks
06:15 < lkthomas> you will need to have a physical switch to deal with vlan
06:16 * dazo have also never played with VLAN in real life even ... so he have no clues
06:16 < c64zottel> dazo: thank you
06:16 < lkthomas> heh
06:16 < c64zottel> what happened with your project? still working on it?
06:16 < dazo> c64zottel: yeah, I am ... just had too much work to manage it in my spare time
06:17 < dazo> c64zottel: And I've also had 3 weeks holiday too in between
06:18 < c64zottel> dazo i believe that, that would be my advantage, i get paid for it, and it would be released as OS
06:18 < lkthomas> dazo, does openvpn default using udp ?
06:18 < dazo> lkthomas: yes
06:18 < c64zottel> i just have to convince the big boss here...
06:18 < dazo> c64zottel: released as OS? .... as in Operating System?
06:18 < lkthomas> I think include secret option will avoid hacker to connect
06:18 < c64zottel> dazo, open source
06:18 < c64zottel> gpl
06:18 < dazo> c64zottel: ahh ... sorry ....
06:19 * dazo is still in holiday mode :-P
06:19 < c64zottel> dazo: maybe i could fiddle an Operating System with it
06:19 < dazo> c64zottel: heh
06:19 < c64zottel> like virtual private operating system
06:20 < dazo> c64zottel: if eurephia matches your goal ... then you are very much welcomed to help out
06:20 < c64zottel> dazo: that could be a small problem, its for my university
06:20 < dazo> c64zottel: why's that?
06:21 < c64zottel> dazo: i am near the end of my study, so, its my final work
06:21 < lkthomas> virtual private super private privatized private privately private OS ?
06:22 < lkthomas> can we wrap AES-2048 bit ten times on this connection ? :)
06:22 < c64zottel> dazo: if i would continue your project, the professor can not see, which part is from me, which not
06:23 < c64zottel> dazo: but probably i will steal some ideas of you, may you have some screen shots?
06:23 < dazo> c64zottel: aha ... I see :) Well, there are parts which has not been started on in this project .... I'm thinking about a web-gui for admin, written in C, probably using libmicrohttpd ....
06:23 < dazo> c64zottel: right now, it's all command line
06:24 < c64zottel> dazo: ah, ok, i already have a gui in mind, but written with ruby on rails + spring
06:24 < dazo> c64zottel: the main focus so far has been to get the authentication and IP blocking working properly ... I began on the cli admin at the end of last year
06:26 < dazo> c64zottel: the reason I want to have it in C with libmicrohttpd is to make it possible to fire up the admin interface on whatever device without requiring a web-server with php/python/ruby/whatever ... maybe even embeddable devices like WRT54GL and that kind of things
06:27 < c64zottel> dazo: good point
06:27 < dazo> c64zottel: I'm also thinking about to make the authentication happening against a separate process (not in the openvpn plug-in) so that can be chrooted as locked down as well ... and the communication between the plug-in and the auth-process would go over TCP/IP or Unix socket
06:27 < dazo> c64zottel: which then also gives another flexibility ... the core authentication can happen on a separate box from the openvpn server itself
06:28 < A[D]minS^Work> is there any GUI to configure OpenVPN?
06:29 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has left ##openvpn ["Leaving"]
06:29 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has joined ##openvpn
06:29 < c64zottel> but how does that sound: there is a big server with all the configs and a fat web-gui, if you change something, the config is delivered to the appropriate device, like a WRT54GL
06:30 < lkthomas> hmm
06:30 < lkthomas> guys
06:30 < lkthomas> something more interesting
06:30 < dazo> A[D]minS^Work: not afaik ... might find something in Webmin or IPCop or things like that ... but nothing really well known "side-product" ... but I believe OpenVPN team will come with something commercial soon
06:30 < lkthomas> my openvpn server running tun1 = 10.99.99.1
06:31 < lkthomas> eth0 = public IP address
06:31 < lkthomas> I got a windows which is connecting to same switch as openvpn server
06:31 < c64zottel> A[D]minS^Work: i guess zero shell has something
06:31 < lkthomas> it can't ping 10.99.99.1
06:31 < lkthomas> but when I do arp -a
06:31 < lkthomas> it shows the MAC address which is same as eth0
06:31 < lkthomas> should I create eth1 with another MAC address ?
06:32 < dazo> c64zottel: well, that's more distributed config management ... it's plenty of such tools .... like ZENWorks, Red Hat Network ...
06:32 < A[D]minS^Work> ok dazo thx
06:33 < lkthomas> dazo, any idea ?
06:33 < dazo> lkthomas: quite honestly ... nope ... because I'm pretty sure you've done something incredibly wrong in the openvpn config ...
06:33 < lkthomas> how so ?
06:34 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
06:34 < dazo> lkthomas: from what you said earlier ... that tun0 had an IP address of your local network
06:35 < lkthomas> local network means ?
06:35 < dazo> lkthomas: 172.16.whatever you had
06:35 < lkthomas> so no ip address suppose to assign to tun ?
06:35 < c64zottel> dazo: probably that is the right headline, but zenworks, red hat network has nothing to do with openVPN
06:36 < lkthomas> how does the routing goes then ?!
06:36 < dazo> c64zottel: nope, but they do config distribution
06:36 < dazo> lkthomas: have you read the docs? ... --route
06:37 < lkthomas> so tun should contain no subnet which is own by two network ?
06:38 < lkthomas> something like 10.90.1.1 and 10.90.1.2 ?
06:38 < dazo> lkthomas: yes
06:38 < dazo> lkthomas: you obviously have not read Example 1 carefully enough in the docs
06:40 < lkthomas> openvpn is down
06:40 < lkthomas> web site I mean
06:41 < dazo> lkthomas: have you heard about Google? .... and Google caching?
06:42 < lkthomas> try that yourself, cache is not work either
06:42 < dazo> lkthomas: hint: google for "man openvpn"
06:44 < lkthomas> hmm
06:44 < lkthomas> I still got one more question to go
06:44 < dazo> lkthomas: http://www.linuxjournal.com/article/7949 <<--- might help you further
06:44 < vpnHelper> Title: Meet OpenVPN (at www.linuxjournal.com)
06:44 < lkthomas> what is other clients default gateway on 10.99.99.x if tun does not use any 99.x subnet IP ?
06:45 < dazo> lkthomas: http://74.125.77.132/search?q=cache:t8n4XSY_Td0J:openvpn.net/index.php/documentation/manuals/openvpn-21.html+man+openvpn&hl=en&gl=cz&strip=1
06:45 < vpnHelper> Title: OpenVPN 2.1 (at 74.125.77.132)
06:45 < dazo> lkthomas: you should not alter the default gateway of any of these boxes in this phase
06:47 < dazo> lkthomas: http://web.archive.org/web/20080208172912/http://openvpn.net/man.html
06:47 -!- nachox [n=imarambi@200.68.83.121] has quit ["Saliendo"]
06:48 < dazo> lkthomas: http://web.archive.org/web/20080202063403/openvpn.net/man-beta.html (if you're using OpenVPN 2.1 series)
06:49 < lkthomas> so you are telling me that I suppose to use NAT and create 10.99.99.1 gw on openvpn box as default gateway which have nothing related with vpn at all ?
06:50 < dazo> lkthomas: no, you do not need NAT
06:50 < dazo> lkthomas: you need --route
06:51 < lkthomas> I think you are misunderstanding about what I am trying to do
06:51 < lkthomas> I got a broadband, a switch and a openvpn box
06:51 < lkthomas> broadband only got one ip
06:51 < dazo> lkthomas: --route will only add additional routing which then will route the given networks via the openvpn tunnel
06:51 < lkthomas> I know
06:51 < lkthomas> nothing related with route
06:52 < lkthomas> if tun isn't act as default gateway
06:52 < lkthomas> it should be something else which act as gateway then ?
06:52 < dazo> lkthomas: the default route should not be altered
06:52 < lkthomas> IT DOES NOT HAVE ANY DEFAULT ROUTE, ddamn
06:52 < lkthomas> don't you get it ?
06:53 < lkthomas> it does not have default gateway exists in that network
06:53 < dazo> lkthomas: is your box online at all? ... because if you are ... it has to have a default route
06:53 < lkthomas> broadband default route, yes
06:53 < lkthomas> but that does not work without NAT if I got client machine behind
06:53 < dazo> lkthomas: exactly! and that route shall not be changed in anyway
06:54 < lkthomas> my question is that how does my clients which behind openvpn could access to internet and the subnet which I have tunneled
06:54 < dazo> lkthomas: NATing is needed only to give the network on the inside of this box internet access
06:54 < lkthomas> there is nothing left
06:55 < dazo> lkthomas: then you need to look more carefully at --redirect-gateway
06:55 < lkthomas> one windows xp box, and openvpn box
06:55 < lkthomas> windows xp is using private IP
06:56 < dazo> lkthomas: how does that box then get on the internet?
06:56 < lkthomas> openvpn box is connected to physical switch, the switch is connecting to broadband
06:56 < lkthomas> it can't dude
06:56 < dazo> lkthomas: so you are setting up a internal openvpn infrastructure so that this box can get Internet via the VPN?
06:57 < lkthomas> yes, and when it is access tunneled subnet, use tun
06:57 < dazo> lkthomas: then you need to look up --redirect-gateway in the docs
06:58 < lkthomas> OH god
06:58 < lkthomas> I don't want to tunnel all traffic to VPN
06:59 < lkthomas> I think
06:59 < dazo> lkthomas: in that case ... you need --route on the client (or --push "route ...." on the server)
06:59 < lkthomas> on openvpn box, first of all I should doing NAT
06:59 < lkthomas> then, turn on vpn tunnel
06:59 * dazo gives up
06:59 < lkthomas> and use route to add it to routing table
06:59 < lkthomas> here is the normal situation
07:00 < lkthomas> Subnet A --- tunnel ip A ==== tunnel ip B --- Subnet B
07:00 < lkthomas> where, tunnel IP is not belongs to any subnet at all
07:00 < lkthomas> but the current situation is :
07:01 < lkthomas> nothing ??? --- Tunnel IP A ==== tunnel IP B --- subnet b
07:01 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has joined ##openvpn
07:01 < lkthomas> there is no subnet on A side man
07:01 < imachine> !configs
07:01 < vpnHelper> imachine: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:01 < lkthomas> dazo, are you with me now ?
07:01 < imachine> would I find answers on the howtos and wikis how I could assign static ips to my tunX clients?
07:02 < imachine> right now, they get random ips.
07:02 < ecrist> meh
07:02 < dazo> lkthomas: in what I can understand from you now .... You just need --route on the client side
07:02 < imachine> I've looked a bit, but not really hard.
07:02 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has left ##openvpn ["Leaving"]
07:02 < dazo> lkthomas: you do not need to NAT anything
07:03 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
07:03 < Tophat> any idea when the website will be back up ?
07:03 < lkthomas> god
07:03 < tjz|lunch> :(
07:03 < tjz|lunch> why the long downtime
07:03 < dazo> lkthomas: but if your openvpn server is not acting as the default gateway in the server side of the physical network ... your default gateway needs to know where to route your WinXP box networks network via your openvpn server
07:03 < lkthomas> so what should I assign for my windows xp box ?
07:04 < lkthomas> YES
07:04 < lkthomas> that's what I said
07:04 < lkthomas> I need NAT
07:04 * dazo is talking to a f**king wall!
07:04 < dazo> lkthomas: please stay off me ... I have work to do now
07:05 < Tophat> whats the latest and greatest newest version number?
07:05 < ecrist> Tophat: which site?
07:05 < ecrist> openvpn?
07:05 < Tophat> ecrist - openvpn.net
07:05 < ecrist> no idea. sorry
07:05 < ecrist> latest version (release) is 2.0.9
07:05 < ecrist> latest latest RC is 2.1_rc15
07:05 < lkthomas> okok dazo , thanks to helping me tho
07:06 < ecrist> 2.1 is very stable at this point, I've been running it as a client for some time now.
07:06 < imachine> I have another issue as well, my clients seem to not reconnect properly. they just drop and never connect again.. it's rubbish. I've removed the persist-* lines from configs, but it still has issues.
07:06 < ecrist> it would appear beta.openvpn.net is still online, www.openvpn.net is offline.
07:07 < imachine> any ideas how that might be sorted out ?
07:07 < dazo> Tophat: I've been running 2.1_rc15 since it was released ... it's rock solid for me
07:07 < ecrist> Tophat: look to beta.openvpn.net for the website
07:07 < ecrist> it's online and should have everything you're looking for.
07:09 < imachine> another question might be, what's the least memory consuming and cpu consuming way to connect over openvpn, currently I employed certificates, but the devices I use as clients are pretty weak machines, mips based 200MHz routers with 8MB of ram.
07:09 < imachine> (or 16)
07:10 < ecrist> I would still recommend certificates.
07:10 < imachine> would using static keys help on memory consumption? I've dropped comp-lzo as well, for the purpose of cpu consumption.
07:10 < lkthomas> dazo, actually, from what I could see, you usually got another NAT router to take care NAT network, and openvpn server just for tunnel, am I correct ?
07:10 < imachine> okay.
07:10 < imachine> ecrist, does comp-lzo make a huge cpu boost, in my conditions?
07:10 < imachine> or is it worth keeping?
07:10 < ecrist> it depends on what you're transmitting over the vpn
07:11 < imachine> realtime > throughput
07:11 < imachine> well, ~1-2Mbps tops.
07:11 < ecrist> if you're transmitting media, it doesn't make sense, as it's usually compressed already
07:11 < imachine> it's database access to a firebird server.
07:11 < imachine> so sql queries and pictures over the sql queries.
07:11 < ecrist> if you're transmitting text, it'll save bandwidth, but eat cpu cycles
07:12 < imachine> okay, I'll drop it ;]
07:12 < lkthomas> brb, thanks
07:15 < imachine> ecrist, where could I read about assigning static ips to tun-based vpn clients?
07:15 < imachine> the webpage is down, but I could take it off of google's "save the internet to a harddisk" service thing.
07:15 < imachine> "local copy" they call it ;]
07:17 < ecrist> looking, imachine
07:18 < ecrist> http://beta.openvpn.net/index.php/open-source/documentation/howto.html#policy
07:18 < vpnHelper> Title: HOWTO (at beta.openvpn.net)
07:18 < imachine> cheers
07:22 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
07:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
07:52 < imachine> ecrist, damn
07:52 < imachine> I get now proper addressing, but I can't do client-to-client
07:52 < imachine> furthermore, I can't access the clients from my server either :)
07:53 < dazo> imachine: have a look at:
07:53 < dazo> !route
07:53 < imachine> (even the ones I know that are working)
07:53 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:53 < imachine> dazo, I've only added the ccd client config.
07:53 < imachine> dazo, would pushing client ips require adding routes?
07:54 < dazo> imachine: might be needed ... but you might need to use --iroute in some cases
07:54 < imachine> they're all in the same subnet tho
07:55 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
07:55 < imachine> if I don't use ccd, I can access the clients no probs.
07:57 < imachine> I've added iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.0.0/24 -j ACCEPT this line on the server
07:58 < imachine> (which looks silly btw, but my iptables knowledge is weak)
07:58 < imachine> it makes no difference nonetheless
07:58 < imachine> I still can't ping the machines...
07:59 < imachine> 10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
08:00 < imachine> this is how route looks like on a client machine.
08:00 < imachine> looks good to me...
08:02 < dazo> imachine: it sure seems to look fine enough ... I'm sorry I don't have too much time now helping you out further ... I'll try to come back later
08:02 < imachine> dazo, much appreciated.
08:03 < imachine> dazo, I've turned off ccd/ which pushed ips to clients, and I can ping them again and client-to-client works as expected :)
08:03 < imachine> so I'm guessing with pushing ips to clients I need to add something to it ;]
08:03 < dazo> imachine: very strange that ccd should make that happen
08:04 -!- sirlog [n=malutzke@f053021112.adsl.alicedsl.de] has joined ##openvpn
08:05 < imachine> ifconfig-push 10.8.0.5 10.8.0.6
08:05 < imachine> this is what I have in ccd/client-file
08:05 < imachine> (on the client side, the addresses work fine, and I can access the vpn server. just not other clients)
08:05 < dazo> imachine: just a brief thought .... could it be that client-to-client does not work in tun mode? that you need tap mode? ... or topology subnet?
08:12 < ecrist> no
08:13 < ecrist> client-to-client works in tun mode
08:14 < sirlog> Hi@all,
08:14 < sirlog> primarily I wanted to connect our PPC to the company. Because of the logs now I'm trying it with another PC. So I've got an Open VPN Server and a Client. I have forwarded TCP and UDP (Port 1194) to the OpenVPN server and added the iptable entries. I just generated a static key and have written a config. But when I try to connect to the server I get the following error message:
08:14 < sirlog> Wed Feb 25 15:12:06 2009 us=801837 Attempting to establish TCP connection with 78.53.21.112:1194
08:14 < sirlog> Wed Feb 25 15:12:08 2009 us=202351 TCP: connect to :1194 failed, will try again in 5 seconds
08:14 < sirlog> Can anybody help me please. This problem is going to make me crazy. Thanks a lot. If you need further configurations just tell me.
08:15 < ecrist> sirlog: it's a problem with your firewall. something's not forwarded, or is being blocked.
08:15 < ecrist> not an openvpn-specific problem.
08:16 < sirlog> hmm but it's the same when I try it with the internal IP address
08:16 < imachine> dazo, nope, works just right. both with ccd and without, I use tun mode.
08:16 < imachine> dazo, only with ccd, issues arise:)
08:17 < imachine> oh, and I use tcp mode, if that's any different.
08:17 < imachine> ;]
08:17 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has joined ##openvpn
08:18 < sirlog> yes I tried it again with the internal IP address and I get the same error message
08:18 -!- thefish [n=thefish@80-235-156-245.cable.ubr23.newt.blueyonder.co.uk] has joined ##openvpn
08:23 < sirlog> So I thought it is enough when I add:
08:23 < sirlog> iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
08:23 < sirlog> iptables -A OUTPUT -p tcp --dport 1194 -j ACCEPT
08:23 < sirlog> iptables -A INPUT -i tap+ -j ACCEPT
08:23 < sirlog> iptables -A FORWARD -i tap+ -j ACCEPT
08:23 < sirlog> Am I wrong?
08:25 -!- elshaa [n=elshaa@o.es6.aedgency.net] has joined ##openvpn
08:25 < elshaa> hi
08:26 < ecrist> sirlog: don't know. I don't know iptables, and don't run linux
08:26 < elshaa> I'm having a problem with openvpn2.1-0.29.rc15.el5.x86_64 configured with tap0. When starting openvpn
08:26 < elshaa> sorry
08:27 < elshaa> when starting openvpn, the tap0 interface is not created.
08:27 < elshaa> I do have an interface configuration for tap0, so it's not started at boot time
08:28 < elshaa> I have another server using the same type of configuration, and tap0 is created when openvpn starts...
08:28 < sirlog> Thanks ecrist. Does anyone else have an idea?
08:29 < c64zottel> how does cisco's vpn work? routing or bridging?
08:34 -!- kyrix [n=ashley@91-115-30-176.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
08:34 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Connection reset by peer]
08:34 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
08:35 -!- kyrix [n=ashley@93-82-10-71.adsl.highway.telekom.at] has joined ##openvpn
08:36 -!- brutuz [n=brutuz@ip67-88-58-242.z58-88-67.customer.algx.net] has joined ##openvpn
08:37 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
08:37 < brutuz> hi all i was wondering what happens when --keepalive 10 30 was set...
08:37 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has left ##openvpn ["Leaving"]
08:37 < brutuz> i was reading through it i got the first parameter.. "10"
08:38 < brutuz> it will send ping after 10 secs of no traffic..
08:38 < brutuz> but i got lost on "30" the 2nd parameter..
08:38 < brutuz> is this similar to dead timers?
08:45 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has quit [Read error: 60 (Operation timed out)]
08:54 -!- kyrix [n=ashley@93-82-10-71.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
08:55 -!- lkthomas_ [n=lkthomas@203.145.92.78] has joined ##openvpn
08:55 < lkthomas_> Hi all
08:56 < lkthomas_> Anyone still alive?
08:57 -!- lkthomas_ [n=lkthomas@203.145.92.78] has quit [Client Quit]
08:58 -!- lkthomas_ [n=lkthomas@203.145.92.78] has joined ##openvpn
08:59 -!- lkthomas_ [n=lkthomas@203.145.92.78] has quit [Client Quit]
09:00 -!- lkthomas_ [n=lkthomas@203.145.92.78] has joined ##openvpn
09:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:25 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection]
09:26 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
09:28 -!- lkthomas_ [n=lkthomas@203.145.92.78] has quit ["Rooms o iPhone IRC Client o http://rooms.derflash.de"]
09:28 -!- dmb [n=dmb@unaffiliated/dmb] has quit [Read error: 110 (Connection timed out)]
09:31 -!- dmb [n=dmb@unaffiliated/dmb] has joined ##openvpn
09:39 -!- sirlog [n=malutzke@f053021112.adsl.alicedsl.de] has quit [Remote closed the connection]
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:57 -!- Zeti [n=gs@e180019244.adsl.alicedsl.de] has joined ##openvpn
09:58 < Zeti> hi folks
09:58 < Zeti> running my openvpn is fine, but using /etc/init.d/openvpn start fails
09:58 < Zeti> my server.conf is in /etc/openvpn
09:58 < Zeti> does it need anything else?
10:00 < Zeti> !logs
10:00 < vpnHelper> Zeti: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
10:17 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."]
10:26 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:30 -!- thefish [n=thefish@unaffiliated/thefish] has quit [Read error: 104 (Connection reset by peer)]
11:13 -!- downhill_ [n=downhill@unaffiliated/err0r] has joined ##openvpn
11:18 -!- Zeti [n=gs@e180019244.adsl.alicedsl.de] has quit ["Leaving"]
11:48 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:49 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
11:54 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Remote closed the connection]
12:12 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Connection timed out]
12:12 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:15 -!- downhill_ [n=downhill@unaffiliated/err0r] has left ##openvpn ["Leaving."]
12:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:17 -!- downhill_ [n=downhill@unaffiliated/err0r] has joined ##openvpn
12:29 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
12:40 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has joined ##openvpn
12:40 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has quit [Remote closed the connection]
12:42 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has joined ##openvpn
12:51 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn
12:51 < sigmonsays> Hiyah
12:52 < sigmonsays> Anyone know how to run an iptables firewall script on post-connect for vpn clients?
12:54 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
12:55 < Tophat> If i use openvpn in a business do i only need to apply for commercial licensing if i make changes to the code and keep them to myself?
13:05 < ftp3> anyone have any ideas on my question yet?
13:25 < mkultras> sigmonsays: if you use kvpnc to connect it has a place to enter in commands to run after connect
13:25 < mkultras> you could put the iptables lines in there
13:25 -!- downhill_ [n=downhill@unaffiliated/err0r] has quit [Remote closed the connection]
13:26 < sigmonsays> mkultras, interesting.. i'll have to check that out
13:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:56 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has quit [Read error: 110 (Connection timed out)]
14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:56 < sigius> ftp3: repeating the question might help
15:19 -!- sentronbarby [n=vildent@chello080108035065.3.11.vie.surfer.at] has joined ##openvpn
15:21 < sentronbarby> hello
15:42 < sigius> ...
15:53 -!- Kamilion [n=chatzill@204-16-153-84-static.ipnetworksinc.net] has joined ##openvpn
15:55 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:55 < Roman123> hiho
15:56 < Kamilion> Howdy. I'm trying to get saved passwords to work on 2.1_rc15 with a windows build... After reading the HOWTO and the windows Build instructions, it tells me to edit makefile.32 to add my lzo and openssl paths... But I can't find makefile.32. Then I'm told to make a change in config-win32.h and define ENABLE_PASSWORD_SAVE, but grepping the file for PASSWORD turns up nothing.
15:58 < Kamilion> Where do I go from here? I can't find ANY .32 files whatsoever.
16:06 < Kamilion> The backstory: I've got a standalone 866Mhz compaq box running XP, with special idiotic java-based HP Laserjet 2840 scanner drivers. The only problem is, it's in another room, is headless, and connects to our wifi. I've found several 'solutions' like using AutoHotKey or AutoitV3 to fake user interaction, but since the machine is headless, GUI interaction is a no-no.
16:19 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
16:20 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
16:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
16:48 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 113 (No route to host)]
16:49 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 113 (No route to host)]
17:00 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has joined ##openvpn
17:08 < christophe_> hello, i have a problem with openvpn, it always starts reconnecting. This is my serverlog: http://pastebin.com/m5ace7ba4 , my clientlog: http://pastebin.com/m1360bf43 and finally my conf-file: http://pastebin.com/m7a502521
17:08 < christophe_> Is there someone who can find my problem?
17:09 < christophe_> These 2 lines seem weird:
17:09 < christophe_> #
17:09 < christophe_> Thu Feb 26 00:02:50 2009 Local Options hash (VER=V4): '69109d17'
17:09 < christophe_> #
17:09 < christophe_> Thu Feb 26 00:02:50 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
17:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
17:21 -!- Kamilion [n=chatzill@204-16-153-84-static.ipnetworksinc.net] has quit ["AIEEEEEEEEEEEEEEEeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"]
17:22 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
17:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Client Quit]
18:15 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has quit [Remote closed the connection]
18:19 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
18:20 < kim0> Hi everyone... My openvpn server is getting a UDP connection request .. it is replying .. but that reply packet is not reaching the initial connector
18:21 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:46 < ftp3> i want to setup a vpn between my home network and my work computer and my roving laptops. I wanted to install openvpn in our datacenter, and then have everything connect to it and share.. is this possible? (seems like what Hamachi does)...
19:01 -!- ixs [i=andreas@lacht.ueber.gattinnen-im-netz.de] has joined ##openvpn
19:01 < ixs> evening.
19:02 < ixs> i have an openvpn2.1rc15 installation here and an interesting problem.
19:02 < ixs> when a client is disconnecting and quickly reconnecting, the client-disconnect script is not called.
19:02 < ixs> is that considered normal behaviour?
19:04 -!- kyrix [n=ashley@91-115-189-239.adsl.highway.telekom.at] has joined ##openvpn
19:13 -!- kim0 [n=kimoz@unaffiliated/kim0] has left ##openvpn ["Konversation terminated!"]
19:34 < ecrist> ixs, could be
19:34 < ecrist> depends on how quickly, could be a bug, as well.
19:35 < ecrist> I'd write the mailing list, if I were you.
19:48 < ixs> ecrist: I'll delegate that job. thx. Gotta look into it a bit more. sometimes the script is called, sometimes it isn't.
19:48 < ixs> looks somewhat racing conditionish...
19:48 < ixs> but off to bed now.
19:48 -!- ixs [i=andreas@lacht.ueber.gattinnen-im-netz.de] has left ##openvpn ["l8rs"]
20:15 < dvl> Finally had cause to use a CRL today. http://openvpn.net/index.php/documentation/howto.html#revoke
20:15 < vpnHelper> Title: HOWTO (at openvpn.net)
20:15 < dvl> I no longer work for my previous employer. That Macbook I used had a cert on it for my VPN. Gone.
20:17 < dvl> ecrist: when you're back, see above. FYI
21:12 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)]
21:18 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:58 -!- MrY [n=mry@67-207-118-99.static.wiline.com] has joined ##openvpn
21:58 < MrY> is there a way to get openvpn to use a certificate on a usbkey like etoken usbkey or ikey etc?
22:11 -!- Feltenix [n=Tanstaaf@adsl-074-166-075-102.sip.asm.bellsouth.net] has joined ##openvpn
22:12 < Feltenix> is there a way to tie an openvpn key to a user account?
22:26 -!- MrY [n=mry@67-207-118-99.static.wiline.com] has quit [Read error: 110 (Connection timed out)]
22:52 -!- kyrix [n=ashley@91-115-189-239.adsl.highway.telekom.at] has quit ["Leaving"]
23:10 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
23:10 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Connection timed out]
23:11 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
23:12 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
23:48 -!- sentronbarby [n=vildent@chello080108035065.3.11.vie.surfer.at] has quit ["Leaving"]
--- Day changed Thu Feb 26 2009
00:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:46 < dazo> sigmonsays: I saw your question about running iptables script on post-connect of VPN clients .... checkout http://www.eurephia.net/
00:46 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
--- Log closed Thu Feb 26 00:59:12 2009
--- Log opened Thu Feb 26 06:38:17 2009
06:38 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
06:38 -!- Irssi: ##openvpn: Total of 57 nicks [0 ops, 0 halfops, 0 voices, 57 normal]
06:38 -!- Irssi: Join to ##openvpn was synced in 1 secs
08:05 -!- dar_ [n=dar@fwnctech.nctech.fr] has quit [Read error: 104 (Connection reset by peer)]
08:22 < ecrist> why must I lag?
08:24 < imachine> life
08:24 < imachine> it goes in circles and lags.
08:24 < imachine> anyway, is openvpn memleakish ?
08:24 < imachine> should I restart it once a month if I run a server?
08:25 < imachine> 2.0.9
08:25 < imachine> low mem conditions ;)
08:25 < imachine> Mem: 14304 13440 864 0 424
08:26 < imachine> 864k free
08:26 < imachine> I also see that nonetheless, using static keys consumes less memory than using certs.
08:27 < ecrist> imachine: shouldn't have problems
08:27 < ecrist> I've got a server that's got about 200 days uptime, currently
08:28 < imachine> so I guess I'll consider using static keys, despite lesser security or so.
08:28 < imachine> ecrist, okay. probably the rest of the software will be more problem causing.
08:28 < imachine> :)
08:28 < imachine> yeah but you have swap probably
08:28 < imachine> and you probably have more than 800k memory free ;)
08:28 * imachine runs OpenWRT on Linksys WRT54GL routers.
08:28 < imachine> + openvpn to certain locations from that.
08:29 < imachine> (it seems to work pretty smooth, sans comp-lzo)
08:32 < Roman123> imachine: I run openvpn on five openwrt boxes without any (memory) problem
08:32 < imachine> cool!
08:32 < imachine> the wrt54gl has only 16megs
08:32 < imachine> dhcp, vpn client, vpn server...
08:32 < imachine> well, we'll see.
08:32 < Roman123> that's why I prefer the asus wl-500gp
08:33 < Roman123> very cool stuff
08:33 < imachine> I'm not sure I can get hold of those here.
08:33 < imachine> I'd rather use ALIX
08:33 < imachine> 600MHz and small format, standard board.
08:33 < imachine> I think it's via.
08:33 < imachine> but, for now, I got these WRTs since they're easy to obtain.
08:33 < imachine> alix, I'd have to order in etc.
08:33 < Roman123> imachine: yeah, but the price of one asus is 70Euro.
08:34 < Roman123> imachine: how expensive is it?
08:34 < imachine> the alix?
08:34 < Roman123> yes
08:34 < imachine> about 100 euro
08:34 < imachine> let me check
08:35 < imachine> http://www.interprojekt.pl/wiki/Wiki.jsp?page=ALIX-BOARD-6b2
08:35 < vpnHelper> Title: InterProjekt Wiki :: PC Engines :: PC Engines ALIX.6B2 Geode LX800 500MHz 256MB RAM :: InterProjekt (at www.interprojekt.pl)
08:35 < imachine> about 120 euros.
08:36 < imachine> http://www.pluscom.pl/index.php?m=66 you can get them cheaper. but you should look in your own country of course :)
08:36 < vpnHelper> Title: ALIX - PLUSCOM (at www.pluscom.pl)
08:37 < imachine> of course, with 120 euro you just get the board.
08:37 < imachine> +20 for a mpci wifi card and about 10 for psu
08:37 < imachine> +10 for case.
08:37 < imachine> it's still worth it tho I guess... not sure if they include flash too.
08:38 < imachine> so a small flash card might be required. still, it's a decent board. if you're not the one paying for it, I hear it's worth it. tho to be honest, I haven't had my hands on them personally.
08:38 < Roman123> imachine: looks nice, but I prefer ready-to-go solutions such as wrt-54gl or asus wl-500gp.
08:38 < imachine> yea
08:38 < imachine> alix you need to play with.
08:38 < imachine> but they're powerful.
08:38 < imachine> what's the asus got ?
08:38 < Roman123> yes
08:39 -!- fgqsg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-e5e4a0ec5c18150e] has joined ##openvpn
08:39 < fgqsg> hi there
08:39 < imachine> cpu/ram/flash size?
08:39 < imachine> su
08:39 < imachine> p
08:39 < fgqsg> i try to configure openvpn on my ubuntu pc, it displays this error
08:40 < Roman123> 266 MHz/32MB/16MB
08:40 < Roman123> That's more than enough
08:40 < imachine> yeah.
08:40 < imachine> 32mb is nice.
08:40 < imachine> WRT54GS
08:40 < fgqsg> sudo openvpn /etc/openvpn/server.conf Thu Feb 26 15:38:11 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 Thu Feb 26 15:38:11 2009 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. Thu F
08:40 < imachine> nice too
08:40 < fgqsg> can anyone help
08:41 < Roman123> fgqsg: well, change your subnet address to something else?
08:42 < Roman123> I don't get the problem
08:42 < fgqsg> what do i have to change?
08:43 < Roman123> your ip range.
08:43 < Roman123> At the moment you use 192.168.0.0/24 or 192.168.1.0/24, right?
08:43 < Roman123> for your local subnet
08:45 < Roman123> fgqsg: how may computers do you run in your subnet?
08:45 < Roman123> s/may/many
08:50 < fgqsg> sorry for the delay
08:50 < fgqsg> for the moment there are 3 pc
08:50 < fgqsg> in my subnet roman123
08:51 < Roman123> fgqsg: ok, and their ip addresses are?
08:51 < fgqsg> 192.168.0.1
08:51 < fgqsg> 192.168.0.3
08:51 < fgqsg> 192.168.0.10
08:51 < fgqsg> these are my subnet ips
08:51 < Roman123> btw, do you have the permission to change their ip addresses? e.g., are you the admin / is it your network?
08:52 < Roman123> for example, use instead
08:53 < Roman123> 10.1.2.1, 10.1.2.3, and 10.1.2.10
08:53 < Roman123> or 192.168.25.1, 192.168.25.3, 192.168.35.10
08:53 < fgqsg> no
08:54 < fgqsg> i dont think
08:54 < Roman123> anything else than 192.168.0.x
08:54 < fgqsg> i live in france
08:54 < imachine> man doing vpns over gprs/3g is madness.
08:54 < fgqsg> i got freebox
08:54 < imachine> slows.
08:55 < imachine> okay gotta go. lates!
08:55 < fgqsg> i dont think it is possible
08:55 < Roman123> why?
08:56 < Roman123> everything is possible, you live in france and not in china ;)
08:57 < fgqsg> lol
08:57 < fgqsg> wait
08:57 < fgqsg> i check if i can change my subnet to 10.1.2.1
08:58 < Roman123> fgqsg: which openvpn mode do you use tun or tap?
08:58 < fgqsg> tap
08:59 < Roman123> ok, do you really want tap?
08:59 < Roman123> or need tap?
08:59 < fgqsg> not really
09:00 < fgqsg> give me the easiest solution
09:00 < Roman123> fgqsg: ok, then use tun
09:00 < fgqsg> thats enough
09:00 < Roman123> fgqsg: for you it is tun, then
09:00 < fgqsg> how do i change settings to tun?
09:01 < Roman123> in your config files replace tap by tun
09:01 < fgqsg> server.conf file?
09:01 < fgqsg> is it?
09:01 < Roman123> also on the client
09:01 < fgqsg> ok
09:02 < Roman123> fgqsg: which linux distribution do you run?
09:02 < Roman123> ubuntu?
09:03 < fgqsg> yes
09:03 < fgqsg> ubuntu
09:03 < fgqsg> i use ubuntu
09:04 < fgqsg> i can change setting to 192.168.25.1, 192.168.25.3, 192.168.35.10
09:04 < dazo> fgqsg: there are some known issues with Ubuntu and some of the openvpn versions distributed .... you probably would like to compile from source to be sure ....
09:04 * dazo will try to find the link
09:06 < Roman123> fgqsg: I'm looking for an ubuntu step-by-step howto on google for you.
09:06 < Roman123> one moment
09:08 < Roman123> fgqsg: http://ubuntuforums.org/showthread.php?t=239219 <-- looks solid for ubuntu
09:08 < vpnHelper> Title: setup openVPN server? - Ubuntu Forums (at ubuntuforums.org)
09:08 < Roman123> it utilizes a tun-mode for the openvpn server
09:09 < Roman123> the howto is quite old but it should still work
09:09 < Roman123> important is the sample configuration file
09:10 < Roman123> fgqsg: good luck
09:10 -!- plaerzen [n=carpe@vip4.tundraeng.com] has joined ##openvpn
09:10 < ecrist> moin plaerzen
09:10 < plaerzen> moin
09:10 < fgqsg> thx roman123
09:10 < plaerzen> how is everything ecrist ?
09:11 < fgqsg> so if i understand it correctly
09:11 < fgqsg> i have to restart all my settings from a to z
09:11 < fgqsg> is it?
09:12 < fgqsg> r u still there?
09:13 < fgqsg> roman123
09:13 < Roman123> fgqsg: http://openvpn.net/index.php/documentation/howto.html <-- take a look at this
09:13 < vpnHelper> Title: HOWTO (at openvpn.net)
09:13 < Roman123> it is well written
09:13 < Roman123> and easy to understand
09:14 < fgqsg> well
09:14 < fgqsg> i just followed the howto document of ubuntu-fr
09:15 < fgqsg> i downloaded from apt-get install
09:15 < fgqsg> openvpn
09:15 < fgqsg> why do you ask to change my subnet address to 192.168.25.x?
09:15 < fgqsg> why do i have to change to that address
09:16 < Roman123> fgqsg: you don't have to change it at all!
09:16 < Roman123> this is just a warning
09:16 < ecrist> plaerzen: looks like I'm having a girl.
09:16 < ecrist> well, we, my wife is the one *having* the baby.
09:17 < fgqsg> so you ask me to change only the server id.
09:17 < Roman123> if you utilize the bridged (tap) mode, then maybe you run into problems if you connect from outside (road with a subnet 192.168.0.x) to your private network (192.168.0.x)
09:17 < fgqsg> is it?
09:17 < Roman123> clear?
09:18 < fgqsg> yes
09:18 < Roman123> for example, imagine you're on holiday and at an internet cafe
09:19 < Roman123> they have a private network 192.168.0.x
09:19 < fgqsg> yes
09:19 < Roman123> you connect your notebook to their private network and connect to your network using openvpn
09:19 < Roman123> bang
09:20 < Roman123> then you connect two private networks with 192.168.0.x
09:20 < Roman123> this can, but need not, be a problem
09:20 -!- cbt [n=cbt@75.150.49.162] has joined ##openvpn
09:21 < fgqsg> ok
09:21 < fgqsg> understand
09:21 < Roman123> so you have two options
09:21 < Roman123> 1. change your lan/private subnet at home and stay with the tap-mode
09:21 < Roman123> 2. switch to the tun mode
09:22 -!- Balazs [n=chatzill@81.183.224.187] has joined ##openvpn
09:22 < Roman123> http://openvpn.net/index.php/documentation/howto.html <- there is a good section about what's the difference between tun or tap. Please read it and then decide with is better for you
09:22 < vpnHelper> Title: HOWTO (at openvpn.net)
09:22 < Roman123> fgqsg: ^^
09:22 < Roman123> ok?
09:23 -!- tzanger [n=tzanger@gromit.mixdown.ca] has joined ##openvpn
09:23 < Roman123> s/with/which
09:23 < fgqsg> ok
09:23 < Roman123> ecrist: congrats
09:23 < tzanger> good morning. I'm trying to get my client configuration to do the equivalent of "push dhcp-option xxx" -- the server side isn't doing it, and I'm getting kind of tired of updating resolv.conf manually.
09:24 < Roman123> ecrist: girls are easier to handle until they hit puberty
09:24 < tzanger> is it possible to use something equivalent to "push "dhcp-option DNS 1.2.3.4"" in the client configuration file and have it set foreign_dhcp_x correctly (so the supplied resolvconf scripts work) ?
09:24 < Roman123> ecrist: because this will also hit you too ;-P
09:25 -!- fxcs [n=fxcs@p578b5976.dip0.t-ipconnect.de] has quit []
09:25 < dazo> tzanger: In the *nix world you need to do something with some --up scripts to make it work properly .... I've not dug into this, so I'm not quite sure what's really needed
09:26 < dazo> tzanger: but involving the resolvconf package (for most Linux distros) is usually a starting point from what I've read
09:26 < Roman123> ecrist: replace the last "hit" by "influence" because that word matches better
09:26 < tzanger> dazo: damn... it's too bad the client.conf files don't accept the push command; it'd "just work" then
09:26 < tzanger> dazo: yes, resolvconf is there, and there is already support for doing this through the foreign_option_x environment variables
09:26 < tzanger> dazo: alternatively, is it possible to set environment variables in the client.conf file?
09:26 < dazo> tzanger: I know ... but updating /etc/resolv.conf .... that's really tricky business, when you want it done "The right way(tm)"
09:27 < tzanger> dazo: even more reason to try to use the already-supplied scripts :-)
09:27 < dazo> tzanger: not sure
09:28 < Balazs> Dear all! I read the howtos, but my openvpn server is not working well... anybody made a very detailed doc about that?
09:29 < fgqsg> it was taking to understand
09:29 < ecrist> Balazs: there are lots of them out there.
09:29 < fgqsg> but finally i understand
09:29 < fgqsg> thx a lot roman123
09:31 < Balazs> ecrist: I tried on ubuntu and on debian 5.... the last one looks a little bit better but not good enough. Do you have any experience in pptp vpn?
09:31 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit []
09:32 < ecrist> Balazs: I've a fair amount of experience with OpenVPN
09:33 < Roman123> fgqsg: no problem
09:34 -!- fgqsg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-e5e4a0ec5c18150e] has quit ["http://www.mibbit.com ajax IRC Client"]
09:35 -!- mib_z3d3li [i=ad0876dd@gateway/web/ajax/mibbit.com/x-37311b75bff43eee] has joined ##openvpn
09:35 < ecrist> what's with all the mibbit clients, lately?
09:36 < mib_z3d3li> fuck you
09:36 < ecrist> o.O
09:36 < ecrist> that hurts. :(
09:37 < mib_z3d3li> anyone know if mibbit logs conversations?
09:37 < mib_z3d3li> this is actually a pretty neat irc client.
09:37 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
09:38 < Roman123> Balazs: Hi! Take a look at your sentence/question again. You have written that your server is not working well and then asked if there is anybody who has made a detailed doc about that.
09:39 -!- mib_z3d3li [i=ad0876dd@gateway/web/ajax/mibbit.com/x-37311b75bff43eee] has quit [Client Quit]
09:40 * dazo doesn't want to try mibbit .... irc sessions seem to last too short for his taste
09:40 < Roman123> Balazs: I'm pretty sure that there is no one who wrote a detailed doc about your non-working server. ;-)
09:40 < Roman123> Balazs: where is the problem in detail. What does not work? Please pastebin some logs.
09:41 < Roman123> and perhaps someone can help you
09:43 < Balazs> Roman123: you're right. ;)
09:43 < Balazs> Roman123: I installed ubuntu 8.04 and 8.10 and now debian 5.0
09:44 < Roman123> ok
09:44 < Balazs> as I saw in the documents, when I install the module it will ask to create a tun/tap adapter.... it is strange, but I think it is not created... I created it manually.
09:45 < Balazs> I am using webmin to create the CA, server and client keys.
09:45 < Roman123> Balazs: ok, the kernel module is loaded?
09:46 < Balazs> once on ubuntu I could connect and got an IP but was unable to ping the other subnet
09:46 < Roman123> Balazs: ok, do you run a firewall?
09:46 < Balazs> yes, I checked in the webmin, that is running.
09:46 < Roman123> perhaps the firewall blocks
09:46 < Balazs> the firewall rule is: enable all.
09:47 < Balazs> no restrictions.
09:47 < Roman123> which mode do you use (tun or tap)?
09:47 < Balazs> I prefer openvpn but I thought that maybe the pptp will be easier for me but the same happened... unable to ping.
09:48 < Roman123> sorry for the hard words but pptp is crap ;-)
09:48 < Roman123> stay with openvpn or ipsec
09:48 < Balazs> It is interesting, because as I heard I have to use tap on Windows XP, so tap, but tun could be better.
09:49 < Roman123> try tun, IMHO it is much easier to set up
09:50 < Roman123> Balazs: http://openvpn.net/index.php/documentation/howto.html <- there is a good section about what's the difference between tun or tap. Please read it and then decide with is better for you
09:50 < vpnHelper> Title: HOWTO (at openvpn.net)
09:50 < Roman123> s/with/which
09:51 < Balazs> I read it, that's the point why I'd like to stay at TUN.
09:51 * Roman123 should avoid copy-and-pasting sentences without correcting typos :)
09:51 < Roman123> Balazs: ok, then change tap to tun
09:52 < Balazs> IMHO like a webmin that can manage the installation and setup or like openvpn that contains the openvpn functionalities?
09:53 < plaerzen> ecrist, Congrats!
09:53 < Roman123> you do not need webmin. you just need two config files.
09:53 < Roman123> one on the server and one on the client side.
09:54 < Roman123> webmin just complicates the problem.
09:55 < Roman123> take the example script from the openvpn website, change the ip's and the location & name of the certs and, assuming your firewall is not blocking the connection, everything should work fine
09:55 < Roman123> Balazs: ^^^
09:57 -!- Balazs_ [n=chatzill@81.183.224.187] has joined ##openvpn
09:59 < Balazs_> Roman123: I am back.... so please tell me, to use tun under XP do I have to do something or will the simple openvpn solve everything?
09:59 < Balazs_> may I ask you by mail or only here?
10:01 < Roman123> Balazs: tun should work in xp out of the box once you've installed the openvpn client and have enabled tun in the client config file.
10:02 < Balazs_> it looks easy. tomorrow I will try it. Will you be here tomorrow?
10:02 < Roman123> TAP-WIN32 Adapter V8 is just the name of the network adapter in windows xp
10:02 < Balazs_> OK.
10:02 < Roman123> Balazs: sorry, tomorrow I'm on holiday
10:03 < Balazs_> you are lucky. :)
10:03 < Balazs_> can I reach you by mail or just only here?
10:03 < Roman123> Just ask here
10:03 < Roman123> here are tons of experts
10:03 < dazo> Balazs_: please, let the man have some holiday in peace ;-)
10:03 < Roman123> I'm also not an expert
10:03 < Balazs_> okay, have a nice holiday, I will ask you later.
10:04 < Roman123> I'm just trying to help as far as I can.
10:05 < Balazs_> thank you.
10:05 < Balazs_> what about IMHO?
10:06 < Roman123> in my humble opinion
10:07 < Balazs_> lol
10:08 < Balazs_> bye and see you next time.
10:08 -!- Balazs_ [n=chatzill@81.183.224.187] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"]
10:09 < Roman123> I don't understand why people claim that IPSEC is so hard to set up.
10:10 < ecrist> Roman123: it is fairly complicated to grasp
10:10 < Roman123> Yesterday, I managed to fire up an IPSEC tunnel between two routers. It took about 20 minutes to configure racoon.
10:10 < Roman123> and that was all
10:11 -!- Balazs [n=chatzill@81.183.224.187] has quit [Read error: 110 (Connection timed out)]
10:11 < ecrist> doesn't mean it's not complicated.
10:12 < Roman123> and this was my first IPSEC time. ;-)
10:12 < ecrist> you're obviously superior to mortals
10:12 < Roman123> nope, definitely not
10:14 < Roman123> Usually, I spend hours on very simple things ;-)
10:15 < ecrist> it only takes me about 2 mins to config an IPSec tunnel between cisco routers.
10:15 < ecrist> :)
10:15 < Roman123> the version of racoon, which is included in openwrt 8.09, seems a bit buggy.
10:15 < Roman123> cisco vpn does not count
10:15 < ecrist> Roman123: why not?
10:18 < Roman123> the ones I've seen feature that ipsec cisco stuff which was very easy to configure.
10:18 < ecrist> Roman123: I'm not talking about a web interface, either.
10:18 < Roman123> ahh, ok
10:18 < ecrist> and, if you've never done cisco IPSec, you have no right to speak on the matter.
10:19 < Roman123> the ipsec tunnel offers one very nice thing. It can be built up from both sides of the tunnel.
10:19 < Roman123> I guess that's not possible by means of openvpn, or is it?
10:20 < Roman123> just a ping establishes the tunnel
10:20 < ecrist> right, which means the tunnel is only *up* during use.
10:21 < Roman123> you can configure it to stay up
10:22 < Roman123> until one side is disconnected from the net or racoon is shut down
10:23 < Roman123> reboot the router and start racoon followed by a ping in a start script
10:26 < Roman123> have to go
10:26 < Roman123> ecrist: bye
10:27 < Roman123> cu later
10:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:29 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"]
10:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:53 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:04 < plaerzen> I don't think I like that guy
11:19 < ecrist> which one, Roman123?
11:26 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
11:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:44 < plaerzen> ecrist, yeah
11:49 < ecrist> ditto
11:50 < plaerzen> Who says things like "If I'm retarded, and I can set up IPSEC in 20 minutes... what does that make you, who (although I never bothered to ask or converse in any way) probably can't do it in that time?"
11:52 < jpalmer> I think he clearly admitted that he wasn new to IPSEC, and as such, probably doesn't know all the intricacies involved in anything more than a basic configuration.
11:52 < jpalmer> s/wasn/was/
11:52 < ecrist> yeah, kind of gathered that from him.
11:53 < ecrist> what sort of annoyed me is that he's here for help, but he's offering help, and criticising others, as if he's an expert
11:53 < ecrist> I'm sick, so sooner or later, he'll piss me off. :)
11:53 < jpalmer> you know what they say about arrogance and ignorance ;)
11:53 < ecrist> lol
11:55 < jpalmer> once he does something a little more involved than a basic setup, he'll likely gain a little respect for the difficulty level people talk about. until then, he's a little on the ignorant side, and a lot on the arrogant side. experience will (hopefully) humble him.
11:56 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has joined ##openvpn
12:00 < krzee> hehe
12:00 < krzee> whats up gentlemen
12:00 < krzee> sorry to hear you're sick eric
12:00 < ecrist> howdy krzee
12:01 < krzee> i am shitting every 15 minutes, i think i drank the water or something
12:01 < krzee> so i know how ya feel
12:01 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn []
12:01 < ecrist> lol, hey, did you send that package fedex?
12:01 < krzee> sure did
12:01 < krzee> so i guess it arrived?
12:02 < ecrist> ok, they tried to deliver yesterday, I was at the ultrasound for the new baby yesterday, so they should try to redeliver it today
12:02 < krzee> or they tried and nobody was home
12:02 < krzee> ahh right on
12:02 < ecrist> 80-90% it's a girl.
12:02 < krzee> everything normal with the baby?
12:02 < krzee> ahh cool
12:02 < ecrist> all is well.
12:02 < krzee> good to hear
12:03 * krzee will follow the north star when the baby is born
12:03 < ecrist> afk for a bit - gotta make a samich
12:03 < krzee> with 2 other guys and gifts
12:07 < ecrist> lol
12:19 < MgGuGu> Hi .. I'm having a problem getting connected to an openVpn server from the client .. i'm getting the "TLS key nego failed to occur in 60 sec" msg ..
12:19 < MgGuGu> I've checked iptables n firewalls on the client side also ..
12:19 < MgGuGu> as far as i know .. all firewalls allowing 1194
12:23 < MgGuGu> this is my server.conf
12:23 < MgGuGu> http://pastebin.com/m2edd9054
12:23 < MgGuGu> i'm trying to get ethernet bridging
12:25 < MgGuGu> here is my client.conf
12:25 < MgGuGu> http://pastebin.com/maf488cc
12:43 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 104 (Connection reset by peer)]
12:45 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
13:38 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn
13:39 < higuita> anyone have any tip how to use openvpn in windows vista, without administrative rights?
13:39 < higuita> i spent all day trying to work around it, but vista is a bitch!
13:41 < krzee> it MUST have admin
13:41 < krzee> it must add routes...
13:41 < krzee> !factoids search win
13:41 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', and 'wins'
13:41 < krzee> !win_noadmin
13:41 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
13:42 < krzee> but you can try that
13:42 < krzee> ;]
13:42 < krzee> (forgot about that)
13:42 < krzee> MgGuGu, why do you want bridging?
13:46 < krzee> !tunortap
13:46 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
13:48 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
13:49 < Roman123> Hi!
14:01 < ecrist> krzee: back at home?
14:02 < Roman123> hi ecrist
14:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:28 -!- cbt [n=cbt@75.150.49.162] has quit ["Leaving"]
14:35 < krzee> ecrist, nah still in peru
14:36 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has joined ##openvpn
14:40 < qkf> hello i hope somebody can help - http://rafb.net/p/zMReYU99.html
14:40 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:44 < qkf> i do not seem to be able to have more than one remote computer connected to my OpenVPN server - once one machine has a connection the OpenVPN server stops listening for new connections until it is restarted
14:45 < higuita> krzee: let me explain better, in XP, the runas trick works fine, but in vista the UAC blocks the admin rights even with the runas
14:49 < higuita> qkf: try to increase the debug log to see why it stops working... or in despair, strace the openvpn process :)
14:50 < qkf> i will try the former :)
15:00 < qkf> no clues
15:01 < Roman123> How can I ensure that an openvpn tunnel always stays up (if there is a network connection between server and client). I've tried the following things: 1. Disconnect the cable from the server -> wait 20 seconds -> reconnect cable -> connection comes up again. :-) 2. restart the server -> it takes about two minutes until the connection is up again. I guess that's the keep alive "10 120" option. Is it a good idea to reduce the value 120? Or could tha
15:01 < qkf> with verbosity at 10 i can see the socket listener start
15:01 < Roman123> t cause problems?
15:16 -!- demoncyber_ [n=marco@200.18.3.253] has joined ##openvpn
15:27 < higuita> Roman123: IMHO, there is no problem at all, its mostly a fine tune that each user must test on their network and usage
15:27 < Roman123> ok, then I'll reduce the value to 60
15:28 < Roman123> which should be fine for me
15:28 < higuita> test it with various values and use the one that works better... just remember that reconnect costs time, so you dont want to reconnect without need
15:34 < Roman123> In order to achieve a continuous tunnel should I enable persist-tun and persist-key?
15:35 < Roman123> I saw on the manpage: "The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade."
15:35 < Roman123> and "Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options."
15:36 < Roman123> well, I don't understand what this means in detail.
15:37 < Roman123> On the one hand, is it faster to close and reopen the TUN/TAP device, i.e., disable persist-tun
15:38 < Roman123> ?
15:38 < Roman123> ^^^ when the line is disconnected
15:47 < soberbit> any reason a TUN interface cannot listen on tcp instead of udp?
15:51 < higuita> soberbit: that is a config option
15:52 < soberbit> "proto tcp" only proper syntax for a TAP ?
15:52 < higuita> udp you simulate a real connection, a lost udp packet is "connection noise" and the vpn tcp/ip will recover
15:53 < soberbit> my reason for trying it as tcp is kinda dumb
15:53 < soberbit> i do understand what you mean though.
15:53 < higuita> but in tcp that noise will be retransmitted, wasting bandwidth, because the vpn tcp/ip will still retransmit the lost packet, the out of order packet will be dropped as dupe
15:53 < soberbit> thought it might be neat if netstat showed my various openvpn services for our TUN interfaces, as tcp. Then i would be able to see remote IP addresses in netstat.
15:54 < higuita> tcp is very useful for testing the firewall rules and connections, after that, just switch to udp
15:54 < higuita> tcp is also useful for proxies :)
15:55 < higuita> soberbit: openvpn can create a log file that shows the current local/remote ip for all active connections
15:55 < higuita> its updated each minute IIRC
15:57 < higuita> Roman123: dont know what is faster, never tested that...
15:57 < Roman123> higuita: with faster, I mean reconnects
15:57 < higuita> again, better to test yourself, but i suspect that will not make a big difference
15:58 < higuita> persist-tun persist-key should be faster, as it will save a few steps, but i dont know if they bring other problems
16:00 < Roman123> higuita: thanks
16:13 < soberbit> i'm trying to make use of the openvpn commands, instead of a full "service openvpn restart" every time i make a change to just one of the interfaces
16:14 < soberbit> but i'm having a hard time putting it together with the man page
16:14 < soberbit> just trying to make changes to one of the .confs, and restart just the one tun
16:14 < soberbit> openvpn --rmtun --dev tun3.conf
16:14 < soberbit> however it's still listed in ifconfig
16:15 < krzee> tun3.conf?
16:16 < krzee> did you read the manual for --rmtun?
16:16 < krzee> !man
16:16 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:16 < krzee> [16:53] any reason a TUN interface can not listen on tcp instead of udp?
16:17 < soberbit> i just said i was having trouble putting it together with the man page
16:20 < soberbit> how do you restart a tun without restarting the whole openvpn service for all tuns?
16:26 < krzee> tcp works for tun or tap, but should be avoided if possible
16:26 < krzee> !tcp
16:26 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:26 < krzee> umm, openvpn config
16:26 < krzee> will only start that config
16:26 < krzee> you in windows im taking it?
16:27 < krzee> first you need to kill the process that is already running tho
16:28 -!- plaerzen [n=carpe@vip4.tundraeng.com] has quit [Remote closed the connection]
16:30 < krzee> Roman123, are you using user/group statements in your config?
16:34 < ecrist> krzee: Roman123 has no good reason I recall for needing tap.
16:37 < Roman123> krzee: no
16:38 < krzee> Roman123, then it doesnt matter if you use persist options
16:38 < krzee> [16:41] I saw on the manpage: "The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade."
16:38 < krzee> thats what its telling you
16:38 < soberbit> openvpn tun3.conf wants to start the config. i need to shut down tun3 first
16:38 < krzee> and Roman123 if you dont need tap, use tun
16:39 < krzee> soberbit, so then kill the process of openvpn that is running tun3
16:39 < Roman123> krzee: I need tap, don't know if it is a good reason ;-)
16:39 < krzee> why do you need tap?
16:39 < soberbit> krzee: that's what i'm trying to put together using the man page
16:39 < soberbit> openvpn --rmtun --dev tun3.conf
16:39 < Roman123> I like to send wake-on-lan requests
16:40 < krzee> soberbit, you dont know how to kill a process on your operating system?
16:40 < soberbit> obviously my syntax is wrong because it said it's in use
16:40 < krzee> soberbit, you wont kill it from using openvpn
16:40 < soberbit> you want me to run a kill command outside of openvpn??
16:40 < krzee> no shit
16:40 < soberbit> why not just let openvpn do it
16:40 < krzee> cause thats not how it works
16:40 < krzee> did you even read rmtun in the manpage?
16:40 < soberbit> a daemon doesn't know how to shut down one of its own configs?
16:41 < krzee> openvpn [ --mktun ] [ --rmtun ] [ --dev tunX | tapX ] [ --dev-type device-type ] [ --dev-node node ]
16:41 < krzee> do you see a place for config there?
16:41 < soberbit> yes, that is what i read. i'm trying the --rmtun
16:41 < krzee> dude
16:41 < soberbit> rtfm you too
16:41 < krzee> me?
16:42 < krzee> LOL
16:42 < krzee> listen to me or dont
16:42 < krzee> it dont matter to me
16:42 < krzee> but im telling you the truth
16:42 < krzee> rmtun is only to remove a non-in-use interface that you made persistent with --mktun
16:43 * ecrist looks around for a banhammer
16:43 < krzee> and ive read that manual more times than you want to know
16:43 -!- ilreds [i=57108019@gateway/web/ajax/mibbit.com/x-48c3eecb80a284b6] has joined ##openvpn
16:43 < ilreds> hi to all
16:43 < krzee> ya ecrist, im not feeling too good, my hammer is sitting right next to me
16:43 < krzee> haha
16:43 < ecrist> lol
16:43 < soberbit> i'm not telling you to read the man
16:43 < soberbit> i'm asking questions about the man
16:44 < krzee> you in windows or a unix?
16:44 < soberbit> linux
16:44 < krzee> then kill -9 that shit
16:44 < ilreds> i need to deploy an openvpn server into a subnet, clients must obtain an ip of the same subnet: is bridging the only solution?
16:44 < soberbit> i know
16:45 * ecrist goes outside.
16:45 < soberbit> of all the things i've built, i've never had a daemon not know how to turn itself off
16:45 < soberbit> so fine, i'll pull the power cord.
16:45 < krzee> hahahah
16:45 < krzee> you must be pretty new then
16:45 < soberbit> to openvpn, yes
16:45 < krzee> cause normally apps come with some sort of wrapper for that, and dont support it from within
16:45 < krzee> example, apache doesnt turn itself off
16:46 < krzee> nor does qmail
16:46 < soberbit> service httpd stop
16:46 < krzee> thats NOT apache
16:46 < krzee> thats a wrapper
16:46 < soberbit> read the init scripts, it's not just forcing a kill
16:46 < krzee> kill -9 `ps auxww|grep tun3|awk '{print $2}'`
16:49 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has joined ##openvpn
16:49 < krzee> and im sure you could make openvpn work with service
16:49 < krzee> if you set it up right for that
16:49 < krzee> but it for sure wont do that itself unless someone made it part of a custom package for your OS
16:49 < soberbit> so far i've only used openvpn with service
16:50 < krzee> service reads from /etc/init.d i believe
16:50 < christophe_> hey, openvpn always starts a new tun-interface. is there a way to close the old one or to prevent this from happening?
16:50 < soberbit> it's a centos 3rd party package
16:50 < krzee> soberbit, so if you use the service command it kills all?
16:50 < soberbit> tosses in some scripts in /etc/openvpn and sets up in init
16:50 < soberbit> ya
16:50 < krzee> ok then kill -9
16:50 < krzee> btw
16:50 < soberbit> i wanted to just learn how to do one tun. kill -9 will work fine. just never approached it like that
16:50 < krzee> none of those apps know how to shut themselves down
16:50 < krzee> thats something built in to your OS
16:50 < krzee> NOT into the apps
16:51 < soberbit> you're right
16:52 < krzee> christophe_, thats odd, what os?
16:52 < christophe_> ubuntu 8.10
16:52 < krzee> !configs
16:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:52 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection]
16:52 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
16:53 < christophe_> this is my client.conf http://pastebin.com/m7a502521
16:53 < krzee> christophe_,
16:53 < christophe_> client log http://pastebin.com/m1360bf43
16:53 < krzee> read what my bot told you
16:53 < krzee> !configs
16:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:53 < krzee> read the whole thing
16:53 < christophe_> sorry :)
16:54 < soberbit> being the guru you are, don't suppose you have any insight on the xp clients not taking a dns push. ?
16:54 < krzee> yes
16:54 < krzee> !pushdns
16:54 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
16:54 < krzee> #2
16:54 < soberbit> var/log/messages says the dns push is going out towards them. employees can even see the dns added to their tap32 interface
16:54 < soberbit> just doesn't work
16:55 < krzee> READ #2
16:55 < soberbit> if they manually add the dns to their real interface, it works
16:55 < krzee> *sigh*
16:55 < soberbit> #2 didn't print to the chan
16:55 < krzee> bullshit
16:55 < krzee> !pushdns
16:55 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
16:55 < christophe_> the client.conf again: http://pastebin.com/m30f94fe2
16:55 < krzee> #2
16:56 < krzee> christophe_, and thats the client making a new tun device every time you start it?
16:56 < soberbit> http://pastebin.com/d9b46cd9
16:56 < krzee> soberbit,
16:56 < christophe_> krzee, yes it is the only conf-file on this hosot
16:56 < christophe_> host
16:56 < krzee> (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
16:56 < vpnHelper> Title: Gmane Loom (at thread.gmane.org)
16:56 < soberbit> awesome, thanks
16:56 < krzee> if you actually read youd have seen that
16:56 < krzee> its in your pastebin 2x
16:57 < soberbit> oh i thought the line #2 was a line from the bot
16:57 < soberbit> my bad
16:57 < krzee> christophe_, for 1 thing, if you can get off using tcp you should
16:57 < krzee> !tcp
16:57 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:57 < krzee> as for making a new device every time, very odd
16:58 < krzee> christophe_, can you pastebin ifconfig?
16:58 < krzee> and ps auxww|grep openvpn
16:58 < christophe_> krzee, i believe this is a company policy so i'm afraid this is not for the near future :s
16:58 < krzee> christophe_, are you running openvpn multiple times by chance?
16:59 < krzee> christophe_, gotchya, thats the only time its cool to use tcp
16:59 < soberbit> wow i'm really off today. i should go home and sleep for a change.
16:59 < krzee> sometimes you just cant get around it
16:59 < soberbit> fuck me
16:59 < christophe_> krzee the ifconfig http://pastebin.com/m2397f46a
16:59 < christophe_> no i only start it once at a time
16:59 < krzee> and ps auxww|grep openvpn
17:00 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection]
17:00 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
17:01 < christophe_> krzee, sorry it was the wrong ifconfig http://pastebin.com/m53b7da93
17:01 < christophe_> previous was the server ifconfig
17:01 < krzee> server runs 3 openvpns?
17:01 < christophe_> yeah we have 3 vpn connections
17:01 < krzee> and if this is client, you only have 1 interface
17:01 < krzee> so looks like no problem
17:02 < krzee> maybe you were just confused for a min
17:02 < christophe_> yeah, but i cant close this one
17:02 < krzee> kill -9 `ps auxww|grep tun3|awk '{print $2}'`
17:02 < krzee> err
17:02 < christophe_> it always restarts because there is already a tun-interface
17:02 < krzee> kill -9 `ps auxww|grep openvpn|awk '{print $2}'`
17:02 < christophe_> k
17:03 < krzee> you just kill the process to stop openvpn
17:03 < krzee> as i was just telling soberbit before you came in
17:03 < christophe_> kill: No such process
17:03 < krzee> ps auxww|grep openvpn
17:03 < soberbit> lol
17:04 < krzee> is it even running?
17:04 < krzee> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
17:04 < krzee> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
17:04 < christophe_> not now
17:04 < krzee> im thinking not
17:04 < krzee> ok then what is your goal dude?
17:04 -!- ilreds [i=57108019@gateway/web/ajax/mibbit.com/x-48c3eecb80a284b6] has quit ["http://www.mibbit.com ajax IRC Client"]
17:04 < christophe_> i start it again, but it keeps restarting!
17:05 < christophe_> so there is no point in keeping it running i believe
17:05 < krzee> what do you mean
17:05 < krzee> how bout this
17:05 < krzee> !logs
17:05 < Roman123> anyone here who uses openwrt?
17:05 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
17:05 < krzee> !configs
17:05 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:05 < krzee> i already have your client config
17:05 < christophe_> it tells Initialization Sequence Completed and after this it does: Connection reset, restarting [0]
17:05 < soberbit> all i'm getting from the article is just telling the employee to run the command in the command line. which is doable.... i'll test it out with them tomorrow.
17:06 < krzee> soberbit, you can tell openvpn to run a script as well
17:06 < soberbit> oh
17:06 < soberbit> gosh, i'm not sure i know how to script in xp/vista
17:06 < krzee> in fact theres hooks to run scripts at a few diff times of a ovpn connection
17:06 < krzee> batch files
17:06 < krzee> or vbs
17:06 < krzee> a batch file would just be the command-line entry
17:06 < soberbit> called from their client.ovpn file?
17:07 < krzee> if you can type it at command-line you can script it
17:07 < krzee> yes
17:07 < krzee> look for every instance of script in the manual
17:07 < krzee> theres a lot of them
17:07 < soberbit> and it would be pretty generic and harmless even if i ever did stop pushing dns.
17:07 < krzee> of course
17:07 < soberbit> point is, i'm trying to leave employees with rather generic configs, so i don't have to update them all the time
17:07 < krzee> welp
17:07 < krzee> its a windows problem
17:07 < soberbit> heh
17:07 < krzee> not an openvpn one
17:07 < soberbit> ya
17:08 < christophe_> krzee, i get it working by doing ifconfig tun0 destroy; openvpn --config client.conf
17:08 < soberbit> oddly though, for some employees it works (me) and for some it doesn't.
17:08 < soberbit> so here i am trying to recreate the prob, and i can't.
17:08 < krzee> christophe_, then it works??
17:08 < christophe_> it doesn't restart like before
17:08 < soberbit> i have xp on a macbook to test what it's like to be them when needed.
17:08 < christophe_> the first command gives a warning but thats all
17:08 < krzee> soberbit, no idea, i dont use windows
17:09 < krzee> christophe_, you can also remove a device from within openvpn, openvpn --rmtun --dev tun0
17:09 < christophe_> good to know, maybe more safe also :)
17:09 < krzee> should be the same i'd think
17:10 < krzee> christophe_, can you re-create the problem now?
17:10 < krzee> like by killing and restarting openvpn
17:10 < krzee> if so we shouldnt consider it fixed yet
17:10 < krzee> if not... *shrug*
17:10 < christophe_> krzee, no :s very strange
17:11 < krzee> heh
17:11 < krzee> cool tho
17:11 < christophe_> but np for me, as long as it stays like this you don't hear me complain :)
17:11 < christophe_> thanks for the help and advice krzee
17:13 < krzee> np =]
17:27 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 111 (Connection refused)]
17:30 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has quit ["Leaving"]
18:22 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:23 -!- XATRIX [n=linux@steping-filter.volia.net] has joined ##openvpn
18:24 < XATRIX> hi...i've got a question.....i have a ~38Mbit asynchronous channel, and the second side has a 2Mbit line
18:24 < XATRIX> why when i connect to the other side
18:25 -!- tzanger [n=tzanger@gromit.mixdown.ca] has left ##openvpn []
18:25 < XATRIX> my whole bandwidth inside the tunnel is over ~4-5KB\s...?
18:25 < vcs> are you using UDP and compression?
18:25 < XATRIX> i'm using ssh X11 forwarding, and it's very very slow
18:26 < XATRIX> why it's not using the whole or a half bandwidth ?
18:26 < XATRIX> i don't know about UDP compression
18:26 < XATRIX> how can i find out ?
18:27 < vcs> could you pastebin your configuration file for your server?
18:27 < vcs> If i can look through it I may be able to help you more
18:27 < XATRIX> ok..i need a sec
18:29 < XATRIX> http://rafb.net/p/iPsqRF66.html
18:29 < vpnHelper> Title: Nopaste - No description (at rafb.net)
18:29 < XATRIX> i guess that's it
18:33 < XATRIX> so
18:34 < XATRIX> vcs>
18:35 < XATRIX> any idea ?
18:35 < vcs> ahh sorry, i was ordering pizza
18:35 < vcs> let me take a look :P
18:35 < vcs> I HIGHLY recommend changing the line "proto tcp" to "proto udp"
18:36 < vcs> change it in the client configuration as well
18:36 < vcs> and then try X11 forwarding
18:36 < vcs> that should make a HUGE difference
18:38 < krzee> !tcp
18:38 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
18:38 < XATRIX> vcs> emm..i'm not a server administrator..i'm just a client...
18:38 < vcs> yes, but you must change the directive so it knows to connect on UDP not tcp
18:38 < vcs> otherwise it will try to connect on the wrong protocol
18:41 < XATRIX> emm...
18:41 < XATRIX> how can i change the directive if i'm not root
18:41 < vcs> OHH I see...
18:41 < XATRIX> and i'm not a system administrator..
18:41 < vcs> who is the admin?
18:42 < XATRIX> he won't be glad to hear about it ;)
18:42 < vcs> Either he has no clue what he is doing
18:42 < vcs> or he is limited to only TCP for some reason
18:42 < vcs> complain to him... you deserve an answer.
18:43 < vcs> i gotta pick up pizza, kill your admin. later.
18:43 < XATRIX> ok....i will
18:43 < XATRIX> so there's no other way to increase the speed NOW ?
18:59 -!- dmb [n=dmb@unaffiliated/dmb] has quit ["Leaving"]
18:59 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
18:59 -!- XATRIX [n=linux@steping-filter.volia.net] has quit ["buying software is against our policy! :) || Ах страна моя родная! Мир загадок и чудес. Гд]
19:12 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has left ##openvpn []
19:12 < vcs> No.
19:12 < vcs> kill your admin.
19:15 < vcs> it fails to amaze me how many people set up OpenVPN over TCP...
19:15 < vcs> and expect high performance
19:16 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn
19:18 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit ["I am off"]
19:18 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn
19:54 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)]
19:58 -!- hardwire is now known as forbidden_fruit
19:58 -!- forbidden_fruit is now known as hardwire
20:30 -!- SpiritedBB [n=Spirited@208.50.100.19] has joined ##openvpn
20:44 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
20:45 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:58 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
21:04 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)]
21:05 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
21:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:15 -!- vanchuck [n=dave@S0106001c2512a7bc.vn.shawcable.net] has joined ##openvpn
21:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
21:20 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:27 < vanchuck> hey all-- I'm trying to set up an openvpn bridge. Everything is set up except that the bridge-start script messes up my network configuration because I have multiple IP addresses on eth0 (ie, eth0:0, eth0:1, etc...). After running the script, ifconfig only shows 'eth0'
21:27 < vanchuck> any clues on how to get around that?
21:36 < dvl> I would expect tap0, not eth0, but I suspect you're using DVL.
21:36 < dvl> Sorry, my humour. Damn Vulnerable Linux.
21:36 < dvl> Google it. ;)
21:36 < vanchuck> hehehe
21:37 < vanchuck> I actually just made some progress by assigning the bridge to eth0:x rather than eth0-- now openvpn is running without messing up other ips
21:37 < vanchuck> but now it's saying destination net unreachable when I connect.. back to google :-)
21:38 < dvl> sounds like routing?
21:44 < vanchuck> yeah, I can't ping any of the hosts on the server/destination's network while connected (but its fine when vpn disabled)
21:56 < hads> Try using multiple ips on an interface rather than old eth0:n?
22:07 < vanchuck> re: WARNING: --remote address [xx.yy.zz.148] conflicts with --ifconfig subnet [xx.yy.zz.158, 255.255.255.240] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn)
22:07 < vanchuck> can I change the server-bridge subnet to something besides the 'actual'
22:07 < vanchuck> ... bridge (br0) subnet
22:22 -!- Netsplit anthony.freenode.net <-> irc.freenode.net quits: krzee, lavren, pa, roentgen, kexman, clustermagnet, krzie_, dazo, smk, disco-, (+5 more, use /NETSPLIT to show all of them)
22:23 -!- Netsplit over, joins: demoncyber_, roentgen
22:23 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
22:23 -!- Netsplit over, joins: brutuz, dazo, lavren, krzie_, dvl, blaxthos, clustermagnet, worch, disco-
22:24 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
22:24 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
22:24 -!- smk [n=scott@cobra.httpd.org] has joined ##openvpn
22:39 -!- vanchuck [n=dave@S0106001c2512a7bc.vn.shawcable.net] has left ##openvpn []
23:23 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
23:44 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
--- Day changed Fri Feb 27 2009
00:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:03 -!- c64zottel [n=hans@p5B17B248.dip0.t-ipconnect.de] has joined ##openvpn
01:26 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has left ##openvpn []
01:26 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
01:27 < lavren> what's with openssl crypto headers not found ? what package do I need? I have ssl
01:32 < krzee> you have openssl?
01:33 < lavren> yes
01:33 < lavren> hmm and I have the crypto shared libs, but I'm not actually seeing the headers
01:34 < lavren> wonder what package I need, don't see any that might match
01:34 < krzee> what os?
01:34 < lavren> debian linux
01:34 < lavren> I have openvpn set up on gentoo and ubuntu ok, but I need to get it on this machine, shouldn't be a problem
01:34 < lavren> I just am stuck here atm
01:38 < lavren> hmm I think I see a package that will work, ssl lib
01:38 < lavren> dev stuff
01:38 < lavren> devlib
01:39 < lavren> that did it
01:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:40 < lavren> any openvpn developers in here?
01:40 < krzee> nope
01:40 < krzee> we're just helpers
01:40 < lavren> ah.. too bad.
01:40 < lavren> well its good you guys are right
01:40 < lavren> me and a friend got a site-to-site going recently
01:41 < lavren> but I'm moving my VPN router to this server, almost set up
01:41 < lavren> 2 mins from now hopefully it will be running
01:42 < krzee> ive never done a ptp setup
01:42 < krzee> i always use server
01:42 < krzee> but thats just cause of my needs
01:42 < krzee> thats something i really like bout openvpn, it fits many diff needs
01:44 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
01:44 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
01:44 < Perun> hi all
01:45 < Perun> do I need to use certificates if I want to use bridge mode with openvpn?
01:46 < dazo> Perun: You don't need to, you can use static keys ... but I recommend you to use both certs and static keys, for highest security
01:51 < dazo> Perun: of course you can skip everything which is related to keys too, but then you probably don't need VPN, as all traffic will go unencrypted between the openvpn nodes
01:55 < krzee> Perun,
01:55 < krzee> first, why do you want bridge mode?
01:56 < krzee> !tunortap
01:56 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
01:56 < krzee> dazo, certs are only for auth, not for the encryption itself
01:56 < dazo> krzee: that's very right
01:57 < dazo> krzee: I was unclear about that
01:57 < krzee> one can choose to use PAM or something of that sort for auth if they choose, but keeping certs in the mix is still recommended for security
01:57 < krzee> !factoids search auth
01:57 < vpnHelper> krzee: 'tls-auth' and 'authpass'
01:57 < Perun> krzee: dont want to use routes
01:57 < krzee> !authpass
01:57 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
01:57 < krzee> Perun, why?
01:57 < krzee> bridging is harder than routing, if thats what you're thinking...
01:57 < Perun> krzee: it's simpler to configure :) and my hosts behind the one endpoint should 'see' the road warrior
01:58 < krzee> no, its not
01:58 < Perun> and want to use dhcp
01:58 < krzee> and for "see"
01:58 < krzee> !route
01:58 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
01:58 < krzee> its less simple to configure
01:58 < krzee> and pushing the servers lan to the client is SIMPLE
01:58 < krzee> its just a push route
01:58 < krzee> a single line entry in the server config
01:58 < dazo> The "advantage" I see with bridging, is that it can look like the VPN client is physically located on the local network
01:59 < krzee> thats a disadvantage
01:59 < krzee> cause then you are open to layer2 attacks
01:59 < Perun> krzee: hmm and on each host in lan I need a special route for the tunnel or not?
01:59 * krzee arp poisons you over the bridge
01:59 < krzee> negative
01:59 < krzee> you add the route to the router
01:59 < dazo> krzee: yeah, if you consider the traffic, I agree
02:00 < krzee> the only advantage to bridging is when you need NON smb layer2 traffic
02:00 < Perun> krzee: the endpoint of tunnel isnt the default gw
02:00 < krzee> Perun, which is why i said you add the route to the router
02:00 < krzee> aka add the route to the default gateway
02:00 < Perun> aa
02:01 < Perun> and what about ip? I cant use a lan ip on my roadwarrior
02:01 < krzee> it would be a VPN lan ip, separate lan from the servers lan, but able to communicate just fine
02:01 < krzee> common is to use 10.8.0.x
02:02 < krzee> as to never have a conflict in addressing
02:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:44 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
02:44 < Roman123> #openwrt
02:44 < Roman123> oops
03:00 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 60 (Operation timed out)]
03:15 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
03:28 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has joined ##openvpn
03:34 < MgGuGu> how do I check the iptables rules applied for the VPN connection between each client ??
03:34 < MgGuGu> i want to know which ports are opened up between clients
03:38 < dazo> MgGuGu: iptables only configures the firewalling .... you cannot see which clients are connected or not or how
03:38 < dazo> MgGuGu: to do that, you probably need to look at the connection tracking in Linux
03:39 < dazo> MgGuGu: cat /proc/net/ip_conntrack
03:40 < dazo> dazo: but if you do not use connection tracking, I doubt you'll see much here
03:41 < dazo> MgGuGu: but to dump your iptables config .... use iptables -vxnL ... that'll list out all your entries
03:42 < MgGuGu> ok
03:42 < MgGuGu> thx
03:42 < MgGuGu> i'll try now
03:44 < MgGuGu> erm .. this is my iptables output
03:44 < MgGuGu> http://pastebin.com/d2bf4af15
03:44 < MgGuGu> it seems everything from br0 tap0 tun0 are accepted
03:44 < MgGuGu> and forwarded
03:46 < dazo> MgGuGu: technically speaking ... you do not have any firewalling ... this is completely open, in all kind of ways, how I see it
03:46 < MgGuGu> ya ..
03:46 < MgGuGu> i have been using it .
03:46 < MgGuGu> for cross-home file transfer
03:46 < MgGuGu> private web server browsing
03:46 < MgGuGu> now my friends wanna play DoTa on it
03:47 < dazo> well, there's not one single DROP or REJECT rule here ... and default policy is ACCEPT ... this is not firewalling at all, it lets the traffic through, even if you flush all your rules in the filter table
03:47 < MgGuGu> it seems that they can't see the game created on one VPN client from another VPN client
03:47 < dazo> MgGuGu: I'm guessing you have a routing issue instead
03:47 -!- lkthomas [n=lkthomas@218.189.198.146] has quit ["Leaving"]
03:48 < MgGuGu> dazo: such as ?
03:49 < dazo> MgGuGu: such as routing not working, perhaps? ... have you tried to ping from the VPN clients towards your game server?
03:49 < MgGuGu> ya
03:50 < MgGuGu> the way they setup game is
03:50 < dazo> MgGuGu: which protocol does the game server use?
03:50 < MgGuGu> someone host n everyone else joins
03:50 < dazo> MgGuGu: TCP/IP?
03:50 < MgGuGu> ya
03:50 < MgGuGu> erm .. what else can it use ?
03:50 < MgGuGu> i'm not sure
03:51 < dazo> MgGuGu: well, I haven't had time for network games at all (unfortunately) for a decade or so .... but back then you also had games using the IPX protocol ... but actually when I think about it now, I'd guess 99.9999% of the net-games today use TCP/IP
03:52 < MgGuGu> ya
03:52 < MgGuGu> i just checked
03:52 < MgGuGu> TCP 6112
03:52 < dazo> that's proof enough
03:52 < MgGuGu> UDP 6112
03:52 < MgGuGu> ya
03:52 < MgGuGu> hmm
03:53 < MgGuGu> this sounds seriously strange for it
03:53 < MgGuGu> coz it works for everything else
03:53 < MgGuGu> haha
03:53 < MgGuGu> this is 1st time trying to play a game over vpn
03:53 < dazo> MgGuGu: you'll probably need to do some checking with tcpdump on your VPN server ... tcpdump will dump the network traffic on the given network interface (incl. tun/tap devices) ... and then you can see if you get traffic in and/or out from your game client
03:55 < MgGuGu> this is my client conf -> http://pastebin.com/m2c8c778e
03:55 < MgGuGu> just for ref
03:55 < MgGuGu> server conf -> http://pastebin.com/m16ef3465
03:55 < MgGuGu> ok
03:55 < MgGuGu> i'll try
03:56 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
03:58 < dazo> MgGuGu: you do not push any routes from the server, nor do you configure any routes on the client .... I'd recommend setting up a 'push "route x.x.x.x n.n.n.n"' in your server config
03:59 < MgGuGu> so it'll be like ?
03:59 < dazo> MgGuGu: where x.x.x.x and n.n.n.n are the IP address and netmask of the network where your game server is
03:59 < MgGuGu> oh ..
03:59 < MgGuGu> so .. now my vpn server has a public IP ..
04:00 < MgGuGu> and i have 3 remote locations
04:00 < MgGuGu> my home n friends home
04:00 < dazo> MgGuGu: if your internal network interface is configured with 192.168.0.50/255.255.255.0 .... it should say: push "route 192.168.0.50 255.255.255.0"
04:00 < MgGuGu> oh ..
04:00 < MgGuGu> so i now configured
04:00 < MgGuGu> tap0 with 192.168.8.131
04:00 < MgGuGu> so
04:00 < MgGuGu> it'll look sth like
04:01 < MgGuGu> push "route 192.168.8.0 255.255.255.0"
04:01 < dazo> MgGuGu: aha ... if your server only has one public IP ... why do you need to send the game traffic over VPN?
04:01 < MgGuGu> oops
04:01 < MgGuGu> wat do u mean by that ?
04:01 < MgGuGu> i have a web server running on that machine
04:02 < dazo> MgGuGu: you should not change the route of the IP addresses for tun/tap devices, openvpn takes care of those routes for you
04:02 < dazo> MgGuGu: ahh, I see
04:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:03 < dazo> MgGuGu: well, then you'll need to setup something a little bit more tricky ... since you do not have a private network behind your openvpn server ... you'll most probably need to redirect all internet traffic from your vpn client via your openvpn server
04:03 < dazo> MgGuGu: actually ..... that won't work even
04:03 < MgGuGu> i'm not sure
04:03 < MgGuGu> ok .
04:03 < MgGuGu> my server has
04:04 < MgGuGu> is a multi-homed server
04:04 < MgGuGu> one public
04:04 < MgGuGu> one private
04:04 < MgGuGu> private connects to all db servers n stuff
04:04 < dazo> MgGuGu: okey ... and the public and private have different IP addresses, I presume? And the private one does *not* have a public IP address?
04:04 < MgGuGu> eth0 (67.xx.xx.xx) and eth1 (192.168.8.4)
04:04 < MgGuGu> yup
04:05 < dazo> MgGuGu: perfect!
04:05 < MgGuGu> :)
04:05 < MgGuGu> so
04:05 < MgGuGu> i have a bridge over the ethernet
04:05 < dazo> MgGuGu: okey, then you can go back to push route :)
04:05 < MgGuGu> oh ..
04:05 < MgGuGu> ok
04:05 < dazo> MgGuGu: you can then do it like this: push route 192.168.8.4 255.255.255.255
04:06 < dazo> MgGuGu: I presume your game server is located on that IP address
04:07 < MgGuGu> oh.
04:07 < MgGuGu> a little bit of misunderstanding here i think
04:07 < MgGuGu> coz there's no particular game server
04:07 < MgGuGu> the game is in
04:07 < MgGuGu> ad hoc style
04:07 < MgGuGu> someone on the network setup
04:08 < MgGuGu> then i think it'll broadcast itself
04:08 < MgGuGu> lookin for other ppl to join
04:08 < MgGuGu> so now .. in my view .. the vpn server have to route that broadcast over to other vpn clients
04:08 < dazo> MgGuGu: aha ... that changes a lot more
04:09 < MgGuGu> hehe . this is getting interesting
04:09 < MgGuGu> :D
04:09 < dazo> MgGuGu: I've never done anything like that, as the broadcasting can be a bit complex sometimes ... and I'm not experienced at all with broadcast routing
04:10 < MgGuGu> eekz ...
04:10 < MgGuGu> any lead for me to read thru ??
04:10 < dazo> MgGuGu: maybe some others on this channel have done this and can help you out better
04:10 < MgGuGu> ya .. hopefully
04:10 < dazo> MgGuGu: Not afaik ... try googling for broadcast and routing
04:11 < dazo> dazo: something in me screams out multi-cast routing as well .... but I'm not sure if that's a blind lead or not
04:11 < MgGuGu> i c
04:11 < MgGuGu> i'm not sure of the game itself
04:12 < MgGuGu> but i'm just making a guess out of myself
04:12 < MgGuGu> that's how they play this game .. someone setup a game server then everyone else on the same subnet sees it .. so i ended up concluding that this server-client discovery have sth to do with broadcasting
04:12 < MgGuGu> :D
04:14 < dazo> MgGuGu: surely .... because scanning for IP's in a big subnet is not efficient, broadcast is the way
04:14 < MgGuGu> ya
04:15 < dazo> MgGuGu: what you could do .... is to setup all your gamers with openvpn ... and use client-to-client directive in the config .... most probably you'll need to configure it as tap and not tun ... that'll give you a complete virtual network between all parties, completely independent of other networks, as it would be controlled inside the openvpn server
04:16 < MgGuGu> let me see
04:16 < dazo> MgGuGu: but I'm sure there are better solutions as well ... as tap VPN has more traffic overhead and will be somewhat slower than tun VPNs
04:17 < dazo> !tunortap
04:17 < vpnHelper> dazo: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
04:18 < MgGuGu> hmm
04:18 < MgGuGu> i've actually config with
04:18 < MgGuGu> tap and client-to-client
04:18 < MgGuGu> :D
04:18 < dazo> MgGuGu: then you're closer
04:19 < MgGuGu> ya
04:19 < MgGuGu> but still a problem
04:19 < MgGuGu> damn .. i'm a bit lost
04:19 < MgGuGu> haha
04:19 < MgGuGu> :D
04:19 < dazo> MgGuGu: the reason I believe you'd need tap ... is that then you can setup the tap0 interface on the VPN server to use 10.8.0.0 netmask 255.255.255.0 .... which would be almost like a "normal" local network
04:19 < MgGuGu> yup
04:20 < MgGuGu> i got mac machines n XPs all across 3 locations
04:20 < MgGuGu> n they can use NetBIOS
04:20 < MgGuGu> file transfer
04:21 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
04:33 < MgGuGu> how many tapX interface ??
04:34 < MgGuGu> *do i need
04:34 < MgGuGu> do I need as many tapX interfaces as the number of remote clients i'm expecting ??
04:34 < dazo> MgGuGu: nope, you'll only need one ... and a big enough subnet on it
04:35 < dazo> MgGuGu: you'll also need ifconfig-pool (iirc) ... which will be the IP address pool each client gets an IP address from by the openvpn server
04:36 < MgGuGu> i c
04:41 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Remote closed the connection]
04:44 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
05:01 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
05:15 -!- zamba [i=marius@sveigde.hih.no] has joined ##openvpn
05:23 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
05:24 < Perun> re
05:24 < Perun> I still have problems with the routes
05:25 < Perun> I use these ip's for the vpn ends: 10.0.0.1 and 10.0.0.2
05:25 < Perun> have added a route on my router for network 10.0.0.0/24 with gw ip of the vpn endpoint
05:26 < Perun> and it does not work, I can ping on both sides the ends of the vpn tunnel but I cant ping into the lan, or from the lan to the roadwarrior
05:29 < zamba> i'm trying to set up a vpn connection to be able to reach a remote subnet
05:29 < zamba> point is that the subnet isn't a private one
05:30 < zamba> meaning 192.168.x.x or 10.x.x.x
05:30 < zamba> should this make any difference?
05:30 < Roman123> Perun: Do you use the tun or the tap mode?
05:32 < Perun> Roman123: tun
05:33 < Roman123> Perun: to be clear, 10.0.0.1
05:33 < Perun> Roman123: ?
05:33 < Roman123> 10.0.0.x is your openvpn subnet for the clients?
05:33 < Perun> yep
05:33 < Roman123> and what's the lan behind the openvpn subnet?
05:33 < Perun> 192.168.50.0
05:34 < Roman123> and you added which route?
05:34 < Roman123> how does the command look?
05:34 < Perun> Roman123: dev tun
05:34 < Perun> ifconfig 10.0.0.1 10.0.0.2 (<- the tunneled IP addresses of alpha and beta)
05:34 < Perun> secret meinname-key.txt
05:34 < Perun> argh lol
05:34 < Perun> Roman123: 10.0.0.0/24 via 192.168.50.60 dev br-lan
05:34 < Roman123> I can understand german
05:35 < Roman123> np
05:35 < Perun> 192.168.50.60 is the host with the tun interface and one end point of the tunnel
05:37 < Perun> the route is on my default gw/router
05:37 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
05:38 < Roman123> well, I'm not an expert but here something like > list push "route 192.168.1.0 255.255.255.0" < always worked in the config file of my server
05:39 < Roman123> Perun: are you running linux?
05:39 < Perun> yep
05:39 < Perun> on both sides
05:41 < Roman123> Perun: maybe try a modified version (change the ip-address according to your needs) of this command in your openvpn configuration file, restart server and client.
05:41 -!- TimotiSt [n=Timoti@dsl91EC7EAF.pool.t-online.hu] has joined ##openvpn
05:41 < TimotiSt> hi
05:41 < Roman123> otherwise I have no idea why it should not work
05:43 < TimotiSt> after looking at the source i'm not sure, but does the linux tun/tap driver support .1q vlan in tap mode?
05:44 < Roman123> I'm also suffering from routing problems. Sometimes I get "From 192.168.51.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.50.1)" messages.
06:00 -!- sentronbarby [n=Alex@84.114.180.116] has joined ##openvpn
06:00 < sentronbarby> Hello
06:09 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn
06:09 < sunta> hi
06:14 < sunta> im new to openvpn, trying to connect vista to openvpn@ubuntu.8.10 using 2.1rc15
06:14 < Roman123> Perun: still there?
06:14 < sunta> initialisation sequence completes but I cannot ping back or forth. the error that occurs:
06:15 < Perun> Roman123: yep
06:15 < sunta> MULTI: bad source address from client [10.8.0.6], packet dropped
06:15 < Roman123> Perun: Since you speak german take a look at http://wiki.openvpn.eu/index.php/Hauptseite
06:15 < vpnHelper> Title: Hauptseite - OpenVPN Wiki (at wiki.openvpn.eu)
06:15 < Roman123> Perun: Do you know this site?
06:15 < Roman123> Perun: They offer some very nice step-by-step tutorials.
06:15 < Perun> Roman123: partially
06:16 < Roman123> Perun: but the config files are international :)
06:17 < MgGuGu> anyone tried to play Dota over ethernet bridge ??
06:17 < MgGuGu> thx
06:17 < sunta> Roman123, thx for the openvpn.eu hint;)
06:18 < Roman123> MgGuGu: What or who is Dota?
06:18 -!- sentronbarby [n=Alex@84.114.180.116] has quit ["Verlassend"]
06:18 < Roman123> sunta: np
06:18 < MgGuGu> Warcraft
06:18 < Roman123> aha
06:18 < MgGuGu> network game i'd say
06:18 < MgGuGu> actually i've been talkin wif dazo
06:18 < MgGuGu> a while back
06:18 < MgGuGu> we drilled down that
06:18 < Roman123> nope, I haven't played a game for more than 10 years now
06:19 < MgGuGu> the broadcast msg from the game clients aren't reaching each other
06:19 < Roman123> MgGuGu: MS Windows is the best real-time-adventure :-P
06:19 < MgGuGu> even though all VPN clients across 3 locations are on the same subnet, ping each other
06:19 < MgGuGu> omg
06:19 < MgGuGu> true!
06:19 < MgGuGu> :D
06:23 < sunta> MULTI: bad source address from client [10.8.0.6], packet dropped
06:23 < sunta> i dont get it
06:25 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn
06:25 < nachox> guys, what kind of plugin line should i use when i want to use radius to authenticate my users?
06:29 < sunta> any hint on this:? WARNING: learn-address command failed: could not execute external program
06:31 < dazo> sunta: look carefully at your config file, you're probably using --learn-address option ... and whatever that is, might not be executable
06:31 < sunta> thx dazo will check that
06:31 < sunta> indeed
06:33 < sunta> omfg. now ping comes back
06:33 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Remote closed the connection]
06:34 < dazo> nachox: look for which plugins you have available in the source tree in the plugins/ directory ... it should give you a quick hint, I'd believe .... or else google will be your friend
06:34 < nachox> apparently i have to use pam to do this
06:35 < sunta> cant you wrap PAM to use radius?
06:35 < nachox> but i dont know if the pam library for openvpn is working properly, i cannot use likewise to authenticate my vpn users, but likewise users can login to the linux box through ssh
06:35 < dazo> nachox: I thought there was also a separate radius plug-in too ... I probably remember wrong and it might have been a 3rd party plug-in
06:36 < nachox> *likewise is a tool to get AD and unix auth integration btw
06:36 -!- TimotiSt [n=Timoti@dsl91EC7EAF.pool.t-online.hu] has quit [Remote closed the connection]
06:38 < dazo> nachox: You might need to go in and adapt /etc/pam.d/ files ... not sure if openvpn uses its own pam config here or not
06:38 < nachox> it is using login which is the same the login program uses
06:38 < dazo> nachox: then it's strange if it works with ssh but not openvpn
06:39 < nachox> it is, i agree
06:44 < Perun> how can I set the routes automatically for a roadwarrior?
06:44 < dazo> Perun: on the server: push route
06:44 < Perun> aha
06:45 < dazo> Perun: if different for each roadwarrior, you can also use this via ccd
06:45 < Perun> no, it's always the same
06:46 < dazo> then a global push will be your friend :)
06:47 < MgGuGu> i've tcpdump'd on both of the client's interfaces
06:47 < MgGuGu> physical en1
06:47 < MgGuGu> and virtual tap0
06:48 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:48 < MgGuGu> it seems that the game is not broadcasting on tap0
06:48 < MgGuGu> there's no broadcast on tap0 while there're packets captured on en1
06:48 < dazo> MgGuGu: then you're missing a route, I'd say
06:48 < MgGuGu> oh
06:49 < Perun> dazo: hmm doesnt work
06:49 < MgGuGu> how can i configure that ?
06:49 < Perun> dazo: have this in my server conf: push "route 10.8.0.0 255.255.255.0"
06:49 < dazo> MgGuGu: or .... do you configure in the game somehow which interface to use?
06:50 < dazo> (or IP address?)
06:50 < MgGuGu> i have absolutely no idea how to config the game
06:50 < MgGuGu> hehe
06:50 < Perun> dazo: urgs I mean: push "route 192.168.50.0 255.255.255.0"
06:50 < dazo> Perun: then I'd pay close attention to the log from the client .... using verb 3, probably, maybe verb 4 .... to see if it receives it or not
06:50 < Perun> dazo: ok
06:51 < dazo> MgGuGu: you most probably need to figure that out ... because it could be that it defaults to the local physical interface, but it should use your virtual interface and/or IP address of that virtual interface (tap dev)
06:51 < MgGuGu> ya
06:51 < MgGuGu> tat shld b it
06:52 < Perun> dazo: hmm dont see it: http://paste.debian.net/29365/
06:52 < ecrist> good morning fuckers
06:52 < dazo> ecrist: morning sucker
06:52 < dazo> Perun: increase log level (--verb)
06:52 < Perun> ok
06:57 < Perun> dazo: pull=DISABLED is this the problem?
06:57 < dazo> Perun: yeah, that's most likely the reason
06:57 < Perun> dazo: this is my conf: http://paste.debian.net/29366/
06:58 < Perun> but I get now (after adding 'client') : Options error: specify only one of --tls-server, --tls-client, or --secret
07:00 < dazo> Perun: that's to add authentication and improved encryption on the tunnel ... at minimum, consider --secret .... which is quick'n'easy to setup ... ideally, use certificates in addition to --secret
07:00 < Perun> dazo: I have 'secret' in the conf
07:01 < dazo> Perun: ahh ... sorry .... "specify only one of"
07:02 < dazo> Perun: you have tls-server and/or tls-client in addition
07:02 < Perun> dazo: no... I dont want to use tls/ssl now
07:03 < dazo> Perun: When using --tls-server or --tls-client, --tls-auth is used for the static key .... I mixed it up with --secret in this setting
07:03 < Perun> dazo: hmm I dont understand, what do I need to add to the conf?
07:03 < dazo> Perun: then you need to remove everything regarding --tls-{server|client}
07:03 < ecrist> WHY DO PEOPLE USE AN SSL VPN PRODUCT IF THEY DON'T WANT TO USE SSL?
07:03 < dazo> ecrist: good question
07:03 < Perun> ecrist: it comes later, now I will test it
07:04 < sunta> security is for wussies. so are backups
07:04 < Perun> connect with minimal conf, after that I will secure it with tls/ssl
07:04 < ecrist> retarded.
07:04 < ecrist> openvpn isn't that hard to set up.
07:05 < dazo> sunta: I prefer Linus Torvalds' comment to that, regarding backup .... "Backup is for wimps! Real men upload their work to the Internet and let the rest mirror it"
07:05 < sunta> ;)
07:05 < Perun> dazo: I dont have tls options there in my conf...
07:05 < Perun> only secret
07:05 < sunta> ecrist, its tricky when you are inexperienced. i have worked with linux/networks for more than 10 years and dont get along with openVPN too well. thats why im here
07:06 < dazo> Perun: hmmm .... that's strange
07:06 < dazo> Perun: can you post a complete startup log with --verb 4?
07:06 < dazo> s/post/pastebin/
07:06 < Perun> dazo: ok mom
07:07 < ecrist> mom?
07:07 < Perun> dazo: ee there is no log on the client side, I get only this error
07:08 < dazo> ecrist: don't worry, I'm not his mom :-P
07:08 < Perun> ecrist: moment pls
07:08 < Perun> :)
07:08 < dazo> Perun: then I basically don't know how you're getting this .... somewhere you must have something which picks up this
07:09 < dazo> dazo: which version are you using?
07:09 < Perun> :)
07:10 < Perun> dazo: OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
07:10 < Perun> from debian lenny
07:10 < dazo> Perun: hmmm ... could you try to compile 2.1_rc15 and test that one? (you don't have to install it, just compile it and run it from the source tree)
07:13 -!- MgGuGu_ [n=chatzill@cm195.epsilon28.maxonline.com.sg] has joined ##openvpn
07:13 < MgGuGu_> sorry .. connection drop
07:16 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has quit [Read error: 113 (No route to host)]
07:16 -!- MgGuGu_ is now known as MgGuGu
07:18 < Perun> dazo: thats the log without 'client' in conf file: http://paste.debian.net/29367/
07:21 < dazo> Perun: and your --secret is placed in '/etc/openvpn/leviathan.txt' ?
07:22 < Perun> dazo: yep
07:22 -!- alien8 [n=alien@indigo.alien8.org] has joined ##openvpn
07:23 < dazo> Perun: have you changed your config file now? ... because what I see here in this log does not match too well the config you pastebin'ed
07:23 < dazo> Perun: sorry, I found the port number now .... was looking wrong ... if the key is the only thing which is changed ... I'm pretty much confused
07:24 < Perun> dazo: http://paste.debian.net/29368/ thats the config now
07:24 < alien8> openvpn on a mac, has been fine for weeks using tunnelblick , this morning after a restart : Feb 27 13:22:18 chaos openvpn[311]: Need hold release from management interface, waiting... is all I'm getting. any clues please? :-/
07:26 < Perun> grr I think I use the bridge mode.... no problem with routes etc :/
07:26 < ecrist> Perun: if I may, you're over-complicating your setup by trying to avoid the parts you may find difficult.
07:27 < ecrist> setup of a bridged vpn is far more difficult than a routed vpn
07:27 < dazo> Perun: ecrist has a point
07:27 < dazo> Perun: I've always used --tls ... and I've never seen this error before, but I do get the same issue when trying myself
07:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
07:27 * dazo is using 2.1_rc15 for this test
07:27 < ecrist> alien8: from a terminal, ps auxwww | grep Tunnel
07:28 < ecrist> kill -9 all the PIDs you see as Tunnelblick or openvpn
07:28 < alien8> ok, have been debugging this for hours with full restarts and removed/everything/tried viscosity as well. etc. will try another kill ecrist
07:29 < Perun> is it possible to use secret and bridge mode?
07:29 < Perun> or do I need to use certs?
07:30 < dazo> Perun: I'm guessing you'll hit the same wall with bridged mode as well .... jump into the SSL/TLS world ... it's not that bad ... and there are plenty of certificate tools to help you out
07:31 < Perun> dazo: yep I will do it, but now I want to have a normal working connect before I use other auth etc
07:31 < ecrist> Perun: SSL *is* normal for OpenVPN
07:31 < alien8> ecrist: nuked all the PIDs for tunnelblick, none for openvpn as Feb 27 13:36:24 chaos openvpn[336]: Need hold release from management interface, waiting...
07:31 < alien8> Feb 27 13:36:37 chaos openvpn[336]: Signal received from management interface, exiting - restart tunnelblick - same thing, I bumped up logging to 5 and no clues there.
07:32 < ecrist> alien8: you kill -9?
07:32 < dazo> Perun: I've never tried to setup openvpn without certs ... and it usually works with, very well, I might add
07:32 < Perun> ecrist: but it's more complicated to set up than secret... if I have a working tunnel then I secure it with ssl
07:32 < alien8> yup ecrist
07:32 < dazo> Perun: it's not difficult
07:32 < dazo> Perun: If you want to have it the GUI way .... try TinyCA
07:32 < Perun> aha ok
07:32 < alien8> (I highly recommend certs for openvpn FWIW)
07:32 < dazo> Perun: if you want it the TUI way .... ssl-admin might help you out
07:33 < Perun> TUI?
07:33 < dazo> Perun: and you also have easy-rsa which is packaged together with openvpn ... even though a little bit strange usage
07:33 < dazo> TUI - Text User Interface
07:33 < ecrist> Perun: what OS?
07:33 < dazo> ecrist: Debian
07:33 < ecrist> ick
07:33 < dazo> :-P
07:34 < ecrist> ssl-admin is an option, but on linux, it's beyond his ability to configure ATM
07:34 < dazo> good to know
07:34 * dazo should probably have a close look at it ... "in the near future(tm)" ....
07:34 < Perun> ecrist: debian lenny
07:37 < alien8> ecrist: it's a full cert setup, I've got the certs out of my original tarball again just in case they got corrupted. config file as well.. it's totally bonkers
07:38 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit ["Lost terminal"]
07:39 < alien8> i've removed tunnelblick, the viscosity kexts, rebooted etc etc
07:53 < ecrist> alien8: what version of tunnelblick?
07:53 < alien8> 3.0b10 - also tried viscosity latest version
07:54 < alien8> originally I was thinking that a cert had borked, or password was being asked for
07:55 < ecrist> did you try removing tunnelblick, and ~/Library/openvpn, restarting?
07:55 < alien8> yup
07:55 < ecrist> and you reinstall, add your ca, client cert/key, config, and what error do you get?
07:56 < alien8> all starts ok, then Feb 27 13:36:24 chaos openvpn[336]: Need hold release from management interface, waiting...
07:56 < alien8> if i could see what the hold was for that might help :-/
07:57 < ecrist> http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
07:57 < vpnHelper> Title: Management Interface (at openvpn.net)
07:57 < ecrist> search for
07:57 < ecrist> -- hold
08:00 < sunta> the management is always the problem
08:01 < alien8> uh oh: The hold flag setting is persistent and will not be reset by restarts.
08:01 < alien8> um
08:01 < ecrist> alien8: tunnelblick sets the mgmt interface to port 1337 on 127.0.0.1
08:02 < alien8> so i can nc to that port, and tell it to 'hold off' ?
08:02 < ecrist> hold release
08:10 -!- TimotiSt [n=Timoti@mail.telequest.hu] has joined ##openvpn
08:18 < alien8> right that worked ecrist
08:18 < alien8> seems like 1 error at any time will lock that hold up and you're screwed till you release it
08:18 < alien8> thanks++
08:19 < alien8> only then will you actually see the reason for the lock
08:19 < ecrist> glad I could help
08:20 -!- arzen1013 [n=Administ@119.123.227.197] has joined ##openvpn
08:23 -!- lkthomas_ [n=lkthomas@203.145.92.95] has joined ##openvpn
08:23 < lkthomas_> Sup all
08:24 -!- lkthomas_ [n=lkthomas@203.145.92.95] has quit [Client Quit]
08:27 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 60 (Operation timed out)]
08:27 -!- mikkel_ [n=mikkel@84.238.113.66] has joined ##openvpn
08:28 < arzen1013> Hi all, I have two sub networks, one is 10.88.1.xxx , and 10.99.1.xxx, I want to connect those two sub networks through openvpn, how to do it ?
08:30 < arzen1013> I installed openvpn server in 10.88.1.xx, and added : route 10.99.1.0 255.255.255.0 , but I still can't access 10.99.1.xxx from 10.88.1.xxx, why ?
08:30 < ecrist> arzen1013: read this:
08:30 < ecrist> !route
08:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
08:32 < arzen1013> ecrist: so, how to ?
08:32 < ecrist> arzen1013: did you read that link? 08:33 < dazo> obviously not 08:42 < arzen1013> ecrist: I add : push "route 10.99.1.0 255.255.255.0", and client-config-dir ccd & client-to-client, but still can't access 10.99.1.xxx from 10.88.1.xxx 08:44 < ecrist> arzen1013: did you read that link? 08:44 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn 08:44 < Perun> re 08:44 < Perun> bridge does work... with tls :) 08:44 < arzen1013> dazo: I don't want access 10.88.1.xxx from 10.99.1.xxx, just only want to access 10.99.1.xxx from 10.88.1.xxx 08:44 < Perun> how can I start a script before the server starts? are there any options for it in server conf? 08:45 < ecrist> Perun: there are options. see the man page 08:45 < ecrist> !man 08:45 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 08:45 < Perun> aha 08:45 < ecrist> arzen1013: did you read that link? 08:46 < arzen1013> ecrist: yes, I read it, but still understand, could you obviously tech me ? 08:47 < ecrist> that link explains *exactly* how to do what you want. 08:47 < ecrist> no, I won't teach you, but I'll point you to the documentation 08:47 < arzen1013> I use : dev tun , mode 08:49 < Perun> ecrist: should I start the bridge build script with --up? 08:49 < ecrist> yes, that's what I'd recommend. 08:49 < ecrist> I'm out for now. good luck.k 08:49 < Perun> ecrist: thx 08:50 < arzen1013> ok, by ecrist: 08:51 < arzen1013> *bye :) 09:06 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has quit [Remote closed the connection] 09:14 < TimotiSt> after reading the tun.c source i'm still not sure: does a tap device (linux) support .1q vlans? 
09:15 < dazo> TimotiSt: probably not 09:16 < sunta> damn my mouse is broken 09:17 -!- arzen10131 [n=Administ@119.123.226.126] has joined ##openvpn 09:22 -!- arzen10131 [n=Administ@119.123.226.126] has left ##openvpn [] 09:28 -!- sunta [n=cw@achilles.raytion.com] has quit ["Verlassend"] 09:29 < krzee> Perun, why are you still using bridge? 09:29 < krzee> i thought we figured out you didnt need bridge 09:30 < krzee> and i thought i explained that if you didnt need bridge, you shouldnt use it 09:31 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn 09:31 < sunta> re 09:32 < krzee> fixed the rat? 09:32 < Perun> krzee: route doesnt worked here... with bridge no problems 09:33 < krzee> lol 09:34 < krzee> so its routings fault and not yours? 09:34 < Perun> it worked sometimes only, dont know why 09:34 < krzee> why exactly doesnt it work? 09:35 -!- arzen1013 [n=Administ@119.123.227.197] has quit [Read error: 110 (Connection timed out)] 09:35 < krzee> !bridge 09:35 < Perun> krzee: has had a route on router, and route on roadwarrior, I could ping roadwarrior from lan but not lan hosts from roadwarrior 09:35 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 09:35 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses. 09:35 < krzee> #3 09:35 * dazo wonders why people struggle so much with routing .... it's like riding a bike 09:35 < krzee> seriously dazo 09:36 < sunta> !tun 09:36 < vpnHelper> sunta: Error: "tun" is not a valid command. 
09:36 < krzee> then they do the harder, more overhead, less secure method because they dont wanna learn
09:36 < Perun> it works now with bridge + tls
09:36 < dazo> exactly
09:36 < Perun> thats enough for me
09:36 < krzee> sunta, whatchya lookin for?
09:36 < krzee> Perun, cool
09:36 < dazo> that's a Microsoft attitude .... hey, IE6 seems to render something, works for us, let's ship it!
09:36 < krzee> hahahah
09:36 < krzee> no kidding
09:36 < Perun> krzee: for a home server secure enough IMHO
09:37 < krzee> definitely MS attitude
09:37 < krzee> LOL
09:37 < sunta> I have tun setup, can ping server from dialupwarrior. but cannot access anything behind the server (lan)
09:37 < krzee> sunta,
09:37 < krzee> !route
09:37 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:37 < krzee> i made a writeup just for that
09:38 < sunta> really? I just read it
09:38 < dazo> krzee: can you make vpnHelper even more clever ... when it sees a line with .... "cannot access" and ping in the same sentence, just return !route?
09:38 < krzee> read it ALL without skimming, ask if you have problems after that
09:38 < sunta> the client is dialup. that doesnt seem to be covered in that guide
09:38 < sunta> ok
09:38 < Perun> krzee: I know I know... but bridge brings smaller administration overhead here... same lan etc
09:38 < krzee> dazo, its a supybot, if you code python you can
09:39 < Perun> krzee: and as I say, its for a home server
09:39 < krzee> its using the factoid plugin for the !commands
09:39 < dazo> sunta: it is covered, indirectly .... just replace one of the nodes on the drawing and text with your roadwarrior, and you basically have it
09:39 < krzee> Perun, *shrug* you're done anyways so if i dont need to help you with it its out of my realm of importance, so to speak
09:40 < krzee> heheh
09:40 < sunta> will try my very best;)
09:40 < dazo> sunta: you most probably then just don't need to think about --iroute ... that's the different
09:40 < dazo> s/different/difference
09:40 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)]
09:40 < krzee> sunta, the lan is behind the server?
09:40 < sunta> yes krzee
09:40 < krzee> all you need is a push route
09:40 < krzee> whats the servers lan?
09:41 < sunta> 172.16.0.0
09:41 < sunta> push "route 172.16.0.0 255.255.0.0
09:41 < sunta> i have
09:41 < krzee> in my drawing the server is on 192.168.2.0, all youd hafta do is replace that with your lan everywhere, which is 1 place only
09:41 < dazo> krzee: I'll have a look ... python is familiar, just have never tried to do any bot things with it yet
09:41 < sunta> server 10.8.0.0 255.255.255.0 i have too
09:41 < krzee> your lan is a /16?
09:41 < sunta> yes
09:41 < krzee> why?
09:42 < krzee> you have over 254 machines at your lan and no segmenting?
09:42 < sunta> I took over this lan some time ago from some slacker
09:42 < Perun> krzee: although big thanks for your help
09:43 < sunta> whats the problem with 172.16/16
09:43 < krzee> np
09:43 < krzee> sunta, ive witnessed openvpn get confused on /16 networks iirc
09:44 < krzee> but it shouldnt, so lets try it anyways
09:44 < krzee> you said:
09:44 < krzee> [10:48] push "route 172.16.0.0 255.255.0.0
09:44 < krzee> you have a " after that, right
09:44 < krzee> ?
09:44 < sunta> yes sorry
09:44 < krzee> ok
09:45 < krzee> is the server on the default gateway for its lan?
09:46 < sunta> not all but good point. will try to ping a machine that has the openvpn server as default gw
09:46 < krzee> huh?
09:46 < krzee> differing default gateways on same lan?
09:46 < sunta> tried to ping a machine with a different gw
09:46 < krzee> why dont you just segment then!?
09:47 < krzee> sounds 1/2 way done
09:47 < sunta> not really.
09:47 < krzee> oh wait, thats not openvpn related ill leave you to that stuff on your own
09:47 < sunta> sure;)
09:47 < krzee> read "ROUTES TO ADD OUTSIDE OF OPENVPN" under the drawing in my routing writeup
09:48 < krzee> which i assume you still have open cause you been reading over it so thorough ;]
09:49 < krzee> hey dazo, i just noticed your spoof, you part of the redhat team?
09:49 < dazo> krzee: my spoof?
09:49 < krzee> hostname
09:49 < dazo> krzee: ahh ... yeah, I am
09:49 < krzee> right on =]
09:50 < krzee> we should rpm up ecrist's ssl-admin!
09:50 < dazo> krzee: normally working on Red Hat Enterprise MRG products, mainly Messaging and Real-Time Kernel ... doing QA
09:50 -!- TimotiSt [n=Timoti@mail.telequest.hu] has left ##openvpn ["Konversation terminated!"]
09:50 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
09:50 < dazo> krzee: I'm not against .... I've been thinking I should spend some spare time making it run smoothly on Linux
09:51 < krzee> it runs diff on lin than bsd?
09:51 < krzee> i figured its only install where there is a diff
09:51 < krzee> its just a perl script
09:51 < dazo> krzee: last time I tried it ... it was a little bit ugly to get working ....
09:51 < dazo> krzee: yeah, I know ... it did not fly immediately out of the box, sort of
09:52 < krzee> i modded the Makefile and added a configure to make it run on lin right, but it was UGLY
09:52 < krzee> cause im totally not a coder
09:52 < krzee> and im a bsd guy so i could only test on gentoo and ubuntu
09:52 < dazo> krzee: aha ... I think this was before the time of the configure script .... but I can have a look and fix it up for you :)
09:52 < krzee> only linuxes i could get access to
09:52 < krzee> ahh
09:53 < krzee> ya it shouldnt even need configure, i just couldnt make a proper Makefile, lol
09:53 < krzee> i shell script well, so i used configure to fix the Makefile
09:53 < krzee> uglyhax
09:53 < dazo> krzee: heh ... I see ... I'll try to poke around with it next week or so, a bit hectic nowadays with deadlines approaching for new release packages
09:54 < krzee> right on, wait til deadlines are over, this is no biggie
09:54 < dazo> krzee: goodie :)
09:54 < krzee> ;]
09:54 < dazo> krzee: then I might even be able to write you a .spec file for rpmbuild as well ... and might even try to test the gentoo ebuild file as well :)
09:55 < krzee> ahh sweet
09:55 < krzee> did the ebuild ever get submitted?
09:55 < dazo> krzee: I've only heard rumours about it .... but no smoke afaik
09:55 < krzee> i talked to some guy and got the ball rolling, never heard anything past that
09:55 < dazo> krzee: yeah, that's the lead I was thinking about following
09:56 < krzee> i think my Makefile turned them off
09:56 < krzee> haha
09:56 < dazo> hehe
09:56 < krzee> (its ugly)
09:56 < krzee> (in case i hadnt mentioned that)
09:56 < dazo> krzee: I know .... I looked at it .... and thought: "If this is the BSD way, I'm not gonna touch BSD" :-P
09:56 < krzee> hahahaha
09:57 < krzee> no its the 'i dont code' way
09:57 < dazo> it explains a lot :)
09:57 < krzee> seriously, i wrote 1000's of lines of .sh to run my old webhosting company
09:57 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
09:57 < krzee> if i knew real languages that woulda been so much easier
09:58 < dazo> krzee: why not dig into that? .... it's not that hard, is it?
09:58 < krzee> well im a few chapters into the K&R book on C
09:58 < dazo> krzee: oh dear .... jumping straight into _that_ book .... no wonder it takes you time :-P
09:59 < krzee> hahahah
09:59 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
09:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Client Quit]
10:00 < krzee> ya i had to make 24 apps to get through chapter 1
10:03 < dazo> well, I shouldn't speak too loudly .... my very very first C program which I wrote in '98 (which was used in production for 5-6 years) ... it had no functions, no memory pointers and was purely based on on-disk-buffers .... and it was used to parse and split and reorganise input files .... but amazingly enough, we never found a single bug in it, and it was, against all odds, incredibly fast at that time .... processed files with 100k records
10:03 < dazo> within a minute (on dual Pentium2 hardware)
10:04 < krzee> haha right on
10:05 < sunta> thx for your help krzee. basically openvpn should be working. need to clean up this network now to be satisfied
10:06 < krzee> ok so now it works fine?
10:06 < sunta> ping vpnserver works. rest doesnt work but it's routing problems I believe
10:06 < sunta> and its friday evening. I wont go any further today;)
10:07 < krzee> !route
10:07 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
10:07 < krzee> bottom
10:07 < krzee> under the drawing
10:07 < krzee> ahh right on
10:07 < krzee> have a good weekend =]
10:07 < sunta> printed it to read tomorrow.
10:07 < sunta> greets from rainy germany btw...
10:07 < krzee> greetings from peru
10:08 < krzee> sunny peru ;]
10:08 < sunta> wow cool.
no kiddin I love peru;) noticed when I met that girl in venezuela
10:08 < sunta> yelixa, nice name hehe
10:08 < krzee> ya im loving it here too, im definitely coming back
10:13 < krzee> got myself a Brazilian model named amanda on my first night
10:13 < krzee> (but keeping her the whole time, not just that night)
10:17 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has joined ##openvpn
10:18 < DarKnesS_WolF> i have a question: if the server got restarted, how long will it take for the clients to connect back to the server? or do i have to restart the service on the client also?
10:19 < sunta> should be automatic as far as I understand
10:19 < DarKnesS_WolF> sunta: the server restarted like 10 mins ago and still can't reach the clients
10:20 -!- _Pete_ [n=petriai@e82-103-218-67.elisa-laajakaista.fi] has joined ##openvpn
10:20 < _Pete_> hello
10:20 < _Pete_> I have problems using openvpn with a firewall
10:20 < dazo> DarKnesS_WolF: I believe it depends on the keepalive settings on the clients
10:20 < sunta> I just made a restart of the server and the client needed like seconds to reconnect
10:21 < _Pete_> I opened port 1194 in the openvpn server firewall
10:21 < _Pete_> but still the vpn connection doesnt work
10:21 < _Pete_> without firewall it works (at least ping)
10:22 < _Pete_> !configs
10:22 < vpnHelper> _Pete_: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:22 < dazo> _Pete_: you probably forgot to open up the tun/tap interface in the FORWARD chain
10:23 < _Pete_> one thing is that I am using firestarter to config/use the firewall
10:23 < _Pete_> on the server
10:23 < _Pete_> not familiar with configuring it by hand :(
10:24 < dazo> oh dear .... well, I've looked at firestarter once .... and I threw it out relatively quickly .... I'm sorry, I can't help you here how to make that work out
10:25 < dazo> _Pete_: but you should find some place to set up forwarding rules .... and you need to allow traffic from your tun/tap device which your openvpn config uses and let that traffic be allowed to reach the ethernet interface of your internal network
10:25 < sunta> take care guys. im off. appreciated the community
10:26 < _Pete_> dazo: ok
10:26 -!- sunta [n=cw@achilles.raytion.com] has quit ["you rock"]
10:26 < nemysis> Hello, could I use the same keys for OpenSSL and OpenVPN?
10:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
10:27 < dazo> nemysis: ehhh .... openvpn uses openssl for the encryption and certificate processing .... so, yeah, basically you should be able to do that ... not sure what you really ask about here
10:28 < DarKnesS_WolF> dazo: mmm can't check now :) too late can't reach the clients already
10:28 < nemysis> I need the keys only for OpenVPN, I usually use OpenSSH; is it safe to use RSA or are DSA keys better?
10:29 < alien8> DSA isn't 'better' than RSA, it's just different
10:29 < alien8> (FYI)
10:29 < nemysis> But SSH FAQs say the DSA is for Protocol 2 and is better
10:29 < dazo> nemysis: well, I'd recommend RSA ... just because there is one less theoretical bug in RSA compared to DSA
10:30 < dazo> nemysis: RSA had a patent issue earlier, but that patent expired, afaik
10:30 < alien8> yup patent expired a few years ago
10:30 < dazo> nemysis: and RSA supports up to 4096 bits .... while DSA supports up to 1024bits
10:30 < dazo> (in openssh, that is)
10:31 < nemysis> Yes this is right, I use 4096 bits with GnuPG too
10:31 < dazo> nemysis: you cannot use openSSH keys for openvpn .... but you can use whatever keys openssl provides with openvpn
10:31 < nemysis> Yes I use only OpenSSL keys for OpenVPN
10:31 < dazo> nemysis: for GnuPG, I think even stronger keys than 4kbit are possible as well ....
10:32 -!- gabe__ [n=fuzzimac@pool-151-203-155-122.wma.east.verizon.net] has joined ##openvpn
10:33 < dazo> nemysis: then I think you have your question answered
10:33 < nemysis> Yes this is right
10:33 < nemysis> Thanks
10:33 < dazo> nemysis: np! you're welcome
10:33 < gabe__> Hello, I am trying to connect to my vpn using viscosity, and I am getting the following error: Options error: You must define CA file (--ca) or PKCS#12 file (--pkcs12)
10:34 < krzee> viscosity?
10:34 < gabe__> I don't really know much about this, can anyone point me in the right direction?
10:34 < gabe__> os x client for vpn
10:34 < krzee> !howto
10:34 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:34 < krzee> ahh
10:34 < krzee> i use osx but never bothered with a gui
10:36 < alien8> viscosity or tunnelblick gabe__
10:36 < dazo> gabe__: you most probably have not set up any SSL keys
10:36 < alien8> viscosity costs $9, tunnelblick is GPL
10:37 < gabe__> alien8: I have viscosity
10:38 < gabe__> dazo: where do I set up ssl keys?
10:38 < dazo> gabe__: most probably somewhere in the GUI .... I dunno, I'm not using osx
10:38 < krzee> umm
10:38 < gabe__> okay
10:38 < krzee> screw config'ing via gui
10:38 < krzee> config using a text editor
10:38 < krzee> then start and stop with your gui
10:38 < alien8> viscosity has a support forum gabe__ : http://www.viscosityvpn.com/support/
10:38 < vpnHelper> Title: Viscosity - OpenVPN Client for Mac (at www.viscosityvpn.com)
10:39 < krzee> whoa
10:39 < krzee> that app actually looks kinda cool
10:39 < krzee> i might try it out sometime
10:39 < alien8> it's ok - draws pretty graphs ;)
10:40 < alien8> it'll import tunnelblick configs as well, so pretty nice if you want that stuff
10:40 < krzee> tunnelblick makes configs now?
10:40 < krzee> last i tried it you made the configs manually and ran them with tunnelblick
10:40 < alien8> nah, just takes the openvpn text files
10:41 < krzee> well ya, no matter what makes the configs its just the openvpn text files
10:41 < alien8> but you'll see - viscosity cuts them down, and GUI's it
10:41 < krzee> viscosity is still just giving you a front end for what we do in text editors
10:41 < krzee> with many less options for sure
10:41 < _Pete_> dazo: so if I dump firestarter and do the firewall rules myself what do I do? I need ssh/http/bittorrent/openvpn available
10:42 < krzee> seen the size of the manpages? no gui will cover all that
10:42 < krzee> heheh
10:42 < krzee> !iptables
10:42 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
10:42 -!- gabe_ [n=fuzzimac@pool-72-79-222-33.spfdma.east.verizon.net] has joined ##openvpn
10:43 < krzee> that accepts all though
10:44 < krzee> then you read the manual!
10:44 -!- nachox [n=imarambi@200.68.83.121] has quit ["Saliendo"]
10:44 < krzee> my coder friends all hate writing manuals
10:44 < krzee> but they do it just for us!
10:44 < krzee> least we can do is read it
10:47 < krzee> alien8, so you paid for viscosity?
10:47 < alien8> just tried it, now using tunnelblick
10:47 < alien8> I had to recommend a few things to people, so made sure I went round all I could
10:49 < krzee> im just using commandline
10:49 < krzee> any command you can type into CLI you can make into a shell script
10:50 < krzee> then you make it filename.command
10:50 < krzee> and it becomes clickable
10:50 < alien8> indeed, but when you have 4 vpns up some people like a nice drop down list with checks/ticks
10:50 < krzee> so mine is a 1 liner that just runs openvpn configfile
10:50 < krzee> werd
10:50 < krzee> ya mines just for me
10:51 < krzee> time to go out and enjoy the vacation
10:51 < krzee> see ya guys
10:51 < dazo> c'ya! Enjoy
10:51 < alien8> :-)
10:52 < _Pete_> oh right, found a solution using firestarter
10:52 < _Pete_> http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/
10:52 < vpnHelper> Title: Homage to Icarus Blog Archive OpenVPN and Firestarter (at jcape.ignore-your.tv)
10:52 < _Pete_> in case someone else needs it too
10:55 < krzee> !learn firestarter as if you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help
10:55 < vpnHelper> krzee: Joo got it.
10:58 -!- gabe__ [n=fuzzimac@pool-151-203-155-122.wma.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
11:11 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
11:19 < _Pete_> hmm one question, my server is 10.69.1.2 and one client is 10.69.1.1
11:19 < _Pete_> if another client connects does it matter if that is also 10.19.1.1 ?
11:19 < _Pete_> 69
11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:35 < nemysis> Is this good for making keys for OpenVPN? http://zlin.dk/p/?NjA0Njg4
11:35 < vpnHelper> Title: K-nopaste (at zlin.dk)
11:38 -!- mikkel_ [n=mikkel@84.238.113.66] has quit ["Leaving"]
11:56 < _Pete_> can there be multiple clients connected to one openvpn server at the same time?
12:42 -!- david_ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has joined ##openvpn
12:42 < david_> elo
12:42 < david_> i have never tried this so i wanted some advice, i wanted to put a password on a client.key
12:43 < david_> but i asked myself, when openvpn starts (if it is launched by /etc/init.d) how is the password asked for?
12:44 -!- david_ is now known as dar__
12:52 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
12:52 < mmcgrath> are there any docs on network tuning and speed troubleshooting?
12:54 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has joined ##openvpn
12:54 < SH4|Gast457> Hi, can anybody tell me about the script-security parameter?
12:56 < SH4|Gast457> no ip addresses and routes are set up by openvpn in vista, could this be the reason for it?
13:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:05 < SH4|Gast457> could anybody please take a look at the config? http://pastebin.com/d635a7971
13:06 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Remote closed the connection]
13:06 < SH4|Gast457> when I use ubuntu to connect to the server, everything works perfectly
13:06 < SH4|Gast457> UAC is disabled in Vista
13:09 -!- toxygen [i=toxygen@stip-static-98.213-81-186.telecom.sk] has joined ##openvpn
13:09 < toxygen> hi
13:10 < toxygen> i would like to ask what is the proper way of making a redirect, such as assigning some external ip to a vpn subnet ip, so clients can use openvpn as NAT for that ip
13:11 < toxygen> such as if you have allowed access to some server and you want your vpn clients to be able to access it through the server
13:11 < toxygen> is that possible?
13:12 -!- Pred2k5 [n=Torsten@dslb-088-069-232-055.pools.arcor-ip.net] has joined ##openvpn
13:13 -!- Pred2k5 [n=Torsten@dslb-088-069-232-055.pools.arcor-ip.net] has left ##openvpn []
13:13 < gabe_> okay... so if I am on the client machine, do I need to set up a CA Cert and Key file? or is that just on the server side?
13:14 < gabe_> and if so... how do I generate those files?
13:15 < toxygen> gabe_: build-key
13:19 -!- zaqsdfgh [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a4efc5572929e390] has joined ##openvpn
13:19 < gabe_> toxygen: I need to do that for the client side?
13:19 < zaqsdfgh> hi
13:19 < zaqsdfgh> buddy
13:19 < zaqsdfgh> i'm trying to follow this tutorial http://doc.ubuntu-fr.org/openvpn
13:19 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org)
13:19 < zaqsdfgh> http://doc.ubuntu-fr.org/openvpn
13:19 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org)
13:20 < gabe_> toxygen: also, from where (on an os x machine) would I run that command?
13:20 < zaqsdfgh> voila
13:20 < zaqsdfgh> so i got some questions
13:20 < zaqsdfgh> it is not written in this tutorial
13:21 < zaqsdfgh> 01.pem ca.key client2.csr dh1024.pem serial 02.pem client1.crt client2.key index.txt serial.old 03.pem client1.csr client3.crt index.txt.attr server.crt 04.pem client1.key client3.csr index.txt.attr.old server.csr ca.crt client2.crt client3.key index.txt.old server.key
13:21 < zaqsdfgh> is it normal that i got all those files?
13:21 < SH4|Gast457> no!
13:22 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has left ##openvpn []
13:23 < zaqsdfgh> what do i use these 01.pem 02.pem 03.pem 04.pem for?
13:23 < zaqsdfgh> for what purpose do i have to use them?
13:28 < zaqsdfgh> r u still there ppl
13:30 -!- zaqsdfgh [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a4efc5572929e390] has quit ["http://www.mibbit.com ajax IRC Client"]
13:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:31 < SH4|Gast457> sorry, I can't help you, I only know that I have only 4 files in my keys folder
13:33 < SH4|Gast457> client.key, ca.crt, dh1024.pem, client.crt
13:35 < ecrist> ping krzee
13:35 < SH4|Gast457> 01.pem ca.crt dh1024.pem index.txt.attr index.txt.old serial.old server.csr
13:35 < SH4|Gast457> 02.pem ca.key index.txt index.txt.attr.old serial server.crt server.key
13:35 < SH4|Gast457> that's my server's key folder
13:35 < SH4|Gast457> contains a certificate for 1 client
13:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:48 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
13:49 < kim0> Hi .. I'm an openvpn server .. I have 2 lines of internet .. a remote client can only connect to me over one of the lines and not the other
13:50 < kim0> tcpdump on the remote end .. reveals my packets are not reaching him
13:50 < kim0> how do I know for sure if the packets are not leaving my router or not entering through his firewall?!
13:57 < ecrist> krzee: your server arrived. after it warms up, I'll get it plugged in/etc.
14:12 < krzee> sweet
14:12 < krzee> one has an HD, one doesnt
14:12 < krzee> so i'd say lets go with the one that does ;]
14:15 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
14:16 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has joined ##openvpn
14:24 < ecrist> krzee: plugged in, powered up
14:24 < ecrist> need to assign IP and get you access
14:25 < ecrist> IOW, I need a user/pass on that box, probably root. :)
14:27 -!- mmarker [n=mmarker@m415336d0.tmodns.net] has joined ##openvpn
14:27 < mmarker> !route
14:27 < vpnHelper> mmarker: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
14:30 < krzee> hrmmm
14:31 < krzee> i think we need to format it
14:31 < krzee> lol
14:31 < krzee> that thing has been down forever
14:31 < krzee> actually, can you single user it?
14:31 < ecrist> probably, haven't tried
14:31 < krzee> ohhhh wait, that thing's running gentoo isnt it
14:32 < krzee> screw that, lets fbsd it!
14:32 < krzee> but dude, totally not time sensitive
14:32 < krzee> im on vacation til the 10th
14:32 < ecrist> yes, it's on gentoo
14:32 < krzee> and have NO plans on logging in til after that
14:32 < ecrist> ok, you want 7.1 on it?
14:32 < krzee> ya if 7.1 loads on the HW for sure
14:33 < krzee> we may need 8
14:33 < krzee> a chipset wasnt supported back then so we had to go gentoo
14:33 < krzee> but should be fine by now, back then it was being dev'ed
14:34 < ecrist> ok, will get that on there for ya
14:35 < krzee> right on man, thx
14:35 < ecrist> np
14:35 < krzee> ill try to get an address to send that other box to soon for ya, im sure you dont want it taking up your space
14:36 < ecrist> doesn't matter, take your time. my server room is 12x10, and only has one rack, so there's space. :)
14:36 < krzee> sweet thx
14:52 -!- dar__ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has quit [Remote closed the connection]
15:22 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
15:23 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn
15:42 -!- mmarker [n=mmarker@m415336d0.tmodns.net] has quit [Read error: 104 (Connection reset by peer)]
15:52 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn
15:53 < Spockz|servert> hello
15:54 < Spockz|servert> I got some windows machines here who seem to lose their way to the vpn network
15:54 < Spockz|servert> packets for the VPN ip's are directed to the normal/default gateway.
15:55 < Spockz|servert> How can I fix this?
15:57 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
16:01 < Spockz|servert> ahr, nvm. Using the openvpn-gui-1.0.3.exe fixes the problem
16:12 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
16:41 -!- gabe_ [n=fuzzimac@pool-72-79-222-33.spfdma.east.verizon.net] has quit []
17:16 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has quit [Read error: 110 (Connection timed out)]
17:21 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
17:53 -!- toxygen [i=toxygen@stip-static-98.213-81-186.telecom.sk] has left ##openvpn []
18:17 < kim0> Guys, any way for openvpn to randomize its source port?
18:55 < ecrist> kim0: it doesn't?
18:55 < kim0> guess not
18:55 < kim0> with nobind it does
18:56 < ecrist> not sure, I guess
18:56 < ecrist> sorry
19:06 < nemysis> port 1194
19:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:29 -!- rdz [i=roman@netpd.org] has joined ##openvpn
19:42 -!- arzen1013 [n=Administ@119.123.11.94] has joined ##openvpn
19:43 < arzen1013> Hi all, should the ccd folder be placed in 'OpenVPN\config\ccd' or 'OpenVPN\ccd'? thanks
19:43 < krzee> wherever you want
19:43 < ecrist> whatever you prefer
19:43 < krzee> just have it match what you say it is in the config
19:43 < ecrist> krzee: 7.1 no-go, downloading december 8.0 snapshot
19:46 < arzen1013> ecrist: my server.ovpn setting is 'client-config-dir ccd', so, placed in 'OpenVPN\config\ccd', right?
19:46 < ecrist> no, in OpenVPN\ccd
19:46 < ecrist> krzee: pm?
19:46 < arzen1013> thanks ecrist:
19:47 < krzee> ecrist, werd, hopefully that works
19:47 * krzee crosses fingers
19:47 < krzee> sure
19:49 -!- kim0 [n=kimoz@unaffiliated/kim0] has quit [Remote closed the connection]
19:54 -!- arzen10131 [n=Administ@119.123.11.94] has joined ##openvpn
19:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
20:02 < arzen10131> ecrist: seems you are wrong, it should be placed in 'OpenVPN\config\ccd', not in OpenVPN\ccd
20:07 -!- c64zotte1 [n=hans@p5B178F13.dip0.t-ipconnect.de] has joined ##openvpn
20:10 < arzen10131> !route
20:10 < vpnHelper> arzen10131: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
20:13 -!- arzen1013 [n=Administ@119.123.11.94] has quit [Read error: 110 (Connection timed out)]
20:23 -!- c64zottel [n=hans@p5B17B248.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
20:33 -!- arzen10131 [n=Administ@119.123.11.94] has left ##openvpn []
20:33 -!- arzen10131 [n=Administ@119.123.11.94] has joined ##openvpn
20:39 < arzen10131> Hi all, I have two LANs and want to connect them to each other: LAN A 192.168.1.x; LAN B 10.50.71.x; openvpn server A.1 in the 192.168.1.2 LAN, openvpn client B.1 in the 10.50.71.21 LAN; now, from 192.168.1.2 I can access 10.50.71.21, but can't access 10.50.71.111, how to? thanks
thanks 20:52 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 21:23 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn 21:24 < ecrist> arzen10131: !route 21:25 < xor|> question: all commands that are listed in the man file, for example --local host, if i remove the -- prefix, are they exactly the same as what i can type in the config files? 21:31 < ecrist> for the most part, yes. 21:39 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit ["leaving"] 21:39 < xor|> :D 21:59 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn 22:00 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 22:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 22:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:08 < tjz|lunch> hi jeff =) 22:08 -!- tjz|lunch is now known as tjz 22:09 < krzee> sup man 22:09 < krzee> hows it goin 22:09 < tjz> doing great =) 23:02 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 23:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 23:33 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] --- Day changed Sat Feb 28 2009 00:39 -!- rdw200169_ [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has joined ##openvpn 00:54 -!- rdw200169 [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)] 01:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 02:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 02:25 -!- arzen10131 [n=Administ@119.123.11.94] has quit [Read error: 110 (Connection timed out)] 02:34 -!- rdw200169_ is now known as rdw200169 02:39 -!- krzie 
[i=nobody@unaffiliated/krzee] has joined ##openvpn 02:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 03:01 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has left ##openvpn ["Leaving"] 03:14 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 04:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 05:27 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has joined ##openvpn 05:28 < Maxtehmantus> Hmm.. While setting up an OpenVPN setup following the HOWTO on openvpn.net, the easy-rsa scripts didn't seem to make a client certificate. 05:28 < Maxtehmantus> It just made a file (max.crt) with nothing in it (0 byte file) 05:31 < Maxtehmantus> Oh, nvm.. Didn't notice this. 05:31 < Maxtehmantus> The countryName field needed to be the same in the 05:31 < Maxtehmantus> CA certificate (US) and the request (NZ) 05:32 < Maxtehmantus> Thought it'd make more sense to put the client's location in the client cert.. Dunno 05:51 < Maxtehmantus> Hmm.. 05:52 < Maxtehmantus> Sat Feb 28 11:55:34 2009 TLS: Initial packet from x.x.x.x:xxxx, sid=d5951f90 74e19d94 05:52 < Maxtehmantus> Sat Feb 28 11:55:37 2009 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=CA/L=LA/O=ares/OU=max/CN=ares/emailAddress=party@my.house 05:52 < Maxtehmantus> Sat Feb 28 11:55:37 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 05:57 -!- _Pete_ [n=petriai@e82-103-218-67.elisa-laajakaista.fi] has left ##openvpn [] 05:58 < Maxtehmantus> Anyone got a clue on what the problem could be? 06:06 * Maxtehmantus wonders why it'd care about a self-signed certificate. 06:15 < Maxtehmantus> Do I need to get the certificate signed by some company? 06:24 < Maxtehmantus> Anyone? 06:24 < Maxtehmantus> Google doesn't seem to be helping here.. 
People with the problem get some response, then they'll never reply back. 06:25 < hads> You don't need to get it signed, easy-rsa works. 06:26 < Maxtehmantus> Well I followed what it had in the HOWTO and it didn't. O_ 06:26 < Maxtehmantus> o 06:26 < hads> Follow it better? :) 06:30 < Maxtehmantus> Hmm.. Should server.crt be the same as the cleint's crt file? 06:33 < hads> Nope 07:07 < ecrist> Maxtehmantus: no 07:34 * Maxtehmantus is still getting it. 07:35 < Maxtehmantus> (After clearing all of the crts, keys, etc.. Everything made by easy-rsa 07:37 < Maxtehmantus> Hmm.. Maybe easy-rsa is broken.. Dunno. 07:37 * Maxtehmantus tries making them on the other end. 07:49 < Maxtehmantus> Nope. Still doing it. 07:49 < Maxtehmantus> What the hell is going on? 07:49 < Maxtehmantus> The client names don't need do be "client1", "client2", ... do they? 07:55 < Maxtehmantus> So in easy-rsa.. I just go: . ./vars 07:55 < Maxtehmantus> ./clean-all; ./build-ca 07:55 < Maxtehmantus> Then press enter for everything, except commonname, where I type "ares" 07:56 < Maxtehmantus> Then ./build-key-server, again, defaults, (common name here is defaulted to "server"), and I enter a password. 07:57 < Maxtehmantus> Then ./build-key max, defaults (common name this time is defaulted to "max"), same password as I entered in ./build-key-server 07:57 < Maxtehmantus> Then ./build-dh 07:58 < Maxtehmantus> Then copy the files that each the server and the client need onto the hosts.. It should work, right? 
08:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)]
08:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:05 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
09:06 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
09:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
09:54 -!- onats [n=onats@122.53.136.244] has joined ##openvpn
10:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:07 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
11:08 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
11:35 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:38 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
11:39 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)]
11:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
11:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:48 -!- rubydiam_ [n=rubydiam@123.236.183.238] has joined ##openvpn
11:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
11:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
12:06 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
12:43 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
12:53 < vcs> I want to use OpenVPN to access the internal network of the server (in the 192.168.0.0 range). To do this would I need to add a route in both client and server configuration?
12:54 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out]
12:59 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
13:02 -!- alien8 [n=alien@indigo.alien8.org] has quit []
13:03 < krzee> vcs
13:03 < krzee> !route
13:03 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
13:03 -!- alien8 [n=alien@indigo.alien8.org] has joined ##openvpn
13:03 < krzee> it would just be a push route on the server config (pushes to clients)
13:04 < krzee> and as described after the drawing, a route added to the servers router assuming the server is not the default gateway
13:06 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
13:13 -!- kyrix [n=ashley@91-115-187-169.adsl.highway.telekom.at] has joined ##openvpn
13:19 < vcs> ty
13:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:21 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
13:23 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn
13:23 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
13:23 < mRCUTEO> so hiya all
13:38 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
14:31 -!- kyrix [n=ashley@91-115-187-169.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
14:32 -!- kyrix [n=ashley@91-115-187-43.adsl.highway.telekom.at] has joined ##openvpn
16:01 -!- kyrix [n=ashley@91-115-187-43.adsl.highway.telekom.at] has quit ["Leaving"]
16:31 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Remote closed the connection]
16:37 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn
16:48 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
16:53 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out]
17:01 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has quit [Read error: 104 (Connection reset by peer)]
17:02 -!- Roman123 [n=Roman123@85-124-225-129.work.xdsl-line.inode.at] has joined ##openvpn
17:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:21 -!- star [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has joined ##openvpn
17:22 -!- star is now known as Guest93116
17:35 -!- Guest93116 [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has quit ["Leaving"]
17:38 -!- Roman123 [n=Roman123@85-124-225-129.work.xdsl-line.inode.at] has quit [Read error: 110 (Connection timed out)]
17:59 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has joined ##openvpn
18:00 < Maxtehmantus> This easy-rsa doesn't seem to work.. I'm still getting the client complaining that it's using a self-signed certificate.. Tried making the crt and keys on both the server and client.
18:01 < krzee> user error, but do you happen to not be using windows...?
18:02 < Maxtehmantus> Yes, I do so happen to not be using Windows. Why?
18:02 < krzee> oh
18:02 < krzee> cause theres a better app made by someone from in here
18:02 < krzee> but it runs on * except windows
18:03 < krzee> well, i guess it would work on windows too maybe if theres perl for windows
18:03 < Maxtehmantus> Well I don't see where the user error could come in.. I've followed up to the part where it says to start openvpn, and it won't work.
18:03 < krzee> you followed the howto?
18:03 < Maxtehmantus> Hmm.. Where can I get it? I'd be willing to try that.
18:03 < Maxtehmantus> Yes.
18:03 < Maxtehmantus> http://openvpn.net/index.php/documentation/howto.html
18:03 < krzee> ive seen many with your problem
18:03 < vpnHelper> Title: HOWTO (at openvpn.net)
18:03 < krzee> then i tell them to regen the certs
18:03 < krzee> they do, it works
18:04 < krzee> http://openvpn.net/howto
18:04 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
18:04 < krzee> ;]
18:04 < Maxtehmantus> What? ./revoke-full?
18:04 < krzee> huh?
18:04 < Maxtehmantus> "regen the certs"
18:04 < krzee> not revoke
18:05 < krzee> re-generate
18:05 < Maxtehmantus> How do I do that? Just go through the process of generating them again?
18:05 < Maxtehmantus> I've done that three times.
18:05 < krzee> well somehow you're getting some part wrong
18:06 < krzee> using build-key-server for server and build-key for client?
18:06 < Maxtehmantus> I don't think so.
18:06 < krzee> umm
18:06 < krzee> you actually READ the howto?
18:07 < Maxtehmantus> Yes.
18:07 < Maxtehmantus> btw, when I revoke the client (max), it shows: max.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=max/emailAddress=me@myhost.mydomain
18:07 < krzee> why would you revoke the client?
18:07 < Maxtehmantus> Then the server: server.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain
18:07 < Maxtehmantus> Because I think it thinks they don't work together.
18:07 < Maxtehmantus> I dunno.
18:07 < krzee> lol
18:07 < krzee> no
18:07 < krzee> start over
18:08 < krzee> delete everything you did
18:08 < krzee> except dh
18:08 < krzee> thats fine
18:08 < Maxtehmantus> Mahia easy-rsa # rm -rf keys
18:08 < krzee> make sure EVERYTHING has different common names
18:08 < krzee> CA different than server different than any clients
18:09 < krzee> also
18:09 < krzee> if you followed the howto
18:09 < krzee> how did you miss:
18:09 < krzee> Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
18:09 < krzee> Generate certificate & key for server
18:09 < krzee> Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix:
18:09 < krzee> ./build-key-server server
18:09 < krzee> On Windows:
18:09 < krzee> build-key-server server
18:10 < krzee> Generate certificates & keys for 3 clients
18:10 < krzee> On Windows:
18:10 < krzee> build-key client1
18:10 < krzee> build-key client2
18:10 < krzee> build-key client3
18:10 < Maxtehmantus> krzee, yes, I put ares for that common name (when running ./build-ca)
18:10 < Maxtehmantus> (Everything else was defaulted)
18:11 < Maxtehmantus> Then for ./build-key-server, I used server for the common name.
18:11 < Maxtehmantus> And for ./build-key max, I used max as the common name.
18:13 < krzee> [19:12] using build-key-server for server and build-key for client?
18:13 < krzee> [19:13] I don't think so.
18:13 < krzee> o_O
18:13 < Maxtehmantus> What?
18:14 < Maxtehmantus> well somehow you're getting some part wrong
18:14 < Maxtehmantus> I don't think so.
18:14 < Maxtehmantus> Was a delayed response.
18:14 < Maxtehmantus> Wasn't answering to the second thing you said there.
18:14 < Maxtehmantus> So the answer to the second thing is: yes
18:15 < Maxtehmantus> (It'd be rather trivial to answer that question within 1 second of you sending it - especially with aspects such as ping)
18:15 < Maxtehmantus> Oh, nvm, those are minutes.
18:17 < krzee> bbl
18:17 < krzee> heh
18:17 < Maxtehmantus> Wait. What was the alternative to easy-rsa?
18:17 < Maxtehmantus> You mentioned something about Perl.
18:17 < krzee> !ssl-admin
18:17 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
18:18 < Maxtehmantus> Mk, thanks. Will try that after easy-rsa one more time.
18:18 < krzee> adios!
18:18 < krzee> np
18:26 < Maxtehmantus> Hmm.. That wiki seems to lack the page. :\
18:33 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
18:39 < Maxtehmantus> Well the easy-rsa thing failed AGAIN
18:39 < Maxtehmantus> Either it's not so easy, or it's fucked.
18:41 < Maxtehmantus> Could it possibly be due to an openssl/openvpn version mismatch? Client is running OpenSSL 0.9.8h, OpenVPN 2.0.7. Server is running OpenSSL 0.9.8g, OpenVPN 2.0.9
18:42 < Maxtehmantus> And the only thing "ssl-admin" gets me on Google is some PHP script.
18:44 < Maxtehmantus> Oh, there it is: http://www.freshports.org/security/ssl-admin/
18:44 < vpnHelper> Title: FreshPorts -- security/ssl-admin (at www.freshports.org)
18:49 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
18:50 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
18:55 < dvl> Maxtehmantus: heh, that's my website. ;)
18:58 < Maxtehmantus> I see.
19:01 < Maxtehmantus> I think this secure-computing.net host is broken.
19:04 -!- c64zotte1 [n=hans@p5B178F13.dip0.t-ipconnect.de] has quit ["Leaving."]
19:04 * Maxtehmantus tries tinyca
19:07 < ecrist> fuckers
19:07 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Read error: 110 (Connection timed out)]
19:07 < Maxtehmantus> Yes?
19:07 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Read error: 110 (Connection timed out)]
19:08 -!- rdw200169 [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has quit ["Ex-Chat"]
19:18 < Maxtehmantus> Bleh. I don't get this tinyca crap.
19:18 < Maxtehmantus> I don't see why the hell easy-vpn isn't working for me.
19:18 < Maxtehmantus> rsa*
19:26 < ecrist> Maxtehmantus: the secure-computing.net host isn't broken
19:27 < Maxtehmantus> Hmm.. I don't think the problem is with easy-rsa.. It appears to be either with OpenVPN or my configuration.
19:27 < Maxtehmantus> I just tried the "sample-keys" from the source package.. They didn't work either.
19:28 < ecrist> Maxtehmantus: for the record, ssl-admin is a PERL script, not a PHP script
19:29 < Maxtehmantus> Yeah, Google's first few results were on some admin-ssl PHP script.
19:29 < ecrist> no, the third, FreshPorts, was for security/ssl-admin, a PERL script, in the FreeBSD ports tree.
19:30 < ecrist> ah, I see what you're talking about.
19:30 < ecrist> that's a plugin for wordpress.
19:31 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
19:31 -!- worch [i=worch@battletoad.com] has joined ##openvpn
19:31 < Maxtehmantus> Well secure-computing.net takes ages to load for me.. When I tried the SVN it just sat there (I had to kill -9 it)
19:32 < Maxtehmantus> I'll try on the other host.
19:32 < hads> Something else must be wrong if you followed the easy-rsa instructions because they do work.
19:32 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
19:33 < ecrist> Maxtehmantus: what URL are you going to?
19:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:33 < Maxtehmantus> http://www.secure-computing.net/ssl-admin/
19:33 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net)
19:34 < Maxtehmantus> Maybe it's just my ISP.
19:34 < ecrist> I think it's your ISP.
19:35 < Maxtehmantus> :X links doesn't seem to like this site.
19:35 < ecrist> lol, joogot.noskills.net
19:36 < ecrist> tor?
19:36 < krzee> nah i own noskills.net
19:36 < Maxtehmantus> Odd.. Worked the second time.
19:36 < Maxtehmantus> First time, it screwed up the chars on the terminal,.
19:37 < ecrist> Maxtehmantus: you using tor?
19:37 < krzee> oh, lol
19:37 < Maxtehmantus> tor?
19:37 < ecrist> I see you coming from a range of IPs.
19:37 < ecrist> range = more than one
19:37 < Maxtehmantus> And what's with that joogot.noskills.net? Just a blank page.
19:37 < ecrist> not same subnet
19:37 < Maxtehmantus> ecrist, err.. Should see my home address (as used on IRC here: 203.97.238.106)
19:38 < krzee> joogot.noskills.net shouldnt have a webserver running at all
19:38 < Maxtehmantus> And the IP of a dedi I'm using.. 69.42.220.something
19:38 < Maxtehmantus> .13 I think is the default.
19:38 < Maxtehmantus> Wait, 69.42.221.107
19:38 < ecrist> Maxtehmantus: 69.42.221.107
19:39 < Maxtehmantus> Yes, that.
19:39 < ecrist> so, no problems on my end, just PEKAC?
19:39 < Maxtehmantus> PEKAC?
19:39 < ecrist> sorry, PEBKAC
19:40 < ecrist> Problem Exists Between Keyboard And Chair
19:40 < Maxtehmantus> With what? Trying to access the site?
19:40 < ecrist> i.e. 19:36 < Maxtehmantus> First time, it screwed up the chars on the terminal,.
19:40 < ecrist> yes, that's my site, I like to know if people can't reach it.
19:40 < Maxtehmantus> Yeah, that was just links.. Dunno why that happened.
19:41 < ecrist> ssl-admin is my script, so I like to know if people have problems with that, too. :)
19:41 < ecrist> I'm out - gotta attend to the wife. ;) see ya'll tomorrow.
19:42 < Maxtehmantus> You might.
19:45 < Maxtehmantus> Well I think the link just sucks between me and your site. :d
19:46 < Maxtehmantus> svn worked fine on the dedi I use.
19:54 < dvl> is there an extra comma in there?
19:54 < Maxtehmantus> Huh?
19:55 < Maxtehmantus> Hmm.. I think there's a problem with my configurations: http://rafb.net/p/qlseOA73.html
19:55 < vpnHelper> Title: Nopaste - server.conf (at rafb.net)
19:55 < Maxtehmantus> http://dpaste.com/3655/
19:55 < Maxtehmantus> Hmm.. wgetpaste on different machines used different pbs. O_o
19:56 < Maxtehmantus> The keys I generate with easy-rsa don't work, NOR do the sample ones in the source package of openvpn-2.0.9
19:57 < Maxtehmantus> Ah fuck.
19:57 < Maxtehmantus> ca max.crt
19:57 < Maxtehmantus> God, how'd I manage to do that.
19:58 < Maxtehmantus> Yeah.. That seems to be the problem. :X
20:01 < hads> So things aren't broken
20:02 < Maxtehmantus> Nope.. Seems to be working.
20:02 < hads> Right.
20:03 < Maxtehmantus> (With my certificates - don't bother trying to connect using the samples now)
20:08 < Maxtehmantus> Hmm.. Partially working. :\
20:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
20:10 < Maxtehmantus> Hmm.. Maybe this could be a problem:
20:10 < Maxtehmantus> 172.16.7.0 172.16.7.5 255.255.255.0 UG 0 0 0 tun0
20:10 < Maxtehmantus> Shouldn't the gateway be the IP assigned to the tunnel on the server end?
20:10 * Maxtehmantus tries.
20:13 < Maxtehmantus> Hmm.. Why is tun0 on the client side on /32? Shouldn't it be /24, so it's part of the OpenVPN subnet?
20:14 < krzee> !/32
20:14 < vpnHelper> krzee: Error: "/32" is not a valid command.
20:14 < krzee> !factoids search /
20:14 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
20:14 < krzee> i was thinking 32 didnt sound right
20:14 < krzee> lol
20:14 < krzee> im headed back out to the party
20:14 < krzee> ecrist, thanx a lot man, you rule
20:15 < krzee> ecrist, im going to shut it down for now, as i wont be able to lock it down more than i just did yet
20:15 < krzee> so if you notice its off, thats no accident ;]
20:16 < Maxtehmantus> Oh right. It's a point-to-point link.
20:16 < Maxtehmantus> But that'd mean /30, and mine's /32
20:16 < krzee> prove it
20:16 < Maxtehmantus> inet addr:172.16.7.6 P-t-P:172.16.7.5 Mask:255.255.255.255
20:16 < krzee> negative
20:16 < krzee> stop over thinking
20:16 < krzee> openvpn is doing it right
20:17 < krzee> you arent understanding it
20:17 < krzee> but it is doing it right
20:17 < krzee> bbl
20:17 < Maxtehmantus> Oh hey, it works now.
20:17 < Maxtehmantus> 64 bytes from 172.16.7.1: icmp_seq=1 ttl=64 time=152 ms
20:18 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has quit [Connection reset by peer]
20:20 * Maxtehmantus is wondering if it'd be possible to let clients use the server's IP address[es].
20:21 < Maxtehmantus> Hmm.. Probably just need to set up some simple routers on the server side.
20:21 < Maxtehmantus> Dunno.
20:27 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has joined ##openvpn
20:31 * Maxtehmantus hasn't really done much routing on Linux.
20:33 < Maxtehmantus> So how do I get it to forward connections from the OpenVPN server to the internet?
20:33 < Maxtehmantus> Mahia ssl-admin # route add -host 209.85.171.100 gw 172.16.7.5 && nc -v -v 209.85.171.100 80
20:33 < Maxtehmantus> Doesn't seem to connect.
20:33 < Maxtehmantus> Sat Feb 28 18:33:12 2009 max/203.97.238.106:35153 MULTI: bad source address from client [10.1.1.1], packet dropped
20:33 < Maxtehmantus> Ah.
20:34 < Maxtehmantus> Although -s 172.16.7.6 doesn't seem to do anything either.
20:35 < Maxtehmantus> I don't think the server is routing packets from the tun0 device through the default gateway.
20:36 < Maxtehmantus> Only seem to be able to access the OpenVPN network (172.16.7.0/24)
20:37 < Maxtehmantus> Oh, and I can access the server's other configured IPs.
20:37 < Maxtehmantus> ntuS.uni.cc [69.42.220.7] 80 (http) open
20:38 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn
20:39 < dijital1> have any of you been able to configure openvpn server to where it actually pushes dns to the client?
20:44 < Maxtehmantus> What'd be really cool, is if I could assign a single specific IP address belonging to the server, to the client..
20:45 < Maxtehmantus> So the client will be able to bind to 69.42.220.7, and the connection will be forwarded through OpenVPN to the server, to the internet (from 69.42.220.7)
20:46 < Maxtehmantus> (The server has quite a few IPs)
21:07 < Maxtehmantus> I think I know how to do this.
21:07 * Maxtehmantus got it so far on the server side.
21:09 < Maxtehmantus> Hmm.. How do I get the client to route all packets where the src=172.16.7.6 through OpenVPN (tun0)?
21:09 < Maxtehmantus> I thought Linux did that automatically, but it appears it doesn't.
21:10 < Maxtehmantus> eg, if an outbound packet has the source address 127.0.0.1, it should be sent to the loopback device (lo), right?
21:10 < Maxtehmantus> Because lo is assigned the subnet 127.0.0.0/8
21:11 < Maxtehmantus> So it should route packets with src=172.16.7.6 through tun0, because tun0 has 172.16.7.6/32
21:12 < Maxtehmantus> It's not though.. I need to set routes for the outgoing packets.. Strange.
21:13 < Maxtehmantus> Wait.. It makes sense that it doesn't.
21:13 < Maxtehmantus> Because 127.0.0.0/8 is on the route table.
21:18 < krzee> dijital1, i havnt, but ive helped many do it
21:18 < krzee> you need this:
21:18 < krzee> !pushdns
21:18 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
21:18 < krzee> read the link
21:18 < krzee> Maxtehmantus,
21:19 < krzee> you need this:
21:19 < krzee> !def1
21:19 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:19 < krzee> along with:
21:19 < krzee> ipforwarding enabled, and NAT running for the vpn ips on the server
21:19 < Maxtehmantus> I don't want to use a default gateway.
21:20 < Maxtehmantus> I just want it to do some source-based routing from the client side.
21:20 < Maxtehmantus> So it'll forward packets with src=172.16.7.6 to tun0.
21:20 < krzee> then you setup the routes instead
21:20 < krzee> either way you need the rest
21:20 * Maxtehmantus doesn't know how to do source based routes.
21:21 < krzee> its not an openvpn problem
21:21 < Maxtehmantus> I know.
21:21 < krzee> its you learning how to use your OS from here on out
21:21 < Maxtehmantus> Yeah, I know.
21:21 < Maxtehmantus> But this being a VPN channel, people are likely to have done this before.
21:22 < krzee> it being saturday night for many people here, you're less likely to find help
21:22 < Maxtehmantus> Lies. It's Sunday afternoon.
21:22 < krzee> *shrug*
21:22 < Maxtehmantus> Evening, even.
21:22 < krzee> that wouldnt help your cause either
21:22 < krzee> lol
21:24 < dijital1> krzee: hmm I just want a stable vpn client
21:25 < krzee> pushing dns has to do with stability?
21:27 < krzee> dijital1, what OS is the client?
21:29 < krzee> well if you stick around ill see your answer later
21:30 < krzee> im in and out
21:30 < krzee> everytime i come back to my room i check out my computer
21:33 < dijital1> OSX
21:33 < dijital1> mac os
21:33 < dijital1> I'm here
21:33 < dijital1> sorry
21:33 < dijital1> I'm back now
21:34 < dijital1> mac os x
21:34 < dijital1> I've tried several hardware ssl clients and they always seem to misbehave
21:34 < dijital1> hardware gateways rather
21:35 < dijital1> I want something that performs as reliably as some of the juniper ssl vpn gear
21:36 < krzee> just run the script mentioned in the link i gave you
21:36 < krzee> osx is a unix at heart
21:37 < dijital1> *looks for the link*
21:37 < krzee> !pushdns
21:37 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
21:37 < krzee> you didnt read that link?
21:37 < dijital1> reading it now
21:38 < krzee> bad diji!
21:38 < dijital1> hmm
21:38 < dijital1> I wonder if I can get tunnelblick to run the script for me
21:39 < krzee> no, you can get openvpn to
21:39 < krzee> tunnelblick just starts and stops your openvpn for you
21:39 < dijital1> there's a "script" directive?
21:39 < krzee> which i accomplish with a 1 line shell script instead of some lame gui
21:39 < dijital1> that I can add to the openvpn.conf on my client?
21:40 < krzee> theres like 5 ways to run scripts in openvpn
21:40 < krzee> find them!
21:40 < krzee> !man
21:40 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
21:40 < krzee> look for the word script, it will appear many times
21:40 < krzee> (i also use osx)
21:41 < dijital1> cool
21:41 < dijital1> i'm actually probably going to have to open 2 ports and run 2 instances
21:41 < dijital1> because I want just port forwarding and full tunnel mode which require different server configs
21:42 < krzee> port forwarding?
21:42 < krzee> shouldnt ssh work for that...
21:42 < krzee> (ssh tunnels)
21:42 < dijital1> well not really port forwarding.. more like connecting to the server running openvpn without passing all of my traffic over it
21:42 < krzee> and then whats full tunnel mode?
21:42 < krzee> passing all traffic?
21:42 < dijital1> so if I want to connect to my remote network but not tunnel all traffic over it I mean
21:43 < dijital1> I'd like to have the option to do both
21:43 < krzee> you dont HAVE to push options
21:43 < krzee> you can put them in client config
21:43 < dijital1> that's going to take 2 different instances because the server configs are different to do that
21:43 < krzee> instead of pushing redirect-gateway
21:43 < dijital1> at least that's the only way that I can think of to do it
21:43 < krzee> put it in client config
21:43 < krzee> then comment it out, and it wont be used
21:44 < krzee> (or have 2 client configs)
21:44 < dijital1> yeah.. and swap between them
21:44 < krzee> easy enough =]
21:47 < krzee> hows that work for ya
21:47 < krzee> (the idea)
21:47 < dijital1> that works
21:47 < dijital1> this is what my server config looks like
21:47 < dijital1> http://rafb.net/p/x6E7uo31.html
21:47 < vpnHelper> Title: Nopaste - No description (at rafb.net)
21:48 < dijital1> did you get that link?
21:48 < krzee> ya but if comments arent stripped im not reading it
21:48 < dijital1> vpnhelper emoted when I pasted it
21:48 < vpnHelper> dijital1: Error: "emoted" is not a valid command.
21:48 < dijital1> there aren't any comments in it
21:49 < krzee> great
21:49 < dijital1> it's all directives
21:49 < krzee> !tcp
21:49 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
21:50 < krzee> other than that, cool
21:50 < krzee> except what i told you:
21:50 < krzee> you still have push "redirect-gateway def1"
21:50 < krzee> for what i suggested youd remove that
21:50 < dijital1> http://rafb.net/p/pSCSu382.html and this is my client config
21:50 < krzee> and add to the clients that you want that on for:
21:50 < dijital1> http://rafb.net/p/pSCSu382.html
21:50 < vpnHelper> Title: Nopaste - client config (at rafb.net)
21:51 < krzee> redirect-gateway def1
21:51 < dijital1> so I need to put that in the client then
21:51 < dijital1> vs. having the server push it
21:51 < krzee> beats running 2 instances
21:51 < krzee> unless its for business use and you need the control
21:51 < krzee> but it seems its for you
21:52 < dijital1> yep it is
21:52 < dijital1> so to make it udp, it would just be proto udp client correct?
21:52 < dijital1> proto udp-client
21:52 < krzee> no
21:52 < krzee> read the manual!
21:52 < krzee> !man
21:52 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
21:52 < krzee> im not the manual
21:52 < krzee> in fact im on vacation
21:53 < krzee> so im going back out
21:53 < dijital1> alright man
21:53 < krzee> =]
21:57 -!- rubydiam_ [n=rubydiam@123.236.183.238] has quit [Read error: 110 (Connection timed out)]
22:19 < dijital1> are you still there krzee?
22:25 * ecrist guesses no
22:25 < dijital1> hmmm
22:25 < dijital1> trying to figure out the udp connectivity
22:25 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has quit ["# killall -9 xchat && shutdown now"]
22:25 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has joined ##openvpn
22:26 < ecrist> what a name, {}{}{}{}
22:29 < dvl> HHH
22:30 < dvl> == Hash House Harriers
22:30 < ecrist> Hubert H Humphrey Metrodome? The Vikings play there...
22:32 -!- dijital1_ [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn
22:43 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 110 (Connection timed out)]
22:45 -!- dijital1_ is now known as dijital1
22:45 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has joined ##openvpn
22:45 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has left ##openvpn ["Leaving"]
23:10 < krzee> proto udp
23:10 < krzee> all you had to do was read --proto in manual
23:10 < krzee> *back to gone*
23:27 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 60 (Operation timed out)]
23:32 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
23:49 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
23:59 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
--- Day changed Sun Mar 01 2009
00:00 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
00:01 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has quit [Read error: 60 (Operation timed out)]
00:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:05 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit [Client Quit]
00:27 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has joined ##openvpn
00:27 < Maxtehmantus> Is it possible to get OpenVPN to detach after it's made the tun device?
00:28 < Maxtehmantus> Trying to set up a script to start OpenVPN and set up some routes.. Won't let me make the routes until the device is up.
00:41 -!- bsdx [n=bsd@61.17.165.191] has joined ##openvpn
00:56 < Maxtehmantus> Hmm.. I suppose --ipchange could work.
00:56 -!- bsdx [n=bsd@61.17.165.191] has left ##openvpn ["Leaving"]
01:06 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has quit ["# killall -9 xchat && shutdown now"]
01:06 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has joined ##openvpn
01:41 < ecrist> foo
01:41 < hads> bar
01:44 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
01:45 < hads> I think I need to get this remote router replaced, it's the only thing I can think of as being the issue.
01:46 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn
01:46 < ecrist> good idea
01:46 < ecrist> !?!?
01:46 < vpnHelper> ecrist: Error: "?!?" is not a valid command.
02:16 -!- c64zottel [n=hans@p5B178CA3.dip0.t-ipconnect.de] has joined ##openvpn
02:23 < hads> I might setup bridging to try and get around the issue.
02:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
02:35 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 60 (Operation timed out)]
02:35 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn
03:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:26 -!- c64zottel [n=hans@p5B178CA3.dip0.t-ipconnect.de] has left ##openvpn []
04:47 -!- arzen1013 [n=Administ@116.24.178.121] has joined ##openvpn
04:51 < arzen1013> Hi all, I use openvpn on a windows box as vpn server, and it is not the gateway, its ip is 192.168.1.2, another LAN machine is 192.168.1.9, I want it to also be able to access the 10.8.0.1 openvpn subnet, how do I do it?
05:48 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
06:04 -!- rodpod [n=rod@hick.org] has joined ##openvpn
06:21 -!- arzen1013 [n=Administ@116.24.178.121] has left ##openvpn []
06:44 -!- Roman123 [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has joined ##openvpn
06:56 < Roman123> I have two networks (192.168.50.x and 192.168.51.x). Both are connected over an openvpn bridge by means of two openwrt routers, which works very well. There is only one small problem: Sometimes, when a computer is connected to the 51er subnet, the dhcp server from the 50er subnet assigns an address. How can I filter the dhcp requests between both networks?
06:56 < Roman123> Is that possible?
06:58 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
06:58 < Gumbler> hello
06:58 < Gumbler> ;/
06:58 < Gumbler> can somebody help me? i have the error "cannot locate HMAC in incoming packet from " (sry for my bad english)
06:59 < Gumbler> i use openvpn on debian and the client on vista..
07:43 -!- fselo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-3a480b1a2598416c] has joined ##openvpn
07:44 < fselo> hi there
07:44 < fselo> is it possible to install openvpn server on mac os x ?
07:45 < fselo> is there anyone here ?
07:48 -!- fselo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-3a480b1a2598416c] has quit [Client Quit]
08:03 -!- j-a-b-b-a [n=Jabba@frnk-5f751312.pool.einsundeins.de] has joined ##openvpn
08:27 * ecrist is hung over...
08:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:29 < onats> from?
08:29 < ecrist> Jaegermeister + Red Bull
08:29 < ecrist> went to bed 4 hours ago. got up an hour ago.
08:30 < ecrist> got up for a good reason though - wife was on her way to work and needed some attention before she left. ;)
09:01 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
09:21 -!- Roman123 [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has quit ["Leaving"]
09:24 * ecrist goes and tears down his network.
--- Log closed Sun Mar 01 09:41:48 2009
--- Log opened Sun Mar 01 09:41:52 2009
09:41 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
09:41 -!- Irssi: ##openvpn: Total of 57 nicks [0 ops, 0 halfops, 0 voices, 57 normal]
09:42 -!- Irssi: Join to ##openvpn was synced in 13 secs
10:01 < ecrist> grr. I just VLANd myself out of my management interface on my new switch.
10:01 < ecrist> rawr
10:01 * ecrist goes and hooks up serial console
10:17 < ecrist>
10:27 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
11:00 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
11:00 -!- nemysis [n=nemysis@183-238.1-85.cust.bluewin.ch] has joined ##openvpn
11:01 * ecrist cheers for firmware upgrades
11:13 < rdz> hi all. i am very new to openvpn and i would like to achieve the following setup: openvpn server on win xp, which bridges the clients to local network. all clients are also running win xp. i would like the bridge to be as simple and as transparent as possible, the whole traffic of the clients can go over the server, no additional routing should be necessary. there is lots of documentation and many examples are out there, but often they are not verbose enough for my limited knowledge. also often they use features that i don't know what they are used for and/or i don't know how to use them (for instance, how to create the certificates). any hints are very welcome.
--- Log closed Sun Mar 01 11:24:21 2009
--- Log opened Sun Mar 01 11:24:23 2009
11:24 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
11:24 -!- Irssi: ##openvpn: Total of 58 nicks [0 ops, 0 halfops, 0 voices, 58 normal]
11:24 -!- Irssi: Join to ##openvpn was synced in 12 secs
11:27 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
11:27 < reiffert> foo
11:40 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
11:48 -!- aowron [n=overkord@h28n1fls308o1114.telia.com] has left ##openvpn []
11:56 < ecrist> beans
12:03 -!- Roman123 [n=Roman123@85-124-225-130.work.xdsl-line.inode.at] has joined ##openvpn
12:06 -!- rodpod [n=rod@hick.org] has quit [Remote closed the connection]
12:06 < Roman123> back home
12:06 < Roman123> hi
12:28 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
12:41 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
13:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:18 < ecrist> hey krzee
13:18 < ecrist> new switch is the sexy
13:19 * krzee rubs his nipple and the gigaswitch at the same time
13:23 < reiffert> :)
13:24 < ecrist> I got a Linksys SRW2024
13:25 < ecrist> I was disappointed at first, the web interface was shoddy and activex-ish, and no SNMP.
13:25 < ecrist> but, I found a firmware update, got rid of activex controls and gave me SNMP
13:25 < ecrist> :)
13:25 < reiffert> my facsimile is stronger than your mobile.
13:26 < krzee> hah
13:27 * ecrist goes back to couch to continue being sick.
13:27 < krzee> sick?
13:27 < krzee> that sucks
13:27 < krzee> get well soon!
13:36 -!- j-a-b-b-a [n=Jabba@frnk-5f751312.pool.einsundeins.de] has quit [Client Quit]
13:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:18 -!- alien8 [n=alien@indigo.alien8.org] has left ##openvpn []
14:30 -!- mib_gh2mp1 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-9e4366f9f2f78096] has joined ##openvpn
14:32 < mib_gh2mp1> hi there
14:32 < mib_gh2mp1> i try to follow this tutorial
14:32 < mib_gh2mp1> http://doc.ubuntu-fr.org/openvpn`
14:32 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org)
14:33 < mib_gh2mp1> http://doc.ubuntu-fr.org/openvpn
14:33 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org)
14:33 < mib_gh2mp1> but i try to do on a mac os x
14:36 -!- Roman123 [n=Roman123@85-124-225-130.work.xdsl-line.inode.at] has quit ["Leaving"]
14:38 < mib_gh2mp1> is there anyone here ?
14:40 < mib_gh2mp1> hello
14:46 -!- mib_gh2mp1 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-9e4366f9f2f78096] has left ##openvpn []
15:20 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:31 -!- mib_v5ncqcge [i=4570e460@gateway/web/ajax/mibbit.com/x-9e32c2be36141eff] has joined ##openvpn
15:31 -!- mib_v5ncqcge [i=4570e460@gateway/web/ajax/mibbit.com/x-9e32c2be36141eff] has left ##openvpn []
15:32 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn
15:33 < cscho0415> hello i am trying to install on centos 4.5 and i get this error:
15:33 < cscho0415> liblzo.so.1 is needed by openvpn-1.6.0-1.1.fc3.rf.i386
15:33 < cscho0415> any help?
15:37 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit []
16:13 -!- Bushmill- [n=nnnnl@verhau.de] has joined ##openvpn
16:37 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn
16:49 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
17:00 < reiffert> Hi Bushmill-
17:10 < krzee> To the security guy:
17:10 < krzee> You guys really should not leave open writeable shares, especially on a WEP network.
17:10 < krzee> I am a friend, so don't worry... but bad people could do bad things very easily.
17:10 < krzee> I would also change the router's password off of the default
17:10 < krzee> =]
17:10 < krzee> My recommendation is to change to WPA encryption just for the reception network, and to use a multiple-word passphrase. For example, you could make it "This is Aquavit"
17:10 < krzee> Then you could leave the shares open without being at such risk.
17:10 < krzee> -Jeff
17:11 < krzee> that is now on the reception desktop in a dir named README
17:12 < reiffert> Teaching 3rd world getting any better?
17:12 < krzee> lol
17:13 < krzee> im in peru right now
17:13 < krzee> not sure if this is 3rd world or not
17:14 < cscho0415> hello i am trying to install on centos 4.5 and i get this error:
17:14 < cscho0415> liblzo.so.1 is needed by openvpn-1.6.0-1.1.fc3.rf.i386
17:15 < krzee> tried installing lzo?
17:15 < cscho0415> cant find for centos 4.5
17:15 < krzee> http://www.google.com/search?q=centos%20lzo
17:15 < vpnHelper> Title: centos lzo - Google Search (at www.google.com)
17:15 < krzee> looks rather easy to find for me
17:16 < cscho0415> do they work for 4.5
17:16 < krzee> but i dont use linux really
17:16 < krzee> *shrug*
17:16 < reiffert> According to government sources, poverty is projected to be reduced to under 10% in eight years [3], and the President Alan Garcia has stated that by this time Peru will cease to be a third world nation.
17:16 < reiffert> wiki
17:16 < krzee> even if i used linux it wouldnt be one of those redhats
17:16 < krzee> but dazo is our resident redhat expert i believe
17:17 < krzee> you could always compile without compression and not need lzo
17:17 < krzee> or use a package manager that knows how to deal with dependencies (assuming thats an option in centos)
17:17 < cscho0415> um
17:17 < cscho0415> ok
17:17 < cscho0415> =p
17:18 < reiffert> krzee: it really looks like he is not installing openvpn from a package manager.
17:18 < krzee> best bet is to google
17:18 < krzee> reiffert, does centos have package managers?
17:18 < reiffert> krzee: but instead sucked a package from google and is trying to convince the package installer.
17:18 < krzee> or just rpm
17:18 < krzee> right
17:18 < cscho0415> i used rpm
17:19 < reiffert> krzee: my wild guess is that every major distribution comes along with a package manager that can resolve such easy tasks...
17:19 < krzee> my google search found it for centos4 hella easy
17:19 < krzee> which makes me wonder how you were looking...
17:19 < reiffert> obviously not by using the package manager.
17:20 < krzee> OH RIGHT
17:20 < krzee> yum
17:20 < krzee> forgot bout that
17:20 < krzee> (which means my efforts to forget it were successful
17:21 < reiffert> cscho0415: yum list available |grep -i openvpn
17:22 < cscho0415> i have to install yum then =s
17:22 < krzee> could always switch to a real os ;]
17:22 < krzee> lol sorry, im a dick
17:23 < cscho0415> lol
17:23 < krzee> just go grab the rpm from my google search
17:23 < cscho0415> its my first com using linux
17:23 < krzee> i mean hell i even did the search for ya
17:23 < reiffert> wow, it really looks like there is NO openvpn on centos. sigh.
17:23 < cscho0415> fedora runs on centos reiffert
17:23 < krzee> reiffert, with yum you always need to find the right server to add and lameness like that
17:24 < reiffert> cscho0415: http://www.centos.org/docs/4/
17:24 < vpnHelper> Title: CentOS-4 Documentation (at www.centos.org)
17:24 < reiffert> especially System Administration Guide
17:24 < reiffert> Paragraph III
17:24 < reiffert> Package Management
17:24 < reiffert> Package Management Tool
17:24 < reiffert> Installing Packages
17:24 < reiffert> Removing Packages
17:25 < krzee> http://www.webhostingtalk.com/showthread.php?t=595436
17:25 < vpnHelper> Title: HOWTO OpenVPN setup guide for FC3, FC4, FC5, CentOS and others,connecting via Windows - Web Hosting Talk - The largest, most influential web hosting community on the Internet (at www.webhostingtalk.com)
17:25 < cscho0415> lol im not that n00b reiffert
17:26 < reiffert> cscho0415: you said it's your first time with linux and it really looks like that you didnt find the docs right now, cause you were asking such questions like a windows guy.
17:26 < cscho0415> no i said that was my first com using linux
17:26 < reiffert> krzee: you missed adding -forum -board to your search terms, eh?
17:26 < cscho0415> and im a mac / freebsd guy
17:26 < cscho0415> im NOT a win guy
17:27 < reiffert> cscho0415: I step back from my previous sentence :)
17:27 < cscho0415> lol
17:27 < cscho0415> =p
17:27 < krzee> reiffert, nah my google gave him rpm for lzo
17:27 < krzee> he could have it installed by now had he used it
17:27 < reiffert> krzee: I doubt that it will keep your system stable for a long time.
17:28 < krzee> ?
17:28 < reiffert> On the other hand I really cant believe centos doesnt come with openvpn itself
17:28 < krzee> it is in yum
17:28 < reiffert> krzee: downloading rpms from unthrusted sources ... uhhh.
17:28 < reiffert> untrusted
17:28 < krzee> If you have CentOS, follow the "additional third party CentOS repos"
17:28 < krzee> reiffert, oh right
17:28 < krzee> ya ill never need to install a rpm on a box i run anyways
17:29 < krzee> when i go linux i go gentoo
17:29 < reiffert> http://wiki.centos.org/AdditionalResources/Repositories
17:29 < vpnHelper> Title: AdditionalResources/Repositories - CentOS Wiki (at wiki.centos.org)
17:29 < ecrist> evening, folks.
17:29 < cscho0415> g2g thanks for the help
17:29 < krzee> evening ecrist
17:29 < krzee> feeling better?
17:29 < reiffert> I'm stuck to Debian
17:29 < ecrist> a bit, actually.
17:30 < reiffert> He didnt call us pussys, looks still very ill.
17:30 < krzee> see the note i left on reception computer?
17:30 < krzee> hahaah reif
17:30 < ecrist> krzee: I did, yes, I've powered it down.
17:31 < krzee> ahh cool, i meant this one tho:
17:31 < krzee> To the security guy:
17:31 < krzee> You guys really should not leave open writeable shares, especially on a WEP network.
17:31 < krzee> I am a friend, so don't worry... but bad people could do bad things very easily.
17:31 < krzee> I would also change the router's password off of the default
17:31 < krzee> =]
17:31 < krzee> My recommendation is to change to WPA encryption just for the reception network, and to use a multiple-word passphrase. For example, you could make it "This is Aquavit"
17:31 < krzee> Then you could leave the shares open without being at such risk.
17:31 < krzee> -Jeff
17:31 < krzee> in a dir named READ ME on the desktop
17:32 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit []
17:32 < ecrist> krzee: what WEP network?
17:32 < krzee> the one im on
17:32 < krzee> in the hotel
17:32 < ecrist> oh
17:32 < krzee> the reception network is WEP
17:32 < reiffert> :)
17:32 < krzee> and has best signal from my room
17:33 < krzee> the owner would have given me the key, but i didnt wanna bug him
17:33 < krzee> so i let myself in
17:33 < krzee> then inet went down so i started looking around
17:33 < krzee> turns out they arent taking security very seriously
17:33 < ecrist> lol
17:33 < krzee> i have access to all kinds of internal docs
17:33 < krzee> but yanno, owner is a buddy
17:34 < krzee> so he wouldnt care
17:34 < ecrist> heh, I thought you were talking about *my* network.
17:34 < krzee> no no
17:34 < krzee> i wont be doing anything of that sort
17:34 < krzee> that would be a violation of your trust
17:34 < ecrist> well, if you do notice anything, let me know. ;)
17:35 < krzee> joogot it
17:35 < ecrist> got hopped up on Jaegermeister and red bull last night.
17:35 < krzee> lol me too
17:35 < ecrist> was up till 4am drunk-dialing people
17:36 < ecrist> including a co worker. felt guilty this morning, till I looked at the call log and realized we talked for over an hour.
17:36 < krzee> HAHAH
17:36 < ecrist> called him today, he was drunk too.
17:36 < krzee> successful drunk dial!
17:36 < ecrist> +1 ecrist
17:37 < krzee> thats like +10
17:37 < krzee> successful drunk dials are RARE
17:37 < reiffert> :)
17:37 < ecrist> I had a successful reverse drunk-dial, too. started chatting with my brother on FB, asked him to call me.
17:37 < ecrist> he did.
17:37 < ecrist> we only talked for a half our
17:37 < ecrist> hour*
17:39 < krzee> woohoo got nessus updating again
17:39 < krzee> my code had expired it seems
17:40 * ecrist starts production web/db server upgrades.
17:40 < krzee> they should make the gui aware of that
17:40 < ecrist> 6.3 to 7.1
17:40 < krzee> nice
17:40 < krzee> i like 7
17:41 < ecrist> I don't like the new bridging in 7
17:41 < ecrist> it's more in line with linux, but I didn't mind the sysctl
17:41 < krzee> ahh its not sysctl anymore?
17:41 < krzee> i liked it that way too
17:42 < krzee> whats it now? some app in world?
17:42 < ecrist> part of ifconfig
17:42 < ecrist> bridgeX interface
17:42 < krzee> bleh
17:42 < ecrist> ifconfig bridge0 addm en0 addm sk0 addm en1
17:42 < ecrist> adds en0, en1, and sk0 into a bridge
17:45 < krzee> i wonder why they felt the need to change that
17:48 < ecrist> crap, forgot to build one of the kernels
17:48 < krzee> doh, world and kernel outta sync?
17:49 < krzee> thats never fun
17:53 -!- zamba [i=marius@sveigde.hih.no] has left ##openvpn []
17:54 * ecrist crosses fingers
17:56 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
17:59 -!- Bushmill- is now known as Bushmills
18:07 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out]
18:09 < ecrist> db server is back up and running.
18:09 < ecrist> now gotta wait for the damn kernel to compile on the web server.
20:06 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: pa, smk, Perun, Maxtehmantus
20:06 -!- Netsplit over, joins: Maxtehmantus, Perun, pa, smk
20:14 -!- Irssi: ##openvpn: Total of 56 nicks [0 ops, 0 halfops, 0 voices, 56 normal]
22:20 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
22:21 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
22:51 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
23:26 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
23:38 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
--- Day changed Mon Mar 02 2009
00:44 -!- Jason404 [n=eggbean@host86-133-254-187.range86-133.btcentralplus.com] has joined ##openvpn
00:45 -!- Jason404 [n=eggbean@host86-133-254-187.range86-133.btcentralplus.com] has quit [Client Quit]
01:01 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection]
01:01 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
01:16 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
01:42 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
02:45 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
03:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:28 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-df3ec362ca1415e2] has joined ##openvpn
03:31 < Boulate> Hi all ! I just have a little question : I try to configure an OPENVPN, authentication seems to be ok, tun0 is mounted on the server, but when I start the client, I have no dev tun0 in my ifconfig :( (lsmod tun0 is ok)
03:32 -!- c64zottel [n=hans@p5B17B5AB.dip0.t-ipconnect.de] has joined ##openvpn
03:35 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
03:50 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-df3ec362ca1415e2] has quit ["http://www.mibbit.com ajax IRC Client"]
03:55 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
04:00 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-523e3ca2ab5c9600] has joined ##openvpn
04:00 < Boulate> Hi all (again ;)) Still no "tap0" in my ifconfig (debian client), and the logs says : TCP connection established with xxx:xxx:xxx:xxx : xxx
04:01 < Boulate> did you already have this problem ?
04:03 < dazo> Boulate: from topic: "We need !configs and !logs"
04:03 < dazo> !configs
04:03 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:03 < dazo> !logs
04:03 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
04:05 < Boulate> ok ;)
04:48 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:52 -!- krzee [n=k@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)]
05:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
05:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:57 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-523e3ca2ab5c9600] has quit ["http://www.mibbit.com ajax IRC Client"]
06:16 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
06:29 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:41 -!- c64zotte1 [n=hans@p5B17A1E5.dip0.t-ipconnect.de] has joined ##openvpn
06:55 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
06:56 -!- c64zottel [n=hans@p5B17B5AB.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
07:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:10 -!- mikkel_ is now known as mikkel
07:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:13 -!- Solver [n=robert@99.229.28.193] has joined ##openvpn
07:30 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Read error: 60 (Operation timed out)]
07:30 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
08:12 -!- nemysis [n=nemysis@183-238.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
08:13 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has joined ##openvpn
08:24 < ecrist> morning, fuckers
08:25 < reiffert> ecrist is back :)
08:25 < ecrist> lol
08:38 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
08:39 < tjz|lunch> lol
08:39 -!- tjz|lunch is now known as tjz
08:42 -!- brutuz [n=brutuz@ip67-88-58-242.z58-88-67.customer.algx.net] has quit ["Leaving"]
10:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:33 -!- mike_electron [n=ErrolB@de1-as5172.alshamil.net.ae] has joined ##openvpn
10:35 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:44 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 60 (Operation timed out)]
10:59 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn
10:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:59 < krzee> !authpass
10:59 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
11:00 < nachox> guys, is it possible to setup 2 vpns (2 server.conf like files) listening in the same port? i basically need for them to use one or the other based on the certificate
11:01 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
11:04 < krzee> same port, only if diff protocol
11:04 < krzee> what are you trying to accomplish?
11:09 < nachox> different protocol?
11:09 < dazo> nachox: tcp/udp
11:09 < nachox> ohh
11:09 < dazo> nachox: but why?
11:10 < nachox> i have a couple of networks here and i want people to connect to one of them depending on the certificate they present
11:10 < nachox> username would do too i guess
11:10 < nachox> but certificate would be better
11:10 < dazo> nachox: which OS are you on?
11:10 < nachox> debian
11:11 < nachox> but windows clients would be connecting to it
11:11 < dazo> nachox: oki ... have a look at http://www.eurephia.net/ .... this can change iptables access for each VPN client based on username/cert
11:11 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
11:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:12 < dazo> nachox: or else it's either different protocol, port or IP which will give you the possibility to do this
11:12 < nachox> i seem thanks guys
11:13 < nachox> *i see
11:13 < dazo> nachox: you can also checkout --client-config-dir
11:14 < dazo> nachox: I use --client-config-dir together with eurephia .... and depending on username/cert ... I push separate routes via a special config for each user ... and I control the access in addition with iptables
11:15 < nachox> thanks, i'll read about that plugin you showed me, it seems like the most flexible idea
11:24 < nachox> dazo, ok, the plugin you told me about requires an SQLite db where the usernames that authenticate against it are, i cannot do that since i'm using kerberos/AD to authenticate users
11:24 < dazo> nachox: ouch
11:25 < dazo> nachox: then you have only --client-config-dir left
11:25 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:25 -!- c64zottel [n=hans@p5B17A104.dip0.t-ipconnect.de] has joined ##openvpn
11:26 < sigmonsays> How do you see who is connected to ur openvpn?
11:27 < dazo> sigmonsays: which openvpn version?
11:28 < sigmonsays> 2.1
11:28 < reiffert> sigmonsays: I evaluate status.log
11:28 < dazo> sigmonsays: if you have enabled management interface, you can check it via that (only in 2.1) .... log files ... or netstat
11:28 < reiffert> --status file [n]
11:28 -!- elshaa [n=elshaa@o.es6.aedgency.net] has quit ["leaving"]
11:28 < sigmonsays> reiffert, Nice!
11:29 < sigmonsays> exactly what I was looking for
11:29 * sigmonsays inherited a openvpn setup. still poking around
11:29 < reiffert> sigmonsays: check this out
11:29 < reiffert> !howto
11:29 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:29 < sigmonsays> awesome
11:31 < reiffert> sigmonsays: http://openvpn-web-gui.sourceforge.net/ might be interesting.
11:31 < vpnHelper> Title: OpenVPN Web GUI 0.3.x (at openvpn-web-gui.sourceforge.net) 11:31 < nachox> dazo, i dont think that'll do either, my plugin line is using the defaut plugin already and i cant change it if i want kerberos via pam to still work 11:31 < sigmonsays> I don't like gui's but glad it exists 11:37 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)] 11:38 < sigmonsays> is there a cli reporting tool that parses openvpn statu? 11:39 -!- c64zotte1 [n=hans@p5B17A1E5.dip0.t-ipconnect.de] has quit [Connection timed out] 11:40 < reiffert> sigmonsays: check out the openvpn management stuff 11:40 < sigmonsays> word 11:40 < reiffert> HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Duration 11:40 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 11:41 < reiffert> Doesnt look too complicated useing cat/less/more 11:45 < sigmonsays> i have a whole slew of things i'd liek to do ;) 11:45 < sigmonsays> seems the telnet ui / web page is suitable 11:46 -!- mike_electron [n=ErrolB@de1-as5172.alshamil.net.ae] has left ##openvpn [] 11:49 -!- nachox [n=imarambi@200.68.83.121] has quit ["Saliendo"] 12:09 < sigmonsays> *sigh* the gui just gives me "the openvpn server has no status file" but i've fixed all errors in the logs. 12:09 < sigmonsays> anyone run this with 2.1 ? 12:16 < sigmonsays> man this script is crap 12:24 < sigmonsays> Ugh. It doesn't even work w/ the newest version as the stauts headers have changed 12:24 < sigmonsays> Am I looking in the right place? obviously nobody uses the gui..... 12:34 < sigmonsays> ahh. multiple versions os status-file 12:48 < Gabriel25ny> sigmonsays look at webmin and webmin module for openvpn 12:48 < Gabriel25ny> I use the gui from ... 
webmin when I am lazy :)) 12:49 < sigmonsays> well there is stuff that's only doable in the telnet ui 12:49 < sigmonsays> i suppose I could do that 12:49 < sigmonsays> but I am donig this mostly for other people =) 12:50 < Gabriel25ny> sigmonsays then use webmin with openvpn modules 12:50 < sigmonsays> I hate webmin! 12:50 < ecrist> webmin is the devil 12:50 < Gabriel25ny> really easy ... to create ca client config 12:50 < sigmonsays> I shoulda RTFM 12:50 < Gabriel25ny> ecrist ... why are u saying that ? 12:51 < ecrist> it's code base is too messy, and module interactive works by accident. 12:51 < ecrist> :) 12:51 < Gabriel25ny> LOL 12:52 < ecrist> s/interactive/interaction/ 12:52 < Gabriel25ny> Well well I am useing webmin for samba config and openvpn ... and I never had a problem .. 12:52 < Gabriel25ny> but I start webmin when I need it 12:52 < ecrist> Gabriel25ny: without trying to insult, GUIs are for dweebs 12:52 < Gabriel25ny> rest of the time the service is toped 12:52 < ecrist> in terms of administering systems, anyways 12:53 < Gabriel25ny> ecrist ... you are right ... but when you have a lot of servers ... 12:53 < Gabriel25ny> then u have to think about ... 12:53 < ecrist> I *do* have a lot of servers, that's when LDAP comes in. 12:53 < Gabriel25ny> I can`t say to a client ... ssh in the box ... and do useradd lalala 12:54 < Gabriel25ny> then so smbpasswd -a lalala 12:54 < Gabriel25ny> and then go and edit /etc/samba/smb.cong 12:54 < ecrist> again, all done with LDAP 12:54 < Gabriel25ny> etc 12:54 < ecrist> :) 12:54 < ecrist> and I wrote a little PHP front-end for my dweebs, erm, coworkers. 12:56 < Gabriel25ny> Most of my customers are small business ... 12:56 < Gabriel25ny> and they have a server ... with openvpn samba ... etc 12:57 < Gabriel25ny> but if they need a new forlder to share ... then they use ... webmin ! 12:57 < sigmonsays> webminis the lsat thing u want when u have lots of servers 12:58 < Gabriel25ny> sigmonsays I have 100 customers ... 
and they have a server each ... I don`t want to be bother for "can i crate a new share folder, can I add another user 13:01 < sigmonsays> i'm definitely not happy w/ the webgui 13:01 < Gabriel25ny> yu because u know .... 13:01 < Gabriel25ny> ask your girlfrind ... to add a user in samba ... and give 755 permision to a folder :)) 13:01 < Gabriel25ny> :D 13:02 < sigmonsays> hehe 13:04 < Gabriel25ny> :)) 13:04 < Gabriel25ny> U got my point :) 13:05 < Gabriel25ny> I look like an idiot when I use GUI ... 13:05 < Gabriel25ny> because sometimes I have no idea what is that :) 13:05 < Gabriel25ny> but for people that they have no idea ... is good :) 13:05 < Gabriel25ny> few clicks away :) 13:11 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 13:22 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 13:33 -!- Irssi: ##openvpn: Total of 57 nicks [0 ops, 0 halfops, 0 voices, 57 normal] 14:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:20 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn 14:37 -!- magic_1 [n=magic_1@unaffiliated/magic1/x-836121] has joined ##openvpn 14:39 < magic_1> hi guys some help would be greatly appreciated 14:39 < magic_1> how would i test my conf from command line 14:39 < ecrist> what do you mean? 
14:39 < magic_1> well i havent got access to my webmin front end 14:40 < magic_1> you know how you would do a test before you would apply 14:41 < magic_1> well i only have ssh access to my server, however last thing i need is for it to crash 14:41 < magic_1> and i cant loose access at the moment 14:42 < magic_1> that would be the reason i would like to test 14:42 < magic_1> thanks guys for any help 14:44 < magic_1> i am not sure if safe-restart is going to do what is needed though 14:46 < magic_1> i have googled however i am just too worried at the moment to take any chances, really cant afford to loose connection if it fales 15:04 < magic_1> any thoughts 15:05 < magic_1> see the thing is i am trying to get openvpn setup 15:07 < magic_1> not keen to to shorewall restart 15:10 < reiffert> !howto 15:10 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:13 < magic_1> i have read it 15:13 < magic_1> thanks though 15:14 < magic_1> the openvpn part is not the problem 15:14 < reiffert> but? 15:14 < magic_1> just not sure of the command line commands i should use 15:15 < reiffert> beg your pardon? 15:15 < magic_1> i am not sure of the cmd line command that is needed to test the rules set before apply them 15:16 < reiffert> which ruleset? 15:17 < magic_1> well i created the rules that i wanted, now i usually use the webmin interface for shorewall 15:17 < magic_1> however i have only got cmd access at the moment 15:18 < magic_1> in the gui there is a "test" function that will check your rules before you can apply them 15:19 < reiffert> magic_1: better apply to a shorewall helper community. 15:19 < reiffert> #openvpn is about openvpn and not about rulesets nobody knows. 
15:19 < magic_1> true thanks
15:20 < magic_1> guys i must apologize i have been in the wrong window
15:21 -!- BATHORY [n=kleber@189.56.9.50] has joined ##openvpn
15:21 < BATHORY> hi
15:22 < BATHORY> somebody already have this error SIGUSR1[soft,tls-error] received, client-instance restarting
15:36 < reiffert> openvpn caught a signal.
15:36 < reiffert> signal name: USR1
15:36 < reiffert> read what USR1 is about here:
15:36 < reiffert> !man
15:36 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:23 < magic_1> hi guys im back, however this time it is an openvpn question, the vpn is up and running however for some reason i cannot access any of the hosts within the network
16:23 < magic_1> as before any help is greatly appreciated
16:25 -!- BATHORY [n=kleber@189.56.9.50] has quit ["Leaving"]
16:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:28 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["Leaving"]
16:29 -!- c64zottel [n=hans@p5B17A104.dip0.t-ipconnect.de] has quit ["Leaving."]
16:51 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: dijital1, Feltenix, higuita, imachine, eagle, onats1, sigmonsays, bandini, magic_1, Typone
16:51 -!- Netsplit over, joins: magic_1, dijital1, bandini, eagle, onats1, imachine, higuita, Feltenix, sigmonsays, Typone
16:52 -!- worch_ [i=worch@battletoad.com] has joined ##openvpn
16:55 -!- ropetin_ [n=ropetin@mail.sohoemailsolutions.com] has joined ##openvpn
16:56 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: higuita, dijital1, bandini, eagle, magic_1, imachine, Typone
16:56 -!- _vcs [i=vcs@alien.jinxshells.com] has joined ##openvpn
16:56 -!- vcs [i=vcs@alien.jinxshells.com] has quit ["changing servers"]
16:56 -!- _vcs is now known as vcs
16:56 -!- stephenh_ [i=stephenh@69.30.200.88] has joined ##openvpn
16:56 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 104 (Connection reset by peer)]
16:56 -!- worch [i=worch@battletoad.com] has quit [Read error: 104 (Connection reset by peer)]
16:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)]
16:57 -!- Netsplit over, joins: magic_1, dijital1, bandini, eagle, imachine, higuita, Typone
16:58 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: clustermagnet, vcs, mkultras, blaxthos, dazo, disco-, d0wn_, krzie_, pa, kaii, (+19 more, use /NETSPLIT to show all of them)
16:59 -!- Netsplit over, joins: stephenh_, vcs, Solver, smk, pa, Perun, Maxtehmantus, d0wn_, Bushmills, reiffert (+11 more)
16:59 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
16:59 -!- Netsplit over, joins: meturaf, huslu, hads, kaii, troy-, vpnHelper, hardwire
17:53 < reiffert> Bushmills: ping
18:20 -!- Feltenix [n=Tanstaaf@adsl-074-166-075-102.sip.asm.bellsouth.net] has left ##openvpn []
18:30 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:31 < hardwire> pong
18:33 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 145 (Connection timed out)]
19:29 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
19:33 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has joined ##openvpn
20:05 * dvl announces http://twitter.com/bsdcan
20:41 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Operation timed out]
20:42 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
20:50 * ecrist follows
22:08 < dvl> ecrist: heh, sorry, I didn't mean to spam that here.
23:28 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has quit [Read error: 60 (Operation timed out)]
23:28 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has joined ##openvpn
--- Day changed Tue Mar 03 2009
00:46 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
01:50 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
02:11 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
02:32 -!- BlackDex [n=opera@213.144.231.91] has joined ##openvpn
02:41 < BlackDex> Hello there
02:41 < BlackDex> i am trying to set up an OpenVPN server
02:41 < BlackDex> and i cant seem to get my client to connect
02:41 < BlackDex> here is the log and config
02:41 < BlackDex> http://pastebin.com/m642be26a
02:42 < dazo> BlackDex: have you tried to remove --client-config-dir from your config?
02:43 < BlackDex> nope
02:43 < BlackDex> i will try that
02:44 < dazo> BlackDex: try to read the error messages you get ... they are really obvious when you first spend some time reading them through
02:45 < BlackDex> hmm when i remove it i get the following Options error: --ccd-exclusive must be used with --client-config-dir
02:45 < BlackDex> so removing is not an option
02:46 < dazo> BlackDex: well, that just tells you that you have an issue with user configs which is supposed to be located under the --client-config-dir
02:46 < dazo> "--client-config-dir authentication failed for common name 'myname' file='/etc/openvpn/servers/Org/ccd/myname'"
02:47 < BlackDex> aha
02:47 < BlackDex> hmm
02:47 < dazo> do you have this file? /etc/openvpn/servers/Org/ccd/myname ... is it a valid config file?
02:47 < BlackDex> thx for pointing me in the right direction :)
02:47 < BlackDex> there are no files in that folder
02:48 < dazo> try adding an empty file
02:48 < BlackDex> i see that i missed an important step :S
02:48 < BlackDex> creating clients
02:48 < BlackDex> i only created a cert
02:49 < dazo> mm ... as I said .... error messages are not that unclear, and you even highlighted this error message for me
02:50 < BlackDex> i think i was looking too fast
02:54 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
03:08 < BlackDex> hmm it now goes a few steps further
03:09 < BlackDex> but now i get the following error message: Assertion failed at crypto.c:162
03:09 < BlackDex> in the server log
03:12 < dazo> BlackDex: uhh ... assertions are never good ... that's a bug, actually .... which version are you using?
03:13 < BlackDex> ah fixed :)
03:14 < BlackDex> had something to do with the cipher which is not supported on the server or the client
03:14 < BlackDex> selected another cipher, one with CBC and now it works
03:15 < dazo> BlackDex: hmmm ... but that should rather give a normal error message and not an assertion .... assertions caught when an error is not handled
03:15 < dazo> (if properly written, of course)
03:17 < BlackDex> has something to do with ubuntu/debian
03:24 < dazo> hmm
03:35 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
04:15 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has quit ["rboot! once in 584 days ;]"]
04:23 -!- onats1 [n=15172@221.121.120.254] has quit ["Leaving."]
04:34 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
04:34 < _jack--> can somebody guide me how to setup and configure vpn in linux?
05:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
05:37 < nemysis> I have OpenVPN compiled with "pam passwordsave ssl threads", is iproute2 needed for Server and Clients with dynamic IP Address?
05:40 < _jack--> nemysis: i want to simply configure OpenVPN in linux server... and if possible authentication with my ldap server
05:41 < _jack--> nemysis: have you any idea?
05:42 < nemysis> _jack-- I am new to OpenVPN
05:43 < _jack--> nemysis: me too...
05:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:00 < dazo> !howto
06:00 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:00 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
06:00 < dazo> _jack--: nemysis: ^ ^ ^
06:01 -!- nemysis [n=nemysis@189-114.3-85.cust.bluewin.ch] has joined ##openvpn
06:14 < _jack--> dazo: can you suggest me?
06:14 < _jack--> daze: how to install and configure?
06:15 < dazo> _jack--: I will just tell you the same which is in the howto ... so I'd prefer you to read that instead of having me quoting the howto .... much more efficient for both of us
06:15 < dazo> _jack--: you can also google "openvpn tutorial" ... you might find some nice articles from Linux Magazine or Linux Journal which can also help you out
06:34 < _jack--> dazo: ok thanks
06:36 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
07:25 < ecrist> good morning
07:26 < dazo> good morning!
07:56 < nemysis> good morning
07:56 < ecrist> hola
07:57 < nemysis> dazo Could You help me with dynamic IP Address on Server and Client
07:58 < dazo> nemysis: would like to, but I have a meeting in a few minutes and need to get prepared for it ... might be others here on the channel as well which might manage that
07:59 < nemysis> good have a good Meeting
08:00 < ecrist> nemysis: what is your problem?
08:00 < nemysis> I make new config for OpenVPN and not use it now
08:04 < ecrist> I don't understand.
08:23 < BlackDex> hello again
08:23 < BlackDex> i now have the vpn working, and i can access the samba share on the same server
08:23 < ecrist> gratz
08:25 < BlackDex> now we also have a network printer located on the local network
08:25 < BlackDex> which is normally accessible by 10.0.0.100
08:26 < BlackDex> i have added a route in the vpn to route all "10.0.0.0 255.255.255.0" traffic to the vpn
08:26 < BlackDex> but i can't access the printer with 10.0.0.100
08:26 < BlackDex> what am i doing wrong?
08:26 < ecrist> you need routes in both directions
08:26 < ecrist> !route
08:26 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
08:26 < ecrist> read that
08:26 < BlackDex> ah k :)
08:26 < BlackDex> i will look at that
08:44 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn
08:44 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
08:46 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has quit [Read error: 104 (Connection reset by peer)]
08:46 -!- dazo [n=dazo@nat/redhat/x-0459cfa7ce609b71] has joined ##openvpn
09:09 -!- BlackDex [n=opera@213.144.231.91] has quit [Read error: 104 (Connection reset by peer)]
09:23 -!- BATHORY [n=kleber@189.56.9.50] has joined ##openvpn
09:50 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
09:50 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
10:08 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
10:15 -!- rubydiamond [n=rubydiam@123.236.183.187] has joined ##openvpn
10:16 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [SendQ exceeded]
10:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:27 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:11 -!- mkultras_ [n=scotth@208.98.242.129] has joined ##openvpn
12:23 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out]
12:25 -!- mkultras [n=scotth@unaffiliated/mkultras] has quit [Read error: 110 (Connection timed out)]
12:27 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:29 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
12:35 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["Read error: 2.71828182846 (Excessive e)"]
13:04 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn
13:04 < Akuma> hello, I managed to connect to the openvpn I have access to, but I cannot navigate the net
13:04 < Akuma> anyone know how I can solve this?
13:09 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)]
13:13 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
13:14 -!- BlackDex [n=opera@93-125-176-168.dsl.alice.nl] has joined ##openvpn
13:19 < BlackDex> Hello again
13:19 < skx> I am considering getting a VPS with Debian, probably on openvz or sth like that -- what needs to be enabled by the provider for openvpn server to work on that configuration?
13:19 < BlackDex> i have setup a VPN
13:19 < skx> tun or tap module?
13:20 < BlackDex> i can connect to the samba share on that same server
13:20 < BlackDex> but not to any other computer/route/access-point
13:20 < BlackDex> This is the config: http://pastebin.com/d40c23b13
13:21 < skx> BlackDex, what system, bridging or routing?
13:21 < skx> I had the same problem with bridging on bsd, have not yet resolved that
13:21 < BlackDex> routing
13:21 < skx> add appropriate routes
13:21 < BlackDex> i think i have all i need
13:21 < skx> and no, I don't know what should these be ;)
13:21 < BlackDex> :p
13:21 < BlackDex> darn :)
13:22 < BlackDex> i just need one route as far as i know
13:22 < BlackDex> 10.0.0.0 255.255.255.0
13:22 < skx> is the machine you run openvpn server on also a gateway for the (real, physical) network?
13:22 < skx> gateway/router/whatever
13:23 < BlackDex> it is not the gateway
13:23 < skx> that's probably the problem
13:23 < BlackDex> it serves as DHCP server and file/web server
13:23 < skx> but I haven't resolved that one either ;)
13:23 < BlackDex> hmm
13:24 < skx> ok, back to my question ;)
13:24 < skx> I am considering getting a VPS with Debian, probably on openvz or sth like that -- what needs to be enabled by the provider for openvpn server to work on that configuration?
13:24 < skx> only tap or tun?
13:25 < skx> anybody? ;)
13:27 < Akuma> hello, I managed to connect to the openvpn I have access to, but I cannot navigate the net
13:27 < Akuma> how would I go about solving this problem?
13:36 -!- Typone [n=nnnnnits@195.197.184.87] has quit ["Terminated with extreme prejudice - dircproxy 1.1.0"]
13:37 < ecrist> ugh, this bug is kicking my ass.
13:39 -!- Typone [n=itsme@195.197.184.87] has joined ##openvpn
13:49 -!- c64zottel [n=hans@p5B17AC3F.dip0.t-ipconnect.de] has joined ##openvpn
13:50 -!- c64zottel [n=hans@p5B17AC3F.dip0.t-ipconnect.de] has left ##openvpn []
13:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)]
14:02 < reiffert> ecrist: still updating BSD?
14:02 < ecrist> no, still sick.
14:03 < reiffert> :(
14:04 < reiffert> Get well soon!
14:04 < ecrist> my wife is funny. I'm not one to go to the doctor, but she got me to go anyway. Kid has an appt tomorrow, she asked them to schedule me one at the same time (the three of us use the same doc)
14:04 < ecrist> hoping she'll give me good drugs tomorrow.
14:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:55 -!- Gumbler is now known as Gumbler|NotHere
14:55 -!- Gumbler|NotHere is now known as Gumbler
15:32 -!- BlackDex [n=opera@93-125-176-168.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
16:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:29 -!- BATHORY [n=kleber@189.56.9.50] has quit ["Fuisss"]
16:44 < Roman123> hi
16:56 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:03 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
18:07 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
19:40 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Remote closed the connection]
19:41 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn
20:11 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."]
20:13 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:21 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 104 (Connection reset by peer)]
20:21 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
--- Day changed Wed Mar 04 2009
00:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:30 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
00:31 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
00:35 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
00:38 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)]
00:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:52 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)]
01:35 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
01:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:10 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has joined ##openvpn
02:11 -!- nemysis [n=nemysis@189-114.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
02:11 -!- BlackDex [n=opera@213.144.231.91] has joined ##openvpn
02:11 < BlackDex> Hello again.
02:12 -!- nemysis [n=nemysis@213-76.3-85.cust.bluewin.ch] has joined ##openvpn
02:12 < BlackDex> I'm having problems with connecting to remote pcs/printers through the vpn
02:13 < BlackDex> i can only connect to the server where the vpn is connected on
02:13 < BlackDex> where the vpn is located on
02:13 < BlackDex> i have disabled the firewall etc..
02:13 < BlackDex> changed gateways, added routes to the router etc...
02:13 < BlackDex> what am i missing
02:14 < hads> ip forwarding?
02:14 < dazo> Akuma: Try checking out if you are using redirect-gateway ... looks like your default gateway goes away ... or another issue can also be that you push DNS server with an IP address which is not available for you
02:15 < dazo> BlackDex: is that remote pc/printer behind the openvpn server or openvpn client?
02:16 < dazo> BlackDex: I'd check out /proc/sys/net/ipv4/ip_forward .... it should be set to 1 as well
02:16 < BlackDex> ill explain it a bit
02:17 < BlackDex> we have a local LAN (10.0.0.0 255.255.255.0)
02:17 < BlackDex> the server where samba, vpn, web/ftp etc is located on is on 10.0.0.10
02:17 < BlackDex> the printer (with web interface) is located on 10.0.0.100
02:18 < BlackDex> there is also a route located on 10.0.0.254
02:18 < BlackDex> route = router/modem
02:18 < BlackDex> all services located on the server itself (10.0.0.10) are accessible
02:19 < BlackDex> through VPN that is
02:19 < BlackDex> everything else on the local LAN can't be reached
02:19 < BlackDex> no ping etc...
02:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:21 < dazo> BlackDex: oki ... where is the openvpn server located on the network, on the LAN's default gateway? Or is it inside, as a separate server on the LAN?
02:21 < BlackDex> a separate server on the LAN
02:21 < BlackDex> the router acts as gateway
02:22 < BlackDex> i also added a route to the router which routes 10.0.1.0 to 10.0.0.10
02:22 < BlackDex> but the ip_forward is currently set to 0
02:22 < hads> It needs to be 1
02:22 < dazo> BlackDex: try to flip that switch ;-)
02:22 < BlackDex> what does it do?
02:23 < hads> Forwards IP traffic :)
02:23 < dazo> BlackDex: it enables the kernel to forward IP traffic between interfaces
02:23 < BlackDex> do i only need to change it, and then its done?
02:23 < BlackDex> no services restart or something?
02:24 < dazo> BlackDex: nope, it's all in the kernel space
02:24 < BlackDex> whoho :P
02:24 < BlackDex> lets try
02:24 < dazo> BlackDex: you might want to edit /etc/sysctl.conf to make it reboot-proof
02:25 < dazo> but you'll need to flip it manually, or to reload the config with the sysctl command (forgot the proper options now)
02:26 < dazo> probably sysctl -p or something
02:27 < BlackDex> ah.. with the printer having the gateway set to 10.0.0.10 it works
02:28 < BlackDex> but i can't ping another local computer, because they don't have the 10.0.1.0 route added
02:29 < BlackDex> for example my computer has 10.0.0.2, but i can't ping it through the VPN
02:29 < dazo> BlackDex: does these computer have the default route to your router?
02:29 < dazo> *computerS
02:29 < dazo> (and the router, I presume do have the 10.0.1.0 route added)
02:31 < BlackDex> the default route of all the computers is that of the router
02:31 < BlackDex> and that router has a route added which redirects 10.0.1.0 to 10.0.0.10
02:32 < BlackDex> i can ping the router
02:35 < dazo> BlackDex: often such routes work ... but quite often, you need to put explicit routes on each client in these situations then
02:36 < BlackDex> any way to push them to the client through dhcp?
02:36 < dazo> BlackDex: I believe it is .... long time ago I configured my last DHCP server .... which DHCP server are you using?
02:36 < dazo> (I'm pretty much ISC dhcpd supports it)
02:37 < BlackDex> isc-dhcpd-V3.1.1
02:38 < BlackDex> ill go try and look for something to do that :)
02:38 < dazo> BlackDex: why not placing openvpn server on your router?
02:40 < dazo> BlackDex: http://www.ezgr.net/blog/2009/03/03/distributing-multiple-routes-with-isc-dhcpd-and-dnsmasq/
02:40 < vpnHelper> Title: Distributing multiple routes with ISC DHCPd and dnsmasq | Priestjim's Geeklog (at www.ezgr.net)
02:41 < BlackDex> dazo, the router is from my ISP
02:41 < hads> I have seen the same. My home network (OpenWRT and Linux clients) works fine with a route on the default router. A client's office (Netgear router and Windows clients) will not route from VPN clients to the LAN
02:41 < dazo> BlackDex: aha ... then I understand ... and of course, you don't need to have DHCP on the router ..... silly me
02:41 < BlackDex> i could change the gateway address in the DHCP to always use 10.0.0.10
02:42 < dazo> BlackDex: and then let that box route to default gw afterwards ..... hmmm .... might work
02:42 < BlackDex> so all clients use the 10.0.0.10 as a gateway
02:42 < hads> I used a bridged setup for that client to work around the issue.
02:42 < BlackDex> but then, if that server goes down for maintenance or something, there is no internet :p
02:43 < dazo> BlackDex: but that only happens during night, when nobody is on the LAN, right? ;-)
02:44 < BlackDex> mostly yes :)
02:44 < BlackDex> but ill try the DHCP option
02:44 < BlackDex> like it more :)
02:45 < dazo> hads: I've had the same issues in Linux as well many years ago ... but that was back in the 2.0.x kernel series .... I believe that has improved now :)
02:45 < dazo> openwrt (stable) uses 2.4 kernels, I believe ....
02:45 < hads> dazo: I have been blaming the crappy Netgear router but I don't have a Windows box here to test on my LAN
02:46 < hads> OpenWRT uses 2.4 for broadcom devices (WRT54G etc.) and 2.6 for others.
02:46 < dazo> hads: nah, not worth testing .... won't work anyway, will it? ;-) :-P
02:46 < hads> Probably not :)
02:46 * dazo got a WRT54
02:46 * hads too
02:46 < hads> OpenWRT 8.09 was released the other day
02:47 * dazo goes to check that out
02:49 < reiffert> hads: 8.09 brings some nice features but it's broken as hell.
02:50 < hads> Oh yeah? Lucky I haven't upgraded then :)
02:51 < hads> Whatever I'm running currently works well anyway.
02:55 * dazo catches the hint .... stays away a little bit longer
02:57 < hads> What's actually broken out of interest?
03:21 < reiffert> wifi on broadcom to name one. checkout the bug database.
03:28 < BlackDex> well i want to thank you all for helping :)
03:28 < BlackDex> the main machines needed are accessible now
03:29 < dazo> BlackDex: congrats! :)
03:29 < BlackDex> in a few days we get another router which supports static routes, and that should fix the rest :)
03:30 < hads> Thanks.
03:33 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has quit ["Leaving."]
03:34 -!- lyles [n=song@124.161.72.166] has joined ##openvpn
03:35 < hads> I don't think I need to spend my evening looking through OpenWRT's trac.
03:35 -!- lyles [n=song@124.161.72.166] has left ##openvpn []
03:43 -!- BlackDex [n=opera@213.144.231.91] has left ##openvpn []
04:50 -!- onats [n=onats@unaffiliated/onats] has quit [Connection timed out]
05:08 -!- mrfree [n=mrfree@host1-89-static.40-88-b.business.telecomitalia.it] has joined ##openvpn
05:08 < mrfree> hi all
05:09 < mrfree> the openvpn server pushes a default gw... how can I prevent this client-side?
05:41 -!- stintel [i=stijn@madwifi/support/stintel] has joined ##openvpn
05:43 -!- stintel [i=stijn@madwifi/support/stintel] has left ##openvpn []
05:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:56 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
06:00 -!- mrfree [n=mrfree@host1-89-static.40-88-b.business.telecomitalia.it] has quit ["Leaving"]
06:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:17 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has joined ##openvpn
08:49 -!- mkultras_ is now known as mkultras
10:34 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:53 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
11:16 < nemysis> Hello Can I have on Server and on Client Dynamic IP Address as NOip, DynDNS or I must use on Server static IP Address?
11:17 -!- antoine__ [n=antoine@193.253.141.89] has joined ##openvpn
11:17 < ecrist> nemysis: static IP is ideal, but dynamic IP with dyndns service should be OK.
11:18 < nemysis> thanks
11:18 < antoine__> hello
11:18 < ecrist> hi
11:19 < antoine__> i look information to make vpn with ipsec on ubuntu 8.10 to a Symbian S60V3 mvpn client
11:19 < antoine__> look for
11:19 < ecrist> antoine__: openvpn is not ipsec
11:19 < ecrist> it is ssl
11:19 < antoine__> do i have to use openswan?
11:20 < ecrist> not sure what that is
11:20 < dazo> antoine__: I don't think it exists an openvpn client for Symbian even .....
11:20 < antoine__> i know openvpn is not ipsec protocol
11:20 < dazo> antoine__: openswan or freeswan are both ipsec
11:21 < dazo> antoine__: but I don't know which of them is good or not .... I don't use and have not been forced to use it ... so I've skipped digging into it
11:21 < antoine__> with which tools can i generate keys on my computer for my mobile ipsec client
11:21 * ecrist uses cisco gear for ipsec
11:22 < dazo> antoine__: dunno .... at this channel .... we mostly know about openvpn .... not so much ipsec things ..... maybe try #openswan or #freeswan (if they are here)
11:22 < antoine__> cisco gear is mobile client , if i use this i have to install vpnc on ubuntu?
11:23 < dazo> antoine__: vpnc is also just a client
11:23 < dazo> antoine__: but, yeah ... if you need a Ubuntu client too
11:24 < antoine__> is it possible to use other protocol vpn client on symbian?
11:25 < dazo> antoine__: if you have the right software, everything is possible ..... but I haven't heard about any openvpn client yet, people have been asking about it on the openvpn-users mailing list ... but nobody have responded with any particular clues
11:25 < antoine__> if i do not use the nokia software mvpn ipsec client which one do i have to choose?
11:26 < antoine__> ipsec is defined by IETF what's the difference with openvpn?
11:26 < dazo> antoine__: you'll have to search for it .... but afaik, it only exists ipsec based VPNs for Symbian
11:27 < antoine__> have you read it ? http://www.jacco2.dds.nl/networking/linux-l2tp.html
11:27 < dazo> antoine__: its different in the protocol layer .... and also in implementation .... ipsec needs to have code paths deep into the network layer in the kernel space, while openvpn is a software which do not need anything particular in kernel-space
11:27 < vpnHelper> Title: Using Linux as an L2TP/IPsec VPN client (at www.jacco2.dds.nl)
11:28 < antoine__> which layer?
11:28 < dazo> antoine__: yeah, it exists a lot of l2tp/IPsec for Linux
11:28 < antoine__> transport layer?
11:28 < dazo> antoine__: I don't remember, but it does a lot of things in the kernel space .... which is why I basically do not like ipsec
11:28 < dazo> antoine__: most probably
11:29 < antoine__> humm i am embarrassed
11:29 < dazo> antoine__: and it does this on the interface where the encrypted ipsec traffic goes in and out ....
11:30 < dazo> antoine__: while openvpn is just a user-space software which behaves just like an ordinary network service .... and puts the decrypted traffic into a virtual network interface
11:30 < dazo> antoine__: why embarrassed?
11:33 < antoine__> i am embarrassed because i hoped that it would be easier
11:33 < dazo> antoine__: hmm .... sorry for that
11:34 < dazo> antoine__: but if you really want to go the ipsec path .... try the #openswan channel here
11:36 * dazo vanishes for today
11:39 < antoine__> dazo thanks you gave me lots of information and i try to understand all of it
11:48 < antoine__> to resume, only ipsec makes it possible and there is no other without ipsec?
11:48 < antoine__> no other way without ipsec?
11:48 < antoine__> but if i make my own software
11:49 < antoine__> or find it?
11:53 < antoine__> virtual network interface is also called TAP?
12:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
13:10 -!- neuro_damage [n=neuro@nat-vlan200.sat.rackspace.com] has joined ##openvpn
13:21 < antoine__> help to tunnel computer and nokia
13:28 < neuro_damage> so I was curious, I want to setup an openvpn client, I have a config file and a .key file, how do I exec on the config file etc ...
13:32 < antoine__> no SSL client for symbian?
13:33 < antoine__> what's the difference between ssl and ipsec?
14:20 -!- magic_1 [n=magic_1@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)] 14:20 -!- magic_1 [n=magic_1@41.208.50.160] has joined ##openvpn 14:24 -!- SpiritedBB [n=Spirited@208.50.100.19] has quit [Read error: 110 (Connection timed out)] 14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:19 < dvl> antoine__: for you: http://lmgtfy.com/?q=what%27s+difference+between+ssl+and+ipsec%3F 15:19 < vpnHelper> Title: Let me google that for you (at lmgtfy.com) 15:19 -!- antoine__ [n=antoine@193.253.141.89] has quit ["Quitte"] 15:49 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has quit ["Leaving."] 17:29 -!- meturaf [i=meshuga@lenin.ww88.org] has quit [Read error: 110 (Connection timed out)] 17:54 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn 18:06 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 18:09 -!- mkultras [n=scotth@unaffiliated/mkultras] has quit [Read error: 110 (Connection timed out)] 18:21 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Connection timed out] 18:23 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 18:36 -!- Akuma0n4 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 18:38 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 18:51 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 18:56 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 19:01 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 19:02 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [SendQ exceeded] 19:11 -!- Akuma0n4 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 19:12 -!- arzen1013 [i=dce79842@gateway/web/ajax/mibbit.com/x-1d41d6c65478c97f] has joined 
##openvpn 19:15 < arzen1013> Hi all, I have a question, I have a machine as openvpn server, not gateway; its vpn IP is 10.8.0.1, local connection IP is 192.168.1.2, I want to make another LAN machine, 192.168.1.6, able to access the vpn LAN 10.8.0.1, how do I do that? thanks 19:16 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 19:36 < arzen1013> hello, anybody here? 19:55 < arzen1013> hello, anybody here? 19:55 < arzen1013> I have a question, I have a machine as openvpn server, not gateway; its vpn IP is 10.8.0.1, local connection IP is 192.168.1.2, I want to make another LAN machine, 192.168.1.6, able to access the vpn LAN 10.8.0.1, how do I do that? thanks 20:24 < hads> !route 20:24 < vpnHelper> hads: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 20:28 < arzen1013> hads: I have read it more than once 20:31 < arzen1013> hads: I can access the client LAN from the openvpn server machine, but I want to access the client LAN from another server LAN machine, I don't know how to add the route in the gateway 20:45 -!- xjkx [n=x@unaffiliated/xjkx] has joined ##openvpn 20:47 < xjkx> I ran openvpn --ca (the ca file) --config (the config file), typed user and password, it says "Wed Mar 4 23:55:29 2009 Initialization Sequence Completed" but I open my browser and go to a website that tells my IP and it's the same. I am new to this, am I messing something? 
20:47 < xjkx> missing* 20:49 < xjkx> about my logs, there is nothing you wanna see, except this "Thu Mar 5 00:00:36 2009 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system" 20:55 -!- xjkx [n=x@unaffiliated/xjkx] has quit [Read error: 104 (Connection reset by peer)] 20:56 -!- xjkx [n=x@unaffiliated/xjkx] has joined ##openvpn 20:56 < xjkx> added a default gw, and now it just doesn't ping 21:06 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn 21:09 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 21:10 -!- xjkx [n=x@unaffiliated/xjkx] has left ##openvpn [] 21:41 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)] 22:33 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Read error: 110 (Connection timed out)] 22:47 -!- xjkx [n=x@unaffiliated/xjkx] has joined ##openvpn 22:47 < xjkx> anyone there? I asked some hours ago 22:57 -!- nemysis [n=nemysis@213-76.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 22:58 -!- nemysis [n=nemysis@194-92.3-85.cust.bluewin.ch] has joined ##openvpn 22:58 < xjkx> nemysis: hi 23:22 < xjkx> !route 23:22 < vpnHelper> xjkx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 23:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn --- Day changed Thu Mar 05 2009 00:15 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 00:15 < lavren> A friend and I have a site-to-site VPN -- the connection seems to go idle really quickly, so within 5 minutes if I ping his VPN router from mine, it doesn't respond -- but if you try it again in about 10 seconds it starts responding again 00:16 < lavren> I'm not familiar with openvpn at all, but what typically causes something like this over an internet VPN? 00:32 -!- fuffalo 
[n=fuffalo@S0106002191ea672c.cg.shawcable.net] has joined ##openvpn 00:33 < fuffalo> if I'm connecting to an openvpn server and I'm behind a router, do I need to change anything in my router? 00:33 < fuffalo> !route 00:33 < vpnHelper> fuffalo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 00:49 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has left ##openvpn [] 00:55 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 01:12 -!- harrisony [n=harrison@unaffiliated/harrisony] has joined ##openvpn 01:13 < harrisony> is there any nice way of having openvpn set up so every node is a client and a server (if that makes sense) 01:15 < harrisony> kinda like a mesh network in a way 01:39 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 01:46 < xjkx> harrisony: people are dead here :s do you know a free vpn service? 01:47 < harrisony> the only thing I can think of is hamachi.cc 01:47 < harrisony> which isn't openvpn 01:49 < xjkx> okay :s harrisony, are you experienced with openvpn? I can't ping when I connect 01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:52 < xjkx> polaru: are you experienced with openvpn? 
I can't ping when I connect 01:55 < harrisony> xjkx, no, and you're not going to get help by spamming whenever anyone joins 01:55 < harrisony> I would try the mailing list 02:07 -!- c64zottel [n=hans@p5B17B1FD.dip0.t-ipconnect.de] has joined ##openvpn 02:07 -!- stephenh_ [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)] 02:10 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 02:19 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)] 02:21 < xjkx> harrisony: sorry, I wasn't meaning to spam 02:45 -!- xjkx [n=x@unaffiliated/xjkx] has quit [Read error: 110 (Connection timed out)] 02:51 -!- xjkx [n=x@201009150172.user.veloxzone.com.br] has joined ##openvpn 02:59 -!- nemysis [n=nemysis@194-92.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 03:03 -!- magic_1 [n=magic_1@41.208.50.160] has quit ["Leaving"] 03:15 -!- nemysis [n=nemysis@170-62.106-92.cust.bluewin.ch] has joined ##openvpn 03:37 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 03:44 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 03:44 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Remote closed the connection] 03:50 -!- `VL [n=vl@82.138.2.25] has joined ##openvpn 03:51 < `VL> hello. does openvpn allow setting the local port for a client? I set the option in the config file, but it looks like openvpn just ignores it ;-( http://rafb.net/p/AIe9n746.html 03:51 < vpnHelper> Title: Nopaste - x (at rafb.net) 03:55 < reiffert> --bind --nobind 03:55 < reiffert> !man 03:55 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:56 < `VL> hm.. nobind is not set. is it set by default? 04:03 < `VL> there is no --bind option in 2.07, nobind is not set, I tried to add 'local myaddr potr' but it still doesn't want to bind to the specified local port and uses a random one... 
04:06 < reiffert> 2.07 is ancient. 04:15 -!- kwek [n=kwek@206.Red-83-40-162.dynamicIP.rima-tde.net] has joined ##openvpn 04:15 < kwek> hey.. openvpn works fine for me and my colleague to the office.. but we can't ping each other.. what could this be? 04:17 < reiffert> !client-to-client 04:17 < vpnHelper> reiffert: Error: "client-to-client" is not a valid command. 04:18 < reiffert> --client-to-client 04:18 < `VL> Bug: http://sourceforge.net/tracker2/index.php?func=detail&aid=1159432&group_id=48978&atid=454719 No bind to local port in tcp mode ;-( 04:18 < vpnHelper> Title: SourceForge.net: OpenVPN: Detail: 1159432 - openvpn doesn't bind to a specific port in tcp mode (at sourceforge.net) 04:19 < kwek> reiffert, thanks.. I'll enable that 04:20 < reiffert> `VL: See 2nd comment. 04:20 < `VL> yes, I understand 04:21 < `VL> anyway, the reasoning is strange. this option exists to modify the default behaviour of the client. 04:28 < reiffert> udp 04:29 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: krzee 04:29 -!- Netsplit over, joins: krzee 04:30 -!- arzen1013 [i=dce79842@gateway/web/ajax/mibbit.com/x-1d41d6c65478c97f] has quit ["http://www.mibbit.com ajax IRC Client"] 04:38 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: krzee 05:02 -!- `VL [n=vl@82.138.2.25] has left ##openvpn ["happines is a positive cache flow"] 06:17 -!- mib_0b9j3e [i=52e6d07c@gateway/web/ajax/mibbit.com/x-2af0ec9d8bbd1f9d] has joined ##openvpn 06:24 < mib_0b9j3e> hi 06:24 < mib_0b9j3e> there 06:24 < mib_0b9j3e> I'm trying to install an openvpn server on mac os x 06:25 < mib_0b9j3e> by running this command I got this error: sudo openvpn server.conf 06:25 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 60 (Operation timed out)] 06:26 < reiffert> mib_0b9j3e: google up tunnelblick 06:26 < reiffert> == openvpn + gui for OSX 06:26 < mib_0b9j3e> I got this error: http://paste.ubuntu.com/126675/ 06:27 < reiffert> openvpn --config ...server.conf 06:28 < reiffert> mib_0b9j3e: dev tun0 instead of 
dev tun. 06:29 < mib_0b9j3e> I got this one http://paste.ubuntu.com/126676/ 06:29 < mib_0b9j3e> k, I will try 06:33 -!- mib_0b9j3e [i=52e6d07c@gateway/web/ajax/mibbit.com/x-2af0ec9d8bbd1f9d] has quit ["http://www.mibbit.com ajax IRC Client"] 06:35 -!- mib_yua12r [i=52e6d07c@gateway/web/ajax/mibbit.com/x-c3ed7592f31600e6] has joined ##openvpn 06:35 < mib_yua12r> sorry 06:35 < mib_yua12r> connection down 06:36 < mib_yua12r> now I get this error 06:36 < mib_yua12r> http://paste.ubuntu.com/126678/ 06:36 < mib_yua12r> by changing dev tun to dev tun0 06:37 < mib_yua12r> hello reiffert 06:37 < reiffert> hi mib_yua12r 06:38 < reiffert> where are you from? 06:38 < mib_yua12r> from france 06:38 < reiffert> ah, do you speak French? 06:38 < mib_yua12r> of course 06:38 < mib_yua12r> man 06:39 < mib_yua12r> and you? 06:39 < reiffert> a little bit 06:39 < mib_yua12r> where are you from? 06:39 < reiffert> Germany, Mayance 06:39 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 06:39 < mib_yua12r> cool 06:39 < mib_yua12r> but I don't speak German 06:39 < reiffert> mib_yua12r: however, create that /dev/tun0 by running openvpn --mktun tun0 06:41 < mib_yua12r> sudo openvpn --mktun tun0 Password: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: mktun Use --help for more information. 06:41 < reiffert> openvpn --mktun --dev tun0 06:41 < mib_yua12r> sudo openvpn --mktun --dev tun0 Unrecognized option or missing parameter(s) in [CMD-LINE]:1: mktun Use --help for more information. 06:42 < reiffert> wtf. wait. 06:42 < mib_yua12r> thx 06:43 < reiffert> ./openvpn --help |grep mktun 06:44 < mib_yua12r> Macusers$ ./openvpn --help |grep mktun -bash: ./openvpn: No such file or directory 06:44 < reiffert> come on, think. 06:45 -!- kwek [n=kwek@206.Red-83-40-162.dynamicIP.rima-tde.net] has left ##openvpn ["Ex-Chat"] 06:46 < mib_yua12r> apparently there is no help file 06:46 < reiffert> did you load the kernel extension tun.kext yet? 
06:46 < reiffert> kextstat |grep tun 06:47 < mib_yua12r> I'm just trying to follow this tutorial 06:47 < mib_yua12r> http://doc.ubuntu-fr.org/openvpn 06:47 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org) 06:47 < reiffert> did you load the kernel extension tun.kext yet? 06:47 < reiffert> kextstat |grep tun 06:48 < mib_yua12r> yes, I just did 06:48 < reiffert> kextstat |grep tun 06:48 < mib_yua12r> how do I run tun.kext? 06:49 < mib_yua12r> is it with this command: kextstat |grep tun 06:49 < mib_yua12r> ? 06:49 < reiffert> tun.kext is a kernel extension. 06:49 < reiffert> you need that kernel extension. 06:49 < reiffert> it creates /dev/tun0 06:49 < reiffert> openvpn needs it. 06:50 < reiffert> tun.kext comes with tunnelblick. tunnelblick bundles openvpn and a gui. You know tunnelblick? 06:50 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn 06:50 < mib_yua12r> tunnelblick 06:51 < mib_yua12r> is it not an openvpn client? 06:51 < mib_yua12r> does it work as a server? 06:51 < reiffert> we only need that tun.kext from tunnelblick 06:52 < mib_yua12r> is tunnelblick for server or for client? 06:53 < reiffert> both 06:53 < mib_yua12r> ok 06:53 < reiffert> 1. Get tunnelblick. 2. Install Tunnelblick, 3. Say "Let's continue" 06:54 < mib_yua12r> ok thx a lot 06:54 < mib_yua12r> my battery is down now 06:54 < mib_yua12r> I'm on a macbook 06:54 < mib_yua12r> outside 06:54 < mib_yua12r> maybe the charge will be down soon 06:54 < reiffert> k 06:55 < mib_yua12r> so I have to install tunnelblick 06:55 < mib_yua12r> and generate a key from it 06:55 < mib_yua12r> to use it from windows mobile 06:55 < mib_yua12r> is it possible? 
06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# ls -al /dev/tun0 06:55 < reiffert> ls: /dev/tun0: No such file or directory 06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# kextload tun.kext 06:55 < reiffert> kextload: tun.kext loaded successfully 06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# ls -al /dev/tun0 06:55 < reiffert> crw-rw---- 1 root wheel 10, 0 Mar 5 14:02 /dev/tun0 06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# --- Log closed Thu Mar 05 06:58:03 2009 --- Log opened Thu Mar 05 06:58:26 2009 06:58 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 06:58 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal] 06:58 -!- Irssi: Join to ##openvpn was synced in 1 secs 07:08 -!- mib_pfoeil [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7e81b0b071d570e2] has joined ##openvpn 07:08 < mib_pfoeil> hi reiffert 07:08 < mib_pfoeil> I'm back 07:08 < mib_pfoeil> I just finished installing tunnelblick 07:14 < mib_pfoeil> well, I'm trying to install openvpn on my mac os x 07:22 -!- mib_pfoeil [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7e81b0b071d570e2] has quit ["http://www.mibbit.com ajax IRC Client"] 07:39 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 07:40 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 07:55 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has joined ##openvpn 07:55 < A[D]minS^Work> in the config file.. what should I add for -> ifconfig 07:55 < A[D]minS^Work> ifconfig ipaddress gateway? 07:56 < dazo> A[D]minS^Work: you should probably read the docs more carefully ... 
it's pretty well explained there 07:56 < A[D]minS^Work> ok thx dazo 08:01 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has left ##openvpn ["Ex-Chat"] 08:03 < A[D]minS^Work> just a question for whoever can answer it 08:04 < A[D]minS^Work> what is the difference between "VPN server list with symmetric key" and "VPN server list" in Webmin 08:04 < A[D]minS^Work> and which one should I use to create my configuration file 08:06 < A[D]minS^Work> local-Peer 192.168.1.1 192.168.1.254 ? 08:09 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has left ##openvpn ["Leaving"] 08:30 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has joined ##openvpn 08:30 < platin> hey 08:30 < platin> I've got a problem with my vpn 08:31 < platin> the computer is in a domain - and I use openvpn with the gui. the user has no administration privileges 08:31 < platin> now I want to start the openvpn service 08:31 < platin> but it says 08:31 < platin> failed to open "openvpnservice" 08:31 < platin> how to fix? 08:34 < ecrist> foo 08:44 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn 08:44 < Tophat> anyone have any experience taking the configuration from a Watchguard firewall to the OpenVPN platform? 08:45 < platin> no one has an idea? 09:25 < xjkx> do you know any free service with shell access? 09:25 < ecrist> there are many of them out there. 09:25 < ecrist> use google. 09:26 < xjkx> I came from there already, tried "vpn account" free "shell access" and some other keywords 09:56 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 09:57 < xjkx> ecrist: suggest me some keywords then 10:00 < ecrist> http://lmgtfy.com/?q=free+shell+account 10:00 < vpnHelper> Title: Let me google that for you (at lmgtfy.com) 10:03 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn 10:06 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 10:08 < dazo> ecrist: that link rocks! 
10:08 < dazo> :D 10:09 < ecrist> yeah, I found that site about two months ago, someday, I'll write a module for our bot. :) 10:09 < dazo> +1 10:29 < xjkx> that's for a free shell, not for a vpn with shell access 10:33 < dazo> xjkx: well, it's probably just a matter of readjusting the google query then ... if you can't find anything, hey, we're not better here at finding things than google already is 10:40 < xjkx> huh, what? I just asked if anybody knew one server like that, he said I should have googled, and I told him I already did and expected maybe he would give me better keywords than mine, it's not like I came here to ask for help googling lol 11:09 < reiffert> xjkx: and your openvpn question is? 11:17 -!- hads [n=hads@argon.nice.net.nz] has quit [Remote closed the connection] 11:18 -!- hads [n=hads@argon.nice.net.nz] has joined ##openvpn 11:58 < xjkx> reiffert: there is no ##vpn, which makes this channel the closest to my question, that's how we usually do it on freenode. anyway, I've got an openvpn question, thanks for asking. I will try to explain it: I connect by pppoe-start and after running the command "route" I see there is no default router set, which is why my message log cries about that, then I copied the only entry I had there and added it as default (route add default gw ip), so openvpn stopped 11:58 < xjkx> oh, and if I don't add a default gateway, I can access websites after connecting to the vpn server, the problem is that my IP remains the same 11:59 < xjkx> like it isn't connected, probably because it couldn't find the default router (which I added, as mentioned in the first explanation) 12:00 < xjkx> and even with no default router set I have no problem with my normal connection, I think that's because it's the only one there, no idea 12:04 -!- Jason404 [n=eggbean@host86-145-72-251.range86-145.btcentralplus.com] has joined ##openvpn 12:05 < Jason404> hey, does OpenVPN have any advantages over a hardware based PPTP VPN, like a cheap Netgear Prosafe router? 
12:06 < Jason404> when you are connected to an OpenVPN VPN, do you still keep your local network web connection? 12:06 < Jason404> do you with a PPTP hardware VPN? 12:06 < dazo> Jason404: well, I'd guess that Netgear's router is also just running the VPN parts as software in its own closed router OS 12:07 < Jason404> any differences for the user though? 12:07 < dazo> Jason404: yes, local, that's kept ... well, you can configure it in a diversity of ways 12:07 < Jason404> so being connected to the VPN does not affect your local networking or web? 12:07 < dazo> Jason404: probably not ... well, PPTP is built into Windows .... while openvpn requires additional software to be installed 12:07 < Jason404> is that the case for a PPTP VPN as well, or not? 12:07 < dazo> Jason404: I don't know ... I've never tried setting up a PPTP server 12:08 < Jason404> dazo: ic 12:08 < Jason404> I am not sure which way to go 12:08 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:08 < dazo> Jason404: but I can highly recommend openvpn .... it's open source, and it is rock solid .... I'm using OpenVPN 2.1_RC15 in production ... not had any issues 12:09 < Jason404> as OpenVPN has the disadvantage of it running on the very same server that I would need to connect to to fix if it was broken 12:09 < dazo> Jason404: and I'm using that with both Linux and Windows clients 12:09 < Jason404> so if I SSH/RDP into the server, the VPN will go down when I reboot it 12:10 < Jason404> dazo: I like what I hear about OpenVPN 12:10 < dazo> Jason404: well ... you could also set up a pure openvpn server in your network ... then the VPN wouldn't drop when your other boxes are rebooted 12:11 < Jason404> I would like to know if PPTP VPNs can also be connected to while keeping the local web connection, without having to use the remote connection gateway 12:12 < Jason404> dazo: ic. 
But I am a home user, and do not want lots of machines on all the time, due to electricity costs. The only machine that will be on 24/7 will be my server, which would also be the only candidate for OpenVPN 12:12 < dazo> Jason404: http://www.soekris.com/net5501.htm ;-) 12:12 < vpnHelper> Title: Soekris Engineering > net5501 (at www.soekris.com) 12:12 < Jason404> the server is rock solid stable though, so having a software VPN on it is not a big issue 12:13 < Jason404> how much would a micro-ATX machine cost to build? 12:14 < Jason404> I have been thinking of building a low-power HTPC, just powerful enough to decode Blu-Ray 12:14 < Jason404> that would be good to use for OpenVPN I suppose 12:14 < dazo> Jason404: depends on your local dealers ;-) ... that soekris costs about EUR230 ... add a flash or a 2.5" IDE or SATA disk ... and you're there 12:15 < Jason404> not powerful enough to decode Blu-Ray though? 12:15 < dazo> Jason404: well, it's a 500MHz SoC .... so probably not :) 12:15 < Jason404> would be neat to make a low-power machine 12:16 < Jason404> yeah, thanks dazo. I will consider this route 12:16 < Jason404> although it will have to be able to do the Blu-Ray thing 12:16 < dazo> Jason404: well, soekris does have a VPN board, to off-load encryption from the main CPU ... not sure if you can use that as well to decrypt Blu-Ray disks 12:16 < Jason404> and HD gfx 12:16 < dazo> http://www.soekris.com/vpn1401.htm 12:16 < vpnHelper> Title: Soekris Engineering > vpn14x1 (at www.soekris.com) 12:17 < Jason404> would that card make the VPN connection faster or something? 12:18 < Jason404> this will only be a single connection VPN needed 12:19 < Jason404> I would not need CPU offloading if I am not at home watching Blu-Ray discs anyway, as the machine would be powerful enough for VPN if it can play BR 12:19 < dazo> Jason404: yeah, it will help encryption and decryption ... only BSD supported at the moment, Linux development in progress ... 
it claims to be able to handle between 210 and 400Mbps encryption streams 12:19 < Jason404> I will just have to find out what the minimum spec is for BR 12:19 < Jason404> ic 12:21 < Jason404> even with using OpenVPN, I guess it would be a good idea to forward a port through NAT to another machine, just in case the VPN is down 12:21 < Jason404> insecure though? 12:23 < Jason404> dazo: so you are totally sure that with OpenVPN, you can still use your normal local connection at the same time as the VPN connection? 12:23 < Jason404> I just need to know that for sure 12:23 < Jason404> and are there any issues with the beta, as I would need to use that for Win2008 12:23 < dazo> Jason404: very sure ... to redirect the default traffic, you need to configure that explicitly ... actually, if you do not configure any network routes, all you have is an empty tunnel between two nodes 12:24 < Jason404> ok cool. I did not understand that, but I suppose I will once I start using it 12:24 < dazo> Jason404: For Vista (and most probably 2008) you must run 2.1_rc15 ... but, I'm confident that is rock solid ... I've run it in production since the release, and I have had no issues 12:25 < Jason404> great 12:26 < dazo> Jason404: to be honest, I would be surprised if RC15 does not become the stable 2.1 release, which is expected to happen soon .... 
but on the other hand, we've been waiting for 2.1 for almost 2 years by now :-P 12:26 < Jason404> yeah, I saw the release dates 13:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 13:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:21 -!- dazo_ [n=dazo@nat/redhat/x-2c7a4fd1671dfd7a] has joined ##openvpn 13:26 -!- dazo [n=dazo@nat/redhat/x-0459cfa7ce609b71] has quit [Read error: 145 (Connection timed out)] 13:27 -!- Jason404 [n=eggbean@host86-145-72-251.range86-145.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 13:40 -!- dazo_ is now known as dazo 13:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 14:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:46 < Tophat> can openvpn work with SHA1-HMAC auth and 3DES-CBC encryption? 14:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:14 -!- demoncyber_ [n=marco@200.18.3.253] has quit ["Leaving"] 16:00 -!- xjkx [n=x@201009150172.user.veloxzone.com.br] has quit ["Leaving."] 16:16 < nemysis> I wish to use --mode server for multiple clients and --dev tun, what is best for --topology? 16:16 -!- c64zottel [n=hans@p5B17B1FD.dip0.t-ipconnect.de] has left ##openvpn [] 16:27 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 16:27 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 104 (Connection reset by peer)] 16:27 < hardwire> meh 16:28 < hardwire> has anybody configured openvpn to work like a mesh? 
16:58 -!- sigmonsays_ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn 17:07 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)] 17:58 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 17:59 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 18:05 < hardwire> anybody have experience with iroute and client-to-client? 18:05 < hardwire> I'm hoping clients will know what subnets are behind other clients.. and what external IP to use to reach clients directly? 18:17 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 19:08 < ecrist> evening, bitches 19:09 < ecrist> Tophat: openvpn is ssl, not ipsec 19:50 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 19:51 < onats> hello 19:51 < onats> how do I ensure that specific IPs are assigned to my clients? 19:51 < onats> do I need to create CCDs for each one? 20:49 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 21:01 -!- tarbo2_ [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 21:54 -!- logiclr- [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has joined ##openvpn 21:56 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has quit [Read error: 104 (Connection reset by peer)] 22:13 -!- dan [n=dan@155.229.22.98] has joined ##openvpn 22:13 -!- dan [n=dan@155.229.22.98] has left ##openvpn [] 22:31 -!- OliTroll [n=oli@ip-78-94-201-203.unitymediagroup.de] has joined ##openvpn --- Day changed Fri Mar 06 2009 00:00 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 00:55 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 01:13 -!- nemysis [n=nemysis@170-62.106-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 01:14 -!- nemysis [n=nemysis@234-207.3-85.cust.bluewin.ch] has joined ##openvpn 01:15 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has joined ##openvpn 01:15 < platin> good morning 01:16 < platin> my openvpn says cannot load certificate file *****.crt, what's the problem? 01:17 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 01:17 < tjz> hmm 01:18 < tjz> can two persons connect to the same vpn at the same time? 01:29 < platin> tjz, problem fixed... 01:29 < platin> I use a domain - and there were problems with the access to the certificates... 01:29 < platin> fixed with the privileges... 01:29 < platin> now it works 01:29 < platin> thanks for your help anyway 01:47 < stephenh> tjz: yes 01:50 < tjz> without making additional client1, client2? 01:50 < hads> Certificates? 01:51 < hads> Multiple connections from the same cert are mentioned in the docs and in the server config. 01:51 < hads> Possible but not recommended. 01:52 < tjz> yea, cert 01:52 < tjz> I don't wish to allow multiple users to use the same cert to connect... 01:53 < hads> That's the default. 
01:55 < tjz> ok 01:55 < tjz> I guess so 01:56 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:12 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn 02:14 < mazzachre> Help... On one of the Windows clients when I connect to the server, it complains about the network address... Stating something about it needing a netmask of 255.255.255.252... What is that about? The server has address 192.168.7.125/24 (on the inside) and it assigns addresses 150-165 on that network. Other windows clients connect fine... What is wrong? 02:15 < hads> !/30 02:15 < vpnHelper> hads: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 02:28 -!- harrisony [n=harrison@unaffiliated/harrisony] has left ##openvpn ["Leaving"] 02:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:08 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has joined ##openvpn 03:08 < m31k0r> hi 03:08 < m31k0r> does anybody know, if you establish a tunnel between two networks, 03:09 < m31k0r> if it's possible to identify the hosts in one of the networks from the other? 03:09 < hads> Yes 03:10 < m31k0r> so if one network is 192.168.1.X 03:10 < m31k0r> and the other 192.168.2.X 03:11 < m31k0r> the hosts on the first one will arrive at the other with IPs 192.168.1.1 03:11 < m31k0r> the hosts on the first one will arrive at the other with IPs 192.168.1.2 03:11 < m31k0r> the hosts on the first one will arrive at the other with IPs 192.168.1.3 03:11 < m31k0r> right? 
03:11 < hads> You lost me
03:12 < m31k0r> sorry
03:12 < m31k0r> Well, if you have a roadwarrior configuration when each client establishes a tunnel
03:12 < m31k0r> then you identify each host easily
03:12 < mazzachre> hads: Why does it work on some windows clients but not on others?
03:12 < m31k0r> because each host arrives to the internal network with a fixed IP
03:13 < m31k0r> but my question is if you establish a tunnel to link two networks
03:13 < mazzachre> This is related to bridging, right?
03:13 < m31k0r> is it possible to identify the hosts?
03:13 < m31k0r> yes
03:14 < hads> m31k0r: Identify them by subnet?
03:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:15 < hads> mazzachre: Pass, I don't understand Windows.
03:17 < m31k0r> no i want to identify them like in the roadwarrior case
03:17 < m31k0r> because we want to filter to some ips the internal network services
03:18 < m31k0r> if i identify all the packets coming from the network with the same ip then it's useless
03:19 < hads> Not sure sorry
03:19 < mazzachre> hads: Heh... no one does...
03:19 < hads> Friday night :)
03:20 < m31k0r> ok thank you anyway
03:20 < m31k0r> I will try to research a bit more
03:20 < mazzachre> hads: The problem is related to bridging right? If I setup everything to use routing again it should work? (Except that I then have to find out how to setup correct routing rules for a network I can't control...
03:44 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
04:34 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
04:43 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:45 -!- prxtien [n=pro@115.131.200.228] has joined ##openvpn
04:50 < mazzachre> Uhm ok... found the problem with the windows machine...
04:52 < mazzachre> So... When using dev tap and bridged vpn... How many IP addresses on the server network does each connection take? 1 or 4? (Connecting to 192.168.7.125 and it can use the ip addresses 150-165 on that network for clients)
05:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:32 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has quit [Read error: 113 (No route to host)]
06:18 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has quit ["Leaving"]
06:20 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 110 (Connection timed out)]
06:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
06:33 -!- prxtien [n=pro@115.131.200.228] has quit ["Leaving"]
06:34 -!- nemysis [n=nemysis@234-207.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
06:35 -!- nemysis [n=nemysis@233-66.3-85.cust.bluewin.ch] has joined ##openvpn
07:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
07:54 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has quit ["Saliendo"]
08:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:36 < ecrist> mazzachre: 1
08:39 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
08:46 -!- SuperEvilDeath12 [n=death@212.206.209.177] has joined ##openvpn
08:46 < SuperEvilDeath12> question if i were to multicast over a openvpn vpn would all my packages go Caster -> Server -> Client or in a more p2p model ?
08:47 < reiffert> former
08:47 < ecrist> by nature of a vpn, all packets bound for the vpn must pass through the vpn endpoint
08:48 < SuperEvilDeath12> yeah i guess you kinda have a point there ecrist i guess it destroys my bandwidth saving dream but hell at least i know its gonna fail now :)
08:57 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
08:57 < A[D]minS> !configs
08:57 < vpnHelper> A[D]minS: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:58 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
08:58 < mazzachre> ecrist: thanx!
08:58 < ecrist> mazzachre: np
08:59 < ecrist> good morning, krzee
08:59 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection]
08:59 < krzee> mornin
08:59 < krzee> machu pichu was AWESOME
09:00 < krzee> and yes, i did blaze a joint at the top
09:00 * ecrist is jealous
09:00 < krzee> i got pics
09:00 < krzee> many many pics
09:01 < ecrist> sweet, send me a link (email, if you prefer)
09:01 < A[D]minS> would you please with this case : http://pastebin.com/d13e4e293
09:02 < A[D]minS> appreciate your advice
09:02 * ecrist wishes pastebin used black text
09:04 < ecrist> A[D]minS: are you running as root?
09:04 < A[D]minS> which part?
09:04 < A[D]minS> client side?
09:04 < A[D]minS> nope
09:04 < ecrist> you need to
09:04 < A[D]minS> ok let me try sudo
09:07 < krzee> i forgot my charger cable for my camera for the weekend
09:07 < krzee> 3 days of tours, machu pichu being last day
09:07 < krzee> the camera made it EXACTLY long enough
09:07 < krzee> last picture i wanted, then *poof*
09:08 * dazo is also jealous on krzee
09:08 < krzee> and i HAD to get the last pic in
09:08 < krzee> it was me smoking the joint up on machu pichu
09:09 < krzee> if i didnt get a pic of that it woulda been tragic
09:09 -!- kezhi [i=moneybag@drug.cartel.pl] has joined ##openvpn
09:10 < krzee> so the talent wasnt too special up in cusco (the city near machu pichu)
09:10 < krzee> the girls were so-so, and i didnt want an american traveler, i wanted a local
09:10 < krzee> so instead of a 10 i settled for a 5 - 6
09:10 < krzee> but i hit it 2x so i figure she was a 10 - 12
09:11 < krzee> ;]
09:11 < A[D]minS> woow working
09:11 < A[D]minS> ecrist: thx
09:11 < krzee> ecrist++
09:11 < A[D]minS> ok i would like to understand how i can do it without root privileges
09:11 < krzee> which os?
09:12 < A[D]minS> Fedora 10
09:12 < krzee> basically, joo cant
09:12 < krzee> BUT
09:12 < krzee> you can have it drop its privs after it does what it needs root for
09:12 < krzee> (ie: adding routes and whatnot)
09:13 < A[D]minS> actually i couldn't get it
09:13 < krzee> huh?
09:14 < ecrist> krzee: I probably would have tried for a local, but gone for the traveler, if she was better than the locals.
09:14 < krzee> i went into it knowing i was down to take lower quality to have it be a peruvian
09:15 < ecrist> fair enough
09:15 < krzee> seeing as back here in lima im already with the brazilian model
09:15 < krzee> i had to get some peruvian
09:15 < ecrist> hehe
09:16 < krzee> besides, take a 6 2x and you got a 12!
09:16 < ecrist> my wife doesn't like sharing with women prettier than her, so I may have had a forced hand, as well.
09:16 < ecrist> lol
09:16 < krzee> hahah
09:18 < krzee> is she at least really pretty?
09:18 < krzee> cause that sounds like a really good deal
09:19 < dazo> A[D]minS: you can not start openvpn without root privileges .... but openvpn can, "degrade" itself to a non-privileged user when it is done with the "root-work"
09:19 < ecrist> yeah, she's very pretty
09:19 * krzee realizes what a dumb question that was
09:19 < dazo> A[D]minS: to start up openvpn without root privileges, you can use sudo .... sudo can be configured to allow openvpn to be started with root privileges without asking for a password
09:20 < krzee> "no my wife and the mother of my children is not attractive" lol
09:20 < krzee> dazo, good point, i didnt think of that
09:20 < ecrist> krzee: you ever watch married with children? I know guys like Al, who think their wives are hideous
09:20 < dazo> A[D]minS: another way can also be to play with PolicyKit in Fedora ... that's probably even safer than sudo, but I have not tried that approach
09:20 < krzee> lol theres a guy on the island i call al bundy
09:20 < krzee> you should hear him on the phone with her
09:21 < krzee> "whattaya want"
09:22 < ecrist> my former coworker would throw his phone across the room after getting off the phone with his wife.
09:24 < ecrist> my new switch doesn't track bandwidth on VLANS. :(
09:27 -!- SuperEvilDeath13 [n=death@212.206.209.177] has joined ##openvpn
09:27 -!- SuperEvilDeath12 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
09:30 < krzee> could track me by pushing my traffic through a pf box if you wanna
09:30 < krzee> (assuming thats the idea of what you were thinking
09:30 < krzee> )
09:34 < ecrist> naw, got that solved
09:34 < ecrist> didn't you get the email?
09:34 < ecrist> your box is on its own switch port
09:34 < krzee> ahh cool
09:34 < krzee> im scared to check my email right now
09:34 < krzee> 422 messages
09:34 < ecrist> ouch
09:34 < ecrist> that's what happens when you go on vacation
09:35 < krzee> no kidding
09:35 < krzee> bbiaf, pedicure time
09:35 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
09:35 < ecrist> with the VLAN thing, I was hoping I could aggregate multiple ports together for traffic monitoring.
09:37 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
09:44 -!- neuro_damage [n=neuro@nat-vlan200.sat.rackspace.com] has quit ["leaving"]
09:51 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 113 (No route to host)]
09:55 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn
10:03 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)]
10:09 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:12 -!- kB-- [i=moneybag@drug.cartel.pl] has joined ##openvpn
10:13 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
10:15 -!- kezhi [i=moneybag@drug.cartel.pl] has quit [Remote closed the connection]
10:17 -!- kB-- is now known as kezhi
10:23 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"]
10:26 < krzee> http://www.ircpimps.org/pics/krzee_vaca/machublazu.JPG
10:34 -!- sigmonsays__ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn
10:37 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: pa
10:38 < ecrist> nice
10:39 -!- Netsplit over, joins: pa
10:39 < reiffert> pot :)
10:40 < reiffert> Even more :)
10:42 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
10:46 < krzee> =]
10:46 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
10:46 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
10:47 -!- sigmonsays_ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)]
10:47 < krzee> i cant even describe how badass machu pichu was
10:48 < krzee> i highly recommend it
10:52 < reiffert> Who was teaching them to build houses with 2 side roofs like the europeans do it?
10:52 < reiffert> http://upload.wikimedia.org/wikipedia/commons/a/a2/Macchu_picchu_panoramic.jpg
10:54 < ecrist> wouldn't that be considered common sense, in a way?
11:00 < reiffert> I know them from europe, but thats it. Just curious about similarity
11:14 < krzee> 2 side roofs?
11:15 < dazo> krzee: you have the upper side and the underside of the roof ... easy
11:18 < krzee> umm ok, i dont get it
11:18 < krzee> i learned a ton about how they built their stuff, so ild answer if i understood the ? and knew the answer
11:30 < dvl> tape drives anyone? http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=110359343693
11:30 < vpnHelper> Title: TZ89N-AV SCSI DLT 7000 tape drive - used - eBay (item 110359343693 end time Mar-10-09 18:54:31 PDT) (at cgi.ebay.com)
11:30 < dvl> DLT 7000, robotics
11:33 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:11 < vcs> Hi, I have added push "route 10.2.1.0 255.255.255.0" and "route 10.2.1.0 255.255.255.0" to my server.conf file, I can access 10.2.1.212 on the local network but not from any clients. The openVPN server is running on the gateway of that subnet, any idea what the issue could be?
12:12 < krzee> !route
12:12 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:14 < vcs> I read that already :|, when I run route PRINT in the windows client, the route is not there at all.
12:16 < krzee> !logs
12:16 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
12:16 < krzee> !configs
12:16 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:26 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
12:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:27 < krzee> also, you didnt mention if the lan is behind client or server
12:30 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
12:31 < A[D]minS> !route
12:31 < vpnHelper> A[D]minS: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:36 < A[D]minS> i have a weird problem with openvpn
12:37 < A[D]minS> i connect just for 10 sec then disconnect
12:37 < A[D]minS> http://pastebin.com/d4c67310a
12:37 < A[D]minS> any idea why i cut after 10 sec?
12:39 < krzee> multiple errors, increase verbosity
12:43 < krzee> verb 6 should be fine
12:45 < A[D]minS> i made it 6
12:46 < krzee> k, so lets see it
12:48 < A[D]minS> i am rebooting openvpn server because i need to make sure everything fine with this server :D
12:48 < A[D]minS> just in a moment i'll try again
12:59 < vcs> one moment, the lan is behind the server
12:59 < vcs> i will pastebin
13:05 < A[D]minS> krzee: the same
13:05 < A[D]minS> http://pastebin.com/d7b28dfe1
13:05 < A[D]minS> this is showing everything
13:06 < A[D]minS> maybe you can get whats wrong
13:06 < A[D]minS> if you want to pastebin my client.conf and server.conf no problem
13:06 < ecrist> /topic Boats and Hos
13:10 < A[D]minS> now when i tried to connect it give this error
13:10 < A[D]minS> Fri Mar 6 23:17:17 2009 us=295898 UDPv4 WRITE [14] to 41.196.212.26:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
13:10 < A[D]minS> Fri Mar 6 23:17:17 2009 us=396256 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
13:11 < A[D]minS> once i do /etc/init.d/openvpn restart will work..but just for awhile then back to this error
13:17 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Excess Flood]
13:17 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
13:19 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Remote closed the connection]
13:32 < ecrist> yay, my new keyboard drawer just arrived
13:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
14:13 -!- kezhi [i=moneybag@drug.cartel.pl] has quit ["napppp"]
14:16 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
14:24 < krzee> [14:06] one moment, the lan is behind the server
14:24 < krzee> then why do you have the route command in the server config?
14:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:11 < vcs> !route
15:11 < vpnHelper> vcs: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:15 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:41 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
15:42 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 110 (Connection timed out)]
17:03 -!- therian [n=Larson50@adsl-69-225-1-98.dsl.skt2ca.pacbell.net] has joined ##openvpn
17:03 < therian> why would i be able to connect to a samba share over openvpn but not an xp share
17:03 < therian> any ideas?
17:21 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
17:28 < reiffert> therian: you're asking *why*?
17:29 < therian> um ok more of how do i fix it?
17:29 < reiffert> Write a letter to bill@ms.com
17:29 < therian> kikz
17:29 < therian> lolz
17:34 -!- sigmonsays__ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)]
17:37 < ecrist> therian: two things, 1) this isn't ##windows and 2) you don't give us enough information, even if we wanted to help
17:41 -!- therian [n=Larson50@adsl-69-225-1-98.dsl.skt2ca.pacbell.net] has left ##openvpn []
17:48 -!- Gomex [n=rafael@189.105.201.46] has joined ##openvpn
17:48 < Gomex> Hi
17:49 < Gomex> I have a problem with Openvpn. I configured my openvpn ok, but I accidentally used clean-all and I lost all certs and keys
17:50 < ecrist> then you have to start over with the certs
17:50 < Gomex> I tried creating the keys and certs again, but it doesn't work now :(
17:51 < ecrist> you need to distribute the new certs to your clients, too
17:51 < Gomex> is it necessary to clean something before creating other keys and certs?
17:51 < Gomex> yes, I did it
17:51 < ecrist> and you need to restart the vpn
17:51 < Gomex> ecrist, I did it
17:51 < Gomex> ecrist, I restarted Openvpn too
17:53 < ecrist> *shrug*
17:53 < Gomex> ecrist, do I need to use a command to clean something?
17:53 < ecrist> no
17:58 < Gomex> ecrist, Ok, I will try again slower
18:10 < Gomex> ecrist, I think that I forgot to restart the openvpn
18:11 < Gomex> because I thought that I did it before, but I did it a few times ago with the linux client and it works...
18:41 < Gomex> ecrist, Works in Windows now! :D
18:42 < ecrist> glad to hear it
18:42 < Gomex> ecrist, thank you
18:43 < Gomex> ecrist, I think that in the "storm" that I passed through at work this morning, I forgot to restart this!
20:09 -!- Gomex_ [n=rafael@189.105.135.171] has joined ##openvpn
20:32 -!- Gomex [n=rafael@189.105.201.46] has quit [Read error: 110 (Connection timed out)]
20:43 -!- Gomex_ [n=rafael@189.105.135.171] has quit [Read error: 110 (Connection timed out)]
21:51 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
21:51 < lavren> In my tun0 interface I have the router IP "10.5.0.10" and next to it I see P-t-P:10.5.0.9, it is also in my routing table... where is that coming from? neither me nor my friend (the other vpn router) know
21:52 < lavren> and our connection is terrible on my end, there is some weird route that is coming into play
21:54 < lavren> oh nm
21:54 < lavren> that's normal
22:11 < hads> !/30
22:11 < vpnHelper> hads: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
22:42 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
23:14 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
23:14 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.]
23:14 -!- onats_ is now known as onats
23:15 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
--- Day changed Sat Mar 07 2009
00:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:31 -!- nemysis [n=nemysis@233-66.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
03:34 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
03:52 -!- JigSaw-2 [n=JigSaw-2@123.252.146.52] has joined ##openvpn
04:21 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 110 (Connection timed out)]
04:24 -!- nemysis [n=nemysis@193-86.3-85.cust.bluewin.ch] has joined ##openvpn
04:25 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
04:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out]
05:15 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 104 (Connection reset by peer)]
05:24 -!- nemysis [n=nemysis@193-86.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
05:29 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
06:45 -!- onats1 [n=15172@221.121.120.254] has quit [Read error: 110 (Connection timed out)]
06:52 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn
06:53 < mjt> that'd probably be an annoying question but... is openvpn.net down?
06:55 -!- JigSaw-2 [n=JigSaw-2@123.252.146.52] has quit [Read error: 104 (Connection reset by peer)]
06:58 < mjt> and a newbie question. I need to build a vpn-server with 100% static config and with specified IP addresses for server and all the clients (the clients should use an address assigned by the server). How to specify address of the server, and of each client?
06:58 < mjt> i can't get the whole picture, so I need an example to start with.. ;)
06:59 < mjt> --ifconfig looks like the right option, but it requires 2 arguments
06:59 < mjt> while i need only one. Tried --ifconfig $Localaddr 0.0.0.0, it worked but it's ugly.
07:01 < mjt> and 2 more probs right away. Specifying `--route 1.2.3.4' or `--route 1.2.3.4 255.255.255.255' gives `SIOCADDRT: Invalid argument' -- openvpn does not show the command itself.
07:01 < mjt> and -- as per above, -- i can't understand how to configure client's IP address statically in ccd/$cn
07:02 < mjt> so it shows 'no dynamic or static remote --ifconfig address is available'
07:35 < mjt> aha. Found --ifconfig-push option
07:52 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 110 (Connection timed out)]
07:55 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
08:04 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
08:08 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
08:10 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 104 (Connection reset by peer)]
08:12 < reiffert> mjt: example to start with:
08:12 < reiffert> !howto
08:12 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:14 < reiffert> mjt: however, it looks like the webserver on openvpn.net is down.
08:14 < reiffert> mjt: http://web.archive.org/web/20080209040742/http://openvpn.net/
08:24 < mjt> that's what i'm reading for several hours already ;)
08:25 < mjt> but i was really puzzled by the fake usage of fake p2p interface and peer addresses
08:25 < mjt> that's what i was asking really, to understand the principles
08:25 < mjt> now i see how it's done
08:26 < mjt> in all examples -- ifconfig 10.4.0.1 10.4.0.2; ifconfig-pool 10.4.0.4-10.4.0.250
08:26 < mjt> that 10.4.0.2 thing
08:26 < mjt> it's 100% fake
08:29 < mjt> in other words, there should be only one ip address in the ifconfig line (no peer), and routes should be device, not nexthop. I.e., route add $client dev $interface
08:29 < mjt> (instead of route add $client gw $fakenexthop)
08:41 < mjt> what does openvpn do when host routing table conflicts with openvpn's? I mean, say, host routes 10.4.0.5 to the tun interface, but openvpn does not know where to send it to?
08:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
08:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
08:53 < mjt> or in other words, is there a way to tell openvpn to send some ICMP host unreach or somesuch in response to packets destined for "unknown" destinations?
09:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:50 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: eagle, qkf, rdz, meshuga, dazo, rubydiamond, xor|, skx, higuita, Typone, (+13 more, use /NETSPLIT to show all of them)
09:51 -!- Netsplit over, joins: rubydiamond, onats, lavren, skx, SuperEvilDeath13, OliTroll, logiclr-, eliasp, dazo, hads (+13 more)
09:58 < reiffert> mjt: thats a job for a firewall
10:01 < mjt> it's not
10:02 < mjt> the idea is to indicate that this client isn't connected *now*, instead of timing out
10:17 < mjt> " NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.
10:18 < mjt> -- any way to turn it off without shutting up other useful warnings?
10:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:40 -!- joelsolanki [i=joelsola@123.237.173.76] has joined ##openvpn
10:40 < joelsolanki> Hi all
10:40 < joelsolanki> openvpn is down ?
10:40 < joelsolanki> www.openvpn.net is down ?
10:42 < mjt> it is, for about 9 hours already (since i tried to access it)
10:42 < mjt> my guess is some i/o-related (disk) kernel OOPS
10:42 < mjt> and no watchdog configured
10:44 < joelsolanki> oh :(
11:02 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit ["lavren has no reason"]
11:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 131 (Connection reset by peer)]
11:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:13 -!- nemysis [n=nemysis@124-21.106-92.cust.bluewin.ch] has joined ##openvpn
11:29 -!- joelsolanki [i=joelsola@123.237.173.76] has quit []
11:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
11:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:25 -!- gallatin [n=gallatin@dslb-092-072-070-152.pools.arcor-ip.net] has joined ##OpenVPN
13:36 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
13:37 < Roman123> Hi!
14:52 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
14:53 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn []
15:58 -!- nemysis [n=nemysis@124-21.106-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
15:59 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has joined ##openvpn
16:21 -!- OliTroll [n=oli@ip-78-94-201-203.unitymediagroup.de] has left ##openvpn []
16:23 -!- gallatin [n=gallatin@dslb-092-072-070-152.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
16:48 < Roman123> very silent here
16:48 < Roman123> anyone else awake?
17:40 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn
17:40 < betabot> hey
17:40 < betabot> i'm wondering how i would remove someone once they have a ca cert
17:41 < betabot> without having to make a new ca
17:41 < betabot> and resign everyone
17:45 < Roman123> betabot: yes it is possible
17:45 < Roman123> you can revoke a cert
17:47 < Roman123> betabot: Personally, I never revoked a certificate but you can plenty of howtos on google by searching for "openvpn + cert + revoke".
17:48 < Roman123> s/can/can find
17:48 < Roman123> !route
17:48 < vpnHelper> Roman123: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
17:50 < stephenh> betabot: ./revoke-full
17:50 < hads> (with easy-rsa)
17:56 < betabot> stephenh, so once i ./revoke-full then they can no longer log in?
17:56 < betabot> Roman123, thanks :)
17:57 < stephenh> if using easy-rsa as pointed out by hads
17:58 < stephenh> it does give an error at the end of revoking, but that is normal
18:01 < Roman123> I connected two LANs by means of two routers using openvpn (bridge mode): 192.168.50.0/24 and 192.168.51.0/24 are the networks behind the server (router) and the client (router), respectively. Everything works fine, i.e., I can transfer data in both directions. Now I would like to connect to this network by means of a notebook (roadwarrior). Once the connection is established, I can transfer data from the 192.168.50.0/24 lan but not from 192.168.51.0/24
18:01 < Roman123> to the notebook although I have placed "route 192.168.51.0 255.255.255.0 192.168.50.1" in the notebook openvpn client config.
18:03 < betabot> stephenh, i am using easy-rsa
18:03 < betabot> stephenh, however when i tried it it failed horribly
18:03 < betabot> the username is the name before .crt & that in the /etc/openvpn/keys directory?
18:04 < stephenh> yes
18:06 < betabot> then it just failed horribly
18:07 < betabot> i have errors like: error on line 282 of config file '/etc/openvpn/openssl.cnf'
18:07 < betabot> 18931:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
18:07 < betabot> Using configuration from /etc/openvpn/openssl.cnf
18:07 < betabot> error on line 282 of config file '/etc/openvpn/openssl.cnf'
18:07 < betabot> 18932:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
18:07 < betabot> then it just starts failing
18:07 < stephenh> . ./vars first?
18:08 < stephenh> Roman123: 192.168.51.0 needs to know how to route back traffic to your road warrior subnet
18:09 < betabot> i sourced ./vars
18:09 < stephenh> ecrist wrote a little page regarding that sort of connectivity i think, can't remember it atm and i lost my inet history
18:09 < betabot> i just ran source ./vars then ./revoke-all [username]
18:09 < betabot> and it gave the same error
18:10 < betabot> its like its trying to find crl.pem, which doesn't exist
18:10 < stephenh> it should be in your keys directory
18:12 < betabot> nope
18:12 < Roman123> stephenh: the routeback works behind both lans. why does it not work to the road warrior although a bridged connection is utilized (no routing, the assigned ip to the road warrior is part of the 192.168.50.0/24 network).
18:12 < betabot> i have 01-07.pem
18:12 < betabot> dh2048.pem and revoke-test.pem
18:12 < Roman123> I don't understand that
18:13 < stephenh> is openvpn.net timing out for you guys too?
18:14 < Roman123> stephenh: yes
18:14 < stephenh> ok
18:15 < stephenh> is the 'client-to-client' directive in your openvpn config?
18:15 < Roman123> argh
18:15 < Roman123> stephenh: I guess I missed that
18:15 < betabot> so stephenh what do i do?
18:16 < Roman123> I thought about everything, every possible routing option but not about client-to-client :(
18:16 < Roman123> I'll try
18:16 < stephenh> ./build-key ; ./revoke-full
18:16 < stephenh> the last time i had an issue i did that and it worked
18:17 < stephenh> i can't remember if i had the same issue
18:17 < stephenh> Roman123: cool
18:17 < stephenh> i'm going to bed. 2.20am, email is taking too long to find mail i'm looking for
18:17 * Roman123 is trying
18:17 < Roman123> stephenh: thanks, n8
18:18 < stephenh> ok, good luck - i don't work with bridges ever, really. hope that directive sorts you out
18:19 < betabot> stephenh, it failed
18:19 < betabot> stephenh, first one worked, second failed with the same error
18:19 < stephenh> second command? second cert?
18:19 < betabot> yeah
18:19 < betabot> same error
18:20 < betabot> i'll pastebin it
18:20 < stephenh> ok
18:20 < betabot> http://pastebin.ca/1355546
18:21 < betabot> thats just the revocation
18:21 < stephenh> use .bin please
18:21 < stephenh> i get a 403 forbidden message
18:22 < betabot> pastebin.com ?
18:22 < betabot> or what?
18:22 < stephenh> er, pastebin.com i mean
18:22 < stephenh> yeah, falling asleep here lol
18:22 < stephenh> losing my mind
18:22 < Roman123> stephenh: works
18:22 < Roman123> thanks
18:22 < stephenh> cool, np
18:22 < Roman123> good hint
18:22 < stephenh> sounded like a good one ;-)
18:22 < betabot> http://pastebin.com/d7f9f2bc6
18:25 < stephenh> error 23 at 0 depth lookup:certificate revoked <-- the error i was talking about (just created and deleted a key)
18:25 < betabot> what?
18:26 < betabot> stephenh, i'm getting a lack of certificate crl
18:28 < stephenh> reading now
18:32 < stephenh> missing that crl.pem is going to be a problem i think
18:33 < betabot> then what do i do?
18:34 < stephenh> you can try to generate a new one with 'openssl ca -gencrl -out crl.pem -config /etc/openvpn/easy-rsa/openssl.cnf', but i don't know if that'll sort you out
18:35 < betabot> still don't have one
18:35 < betabot> ok
18:35 < betabot> yeah
18:35 < betabot> now it worked
18:35 < betabot> i hope
18:36 < betabot> it said ok at the end
18:36 < stephenh> to generate the crl.pem?
18:36 < stephenh> read two things so far,
18:37 < stephenh> one was to hash out the pkcs11_section in openssl.conf (although mine doesn't even have that)
18:37 < stephenh> second, to regenerate a lost crl.pem, you need to do:
18:37 < stephenh> openssl ca -gencrl -config ./openssl.cnf -keyfile
18:37 < stephenh> openssl ca -gencrl -config ./openssl.cnf -keyfile keys/ca.key -cert keys/ca.crt -out
18:37 < stephenh> erg
18:38 < stephenh> openssl ca -gencrl -config ./openssl.cnf -keyfile keys/ca.key -cert keys/ca.crt -out crl.pem
18:39 < betabot> stephenh, i made a crl.pem
18:39 < betabot> ok
18:39 < betabot> i've gotten a crl.pem
18:39 < betabot> i'll hash out that section
18:39 < betabot> where is openssl.conf
18:39 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
18:39 < stephenh> in easy-rsa
18:40 < stephenh> betabot: really need to go, can't keep my eyes open
18:40 < betabot> error 23 at 0 depth lookup:certificate revoked
18:40 < betabot> \
18:40 < betabot> ?
18:40 < betabot> stephenh, ok
18:40 < betabot> thanks for your help anyway
18:41 < stephenh> that is it working
18:41 < stephenh> your cert has been revoked
18:41 < betabot> ok
18:41 < betabot> excellent
18:41 < betabot> so from now on they can't reconnect?
18:41 < stephenh> yep 18:41 < stephenh> if you look inside the revoke-all file, you'll see right at the end it does a check to see if the cert is still active, and fails 18:41 < stephenh> that error 23 is the test failing 18:42 < betabot> cool 18:42 < betabot> so if they are still connected they stay connected 18:42 < betabot> is there any way to drop everyone from the vpn? 18:43 < stephenh> sure is, 18:43 < stephenh> can either restart the service, 18:43 < betabot> i just want to drop everyone for like 45 seconds 18:43 < stephenh> or i think it can be done with the telnet admin cli 18:43 < betabot> to make sure everything times out and they're forced to reconnect 18:43 < stephenh> sure, their clients will reconnect automatically 18:44 < betabot> if their key is revoked, it'll fail? 18:44 < betabot> if not they'll just reconnect? 18:44 < stephenh> yes 18:45 < stephenh> good night 18:45 < betabot> thanks 18:52 < Roman123> night 19:00 -!- betabot is now known as simplechat_ 19:01 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 19:02 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Read error: 104 (Connection reset by peer)] 19:03 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn 19:22 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."] 19:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 20:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit] 20:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 20:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit] 22:08 -!- lavren 
[n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 22:08 < lavren> Is there a good paper on configuring iptables on a VPN router using openvpn? 22:08 < lavren> I want all of my clients behind the VPN router to have routes to both the destination VPN network and the internet 22:09 < lavren> I've got this working intermittently, but I'm wondering if there is something more effective. 22:09 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn 23:04 -!- gejr [n=gejr@unaffiliated/gejr] has joined ##openvpn 23:05 < gejr> how do i set a linux client to use proper dns? he doesn't seem to honor push "dhcp-option" DNS 192.168.1.100 as much as i'd like him to :) 23:40 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has joined ##openvpn 23:40 * patintin waves.. 23:40 < patintin> is http://openvpn.net website down? 23:43 < patintin> hello? anyone? i want to read the openvpn howto 23:47 < hads> Patience patintin 23:47 < hads> and yes, it appears the site is down currently. 23:50 < patintin> hads: ok. i see. thanks. ;) --- Day changed Sun Mar 08 2009 00:12 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has quit [Read error: 113 (No route to host)] 00:29 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 00:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:50 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has left ##openvpn [] 00:51 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 01:10 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has joined ##openvpn 01:10 < ArtVandalae> Hi all, OpenVPN.net seems to be down. I've tried using Google cache, and am still unable to access it. Is there an alternative location I can access the website? 
01:11 < hads> http://209.85.173.132/search?q=cache:duOUjpCIgcIJ:openvpn.net/howto.html+openvpn+owto&hl=en&client=firefox-a&gl=nz&strip=1 01:11 < vpnHelper> Title: HOWTO (at 209.85.173.132) 01:13 < ArtVandalae> hads, thank you 01:16 < mRCUTEO> !logs 01:16 < vpnHelper> mRCUTEO: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 01:16 < mRCUTEO> !route 01:16 < vpnHelper> mRCUTEO: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 01:16 < mRCUTEO> !SNAT 01:16 < vpnHelper> mRCUTEO: Error: "SNAT" is not a valid command. 01:20 < mRCUTEO> hiya krzie_ 01:26 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has left ##openvpn [] 01:57 -!- worch_ [i=worch@battletoad.com] has quit [Remote closed the connection] 03:03 -!- worch [i=worch@battletoad.com] has joined ##openvpn 03:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 03:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 03:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:26 -!- drzed_ [n=drzed@synflood.homelinux.org] has joined ##openvpn 04:26 < drzed_> hi there! 
04:26 -!- drzed_ is now known as drzed 04:27 < drzed> i've got a central openvpn server and 2 vpn-client networks connect to the server 04:28 < drzed> both can talk to server but not to each other 04:28 < drzed> what do i have to do to get this working 04:33 < reiffert> !route 04:33 < vpnHelper> reiffert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 04:33 < drzed> http://www.nopaste.com/p/aDi43SvDob <--- setup looks like this 04:38 < drzed> thx reiffert 04:38 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has quit [Read error: 113 (No route to host)] 04:39 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has joined ##openvpn 04:56 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 04:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 05:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit] 05:41 < drzed> i did a detailed read of the given link, but i do still have no success 05:42 < drzed> bc/ the setup does differ quite a bit 05:43 < drzed> on my server i have multiple openvpn instances running (one for each client lan) 05:43 < drzed> so i do have different tunX ifaces 05:44 < drzed> so for 192.168.4.0/24 there is a route to tun2 05:44 < drzed> and for 192.168.2.0/24 a route to tun1 05:45 < drzed> on client-server 4.0/24 there is a route to 192.168.2.0 via tun0 05:45 < drzed> 193.168.2.0/24 via 172.16.0.5 dev tun0 05:49 < drzed> hm strange the icmp reach tun0 on the client lan 05:52 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has joined ##openvpn 05:54 < A[D]minS^Work> i would like to understand something... i installed OpenVPN on server with static ip under 1 eth and it works fine , now i want to use 2 Interfaces one for internet and one for local network...and i'll need users who accessing the VPN Server get their ips from DHCP of local network 05:54 < A[D]minS^Work> does it mean i must use bridge mode? 
05:55 < A[D]minS^Work> openvpn.net down? 05:57 < prxtien> x 05:57 < A[D]minS^Work> ? 06:41 < reiffert> A[D]minS^Work: use archive.org 06:45 < A[D]minS^Work> reiffert, ok fine working 06:45 < A[D]minS^Work> now i would like to know something 06:45 < A[D]minS^Work> i have OpenVPN Server published with Interface eth0 with Internet IP 06:46 < A[D]minS^Work> i want to connect to this OpenVPN server and through eth1 access the Internal network 06:46 < A[D]minS^Work> is it applicable? 06:46 < A[D]minS^Work> and if yes can anyone advise how can i do it? 07:05 < reiffert> !route 07:05 < vpnHelper> reiffert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 07:18 -!- zheng [n=zheng@218.82.137.65] has joined ##openvpn 07:30 < A[D]minS^Work> reiffert i used route but i couldn't reach the internal servers 07:31 -!- zheng [n=zheng@218.82.137.65] has quit ["Leaving"] 07:38 < reiffert> It's your firewall then. 08:24 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has joined ##openvpn 08:41 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has quit [Read error: 110 (Connection timed out)] 08:54 < ecrist> stephenh: !route 08:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:04 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has quit [" HydraIRC -> http://www.hydrairc.com <- Chicks dig it"] 09:28 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 09:31 -!- JimUnderscore [n=zyme@216.218.95.3] has joined ##openvpn 09:31 < JimUnderscore> !route 09:31 < vpnHelper> JimUnderscore: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 09:33 < JimUnderscore> I'm probably overlooking something simple, but here 09:34 < JimUnderscore> is my question, I setup a vpn, got it to connect, it gets 10.8.0.x addresses, 09:34 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn 09:35 < 
JimUnderscore> but I can't ping or communicate with any other machines that are also connected and have a (10.8.0.x) address 09:42 -!- SuperEvilDeath13 [n=death@212.206.209.177] has quit [Read error: 145 (Connection timed out)] 10:05 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has joined ##openvpn 10:05 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has left ##openvpn [] 10:14 < ecrist> JimUnderscore: other VPN machines? 10:14 < ecrist> if so, you need to add client-to-client to the server config 10:17 < mjt> btw, is there a way to set up connection between two tls-servers? 10:17 < ecrist> no 10:18 < mjt> i mean, i've two servers each with a bunch of clients. I'm currently running two openvpn instances on one of them 10:18 < mjt> ok 10:18 < ecrist> what you can do is run a client session on one of the servers to connect it to the other. 10:18 < mjt> that's what i'm doing right now 10:18 < ecrist> a client connection shouldn't interfere with the running server connection 10:19 < mjt> just wondered if it's possible to do it in one process. 10:19 < ecrist> nope 10:19 < ecrist> if it were me, I'd probably use IPSec between the two servers 10:19 < ecrist> it's bidirectional, and only comes up when traffic needs to pass 10:20 < mjt> well, it's one more thing to learn, and extra arrangements on one of the sides (corporate firewall) 10:20 < ecrist> ah 10:20 < mjt> port #655 is open but not ipsec ;) 10:20 < mjt> (655 = tinc) 10:21 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has left ##openvpn ["ArtVandalae -- Importer/Exporter"] 10:21 < mjt> But I had a bunch of other questions yesterday... 
;) 10:22 < ecrist> well, I'm chained to a work table in my DC right now, so ask away, I'll answer in between walking over to our rack and punching keys 10:23 < mjt> in each example tls-server or the like, there's one fake setup element in use - an IP address 10.4.0.2, the "other side", or "remote endpoint" of a "tunnel" which is 100% fake in case of server with multiple clients 10:23 < mjt> it puzzled me yesterday till i figured it out 10:24 < mjt> but it's used to set up routes. The question really is if it's possible to go without that address? 10:24 < mjt> (damn isp changed my ip again) 10:24 < ecrist> sure, use whatever addresses you want 10:25 < ecrist> those are examples, not rules. 10:25 < mjt> what's needed there is a "device route" (ip route add $foo dev $iface) 10:25 < mjt> the question is how to push those to clients 10:25 < ecrist> !route 10:25 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 10:25 < ecrist> read that 10:26 < ecrist> I left my DVI->VGA adapter at home, dammit 10:29 < mjt> well ok. it's all good, but does not answer my question. Which is not really important as long as it's possible to run a command (have to use a script, while inline config is more readable) -- i mean, the --route (internal to openvpn) always uses nexthop, no way to specify device routes. 10:29 < mjt> and for client it's also not that important either as we have almost real "tunnel" 10:29 < mjt> just not completely clean, nothing wrong with that. 10:30 < mjt> speaking of routes -- is there a way to make openvpn respond to packets to "unknown" clients with some ICMP net unreachable or somesuch? 
10:31 < mjt> the idea is to set up routes for all clients at startup, but to let the other host know that this particular client isn't here yet, instead of letting it time out 10:32 < mjt> ie, adding a route for whole 10.4.0.0/24 at startup, with that network used for clients. And instead of just dropping packets destined for some 10.4.0.25 (when it isn't connected), return some ICMP. 10:33 < ecrist> it should return NETRUNREAC 10:33 < mjt> thats what i'd think it does. 10:33 < mjt> ok, lemme check again 10:33 < mjt> when i tried it yesterday it just timed out 10:34 < mjt> i'm a newbie with openvpn, ran it for the first time yesterday (and immediately came to the problem with the site which was down :) 10:35 < mjt> but i know some bit of background with networking... ;) 10:37 < mjt> oh, and the site is still down... 10:39 < mjt> aha. It was iroute (from that wiki page) which I missed yesterday when testing that setup. 10:39 < ecrist> which site is down? 10:39 < mjt> openvpn.net 10:39 < ecrist> oh, we don't run that. 10:39 < mjt> it's THE site of openvpn 10:39 < ecrist> none of us in here are actually *with* openvpn, we just support it. 10:40 < ecrist> we tried becoming official, but they're sort of selfish and don't want outside help 10:40 < ecrist> *shrug* 10:40 < mjt> i didn't say you run it ;) It's just my bad luck, to come across everything non-working exactly when I need it ;) 10:40 < ecrist> you can get to the documentation at beta.openvpn.net, though 10:40 < mjt> i used web.archive.org 10:40 < mjt> (which was in maintenance mode too yesterday, when I tried to access it for the first time :) 10:41 < ecrist> beta.openvpn.net seems more stable than openvpn.net 10:42 < mjt> irony 10:43 < ecrist> here's a funny story for you, we asked the openvpn folks to post links to our support docs, and they refused, saying they'd rather host them, and allow us to maintain them. 
10:43 < ecrist> their reasoning was they were uncomfortable with our ability to keep the site online. 10:43 < ecrist> :) 10:43 < mjt> hmm. I had one more issue yesterday, but don't remember which one. 10:43 < mjt> heh 10:43 < mjt> lovely 10:43 < ecrist> secure-computing.net is *far* more stable than openvpn.net 10:43 < mjt> aha. 10:44 < mjt> but hm. 10:44 < mjt> ;) 10:44 < ecrist> hm? 10:44 < mjt> when looking at all the things, I was thinking such a fat beast needs some more.. accurate security model. 10:44 < mjt> hm because you're not (probably) designing/writing the code 10:44 < ecrist> my site isn't as sharp-looking as theirs though. I suck at design. 10:45 < mjt> heh 10:45 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has joined ##openvpn 10:46 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has left ##openvpn [] 10:46 < mjt> but the thing is -- there are 2 kinds of stuff going on when openvpn process is running: the traffic, dealing with the network etc, and setting it all up. The first part is 100% unprivileged. The second one usually requires root. 10:46 < mjt> that's why keep-tun etc options are there 10:46 < mjt> (not sure of exact name but the idea should be clean) 10:47 < mjt> so that it first sets things up, next drops root and continues running there. 10:47 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 10:47 < ecrist> openvpn has the ability of de-escalating its privs 10:47 < ecrist> just add user and group args to the config 10:47 < mjt> yes 10:47 < mjt> but it will not be able to do interesting stuff anymore 10:47 < mjt> like, adding/deleting a route when a client connects 10:48 < mjt> /disconnects 10:48 < ecrist> that's why OpenVPN has internal routing 10:48 < ecrist> and why you need iroute in your ccd configs 10:48 < ecrist> those are setup, where needed, before de-escalation. everything else is internal to the process. 
10:49 < mjt> but i wonder how difficult it will be to split it into 2 parts, one root-only that checks supplied credentials/whatever, sets up routes/etc, and another unprivileged that's running in chroot/user and talks with the privileged one using a simple well-defined protocol. 10:49 < mjt> first never talks with the network, only with the unpriv part of if 10:49 < mjt> *of it 10:50 < mjt> and if it's something useful, to start with :) 10:50 < mjt> because i'm only half a day with it, and it's quite possible i don't understand something yet ;) 10:50 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 10:51 < mjt> (sure there are many things i don't know or else i'd not be there asking questions :) 10:52 < mjt> what i dislike in openvpn is its huge size. Quite often a project that tries to become everything steps away from security. 10:53 < ecrist> its huge size? 10:53 < mjt> it's fat 10:53 < ecrist> well, it does support a fair amount of configurability. 10:53 < mjt> well, compared with other similar stuff 10:53 < mjt> yes 10:53 < ecrist> much of it is desirable 10:53 < mjt> sure 10:54 < ecrist> almost necessary for a solid VPN package. 10:54 < mjt> the problem is that the larger it becomes, the more difficult to keep it secure 10:54 < mjt> (secure - i mean bug-free) 10:54 < ecrist> I don't think I'd agree with that. 10:54 < ecrist> the security of OpenVPN is handled by the SSL libraries 10:54 < ecrist> those are changing 10:55 < mjt> more code means more opportunities for bugs 10:55 < ecrist> what does change is the routing 10:55 < mjt> and yes, ssl scares me much more than openvpn ;) 10:55 < mjt> quite complex beast that talks directly with unfriendly network 10:56 < mjt> i'm paranoid. By definition of my profession :) 10:56 < mjt> but ok. Just a.. paranoid idea. 10:57 < mjt> one more little question.. is there a way to specify a reconnect timer/interval? 
10:57 < mjt> in udp mode, that is 10:57 < mjt> i'm not sure i understand the connection model in this case 10:58 < mjt> right now when the other side becomes down (i just shut down openvpn server process), the client will try to re-establish connection on every packet it received destined for the tunnel connection 10:58 < mjt> or something like that anyway 10:58 -!- onats_ is now known as onats 10:59 < mjt> it prints ECONNREFUSED - about 10 of them in a row with one-second interval, and then restarts and tries again. 11:01 < ecrist> yes, let me look up the config, hang on 11:01 < mjt> oh, and a really excellent issue I ran across yesterday... not entirely openvpn-related but... 11:01 < ecrist> ping-restart I think. 11:02 < mjt> aha 11:02 < ecrist> look here for more info: http://beta.openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html 11:02 < vpnHelper> Title: OpenVPN 2.0.x (at beta.openvpn.net) 11:02 < ecrist> the entire man page. :) 11:02 < mjt> ok i got the idea -- thanks ecrist ! 11:02 < mjt> i was looking for something with timeout 11:02 < mjt> but it's ping 11:03 < mjt> (i did read the whole manpage, but somehow missed that) 11:03 < mjt> the issue i come across is like this. My ISP insists on changing the IP address every so often (it's adsl). The connection is handled by my home adsl router, that does NAT for my home network. 11:04 < mjt> yesterday I was testing openvpn when the ISP forced IP address change the next time 11:04 < mjt> and it suddenly stopped working, at all 11:04 < mjt> the packets were sent by my home machine, but never arrived at the destination 11:05 < mjt> the problem was that openvpn on both ends used fixed udp port. And the router remembered to nat that port from/to the two machines, with its OLD ip address! 11:06 < mjt> and each time i tried to make new connection from home, the router refreshed that NAT entry. 
11:06 < mjt> updating its ttl, that is 11:06 < mjt> took me about 30 minutes to figure it out 11:07 < mjt> had to reboot the router to force it to forget the connection. Alternative was to use another port. 11:07 < ecrist> oops: http://www.thesun.co.uk/sol/homepage/news/article2284752.ece 11:07 < vpnHelper> Title: Brit nuclear HQ on Google Earth | The Sun |News (at www.thesun.co.uk) 11:08 < ecrist> mjt, you could probably do something with a script to refresh the ttl on the router, or use a dyndns service 11:08 < mjt> dyndns can't help here at all 11:10 < mjt> and i'd better replace the damn thing, -- i wanted to re-flash it with openwrt (openwrt.org) but this particular model isn't supported so i can't even install linux on it 11:10 < mjt> maybe will run it in bridge mode to do nat (and have real IP) on my real linux pc 11:11 < mjt> that's the difference between -j MASQUERADE and -j SNAT -- keeping entries when an interface goes down. 11:12 < mjt> this thing uses SNAT, while it should use MASQUERADE. Or it should remove all NAT entries with some /etc/ppp/ip-down script 11:13 * ecrist doesn't use linux. 11:13 < mjt> that prob @openvpn.net looks like an I/O subsystem (disk) on that machine is hosed, and no watchdog is configured 11:13 < ecrist> what makes you say that? 11:14 < mjt> it's quite typical behaviour when it can't access its filesystem(s) 11:14 < mjt> seen that many, many times... ;) 11:15 < mjt> it accepts the tcp connections, it replies to pings, but anything that requires disk access is down. 11:16 < ecrist> ah, but you're not taking into account proxying for HA 11:16 < mjt> definitely not. I didn't know about that 11:16 < ecrist> which could simply be a down switch, bad ethernet cable, or a shutdown backend. 11:17 < ecrist> supposedly, they run a cluster of web servers, which, if it was just a disk, would mean 1/x connections would fail, where x is the number of nodes in their cluster. 
11:18 < ecrist> theoretically, their master node should detect the timeout, and remove the node from the cluster 11:18 < mjt> well, i never used HA stuff so can't comment 11:18 < ecrist> most people don't need HA 11:18 < ecrist> a single server with a hot-failover is sufficient. 11:18 < mjt> and this is one such place, i think ;) 11:18 < ecrist> well, not if you talk to their devs. 11:19 < mjt> openvpn.net site, that is ;) 11:19 < ecrist> (see mention of conversation above) 11:19 < ecrist> they claim to be transporting 1+ Gbps across the openvpn.net network 11:19 < ecrist> and through their web cluster 11:20 < ecrist> directly from the conversation: "We are currently hosting OpenVPN on two sites (Seattle & Dallas) with Gigabits links." 11:20 < mjt> that's quite a lot 11:21 < ecrist> openvpn.net has a single IP, however, with 'The Planet' 11:22 < mjt> ok, i have to go to find some food, with kids too... ;) 11:22 < ecrist> which tells me it really probably is a single dedicated server in a colo in dallas 11:23 < ecrist> their working site, beta.openvpn.net, is at rackspace 11:23 < ecrist> :) 11:23 < mjt> ecrist: thank you for your comments. It's usually quite difficult to find someone who actually has knowledge and understands what he's talking about... 11:23 < mjt> ;) 11:23 < mjt> i'll go eat something right now.. bbl 11:23 < ecrist> l8r 11:43 -!- joelsolanki [i=joelsola@123.237.173.76] has joined ##openvpn 11:43 < joelsolanki> Hi all 11:43 < joelsolanki> still openvpn.net is down 11:43 < ecrist> beta.openvpn.net 11:43 < joelsolanki> oh :) 11:44 < joelsolanki> let me check 11:44 < joelsolanki> awesome that works. 11:44 -!- mode/##openvpn [+o ecrist] by ChanServ 11:44 < joelsolanki> ecrist: Hi 11:44 -!- ecrist changed the topic of ##openvpn to: openvpn.net is down, try beta.openvpn.net instead. 11:44 -!- mode/##openvpn [-o ecrist] by ecrist 11:45 < joelsolanki> can openvpn work with mysql database ? 
if yes then how secure it is to use in production environment 11:45 < ecrist> in what way would you couple mysql with openvpn? 11:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:56 < JimUnderscore> I finally figured it out, with client-to-client I was able to ping other clients but not the server, my problem was I needed to change the config from dev tun to dev tap 11:57 < JimUnderscore> it was sort of confusing because the instructions said to use dev tap if I was ethernet bridging and bridged it with my ethernet interface, however I'm not bridging it to an ethernet interface I'm just running it as its own (virtual)lan 11:59 < joelsolanki> ecrist: sorry phone. i mean to say all openvpn configs and username/passwords, ssl stuffs should come from radius server using mysql as backend. 11:59 < joelsolanki> www.strongvpn.com 12:00 < joelsolanki> it seems they are providing hosted vpn service and using openvpn. 12:00 < ecrist> joelsolanki: without some hackery, no. 12:00 < ecrist> users/pass, yes 12:00 < ecrist> configs, not so much 12:00 < joelsolanki> hmm. 12:00 < ecrist> ssl stuffs, there isn't anything to be included. 12:00 < joelsolanki> aha 12:00 < ecrist> either it's a valid SSL cert, or it's not. 12:00 < joelsolanki> do you know strongvpn.com ? 12:01 < ecrist> no 12:01 < joelsolanki> they are using openvpn most probably. they give services of hosted vpn 12:01 < JimUnderscore> hmm, strongvpn...I think I used them once 12:02 < ecrist> ok, and this applies to your question how? 12:02 < joelsolanki> not really. now i m just trying to know how i can create hosted vpn environment. 12:03 < ecrist> well, use ldap for your user/pass on the backend, as it's better suited to such things. 12:03 < joelsolanki> hmm. 
agree 12:03 < ecrist> your ssl certificates need only be created and distributed 12:04 < joelsolanki> ok 12:04 < ecrist> server doesn't need to track all of the valid certificates, those are parsed out 12:04 < ecrist> 3) profit 12:04 < ecrist> everything else is the software package and servers you deploy 12:04 < joelsolanki> ok 12:04 < ecrist> and really, this has little to do with openvpn, it would work for anything 12:05 < joelsolanki> i understand. 12:05 < ecrist> with openvpn, you can build custom windows client packages, with your own logos, icons, etc 12:05 < joelsolanki> i see 12:05 < ecrist> you can do the same for Mac OS X, and you could build a wrapper for a linux client, but most of them would probably prefer to simply run the command themselves. 12:05 < joelsolanki> agree 12:05 < ecrist> hell, for $85/hour, I'll do all the dev for you. 12:06 < joelsolanki> :) 12:06 < joelsolanki> do you think the hosted vpn makes a good idea to business ? 12:06 < ecrist> if it didn't, you wouldn't see other companies out there making money 12:07 < joelsolanki> yes 12:07 < joelsolanki> a tech question. 12:09 < joelsolanki> if a customer who is using openvpn as client has 1 Mbps bandwidth and vpn server in usa has 10 Mbps bandwidth. so as far as i know that customer will get 1 Mbps after connecting to vpn to usa server. 12:09 < joelsolanki> is my knowledge correct ? 12:09 < ecrist> roughly, there's going to be overhead for the packet headers 12:09 < ecrist> and you introduce additional latency by adding more hops. 12:09 < ecrist> a proxy is almost always going to be slower than a direct connection 12:10 < joelsolanki> hmm 12:10 < ecrist> also, it depends on the processor load on the VPN and client systems. 12:10 < joelsolanki> i see 12:10 < ecrist> encryption is going to chew proc time, and if the VPN server is too slow, or over used, it will affect bandwidth. 12:11 < joelsolanki> ok 12:12 < joelsolanki> i have 2 offices. 1st in canada and 2nd in germany. 
and vpn server is at USA. vpn server has config of client-client communication. 12:13 < joelsolanki> both offices are connected to vpn server in usa. 12:13 < joelsolanki> now if canada office and germany office send huge files over vpn then will the bandwidth of usa vpn server be used ? 12:13 < joelsolanki> or direct canada and germany bandwidth will be used ? 12:14 < mjt> not direct 12:14 < mjt> unless you also connect this pair together 12:14 < ecrist> joelsolanki: yes 12:14 < mjt> it's just slightly different routing on the usa side 12:14 < mjt> hm? 12:14 < ecrist> usa will be hit on both upload and download 12:14 -!- JimUnderscore [n=zyme@216.218.95.3] has quit [" HydraIRC -> http://www.hydrairc.com <- Organize your IRC"] 12:15 < joelsolanki> aah ok. 12:15 < mjt> aha, that's what i mean 12:15 < joelsolanki> got it :) 12:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:16 < ecrist> afternoon, krzee 12:16 < mjt> damn. I've read it kfreeze, or kernel freeze ;) 12:17 < krzee> wassup eric! 12:17 < ecrist> you off your vacation yet? 12:17 < krzee> neg 12:18 < krzee> on tues i go back 12:18 < ecrist> lucky fucker 12:18 < krzee> totally 12:18 < krzee> except that im running out of $ 12:18 < krzee> lol 12:18 < ecrist> my wife is finally to the 'fun' stage of being pregnant. a little more randy. :) 12:18 < ecrist> isn't that always the rub? 12:19 < krzee> theres small talk of me coming down here to run a casino tho 12:19 < krzee> we'll see if that comes true or not 12:19 < ecrist> sweet 12:21 < ecrist> this box is taking far too long to compile freebsd. 12:21 < ecrist> I knew I should have done this last night. 12:28 -!- Irssi: ##openvpn: Total of 53 nicks [0 ops, 0 halfops, 0 voices, 53 normal] 12:29 < krzee> lol 12:32 < ecrist> this is an old box, too, though it's what I'd consider our core system 12:32 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn 12:32 < ecrist> OpenVPN, SVN, and Jabber all run on it. 
12:40 < krzee> werd 12:40 < krzee> im sure you can get by with a pentium 1 or those 3 apps 12:41 < krzee> (another reason to love unixes) 12:45 < joelsolanki> :) 12:46 < krzee> s/or/for/ 12:47 < joelsolanki> (another reason to love unixes) 12:47 < krzee> LOL 12:47 < krzee> nice 12:47 < ecrist> it's a Dell 1650 with dual procs and 2x36GB disks in gmirror :) 12:47 < krzee> my boy who i colo with in san diego finally switched to freebsd 12:47 < krzee> then he asks me what frontend he should use for pf, because he needed one for iptables 12:47 < ecrist> 2xP3 1.113Ghz, 2GB ECC RAM 12:48 < ecrist> lol 12:48 < ecrist> vim for the frontend. 12:48 < krzee> im like you dont need a frontend for PF, iptables you did cause iptables usage is the lameness 12:48 < krzee> but freebsd they just do it right instead 12:48 < krzee> lol 12:48 < ecrist> I'm still torn between pf and ipfw, though. 12:48 < krzee> ya, im gunna tell him his frontend is nano 12:48 < krzee> ya, i do like the first come first serve factor of ipfw 12:49 < krzee> but pf scrub wins the battle for me 12:49 < ecrist> I've switched to pf because it's what I use at work, but it's missing some things ipfw does, and vice-versa 12:49 < ecrist> ah, pf scrub kills Xbox Live. 12:49 < ecrist> can't use it on my network at home because of that 12:49 < krzee> pf scrub with NOTHING else will confuse the SHIT outta nmap -O 12:49 < reiffert> beta.openvpn.net looks different. 12:49 < ecrist> it is, but it's all there. 12:50 < krzee> heyyyy nice 12:50 < krzee> openvpn access server!? 
12:51 < krzee> i hope they arent windowsafying openvpn 12:51 < ecrist> yeah, looks nice, but no freebsd support atm 12:51 < ecrist> access server is a bit of windowsafying 12:52 < krzee> welp, i guess they waited long enough and were sure to build the base strong enough 12:52 < krzee> so i have no room to complain 12:53 < ecrist> sweet, 7.1 didn't break svn, openvpn, or trac 12:54 < ecrist> krzee: access-server, from what I gather, is an option, and isn't going to be required. 12:54 < ecrist> good ol' openvpn is still going to be around 12:54 < krzee> ya thats what it looks like to me too 12:55 < ecrist> bbiaf, gotta rebuild pam_ldap et al 13:05 < onats> arent you guys part of openvpn team? 13:07 < reiffert> openvpn is a one (two) man show. 13:07 < onats> who's the one / two? 13:07 < onats> active in this channel? 13:08 < reiffert> James Yonan and Francis Dinha 13:08 < reiffert> no. 13:09 < onats> what is this access server? 13:10 < reiffert> OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients. There are a number of server configuration options supported which are a carefully selected subset of a quite large set of possible OpenVP 13:10 < onats> yes. as posted on the website 13:10 < onats> lol 13:11 < onats> am gonna try it out anyway 13:11 < krzee> it looks like openvpn for MCSE's 13:11 < krzee> lol 13:12 < reiffert> It looks like buy license keys. 13:14 < onats> i got it 13:14 < ecrist> I talked to Francis about becoming the active support part OpenVPN, but they're not interested. 
13:14 < onats> if a client wants to connect to a private network, he logs onto a web site on the server, authenticates, gets generated keys, and sets up ovpn on his/her machine
13:15 < krzee> ya, they just want to host our stuff so they can ruin it like they did the stuff they host
13:15 < krzee> they had a wiki, a forum, etc
13:15 < krzee> even have their own mail archives that they STILL havnt fixed
13:16 < onats> so does that mean openvpn is no longer going to be free?
13:16 < krzee> only if you need the MCSE version
13:17 < onats> if you dont, administrator has to manually manage/administer it right?
13:17 < onats> its basically an automation tool?
13:17 < krzee> i will personally go kick some ass if the current version changes licenses to require $$$
13:17 < krzee> basically, if you can handle openvpn as you already know it, you have no worries
13:17 < onats> was openvpn based on some other opensource project?
13:18 < krzee> no
13:18 < onats> hey, btw, does anyone have a copy of the docs/FAQ's and everything else/old docs?
13:18 < krzee> well i dont believe so
13:18 < krzee> the FAQ is on the website
13:18 < krzee> !faq
13:18 < vpnHelper> krzee: "faq" is http://openvpn.net/index.php/documentation/faq.html
13:19 < onats> cant be loaded...
13:19 < onats> :((
13:19 < onats> took em down?
13:19 < onats> why'd they open source?
13:19 < onats> for other people's contrib?
13:20 < krzee> lol i dunno, maybe cause the author is a good guy
13:20 < krzee> (just guessing)
13:20 < reiffert> the faq is on beta.openvpn.net
13:20 < krzee> those fags better keep all links working
13:21 < krzee> i have so many static links on the bot
13:21 < onats> saving now before it gets taken down
13:21 < onats> wehehhe
13:22 < reiffert> however, there are opensource versions of openvpn and if openvpn changes policy or license, there will be a fork()
13:22 < krzee> totally
13:23 < ecrist> krzee will be the new overlord
13:23 < onats> krzee, quick question. if i want the clients to get static IPs, i need to put them in cCD config file?
13:23 < onats> and ecrist
13:23 < krzee> !iporder
13:23 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
13:24 < onats> thanks! will read up
13:25 < krzee> np
13:25 < krzee> so for static you have 2 choices
13:25 < krzee> you can script it or use ccd entries
13:25 < krzee> if both exist, script takes precedence
13:26 < onats> script in?
13:26 < onats> im more familiar with CCD as what you've taught before
13:26 < krzee> --client-connect uses a script
13:26 < krzee> whatever script you build
13:26 < krzee> ya ccd is easier for most deployments
13:26 < krzee> but of course theres advantages to using the script as well
13:27 < krzee> i usually say go with ccd entries, but theres been usages where ive recommended client-connect scripts
13:28 < onats> ok ill read up on it tomorrow at work
13:29 < onats> thanks for the lead
13:29 < ecrist> I despise sun's java download requirements
13:29 -!- joelsolanki [i=joelsola@123.237.173.76] has quit []
13:29 < onats> whats wrong with it?
13:43 < ecrist> you're required to go to their website and physically click 'I agree' to download it.
13:43 < ecrist> it breaks things like the FreeBSD ports tree
13:49 < mjt> anyone tried to chroot a tls-server?
13:50 < krzee> sure
13:50 < mjt> i guess ssl needs something in there too
13:50 < mjt> like /dev/random
13:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:51 < mjt> but ok, if it's supposed to work, i'll find out ;)
13:53 < krzee> you'll want persist stuff too
13:54 < mjt> does *bsd have "device" routes? Like "send this IP address over this device" as opposed to "via that nexthop" ?
13:54 < mjt> krzee: sure
13:54 < krzee> umm
13:55 < krzee> i dont see where you find the separation...
13:57 < mjt> the actual difference is internal and small. It's if the 'nexthop' IP address will be the same as the destination when sending over that device, or different.
13:57 < mjt> when I send a packet from my 192.168.10.5/24 to 192.168.10.1, the two are the same.
13:58 < krzee> ohh, so your question is more about the source address when sending traffic over differing interfaces
13:58 < mjt> nothing to do with source address
13:58 < mjt> nexthop and destination, not source
13:58 < krzee> i dunno, maybe ecrist can answer
13:59 < mjt> but when i send packet from that same 192.168.10.5/24 to 1.2.3.4, i'm actually sending it to 192.168.10.1 (the gateway), not to 1.2.3.4
13:59 < mjt> in first case, nexthop=destination, since the destination is directly reachable on this ethernet segment
13:59 < krzee> you're sending it to 1.2.3.4 on the IP level, but not on the ethernet level
13:59 < mjt> yes
14:00 * ecrist goes home.
14:00 < mjt> i tried to understand this thing and already asked ecrist about that. But I still can't understand why it's done this.. strange way.
14:01 < mjt> bye ecrist
14:02 < krzee> its not *bsd
14:02 < krzee> its how the internet works
14:02 < mjt> nope
14:02 < krzee> layer 2 and layer3
14:02 < mjt> it's how openvpn works ;)
14:03 < krzee> umm
14:03 < krzee> no
14:03 < krzee> its how layer 2 and 3 work
14:03 < mjt> ;)
14:03 < krzee> openvpn happens to use those
14:03 < mjt> i'm trying to find the relevant section in the docs
14:04 < krzee> openvpn doesnt specify that stuff, it lets the OS handle it
14:04 < mjt> ok, the manpage, --server option
14:04 < mjt> ifconfig 10.8.0.1 10.8.0.2
14:05 < mjt> ifconfig-pool 10.8.0.4 10.8.0.251
14:05 < mjt> here, 10.8.0.2 is 100% fake
14:05 < mjt> it's unused, unreachable, but used to set up routes to clients
14:05 < mjt> and the next line
14:05 < mjt> route 10.8.0.0 255.255.255.0
14:06 < mjt> ifconfig+route will be like this on the host:
14:06 < mjt> inet 10.8.0.1 peer 10.8.0.2/32
14:06 < mjt> route 10.8.0.0/24 via 10.8.0.2
14:07 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: blaxthos, Bushmills, disco-, clustermagnet, dvl, krzie_
14:07 < mjt> that ip address in the route line is SOLELY to send the packets to the tun device
14:07 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit ["lavren has no reason"]
14:07 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Excess Flood]
14:07 < mjt> in linux at least, i can use another route version:
14:07 < krzee> its internal
14:07 -!- Netsplit over, joins: Bushmills, krzie_, dvl, blaxthos, clustermagnet, disco-
14:07 < mjt> route 10.8.0.0/24 dev $tunnel
14:07 -!- A[D]minS [n=Whisky@196.219.128.160] has joined ##openvpn
14:08 < mjt> what's internal?
14:08 < mjt> the IP address?
14:08 < krzee> the .2 part
14:08 < krzee> heres why:
14:08 < mjt> it's not
14:08 < krzee> !/30
14:08 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:08 < krzee> !topology
14:08 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:08 < krzee> read that last link
14:09 < mjt> well, i'm pretty well aware of that /32 "pointopoint" thing
14:10 < mjt> here, the .2 is not "internal" per se
14:10 < mjt> it's used to set up route
14:10 < krzee> it IS internal
14:10 < mjt> i.e, to make `route' command happy. Or to deal with openvpn's internal `route' option deficiency
14:10 < krzee> right
14:10 < mjt> which expects the nexthop, not device
14:11 < krzee> to allow them to deal with windows lameness
14:11 < krzee> before they found topology subnet
14:11 < mjt> hence i asked is there's device routes in *bsd
14:11 -!- A[D]minS [n=Whisky@196.219.128.160] has quit [Remote closed the connection]
14:11 < mjt> s/is/if/
14:12 < mjt> it's trivial to avoid that .2, but in this case --route has to be replaced with --cmd
14:12 < mjt> or --up -- whatever it is, i forgot
14:12 < mjt> and it's pretty much ok to use that .2 for a client
14:13 < mjt> it's just that traditionally, such type of interface had 2 IP addresses associated with it, "our" and "the remote" endpoints.
14:13 < krzee> false, you change it by changing the topology
14:14 < mjt> i mean interface of type POINTOPOINT, as opposed to ethernet-like -- ie, tun vs tap
14:14 < mjt> and it's not false
14:14 < mjt> and the remote endpoint address was never actually used
14:15 < mjt> think eg ppp links
14:15 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
14:15 < mjt> the remote end does not care which IP we think is his
14:15 < mjt> it just accepts every packet send its way and injects it to the kernel's IP stack
14:15 < mjt> s/send/sent/
14:16 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has joined ##openvpn
14:16 < mjt> there's no "nexthop" in there, unlike with ethernets
14:16 < mjt> nexthop "field" in the packet, that is
14:17 < mjt> but the remote endpoint is used on the local machine, just for one single purpose -- to make routing table "happy"
14:18 < mjt> and openvpn goes further, inventing a bogus IP address for the remote "endpoint" (there are many endpoints actually). In examples anyway.
14:19 < mjt> in some operating systems, `route' command can only accept a "nexthop" IP address, not a device name. that's why.
14:19 < mjt> and openvpn implements its --route as the most common case.
14:20 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
14:20 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
14:22 < mjt> that link you mentioned -- it talks about things like --server, --topology, -- i.e., "high-level" constructs. I.e, how openvpn will configure its interface and stuff automatically. But what I said above applies even to the lowest level, --ifconfig-noexec and everything done with scripts.
14:24 < mjt> the only small problem i had with all this stuff is -- it's not quite possible to --push a device route to a client, syntax-wise. openvpn insists on using nexthop IP address, and i can't push a --cmd (obviously)
14:25 < mjt> (on server, it's all done with --cmd since again --route requires nexthop, not device)
14:30 < mjt> blah. why that osdir.com page is set to Refresh: every so often, and is not cacheable?..
14:31 < mjt> it's amazing what creative ways they're finding to utilize bandwidth and resources...
14:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
14:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:09 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
15:10 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
15:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:42 < ecrist> garrgh
15:42 < ecrist> now my named cores.
16:00 * mjt finally switched from named to unbound+nsd
16:00 < mjt> the two have their own... issues, but it's cleaner so far.
16:21 < mjt> hm.
16:21 < mjt> Mar 9 00:25:11 csrv ovpn-vtls[509]: TLS Error: cannot locate HMAC in incoming packet from 91.77.90.232:1194
16:21 < mjt> Mar 9 00:25:43 csrv last message repeated 15 times
16:21 < mjt> is that a DDoS protection? :)
17:03 < mjt> ok, so I've built the network again, testing that 'unknown client' thing.
17:03 < mjt> and just routed some IP address, in this case 192.168.10.250, to the tunnel
17:03 < mjt> and am trying to ping it.
17:04 < mjt> openvpn receives the packet, but fails to understand what to do with it
17:04 < mjt> GET INST BY VIRT: 192.168.10.250 [failed]
17:04 < mjt> and the packet gets ignored.
17:04 < mjt> instead of generating ICMP back.
17:05 < mjt> so the original connection times out.
17:09 -!- `md [i=nobody@kosmos.kawaii-shoujo.net] has joined ##openvpn
17:09 < `md> hi
17:10 < `md> i have a problem, maybe someone can help me, i'll try to explain:
17:11 < `md> i have an openvpn connection to a server, the server has 10.10.0.1 on the tun interface and my windows machine has 10.10.0.2
17:11 < `md> additionally my windows machine is on my local network which is 192.168.10.0/24
17:12 < `md> and now i need other hosts on the 192.168.10.0 network to be able to reach 10.10.0.1
17:12 < `md> how do i accomplish this? i already tried bridging the openvpn tuntap adapter with my physical network card, but that didnt work at all
17:13 < `md> i suppose my last hope would be to just enable nat on the windows machine, but i'd really like to avoid that
17:13 < mjt> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
17:13 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
17:13 < `md> i was thinking that maybe you can somehow set some routes to make it work
17:13 < mjt> it's all explained in the HOWTO actually
17:14 < `md> oh?
17:14 < `md> cool, let me read it
17:14 < mjt> lol
17:14 < mjt> see /topic too
17:15 < `md> wow, this sounds promising
17:15 < mjt> hmm or maybe not - it probably was some other howto, not the one on openvpn.net
17:15 < mjt> but that wiki page is here anyway
17:17 < mjt> !route
17:17 < vpnHelper> mjt: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
17:18 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:19 < `md> yes
17:19 < `md> it explains it
17:19 < `md> but when it comes to the juicy part it doesnt explain what i need to do actually :(
17:19 < `md> ROUTES TO ADD OUTSIDE OF OPENVPN
17:19 < `md> that part at the end
17:19 < `md> thats exactly what i still need to know, cause i already have the iroute thingie in the ccd
17:20 < `md> 192.168.2.1 must know that for 192.168.1.x 192.168.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to 192.168.2.10
17:20 < `md> This is true for any number of lans you want to connect, whether server or client.
17:20 < `md> ^
17:20 < `md> how do i add this route
17:21 < mjt> in --up
17:22 < mjt> or --route
17:23 < `md> dont i need to add this on the machines that need to access the vpn (those which are not the ones running openvpn)
17:23 < mjt> but if you're referring to that part.. well.. that'd be every machine on both LANs, I suppose.
17:23 < `md> yes
17:24 < mjt> if there's a machine C on one end, an R which is its default gateway, and V which is running openvpn connected to the other side
17:24 < mjt> how C will know that for the network belonging to that other side the packets should be sent to V, not to R?
17:25 < mjt> as a possibility you can add that knowledge to R only, and it will do redirects for C
17:25 < `md> well
17:26 < `md> for example, i have my windows machine that has 192.168.10.40 and 10.10.0.2 and a debian machine that has 192.168.10.50 and my openvpn server which has 10.10.0.1
17:26 -!- Diddi [n=diddi@zonic.bsnet.se] has joined ##openvpn
17:26 < mjt> ow
17:26 < `md> now the debian machine needs to access 10.10.0.1 too, cause i want to use 10.10.0.1 as its gateway
17:26 < mjt> windows machine with more than one IP address.. why?
17:27 < `md> cause thats where i run openvp
17:27 < mjt> aha
17:27 < `md> n
17:28 < `md> so yeah i'm looking for a route command for the 192.168.10.50 machine
17:28 < mjt> ugh. how openvpn server can be a gateway for your debian as the two aren't directly connected?
17:28 < `md> so it knows it should route 10.10.0.0 stuff over 192.168.10.40
17:28 < `md> mjt: that is exactly what i'm trying to find out
17:29 < `md> how i can make the two communicate to each other
17:29 < mjt> you can't do that
17:29 < `md> not at all?
17:29 < mjt> we
17:29 < mjt> err
17:29 < mjt> you can't make openvpn server to be a gateway for your debian
17:29 < mjt> unless you run another tunnel between the two
17:30 < mjt> if you use the same definition as I do
17:30 < mjt> sure you can make them to see each other
17:30 < mjt> but a gateway is something that's directly reachable
17:30 < mjt> in your case your windoze machine will be a gateway
17:32 < mjt> think of the two -- 10.10.0.* and 192.168.10.* - as about two entirely separate ethernet segments
17:33 < mjt> with the only machine that has network cards on both being the windows box
17:34 < `md> yes
17:34 < Diddi> Hi! can someone explain to me, or point me to papers that do, how the certificates actually work. I'd like to know what KEY_COUNTRY etc. are used for, and why each client must have the same variables in order to be signed by the ca (:
17:35 < `md> mjt: so yeah, you said something interesting... 23:37:21 < mjt> sure you can make them to see each other <-- how would that even work?
17:36 < mjt> `md: debian should know to send packets for 10.10.* to your win
17:36 < mjt> and the other side should know to send packets for 192.168.10 back to the tunnel
17:36 < mjt> that's basically it
17:37 < mjt> Diddi: as far as i can see (i started with openvpn today), those fields are ignored -- everything but the CommonName
17:38 < `md> 23:43:32 < mjt> `md: debian should know to send packets for 10.10.* to your win <- no right now it doesnt know how, and i want to know how i can make it do that
17:38 < `md> do i need to add my windows machine as a gateway for the debian machine? and enable nat on the windows machine?
17:38 < mjt> wug, that's basic networking
17:39 < `md> yeah
17:39 < `md> i know :/
17:39 < mjt> ip route add 10.10.0.0/24 via 192.168.10.40
17:39 < Diddi> mjt: but from what I know they can't be left out empty either... and I'd like to use those fields to see the actual location of the client (country etc)
17:40 < mjt> Diddi: that's exactly what i used them for so far
17:40 < mjt> openvpn only cares about CN
17:40 < mjt> and the whole thing should be signed by the ca
17:40 < `md> ah!
17:41 < mjt> Diddi: (but again, i'm not sure about that -- just try it out)
17:41 < Diddi> (:
17:42 < mjt> from the logic of it, and from my less-than-a-day experience, it should work
17:43 < Diddi> iirc the signing process will fail because the variables don't match.. which bothers me.. but I may be wrong with the whole idea of certs also (:
17:43 < mjt> how do you think it works in "real life" -- for web sites with real certificate authorities?
17:43 < mjt> thawte, verisign etc?
17:43 < mjt> the variables don't match by definition
17:44 < Diddi> that's why I think I may be doing it wrong also :P
17:52 < `md> mjt: it seems to work :O
17:53 < Diddi> mjt: ah, I found the policy_match section in openssl.cnf (: it specifies what variables need to match the ca etc
18:02 < `md> mjt: so is there anything else i could try to do?
18:02 < `md> i mean so i can use 10.10.0.1 directly or indirectly as a gateway
18:03 < mjt> i don't understand that question
18:05 < `md> 23:36:45 < mjt> you can't make openvpn server to be a gateway for your debian
18:05 < `md> 23:36:53 < mjt> unless you run another tunnel between the two
18:05 < mjt> and?
18:05 < `md> so only other choice is running yet another vpn tunnel?
18:06 < mjt> it's possible to play some games with IP packets
18:07 < mjt> but i don't see a reason
18:07 < mjt> like, it's possible to read information which was erased (filled with zeros) from your hard drive. But what for?
18:11 < `md> to me it seems superfluous having to run 2 vpn tunnels
18:13 < mjt> you can have config on your debian which is almost the same as on your doze
18:13 < mjt> i mean ip-wise - which routers are used for what
18:13 < mjt> but routing different networks over vpn is hardly possible
18:14 < mjt> (not impossible but involves quite some configuration and understanding. and i've no idea if it really IS possible on 'doze)
18:14 < `md> yeah me neither, well i guess i just try another tunnel or simply enabling nat on the windows machine then
18:15 < mjt> nat on doze will not change anything
18:16 < mjt> well
18:16 < mjt> unless you've an issue i think you have
18:16 < mjt> some ANOTHER issue, that is
18:16 < `md> which would that be?
18:17 < mjt> but if it's not what i think, it's entirely your fault because of your description of the problem ;)
18:17 < `md> it might be? i dunno :D
18:17 < mjt> you said about gateway
18:17 < mjt> how you expressed it - it's not possible or really difficult
18:17 < mjt> but i assumed you have another box right now that acts as a gateway for both
18:18 < `md> no
18:18 < mjt> and you want the remote to act as a gateway for debian only, but not for windows
18:18 < mjt> THAT is difficult or impossible
18:18 < `md> no i want the remote to act as gateway for both
18:18 < `md> but both machines are on the same physical network
18:18 < mjt> so it's entirely your fault
18:18 < mjt> ;)
18:18 < `md> lol :)
18:19 < `md> well yeah explaining isnt my strong point :/
18:19 < mjt> you see how different the issue is compared to what i was thinking it is?.. ;)
18:19 < mjt> but ok
18:20 < mjt> so your issue - you'll have to find out what exactly does not work
18:20 < mjt> i guess the gateway of the remote end does not know how to route packets for 192.168.10.
18:21 < mjt> or it tries to send packets with SOURCE address of 192.168.10 to the 'net and sure thing it doesn't work because the replies never come back
18:21 < mjt> think of it as if you installed another ethernet segment on the remote side, connecting it via your 'doze box
18:22 < mjt> you have to teach existing hosts there how to send packets to your net
18:22 < mjt> and to do NAT for it when sending to the outside
18:22 < mjt> but i'm out of here anyway, it's 02:29 here already, night
18:23 < mjt> (and in this case setting up NAT on 'doze actually makes quite good sense)
18:32 < `md> yeah and it even works
18:32 < `md> just port forwarding could be a bit annoying
18:36 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Read error: 104 (Connection reset by peer)]
19:07 -!- gejr [n=gejr@unaffiliated/gejr] has quit [Read error: 131 (Connection reset by peer)]
19:07 -!- gejr [n=gejr@unaffiliated/gejr] has joined ##openvpn
19:10 -!- Arkonide_ [n=source@p57B8F9EC.dip.t-dialin.net] has joined ##openvpn
19:10 -!- Arkonide_ [n=source@p57B8F9EC.dip.t-dialin.net] has left ##openvpn ["openvpn"]
19:11 -!- dpie [n=dpie@88-134-159-57-dynip.superkabel.de] has joined ##openvpn
19:12 < dpie> hi there i have problems to set up a vpn connection to perfect privacy in ubuntu, maybe anyone has a few minutes to help me?
19:33 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
19:49 -!- klasikahl [n=zg@unaffiliated/klasikahl] has joined ##openvpn
19:50 < klasikahl> uh seeing as how openvpn.net is down, where can i grab the latest lzo and openvpn tarballs? sf files send users to openvpn.net
19:57 -!- dpie [n=dpie@88-134-159-57-dynip.superkabel.de] has left ##openvpn []
20:36 -!- klasikahl [n=zg@unaffiliated/klasikahl] has quit ["Lost terminal"]
20:39 -!- `md [i=nobody@kosmos.kawaii-shoujo.net] has left ##openvpn []
20:39 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit [Read error: 110 (Connection timed out)]
20:51 -!- DaveQB [n=DaveQB@dward.us] has joined ##openvpn
21:01 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.]
21:01 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:02 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
21:02 -!- onats [n=15172@221.121.120.254] has left ##openvpn []
21:02 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:04 -!- onats [n=15172@221.121.120.254] has left ##openvpn []
21:04 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:06 < ecrist> evening, kids
21:08 < DaveQB> Just a quick question by a newbie with OpenVPN. The DHCP range you choose, does this need to be the same range, or a part of the DHCP range the OpenVPN resides on or a totally separate DHCP range [and the OpenVPN server bridges the remote DHCP range into the local DHCP range/network ] ?
21:08 < DaveQB> I hope that makes sense
21:08 < onats> morning
21:09 < onats> uncle
21:09 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
21:09 < ecrist> DaveQB: depends on what you're doing, tun or tap
21:09 < ecrist> typically, the VPN subnet is completely separate from the LAN, and proper routes are put in place
21:13 -!- onats [n=15172@221.121.120.254] has left ##openvpn []
21:14 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:26 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit [Read error: 110 (Connection timed out)]
21:29 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn
21:29 -!- onats [n=15172@221.121.120.254] has quit ["Leaving."]
21:35 < DaveQB> ecrist: Thanks. I want the remote users to be seamlessly in the LAN that the OpenVPN is on.
21:36 < DaveQB> ecrist: So still have them on a different subnet ?
21:37 < DaveQB> How do they get onto the LAN then ? A route on the OpenVPN server box ?
22:12 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
22:12 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
22:15 -!- worch [i=worch@battletoad.com] has quit [Read error: 104 (Connection reset by peer)]
22:19 -!- worch [i=worch@battletoad.com] has joined ##openvpn
22:20 -!- fuffalo [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has quit []
22:57 -!- fuffwork [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has joined ##openvpn
22:58 < fuffwork> when i try to add a new tap-win32 virtual ethernet adapter, i get "tapinstall.exe failed." I'm in vista and running it as an admin, anything else i need to do?
23:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:20 -!- hardwire [n=spencers@62-197-137-216.mtaonline.net] has joined ##openvpn 23:57 -!- fuffwork [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has quit [] --- Day changed Mon Mar 09 2009 00:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 02:21 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 02:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:45 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:05 < dazo> DaveQB: if you want them to seamlessly in the network, it can sound like you'd like to do bridging. But setting up a separate network segment is usually better ... you just define that network segment and provide routing information to the VPN clients ... usually by using 'push "route "' ... or just a route statement with the same info in the client config 03:36 < dazo> !route 03:36 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 03:36 < dazo> DaveQB: ^^^ 03:40 < mjt> hmm 03:40 < mjt> "Options error: --local addresses must be distinct from --ifconfig addresses" 03:41 < mjt> how to force it to stop complaining? 03:42 < mjt> i can use ifconfig in --up instead of --ifconfig, but this way breaks push route 03:50 < mjt> damn. it's too "smart". it dislikes even my internal IP address range. I want to shut up all this nonsense. 03:55 < mjt> ok, and here's something else. 03:56 < mjt> i want openvpn to be a "backup" vpn - alternative to the solution our ISP provides (connecting remote offices). Normally, there's a route to whole client network (10.90.0.0/16, whatever) pointing to the ISP's equipment. 
But when a particular client connects, I want to set up its particular route to go over openvpn interface (tls-server). 03:57 < mjt> it seems like it's impossible to do without running openvpn process as root. 03:58 < mjt> alternatively I can set up a socket (or a fifo) writable by openvpn user, have root-owned process listen to it and run a script at client connect/disconnect that will `echo $client up|down > fifo' 04:00 < mjt> any less ugly solution? :) 04:15 < mjt> wow. openvpn.net is up again! 04:16 -!- Diddi [n=diddi@zonic.bsnet.se] has quit [Remote closed the connection] 04:27 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 04:55 < reiffert> !topic 04:55 < vpnHelper> reiffert: Error: "topic" is not a valid command. 04:55 < mjt> it's /topic 04:55 < mjt> but you have to be op to change it 04:56 < reiffert> Hm, someone +n'ed the channel. 04:56 < reiffert> ecrist: /topic Check your firewall. We need !logs and !configs. See !howto for beginners, !route for lans behind openvpn 04:57 < mjt> it's 04:57 there now 04:57 < mjt> he's probably asleep 04:58 < mjt> heh. and his clock is off by 8 minutes, too 05:02 -!- mode/##openvpn [+o dazo] by ChanServ 05:02 -!- dazo changed the topic of ##openvpn to: openvpn.net is down, try beta.openvpn.net instead. || Check your firewall || We need !logs and !configs || See !howto for beginners || !route for lans behind openvpn 05:03 -!- mode/##openvpn [-o dazo] by ChanServ 05:03 < dazo> reiffert: satisfied? 05:04 < reiffert> dazo: no. 05:04 < reiffert> 10:22 < mjt> wow. openvpn.net is up again! 05:04 < dazo> reiffert: uhh ... 
didn't see that one :) fixing 05:05 -!- mode/##openvpn [+o dazo] by ChanServ 05:05 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || !route for lans behind openvpn 05:05 -!- mode/##openvpn [-o dazo] by ChanServ 05:06 < reiffert> Please add: || Also intresting: !man !/30 !topology 05:06 -!- mode/##openvpn [+o dazo] by ChanServ 05:06 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || !route for lans behind openvpn || Also intresting: !man !/30 !topology 05:06 <@dazo> reiffert: Good point! 05:06 -!- mode/##openvpn [-o dazo] by ChanServ 05:07 < reiffert> Fix the whitespace? 05:08 < dazo> reiffert: not easy making you happy today .... :-P 05:08 -!- mode/##openvpn [+o dazo] by ChanServ 05:08 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also intresting: !man !/30 !topology 05:08 -!- mode/##openvpn [-o dazo] by ChanServ 05:10 < reiffert> dazo: ah well, I just smile each time when you get opless after doing something :) 05:10 < dazo> reiffert: careful now ......... ;-) 05:10 < reiffert> :) 05:35 < mjt> whee. 05:38 < mjt> !man 05:38 < vpnHelper> mjt: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 05:38 < mjt> in the other words, RTFM! 05:45 < dazo> mjt: basically, yes ;-) ... 90% of all questions coming to this channel is because the person asking question have not bothered to do so ... and if they would have done that, they wouldn't have to ask us ... 05:46 < dazo> and we'll basically just say the same which is in the docs already too, if we would answer :-P 05:46 < mjt> it's that way everywher 05:46 < mjt> e 05:46 < dazo> mm ... unfortunately :( 05:47 < mjt> but ok... 
anyone around to answer a question or two that are NOT covered by docs/mans? :) 05:48 < dazo> mjt: shoot! ... and see who answers ;-) 05:49 < mjt> when I add a route for a network who's client isn't conneced yet, how can i force openvpn to return back something sensible like ICMP net unknown/unreachable, instead of just dropping the packet? 05:50 < mjt> connected even 05:50 < dazo> mjt: you want to route a network behind the client? 05:50 < mjt> well, let it be the client itself, -- makes no difference 05:51 < dazo> mjt: well ... it does a matter ... i depends on which route parameter to use .... route or iroute 05:51 < mjt> i've an openvpn interface. I add soome 1.2.3.4 route to that interface and ping it -- the packets goes to bitbucket. I'd expect to receive some "network unreachable" back 05:52 < dazo> mjt: aha! well, that's a question I've never seen before (10 points for you!) ... I'm really not sure, actually 05:52 < mjt> that route gets addded when openvpn server starts, when no clients are connected. I route all client's addresses 05:52 < mjt> he 05:52 < mjt> heh 05:53 < mjt> oh well. 05:53 < mjt> ok, one more thing... different MTU values for different clients possible? 05:53 < dazo> mjt: I would probably .... send this question to openvpn-users@lists.sourceforge.net .... you'll need to register to the mailing list before you can send anything here .... but that's really worth a shot 05:54 < mjt> aha 05:54 < mjt> i didn't know it's on SF 05:55 < mjt> "Options error: --local addresses must be distinct from --ifconfig addresses" 05:55 < mjt> -- any way to shut it up and just do what I said? :) 05:55 < mjt> (yes I explicitly used the same IP in --local and --ifconfig) 05:55 < dazo> mjt: no, I would not expect it to be possible with different MTU values ... that's because (IIRC) that the MTU value is set on the tun/tap device, and not for the connection itself .... 
to have different MTU's I'd expect you need more tun/tap devices (=more openvpn processes with different ip/port numbers)
05:56 < mjt> heh. I expected something of that sort about MTU belonging to an interface ;)
05:56 < dazo> mjt: you can shut up that message by correcting it .... must be distinct ... cannot go around that one
05:56 < mjt> the thing is that internally, openvpn server will fragment the packets
05:57 < mjt> but the actual MTU may be different per-client, so that fragmentation should be done differently for each client
05:57 < dazo> mjt: I'm not sure if it is the openvpn server itself or if it just sets the MTU value at the interface and lets the kernel driver do the fragmentation ...
05:58 < mjt> openvpn may do fragmentation (--fragment) or it may let the IP stack (on the path) do it (--mtu-disc)
05:58 < mjt> and speaking of different IP address for --ifconfig and --local - that's wrong requirement to have the to differ
05:58 < mjt> two
05:58 < dazo> mjt: ahh ... true ... you have 2 levels of MTU ... what goes on the eth interface (where openvpn can adopt its own packages) ... and the MTU used on the tun/tap device .... didn't think about that now
05:59 < mjt> so make that 3, not 2 ;)
05:59 < mjt> there's also PATH mtu, like, each CLIENT may have its own MTU on its own eth
05:59 < mjt> (but it's in fact even more complicated)
05:59 < dazo> mjt: have you tried --client-config-dir .... that's the only option I know about to setup config variations per client
06:00 < mjt> yes -- doesn't work, openvpn complains about wrongly placed option
06:00 < mjt> ;)
06:00 < dazo> mjt: you're getting to go far above my level of MTU knowledge .... I might appoint you as MTU expert soon ;-)
06:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
06:00 < mjt> 'hwell.
06:01 < dazo> mjt: well, in that case ... it's not supported now :( ....
you may try that question as well on the mailing list
06:01 < mjt> i'd be glad if someone tells me where an expert can ask his own questions... ;)
06:01 < mjt> aha, on the mailinglist! ;)
06:04 < dazo> mjt: it's different people on the mailing list as well ... and there are some really experienced users there too :) Highly recommended! :)
06:05 < mjt> thanks!
06:05 * dazo will pay attention to mailing list ... curious about what answers might come ...
06:07 < mjt> looking at the code, it seems the openvpn internal fragmentation will just work in almost all cases as it just splits the packet into two halves (which is 750 bytes) and adds its own overhead, so the resulting thing should not exceed ~1010 bytes anyway -- hardly a problem in nowadays networks.
06:07 < mjt> problematic MTU values are usually in range 1400..1499, not less.
06:08 < mjt> (1492 for typical ADSL line)
06:19 < mjt> ok, i had to comment out that --local vs --ifconfig check in the code - there's no way to disable it
06:24 < mjt> (well, there is -- by not using --ifconfig and the rest of "easy" options)
07:00 < mjt> !route
07:00 < vpnHelper> mjt: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:00 < mjt> that page does not answer one (at least) question
07:00 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn
07:00 < mjt> how does openvpn on the server know to route its own LAN to the host?
07:01 < mjt> and ditto for all the other participants, for their own LANs
07:01 < mjt> shouldn't there be iroute for each?
07:03 < mjt> or does it just hand "everything" to the host?
07:04 < mjt> (if not client-to-client, everything received from other peers gets pushed to the TUN interface to reach the local kernel IP stack, that is)
07:06 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
07:07 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn
07:09 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
07:12 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn
07:13 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
07:21 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn
07:31 -!- basty [n=basty@212.218.65.230] has joined ##openvpn
07:31 < basty> hi
07:32 < dazo> mjt: everything gets pushed to the IP stack normally ... if client-to-client is enabled, it activates its internal routing in openvpn, where traffic from all clients connected to the given openvpn process is routed/duplicated to the other connected clients ... I'd believe that goes primarily for broadcast, multicast and specific client IP addresses are only sent to the given client
07:33 < mjt> so --iroute basically makes sense only together with --client-to-client
07:33 < basty> I am using OpenVPN 2.0.7 for about 3 years now - without any problems. Today I just wanted to create a new user to my openvpn. As soon as I transfer the certificate to the client I am getting errors like: VERIFY ERROR: depth=0, error=unable to get local issuer certificate - but what's the problem? I mean the "old" users I have created 3 years ago - are still working fine.
07:33 < dazo> mjt: well ... iroute is a kind of "backward routing" ... it gives the possibility to route the subnet from a client to the server .... route goes only from servers side to the client
07:34 < dazo> basty: you need to also transfer the same CA certificate too most probably
07:35 < basty> dazo: yeah - of course I did that also....
07:35 < dazo> basty: which OS?
07:35 < mjt> there are no clients or servers when routing is concerned, -- everything is symmetric
07:35 < basty> dazo: SuSE 9.3
07:36 < basty> dazo: another error in the logfile: TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned and TLS Error: TLS object -> incoming plaintext read error and TLS Error: TLS handshake failed
07:36 < dazo> basty: please send us complete log file and config
07:36 < dazo> !logs
07:36 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
07:36 < dazo> !configs
07:36 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:37 < basty> okay - one sc
07:37 < basty> s/sc/sec :-)
07:37 < dazo> mjt: I'm talking about openvpn clients and openvpn servers .... I meant the relation between those processes ....
07:39 < mjt> well. your explanation confused me further ;)
07:39 < mjt> that "backward routing" thing
07:40 < mjt> iroute tells the server that this particular network is "behind" this particular client
07:40 < mjt> so i was wrong, it's orthogonal with client-to-client
07:41 < dazo> mjt: when the openvpn connection uses "route" .... it means that the network from behind the openvpn server is routed to the client. This will not work backwards, you cannot route a network behind the openvpn client with the route parameter. In this case, you need to use the iroute parameter on the client
07:42 < dazo> mjt: what --client-to-client does ... is that it allows all the VPN clients to see/contact each other, and this traffic never reaches the kernel's IP stack, but is handled internally in the openvpn server
07:42 * mjt is confused even further...
;)
07:43 < basty> dazo: http://pastebin.com/d568d897b
07:43 < mjt> "The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client."
07:44 < mjt> aha. so --route only adds kernel routes, not internal-to-openvpn ones
07:44 < mjt> i was thinking it does both
07:44 < dazo> basty: do you have configs as well?
07:44 < basty> dazo: oh.sorry...one sec
07:46 < basty> dazo: what kind of configs do you need ? even the openssl.cfg ?
07:46 < dazo> basty: I need the openvpn client and server config
07:46 < basty> ah ok
07:46 < mjt> and ccd
07:46 < mjt> ;)
07:47 < dazo> true ... I'll bug for that if I see it is included in the config ... but right now, I don't think I need it
07:47 < basty> dazo: dumb question..where can I find the openvpn server config ? I am sorry - I used to install it 3 years ago..and can't remember anymore ;)
07:47 < dazo> basty: good question .... have a look under /etc/openvpn ...
07:47 < basty> ah doh
07:47 < basty> found it
07:49 < basty> dazo: http://pastebin.com/d6abc18d4
07:49 < mjt> is there a way to stop it from verifying keys (openvpn-vulnkey)?
07:49 < dazo> mjt: scrap Ubuntu or Debian and install a proper Linux distro :-P
07:49 < mjt> aha
07:50 < mjt> 'hwell. another recompile is in order.
07:50 < mjt> (it's debian, for about 8 years)
07:52 < basty> dazo: found anything weird in the config ? I mean..the old users are still working fine..i guess there is something messed up with the certificates...
07:52 < dazo> basty: I'm looking now
07:52 < basty> thx
07:58 -!- mode/##openvpn [+o ecrist] by ChanServ
07:58 -!- mode/##openvpn [-o ecrist] by ecrist
07:59 < dazo> basty: I would double check if the double backslashes are needed in the client config
08:07 < dazo> basty: and if that's not helping ...
I would try to recreate the client certificate
08:10 -!- mode/##openvpn [+o ecrist] by ChanServ
08:10 -!- mode/##openvpn [-n] by ecrist
08:10 -!- mode/##openvpn [+n] by ChanServ
08:11 -!- mode/##openvpn [-n] by ecrist
08:11 -!- mode/##openvpn [-o ecrist] by ecrist
08:11 < mjt> whee.
08:14 < basty> dazo: I removed the double slash...and created the client cert again..but..still the same problem
08:15 < dazo> basty: and the client cert is signed by the proper CA key?
08:16 < basty> dazo: how can I check that ? ;) I jused typed ". ./vars" in the easy-rsa folder...and created a client cert with "./build-key "username""
08:16 < basty> just I mean..sorry for my english and all these typos.. ;-)
08:17 < dazo> basty: well, were the other (old) client certificates also created in this directory?
08:17 < basty> dazo: yep
08:17 < basty> dazo: but for right now the server ca is located in /etc/openvpn/
08:18 < dazo> basty: make sure that the CA files in /etc/openvpn are the same as in the easy-rsa dir
08:19 < basty> dazo: hrm..it seems that the size of this certificate is different...
08:19 < basty> should I copy the ca.* files from /etc/openvpn in the current directory and create the client ca again ?
08:20 < dazo> basty: if they differ .... you will get into big troubles, no matter what you do :-P
08:20 < dazo> basty: do you have many openvpn clients active?
08:20 < basty> dazo: only 5
08:21 < basty> dazo: i will try to copy the whole /etc/openvpn/ into the easy-rsa keys directory and try to generate another key
08:21 < dazo> basty: because worst case, you would need to recreate all client certs ...
08:21 < basty> ah okay..no problem ;)
08:22 < basty> ...at least it has to work...
08:22 < dazo> basty: backup of files is always a good idea :)
08:22 < basty> yeah
08:22 < basty> hehe
08:26 < basty> yeah
08:26 < basty> it worked
08:26 < basty> thanks much, dazo
08:26 < basty> :)
08:26 < dazo> basty: no prob!
08:26 < basty> have a nice day
08:26 < basty> bye
08:27 -!- basty [n=basty@212.218.65.230] has quit []
08:39 < mjt> lovely
08:39 < mjt> WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1436'
08:39 < mjt> -- that gets printed on BOTH ends
08:40 < mjt> so each thinks its tun-mtu=1500 and remote's =1436
08:40 < dazo> mjt: that's solved by --link-mtu, I believe
08:40 < mjt> you don't understand ;)
08:40 < dazo> sorry .... tun-mtu, I mean
08:40 < mjt> i didn't touch --*-mtu this time
08:40 < mjt> it's all default settings
08:41 < mjt> but each side thinks the other has different tun-mtu
08:41 < mjt> the warning i pasted above gets printed on both ends *exactly*
08:41 < mjt> not reversing it on one end
08:41 < dazo> you're still sure you want to play further with debian? :-P
08:41 < mjt> what does it have to do with debian?
08:41 < dazo> I see ... yeah that's very odd
08:42 < dazo> debian might have done extra kernel tweaks which are not picked up by openvpn on the tun interface
08:42 < mjt> kernel tweaks??
08:42 < mjt> it's standard tun, vanilla kernel.org kernel
08:43 < dazo> mjt: not debian patched kernel?
08:43 < mjt> and i just reviewed the other patches in debian dir
08:43 < mjt> no
08:43 < dazo> which openvpn version?
08:43 < mjt> and even if it was, there's nothing debian did of that sort
08:43 < mjt> it says 2.1pre11
08:43 < dazo> mjt: well, double check /etc/sysctl.conf as well .... and other configs related to /proc/sys settings
08:43 < mjt> the site mentions only pre10
08:43 < mjt> he
08:44 < dazo> mjt: try upgrading to openvpn 2.1_RC15 ... that's for sure stable
08:44 < mjt> but the sate mentions pre10 is the latest.. no?
08:44 < mjt> site
08:45 < dazo> mjt: I know that I've been running RC15 since it was released without any issues ... I don't know the pre*-releases
08:45 < mjt> om
08:45 < mjt> rc10 and rc11 it is, not pre
08:46 < mjt> but i think i know where that mtu stuff comes from.
08:46 < mjt> my fault and openvpn's fault together
08:47 < mjt> the lower mtu is set up on the tun interface which i made persistent
08:47 < mjt> and forgot about that
08:47 -!- Bluespuke [n=chatzill@87.240.206.215] has joined ##openvpn
08:47 < mjt> now i removed *-mtu settings from the config and expected it to be the default
08:47 < Bluespuke> hi
08:47 < mjt> but it left the old settings
08:48 < mjt> ok, both are my faults really
08:48 < mjt> because other side also configured mtu on its interface after push handling
08:48 < mjt> and had exactly the same prob
08:48 < dazo> mjt: Typical PEBKAC ....... :-P
08:49 < mjt> openvpn's fault is that it advertises 1500 to the other end while it perfectly knows its local tun is less than that
08:49 < mjt> ok, fixed that.
08:49 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
08:50 < Bluespuke> i successfully created a VPN with a network bridge, how can i access from PC1 (network A / VPN client) to PC2 (network B) through my server PC (network B / VPN server) ?
08:51 < dazo> Bluespuke: Did you configure it using bridge setup? (bridging local eth interface and tap interface)
08:51 < Bluespuke> yes, bridge on my server
08:52 < dazo> Bluespuke: and the VPN client receives a proper IP address on the tap interface, which is within the network scope on your lan of your server side eth
08:52 < dazo> ?
08:54 < Bluespuke> no it's kinda weird :s
08:54 < Bluespuke> 169.254.216.183 :(
08:54 < mjt> weird what?
08:54 < mjt> heh. link-local segment
08:54 < dazo> Bluespuke: okey ... now it's time to give us logs and configs
08:54 < dazo> !logs
08:54 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
08:54 < dazo> !config
08:54 < vpnHelper> dazo: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
08:54 < dazo> !configs
08:54 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:54 < mjt> heh
08:55 < vcs> do openvpn pushed routes show up in the windows command "route PRINT"?
08:55 < vcs> for clients
08:55 < vcs> i can't get any routes I push to show up there
08:56 < mjt> sure the routes should be in client's routing table
08:56 < dazo> vcs: make sure the openvpn runs with admin privileges
08:56 < vcs> does anything look invalid about this line: push "route 10.2.1.0 255.255.255.0"
08:57 < vcs> that is not going through to the admin account of my windows box
08:57 < mjt> !logs
08:57 < vpnHelper> mjt: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
08:58 < Bluespuke> my configs: http://pastebin.com/m601114ea
09:00 < dazo> Bluespuke: what is the network range on your client side?
09:00 < vcs> hmmm there is a "Certificate not yet valid error" in the server logs
09:01 < Bluespuke> both networks are 192.168.1.*
09:01 < dazo> Bluespuke: that's your problem
09:01 < vcs> but i can still connect to server via vpn
09:01 < vcs> :|
09:01 < dazo> Bluespuke: they need to be different .... esp. when doing bridging
09:01 < Bluespuke> so it's impossible without changing one of them?
09:01 < dazo> Bluespuke: yes
09:01 < Bluespuke> ok
09:01 < mjt> i'd not say that
09:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
09:02 < mjt> it's perfectly ok to have both in 192.168.1.* range
09:02 < mjt> as long as they're bridged
09:02 < mjt> and as long as there's no repeated IPs
09:02 < Bluespuke> they are given automatically by DHCP...
09:02 < ecrist> stay away from 192.168.x/16 in VPN subnets
09:02 < dazo> mjt: that's a long shot ... that can really cause some issues ...
as both network address is .0 and broadcast is .255 on both networks ... and if you then have the same gateway address
09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets
09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets
09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets
09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets
09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets
09:03 < dazo> ecrist: +1
09:03 < vcs> after I build a key in the easy-rsa directory for a client, is there anything I need to do otherwise?
09:03 < ecrist> !1918
09:03 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
09:03 < vcs> i don't remember if i did the last time I ran openvpn
09:03 < ecrist> use a different 1918 address space. 172.16/12 is usually safe
09:04 < mjt> nothing wrong with 192.168/16
09:04 < ecrist> mjt: you will collide with ~95% of private LANs out there.
09:04 < mjt> no
09:04 < mjt> because i'm not a part of them
09:04 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)]
09:04 < mjt> we don't interact with each other
09:05 < mjt> dazo: as i said, there should be no repeated addresses, including those used for gateways
09:06 < dazo> mjt: how do you avoid duplicating the broadcast address in this setting?
09:06 < ecrist> if you're going to have clients connecting from unknown, uncontrolled areas, stay away from 192.168.x/16
09:06 < mjt> dazo: nothing wrong with broadcasts either. it will broadcast to both sides, that's all.
09:07 < mjt> ecrist: that's true
09:08 < mjt> i don't know how to do it easily with openvpn yet (i'm only one day with it, a complete newbie). But i did something very similar using vtun, bridging 192.168.99/24 where half of the machines were on one side and half on another, both halves random.
09:09 < mjt> a client boots (on either side), broadcasts a dhcp request (to 255.255.255.255), dhcp server on the other side responds and assigns a random IP from that /24, and specifies a gateway which actually resides on the other side too.
09:10 < dazo> mjt: well ... but you also have to consider that you can only have 1 DHCP server on the complete network ... if you do it like this, you need to make sure that the openvpn connection is established before clients begin requesting IP addresses
09:10 < mjt> yes
09:10 < mjt> see above ;)
09:10 < mjt> and again, nothing wrong with more than one dhcp in the network.
09:10 < mjt> as long as they know each other and/or assign addresses from different ranges
09:11 < dazo> mjt: if the openvpn link breaks ... half of your network will fail to work completely, esp. if the offended clients need to refresh IP addr
09:11 < mjt> 192.168.99.51-60 one, and .61-70 another for example, whatever.
09:11 < mjt> sure
09:12 < mjt> that half will work halfway still -- seeing each other
09:12 < dazo> mjt: you might manage to make it run, in a short time perspective ... but it is absolutely insane to do it like this ... because you are dependent on the other side of the network to have a stable network infrastructure
09:13 < mjt> it depends
09:13 < mjt> in our case it was a "remote" room (on another side of the building) with an ethernet cable going over all the building
09:14 < mjt> all the servers were on this side, so if the cable is broken they can't work anyway
09:14 < dazo> mjt: if the openvpn link fails ... if the internet link breaks ... you actually render the remote network without DHCP server completely useless, esp.
when ip addresses are refreshed/requested
09:14 < mjt> it's useless w/o the link anyway
09:14 < mjt> so no difference
09:14 < dazo> mjt: in your setup, true
09:15 < mjt> it was a quick hack to make that room work
09:15 < dazo> mjt: but most people do not use openvpn for local connectivity, but for remote locations
09:15 < dazo> mjt: exactly, it's a hack
09:15 < mjt> sure
09:16 < mjt> $boss was afraid someone would listen on that cable on the way, that's the reason for the tunnel ;)
09:16 < mjt> later on we planned to set up ipsec but moved to another office instead.
09:16 < dazo> please tell me that it at least was 100m between the rooms .....
09:16 < mjt> no, about 60
09:17 < ecrist> dazo, ethernet spec < 100m for copper
09:17 < dazo> ecrist: true ... Forgot that :-P
09:17 < dazo> well ... STP is 200, I think .... UTP is <100 yes
09:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:18 < mjt> there was a competitor of ours, sorta, in the intermediate offices... so the risk was real ;)
09:20 < mjt> but the thing i wanted to say is -- quite weird things are possible with networks. and there are cases (rare but still) when such weird setups are ok.
09:25 -!- Bluespuke [n=chatzill@87.240.206.215] has quit [Read error: 110 (Connection timed out)]
09:26 < mjt> quite some soho routers (adsl, wifi, etc) come with default IP of 192.168.1.1
09:27 < mjt> and if you've a host with that IP already, ....
09:27 < mjt> ecrist: i can't make openvpn return NETUNREACH still
09:28 < mjt> did you do something for that to work? Which setup did you have where it worked?
09:29 < ecrist> mjt, no, I was stating that, if the network is not routable, then that should be the result. If that's not what you're seeing, the implementation is not what I'd expect
09:30 < mjt> aha!
09:31 < mjt> (by "not routable" i mean there's a host route for it pointing to the tun device, but openvpn does not know it)
09:32 < reiffert> ecrist: when I wrote: someone +n'ed the channel, I originally meant: +t
09:34 -!- Bluespuke [n=chatzill@87.240.206.215] has joined ##openvpn
09:45 < mjt> why, technically, can't two tls-servers talk to each other?
09:46 -!- AlNahar [n=bitz@124.40.43.214] has joined ##openvpn
09:46 < AlNahar> HELLO FRIENDS
09:46 -!- AlNahar is now known as AnNahar
09:46 < AnNahar> i need help!
09:46 < AnNahar> can i use openvpn to get a U.S. ip address?
09:46 < mjt> hm.
09:46 < mjt> !help
09:46 < vpnHelper> mjt: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
09:47 < reiffert> AnNahar: yes.
09:47 < AnNahar> can i do this through using networkmanager-openvpn?
09:47 < AnNahar> i'm on f10
09:47 < dazo> AnNahar: http://www.strongvpn.com/
09:47 < vpnHelper> Title: StrongVPN.com - Strong security for your internet connection and anonymity for your online presence (at www.strongvpn.com)
09:47 < AnNahar> but the only howto i found was for ubuntu:(
09:47 < reiffert> AnNahar:
09:47 < reiffert> !howto
09:47 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:47 < AnNahar> dazo, im not interested in a pay service
09:48 < mjt> pick any open proxy of your choice... ;)
09:48 < AnNahar> but strongvpn is pay service, rite?
09:48 < dazo> AnNahar: well, you need a destination host to connect to, to provide you with access .... so unless you have some nice friends in the US, you don't have many choices
09:48 * mjt used to feed dsbl.org with open proxies, several 1000s every day...
09:48 < AnNahar> well, i would just use ninjaproxy, but that doesn't seem to let me do what i want at hulu.com
09:49 < dazo> AnNahar: are you worried about protecting the network traffic? Or are you just in need of a pure US IP addr?
09:49 < AnNahar> i mean, im looking for something like hotspot shield, but for linux
09:49 < AnNahar> dazo, im currently in japan and i want to watch a video on hulu:O
09:50 < AnNahar> i found a howto for openvpn, but it's for ubuntu and the files are either in diff places or nonexistent for me on f10
09:50 < mjt> that's a bit unfair, isn't it?
09:50 < dazo> AnNahar: go for a proxy solution .... Chinese people like strongvpn .... as they can avoid "The Great Firewall"
09:50 < AnNahar> mjt, what's a bit unfair?
09:51 < mjt> pretending you're at a different place.. and (ab)using someone else's resources.. ;)
09:51 < dazo> AnNahar: configs on F10 should be found in /etc/openvpn .... the rest of the docs is usually under /usr/share/doc/openvpn-/
09:51 < AnNahar> mjt, you mean like, using a proxy?
09:51 < mjt> like, using someone else's proxy ;)
09:51 < AnNahar> who is someone else?
09:52 < reiffert> wasteoftime.
09:52 < mjt> wug. proxy is not "who", it's "it"
09:53 < AnNahar> you said someone else's proxy
09:53 < AnNahar> im asking which someone are you talking about?
09:53 < mjt> whatever or whomever - whose proxy you want to use
09:53 < AnNahar> uhh
09:53 < AnNahar> there's zillions of proxies that are free for public use
09:53 < mjt> yse
09:53 < mjt> yes
09:54 < mjt> you see the smile at the end of all my statements?
09:54 < mjt> or some, anyway
09:54 < AnNahar> i don't see why they don't have something like ninjaproxy
09:54 < AnNahar> that works on hulu
09:55 < AnNahar> i mean, a web based proxy
09:55 < dazo> mjt: what's wrong about using a public proxy if it is publicly available to anyone? I don't see the problem .... the problem is more on those sites who believe that region blocking based on IP addr is a clever solution
09:55 < mjt> wug.
09:55 < mjt> it was a joke. sorta anyway
09:56 < AnNahar> dazo, do you know of any free proxies i can use?
09:56 < AnNahar> without having to use openvpn, etc?
09:56 < AnNahar> just to watch something on hulu
09:56 < dazo> AnNahar: no, I've not been following that ... I just know that Chinese people use strongvpn, and pay for it ... and hulu works pretty well
09:56 < mjt> i dealt with various botnets/spambots before, quite a lot, and the word "proxy" *TO ME* became something evil which gets ABused by evil people. A hot button, of sorts.
09:57 < AnNahar> poopie
09:57 < AnNahar> im going to have to reboot to xp to use hotspot shield
09:58 -!- AnNahar [n=bitz@124.40.43.214] has quit [Remote closed the connection]
10:10 < Bluespuke> i changed one of the networks from 192.168.1.* to 192.168.2.* and now everything is working very well
10:10 < Bluespuke> THX 4 ur help guys
10:14 -!- Bluespuke [n=chatzill@87.240.206.215] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"]
10:14 < dazo> Bluespuke: np! :) I'm happy it worked out in the end
10:18 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
10:18 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
10:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
10:22 -!- mode/##openvpn [+n] by ChanServ
10:22 -!- mode/##openvpn [+o ecrist] by ChanServ
10:22 -!- mode/##openvpn [-t] by ecrist
10:22 -!- mode/##openvpn [-o ecrist] by ecrist
10:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
10:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:01 -!- Irssi: ##openvpn: Total of 52 nicks [0 ops, 0 halfops, 0 voices, 52 normal]
11:11 < reiffert> Thx
11:17 -!- SURFkees [n=kees@honderdzevenentwintig.surfnet.nl] has joined ##openvpn
11:18 < SURFkees> Is there a difference between OpenVPN 2.0 and 2.1 in the way it handles --up scripts and how it handles the standard output of commands used in those scripts?
11:19 < SURFkees> in 2.1 my --up script generates "(Inappropriate ioctl for device)" whenever I do for example a "ifconfig dev up"
11:20 < mjt> shouldn't it be $dev, not dev ?
11:21 < mjt> from this point of view, there should be no difference. it's not related to standard output that's for sure.
11:21 < SURFkees> well, dev is just an example here
11:22 < SURFkees> the --up script gets called, does a "ifconfig s6 up" and gets that error
11:22 < SURFkees> if I change it to "ifconfig s6 up >/dev/null" it works
11:22 < mjt> lovely
11:22 < mjt> try strace'ing it
11:23 < mjt> like, strace -o /tmp/trc ifconfig ...
11:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:28 < dazo> SURFkees: yes, there have been some changes .... which 2.1 version are you using?
11:29 < SURFkees> 2.1_rc11
11:29 < ecrist> use 2.1_rc15
11:29 < dazo> SURFkees: try first to upgrade to RC15 ... there have been some changes in between RC10 and RC13 which give some of the old behaviour back
11:30 < mjt> ok, i was wrong it seems.
11:31 < dazo> SURFkees: and then you need to check out the --script-security parameter in the man pages ... this is also to tweak the behaviour even more
11:31 < SURFkees> Yea, I already had it on "3 system" to see if that was the problem, but I will have to check with rc15
11:32 < dazo> SURFkees: the older OpenVPN versions used a rather unsafe API when calling those scripts
11:32 < SURFkees> Right
11:33 < SURFkees> Well, I'll have a look at the latest version
11:33 < dazo> SURFkees: yeah, you're probably bitten by the incompatibility bug .... you may also try to encapsulate the command and its argument in the config ..... --up "myscript param1 param2 etc"
11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:35 < SURFkees> that's what I'm currently doing :)
11:39 < dazo> SURFkees: then you're on a good track :) I'm just throwing out ideas from what I remember on the fly ;-)
11:40 < SURFkees> hehe, no problem.
I was hoping for a quick fix. I wasn't really intending on using 2.1 yet since it's still an RC.
11:42 < SURFkees> hmm, still odd that Debian has added rc11 to its stable repo
11:44 < dazo> SURFkees: RC15 is the most stable one of all releases ... and yes, there's been some tension on the mailing list about that 2.1 has been in RC for 2 years ;-)
11:45 < SURFkees> hehe, I don't really mind. I'd rather have a good finished product than a rushed one ;)
11:45 * dazo has used RC15 since it was released without any issues at all
11:47 < SURFkees> Well, I don't really have time to test 2.1 before my deadline, so I'm stuck with 2.0 I guess. Just didn't expect Debian would have added 2.1 to its stable repo :)
11:58 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:00 < ecrist> SURFkees: 2.1_rc15 is stable
12:00 -!- AlNahar [n=bitz@124.40.43.214] has joined ##openvpn
12:00 < AlNahar> hi
12:00 < AlNahar> it seems hotspot shield uses openvpn
12:00 < ecrist> great
12:01 < SURFkees> openvpn website still calls it a beta release
12:02 < AlNahar> ecrist, so how do i use openvpn to use hotspot shield info in linux?
12:02 < ecrist> SURFkees: so?
12:02 < SURFkees> so I will consider it a beta release
12:02 * mjt builds a _rc15 debian package...
12:02 < ecrist> AlNahar: you'd have to ask the hotspot shield folks. I haven't used their service.
12:02 < ecrist> SURFkees: then quit bellyaching.
12:03 < SURFkees> I have. Just downgraded to 2.0.9
12:03 < AlNahar> http://www.ventanazul.com/webzine/articles/openvpn-ubuntu-and-hulu
12:03 < AlNahar> see
12:03 < vpnHelper> Title: Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security | Ventanazul (at www.ventanazul.com)
12:03 < AlNahar> HULU
12:03 < AlNahar> err UBUNTU!
12:03 < AlNahar> i have fc10
12:03 < dazo> SURFkees: RC15 will most likely become the final 2.1 ... it really is the closest you get to a final release at the moment ...
and nobody understands the hesitation of giving it a proper "stable" stamp 12:04 < dazo> AlNahar: the basic file based config is identical to all openvpn versions, on all platforms 12:04 < AlNahar> dazo, nay! 12:04 < AlNahar> dazo, have you used nm-openvpn? 12:04 < dazo> AlNahar: that's not file based config 12:04 < ecrist> AlNahar: network manager is crap 12:04 < AlNahar> dazo, i know that 12:04 < dazo> +1 12:05 < ecrist> don't use network manager 12:05 < AlNahar> dazo, i cannot follow that howto because the files are not there 12:05 < AlNahar> nor in another location 12:05 < ecrist> open a terminal and type 'openvpn ' 12:05 < dazo> AlNahar: skip the gui crap ... go edit config files manually .... it's just as easy ... and works immediately 12:05 < AlNahar> dazo, of course, i need a public proxy 12:05 < AlNahar> poopity poop 12:05 < AlNahar> i just rebooted to windows to use hotspot shield to watch something on hulu 12:06 < AlNahar> im trying to avoid having to do that again, but i did notice openvpn.exe was running 12:06 < dazo> AlNahar: in that link you sent ... it's a complete openvpn config file ready for you there 12:06 < AlNahar> dazo, nay sir 12:06 < mjt> dazo: btw, it looks like debian folks have several good points 12:06 < dazo> AlNahar: look for "The Configuration Files: openvpn.conf" 12:06 < AlNahar> some of the example stuff is not there either 12:07 < AlNahar> Comment all lines in /etc/default/openvpn and add: 12:07 < AlNahar> AUTOSTART="openvpn" 12:07 < AlNahar> not that one 12:07 < AlNahar> cp -r /usr/share/doc/openvpn/examples/easy-rsa/ . - not this one either 12:07 < mjt> wug 12:07 < dazo> AlNahar: well ... that's off-topic here ... as that's an Ubuntu issue ... not openvpn issue 12:07 < AlNahar> mjt, WHY do you keep saying that strange word? 12:07 < AlNahar> dazo, it's off topic to talk about openvpn in fedora? 
12:08 < mjt> it's impossible to know how openvpn is packaged on every distro 12:08 < AlNahar> mjt, i didn't say it was possible 12:08 < AlNahar> i just said to say it's off topic is silly 12:08 -!- AlNahar [n=bitz@124.40.43.214] has left ##openvpn ["Leaving"] 12:08 < dazo> AlNahar: in this channel we can help out configuring openvpn ... and we do it via config files 12:09 < dazo> too late 12:09 < mjt> he's a bit too impulsive 12:10 * mjt installs -rc15 as debian package... 12:10 < dazo> Well ... if he had read the complete web page he sent a link to ... and used a couple more brain cells .... he would have solved it .... but we're not helping people eat their food, we're just helping them to find it 12:13 < mjt> NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 12:13 < mjt> that's what -rc15 prints on startup 12:13 < mjt> silly 12:14 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 12:14 < mjt> i think i'll go and clean up all those idiotic warnings and notices... :( 12:15 < dazo> mjt: send a patch to the openvpn-devel list as well 12:15 < dazo> see what they say :) 12:15 < mjt> this notice is new 12:15 < mjt> it wasn't here in -rc11 12:15 < mjt> but it's useless 12:16 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 12:16 < mjt> it forces me to set --script-security to 2 just to shut it up, even if I don't use any script 12:16 < dazo> yeah, they did some changes in rc12 or rc13 (don't recall now) ... and then somebody came up with this idea ... because without changing it to level 2, older configs wouldn't work 12:16 < mjt> but it will be obvious in the logs 12:17 < mjt> that's why it's useless. 12:17 < dazo> yeah, that's why it got added into the logs :) ....
but the other thing is that that warning should only be used if scripts or plugins were used 12:17 < mjt> i mean, it logs a warning, since quite some time, when it actually tries to execute something and script-level forbids it 12:18 < dazo> if you read the mailing list from last autumn, you'll find the discussion about --script-sec 12:19 < mjt> other than this new NOTICE, it seems to work. 12:20 < mjt> www.corpit.ru/debian/tls/openvpn/ -- debian packages w/o debian stuff 12:21 -!- SURFkees [n=kees@honderdzevenentwintig.surfnet.nl] has quit ["Leaving"] 12:21 < mjt> just uploaded -rc15 there 12:35 -!- hardwire` [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn 12:36 -!- hardwire [n=spencers@62-197-137-216.mtaonline.net] has quit ["Ex-Chat"] 12:36 -!- hardwire` is now known as hardwire 12:48 < mjt> is there a way to use random port on the client? 12:49 < mjt> it defaults to `port 1194'. setting port to 0 (which means 'use any random port' for the OS) is not accepted (openvpn claims it's invalid) 13:05 < reiffert> udp or tcp? 13:08 < mjt> udp 13:23 < reiffert> using lport? 13:23 < reiffert> -- 13:23 < reiffert> port = atoi (p[1]); 13:23 < reiffert> if (!legal_ipv4_port (port)) 13:23 < reiffert> { 13:23 < reiffert> msg (msglevel, "Bad local port number: %s", p[1]); 13:23 < reiffert> goto err; 13:23 < reiffert> } 13:24 < reiffert> static inline bool 13:24 < reiffert> legal_ipv4_port (int port) 13:24 < reiffert> { return port > 0 && port < 65536; 13:24 < reiffert> } 13:26 < ecrist> so, looks to be trivial to code the functionality mjt would want. 13:27 < ecrist> why don't you get right on that, reiffert? 13:46 < reiffert> sorry? 14:01 * mjt is back 14:01 < mjt> oh 14:01 < mjt> heh. 
I was testing the port0 change -- replaced > with >= in that legal_ipv4_port 14:04 < mjt> and the reason for that is my crappy adsl router that keeps conntrack entry across IP address change, and crappy ISP that forces those changes every so often (very annoying) 14:04 < mjt> the router's running linux btw. 2.6.8.something 14:07 < reiffert> and does it work? 14:16 < Gumbler> !route 14:16 < vpnHelper> Gumbler: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:17 < mjt> it works, yeah 14:17 < mjt> at least on linux 14:21 < mjt> 33782 39630 -- that's the port(s) it is getting 14:21 < ecrist> mjt, why not, rather than code it to depend on a linux feature, code it to see the 0, and handle it internally to openvpn? 14:22 < mjt> i actually changed the call to legal_ipv4_port() near the "port" option 14:22 < mjt> well, i expect *bsd to behave similarly 14:23 < mjt> and probably solaris too 14:23 < mjt> (it was quite some time ago when i last used solaris) 14:24 < mjt> the thing is - so far no one needed anything of this sort. 14:24 < ecrist> expect and know are two things. 14:24 < mjt> yes 14:24 < ecrist> actually, if you google, it's a common question 14:25 < mjt> for another thing, i almost gave up sending patches for various programs i use. it usually does not work. for me so far it's less hassle to maintain a local patch than to try to submit such things. 14:26 < mjt> such as this new NOTICE thing about script-security level 14:27 < mjt> (introduced in -rc14 hence new) 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:43 < ecrist> I totally agree. Why bother contributing to open source software when it takes effort. 14:45 < reiffert> Well, I failed so many times hitting authors "I just dont personally like this patch", I handle it like mjt. 14:56 -!- romero [n=user@193.219.160.109] has joined ##openvpn 15:06 < mjt> i usually hit silence.
15:06 -!- bandini [n=bandini@host237-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn 15:07 < mjt> a good example - anyone know how much probs it can create when timestamps in syslog are in various different languages and encodings in the same file? 15:07 < reiffert> Arrogance, ignorance and snootiness. 15:07 < mjt> it's because syslog(3) routine does strftime() based on current $LANG 15:08 < mjt> which, on multi-user system, may be anything. 15:08 < mjt> also based on $TZ, so that timestamps are completely random... 15:09 < mjt> the trivial solution is to just stop adding the timestamp, since syslog daemon does that anyway. Alternative is to do local implementation of strftime() (it's very small) 15:09 < mjt> both variants were proposed in about 1988 15:09 < mjt> that's 20(!) years ago 15:09 < mjt> i sent that stuff several times to the glibc mailinglist. 15:09 < mjt> no response so far. 15:10 < mjt> well, this one is atypical. but gave me good lesson. 15:15 < mjt> very nice for patches was Eric Allman (sendmail), was very thankful. But he had another prob, and it's not a surprise sendmail had so many.. issues. He applied several patches of mine but didn't even bother to COMPILE-test them or actually look at them - I did an obvious mistake in one of the patches (solaris's kstat() calls). 15:15 < mjt> so the next version he released didn't compile on solaris. 15:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 15:41 < Kreg-Work> if one collected all the previous users keys, the original ca and key, would it be possible to remake an easy-rsa thing? such as all the history and stuff. 15:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 15:54 < krzee> easy-rsa thing? 15:54 < krzee> easy-rsa is just a script... 15:54 < mjt> the keys he means, i think... ;) 15:55 < krzee> but he said if he collects all keys previous...
15:56 < mjt> well, it puzzled me too and hence i didn't comment ;) 15:59 < Roman123> Without a correct time, openvpn does not work properly and therefore I'm suffering from the following problem: My internet provider uses pppoe, which sucks bad ass. Sometimes, when I reboot my OpenWRT router it takes quite some time (up to four pppoe connection tryouts) until the connection is established. The only problem about that is getting the clock as fast as possible synced (using ntpd). It takes quite some time until ntpd syncs the clock. I 15:59 < Roman123> s there a clever workaround to start, e.g., ntpdate, right after the connection is established or by means of openvpn? Is it possible to execute a script triggert by the openvpn connection attempts? 16:00 < Roman123> s/triggert/triggered 16:00 < krzee> well 16:00 < krzee> theres a few places to hook in scripts in openvpn 16:00 < krzee> but the easiest i would think is to make a little wrapper script 16:00 < Roman123> ok 16:00 < krzee> which runs ntpdate, and after successfully syncing the clock starts openvpn 16:01 < mjt> Roman123: btw, why do you restart your router to start with? 16:01 < krzee> i believe in the manual theres a section where it lists execution order of scripts 16:01 < mjt> krzee: there is 16:02 < Roman123> openvpn is started by an /etc/init.d script 16:02 < Roman123> mjt: reboot 16:02 < Roman123> mjt: what do you mean? 16:02 < mjt> why do you reboot it? 16:02 < krzee> "Sometimes, when I reboot my OpenWRT router it takes quite some time" 16:02 < Roman123> If some settings have been changed 16:03 < krzee> werd 16:03 < mjt> heh. "You have moved the mouse. Windows needs to be restarted for the changes to take effect" 16:03 < krzee> well theres 2 ways to fix it 16:03 < Roman123> or if there is a power failure 16:03 < krzee> and you know both now =] 16:03 < krzee> so imma watch a movie and take a nap 16:03 < mjt> but ok.
16:04 < mjt> (when i had a router with openwrt, it had almost 2 years uptime before it fried) 16:06 < Roman123> mjt: after changing /etc/config/ it is sometimes easier to enter "reboot" and wait for 20 seconds than to apply ifdown, ifup, whatever :) 16:06 < mjt> yes 16:08 < mjt> i used it in 'set up & forget' mode, not messing with it much. 16:09 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 16:11 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 16:12 < reiffert> argh argh argh! 16:12 < reiffert> quote: "The initial window size is determined via the two-way handshake" 16:12 < mjt> mss 16:13 < reiffert> ccna 16:17 < Roman123> mjt: got a very creative hint. :-) I should place a small script into /etc/hotplug.d/iface. I'll try that. Probably the easiest fix. 16:17 < mjt> welcome to OpenWRT ! :) 16:18 < Roman123> yep, very helpful :) 16:55 < Roman123> mjt: I guess the easiest way is to put the script into /etc/ppp/ip-up.d :-P 17:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 17:20 -!- purifiedmadness [n=user@c-71-229-205-237.hsd1.co.comcast.net] has joined ##openvpn 17:32 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Connection timed out] 17:32 -!- bandini [n=bandini@host237-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:33 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn 17:36 -!- purifiedmadness [n=user@c-71-229-205-237.hsd1.co.comcast.net] has left ##openvpn [] 17:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 17:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:59 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:19 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 19:43 -!- prxtien [n=pro@teamaustralia.net.au] has quit ["changing 
servers"] 20:29 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection] 20:29 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 21:09 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)] 22:00 -!- romero [n=user@193.219.160.109] has quit [Read error: 104 (Connection reset by peer)] 22:00 -!- romero [n=user@193.219.160.109] has joined ##openvpn 22:07 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 110 (Connection timed out)] 22:07 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 22:10 < ecrist> evening, folks 22:35 < ecrist> fine, you guys suck 22:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:33 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn 23:34 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 131 (Connection reset by peer)] --- Day changed Tue Mar 10 2009 01:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:52 < mjt> hi ecrist 01:52 < mjt> heh 02:18 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 02:19 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 02:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 02:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:18 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has joined ##openvpn 03:18 -!- simplechat_ is now known as simplechat 03:19 < Uranellus> ovpn-client[1817]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9) .. where should I look in order to fix this ? server or client conf? (btw this log was omitted on the client side) 03:19 < krzee> cant push topology option 03:20 < Uranellus> krzee: I don't have any push lines on server side ..
03:20 < krzee> do you have the word topology in either? 03:21 < Uranellus> or is it because I temporarily set duplicate-cn ? 03:23 < Uranellus> krzee: http://pastebin.ca/1357188 03:25 < Uranellus> hm, seems not to be because of the duplicate-cn option .. just removed it from the server side, and still getting the same messages 03:26 < Uranellus> hm, server logs show 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.1.38 10.8.1.37' (status=1) but why? 03:27 < Uranellus> server version is: OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008 (ubuntu 8.04) 03:31 < Uranellus> client version is: OpenVPN 2.0.9 arm-unknown-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 23 2007 03:32 < Uranellus> (debian 4.0) 03:32 < Uranellus> hm, seems to be a problem b/w 2.1 and 2.0.x 03:39 < Uranellus> unfortunately the http://openvpn.net/index.php/documentation/miscellaneous/protocol-compatibility.html page contains nothing about this? 03:39 < vpnHelper> Title: Protocol Compatibility (at openvpn.net) 03:40 < Uranellus> hehe 03:41 < mjt> krzee: topology is pushable as far as i can see 04:00 < Uranellus> mjt: but not to a 2.0.x openvpn client .. 04:00 < Uranellus> well it looks like it's an error message in the logs, but the connection is fine anyway .. 04:51 < dazo> Uranellus: If you use topology on the server, I believe it is pushed implicitly by the server to the client, even if you do not push it explicitly 04:51 < dazo> Uranellus: and topology is only supported in OpenVPN 2.1 04:53 < Uranellus> dazo: any way to turn it off, serverside? 04:53 < dazo> Uranellus: it most probably works fine, because it manages to setup the routes correctly on the OpenVPN 2.0 client ... despite that the topology is not set correctly. But topology just changes how routing and addressing schemes are setup 04:53 < dazo> Uranellus: you must remove topology from the server config 04:53 < Uranellus> dazo: http://pastebin.ca/1357188 there's my conf ..
04:54 < dazo> Uranellus: anyway, if it is possible for you to upgrade your clients ... I'd recommend you to upgrade them to 2.1RC15 (server as well, in fact) ... that's just as rock solid as the 2.0.9 04:54 < dazo> Uranellus: now that's interesting 04:57 -!- Mark____ [n=mark@ip24-56-23-192.ph.ph.cox.net] has joined ##openvpn 04:57 < Mark____> !howto 04:57 < vpnHelper> Mark____: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:57 < Uranellus> dazo: but as I said, it seems not to influence the functionality .. therefore I might look over it .. 04:57 < Mark____> anyone looking into cuda and openvpn? 04:57 < mjt> cuda? 04:57 < Mark____> graphics card acceleration 04:57 < Mark____> using the stream processors 04:57 < dazo> Uranellus: I just quickly read about topology config in the man pages .... 'topology net30' is the default behaviour in openvpn 2.0 ... you can try to add that then in the config, but I'm not sure it will solve it 04:59 < dazo> Uranellus: anyway, really consider to upgrade to 2.1 ... 2.0.9 is not as updated as the 2.1_RC15 ... and the RC15, I believe, will become the final 2.1 release .... 2.1 has been in RC state for way too long already, and is by most distros considered to be the latest stable version 05:00 < Uranellus> dazo: ok thanks, will consider that 05:02 < dazo> Mark____: not afaik ... But that's really an interesting approach! 05:03 < Mark____> aes on an 8800gtx can get 8ish gbit/s 05:03 < dazo> Mark____: you could join the openvpn-devel mailing list and ask about it ... I'm sure more people will be interesting in this 05:03 < Mark____> a pentium 4 1.8 can do 64 mbit/s 05:03 < Mark____> thats AES-128 bandwidth 05:03 < dazo> Mark____: exactly! I'd love to see that in openvpn! :) 05:03 < Mark____> i mean, something like that might have to be done at the openssl or gnutls library level 05:04 < Mark____> but it could really set openvpn apart 05:04 < dazo> Mark____: that's true ... 
it most probably will need to go into the openssl libs, when I think about it .... and then all software using openssl will use that as an accelerator 05:05 < Mark____> yea ive got a ton of good ideas for cuda 05:05 < Mark____> but im no crypto-genius 05:05 < Mark____> lol 05:05 < dazo> Mark____: openssl already does have a plug-in interface of some kind for such accelerator cards ... so most likely here 05:05 < Mark____> im just a random guy with a 9600GT that doesnt play games and wants to put it to use 05:05 < dazo> Mark____: pity! Do you want to become one? ;-) 05:05 < Mark____> haha 05:05 < Mark____> no it takes a special kind of guy for crypto 05:05 < Mark____> im not indian or european 05:05 < Mark____> plus i dont have a big bushy beard 05:06 < dazo> Mark____: believe me .... big bushy beard just shows your personality, not your coding skills .... and I'm sitting among a lot of coders at work ;-) 05:06 < Mark____> but man, a 20mbit stream over my wireless network takes 20% of a sempron 2400+ 05:07 < dazo> Mark____: yeah, I know .... I'd love to see openssl and openvpn accelerated 05:07 < Mark____> have you looked at the prices of hardware vpn stuff? 05:08 < Mark____> like 6 grand for some junk that can only do 700mbit aes 05:08 < Mark____> when a 100 dollar graphics card can do an order of magnitude better 05:08 < Mark____> lol 05:08 < dazo> Mark____: no, not really ... well, I've looked at Soekris device with VPN accelerator ... that's not so bad, but the Linux driver seems not to be updated for a long time :( 05:08 < Mark____> i dont use vpn for anything 'serious' 05:09 < Mark____> more of an access control, but i had to look at the cost of hardware just for fun 05:09 < dazo> Mark____: the only thing which can be difficult ...
is that the GPU must allow the main CPU to do other stuff than just graphics 05:09 < Mark____> well, the newer ones all support it 05:09 < Mark____> and ATI has something similar 05:09 < dazo> Mark____: but if that API is in place, it's really a goodie thing 05:10 < Mark____> i read a scientific paper from a guy who said it was more efficient to leave key scheduling on the main cpu 05:10 < Mark____> and just handle the algorithm in the gpu 05:10 < Mark____> would be nice to put compression on the gpu too 05:11 < Mark____> it will be nice when we reach a time when encryption and compression are essentially 'free' for the system 05:11 < dazo> Mark____: oh, I'm sure ... that's what Sony does in the Playstation 3 as well, with the Cell processors ... they can do much more than just the graphics ... 05:11 < Mark____> yes, but the ps3 locks the rsx graphics card (probably due to drm) since one of the early firmwares 05:11 < Mark____> sucks, cant use the ps3 for mythtv until we find a way to get into it :P 05:12 < dazo> Mark____: but you can't push it too far ... because it will take away some of the bandwidth of the internal buses on the mainboard .... you can't push all heavy duty to the GPU and let the CPU only do scheduling, unless the kernel code is heavily reworked 05:12 < Mark____> yea 05:12 < Mark____> 8gbit was theoretical 05:12 < Mark____> was like 8.24 exactly 05:13 < dazo> Mark____: yeah, but even 1/8 of that is still better than most CPUs 05:13 < Mark____> well, it wasnt 'theoretical' but it was in a lab setting 05:13 < Mark____> no network, like you said 05:13 < Mark____> which will probably eat a few gbit of that 05:14 < dazo> Mark____: so that's really not a bad case ... and in this setting, I believe it is doable ... but it also depends on the internal bus architecture on the main board as well ... if that bus can only push 400MBit ...
it's not much useful anymore 05:14 < Mark____> well 05:14 < Mark____> 400mbit is still much better than the cpu 05:14 < Mark____> lab results for the p4 1.8ghz were 64mbit 05:15 < Mark____> http://www.google.com/url?sa=U&start=2&q=http://www.manavski.com/downloads/PID505889.pdf&ei=lD22SaTFConYsAOQj_T2CA&usg=AFQjCNGCbAWFAmGOqCSd3-HJFB6cQqCDZA 05:15 < Mark____> they only got 1.53mbit on a geforce 3 05:15 < Mark____> hacking the card to do aes with opengl routines 05:15 < Mark____> lol 05:17 < Mark____> As the final results show, 05:17 < Mark____> moving the data to and back from the device memory may 05:17 < Mark____> become the slowest operation when doing cryptography on the 05:17 < Mark____> GPU. It is due to the bandwidth of the PCIExpress interface 05:17 < Mark____> which is only about 3,2 GB/s compared to the 50 GB/s of the 05:17 < Mark____> onboard memory of the GeForce 8800 graphics card. 05:17 < Mark____> ahh 05:17 < Mark____> oops, sorry, thought it would paste as one line 05:18 < Mark____> the 8800 was 19.60x faster than the p4 3.0ghz they used 05:18 < dazo> Mark____: yeah ... well, this will come more and more ... for sure! :) 05:18 < Mark____> aes-256 had a max bandwidth of 6.65gbit 05:18 < Mark____> if the bus is the limiting factor 05:19 < Mark____> might as well use aes-256 lol 05:21 < dazo> Mark____: heh ... but another thing ... what will also come more and more are CPU and GPU which are integrated ... so when you buy the next-gen CPU, it will also contain the GPU unit .... and that's probably also to make better use of the power in the GPU unit ... 
and when CPU and GPU are inside the same CPU shell, the efficiency will be even higher, as the internal bus inside the CPU is even beefier than the motherboard buses 05:21 < Mark____> hmm 05:21 < Mark____> i wonder what the api will be for that 05:22 < Mark____> the thing about cuda is 05:22 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 05:22 < Mark____> nvidia sells beefed up ones 05:22 < dazo> Mark____: it will be the same as before ... but now the instruction goes to the CPU which then instructs the GPU what to do with what memory segments 05:22 < Mark____> just for number crunching 05:22 < Mark____> ahh so a new instruction set probably 05:22 < Mark____> gcc will have to do all the work :P 05:22 < Mark____> lol 05:23 < dazo> Mark____: Might be ... but not necessarily ... it could still use the same API ... but the instructions to the GPU would no longer pass over the motherboard buses, but just pass over to the GPU on the internal bus in the CPU unit 05:24 < dazo> Mark____: most probably the CPU would then have an extra set of data-buses which would be connected to the video-ram (which needs to be of even higher speed than normal DRAM) 05:24 < Mark____> probably a lot of l3 or something 05:25 < dazo> Mark____: and then it might sit a "graphic producer" on the "other side" of the VRAM which then produces images of what's stored in the VRAM 05:25 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 05:26 < Mark____> yea, just a small chip to drive the output 05:26 < dazo> There are several VRAM types ... and one of the types has 1 read/write bus and 1 read-only bus, which such a "graphic producer" usually is attached to 05:27 < dazo> Mark____: exactly ... so I believe we will see that CPU and GPU will melt more and more together ....
and then you'll have even more throughput for number crunching (which encryption surely is all about) on the CPU uni 05:27 < dazo> t 05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:28 < Mark____> i wonder if that will split intel/amd 05:28 < Mark____> maybe all of x86 05:28 < Mark____> if they both try to put gpu/cpu together 05:28 < dazo> Mark____: and in reality ... it ends up with where we were 20 years ago .... a "powerful" CPU and a video card which basically just knew how to produce video signals out of VRAM .... but it just goes a lot quicker in this "new" version 05:29 < dazo> Mark____: Neither ATI nor nVidia will choose only AMD or Intel .... they will work with both of them, that's for sure .... the question is more if AMD and/or Intel wants to work with ATI and nVidia 05:29 < Mark____> well amd bought ati 05:30 < Mark____> intel is working on their own gpu/cpu combo on their roadmap 05:30 < Mark____> i dunno what nvidia is doing 05:30 < dazo> Mark____: oh, true! I forgot ... then that's for sure a partnership ... which actually makes it very much interesting ... because that makes it very much likely that Intel+nVidia will be uniting 05:31 < dazo> I'm not sure AMD wants to share the ATI ideas with Intel, at least not in the beginning 05:31 < mjt> btw, nvidia had more success with amd so far, i think. That is, more successful chipsets 05:31 < mjt> or maybe not recently 05:36 < dazo> mjt: yeah, AMD was better at several points compared to the Intel P3 and P4 ... but from Intel Pentium D and the Core series, AMD went behind again. AMD was early and aggressive on the 64bit architecture ... but when Intel then finally decided to focus much more on the x86_64 architecture instead of Itanium ... it went to Intel's favour again 05:38 < dazo> mjt: the challenge AMD has, is that they need to be compliant with the vast majority of the Intel instructions ....
they can add their own extra things, but they always needs to have a certain compatibility set ... it's not easy to become leading in this scope 05:39 < Mark____> rofl, i couldnt figure out why topology subnet wasnt working 05:40 < Mark____> gentoo, bleeding edge gentoo 05:40 < Mark____> has 2.0.7 as latest in portage 05:40 < Mark____> even my ubuntu has 2.1........... 05:42 < dazo> Mark____: yeah, Gentoo's openvpn developer is not staying much updated ... I've been wondering if I should help out here 05:42 < dazo> Mark____: I believe 2.1_RC15 is just keyworded as unstable ... I think I heard something about that some weeks ago 05:42 < Mark____> well i found there is a package 05:42 < Mark____> yea 05:42 < Mark____> i dont like unmasking things though 05:43 < dazo> Mark____: I'm running RC15 on Gentoo Hardened .... and it's rock solid 05:43 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 05:43 < lclimber> hello guys, i have a question, is there a way to enable the forward bit on a windows system as you do it on linux?? 05:51 < dazo> lclimber: on WinXP I believe you can mark somewhere in the GUI that "I want to share Internet via this interface", or something like that .... most probably properties on the interface 05:51 < lclimber> thanks dazo 05:52 < dazo> lclimber: I'd believe that enables some kind of routing .... but I'm not a windows guru, so others might have better clues 05:52 < reiffert> enabling sharing Internet enables NAT. 05:52 < dazo> lclimber: ^^ ... I was wrong :( 05:53 < reiffert> Thats the point where XP starts playing tricks with me, insisting to own 192.168.1.1, which is exactly the point where I stopped using Windows. 05:54 < dazo> reiffert: haha ... Windows do have quite some guts :-P 05:54 * dazo stopped using Windows back in '96 05:55 < reiffert> I started using Linux by that time. 
05:55 < lclimber> the thing is that i established a vpn connection from a windows system to my linux vpn server, now i need to be able to connect to a network which is connected to a different nic on the windows machine, now i set a route on my vpn server that routes all the packets going to the net of the nic number 2 on my windows machine through the tunnel, but i am still not able to establish any kind of connection, do you have any suggestions? 05:56 < reiffert> lclimber: look whats going on on those interfaces by the help of wireshark 05:56 < reiffert> and tcpdump for the linux case. 05:56 < dazo> lclimber: suggestion find a relatively old PC ... install Linux ... and use that instead for openvpn routing:-P 05:57 < lclimber> dazo, well that would be great, unfortunately i don't have any pc's available 06:00 < dazo> lclimber: pity :( 06:01 < dazo> lclimber: and no old router of any kind ... which could run openwrt/x-wrt or other linux based firmwares? 06:01 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn 06:01 < reiffert> erm, and now you insist following crazy proposals? 06:02 < dazo> (though throughput might not be too efficient) 06:02 < dazo> reiffert: You cannot achieve the impossible without attempting the absurd! ;-) 06:03 < reiffert> How about first trying the obvious to get finished? 06:03 < dazo> reiffert: details, details, details ... 06:03 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has left ##openvpn [] 06:03 * dazo is hungry .... going for lunch ... 06:03 < lclimber> good reflection dazo, but i think i have a routing problem on the vpn server, i'll try to figure it out, and i'll let you know if it works 06:04 < dazo> lclimber: sure ... yeah, that's probably sensible if you think the problem is there :) 06:05 < reiffert> sigh.
06:05 < reiffert> dont think and guess, start a packet dumper and *know* 06:12 -!- sts_ [n=sts@hmm.ono.at] has joined ##openvpn 06:12 -!- sts_ [n=sts@hmm.ono.at] has left ##openvpn [] 06:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 07:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 07:13 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 07:14 < ecrist> good morning, folks 07:14 < dazo> ecrist: good morning, sir! 07:14 < ecrist> sir?!? 07:14 < ecrist> I work for a living... 07:15 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Client Quit] 07:15 < dazo> ecrist: nahh ... it's just the "International ecrist sir day" today 07:16 < ecrist> oh, I must have missed that one. 07:17 < dazo> You should read more news :-P 07:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 07:31 < mjt> hi ecrist ! 07:39 < ecrist> hi mjt 07:42 < ecrist> why so many ctcps? 08:12 < mjt> just one 08:12 < mjt> (was afk for a bit) 08:12 < ecrist> /ignore * CTCPS 08:13 < reiffert> hehe: 14:12 [freenode] CTCP Tue reply from temba: Mar 10 14:12:42 2009 08:13 < reiffert> he changed TIME to Tue 08:13 < mjt> noticed you said 'he' before, i replied but it was too late - 04:something your time 08:13 < mjt> hi 08:14 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 08:23 < mjt> ecrist: btw, your time is off by 8 minutes, it seems. 08:25 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 08:26 < ecrist> mjt, when you said that yesterday, I fixed my time. 08:27 < ecrist> so, your CTCP TIME from 01:52 this morning would have had the correct time.
08:27 < ecrist> :\ 08:30 < reiffert> looks ok 14:12 [freenode] CTCP TIME reply from ecrist: Tue Mar 10 08:12:34 2009 08:32 < mjt> ecrist: ok i didn't knw 08:36 < ecrist> mjt, you did a CTCP TIME yesterday, and this morning. my time was corrected between the two, so you *did* know, you just chose not to pay attention. 08:40 < mjt> nitpicker ;) 08:41 < ecrist> I get irritated at nosy people. :P 08:42 < mjt> nosy? 08:42 < ecrist> nosey? 08:43 < mjt> damn. the online dictionary is down. 08:44 < ecrist> as in, putting your nose where it doesn't belong. like my system time. 08:44 < mjt> aha 08:44 < mjt> well, it's somewhat unfair about "doesn't belong" 08:45 < mjt> someone pinged you and i checked what time it is at your timezone 08:45 < mjt> because i was thinking it's night at your side 08:45 < mjt> nothing wrong with that, i think. Do you think differently? 08:46 < mjt> i've no idea which timezone you're at. and if you're supposed to be sleeping or whatever. 08:46 < mjt> ctcp time helps 08:46 < ecrist> fair enough 08:46 < mjt> nosy -- "unduly curious about the affairs of others; prying; meddlesome" 08:46 < mjt> got it 08:47 < mjt> (english isn't my native language as you may have guessed ;) 09:14 < mjt> blah 09:14 < mjt> RESOLVE: Cannot resolve host address: [...]: [TRY_AGAIN] A temporary error occurred on an authoritative name server. 09:15 < mjt> that's an... interesting error description. 09:43 < ecrist> what's wrong with it? 10:08 -!- onats__ is now known as onats 10:11 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 10:12 < toddoon> hi how do i set my account to access a vpn network because it said Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13) 10:15 < dazo> toddoon: you need to start openvpn with root privileges 10:16 < toddoon> dazo: ok 10:16 < toddoon> you mean the client 10:16 < toddoon> ? 10:17 < ecrist> yes 10:18 < dazo> toddoon: client or server, doesn't matter ... 
openvpn needs to be started with root privileges, no matter what you want to do 10:26 -!- onats [n=onats@122.53.136.244] has quit [Remote closed the connection] 10:37 < ecrist> norton is having a bad day 10:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:57 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 10:58 -!- eliasp_ is now known as eliasp 11:55 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 11:55 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Client Quit] 11:58 < ecrist> you guys are boring today 12:06 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn 12:13 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection] 12:16 -!- Irssi: ##openvpn: Total of 55 nicks [0 ops, 0 halfops, 0 voices, 55 normal] 12:22 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"] 12:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Client Quit] 12:47 < nemysis> Could I place replay-persist file in /var/tmp or /etc/openvpn? 12:49 < ecrist> where ever you want, I think 12:54 < dazo> nemysis: if you have SELinux enabled, you might get some issues if the context on the directories are wrong 12:55 < nemysis> I don't have SELinux 12:56 < nemysis> i think is better /var/tmp this is 20GB and / is only 4GB 12:57 < dazo> nemysis: I would probably avoid such files in tmp dirs ... rather create a /var/openvpn or /var/lib/openvpn ... or something like that 12:57 < dazo> tmpdirs might be cleaned up regularly, depending on your distro 12:58 < nemysis> thanks I use Gentoo /var/openvpn is good 12:59 < dazo> nemysis: Gentoo is good too :) 12:59 < dazo> Gentoo do not clean up too much automatically, unless enabled in /etc/rc.conf (iirc) ... 
but it can do that on boot if enabled 13:00 < nemysis> Yes I am moderator for Linux and use Gentoo since 2002 i have in openvpn.conf now replay-persist /var/lib/openvpn/persist.file 13:04 < ecrist> you are a moderator for linux? 13:04 < dazo> nemysis: then you're a bigger Gentoo guru than I am ;-) 13:04 < dazo> c'ya guys! 13:05 < nemysis> I love Gentoo much and use only Fluxbox not KDE or Gnome 13:06 < nemysis> I am moderator for Linux on ES forums 13:07 < dazo> (before I hit for the door now) nemysis: we should try to get some speed up to Gentoo to get openvpn-2.1_RC15 up to become stable in Gentoo ... and have a good look at ssl-admin which krzee and ecrist have been working on as well 13:08 < dazo> nemysis: we can catch up that thread tomorrow again, if you are interested 13:08 < nemysis> I use this Version 13:15 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 13:26 < ecrist> \ 13:49 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Saliendo"] 13:59 -!- gejr [n=gejr@unaffiliated/gejr] has quit [Read error: 104 (Connection reset by peer)] 13:59 -!- gejr [n=gejr@unaffiliated/gejr] has joined ##openvpn 14:10 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Read error: 104 (Connection reset by peer)] 14:36 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 14:37 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn 14:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 14:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:29 -!- Mark____ [n=mark@ip24-56-23-192.ph.ph.cox.net] has quit [Read error: 110 (Connection timed out)] 15:31 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 15:48 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 15:54 < Roman123> hi 16:59 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has 
joined ##openvpn 16:59 < sigmonsays> can open vpn server.conf handle includes of any kinda? 17:01 < hads> I've not seen it mentioned 17:02 < sigmonsays> my problem is how to slice up my dhcp pools. I'd like to template'ize my configs 17:02 < sigmonsays> so i'm givign a /24 for each openvpn servers 17:02 < sigmonsays> but i cant include the unique portion :( 18:07 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 18:11 < sigmonsays> my openvpn clients are doing nat and I don't know why 18:11 < sigmonsays> i'd like to have openvpn not rewrite the packet as I have my network configured appropriatly 18:30 < sigmonsays> !route 18:30 < vpnHelper> sigmonsays: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 18:32 -!- Kalavera [n=Kalavera@190.8.151.14] has joined ##openvpn 18:32 -!- Kalavera [n=Kalavera@190.8.151.14] has quit [Client Quit] 18:33 < sigmonsays> !topology 18:33 < vpnHelper> sigmonsays: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 18:33 -!- Kalavera [n=Kalavera@190.8.151.14] has joined ##openvpn 18:34 < Kalavera> hello I have a problem with my openvpn configuration 18:39 < sigmonsays> what's up Kalavera ? 
18:39 < Kalavera> my tun/tap interface is up 18:40 < Kalavera> IPs are up 18:40 < Kalavera> but I can't have communication between networks 18:40 < sigmonsays> i'm trying to figure out a similiar issue 18:41 < sigmonsays> I have my vpn server doing nat 18:41 < sigmonsays> but I dont' want it to do nat 18:41 < sigmonsays> and just want it to "route" the packets 18:41 < sigmonsays> Kalavera, You may be able to iptables -t nat -A POSTROUTING -j MASQUERADE 18:42 < Kalavera> ohhhh 18:42 < Kalavera> let me try 18:42 < sigmonsays> I personally don't want nat 18:42 < sigmonsays> because then everywhere they go appears as the IP of ur vpn server 18:43 < sigmonsays> i can't figure out hwo to turn that off though :( 18:43 < Kalavera> mmm each remote network ? 18:43 < Kalavera> 192.168.2.x 192.168.3.x and 192.168.4.x ? 18:44 < Kalavera> mmm nop didn't work 18:45 < sigmonsays> heh 18:46 < Kalavera> I don't have firewall rules yet 18:46 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."] 18:46 < Kalavera> I mean INPUT, FORWARD and OUTPUT 18:47 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 18:52 < sigmonsays> I just need to figure out hwo to make linux route packets 18:56 < Kalavera> lol 18:56 < Kalavera> I am having this problem 18:56 < sigmonsays> ;) 18:56 < Kalavera> RTNETLINK answers: No such process 18:56 < sigmonsays> wierd! 18:56 < Kalavera> when I tried to apply an ip route 19:09 < Kalavera> why I have two configurations? one as client and one as server ? 
19:23 -!- Kalavera [n=Kalavera@190.8.151.14] has quit [Read error: 60 (Operation timed out)] 19:43 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:53 < sigmonsays> Hrm: MULTI: no free --ifconfig-pool addresses are available 19:53 < sigmonsays> what does this mean 20:13 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn 20:18 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: dazo, eliasp 20:18 -!- Netsplit over, joins: eliasp, dazo 20:23 -!- eliasp [n=quassel@78.43.213.203] has quit [Connection timed out] 20:28 < ecrist> evening, folks 21:37 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has quit [Nick collision from services.] 22:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 23:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 23:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:55 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] --- Day changed Wed Mar 11 2009 00:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 00:25 -!- eliasp_ [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."] 00:25 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 00:31 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has joined ##openvpn 01:05 -!- Natilous [n=natilous@194.225.128.240] has joined ##openvpn 01:07 < Natilous> Hi,all .. I wanna run a LanAccounting server..can u Help me or give me a Document to do it? 01:10 < Natilous> any help ? 
01:19 -!- Natilous [n=natilous@194.225.128.240] has left ##openvpn [] 01:25 -!- mjt [n=mjt@isrv.corpit.ru] has quit ["reboot"] 01:53 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:49 -!- enzotib [n=enzotib@unaffiliated/enzotib] has joined ##openvpn 02:50 < enzotib> !logs 02:50 < vpnHelper> enzotib: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 02:51 < enzotib> !configs 02:51 < vpnHelper> enzotib: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:03 -!- Natilous [n=natilous@194.225.128.240] has joined ##openvpn 03:04 -!- Natilous [n=natilous@194.225.128.240] has left ##openvpn [] 03:09 -!- Natilous [n=natilous@194.225.128.240] has joined ##openvpn 03:09 < Natilous> Hey .. how can i run LanAccounting ? 03:09 < Natilous> anyone can help me ? 03:12 -!- enzotib [n=enzotib@unaffiliated/enzotib] has left ##openvpn ["Fuori servizio - Ricevuto segnale 15"] 03:12 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has joined ##openvpn 03:14 < enzotib_> hi all, I would to connect two machine with openvpn point to point, I have the following configurations and log files http://pastebin.com/m572f5a8b , needless to say it doesn't work 03:17 < enzotib_> when the client (is a laptop) is on the same network as the server, the connection is established correctly 03:40 -!- Natilous [n=natilous@194.225.128.240] has left ##openvpn [] 03:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:10 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 04:10 < toddoon> hi after initialization sequence completed i have WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.3.0.0 255.255.255.0' 04:12 < toddoon> what does it mean and how do i fix it? 
04:14 < enzotib_> toddoon, there is a "ifconfig" line in the remote config file? 04:16 < toddoon> enzotib_: i am not the administrator of the server so i don't know 04:16 < toddoon> but for people who are working with Windows it works 04:17 -!- Mark_ [n=mark@ip24-56-23-192.ph.ph.cox.net] has joined ##openvpn 04:17 < enzotib_> toddoon, apart from that warning, it works or not? 04:18 < Mark_> anyway to selectively pull pushed options? 04:18 < Mark_> i.e. i want the ip address the server gives but i dont want its routes 04:18 < Mark_> are there environment variables i can script something up with? 04:20 < toddoon> enzotib_: i have difficulty to ping others virtual clients, for example i could ping 10.3.0.10 which is the openvpn server but not 192.168.0.51 which is the same computer but with nat address 04:21 < Mark_> does the client know the route? 04:21 < Mark_> is the client linux? 04:21 < toddoon> i am on linux (the client) and the server is Windows :p 04:21 < Mark_> okay well 04:21 < Mark_> type ip route 04:22 < Mark_> do you have a route to 192.168.0 ? 04:22 < toddoon> wait i paste the result 04:22 < enzotib_> by the way, I have a connection problem, some info: http://pastebin.com/m572f5a8b 04:22 < toddoon> http://pastebin.com/m4c502da8 04:23 < Mark_> okay toddoon, 04:23 < Mark_> i see you have a route to 192.168.0.x 04:23 < Mark_> but its over eth0, not the openvpn interface 04:23 < toddoon> yes 04:23 < toddoon> ok 04:23 < Mark_> also 04:24 < Mark_> your using bridge mode (dev tap) 04:24 < toddoon> http://pastebin.com/m5c8af26a 04:25 < toddoon> i am using tap yes 04:25 < Mark_> you have an odd configuration for what you are doing 04:25 < Mark_> so your linux computer is 192.168.0.25 is on network 1 04:26 < toddoon> yes 04:26 < Mark_> and you have a windows computer as a server.. 
is that on the same network or different network 04:26 < toddoon> thats my openvpn conf http://pastebin.com/m52dbc72f 04:27 < toddoon> Mark_: on a different network 04:27 < Mark_> well 04:27 < Mark_> the problem is 04:27 < Mark_> both private networks are the same ip address 04:27 < Mark_> also 04:27 < Mark_> bridge mode would mean giving the client an ip address on the same network 04:27 < Mark_> client is 192.168.0.x 04:28 < Mark_> server is 192.168.0.x 04:28 < toddoon> i have some difficulties to understand what you said but it is interresting 04:28 < Mark_> cannot tell 'which 192.168.0.x' to choose 04:28 < toddoon> yes certainly 04:29 < toddoon> client is 192.168.0.25 04:29 < Mark_> it will be hard to link these with vpn 04:29 < Mark_> because of the address collision 04:29 < toddoon> server is 192.168.0.51 04:29 < toddoon> erf 04:29 < Mark_> yes but both are 192.168.0. 04:29 < Mark_> so the client cannot decide which to choose 04:30 < toddoon> ok it is a poor server configuration the 'admin' didn't know a lot apparently 04:30 < toddoon> isn't there a solution because with Windows it works some times :p 04:31 < Mark_> you could do some really nasty hacks 04:31 < Mark_> hehe 04:31 < Mark_> nothing easy 04:31 < toddoon> ^ 04:31 < toddoon> ok 04:32 < toddoon> so leave it i hope that i haven't to use a lot this 'vpn' 04:32 < Mark_> yea i mean with tap you are supposed to have a bridge too 04:32 < Mark_> its weird 04:33 < toddoon> lol 04:33 < Mark_> basically with tap device its a bridged vpn 04:34 < Mark_> you wouldnt use 10.3.0.8 04:34 < Mark_> would give it an address from the servers subnet 04:34 < toddoon> ok 04:35 < Mark_> anyway 04:35 < Mark_> enzotib_, 04:35 < Mark_> whats your issue 04:35 < Mark_> im a novice but i might be able to help 04:36 < enzotib_> Mark_, in the pastebin you could see the config and log files 04:36 < enzotib_> but I cannot connect 04:37 < Mark_> well 04:37 < Mark_> you are using udp 04:37 < Mark_> maybe thats your snag 04:37 < Mark_> 
try setting proto tcp in your server config 04:38 < enzotib_> uhm 04:38 < enzotib_> ok 04:38 < Mark_> cus i see your nmap shows tcp 80 listening 04:38 < enzotib_> yeah, your right 04:38 < enzotib_> but I cannot test it now, i'm not at home 04:39 < Mark_> also your configuration looks like its missing some things 04:39 < Mark_> so im not sure it will work like you want it 04:40 < Mark_> also in my config im just using port xxx 04:40 < Mark_> not lport 04:40 < Mark_> works fine 04:42 < enzotib_> Mark_, when the laptop is in the same network of the server the connection works fine 04:42 < enzotib_> so I think it is a firewall problem, and the tcp/udp problem can really be the point 04:42 < Mark_> ahh ye 04:42 < Mark_> a 04:44 < Mark_> id just use netstat to double check what its listening on 04:47 < enzotib_> Mark_, the server: udp 0 0 0.0.0.0:80 0.0.0.0:* 10521/openvpn 04:48 < enzotib_> so "proto tcp" is the line to add to the config file? 04:48 < enzotib_> to both ends 04:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 04:58 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)] 04:59 < Mark_> yea 04:59 < Mark_> well on the linux client 04:59 < Mark_> it depends on your config 04:59 < Mark_> but something like 04:59 < Mark_> proto tcp-client 04:59 < Mark_> remote 1.2.3.4 80 04:59 < Mark_> would do the trick 05:00 < enzotib_> thanks very much Mark_ 05:00 < Mark_> np 05:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:27 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 05:28 < mRCUTEO> hiya krzee 05:28 < mRCUTEO> :D 05:32 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit] 05:32 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 05:33 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn 05:34 < mf_417> hi, is there any solution to manage user's bandwith over vpn? 
05:35 < mf_417> I mean max width + max monthly download limit 05:36 < Mark_> nothing built into openvpn 05:36 < Mark_> but you could do something with iptables/linux 05:36 < dazo> mf_417: not in openvpn ... but you can use your OS' own mechanism for doing that on the virtual interface (tun/tap) 05:36 < Mark_> actually im pretty sure you can attach qdiscs to the vpn interface 05:36 < Mark_> to do rate limiting yea 05:37 < dazo> mf_417: ^^ Mark_ got straight to the point 05:37 < mf_417> dazo: u mean something like cbq or tc over tap0 ? 05:37 < Mark_> yea 05:37 < Mark_> that can handle rate limiting 05:37 < dazo> mf_417: I've never tried it ... Mark_ seems to know very well :) 05:37 < Mark_> as far as 'accounting' 05:37 < Mark_> for monthly limits 05:37 < Mark_> well i dont know personally, but 05:37 < Mark_> 4: tun0: mtu 1500 qdisc pfifo_fast qlen 100 05:38 < Mark_> pfifo_fast is the default qdisc 05:38 < Mark_> so it makes sense that you could replace it 05:38 < Mark_> like any other interface 05:38 < Mark_> 2: eth0: mtu 1500 qdisc htb qlen 1000 05:38 < Mark_> etc 05:38 < mf_417> traffic on tun0 is encrypted ? 05:38 < dazo> mf_417: that's inside the tunnel ... so the traffic here is the unencrypted one 05:38 < Mark_> if you setup openvpn correct, it will be encrypted between the tun devices 05:39 < Mark_> but you can still see unencrypted with something like 05:39 < Mark_> tcpdump -i tun0 05:39 < Mark_> because its not encrypted until it leaves tun0 05:39 < Mark_> if you tcpdump -i eth0, you will see its all encrypted 05:39 < Mark_> (assuming tun0 tunnels through eth0) 05:39 < mf_417> u mean input traffic is UNencrypted and output traffic is ENcrypted? 
05:40 < dazo> -> tun0 -> openvpn(encrypt/decrypt) <-> internet <-> openvpn(encrypt/decrypt) -> tun0 -> (unencrypted traffic) 05:40 < Mark_> well it depends on your definition of input and output 05:40 < Mark_> exactly, dazo explains it well 05:41 < mf_417> So I can easily manage bandwidth by tc 05:41 < Mark_> yes 05:41 < Mark_> accounting though, there are many options 05:41 < mf_417> Now, how I can manage monthly download limits? 05:41 < Mark_> i know iptables can count packets 05:42 < dazo> mf_417: for quotas ... like monthly limits .... that's more tricky ... You would need to log the traffic amount, which is logged by openvpn ... parse it, store it ... and then controll the access somehow .... 05:42 < mf_417> ok, if iptables can count, I can write a script that do it 05:42 < Mark_> there are also some programs i think 05:43 < Mark_> that can do it all automatically 05:43 < dazo> mf_417: I've been working on another project related to improving authentication and access controll to the network .... http://www.eurephia.net/ ... I log that information in an SQLite database .... so I guess it would be possible to extend this to include limits per account 05:43 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 05:43 < Mark_> ive only done rate limiting, never have kept track of per ip bandwidth (just use cacti and stuff for an entire server) 05:44 < dazo> mf_417: and it could be restricted on either iptables level (which means that the client would be able to connect with openvpn) ... or to "disable" the openvpn account, denying openvpn connections 05:44 < Mark_> openvpn-status has some information too about bandwidth 05:44 < Mark_> as dazo said (i didnt know this before) 05:44 < Mark_> hehe 05:45 < mf_417> Mark_: can u remember name of that programs that u said can do the job automatically? 
05:45 < Mark_> no ive never used, i just remember reading about them over the years 05:45 < Mark_> i just found a script you might be able to modify 05:45 < Mark_> http://wiki.openvz.org/Traffic_accounting_with_iptables 05:45 < vpnHelper> Title: Traffic accounting with iptables - OpenVZ Wiki (at wiki.openvz.org) 05:46 < mf_417> tanx alot Mark_ and dazo 05:47 < dazo> mf_417: np! you're welcome 05:48 < Mark_> i found something called ipac-ng too 05:48 < Mark_> http://martybugs.net/linux/ipac.cgi 05:48 < vpnHelper> Title: Bandwidth Monitoring with ipac-ng (at martybugs.net) 05:48 < Mark_> looks kind of crappy 05:49 < Mark_> iptables is probably best 05:49 < Mark_> so you can put specific rules 05:49 < mf_417> Mark_: tanx, I'll check it too 05:51 < Mark_> uh oh 05:51 < Mark_> http://www.microsoft.com/technet/security/bulletin/MS09-006.mspx 05:51 < Mark_> sounds serious 05:54 < dazo> "The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system." ... 05:54 * dazo would like to figure out how 05:54 < dazo> :-P 05:54 < Mark_> it freaked me out when virtualbox restarted 05:55 < Mark_> i thought it crashed 05:55 < Mark_> thats the first time ive ever seen windows automatically reboot without any user input for windows update 05:55 < Mark_> thats why i said it must be serious 05:55 < dazo> Mark_: probably just Microsoft trying out this vulnerability :-P 05:55 < dazo> on your box 05:56 < mf_417> Mark_: u can simple exploit it by metasploit + one crafted wmf + a link to your file on your valid-ip server 05:56 < dazo> And it basically covers all Windows version which is still "valid" ... 05:56 < mf_417> I think it is a vul. in picture viewer of microsoft 05:57 < dazo> mf_417: ...... strike "picture viewer of" .... and you'll get it right 05:59 < mf_417> I saw a video about this vul. 
05:59 < mf_417> a cracker breaks into on machine that was behind NAT and Firewall 06:00 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"] 06:01 < Mark_> well 06:01 < Mark_> whats sad is 06:01 < dazo> mf_417: yeah, of course ... send a corrupt picture which opens an SSL encrypted tunnel via port 443 to your own cracker-server ... and you'll basically have it 06:01 < Mark_> it affects everything 06:01 < Mark_> windows 2000 to 2008/vista 06:01 < Mark_> its like they copy and paste bad code for 10 years 06:01 < Mark_> lol 06:01 < dazo> Mark_: you think they don't do that? :-P 06:02 < dazo> If they didn't ... it might be even less errors :-P 06:02 < Mark_> a kernel mode bug too 06:03 < dazo> But the fun thing .... a lot of people hate the UAC in Vista .... but that came to improve all these weaknesses .... 06:03 < dazo> so it can't be easy being Microsoft too :-P 06:04 < Mark_> t Microsoft rates as critical but in the exploitability index they rate it a "3 - Functioning exploit code unlikely" and add that "Consistent denial of service is more likely than reliable, functional code execution." 
06:05 < Mark_> of course 06:06 < Mark_> this is like the 800th exploit in gdi 06:06 < Mark_> so theres probably 10 more now 06:08 < dazo> :-P 06:16 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn 06:16 < L|NUX> hello every one 06:16 < Mark_> hi 06:17 < L|NUX> Mark_: i have very strange issue 06:17 < Mark_> whats up 06:18 < L|NUX> i have installed openvpn b/w two linux boxes one is acting as server another one is acting as client 06:18 < L|NUX> now when i start client i keep getting this error 06:18 < L|NUX> Mar 11 17:35:31 bangladesh openvpn[21051]: TLS: Initial packet from 61.78.75.92:1194, sid=77c642a9 b2b0c8fb 06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/CN=korea.vplphone.com/emailAddress=info@korea.vplphone.com 06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: TLS Error: TLS object -> incoming plaintext read error 06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: TLS Error: TLS handshake failed 06:18 < L|NUX> i have tried to create keys manually but same issue is coming again and again :( 06:19 < Mark_> hmm 06:19 < L|NUX> any idea ? 06:21 < Mark_> hmm 06:21 < Mark_> is date/time correct on both servers? 06:21 < L|NUX> lemme check 06:22 < L|NUX> [root@bangladesh keys]# date 06:22 < L|NUX> Wed Mar 11 17:39:06 BDT 2009 06:22 < L|NUX> [root@bangladesh keys]# 06:22 < L|NUX> [root@korea openvpn]# date 06:22 < L|NUX> Wed Mar 11 20:52:50 EDT 2009 06:22 < L|NUX> [root@korea openvpn]# 06:22 < L|NUX> 2nd one is server time :$ 06:22 < L|NUX> should i change timezone ? 
06:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out] 06:23 < Mark_> no 06:23 < Mark_> but make sure are correct 06:23 < Mark_> like 06:23 < Mark_> its not 20:52 EDT 06:23 < Mark_> its 6 or 7 AM eastern time 06:23 < Mark_> lol 06:24 < L|NUX> let me change on client server same timezone 06:24 < L|NUX> :) 06:24 < Mark_> if korea is really in korea, fix timezone 06:24 < Mark_> lol 06:24 < Mark_> if korea is on east coast usa, then time is way wrong 06:24 < Mark_> lol 06:24 < L|NUX> its in korea 06:25 < L|NUX> what time is it in EDT ? 06:25 < L|NUX> let me know 06:27 < Mark_> do you have ntpdate installed? 06:27 < Mark_> just type ntpdate -u time.nist.gov 06:27 < Mark_> will set clock to atomic clock 06:28 < dazo> L|NUX: which distro are you using? 06:28 < L|NUX> nope 06:28 < L|NUX> ok 06:28 < L|NUX> lemme update 06:28 < L|NUX> centos 06:28 < L|NUX> centos 4.4 06:28 < dazo> L|NUX: openvpn version? 06:29 < L|NUX> 2.0.9 06:29 < L|NUX> on both ends 06:29 < Mark_> i think its a time issue 06:30 < dazo> L|NUX: even though 2.1RC15 is not officially announced as the stable release .... it is just as solid and stable as 2.0.9 ... I recommend updating to that version 06:30 < dazo> Mark_: you might be right 06:30 < L|NUX> dazo: but i have sync my time ntpdate -u time.nist.gov 06:31 < Mark_> sync time and still failure? 06:31 < Mark_> "certificate is not yet valid" 06:31 < Mark_> not yet 06:31 < Mark_> so i think when you created it 06:31 < Mark_> it was in the 'future' 06:31 < Mark_> hehe 06:32 < L|NUX> tes 06:32 < L|NUX> re-creating cert 06:39 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn [] 06:39 < L|NUX> works 06:39 < L|NUX> :0 06:40 < L|NUX> Mark_: thanks 06:41 < Mark_> np 06:57 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has joined ##openvpn 06:58 < m31k0r> hello folks! 
06:58 < m31k0r> I have a problem in a network2network configuration 06:59 < m31k0r> if I ping from one site to another arribes but not in the other way 06:59 < m31k0r> if you use tcpdump 06:59 < m31k0r> then you see that ping are arriving good to the nic 06:59 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 07:00 < m31k0r> but when the openvpn changes de packets from the eth0 to the tun0 07:00 < m31k0r> then the origin Ip is changed to the tunnel entry point one 07:00 < m31k0r> does any body understands what is happening here? 07:03 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit [] 07:16 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:18 < ecrist> good morning, folks 07:19 -!- hads_ [n=hads@argon.nice.net.nz] has joined ##openvpn 07:19 -!- hads [n=hads@argon.nice.net.nz] has quit [Remote closed the connection] 07:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 07:35 < dazo> m31k0r: a couple of things to check out .... if running Linux, make sure /proc/sys/net/ipv4/ip_forward is set to 1 07:36 < dazo> m31k0r: then check your firewall config ..... allow traffic to/from tun/tap devices (depending on your config) to pass in the FORWARD chain (in Linux) 07:37 < dazo> m31k0r: and lastly ... check your routing tables 07:37 < dazo> !route 07:37 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 07:37 < m31k0r> yes it is 07:37 < dazo> m31k0r: ^^^ ... that link might give you even more ideas 07:38 < m31k0r> well I will check but the behaviour is so strange 07:38 < dazo> m31k0r: if you're using iptables .... check also iptables -t nat .... make sure you don't masq tun/tap traffic 07:39 * dazo did just a quick brainstorm here now 07:39 < dazo> for more info ... 
we'll need at least configs 07:39 < dazo> !configs 07:39 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:44 < m31k0r> I think the problem is a masquerade rule we have on the firewall 07:44 < m31k0r> as you point 07:45 < ecrist> firewalls are the #1 cause of VPN problems 07:45 < ecrist> hence the channel topic 07:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 08:04 -!- onats_ [n=onats@122.53.131.243] has joined ##openvpn 08:06 -!- onats_ is now known as onats 08:20 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 08:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:33 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 09:38 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has joined ##openvpn 09:38 < Ramasule> Good morning 09:40 < Ramasule> If someone has some spare time to help me figure this one out here is my problem. I can connect to my OpenVpn server at home using the web gui but when I use the tomato linksys to connect it fails on the tls negotiation. I used the same keys and loggin and everything, I even tried changing routers. I dont understand what the problem could be. 09:40 < dazo> Ramasule: which openvpn versions are you using? ... Are clocks in sync? 09:42 < Ramasule> clocks are in sync 09:42 < Ramasule> latest vpn 09:43 < dazo> Ramasule: which latest? 2.1_RC15? 09:43 < Ramasule> let me find out for sure 09:44 < dazo> Ramasule: it might be issues if there are 2.1 servers and 2.0 clients ... 
usually aligning all clients and server to the 2.1_RC15 have really solved issues for most users 09:45 < Ramasule> what is the command to check what version of openvpn it is? 09:45 < dazo> /usr/sbin/openvpn --version 09:46 < Ramasule> k 09:46 < Ramasule> ill brb 09:47 < Ramasule> server is 2.0.9 09:49 < dazo> and your clients? 09:49 < Ramasule> client is 2.1_r15 09:49 < Ramasule> sorry im having to ssh into routers 09:49 < Ramasule> little slow 09:49 < dazo> np 09:49 < Ramasule> its confusing because I had it working at home and then when I toke it to my workplace it no longer worked 09:50 < dazo> And the tomato linksys is the one running 2.0.9? 09:50 < Ramasule> no the tomato is running 2.1_r15 09:50 < Ramasule> my sme server is the one runnin 2.0.9 09:50 < dazo> goodie 09:51 < dazo> that combination should in theory work fine ... do you have some kind of firewall in front of your openvpn client? 09:51 < Ramasule> yes a nasty one 09:51 < Ramasule> but heres my conundrum 09:51 < Ramasule> my openvpn_gui client on my laptop works 09:51 < Ramasule> but then on the router it dosnt 09:51 < dazo> I used to use udp transport to "get home" .... and when I changed work, I had to change to tcp because the udp transport didn't work out well 09:52 < dazo> aha ... and the tomato linksys router is on the same network as the laptop? 09:52 < ecrist> !tcp 09:52 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 09:52 < Ramasule> yes 09:52 < Ramasule> my laptop and router are hooked into another router 09:53 < dazo> that's really odd 09:53 < Ramasule> yeah 09:53 < dazo> Ramasule: time to post server and client logs ... 
and configs 09:53 < dazo> !logs 09:53 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:53 < dazo> !configs 09:53 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:53 < Ramasule> sgtpepper was also kind enough to try to connect given teh keys I used and he got hte same problem 09:53 < Ramasule> verb 6 09:53 < Ramasule> k 09:53 < Ramasule> i will set 09:54 < Ramasule> I wil lgive you the log from my laptop as well 09:56 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has quit ["Saliendo"] 10:19 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 10:21 < Ramasule> hello 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverloglaptop.htm 10:24 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.htm 10:24 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverlaptoplog.htm 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverrouterlog.htm 10:25 < Ramasule> http://www.apttest.kicks-ass.net/DerekLVPN_09_03_10.rar for config files on laptop 10:25 < Ramasule> and client key 10:26 < Gabriel25ny> !/30 10:26 < vpnHelper> Gabriel25ny: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 10:26 < Gabriel25ny> !topology 10:26 < vpnHelper> Gabriel25ny: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
10:29 < Ramasule> scratch the 2 server logs they should be 10:29 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.htm 10:29 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:29 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.htm 10:29 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:41 -!- c64zotte1 [n=hans@p5B17B135.dip0.t-ipconnect.de] has joined ##openvpn 10:42 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 10:42 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Connection timed out] 10:43 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has joined ##openvpn 10:55 < Ramasule> !howto 10:55 < vpnHelper> Ramasule: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:55 < Ramasule> damn you vpnhelper 10:55 < Ramasule> !vpnhelper fix vpn 10:55 < vpnHelper> Ramasule: Error: "vpnhelper" is not a valid command. 10:56 < Ramasule> i know :( 11:08 < Ramasule> oh i can pastebin right in here 11:08 < Ramasule> thats kinda cool 11:15 * krzee doesnt see the configs... 11:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 11:19 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has left ##openvpn [] 11:19 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has joined ##openvpn 11:19 < Ramasule> http://www.apttest.kicks-ass.net/server-bridge.conf.nocomment 11:19 < Ramasule> there is the server config 11:21 < krzee> and client... 11:21 < krzee> also, wheres the client log 11:21 < krzee> The requested URL /serverlaptoplog.htm was not found on this server. 11:21 < krzee> and, why do you want a bridged setup? 
11:21 < krzee> especially when you use WINS 11:22 < krzee> if you already have wins, SMB will work in tun 11:22 < krzee> with less overhead and more security 11:22 < krzee> (i say more security because of the lack of security in layer2) 11:22 < Ramasule> I dont knwo I used the sme contribution 11:23 < krzee> sme contribution? 11:23 < Ramasule> it is integrated into my sme server panel 11:23 < krzee> heh 11:23 < krzee> !configs 11:23 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:23 < Ramasule> http://wiki.contribs.org/Main_Page 11:23 < krzee> oops 11:23 < vpnHelper> Title: SME Server (at wiki.contribs.org) 11:23 < krzee> i mean 11:23 < krzee> !sample 11:23 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 11:24 < Ramasule> i dont knwo how to get the client one because its in tomato firmware 11:24 < Ramasule> and when I ssh into the box it is very limited what I can do 11:25 < krzee> !router 11:25 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 11:25 < Ramasule> I did turn on loggin and posted it 11:25 < krzee> [11:21] The requested URL /serverlaptoplog.htm was not found on this server. 
11:25 < Ramasule> yes below it I said ignore hte server ones they are at /serverloglaptop.htm 11:25 < krzee> that also goes for posting the configs too, just never had anyone not able to post their configs before 11:25 < Ramasule> log is in the middle 11:26 < krzee> [10:29] scratch the 2 server logs they should be 11:26 < krzee> [10:29] http://www.apttest.kicks-ass.net/serverlogrouter.htm 11:26 < krzee> [10:29] Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:26 < krzee> [10:29] http://www.apttest.kicks-ass.net/serverlogrouter.htm 11:26 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:26 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:27 < Ramasule> it has to be something in the router config because my gui client works fine 11:27 < krzee> config or firewall or something of that nature 11:27 < Ramasule> yeah 11:27 < krzee> looks like the laptop stops receiving responses at 09:11:00 11:28 < Ramasule> thats when I disconnected 11:28 < Ramasule> isnt it? 11:28 < krzee> ya but your server log is from a different point 11:28 -!- c64zotte1 [n=hans@p5B17B135.dip0.t-ipconnect.de] has quit ["Leaving."] 11:28 < Ramasule> i have one for the laptop and one for the router 11:28 < krzee> i only have til 09:06:18 11:28 < krzee> doesnt it make sense to gimme logs from the SAME time period? 11:29 < Ramasule> didnt I? 11:29 < Ramasule> let me check again thanks krzee sorry for frustrating you 11:29 < krzee> check your timestamps 11:29 < krzee> np 11:29 < Ramasule> http://www.apttest.kicks-ass.net/serverloglaptop.htm 11:29 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:30 < Ramasule> that the one your looking for? 
11:30 < Ramasule> i think i got them mixed up 11:30 < Ramasule> I did too 11:30 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has quit ["Sto andando via"] 11:30 < krzee> that was the same 11:31 < krzee> its the router thats a diff time 11:31 < krzee> restart openvpn all together on both 11:31 < krzee> then gimme the log from start to first not working connection attempt 11:31 < krzee> like when it gives up and tries again 11:32 < Ramasule> i fixed the links 11:34 < Ramasule> but the router one is still wrong so im restarting 11:34 < Ramasule> and ill try to use pastebin down there 11:37 < krzee> umm, log links are same 11:38 < Ramasule> thats what I said 11:38 < Ramasule> im using pastebin 11:38 < Ramasule> hmm 11:38 < Ramasule> that didnt work out so well 11:41 < krzee> k im going back to idle 11:41 < krzee> tired 11:44 < Ramasule> http://www.apttest.kicks-ass.net/logrouter.log 11:44 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.log 11:44 < Ramasule> dang thanks krzee 11:51 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 11:52 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has quit [Remote closed the connection] 12:01 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn 12:02 < unixSnob> any ovpn developers in here? you guys need to make openvpn smarter about dates; make it so an openvpn client has the ability to ask the server what the date is, and then report back that date 12:04 < Ramasule> I think I pissed them all off, and they left. :P 12:05 < unixSnob> you told them about the date issue :)? 12:05 < Ramasule> no I asked for help, and then gave them a bunch of shitty log files 12:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:08 < dazo> Ramasule: I'm sorry I left out ... still at work and had to take of some things ... 
but my time is running out today :( 12:09 < dazo> s/take of/take care of/ 12:09 < Ramasule> haha no problem I think i gave krzee a headache trying ot help me :P 12:09 < Ramasule> time is always running out 12:09 < Ramasule> damn you time 12:09 < Ramasule> !kill time 12:09 < vpnHelper> Ramasule: Error: "kill" is not a valid command. 12:09 < Ramasule> :( 12:23 < Ramasule> oh well :/ 12:24 -!- Gumbler is now known as Apfel 12:24 -!- Apfel is now known as Gumbler 12:24 -!- Ramasule is now known as Apfel 12:24 < Apfel> lol 12:25 -!- Apfel is now known as Ramasule 12:25 -!- unixSnob_ [n=jj@starfury.spearlink.com] has joined ##openvpn 12:42 -!- unixSnob [n=jj@starfury.spearlink.com] has quit [Read error: 110 (Connection timed out)] 12:55 -!- billly [i=billy@misfacio.com] has joined ##openvpn 13:01 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 13:02 < ecrist> afternoon, folks 13:02 < ecrist> unixSnob_ and Ramasule: there are not any OpenVPN developers in here, that we're aware of. 13:03 < ecrist> so, if you want to bitch, email them directly. 
13:03 < Ramasule> whos bitching 13:03 < ecrist> or, *gasp*, contribute 13:03 < Ramasule> I was trying to cracka joke 13:03 < Ramasule> If I contribute kernels around the world would panic 13:03 < Ramasule> bada ba ting 13:04 < unixSnob_> ecrist: this problem requires bitching, not contribution, because it appears to be a deliberate defect in openvpn that I would undo, and they might not want me reversing anything deliberate 13:04 < lclimber> hello guys i am trying to connect 2 networks over a vpn, the situation is the following, i have one vpn server and a client wich has a subnet of it's own, now when i conect the client to the server, the client is able to connect to the pc's on the serer subnet, but when i try to connect from the server to the client subnet i get no answer, i routed the packages from net server that go to the client's net through the vpn net, but 13:04 < lclimber> still no answer, any ideas?? 13:04 < ecrist> unixSnob_: I think your issue is with SSL, not OpenVPN. OpenVPN doesn't rewrite SSL libraries, they use the standard ones. 13:05 < ecrist> and the requirement for time synchronization between client/server is out of scope for the protocol. 13:05 < ecrist> there are other such things for that. 13:06 < ecrist> lclimber: have a look here: 13:06 < ecrist> !route 13:06 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 13:06 < ecrist> look for the section on iroute, specifically 13:06 < lclimber> thanx ecrist 13:10 < Ramasule> hmm that is a good read 13:12 < billly> am I having the same problem as lclimber? I have a VPS for the openvpn server, and my homepc as the client, I can connect to the VPN, and I see the packets on server side, but everything on my PC times out 13:19 < ecrist> billly: read the same article, ask questions you may have afterwards 13:19 < lclimber> yeah, that was the answe!!!! 
thanx a lot 13:19 < ecrist> krzee wrote it, thank him next time you see him 13:26 < lclimber> sure 13:32 -!- allquixotic [n=sean@129-2-175-109.wireless.umd.edu] has joined ##openvpn 13:33 < allquixotic> Hi, how can I quickly test whether my live OpenVPN network connection is split tunneled? I can get into the LAN just fine, but I'm really interested in tunneling all IP traffic through the server. 13:35 < reiffert> !redirect-gateway 13:35 < vpnHelper> reiffert: Error: "redirect-gateway" is not a valid command. 13:35 < reiffert> allquixotic: --redirect-gateway def1 13:36 < billly> sigh I have no idea what's wrong 13:37 < allquixotic> reiffert: Thanks :) 13:37 < billly> I'm not trying to reach any other private networks behind the server/clients 13:38 < billly> just trying to access the internet through my vpn 13:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:42 < Ramasule> -away 13:44 < billly> http://rafb.net/p/mWDDIz78.html <-- can anyone see if anything's wrong? client-->server works, but it seems like no traffic from server-->client works 13:44 < vpnHelper> Title: Nopaste - openvpn (at rafb.net) 13:47 < ecrist> billly: you need a couple things for that to work 13:47 < ecrist> 1) you need --redirect-gateway def1 on the server config 13:48 < ecrist> 2) on the server, you need proper NAT configured for VPN clients, or you need to be distributing *real* ips via OpenVPN 13:49 < lclimber> or you can install a proxy server 13:50 < billly> would bridging be simpler? 
13:50 < billly> because all I really need is one client (me) 13:50 < ecrist> no 13:53 < billly> oh I think I see what's going on now 13:57 < billly> nice it works 13:57 < billly> ecrist: thanks :D 14:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 14:03 -!- unixSnob_ [n=jj@starfury.spearlink.com] has quit ["leaving"] 14:06 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit [Remote closed the connection] 14:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 14:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)] 14:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 14:16 < Bushmills> live long and prosper 14:20 * vcs shows Bushmills with dilithium radiation 14:20 < vcs> showers* 14:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:21 < reiffert> vcs: thats superman, isnt it? 14:22 < vcs> no, dilithium crystals are what powers the enterprise 14:22 < vcs> http://en.wikipedia.org/wiki/Dilithium_(Star_Trek) 14:22 < reiffert> Ah, now where you mention that it really sounds familiar :) 14:22 < Bushmills> no, that's cryptonite 14:23 < vcs> thats how spock died, he replaced a dilithium crystal with no protection 14:23 < vcs> so the enterprise could escape the genesis weapon 14:23 < reiffert> Ah, really. 14:23 < vcs> yep 14:23 < Bushmills> he died another time, on genesis 14:23 < reiffert> Thats the same death I think. 
14:23 < vcs> live long and prosper my friends 14:23 < vcs> yes 14:23 < Bushmills> on that planet with molecular instability 14:24 < Ramasule> KHAAAAANNNN 14:24 < vcs> the eugenics wars were not good to poor old khan :P 14:25 < Bushmills> causing some sort of dimensional deficiency on his tactics 14:25 -!- jameshicks212121 [n=james@static-67-62-198-140.dsl.cavtel.net] has joined ##openvpn 14:25 < vcs> the new star trek movie comes out this summer 14:26 < vcs> not sure if i am excited or not 14:26 < reiffert> We all are, no matter, after all we spent so many years of wasted time with startrek, we'll just have to be. 14:26 * Bushmills showers vcs with pangalactic gargleblaster 14:26 < reiffert> :) 14:27 * vcs beheads Bushmills with a Bat'leth 14:28 < Bushmills> good try, here's a band aid for your finger 14:29 < vcs> lol 14:30 < jameshicks212121> !route 14:30 < vpnHelper> jameshicks212121: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:30 * Bushmills tips vcs off to sylar 14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:31 -!- allquixotic [n=sean@129-2-175-109.wireless.umd.edu] has quit [Read error: 110 (Connection timed out)] 14:33 -!- romero [n=user@193.219.160.109] has left ##openvpn [] 14:36 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 14:38 < ecrist> 'this idler has gone to sleep' 14:40 < jameshicks212121> hey all, anybody familiar with client error Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9) in response to a server config setting of push "redirect-gateway def1" when the client is running WinXP? 14:40 < ecrist> yep 14:40 < jameshicks212121> great 14:41 < jameshicks212121> anywhere I can read up on it? 
14:41 < ecrist> looks like you're connecting to a server running 2.1 from a client running 2.0.9 where the server has an option (topology) which isn't available in 2.0.9 14:42 < jameshicks212121> so if I update the client all will be well? 14:43 < ecrist> should be, yeah 14:44 < jameshicks212121> thanks you saved the last hair on my head. I'm going to comb it over now. 14:44 < ecrist> lol, glad to help 14:46 -!- allquixotic [n=sean@129-2-131-69.wireless.umd.edu] has joined ##openvpn 14:47 < ecrist> jameshicks212121: thanks, I've added this to the SCN OpenVPN FAQ 14:47 < ecrist> http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ 14:47 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net) 14:49 < allquixotic> billly: How'd you fix your routing problem with the redirect-gateway option? I'm having some problems with that right now. 14:52 -!- allquixotic [n=sean@129-2-131-69.wireless.umd.edu] has quit ["Ex-Chat"] 14:59 < jameshicks212121> ecrist: cool 15:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 15:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 15:19 < Ramasule> bahahahahhhhhhhaaaaaaahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh 15:19 < ecrist> you must have realized how small your penis really is, eh? 15:19 < Ramasule> no just the guy standing in the mirror 15:19 < Ramasule> hey wait a second 15:20 < Ramasule> no I stillcant get my router connecting 15:29 < jameshicks212121> ecrist: I had my client update their software and the error message went away but the redirect-gateway def1 is still not working. I've posted all the particulars here http://pastebin.com/d1a4fac5a if you care to take a look. Thanks. 15:31 < jameshicks212121> the strange thing is that http traffic does seem to get routed but VNC will not work. 
I've setup tcpdump on the server and told it to listen to tun0 and can see all the clients http traffic being routed through the tunnel but cannot get the client to ping a local machine. 15:32 < jameshicks212121> another strange thing is that the client was working fine with the older client software less than a week ago. 15:34 < Ramasule> Ok 15:36 < Ramasule> if I have a server with samba and wins running on it what is the best method to connect a vpn router (tomato firmware) to this server. My server is currently running a openvpn contribution from somebody and it set it up in vpn mode. http://www.apttest.kicks-ass.net/server-bridge.conf.nocomment is the current config file. 15:41 < krzee> i told you the best way 15:41 < krzee> tun, instead of tap 15:41 < krzee> configuring the configs manually instead of that gui 15:41 < krzee> !sample 15:41 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:41 < krzee> that is enough to get you started 15:41 < krzee> along with: 15:41 < krzee> !man 15:41 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
15:46 < Ramasule> do I need to add those push options to the config though krzee 15:49 < Bushmills> don't try to set it as password 16:00 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has joined ##openvpn 16:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 16:11 -!- jameshicks313131 [n=james@static-67-62-198-140.dsl.cavtel.net] has joined ##openvpn 16:14 -!- jameshicks212121 [n=james@static-67-62-198-140.dsl.cavtel.net] has quit [Read error: 110 (Connection timed out)] 16:21 < enzotib_> hi all, I have a connection problem, here are config and log files, and other info: http://pastebin.com/m5f852a5b 16:32 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 16:34 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 16:35 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 16:39 -!- Kreg-Work is now known as soberbit-work 16:47 -!- plaerzen [n=carpe@static-66-11-76-241.ptr.terago.net] has joined ##openvpn 16:47 -!- jameshicks313131 [n=james@static-67-62-198-140.dsl.cavtel.net] has quit [Read error: 110 (Connection timed out)] 16:47 < plaerzen> moin 16:49 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 17:17 < enzotib_> hi all, I have a connection problem, here are config and log files, and other info: http://pastebin.com/m5f852a5b 17:25 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 17:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 18:25 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 18:30 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has quit ["Fuori servizio - Ricevuto segnale 15"] 18:47 -!- allquixotic [n=sean@pool-151-196-247-171.balt.east.verizon.net] has joined ##openvpn 18:51 -!- enzotib [n=enzotib@unaffiliated/enzotib] has joined ##openvpn 18:51 -!- enzotib 
[n=enzotib@unaffiliated/enzotib] has quit [Client Quit] 19:02 -!- allquixotic [n=sean@pool-151-196-247-171.balt.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 20:38 < Ramasule> redirect-gateway 20:38 < Ramasule> !redirect-gateway 20:38 < vpnHelper> Ramasule: Error: "redirect-gateway" is not a valid command. 20:38 < Ramasule> !gateway-redirect 20:38 < vpnHelper> Ramasule: Error: "gateway-redirect" is not a valid command. 20:38 < Ramasule> !--redirect-gateway def1 20:39 < vpnHelper> Ramasule: Error: "--redirect-gateway" is not a valid command. 20:39 < Ramasule> --redirect-gateway def1 20:39 -!- hads_ is now known as hads 20:45 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: jfkw, ploo, huslu_, Typone 20:45 -!- billly [i=billy@misfacio.com] has left ##openvpn [] 20:46 -!- Netsplit over, joins: ploo, Typone 20:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 20:50 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 21:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 21:03 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 21:06 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"] 21:19 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has quit ["http://www.mibbit.com ajax IRC Client"] 23:19 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has quit ["Leaving"] 23:35 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn 23:35 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn [] --- Day changed Thu Mar 12 2009 00:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 00:29 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 01:11 -!- 
floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 02:02 -!- dan__t [n=dant@ns1.hitb.net] has joined ##openvpn 02:02 < dan__t> Hello. 02:03 < dan__t> I'm trying to figure out how index.txt gets updated via pkitool. I don't know if I'm just plain retarded, tired, or what, but I can't figure it out. 02:03 < dan__t> I see database = $KEY_DIR/index.txt per the shipped openssl.cnf 02:04 < dan__t> But I see no reference to 'database' in pkitool 02:10 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn 02:12 < dan__t> ...because its provided by openssl's 'ca' 02:45 -!- dan__t [n=dant@ns1.hitb.net] has left ##openvpn ["Leaving"] 02:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:42 -!- onats [n=onats@122.53.131.243] has joined ##openvpn 04:39 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 04:42 < lclimber> hello, yesterday i posted a question for connecting 2 networks over a vpn using 2 linux machines, now i need to connect the two same networks but on the server sie a have a linux machine and on the client net i have a windows openvpn client making connections, my question is, is there a way to make windows work as a gateway as you do on linux, on linux i had to activate the forward bit, but is it possible to make such configurati 04:42 < lclimber> ons on windows?? 04:43 < reiffert> From my experience, bridging is working with windows quite well. 04:44 < reiffert> On the other hand, there is "connection sharing", which is some kind of nat which comes with microsoft stupidities. 04:45 < reiffert> Routing would be the best approach I guess, but I dont know if it will "just work" or else. 
04:45 < hads> Windows is confusing 04:56 < lclimber> indeed, it is very confusing 04:57 < lclimber> i tryed using connection sharing wich apparently does the job but in only one way, i mean i can reach the subnet from the vom server, but the other way aroung 05:02 < lclimber> reiffert how do you configure bridging on a windows client? 05:05 < reiffert> !howto 05:05 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 05:06 < lclimber> thanx 05:06 < reiffert> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 05:06 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 05:06 < reiffert> same steps than Bridge Server on Windows XP 05:26 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 06:13 -!- onats [n=onats@122.53.131.243] has quit [Remote closed the connection] 06:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:25 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has quit [Remote closed the connection] 06:26 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has joined ##openvpn 06:27 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [] 06:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 06:42 -!- onats [n=onats@122.53.131.243] has joined ##openvpn 07:07 < ecrist> morning, folks 07:23 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has quit [Connection timed out] 07:25 -!- nemysis [n=nemysis@143-117.3-85.cust.bluewin.ch] has joined ##openvpn 07:49 -!- dazo_ [n=dazo@nat/redhat/x-03e49a76085a46a4] has joined ##openvpn 07:51 -!- dazo is now known as Guest99792 07:52 -!- dazo_ [n=dazo@nat/redhat/x-03e49a76085a46a4] has quit [Client Quit] 07:53 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 07:54 -!- dazo [n=dazo@nat/redhat/x-e2e88e9051111d2f] has joined ##openvpn 07:56 -!- Guest99792 [n=dazo@nat/redhat/x-2c7a4fd1671dfd7a] has quit [Read error: 145 
(Connection timed out)] 08:44 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 08:46 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: huslu_ 08:49 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 08:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 09:14 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: huslu_ 09:15 -!- Netsplit over, joins: huslu_ 09:18 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 09:20 < mRCUTEO> !man 09:20 < vpnHelper> mRCUTEO: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 09:20 < mRCUTEO> !/30 09:20 < vpnHelper> mRCUTEO: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:20 < mRCUTEO> !topology 09:20 < vpnHelper> mRCUTEO: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
09:21 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has left ##openvpn [] 09:21 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 09:21 < mRCUTEO> !logs 09:21 < vpnHelper> mRCUTEO: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:24 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 10:06 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 10:14 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["Leaving"] 10:16 -!- ignis_ [n=ignis@bzq-219-148-69.static.bezeqint.net] has joined ##openvpn 10:16 < ignis_> hello to all 10:17 < ignis_> if i have set up an openvpn as tun with a specific subnet say the suggested 10.8.0.0 to a network of addresses that are different say 192.168.1.0 10:18 < ignis_> users succeed connecting with a new assigned address of type 10.8.0.x but can't communicate with inner network 10:18 < ignis_> i read the manual several times but didn't succeed setting up a push route or anything else successfully, please help me 10:22 < ignis_> i am sorry for not pasting logs etc it's simply that the data in the files is for the company i work for and i can't reveal that, also i believe that information is not needed in this case since the question is general and straight forward and not related to a specific situation 10:22 < ignis_> !howto 10:22 < vpnHelper> ignis_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:22 < ignis_> oh and i read the howto 10:22 < ignis_> tried to follow it but didn't succeed with this 10:23 < ignis_> I am on a linux (ubuntu) on windows it's a peace of cake (doing bridging etc) 10:23 < ignis_> ubuntu 8.04 2.6.24-23-generic 10:25 < ignis_> well? no one? 
10:30 -!- ignis_ [n=ignis@bzq-219-148-69.static.bezeqint.net] has quit ["Leaving"]
10:46 -!- dgodfather [n=dgodfath@bzq-219-148-69.static.bezeqint.net] has joined ##openvpn
10:46 < dgodfather> if i have set up an openvpn as tun with a specific subnet say the suggested 10.8.0.0 to a network of addresses that are different say 192.168.1.0
10:46 < dgodfather> users succeed connecting with a new assigned address of type 10.8.0.x but can't communicate with inner network
10:47 < dgodfather> how do i make a client able to communicate (ping) with inner network computers?
10:48 < dgodfather> i read the howto, and tried to push route but i don't understand how to do it. can succeed configuring it, please help me
10:48 < dgodfather> i am running the server on linux machine
10:49 < dgodfather> maybe i should use tap like windows installation does?
10:52 -!- plaerzen [n=carpe@static-66-11-76-241.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
11:02 < ecrist> ignis_ didn't even stick around 10 mins...
11:02 < ecrist> but now he's you.
11:03 < ecrist> !route
11:03 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:03 < ecrist> dgodfather: read that ^^^^
11:03 < dgodfather> second
11:03 -!- onats_ [n=onats@122.53.136.244] has joined ##openvpn
11:03 < dgodfather> please, thank you
11:04 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
11:05 < boney_> Hey, can someone tell me where i can find a list of all the "error codes" and what they (exactly) mean
11:05 < ecrist> google?
11:05 < boney_> icde tried with no luck :)
11:05 < boney_> tried the openvpn.net site as well
11:06 < ecrist> if you have specific questions, ask here, otherwise your best bet is in the source code
11:07 < boney_> kk, well im interested in code=113 ( no route to host ), just need a reliable reference where i can check it out
11:08 < dgodfather> ecrist, sorry for the change in name i left in order to change it, didn't like it :) didn't mean to fool anyone
11:08 < ecrist> you can change it with /nick
11:09 < dgodfather> ecrist, well i am not very familiar with IRC and forgot that option
11:09 < dgodfather> so you say routing is my solution?
11:10 < ecrist> yep
11:10 < dgodfather> ecrist, thanks man it looks exactly what i was looking for
11:15 < dgodfather> ecrist, it seems this is for a situation where the clients are behind another lan. my situation is that clients are connecting from the www, not from another lan
11:15 < dgodfather> is the vpn address space the push route i need to do?
11:16 < ecrist> no. you need to setup two routes
11:16 < ecrist> you need to push route the vpn server LAN addresses, and you need to have a route on your lan gateway for the VPN subnet.
11:17 < dgodfather> so it's a route on the server with the vpn address space and a push route with the server's lan address space ?
11:21 -!- onats [n=onats@122.53.131.243] has quit [Connection timed out]
11:21 < boney_> Just grepped for code=113 in the source with no results, anyone have a clue why?
11:25 < ecrist> why would you expect to find code=113 in the source?
11:27 < boney_> Daemon keeps writing it in the openvpn.log, so i thought there might be any hints in the source
11:27 < ecrist> if you post your logs here, we can probably help you
11:27 < boney_> read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
11:27 < boney_> i know what the problem is, but i need to know what code=113 means :P
11:29 < ecrist> that is the problem
11:29 < ecrist> no route to host
11:29 < boney_> i know..
11:29 < boney_> but what exactly does code=113 mean?
11:30 < ecrist> no route to host
11:30 < boney_> k, so its just a reference to EHOSTUNREACH
11:30 < ecrist> aye
11:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection reset by peer]
11:30 < boney_> thanks
11:30 < boney_> happen to know if its documented somewhere?
11:31 < dgodfather> ecrist, can you please help me configure what i need? all these route adding, i don't understand it
11:31 < dgodfather> i read the page but can't configure it. all these iroute entries and using the ccd
11:31 < ecrist> dgodfather: the routing link I gave you above explains a lot of it, and some things you won't need.
11:33 < dgodfather> yes but as i understand i need to define an iroute and user ccd directories
11:33 < dgodfather> where do i create the ccd directories?
11:34 < ecrist> you don't need an iroute or ccd entries
11:34 < dgodfather> but i did push route to the 192
11:34 < dgodfather> 192.168.2.0 network
11:34 < dgodfather> and the route to 10.8.0.0
11:35 < dgodfather> and still my client can't ping an inner user
11:35 < dgodfather> computer
11:36 < dgodfather> anything else i need to configure?
11:37 < ecrist> your firewall
11:37 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:38 < dgodfather> no firewall
11:38 < ecrist> your VPN server needs to be enabled as a gateway, as well
11:38 < dgodfather> i wrote exactly like that, route 10.8.0.0 255.255.255.0
11:38 < dgodfather> what do you mean?
11:38 < ecrist> I don't know what the linux part of that is, but on freebsd it's gateway_enable="YES" in /etc/rc.conf
11:38 < ecrist> !linux
11:38 < vpnHelper> ecrist: Error: "linux" is not a valid command.
11:38 < ecrist> !search lin
11:38 < vpnHelper> ecrist: supybot.plugins.RSS.headlineSeparator, supybot.plugins.RSS.announce.showLinks, supybot.plugins.RSS.showLinks, supybot.databases.plugins.channelSpecific.link, and supybot.databases.plugins.channelSpecific.link.allow
11:40 < dgodfather> ecrist, enabling the vpnserver machine as gateway is OS stuff?
11:40 < ecrist> yes
11:40 < dgodfather> it won't interrupt my regular network activity?
11:40 < dgodfather> should i have written a route command like route -add 10.8.0.1 .... etc.?
11:41 < ecrist> no
11:41 < dgodfather> in the server.conf
11:41 < dgodfather> no to which
11:41 < dgodfather> ?
11:42 < ecrist> I can't speak whether it'll interrupt your network or not, as I'm not your network admin.
11:42 < ecrist> you don't need to add the route on the server, as it's already aware of the route
11:44 < dgodfather> ecrist, so all i need is the push route line? push "route 192.168.2.0 255.255.255.0" ?
11:45 < ecrist> and you need to enable ip forwarding in your kernel
11:54 < dgodfather> thank you ecrist
11:54 -!- dgodfather [n=dgodfath@bzq-219-148-69.static.bezeqint.net] has quit ["Leaving"]
11:59 < drzed> !\30
11:59 < vpnHelper> drzed: Error: "\30" is not a valid command.
12:00 < ecrist> !/30
12:00 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:00 < drzed> !/30
12:00 < vpnHelper> drzed: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:00 < drzed> !topology
12:00 < vpnHelper> drzed: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:35 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: jfkw, soberbit-work, hads
12:36 -!- Netsplit over, joins: jfkw, soberbit-work, hads
12:36 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Connection reset by peer]
12:36 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
12:36 -!- hads [n=hads@argon.nice.net.nz] has quit [Remote closed the connection]
12:37 -!- hads [n=hads@argon.nice.net.nz] has joined ##openvpn
12:58 -!- CybDev [i=cybdev@unaffiliated/cybdev] has joined ##openvpn
12:58 < CybDev> !route
12:58 < vpnHelper> CybDev: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
13:02 < CybDev> !topology
13:02 < vpnHelper> CybDev: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:04 < CybDev> so i have a rather dumb question, i have a local ip range of 10.0.0.0/24, and using openvpn to connect to another vpn net on range 10.0.0.0/24... any way to force the route statements to use a specific device?
13:04 < ecrist> ew, you've got conflicting IP ranges.
13:04 < CybDev> yeah
13:05 < ecrist> you can force the route statements to specific interfaces, but not within OpenVPN, I think.
13:05 < ecrist> it's an OS-level thing.
13:05 < CybDev> i know
13:05 < CybDev> i was kinda hoping i could specify device within openvpn
13:05 < CybDev> i can pull it off by manually altering the routing table with iproute
13:05 < CybDev> but it sucks as it has to be re-done every time the connection is dropped and re-connected :-/
13:06 < CybDev> if "route-gateway" took a device parameter too i think that would have solved a lot of my problems
13:07 < CybDev> or any of the route directives for that matter
13:23 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn
13:24 < fbond> Hi, I have a remote user trying to get in, but it seems he's on a network that doesn't like his UDP traffic (I think).
13:24 < fbond> Any easy way to have one user connect via TCP ... ? I guess I'd have to run another OpenVPN server, right?
13:25 < CybDev> tunneling tcp in tcp isn't really the best idea, and should be avoided if at all possible
13:26 < CybDev> maybe you can work around it by running it on port 53 or smth
13:26 < CybDev> also the source port on the client can be changed with an option, bind or lport or smth if memory serves me right (check the manpage)
13:26 < ecrist> fbond: you'd have to run another instance.
13:27 < CybDev> (53/udp - dns - is usually allowed even in pretty strictly firewalled environments)
13:29 < fbond> CybDev: Ah, port 53 is a brilliant idea.
13:29 < CybDev> sometimes you can get away with just changing the client local port to 53 btw
13:29 < CybDev> requires root privs tho :-/
13:30 < CybDev> served me well in the past :-)
13:31 < fbond> Hm, OpenVPN doesn't connect from a random client port?
13:31 < dazo> fbond: CybDev: 53/udp can be a good idea ... if you use --tls-auth .... or else your openvpn process might have some fun when DNS scanners pass your server
13:31 < CybDev> yeah, dazo
13:32 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
13:38 < fbond> dazo: Hm, why will tls auth help with that?
13:39 < dazo> fbond: because openvpn will not initiate any contact with the remote host if the TLS authentication (using the same static key in addition on both client and server) does not match what's expected
13:39 < dazo> fbond: its a kind of simple protection against DoS attacks
13:40 < CybDev> might wanna read up on the hmac parts of the man page fbond
13:40 < dazo> fbond: and if somebody port scans your server ... 53/udp will look like it's nothing there
13:40 < dazo> fbond: CybDev has a good hint
13:41 < CybDev> might have a slight performance penalty, but if you're not using openvpn for bulk data transfers it shouldn't hurt :-)
13:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:46 < dazo> security always has a cost ... openvpn adds a cost ... if the cost is too high, you can run unencrypted as well .... and so on
13:49 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Saliendo"]
13:51 < CybDev> openvpn turned out to be one of the cheapest solutions, and in addition being the most flexible and scalable as well :-)
13:52 < CybDev> hardware ipsec boxes cost a shitload and generally deliver pretty poor performance in my experience :-/
13:57 < ecrist> for persistent LAN-LAN connections, I prefer cisco IPsec.
13:59 < CybDev> and how much did you pay for that solution? :P
14:01 < ecrist> $350
14:02 < ecrist> CybDev: it's not wrong to spend money smartly
14:02 < ecrist> just because you can't afford/justify a piece of cisco hardware doesn't mean others can't or shouldn't
14:05 < CybDev> $350 for the complete solution?
14:05 < ecrist> yes
14:05 < CybDev> that was very cheap
14:06 < ecrist> indeed
14:06 < CybDev> what kinda units did you get?
14:06 < ecrist> cisco 1841
14:06 < CybDev> last hardware ipsec box i fiddled around with cost around 150k nok i think
14:06 < ecrist> lol
14:06 < ecrist> freebsd can do ipsec out of the box.
14:07 < CybDev> (fibrechannel gigabit thingie)
14:07 < ecrist> i'm a proponent for using the right tool for the job
14:08 < CybDev> hehe, yeah
14:09 < ecrist> in my opinion, on corporate networks, ipsec is a better supported method for lan to lan connections, and if you're going to use ipsec, you might as well use real hardware for it.
14:12 < CybDev> how does it perform tho, bulk data and connection counts etc?
14:14 < CybDev> (which was one of the problems with that earlier mentioned box, bulk single-session filetransfers were just fine, but it couldn't handle tons of simultaneous short connections very well)
14:14 < ecrist> our bread and butter is many simultaneous connections with many short files
14:15 < CybDev> :-)
14:16 < CybDev> got any experience with hardware ssl offloading btw?
14:16 < ecrist> none, sorry.
14:16 < ecrist> there are people that do it.
14:16 < CybDev> hehe, no worries, shot in the dark
14:17 < ecrist> there are folks I know that buy soekris boxes with crypto cards, throw netbsd on em and use them as openvpn servers.
14:17 < boney_> !search code=113
14:17 < vpnHelper> boney_: There were no matching configuration variables.
14:17 < CybDev> yeah i'm hearing mixed things about it
14:17 < ecrist> boney_: you're missing routes
14:17 < ecrist> 113 is NETUNREACH
14:17 < CybDev> ah, ssl offload cards work quite nicely
14:18 < boney_> i know what the problem is and i know how to solve it, i just want to find a list that i can use as reference
14:18 < boney_> a list, paper, documentation that explicitly explains code=113
14:18 < CybDev> but i was looking more in the direction of a proxy/firewall like thing that could handle that part so my webservers wouldn't have to negotiate all those ssl sessions all the time
14:18 < boney_> and i do know that code=113 is ref to No route to host
14:18 < ecrist> 113 isn't an openvpn issue, I don't think, I believe it's a network stack error code
14:18 < boney_> ah
14:18 < boney_> thanks for the hind
14:19 < boney_> hint
14:19 < ecrist> CybDev: F5
14:19 < ecrist> that's what they do, one of the things anyways
14:19 < ecrist> the other thing you could do is run an apache reverse proxy handling your SSL and proxy back to your real web servers.
14:20 < CybDev> yeah it's currently not a problem, well, solved for now anyway
14:21 < ecrist> additionally, in many cases, it's not necessary to encrypt the entire site. logins, etc, are ideally all that is encrypted.
14:21 < ecrist> ROT13 should be fine. ;)
14:21 < CybDev> we don't have that luxury :P
14:22 < ecrist> really screw them up and go ROT14
14:22 < CybDev> let's go all out and make it ROT15!
14:22 < ecrist> or, ooh ooh, ROT26
14:22 < CybDev> "unbreakable"
14:22 < CybDev> haha
14:22 < ecrist> ROT26 is easy to decode in your head, so no need for writing it down on paper, less of a security breach. :)
14:23 < CybDev> makes no difference :P
14:24 < CybDev> still as hard as rot13 or whatever
14:25 < ecrist> ROT13 is short for rotation-13, meaning a 13-character shift of letters in the alphabet. ROT26 would mean you rotate them 26 times, or back to where you started.
14:25 < ecrist> abc in ROT13 = nop abc in ROT26 = abc
14:26 < CybDev> yeees
14:26 < CybDev> but any computerized string is usually more than just the lowercase us letters :P
14:26 < CybDev> and the elgorithm is exactly the same with a different offset
14:27 < CybDev> *algorithm
14:27 < CybDev> you'd need an exact wraparound to just skip the step :P
14:27 < CybDev> (which i assume was the idea :P)
14:27 < CybDev> base64 encoded data with rot64 encryption? :P
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 -!- logiclr- [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
15:20 < ecrist> you are the ball lickers!
15:21 < vcs> fire phasers
15:21 < ecrist> vcs -1 for making a star trek reference
15:22 < vcs> ecrist -1 for making ball licker joke
15:22 < ecrist> ecrist + 80 for being ecrist
15:33 < kaii> >LOG:1236889985,N,write UDPv4: No buffer space available (code=55)
15:33 < kaii> has anybody ever seen this error message?
15:34 < ecrist> yep, it means your firewall is blocking ICMP traffic, usually
15:34 < kaii> why icmp?
15:35 < kaii> in my case it seems that the upload is shaped (for voip and ack prioritization) and the upload queue is full
15:36 < kaii> the kernel says like "can't take your packet now" and openvpn does not retransmit it. (if my understanding is correct)
15:36 < kaii> so the packet is lost, keepalive fails and the "inactivity timeout" occurs
15:36 < kaii> (in circumstances)
15:37 < kaii> the vpn is functional (because the app protocols that are sent through the tunnel DO the retransmit), but drops every 10 minutes or so when a packet burst makes the keepalive fail.
15:38 < kaii> any suggestions?
15:38 < kaii> i thought like "maybe you can recognize the openvpn control packets and prioritize them too", but tcpdump blew this illusion away.
15:39 < kaii> after all, the problem is not that the queue is full, the problem is that the control packets are not retransmitted ..
15:40 < kaii> switching to TCP would solve this problem, but this is a large VPN mesh and a TCP tunnel with UDP voice inside is a big mess and ends in robot speech
15:41 < kaii> is there some dev channel for openvpn? ^^
15:43 -!- qfk\ [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has joined ##openvpn
15:47 -!- vcs [i=vcs@alien.jinxshells.com] has left ##openvpn []
16:03 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has quit [Connection timed out]
17:33 < ecrist> kaii: no, this is the only openvpn channel
17:35 < ecrist> kaii: your problem is with a firewall, I assure you.
17:35 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:50 < sigmonsays> i'm having arbitrary connection issues with openvpn
17:50 < sigmonsays> many work. some don't
17:50 < sigmonsays> is there some tcp/iptables stuff I need to tweak?
17:50 < sigmonsays> i'm doing NAT through tun
17:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
18:16 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"]
18:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:17 * sigmonsays wants to kill openvpn
18:17 < sigmonsays> it fails connections at 63
18:17 < sigmonsays> always
18:20 < CybDev> 63?
18:20 < sigmonsays> i can disconnect one place, and then it connects elsewhere
18:20 < sigmonsays> I don't get it
18:21 < sigmonsays> client complains about no default gateway: failed to parse/resolve route for host/network: 10.128.0.0
18:21 < sigmonsays> but it does that even when it works
18:22 < CybDev> eurh
18:22 < CybDev> sounds to me like your config is messed up
18:22 < sigmonsays> and all the other 62 people are fine? :)
18:26 < sigmonsays> care to help a min w/ my configs?
18:26 < sigmonsays> they are surprisingly simple
18:29 < CybDev> nopaste them, along with debug output?
18:29 < sigmonsays> Sure
18:31 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:31 < sigmonsays> well probably not :)
18:31 < sigmonsays> Let me research some more
18:31 < CybDev> lol
18:32 < CybDev> start with connection limits :P
18:55 < sigmonsays> hehe, 240? :)
18:55 < sigmonsays> that's what i got configured :)
18:55 < sigmonsays> is there a make_operator_insaine_limit = 62 anywhere?
18:57 < CybDev> tis why i wondered about the config
18:57 < CybDev> also what os is this?
18:57 < CybDev> and what error does it fail with?
18:57 < CybDev> (set log level to 9 or smth)
19:09 < Bushmills> sigmonsays, my opinion is, you should follow that lead given by "no default gateway"
19:14 < CybDev> if i understood him correctly the problem occurred when the 63rd client connected?
19:14 < sigmonsays> Bushmills, yah
19:14 < sigmonsays> how come others connect just fine
19:15 < sigmonsays> it's some artificial limit
19:15 < CybDev> but without debug log from server and client, and configs, it's not real easy to help :P
19:15 < ecrist> evening, folks
19:17 < Bushmills> netmask /26, maybe?
19:17 < ecrist> the problem is with /30 subnetting in tun VPNs. Only 62 are allowed in a /24 VPN subnet
19:17 < ecrist> exec -o echo "255/4" | bc -l
19:17 < ecrist> 63.75000000000000000000
19:17 < ecrist> one of the /30s is taken by the server IP and its own internal tun interface.
19:18 < CybDev> :-)
19:18 < ecrist> but what do I know. ;)
19:18 < CybDev> what is the advantage of using a tun type vpn anyway?
19:19 < Bushmills> over a slice of cheese?
19:19 < CybDev> yes, a slice of cheddar
19:19 < CybDev> not tun vs tap obviously
19:22 < CybDev> oh well, getting late, off i go
19:22 < CybDev> *gone*
19:23 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
19:36 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
20:14 -!- Mark_ [n=mark@ip24-56-23-192.ph.ph.cox.net] has quit [Read error: 54 (Connection reset by peer)]
21:09 < Bushmills> !route
21:09 < vpnHelper> Bushmills: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
21:17 -!- Mark``` [n=mark@ip24-56-23-192.ph.ph.cox.net] has joined ##openvpn
21:18 < ecrist> hi Mark```
21:19 < Mark```> heya
21:19 * ecrist goes to hang with the wife.
21:19 < Mark```> my gf is making cookies
22:20 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
22:32 -!- Irssi: ##openvpn: Total of 48 nicks [0 ops, 0 halfops, 0 voices, 48 normal]
22:49 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn
23:02 < tjz> hmm
23:02 < tjz> Some issue with vista system.. user still gets his ISP's IP though he is clearly connected to the vpn..
23:02 < tjz> it works for windows xp
23:03 < tjz> he is using openvpn 2.1 rc5 for his system
23:16 < Bushmills> tjz, why shouldn't he?
23:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:21 < tjz> yea
23:21 < tjz> strange x_x
23:21 < tjz> he is using tcp
23:21 < tjz> his ISP blocks udp
23:21 < tjz> x_x
23:22 < Bushmills> i mean, why should being connected to vpn prevent a machine from obtaining an ip address for a different interface?
23:26 < tjz> his ISP really puts down a lot of restrictions
23:27 < Bushmills> if his machine connects through his provider, that's not a problem. if it is, he can unplug the connection. otherwise, it is perfectly normal that he obtains an ip address.
--- Day changed Fri Mar 13 2009
00:24 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
00:36 < tjz> thx for the info..
00:36 < tjz> just too weird for his case
00:41 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"]
00:44 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
02:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:19 -!- onats_ [n=onats@122.53.136.244] has quit [Read error: 110 (Connection timed out)]
02:19 -!- onats_ [n=onats@122.53.131.243] has joined ##openvpn
02:23 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn
02:23 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
02:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit []
04:16 -!- nemysis [n=nemysis@143-117.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
04:16 -!- nemysis [n=nemysis@138-248.3-85.cust.bluewin.ch] has joined ##openvpn
04:30 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
04:31 -!- kempo [n=kempo@95.211.2.31] has joined ##openvpn
04:31 < kempo> hello everyone
04:33 < kempo> could anybody look at this: http://p.nn-d.de/848
04:33 < vpnHelper> Title: NoName-Development - Pastebin (at p.nn-d.de)
04:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:22 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn
05:34 -!- Spabby [n=G@host-84-9-136-112.dslgb.com] has joined ##openvpn
05:35 < Spabby> hi folks, I'm trying to assign static ips on my openvpn using the ccn directory and files named the same as the client, but i can't get my windows client to connect
05:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
05:36 < Spabby> my vpn works fine without the client config file in the ccd directory
05:36 < Spabby> but once I add the ccd with the line
05:36 < Spabby> ifconfig-push 192.168.20.100 192.168.20.1
05:36 < Spabby> my client will not connect
05:36 < Spabby> the subnet I am using 192.168.0.0
05:38 < Spabby> I lie
05:38 < Spabby> it's 192.168.20.0
05:41 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
05:47 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
05:58 -!- Spabby [n=G@host-84-9-136-112.dslgb.com] has left ##openvpn []
06:13 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection]
06:37 < Bushmills> that's a good config, excluding windows clients.
06:47 < ecrist> that ifconfig line will not work with 2.0.9 and tun.
06:49 -!- kempo [n=kempo@95.211.2.31] has left ##openvpn []
07:08 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:30 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
07:56 -!- gnubie [n=gnubie@cm92.omega113.maxonline.com.sg] has joined ##openvpn
07:56 * gnubie waves
07:58 < gnubie> my home server is also my gateway which is directly connected to the internet. if i setup openvpn server on my box, the remote host need not setup bridged or router configuration, right?
07:59 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
08:14 * ecrist waves back at gnubie
08:15 < ecrist> I don't understand your question, however.
08:16 < gnubie> ecrist: do i need to configure routing or bridge even if the server is already facing the internet and the client that will connect to it will only connect to that server and nothing more?
08:24 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn
08:28 < ecrist> up, not really.
08:29 < ecrist> s/up/um/
08:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:37 -!- onats_ [n=onats@122.53.131.243] has quit [Read error: 110 (Connection timed out)]
08:43 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
08:43 < Bushmills> gnubie, clients can see beyond the server also without bridged config on the server
08:43 < Bushmills> gnubie, but it needs a wee bit of extra config on the server
08:50 -!- d [n=d@webmailserver.nisira.com.pe] has joined ##openvpn
08:50 < d> hi all
08:50 < d> Can I access an Active Directory Domain through an OpenVPN?
08:50 -!- d is now known as Guest98439
08:52 < gnubie> Bushmills: ok
08:56 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Remote closed the connection]
08:58 < ecrist> Guest98439: yes, you can
09:09 < Guest98439> ecrist but when I see the Login Window, I select DOMAIN: MYDOMAIN and telephonic access?
09:10 < ecrist> Guest98439: not sure, you can do it, but it's gotta be as a windows service.
09:10 < ecrist> this is really more a windows question than an OpenVPN question.
09:15 < Guest98439> ecrist, I have a Domain Controller in Site A, and I'd like to have an openvpn with Site B, can the PCs in Site B access the Domain through openvpn to Site A?
09:16 < dazo> Guest98439: I don't know much about Win (and it's not related to openvpn itself) ... but I do know that if the account is enabled as a "disconnected" profile, the user can login on the box, get the desktop and then startup OpenVPN and connect to the network
09:17 < dazo> Guest98439: but if the user has never been logged into that box before ... s/he needs to login onto that box while being either connected to the physical or VPN network, so that the authentication happens and is cached on the client
09:20 < dazo> Guest98439: in your scenario ... if you setup a router (preferably somewhere along on the default gateway route, to make it easier for you) on SiteB which establishes the VPN connection to SiteA ... and setup the DHCP correctly to push out the needed WINS server (on SiteA), DNS server (on SiteA and a secondary on SiteB) etc ... then it should work
09:21 < dazo> Guest98439: but most probably you would like to have a Win server on SiteB as well, which is replicating auth data from the master AD in SiteA ... that way, your clients will be able to logon also when the VPN (or Internet) connection is down
09:22 < dazo> Guest98439: From SiteA you will then manage the server in SiteB through the Windows admin GUI as well ... where all needed settings are pushed to SiteB by the SiteA AD
09:24 < Guest98439> with ISA Server VPN I can login without other AD Server in Site B
09:25 < dazo> Guest98439: but then you do need to have the VPN connection open, I presume
09:25 < dazo> Guest98439: in this case ... you will have the same situation as with OpenVPN
09:26 < dazo> Guest98439: you can make it work with OpenVPN without a server in SiteB ... but if the VPN connection or Internet connection fails, the login of users who have not authenticated themselves on that PC before will not work ... as long as "disconnected" profile is enabled
09:27 < dazo> Guest98439: if the user account is not setup as a "disconnected" profile (I've forgotten the proper word), it denies caching of authentication data on the local client itself
09:29 < dazo> Guest98439: it's all about how reliable you want to have your network ... and how dependent you make yourself on the VPN connection
09:29 < dazo> never plan for best case scenarios ... because worst case scenarios happen much more often than you want ... and always when it really does not fit into your schedule
09:32 < dazo> Guest98439: anyhow ... to make a VPN net work as you want ... you anyway need to push the proper WINS and DNS servers to all clients on SiteB ... only that way, the clients get a clue of where to find the DC ... and you need to make sure that all those SMB/CIFS ports used are not blocked across the VPN tunnel anyhow
09:37 < Guest98439> dazo
09:37 < Guest98439> lets
09:37 < Guest98439> I can do it or not?
09:37 < Guest98439> I can connect to SiteB through an openvpn to SITE A AD?
09:38 < dazo> Guest98439: Is my English that unclear? .... Yes you can ... but you need to configure the DHCP server at SiteB correctly to push needed info for your clients to find and see the AD at SiteA
09:39 < dazo> Guest98439: and you do need to make sure that SMB/CIFS ports (with AD you also need kerberos, and possibly also LDAP ports) used by the Windows AD server pass freely over the VPN network to the SiteB network
09:40 < dazo> Guest98439: the last point here covers setting up network routes and firewall config correctly .... including on the SiteA AD
09:48 < Guest98439> ok
09:48 < Guest98439> thanks
09:50 < ecrist> /topic Boats and HOs
10:07 -!- felix_ [n=felix@p578b665c.dip0.t-ipconnect.de] has joined ##openvpn
10:07 < felix_> Hi
10:07 < ecrist> howdy
10:08 -!- onats_ [n=onats@122.53.131.243] has joined ##openvpn
10:12 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
10:16 < ecrist> felix_: have a question you wanted to ask?
10:19 < felix_> yeah, i'd like to know if there's a possibility to integrate lines (not comments) into openvpn.conf which will be ignored by openvpn and will be parsed by a script which runs when a user logs on
10:19 -!- diegovio1a [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
10:20 < felix_> we've got an administration vpn and i force the clients into specific nets by common name and there are about 4 different options and a config parser but i thought it would be nicer to have it directly in the openvpn.conf
10:23 < dazo> felix_: have you looked at --client-config-dir ?
10:24 < felix_> we use client-connect 10:25 < felix_> client-config-dir also for using scripts right? 10:26 -!- onats__ [n=onats@122.53.136.244] has quit [Read error: 110 (Connection timed out)] 10:27 < reiffert> --client-connect script 10:27 < reiffert> Run script on client connection. The script is passed the com- 10:27 < reiffert> mon name and IP address of the just-authenticated client as en- 10:27 < reiffert> vironmental variables (see environmental variable section be- 10:27 < reiffert> low). 10:28 -!- onats_ [n=onats@122.53.131.243] has quit [Connection timed out] 10:30 < felix_> yes i'm using that, and i have a script http://chaos-disciple.org/cgit/ovpn-ip-manager/ 10:30 < dazo> felix_: what do you want to do in that script? 10:30 < vpnHelper> Title: ovpn-ip-manager - script for custom ip distribution on openvpn servers (at chaos-disciple.org) 10:33 < dazo> felix_: maybe a silly question ... but why do you want to control the IP address of the client like this? 10:34 < felix_> dazo: the vpn is routed into an administration network with different hosts, each host is administrated by a different guy and it's easier and more secure to filter for ip addresses then 10:34 < dazo> felix_: so you want to limit access in a firewall? 10:34 < felix_> dazo: right 10:35 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)] 10:35 < dazo> felix_: why not use the client's VPN MAC address instead? ... or pick out the IP address assigned in the --learn-address phase? 
10:35 -!- diegovio1a is now known as diegoviola 10:35 < felix_> I would just like to have a nicer implementation which fits better into openvpn so that it's easier for others to use my script 10:36 < dazo> felix_: openvpn provides you with the address it assigns to the VPN client in the --learn-address script 10:36 < dazo> felix_: even MAC address of the client 10:37 < dazo> felix_: this way, you don't need to create a config file on-the-fly for the client assigning the IP address 10:37 < felix_> well i'd like to assign subnets to specific common names 10:38 < felix_> for example internal.guy-a.hostname will allow access to the admin network but internal.guy-b.hostname is in another subnet 10:38 < dazo> felix_: sure ... I won't stop you :) ... I've written a module in C which does authentication primarily, but it updates iptables rules on-the-fly, based on the MAC address 10:39 < felix_> dazo: iptables updating is difficult in this case because the ssh logons will go onto other hosts 10:39 < felix_> dazo: this machine is a xen dom0 and shouldn't do anything not necessary 10:40 < dazo> felix_: aha ... yeah, that's actually my next phase in my project .... to send iptables updates to another box from the openvpn process 10:42 < felix_> dazo: the machines are administrated by different people, would you like your neighbour being able to do any crap in your iptables ? 10:43 < dazo> felix_: not directly .... but if I knew that the table chains accessible were limited, and that I could control src/dst of the entry of the client tables, I would be calmer 10:45 < dazo> felix_: but actually the openvpn does not send explicit dst. address and names .... all this plug-in receives is "destination chain" (-j), "src MAC addr" .... and in the master config of openvpn it is defined which table chain these updates will go into 10:46 < felix_> okay 10:55 < diegoviola> hi 11:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:27 * ecrist hates looking like an ass to the boss. 
11:33 < diegoviola> guys i will be starting an itsp soon, voip provider... but our main telco blocks sip+rtp, i tried to encrypt it with sip+tls+srtp and the signalling works but they still can see the rtp headers and block the media... i tried using openvpn and send all the traffic through it and that works fine 11:33 < diegoviola> but how can i do the tunneling when i have hundreds of customers? 11:35 < diegoviola> i tried the static key mini howto 11:57 < diegoviola> what can of configuration could i use for a massive carrier-grade setup? 11:57 < diegoviola> what kind of* 11:57 -!- felix_ [n=felix@p578b665c.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 12:15 -!- regis [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has joined ##openvpn 12:15 -!- regis is now known as Guest90354 12:19 -!- Guest90354 [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has quit [Client Quit] 12:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 12:50 < ecrist> diegoviola: not sure what you mean by 'carrier-grade' 13:02 -!- regis_ [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has joined ##openvpn 13:02 -!- regis_ is now known as Rere 13:02 -!- Rere is now known as Rere10 13:05 -!- Rere10 [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has quit [Client Quit] 13:27 -!- felix_ [n=felix@static-87-79-66-24.netcologne.de] has joined ##openvpn 13:28 -!- Guest98439 [n=d@webmailserver.nisira.com.pe] has quit [] 13:36 -!- felix_ is now known as pleed 13:55 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Saliendo"] 14:11 -!- pleed [n=felix@static-87-79-66-24.netcologne.de] has quit [Read error: 110 (Connection timed out)] 14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:32 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Remote closed the connection] 14:32 -!- jpalmer [n=jpalmer@71.3.0.205] has joined ##openvpn 14:36 -!- pleed 
[n=felix@static-87-79-236-180.netcologne.de] has joined ##openvpn 15:16 -!- gnubie [n=gnubie@cm92.omega113.maxonline.com.sg] has quit [" HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!"] 16:09 * sigmonsays smacks windows 16:09 * sigmonsays smacks windows for using a /30 16:10 < ecrist> what's wrong with a /30? 17:17 -!- quentusrex [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 17:18 < quentusrex> Is it possible to have a setup where some clients can access all vpn clients, but other clients can only access the server? 17:19 < quentusrex> Basically setup so that 10.5.*.* can access any vpn client, including the ones that are 'limited', and anything on 10.6.*.* can only access the server, but not anything else in 10.5.*.* or 10.6.*.* ???? 17:19 < quentusrex> !man 17:19 < vpnHelper> quentusrex: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 17:24 < quentusrex> I would like to have the --client-to-client connection for some, but not for others.... 17:25 < quentusrex> So, is a profile like that available or possible? 17:26 < reiffert> read up what client-to-client expands to. see manpage 17:26 < reiffert> And think about bad clients adding routes manually. 17:28 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn 17:29 < cscho0415> hello, can some one help me setup openvpn 17:44 < reiffert> !howto 17:44 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:45 < diegoviola> ecrist: i just want to know what kind of config to use for millions of computers 17:45 < diegoviola> a server config that my clients will connect to? 17:45 < diegoviola> with the same certificate? 
18:08 < diegoviola> i need to know what kind of config to set up for a scalable system 18:09 < diegoviola> i tried client-server from two machines only 18:10 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit [] 18:14 -!- diegovio1a [n=diego@adsl-142-206.click.com.py] has joined ##openvpn 18:15 < diegovio1a> i need to know what kind of config to set up for a scalable system 18:27 < diegovio1a> how would i also configure my ip phones that don't have a vpn client to connect to a vpn 18:28 < hads> They would need to connect through a gateway that does support OpenVPN 18:29 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Connection timed out] 18:30 < diegovio1a> so something like this: phone -> gw (connected to the vpn) -> vpn server? 18:30 -!- diegovio1a is now known as diegoviola 18:32 -!- dazo [n=dazo@nat/redhat/x-e2e88e9051111d2f] has quit [Read error: 145 (Connection timed out)] 18:38 -!- dazo [n=dazo@nat/redhat/x-b03334b74c651cde] has joined ##openvpn 18:42 < Bushmills> hi reiffert 18:47 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn 18:53 < diegoviola> hads: how do you think would be better, put a FS server and let the customers register to that and from the FS server encrypt everything to outside, or set up the openvpn server on the FS server and let the clients connect to it and encrypt it? 18:56 < Bushmills> what good is encryption if the first hops are without? 18:56 < hads> Bushmills: He's doing it to get around protocol blocking at an ISP 18:58 < hads> diegoviola: Depends how many instances of FreeSWITCH and OpenVPN you want to manage. 19:02 < diegoviola> i want to make it as simple as possible 19:04 < Bushmills> is it wise to have customers running over a net a provider tries to block the service they use? 19:04 < Bushmills> can't you just run your stuff on, say, a dedicated server at a server farm? 
19:05 < Bushmills> (no need to work around things, that makes things much easier, therefore is consistent with your requirement) 19:06 < hads> Bushmills: I *think* it's a common end user ISP that is the issue. 19:06 < hads> But he can clarify that, I'm working from memory of a conversation in #freeswitch 19:07 < diegoviola> I need to be able to make SIP calls through the ISP 19:07 < diegoviola> that is blocking things 19:08 < Bushmills> then do what hads said, on that particular machine. openvpn from a gateway there to your openvpn server 19:09 < diegoviola> so openvpn on all customers machines? 19:09 < Bushmills> do they all have that issue? 19:10 < diegoviola> yes 19:10 < Bushmills> change your customers :D 19:10 < hads> I think it's the country. 19:10 < Bushmills> change the country 19:10 < hads> heh 19:11 < hads> Sell them all snom phones which do OpenVPN :) 19:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 19:25 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit [] 19:26 < diegoviola> hads: if only i could encrypt rtp headers with srtp, that would have made my life easier... 19:26 < diegoviola> i think 19:34 < diegoviola> hads: why i can't encrypt RTP completely with SRTP? 19:34 < diegoviola> what's the point of it then? 
19:34 * krzee checks what channel he's in 19:35 < krzee> #freeswitch would be where i would ask that channel, but it also depends what software both endpoints use 19:35 < krzee> err, where ild ask that question 19:36 < krzee> if you control both sides, you can encrypt * any way you like 19:36 < krzee> otherwise, you are held to what the software supports 19:37 < krzee> hah cool, you were already in there 20:01 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)] 21:43 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has left ##openvpn ["Leaving"] 22:47 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn 23:11 -!- pleed [n=felix@static-87-79-236-180.netcologne.de] has quit [Read error: 113 (No route to host)] 23:22 -!- tedz [n=aaa@internet-223-98.narocnik.mobitel.si] has joined ##openvpn 23:22 < tedz> Hi 23:22 < tedz> !howto 23:22 < vpnHelper> tedz: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 23:23 < tedz> !route 23:23 < vpnHelper> tedz: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 23:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] --- Day changed Sat Mar 14 2009 00:55 -!- nemysis [n=nemysis@138-248.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 00:56 -!- nemysis [n=nemysis@16-30.3-85.cust.bluewin.ch] has joined ##openvpn 02:29 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 60 (Operation timed out)] 03:11 < reiffert> Morning Bushmills 03:30 -!- krzie_ [i=krzee@joogot.noskills.net] has quit [Read error: 110 (Connection timed out)] 03:32 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 113 (No route to host)] 03:32 -!- rere10 [n=regis@LAubervilliers-151-13-69-209.w217-128.abo.wanadoo.fr] has joined ##openvpn 03:34 < rere10> hello everyone, does anyone speak French or is this an English forum? 
03:39 -!- rere10 [n=regis@LAubervilliers-151-13-69-209.w217-128.abo.wanadoo.fr] has left ##openvpn ["Quitte"] 03:54 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn 03:55 < SgtPepperKSU> Hi. Is there any way (SIGUSRx, etc) to force OpenVPN to update the status file (eg specified with "status status.log") on command? 03:56 < SgtPepperKSU> like how SIGUSR2 sends it to the syslog (in daemon mode), except to the already specified file? 04:23 < SgtPepperKSU> wow, I guess I'll try back another time 04:23 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."] 04:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:57 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [] 07:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:20 -!- jwasner [n=jwasner@cpe-72-191-5-183.satx.res.rr.com] has joined ##openvpn 08:24 -!- jwasner [n=jwasner@cpe-72-191-5-183.satx.res.rr.com] has left ##openvpn [] 08:41 -!- drzed_ [n=drzed@80.123.158.163] has joined ##openvpn 08:42 -!- drzed [n=drzed@synflood.homelinux.org] has quit [Read error: 104 (Connection reset by peer)] 10:15 -!- drzed_ is now known as drzed 11:14 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn 11:14 -!- smk [n=scott@cobra.httpd.org] has quit [Read error: 54 (Connection reset by peer)] 11:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:41 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 11:44 -!- dangermouse [n=dmouse@78.147.240.182] has joined ##openvpn 11:44 < quentusrex_> reiffert: I Could deal with a client trying to add a route, but I would like to get something similar setup... 11:44 < quentusrex_> Even if I need to use two different openvpn servers.... 11:45 < dangermouse> Hey, I need to set up a VPN. Which will maintain my sanity: openvpn or ipsec? 
(disregarding the differences in operation/features) 11:45 < quentusrex_> Use one server, for 'limited' clients, and one server for 'unlimited' clients. and give the unlimited server access to all the limited clients... 11:46 < quentusrex_> dangermouse: openvpn has been much easier to implement for me than ipsec... 11:47 < dangermouse> quentusrex_: ok, thanks 11:47 < dangermouse> It has a nicer looking website too :D 11:47 < quentusrex_> :) 11:48 < quentusrex_> the learning curve might be a little steep, but it makes sense after a bit... 11:48 < quentusrex_> just make sure to be able to test stuff, and have a multiple computer sandbox.... 11:48 < quentusrex_> life is easier that way... 11:48 < dangermouse> ok 11:49 < dangermouse> It's for a project at University, my supervisor just told me I need to setup a VPN. No requirements or anything, so it's a bit hard to pick an implementation 8-) 11:49 < quentusrex_> yeah, go with openvpn... 11:50 < quentusrex_> have you decided if you'll use individual certs for each connection? or global certs? 11:50 < dangermouse> No idea, VPN is really new to me 11:51 < quentusrex_> ok, well. I've gotten a few of the more simple implementations setup already. so if you have any questions let me know... 11:51 < dangermouse> ok, I'm just writing a preliminary report at the moment, I begin my project next week so I will probably be back with lots of questions hehe :) 11:52 < quentusrex_> with the certs, it is a question of: do you want to be able to disable access on a per person level??? 11:53 < quentusrex_> or on a group based level? 11:54 < dangermouse> mm not sure. Can I use kerberos for user authentication? 11:54 < quentusrex_> I have heard you could. I have not used it. 11:56 < quentusrex_> I use PKI certs.... 
11:56 < dangermouse> oh ok 12:35 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit ["What did you expect me to say?"] 12:36 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 13:19 -!- mib_zaf5lt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-35e86c4096268060] has joined ##openvpn 13:19 < mib_zaf5lt> hi 13:19 < mib_zaf5lt> is there any one here ? 13:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:27 -!- dangermouse [n=dmouse@78.147.240.182] has left ##openvpn [] 13:38 -!- mib_zaf5lt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-35e86c4096268060] has quit ["http://www.mibbit.com ajax IRC Client"] 15:22 -!- gejr [n=gejr@unaffiliated/gejr] has quit [Read error: 110 (Connection timed out)] 15:50 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn 16:55 -!- quentusrex [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 17:08 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 18:09 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has joined ##openvpn 18:12 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 18:15 -!- quentusrex [n=quentusr@97-113-103-127.tukw.qwest.net] has joined ##openvpn 18:16 -!- qfk\ [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 18:21 -!- mib_gc4i88 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-4924002b45326ebb] has joined ##openvpn 18:21 < mib_gc4i88> hi 18:23 < mib_gc4i88> i got this http://pastebin.ubuntu.com/131349/ 18:23 < mib_gc4i88> error 18:23 < mib_gc4i88> what i have to do ,N 18:29 -!- mib_gc4i88 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-4924002b45326ebb] has quit ["http://www.mibbit.com ajax IRC Client"] 19:35 -!- tedz [n=aaa@internet-223-98.narocnik.mobitel.si] has quit [] 20:15 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 20:17 < gorkhaan> Hi everyone! I'd like to know one thing. 
If my clients are connecting to my server on interface ETH0, and TUN0 is Masqueraded to ETH0 from TUN0, the data flow is doubled. But what if I create a Bridged network, between ETH0 and TUN0? Will the data flow be doubled? :) 20:18 < ecrist> not sure I follow 20:18 < ecrist> it shouldn't be, no 20:20 < gorkhaan> so the packets way kinda this: internet -> eth0 -> tun0 <-- NAT --> eth0 --> Internet 20:20 < gorkhaan> as u can see eth0 is there twice 20:22 < gorkhaan> So my point is if I modify my stuff to bridged network instead of NAT-ed, what is gonna be? :) 20:25 < gorkhaan> anyone pls? is it too late for ask kinda questions? XD 20:29 < gorkhaan> Never mind. I'll ask again later. thx anyway. bbcu 20:29 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Tvozom"] 20:51 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit ["Reconnecting"] 20:51 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn 21:54 -!- quentusrex [n=quentusr@97-113-103-127.tukw.qwest.net] has quit [Read error: 113 (No route to host)] 22:07 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)] 22:07 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 22:15 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:26 -!- nemysis [n=nemysis@16-30.3-85.cust.bluewin.ch] has quit [Connection timed out] 22:27 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn 22:37 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)] 23:00 < diegoviola> what's better for voip, bridging or routing? where scalability is important 23:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:14 < diegoviola> bridging means having a tun virtual device and assigning ip's to that device to connect to the vpn right? 23:14 < diegoviola> and routing means only having to add a special netmask to the physical device? 
23:15 < diegoviola> or ip 23:15 < diegoviola> i need a scalable solution that will allow me to use any *ip* phone just as easy as one computer, or whatever 23:38 < Bushmills> diegoviola, other way around, bridging gives you a tap device. 23:38 < Bushmills> non-bridging config gives tun 23:40 < diegoviola> oh, so both require a virtual device 23:41 < Bushmills> yes. well, require .. those come up automatically when vpn connects 23:41 < diegoviola> what worries me is, how i will configure my ip phones to use vpn? 23:41 < Bushmills> by routing through the vpn deivce 23:41 < Bushmills> device 23:41 < diegoviola> i know snom does openvpn, but i can't force my customers to get it 23:43 < diegoviola> Bushmills: so i will need a computer here that is connected with openvpn and route the phones through that? 23:43 < Bushmills> my default route goes through the tun device given by openvpn 23:44 < Bushmills> looks like this: http://forthfreak.net/snap/route.png 23:45 < Bushmills> also, the vpn server can push routes 23:46 < Bushmills> (telling the client to use server specified routes) 23:46 < Bushmills> that's probably what you want for your clients because then they don't need to bother 23:47 < diegoviola> yeah but i don't know if my ip phones will be able to add a tun device 23:47 < diegoviola> i'm a bit confused, i will give it a try 23:47 < diegoviola> thanks 23:47 < Bushmills> where will openvpn client run? 23:49 < diegoviola> oh customers machines 23:49 < Bushmills> that's where the tun device will be 23:49 < diegoviola> yep i see 23:49 < Bushmills> and where a route to specify to route through vpn will exist 23:49 < diegoviola> i was confusing myself with the "routing" name, i thought that routing didn't require a virtual device 23:49 < diegoviola> i see 23:49 < Bushmills> virtual device is just like a real device 23:49 < diegoviola> got it 23:50 < Bushmills> routing goes to one or the other 23:51 < diegoviola> i see 23:54 < Bushmills> hehe ... 
23:55 < Bushmills> 16 tasks running ... on a machine with 2 kilobytes RAM 23:55 < diegoviola> nice 23:58 < Bushmills> stacks using more than half of that 23:59 < Bushmills> looks a bit bizarre, that board: http://forthfreak.net/pari/board.jpg --- Day changed Sun Mar 15 2009 00:06 -!- sg [n=hypercub@unaffiliated/supergeek] has joined ##openvpn 00:06 < diegoviola> interesting, whats that? 00:06 < sg> Question: Does the server that is running OpenVPN have to be my network's router? 00:07 < Bushmills> sg, no 00:08 < sg> Bushmills: Alright...forgive me, I am a total noob and I couldn't really find a straightforward answer in the FAQ 00:08 < Bushmills> sg, no worries 00:08 < sg> When a client connects to the VPN, then, does it get assigned an IP address on my network? 00:09 < Bushmills> sg, it will have two addresses, at least. one for physical interface(s), and one for the virtual device used by openvpn 00:10 < Bushmills> the virtual device is being assigned an ip address specific for the net your vpn machines are in 00:10 < sg> gotcha 00:10 < Bushmills> for all it matters, the virtual device looks and feels like a physical device. 00:10 < sg> can i change that virtual device IP to be assigned via DHCP from the VPN-server's network from an existing DHCP server? 00:12 < Bushmills> sg, i doubt that. better leave that task to the vpn server, which knows about the fact that the net for the vpn clients is a bit special 00:13 < sg> oh, ok 00:13 < sg> Bushmills: then with a "standard" config can devices in the openvpn net interact with other IP addresses on the actual net the openvpn server is connected to? 00:15 < Bushmills> two ways: either the clients route the traffic to local net through the physical interface connected to the local net, or the vpn server does ip forwarding/masquerading/NAT between VPN net and local net. 
00:16 < sg> ah 00:16 < sg> i see 00:16 < Bushmills> doesn't make an awful amount of sense to use a vpn on the local net, btw 00:17 < sg> i'm not doing it like that 00:17 < Bushmills> i suppose having a route to local, and a wan route through vpn makes more sense 00:17 < sg> here's my situation 00:17 < sg> i'm stuck on a campus with an extremely restrictive firewall 00:17 < sg> blocks all outbound ports except 80 and SSL 00:17 < sg> >_> 00:17 < Bushmills> ok, piercing 00:18 < sg> so...i have a home server which i hope to setup openvpn on 00:18 < sg> this home server is in another state and is on a net with other devices on it (family member's computers, wii, dvr, etc) 00:18 < sg> what i need to do is be able to connect via a VPN to my home server 00:19 < sg> then be able to interact from my computer with other devices on my home net (family members PCs, wii, dvr etc) 00:19 < Bushmills> sounds quite feasible 00:19 < sg> indeed 00:19 < Bushmills> on your home machine you'd set up masquerading 00:19 < sg> i'm just not sure how to go about doing it seeing as i have no networking experience, let alone experience with openvpn 00:20 < Bushmills> so your vpn client - the campus machine - can see beyond the home machine 00:20 < sg> right...when it interacts with my home network will it use the IP address of my home server or will it be assigned its own? 00:21 < Bushmills> your vpn connection will use ip addresses assigned by yourself. usually an rfc1918 address, like 10.x.x.x 00:21 < Bushmills> so both campus machine and your home server share ip addresses on that net, in addition to other interfaces and addresses 00:22 < sg> got it 00:27 < sg> Bushmills: so if my campus machine decides to say..download something from my dvr, my DVR will see the connecting IP as the home server? 00:27 < Bushmills> sg, that is determined by the route. what connections to where are routed through which interface. 
00:28 < sg> this is of course assuming i am on campus and connecting to my home server via openvpn 00:29 < Bushmills> if you route the addresses of your home net through vpn, programs accessing machines on your home net go through the vpn 00:30 < Bushmills> you can also set default route through vpn, in which case also your "normal" traffic uses your home machine as gateway to internet 00:30 < sg> got it 00:30 < Bushmills> (that's about my setup here) 00:31 < sg> how do you set the default route on a windows machine? 00:31 < sg> i freaking hate windows :/ 00:31 < Bushmills> sg, you'd probably tell the server to instruct clients to add routes 00:32 < sg> ah 00:32 < Bushmills> but don't ask me about windows. i don't hate it - i probably would if i knew it. 00:32 < sg> ok, then, thanks 00:33 < sg> it's a frustrating and extremely closed platfortm 00:33 < sg> platform* 00:33 < sg> i only use it for video games :) 00:33 < Bushmills> last time i ran windows was under OS/2 00:34 < sg> heh 00:37 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit ["What did you expect me to say?"] 00:51 < sg> is openvpn offline for you guys? 00:51 < sg> i keep getting timed out when i access the site 00:52 < diegoviola> seems to be down here as well 00:52 < sg> damnit. 01:08 -!- sg [n=hypercub@unaffiliated/supergeek] has quit [] 01:55 -!- JackPhil [n=chatzill@61.130.215.10] has joined ##openvpn 01:57 < JackPhil> could i put username/password in a config file 01:57 < JackPhil> so it can auto login when i start the vpn client 02:36 -!- JackPhil [n=chatzill@61.130.215.10] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120121]"] 03:42 < diegoviola> when will openvpn.net be back? 03:46 < hads> When whatever is broken is fixed I'd guess. 04:42 < reiffert> diegoviola: http://beta.openvpn.net/ 04:44 -!- reiffert changed the topic of ##openvpn to: openvpn.net is down. 
try http://beta.openvpn.net/ || Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology 04:44 -!- ChanServ changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology 04:44 -!- mode/##openvpn [+t-o reiffert] by ChanServ 04:44 < reiffert> ecrist: when you set -t next time, please tell the chanserv as well. 04:46 < diegoviola> reiffert: thanks 04:46 < diegoviola> reiffert: oh nice, is that a new web site? looks nice 04:47 < diegoviola> except that i'm not much of a flash guy but looks nice 04:47 < diegoviola> =p 05:46 -!- mib_3w7l1r [i=52e6d07c@gateway/web/ajax/mibbit.com/x-6cc4d8933bd2a50b] has joined ##openvpn 05:46 < mib_3w7l1r> hi 05:47 < mib_3w7l1r> is there anyone here ? 05:51 < mib_3w7l1r> hello 05:51 < mib_3w7l1r> noone there ? 06:09 < mib_3w7l1r> hello 06:09 < mib_3w7l1r> noone here 06:13 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)] 06:16 -!- mib_3w7l1r [i=52e6d07c@gateway/web/ajax/mibbit.com/x-6cc4d8933bd2a50b] has quit ["http://www.mibbit.com ajax IRC Client"] 06:35 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 06:38 -!- mib_t3azmg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f01e2d07d20e1d0a] has joined ##openvpn 06:38 < mib_t3azmg> hi 06:38 < mib_t3azmg> is there anyone in here 06:40 < gorkhaan> Hi! I'd like to ask something. I have an OpenVPN server and I'm Masquerading TUN0 to ETH0. Clients are physically connecting to ETH0. So the packets way is kinda this: Internet --> Eth0 --> tun0 <-- (Masquerading) --> Eth0 --> Internet. As U can see eth0 is there twice. This means 2X data flow. My Question is if I wanna use Bridging instead of NAT-ing, what is gonna be? 
:) 06:41 < gorkhaan> NATING: (tun0 data flow) = (2 x eth0 data flow) 06:41 < gorkhaan> Bridging: ??? 06:43 < gorkhaan> Anyone plz? :) 06:43 < mib_t3azmg> i'm just a newbie 06:43 < mib_t3azmg> i think you should know the answer 06:44 < mib_t3azmg> after following some tutorial on the net 06:44 < mib_t3azmg> i just finish configuring my openvpn server which running on ubuntu 06:45 < mib_t3azmg> now it is in listening mode 06:45 < mib_t3azmg> i mean i'm able to ping my openvpn server 06:45 < Mark```> cannot connect? 06:45 < gorkhaan> I can't afford to modify now, cos' clients are connected. I've found bridging tutorial, I can do it, but I wanna be sure it is gonna be better if I bridge. :) 06:46 < Mark```> bridging isn't better 06:46 < Mark```> less efficient 06:46 < Mark```> does not scale well 06:47 < gorkhaan> I see. And what about this data-flow-doubling stuff? 06:47 < mib_t3azmg> is it normal that it display this error ? : http://pastebin.ubuntu.com/131496/ 06:47 < Mark```> so you have a server somewhere with an ethernet port, traffic comes in from clients, then goes back out? 06:47 < gorkhaan> yes on the same interface: ETH0 06:47 < Mark```> that sounds normal 06:47 < mib_t3azmg> or what i have to do ? 06:47 < Mark```> just like a proxy.. 2x the traffic is used 06:47 < Mark```> you are working for the client 06:47 < Mark```> then sending him the results 06:47 < Mark```> mib_t3azmg, TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use 06:48 < Mark```> some other program is already using port 1194 06:48 < Mark```> probably another copy of openvpn 06:48 < Mark```> you can check with something like 06:48 < Mark```> netstat -anp | grep 1194 06:48 < mib_t3azmg> sudo netstat -anp | grep 1194 udp 0 0 0.0.0.0:1194 0.0.0.0:* 6481/openvpn 06:49 < gorkhaan> okay then. thx Mark. I stay with NAT. 06:49 < gorkhaan> thx 06:49 < mib_t3azmg> i can't understand why it displays 0.0.0.0 ? 
06:49 < Mark```> is the openvpn server on the same switch 06:50 < Mark```> 0.0.0.0 means ALL 06:50 < Mark```> wildcard 06:50 < Mark```> etc 06:50 < Mark```> * 06:50 < mib_t3azmg> k 06:50 < Mark```> gorkhaan: are clients and openvpn server on the same switch? 06:51 < mib_t3azmg> as i say before this is the tutorial that i follow 06:51 < mib_t3azmg> http://doc.ubuntu-fr.org/openvpn 06:51 < Mark```> what is the problem mib 06:51 < Mark```> if netstat says 06:51 < Mark```> udp 0 0 0.0.0.0:1194 0.0.0.0:* 6481/openvpn 06:51 < Mark```> udp 0 0 0.0.0.0:1194 0.0.0.0:* 6481/openvpn 06:51 < Mark```> means openvpn is running 06:51 < Mark```> udp port 1194 06:52 < mib_t3azmg> k so everything working correctly is it ? 06:52 < Mark```> i can't tell 06:52 < gorkhaan> Mark: Nope. I've got 1 eth0, 1 tun0 for server. so Clients are connected on eth0, then traffic goes to tun0, then traffic goes back to eth0 to the clients. That's why data flow is doubled on eth0 06:52 < Mark```> but it's definitely running 06:53 < Mark```> yea gorkhaan, there's nothing you can do 06:53 < Mark```> it's just a fundamental fact of how that is 06:53 < Mark```> any type of 'middle man' 06:53 < gorkhaan> Okay, thanks :) 06:53 < Mark```> proxy.. vpn.. etc when used like that 06:54 < Mark```> np 06:54 < mib_t3azmg> k so can i follow the rest of tutorial to configure on the client side ? 06:54 < Mark```> yea 06:54 < mib_t3azmg> thx Mark``` 06:54 < Mark```> i haven't read french in so long 06:54 < gorkhaan> Last question: I'd like to Compile OpenVPN for windows, Because I'd like to use auth-user-pass for Autologin for my clients. Which compiler should I use to do that? I need to set a FLAG before compiling, there is in the Manual I've read. 06:55 < Mark```> but your openvpn server is running if netstat says that 06:55 < Mark```> just remember for client.. 
udp and port 1194
06:56 < mib_t3azmg> k
06:56 < gorkhaan> On linux it's working: auth-user-pass /etc/openvpn/autologin, the autologin file contains my username and passwd. that's fine. but this isnt working on winsh*t, because it isnt compiled that way
06:56 < Mark```> gorkhaan: this guy says it is 'painful': http://ehsanakhgari.org/blog/2008-05-04/compiling-openvpn-windows
06:56 < Mark```> he has notes on how he did it
06:56 < gorkhaan> thx let's see
06:57 < mib_t3azmg> well this is the openvpn client configuration file
06:57 < mib_t3azmg> http://pastebin.ubuntu.com/131498/
06:57 < Mark```> mib_t3azmg, you have proto tcp in your client
06:57 < mib_t3azmg> as you can see i chose TUN type
06:57 < Mark```> but your server is using udp
06:58 < Mark```> must be the same
06:58 < Mark```> udp or tcp
06:58 < Mark```> but both must be the same
06:58 < mib_t3azmg> yes it is udp
06:58 < mib_t3azmg> ok i will change
06:58 < Mark```> also
06:58 < Mark```> remote xx.xx.xx.xx 443
06:58 < Mark```> means port 443
06:58 < Mark```> you have 1194
06:58 < Mark```> so needs to be
06:58 < Mark```> remote xx.xx.xx.xx 1194
06:59 < mib_t3azmg> thx for your remark
06:59 < mib_t3azmg> a lot
06:59 < Mark```> np
06:59 < mib_t3azmg> so if i understand correctly
06:59 < mib_t3azmg> on line 5
07:00 < mib_t3azmg> remote xx.xx.xx.xx 443 (replace the xxxx.xx with the address of your server)
07:00 < mib_t3azmg> i have to put my openvpn server public ip, something like 82.02.211.123 1194, is it ?
07:00 < Mark```> yes
07:01 < Mark```> thats correct
07:01 < Mark```> remote 82.02.211.123 1194
07:01 < mib_t3azmg> yeah
07:01 < mib_t3azmg> excellent
07:01 < mib_t3azmg> http-proxy-option AGENT "xxxxxxxxxxxx" (custom user agent)
07:01 < Mark```> i dont know that option
07:01 < Mark```> i dont use it
07:01 < mib_t3azmg> is it necessary to fill in that option
07:02 < mib_t3azmg> ?
07:02 < Mark```> i would just remove it
07:02 < mib_t3azmg> k
07:02 < mib_t3azmg> user agent you don't know
07:02 < mib_t3azmg> so i can remove that one from the client configuration file ?
07:03 < mib_t3azmg> so can i remove that option from the client configuration file ?
07:03 < Mark```> yea
07:03 < gorkhaan> One more "problem": I'm doing PortForward to my clients. When they connect, a script runs and updates the firewall to set the PortForward to their IP. When they disconnect _normally_ the portforward is deleted from the firewall. That's fine. But if some of my clients disconnect HARD, I mean they don't use the normal Disconnect button ( in OpenVPN GUI ), the portforward stays in my firewall, even if the client disconnected ( hard ). T
07:03 < gorkhaan> hat's bad because "they are spamming" my firewall with this. I often need to use a default FW script: iptables-restore vpnfirewall. Is there a chance to solve this? (
07:04 < mib_t3azmg> coool
07:05 < mib_t3azmg> as you can see i follow that tutorial to have full access on my gsm phone
07:05 < Mark```> gorkhaan maybe a separate script
07:05 < Mark```> i dont know
07:05 < gorkhaan> how do u mean? :)
07:05 < Mark```> like something that checks clients being alive
07:05 < Mark```> openvpn keepalive doesnt detect eventually?
07:06 < gorkhaan> But even if it detects, the openvpn server wont run my clientdisconnect.sh script, which deletes the portforward rules... or am I wrong?
07:07 < gorkhaan> I'll post my server.conf, a moment
07:07 < Mark```> hmm
07:08 < gorkhaan> http://pastebin.com/d53488993 there u go
07:09 < gorkhaan> as u can see: client-disconnect /etc/openvpn/config/vpnserver/clientdisconnect.sh the DC script
07:10 < gorkhaan> U said that: like something that checks clients being alive. I can write a ping script for it, but is there a way with openvpn to solve this? :)
07:10 < Mark```> does clientdisconnect ever run
07:10 < Mark```> ?
07:10 < Mark```> even if client clean disconnects?
07:10 < Mark```> i have heard of some bugs where disconnect does not get called
07:11 < gorkhaan> it works, but if openvpn doesnt catch the ClientDisconnect signal from the client, I'm f_cked :D
07:12 < gorkhaan> my firewall is fckd.
07:12 < gorkhaan> It isnt a big deal, but sometimes it's driving me nuts. XD
07:12 < Mark```> hmm
07:13 < gorkhaan> http://pastebin.com/d5690d9fd
07:13 < gorkhaan> here is my client disconnect script
07:15 < gorkhaan> echo $ifconfig_pool_remote_ip > ./lool dont bother, I forgot to comment it out. I was testing whether the environment variable works. It does. :)
07:16 < Mark```> hmm
07:16 < Mark```> http://forums.whirlpool.net.au/forum-replies-archive.cfm/1020191.html
07:16 < Mark```> maybe you have no timeouts?
07:16 < Mark```> Its cool all... The client-disconnect script does run but it takes a few minutes before it does (3-4 minutes).
07:16 < Mark```> Thanks.
07:16 < Mark```> so maybe need to adjust keepalive
07:16 < Mark```> default might be 5-10 minutes
07:17 < gorkhaan> Where do i need to place "keepalive"? in the server config?
07:18 < gorkhaan> because I have there: keepalive 20 120
07:20 < gorkhaan> Mark: never mind. I'm gonna write a ping script. I will use Cron for that
07:21 < gorkhaan> thanks anyway. :)
07:21 < Mark```> hmm
07:21 < Mark```> i also notice you have a timeout
07:21 < Mark```> are you using xinetd?
07:22 < Mark```> err
07:22 < Mark```> inactive 600
07:23 < gorkhaan> sry. what is xinetd?
07:24 < Mark```> its a tcp server
07:24 < Mark```> like a wrapper
07:24 < Mark```> but i guess the answer is no
07:25 < gorkhaan> u're right. I'm not using it.
07:25 < Mark```> http://209.85.173.132/search?q=cache:Gwc1lWNimpwJ:openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html+openvpn+manual&hl=en&client=firefox-a&gl=us&strip=1
07:25 < Mark```> are several options
07:25 < Mark```> inactive (i dont think you need)
07:25 < Mark```> but maybe ping and ping-exit
07:26 < Mark```> will help you
07:26 < gorkhaan> thx
07:26 < Mark```> hmm
07:26 < Mark```> according to docs
07:26 < Mark```> keepalive is just a combo for ping and ping-restart
07:27 < Mark```> i think openvpn should do what you want
07:27 < Mark```> but i am not expert enough to know the answer
07:28 < Mark```> anyway if i dont go to bed my girlfriend will beat me :P
07:28 < Mark```> good luck you guys
07:29 < gorkhaan> :D thanks mate. here it is only T-1328. Middle of the day
07:29 < gorkhaan> cu man
07:33 < mib_t3azmg> for me it is not working
07:33 < mib_t3azmg> he's gone
07:35 -!- mib_t3azmg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f01e2d07d20e1d0a] has quit ["http://www.mibbit.com ajax IRC Client"]
07:52 -!- mode/##openvpn [+o ecrist] by ChanServ
07:52 -!- mode/##openvpn [-t] by ecrist
07:52 -!- mode/##openvpn [-o ecrist] by ecrist
07:52 -!- ecrist changed the topic of ##openvpn to: openvpn.net is down. try http://beta.openvpn.net/ || Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
07:53 < ecrist> reiffert: I forgot about another chanserv mode, separate from mlock, topiclock. it's been turned off and should work as advertised now. :)
08:57 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
09:04 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn
09:21 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
09:32 -!- pandrew [n=andrew@79.114.4.185] has joined ##openvpn
09:33 < pandrew> !route
09:34 < pandrew> hey guys!
can i push routes with explicit gateways to clients?
09:34 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has quit []
09:35 < pandrew> i mean everywhere i see push "route ... i only see a network, and a netmask specified. i also need to specify the gateway
09:56 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
09:56 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:15 < ecrist> pandrew: you may be able to, let me look
10:16 < ecrist> pandrew: did you read the man page?
10:18 < ecrist> well, if you did, you'd see that the route option allows for the specification of a remote gateway
10:18 < ecrist> remember that with routing tables, you need to specify a next-hop that the client already knows how to route, and is on the same subnet as the client.
10:21 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)]
10:53 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:54 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn
11:03 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Tvozom"]
11:11 < pandrew> ecrist: i did find a route command, but i didn't realise that it has the same parameters as the push route.
11:11 < pandrew> anyway i tried it now, and it works
11:35 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has joined ##openvpn
11:39 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has quit [Client Quit]
11:39 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has joined ##openvpn
11:47 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn
11:47 < mjt> heh. So openvpn.net is STILL/AGAIN/whatever down.
11:47 < mjt> oh well.
11:52 < mjt> what's the changes in 2.1-beta16 compared with beta15?
12:14 < mjt> ecrist: ping?
12:15 < mjt> ecrist: do you remember my --port change?
12:23 -!- drzed [n=drzed@80.123.158.163] has left ##openvpn []
12:24 < mjt> ghrm.
Now I'm.. confused again.
12:24 < mjt> -topology subnet requires tap-win32 driver version 8.2 or higher.
12:24 < mjt> is 8.0.0.4 higher or lower than 8.2 ?
12:25 < mjt> if lower, where's the 8.2 or higher version?
12:25 -!- vaejovis [i=tweek@67.202.101.69] has joined ##openvpn
12:25 < mjt> (installed 2.1beta16)
12:25 < vaejovis> sup
12:26 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit ["I am off"]
12:26 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn
12:35 -!- mepholic [n=what@hydra.weserv.in] has joined ##openvpn
12:36 < vaejovis> sup
12:37 < mepholic> you homo
12:54 -!- pandrew [n=andrew@79.114.4.185] has left ##openvpn []
13:01 -!- vaejovis_ [i=tweek@67.202.101.69] has joined ##openvpn
13:01 -!- vaejovis [i=tweek@67.202.101.69] has quit [Read error: 54 (Connection reset by peer)]
13:15 < mjt> any way on windows to "redirect" dns requests for certain domains to a given nameserver?
13:15 < mjt> like, logging into an office vpn, names in the office should be resolved using the office nameserver, the rest should be done using the usual method.
13:16 < mjt> office.example.com => here, the rest => there.
13:38 < mjt> ok, so if dhcp-option DOMAIN and DNS are pushed/configured, win queries the given nameserver for *everything*.
13:39 < mjt> AND it queries the default NS too.
14:08 < CybDev> fun fun fun
14:08 < CybDev> the joys of working with windows
14:11 < mjt> ghrm.. and it started using the office's proxy, too
14:12 < mjt> ok, the `subnet' topology (which seems to be accepted by the windows end).. it does.. a strange thing
14:13 < mjt> I have a 192.168.67.254 (the server), and .221 and .253 (two clients).
14:13 < mjt> when pinging .253 from .221, the ICMP reaches the server (.254), which sends a REDIRECT
14:14 < mjt> 192.168.67.254 > 192.168.67.221: ICMP redirect 192.168.67.253 to host 192.168.67.253, length 68
14:14 < mjt> pinging even
14:15 < mjt> should i disable icmp-redirects on the server for that? The redirect it sends is umm...
wrong.
14:16 < mjt> well, both .253 and .221 are accessible on this interface, but it's not an ethernet interface (tun)
14:16 < mjt> so the redirect will lead back to the server again.
14:18 < mjt> disabling send_redirects does not help, the redirect is still being sent.
14:23 < mjt> got it. When using fake nexthop on the server config it works.
14:35 < mjt> damn. this is just insane.
14:36 < mjt> if one does not sent script-security, openvpn barfs about it being too low and scripts will not be executed. If it's set to 2 as suggested, just to shut the damn NOTE up, it barfs that it's too high and that scripts now may be executed.
14:36 < mjt> s/sent/set/
14:37 < mjt> any way to shut down the warning about "extremely common" 192.168.0.x 192.168.1.x subnets?
14:37 < mjt> (which I don't use anyway, so it's false)
14:46 < mjt> ok, so the only way is to patch that nonsense out. oh well.
14:57 -!- vaejovis_ [i=tweek@67.202.101.69] has quit ["leaving"]
15:05 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
15:06 < rashed2020> Hello everyone
15:06 < rashed2020> !howto
15:06 < rashed2020> Isn't that how it works?
15:06 < mjt> the bot's down, it seems
15:07 < rashed2020> Well, I'm trying to set up a VPN
15:07 < rashed2020> But moving from Hamachi to OpenVPN doesn't seem like the easiest thing to do
15:07 < rashed2020> Could you recommend any guides?
15:08 < mjt> not me
15:08 < mjt> 2nd day with it ;)
15:09 < rashed2020> Did you get it to work yet?
15:09 < mjt> not in a way i want it to be.
15:09 < mjt> but that requires source changes anyway
15:09 < rashed2020> Ok yea, don't go there.
15:09 < rashed2020> That's gonna scare me off
15:10 < mjt> already did...
15:10 < mjt> ;)
15:10 < rashed2020> lol
15:30 -!- Bushmills changed the topic of ##openvpn to: openvpn.net is down.
try http://beta.openvpn.net/ || Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
15:37 < CybDev> O_o
15:37 -!- Dougy [i=Douglas@64.18.154.248] has joined ##openvpn
15:37 < Dougy> hey all
15:37 < Dougy> Whats up?
15:37 < CybDev> do i smell a move to a commercial license :-/
15:37 * Dougy waves to ecrist
15:37 < Dougy> Hey, I haven't used openvpn in a while and dont have any idea what I'm doing
15:38 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
15:38 < Dougy> krzee!
15:38 < krzee> yeeee
15:38 < Dougy> say i have a real ip block, say 50.50.50.50/27, and I want openvpn to give each client one of those ips (a real one), and have it show as their IP when they surf (same thing as redirect-gateway, but the actual real ip allocated by the vpn shows as their ip instead of the one openvpn is bound to)
15:38 < Dougy> how would i go about this
15:39 < krzee> could bridge and hand out those ips prolly
15:39 < krzee> or could do a bi-directional nat
15:39 < Dougy> krzee: you forgot how stupid i was when i was actively doing stuff
15:39 < mjt> why not just use topology=subnet
15:39 * Dougy tried the cheap way
15:39 < krzee> Dougy, then you are asking a question above your skill level
15:39 < Dougy> krzee: obviously
15:41 < Bushmills> Dougy, sounds like a waste of precious ip addresses - vpn ip addresses can't be directly contacted by non-vpn machines anyway
15:41 < Dougy> Bushmills: it's a waste if a lot of ip's are in use
15:41 < Dougy> There's only 5 clients
15:41 < Dougy> so not a big deal
15:42 < Bushmills> Dougy, for logging access, whether you use rfc1918 addresses or your 50.x.x.x net addresses makes no difference
15:42 < Dougy> Bushmills: it's not that
15:42 < Dougy> I feel like making it seem like its a corporate network
15:42 < Dougy> when people are connected and are on and around on the interwebs
15:42 < mjt> what's wrong with using real IPs and subnet
topology?
15:42 < Dougy> the office network up here at the DC has a /26 routed
15:42 < Dougy> for 3 computers
15:43 < Dougy> my ip is
15:43 < Bushmills> do you know corporate networks with the clients exposed to the net through public ip addresses?
15:43 < Dougy> nope
15:43 < Bushmills> so why would it feel like a corporate network if you use those?
15:43 < Dougy> Bushmills: it's hard for me to explain it
15:43 < Dougy> the way I want
15:43 < Dougy> :p
15:44 < Bushmills> well. shouldn't make a big difference whether you set up the server to use 50.x.x.x or 10.x.x.x addresses for clients
15:45 < mjt> it makes no difference at all
15:45 < Dougy> meh forget it
15:45 < Bushmills> it does. in one case, you need to press a key which is slightly more to the left than the other key when configuring.
15:46 < mjt> it's idiocy Bushmills
15:46 < Bushmills> mjt, i don't judge on sense. if Dougy wants it, it's his choice.
15:47 < Bushmills> just pointing out that it doesn't make a lot of should suffice.
15:47 < Dougy> krzee
15:47 < Dougy> pm
15:47 < mjt> ok
15:49 < mjt> what's the "sense" behind --keepalive option?
15:49 < krzee> mjt
15:49 < mjt> i mean, it expands to `if mode server: ping 10; ping-restart 120"
15:50 < krzee> oh ok
15:50 < krzee> was gunna say that
15:50 < Bushmills> mjt, besides, it could be that he has 17 million interfaces on his local nets, and exhausted the rfc1918 address space.
15:50 < mjt> but why restart?
15:50 < krzee> you saw what ping and ping-restart do?
15:50 < mjt> it just restarts every 120 secs
15:50 < krzee> cause if no ping responses in that amount of time, it'll restart
15:50 < mjt> ad infinitum
15:50 < mjt> yes
15:50 < mjt> but the client is gone
15:50 < krzee> good for making clients re-connect when not responding
15:50 < krzee> exactly
15:50 < krzee> you put it on the clients
15:50 < mjt> and the server restarts and restarts
15:50 < krzee> they'll make it back that way
15:51 < krzee> then dont put it on your server, lol
15:51 < mjt> in `mode server' it should expand to ping-exit, not ping-restart
15:51 < mjt> i think
15:51 < mjt> that's my point
15:51 < Bushmills> but the keepalive only comes into action when connection is not alive anymore, so it can't be really kept alive.
15:51 < mjt> but i wanted to ask first, what sense is behind it..
15:52 < mjt> yes Bushmills
15:52 < krzee> For example, --keepalive 10 60 expands as follows:
15:52 < krzee> if mode server:
15:52 < krzee> ping 10
15:52 < krzee> ping-restart 120
15:52 < krzee> push "ping 10"
15:52 < krzee> push "ping-restart 60"
15:52 < krzee> else
15:52 < krzee> ping 10
15:52 < krzee> ping-restart 60
15:52 < Bushmills> should be more like --reconnect
15:52 < krzee> it does not expand to mode server
15:52 < mjt> sure it does not
15:52 < krzee> according to the manual...
15:52 < mjt> but it expands to different things depending on whether it's mode server or not
15:52 < krzee> no kidding
15:53 < mjt> and if mode IS server, --keepalive expands to --ping-RESTART
15:53 < mjt> but it makes more sense to make it expand to --ping-EXIT instead
15:53 < mjt> IMHO
15:53 < krzee> it tells the server to restart if a client hasnt responded in DOUBLE the time the client should be reconnecting in if it didnt get a response
15:53 < krzee> so in other words
15:53 < krzee> after 60 the client should reconnect
15:53 < krzee> after 120 if still nothing, server could be the problem, so restart that
15:54 < mjt> hm
15:54 < krzee> see how it pushes a time 1/2 that of what it uses itself...
15:54 < mjt> yes sure
15:54 < krzee> they did it right ;]
15:54 < mjt> but usually there's nothing wrong with the server
15:54 < krzee> and since it was confusing for a lot of people (like you for example) im glad they made a single command for you to use
15:54 < krzee> mjt: then dont use it
15:55 < mjt> the only wrong i can think of right away is a server on a dinamic IP
15:55 < krzee> but it was a good way to do it
15:55 < mjt> dynamic even
15:55 < mjt> fun
15:57 < Dougy> o.O
15:57 < Dougy> krzee: dell box leaves tomorrow hopefully
15:57 < krzee> ya im building some too dougy
15:57 < Dougy> I have.. on my desk right now..
15:57 < krzee> q9400 8gb ram
15:57 < Dougy> nice
15:57 < krzee> 4core
15:57 < Dougy> i know
15:57 < Dougy> lol
15:57 < krzee> that'll be my new desktop running osx86
15:58 < krzee> then im replacing my nfs
15:58 < Dougy> E6750, 4gb, 1x250gb / Q8200, 4gb, 1x320 / 2xPentium 4 2.8, 2gb ram, 120gbg ide
15:58 < Dougy> 120gb*
15:58 < krzee> i grabbed 6 1.5 TB drives
15:58 < Dougy> i just racked another one of those p4's
15:58 < Dougy> i have enough boards and cpu's and drives to build 10 more
15:58 < Dougy> just need chassis
15:59 < krzee> the nfs will be dual core amd64 running fbsd8+zfs
15:59 < Dougy> i have like 5 pentium 4 socket 775's on my desk
15:59 < krzee> also 8GB ram
15:59 < Dougy> doing nothing
15:59 < Dougy> and a bunch of 478's
15:59 < Dougy> nice
16:00 < krzee> ya zfs loves amd64 and lotsa ram
16:00 < Dougy> AMD :<
16:00 < Dougy> er
16:00 < Dougy> amd cpu ?
16:00 < Dougy> or intel
16:00 < krzee> im running it on a i686 with 3gb ram now, and zfs is working...
16:00 < Dougy> nice
16:00 < krzee> but it crashes if i do real stuff on it for like a week
16:00 < krzee> zfs really wants 64bit
16:01 < Dougy> I want to build these servers and rent them out
16:02 < krzee> oh and i grabbed a 500gb drive for the laptop
16:02 < krzee> lil seagate 500gb internal
16:02 < krzee> i was in the usa so i stocked up
16:02 < krzee> i head home tuesday, in peru right now
16:02 < Dougy> ooh
16:02 < Dougy> where were you here
16:02 < krzee> full suitcase full of parts
16:03 < krzee> cali, vegas, orlando for 1 night
16:03 < Dougy> neato
16:03 < krzee> ya i wanted to hit NY
16:03 < krzee> but time just got away from me
16:06 < mjt> Mar 15 23:56:44 csrv ovpn-vtls[5039]: chroot to 'ccd' and cd to '/' succeeded
16:06 < mjt> Mar 15 20:56:44 csrv ovpn-vtls[5039]: GID set to openvpn
16:06 < mjt> it needs tzset() before chroot()
16:07 < krzee> checked the code and it doesnt, but should?
16:07 < mjt> even if it does, it does it wrongly ;)
16:07 < mjt> see the timestamps above
16:10 < Bushmills> krzee, that's under solaris, or the fuse user space driver?
16:10 < krzee> freebsd has been building zfs for awhile
16:10 < krzee> pjd rocks it
16:11 < krzee> its still experimental tho
16:11 < krzee> so i watch it on the freebsd-current mail list
16:14 < mjt> is it worth the effort(s) to send patches like this tzset() one?
16:14 < mjt> and where to send them? :_
16:15 < mjt> ;)
16:40 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
16:40 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:45 < krzee> dougy: check out nerios.net
17:00 -!- bfdjsif [n=me@64.18.154.248] has joined ##openvpn
17:00 -!- Dougy [i=Douglas@64.18.154.248] has quit [Nick collision from services.]
17:00 -!- bfdjsif is now known as Dougy
17:00 < Dougy> krzee: yes?
17:00 < Dougy> what about em
17:01 < Dougy> i know the guy who owns it
17:01 < krzee> they're very good
17:01 < krzee> same
17:01 < krzee> danny
17:02 < Dougy> well, i know the owner of systeminplace
17:02 < krzee> ahh
17:05 < Dougy> yea
17:05 < Dougy> woot irc allowed on that freebsd vps
17:06 -!- Dougy [n=me@64.18.154.248] has quit []
17:10 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has quit ["Leaving."]
17:11 < rashed2020> !howto
17:11 < rashed2020> dammit, still nothing
17:13 < krzee> my bad
17:13 < krzee> 1min
17:16 < rashed2020> krzee: me?
17:16 < krzee> yup
17:16 < rashed2020> Alright
17:19 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
17:19 < krzee> !hotwo
17:19 < vpnHelper> krzee: Error: "hotwo" is not a valid command.
17:19 < krzee> bleh
17:19 < krzee> !howto
17:19 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
17:19 < krzee> there we go
17:20 < krzee> dunno how that died
17:20 < krzee> err, the box rebooted, but i expected crontab to start it
17:22 < krzee> ahh there
17:23 < krzee> i forgot -d -m in screen
17:23 < ecrist> evening, krzee
17:23 < krzee> g'evening
17:53 -!- Googleman [n=azerty@82.101.189.37] has joined ##openvpn
17:54 < Googleman> hi all
17:54 < Googleman> anyone can tell me if there is a way to setup openvpn with a pptp client ?
17:55 < krzee> there is not
17:59 < Googleman> what is the best way to encrypt a connection ?
18:09 < CybDev> rot13 :-)
18:10 -!- |COM|Styx1 [n=Julian@cpe-071-075-056-061.carolina.res.rr.com] has joined ##openvpn
18:10 < |COM|Styx1> hello
18:10 < |COM|Styx1> anyone have experience with openvpn + qemu?
18:12 < ecrist> nope, sorry
18:12 < ecrist> rot26
18:13 < |COM|Styx1> ?
18:13 < krzee> Googleman, default uses blowfish for data channel
18:13 < krzee> which many consider to be a good encryption method
18:19 < ecrist> krzee, when do you want that server fired up?
18:19 -!- |COM|Styx1 [n=Julian@cpe-071-075-056-061.carolina.res.rr.com] has left ##openvpn ["Leaving."]
18:19 < krzee> not yet
18:21 < ecrist> I'm picking up another new-to-me server tomorrow
18:22 < ecrist> little Dell 1850
18:22 < ecrist> going to segregate some of my services again.
18:23 < krzee> abraham lincoln would be mad
18:23 < ecrist> lol
18:23 < ecrist> I'm getting too many hosted services on the one box that's public facing.
18:23 < ecrist> my email, web, everything runs on that box.
18:24 < ecrist> so, going to put their shit on the new box, only a single-core Xeon, and keep my stuff on the current box. I think.
18:24 < ecrist> I might change things up, too.
18:24 < ecrist> that way, when one of the shitty little sites gets hacked again, I'm not suffering.
18:26 < ecrist> that, and I might be hosting more than some hobby boxes soon.
18:26 < ecrist> one guy's talking about subsidizing multiple T1s and helping pay for a generator.
:P
18:27 < krzee> sick
18:28 < ecrist> did the math recently. cheaper over three years to buy a generator and two T1s than host in a colo with real space
18:28 < ecrist> power in DCs has gotten seriously expensive
18:29 < ecrist> my employer's colo bill just went up $400/mo for an electricity surcharge.
18:34 -!- Googleman [n=azerty@82.101.189.37] has quit []
19:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
19:35 < mepholic> !topology
19:35 < vpnHelper> mepholic: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
20:11 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
20:12 -!- nemysis [n=nemysis@220-238.1-85.cust.bluewin.ch] has joined ##openvpn
20:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:22 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
20:40 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
21:03 < rashed2020> !howto
21:03 < vpnHelper> rashed2020: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:04 < rashed2020> Is there any specific reason why I shouldn't use OpenVPN 1.X?
21:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
22:08 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:33 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
23:11 -!- Phoenixfire159 [n=Phoenixf@c-71-236-122-148.hsd1.pa.comcast.net] has joined ##openvpn
23:12 < Phoenixfire159> help, I'd like openvpn to update an ldap database with the client ip address on the virtual network when a client connects and disconnects
23:12 < Phoenixfire159> how to do this?
23:12 < Phoenixfire159> I'm looking at client-config-dir, is this the right direction?
23:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:51 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
--- Day changed Mon Mar 16 2009
00:03 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
00:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
00:18 -!- Phoenixfire159 [n=Phoenixf@c-71-236-122-148.hsd1.pa.comcast.net] has left ##openvpn []
00:40 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:49 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
00:52 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
00:58 -!- jjjwoi [n=www@moscow.perfect-privacy.com] has joined ##openvpn
00:58 < jjjwoi> can anyone tell me how to prevent so called 'DNS-leaks'?
01:10 -!- breestrees [n=matt@pcp045799pcs.pcv.reshall.calpoly.edu] has joined ##openvpn
01:10 < jjjwoi> breestrees, hello
01:10 < breestrees> when openvpn creates the tun device on linux, what is the actual command it uses? i need to add this command to the sudoers file. hello jjjwoi
01:12 < jjjwoi> breestrees do you know how to prevent so called 'DNS leaks'?
01:13 < breestrees> what do you mean by leaks
01:13 < breestrees> you mean you want dns requests to be forwarded through the tunnel?
01:13 < jjjwoi> i dont want my true IP to show up
01:15 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
01:19 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
01:53 -!- glguy [n=eric@pdpc/supporter/professional/glguy] has joined ##openvpn
01:55 -!- breestrees [n=matt@pcp045799pcs.pcv.reshall.calpoly.edu] has quit ["Leaving"]
02:21 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
02:56 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
03:08 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:09 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
03:58 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
03:58 < joelsolanki> Hello all
04:00 < joelsolanki> does openvpn work perfectly on 64 BIT windows 2003 server ?
04:01 < joelsolanki> i am having issues on this.
04:01 < joelsolanki> dont know, voip stuff is giving trouble
04:02 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)]
04:03 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn
05:20 -!- jjjwoi [n=www@moscow.perfect-privacy.com] has quit []
05:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
06:11 < joelsolanki> Hi all
06:11 < joelsolanki> is it possible to route a public ip thru openvpn ?
06:14 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
06:23 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
06:58 -!- onats_ [n=onats@122.53.136.244] has joined ##openvpn
06:58 -!- onats_ is now known as onats
07:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
07:22 -!- cyconx86 [n=cycon@131.203.115.65] has joined ##openvpn
07:23 < cyconx86> hey all.
quick question. if i can start an openvpn daemon session from the command line but not as an init.d service, what's the next thing I should check?
07:23 < cyconx86> am getting error "Options error: In [CMD-LINE]:1: Error opening configuration file:"
07:30 < dazo> cyconx86: do you give the full path to your config file? Can you (as the user you want to start openvpn) do cat ?
07:31 < cyconx86> dazo: i've tried defining the full path in the init.d script, yes. i'm attempting to start as root at the moment, just to eliminate permissions issues
07:32 < dazo> cyconx86: actually, that will not be successful ... when I think about it (slow head monday morning) ... openvpn needs root permissions to setup and configure the TUN/TAP device and setup the routes pushed by the server
07:32 < cyconx86> dazo: right - i'm starting as root right now
07:33 < dazo> cyconx86: you can however use the --user option ... which will degrade openvpn permissions to that user when it does not need those permissions anymore
07:33 < dazo> cyconx86: but you anyway need to be root when starting the service
07:33 < dazo> cyconx86: to allow a non-root user to do so .... you can have a look at sudo
07:34 < cyconx86> dazo: but my problem is i can launch the full command from root's bash prompt, but get this issue when calling "service openvpn start"
07:34 < cyconx86> dazo: if I put the command "echo `whoami`" in the startup script it comes back as root
07:34 < dazo> cyconx86: aha! sorry ... I got it the other way around
07:35 < cyconx86> dazo: i've also tried testing via echo all the other $variables in the startup script
07:35 < dazo> cyconx86: whoami can mislead you when called from scripts ...
07:35 < cyconx86> dazo: in any case, any ideas what should i check next?
07:35 < dazo> cyconx86: but if you get the error opening config file ...
Check all permissions (including SELinux if that's used and also getfacl) 07:36 < cyconx86> dazo: aha, that's a good call, hadn't thought about selinux 07:36 < dazo> cyconx86: Which distro are you running? 07:36 < cyconx86> dazo: centos. 07:37 < cyconx86> dazo: if i run "setenforce 0" it lets me start. think you've got it. thanks (c: 07:38 < dazo> cyconx86: check /var/log/messages for audit log entries .... such issues can easily be resolved with some scripts (which I dont recall now) 07:38 * dazo needs to learn SELinux much better 07:38 < dazo> cyconx86: it's probably just wrong context on either config file or config dir 07:38 < cyconx86> dazo: "restorecon -R -v /etc/openvpn" fixes it for good 07:39 < dazo> cyconx86: there you go :) 07:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)] 07:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:14 < ecrist> mjt: pong? 
08:17 < ecrist> Bushmills: you are incorrect in your statement yesterday 08:17 < ecrist> 15:41 < Bushmills> Dougy, sounds like a waste of precious ip addresses - vpn ip addresses can't be directly contacted by non-vpn machines anyway 08:17 -!- cyconx86 [n=cycon@131.203.115.65] has left ##openvpn ["Leaving"] 08:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit] 08:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:38 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn --- Log closed Mon Mar 16 08:54:35 2009 --- Log opened Mon Mar 16 16:24:22 2009 16:24 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 16:24 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal] 16:24 -!- Irssi: Join to ##openvpn was synced in 1 secs 16:24 < ecrist> ugh 16:25 < ecrist> Francis Dinha says they're having problems with a hosting provider, which is the cause of their outages lately. 16:34 -!- nemysis [n=nemysis@220-238.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 16:36 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has joined ##openvpn 16:45 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 16:46 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 16:57 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)] 17:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:26 -!- skx [i=skx@217.17.32.190] has left ##openvpn [] 18:34 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 18:47 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 19:10 < sigmonsays> anyone know of a command line interface to the management port of openvpn? 
19:10 < sigmonsays> admittedly i haven't even gone through all the commands, but it appears somewhat powerful 20:57 -!- sg [n=hypercub@unaffiliated/supergeek] has left ##openvpn [] 20:57 -!- sg [n=hypercub@unaffiliated/supergeek] has joined ##openvpn 21:00 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:09 < ecrist> sigmonsays: yea, telnet localhost 21:17 -!- Mark``` [n=mark@ip24-56-23-192.ph.ph.cox.net] has quit [Remote closed the connection] 21:23 -!- sg [n=hypercub@unaffiliated/supergeek] has quit [Read error: 110 (Connection timed out)] 21:23 -!- DaveQB [n=DaveQB@dward.us] has left ##openvpn ["Kopete 0.12.4 : http://kopete.kde.org"] 21:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:47 -!- mepholic is now known as astlin 22:01 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 22:05 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:37 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: mjt 22:38 -!- Netsplit over, joins: mjt 22:50 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: mjt, clustermagnet, dazo, blaxthos, Bushmills 22:51 -!- Netsplit over, joins: dazo, Bushmills 22:51 -!- blaxthos [n=blaxthos@64.94.108.181] has joined ##openvpn 22:51 -!- Netsplit over, joins: clustermagnet 22:51 -!- Netsplit over, joins: mjt 23:30 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 23:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] --- Day changed Tue Mar 17 2009 00:00 -!- dr_octalgon [n=dr_octal@c-71-204-128-111.hsd1.ca.comcast.net] has joined ##openvpn 00:01 < dr_octalgon> hi guys, I think I've found a bug in the proposed bridge-setup script, should I just mail info@openvpn? Or is there a bugtracker I should file at?
00:12 -!- dr_octalgon [n=dr_octal@c-71-204-128-111.hsd1.ca.comcast.net] has left ##openvpn [] 00:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:47 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: sigius, astlin, rdz, simplechat 00:49 -!- astlin [n=what@hydra.weserv.in] has joined ##openvpn 00:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 00:49 -!- simplechat [n=betabot@li20-55.members.linode.com] has joined ##openvpn 00:49 -!- rdz [i=roman@netpd.org] has joined ##openvpn 00:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [SendQ exceeded] 00:49 -!- rdz [i=roman@netpd.org] has quit [SendQ exceeded] 00:50 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn 00:50 -!- rdz [i=roman@netpd.org] has joined ##openvpn 00:50 -!- simplechat [n=betabot@li20-55.members.linode.com] has quit [Connection reset by peer] 00:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 00:51 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn 00:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 01:01 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn 01:01 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: astlin 01:02 -!- Netsplit over, joins: astlin 01:02 -!- astlin [n=what@hydra.weserv.in] has quit [SendQ exceeded] 01:55 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn 01:57 < Chrnos> Hello, any1 know how i can fix high latency i have between server and clients? i'm using tap 01:58 < reiffert> latency is an attribute of the media and internetwork between server and client. 02:04 < Chrnos> what you mean? 
02:07 < Chrnos> i know the ping varies depending on the location between the server and users but I say if I will ping the vpn server ip lan I have high latency if I will ping the server ping the public is "normal" in certain words in vpn I get high pings 02:09 -!- mepholic_ [n=what@hydra.weserv.in] has quit [Read error: 110 (Connection timed out)] 02:22 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 02:22 < geaaru> hi, is it possible configure openvpn server for assign a dedicated ip address for a dedicated certificate? 02:22 < geaaru> thanks in advance 02:22 < reiffert> Chrnos: Allright. Draw a picture of your network infrastructure, give us your config and define the difference between high and normal. Also hand us your firewall configuration. 02:23 < reiffert> geaaru: yes. 02:24 < reiffert> bbl, work. 02:24 < geaaru> can you supply me a link where is describe this way, please? 02:37 < krzee> geaaru, 02:37 < krzee> !iporder 02:37 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 02:37 < krzee> you prolly want ccd 02:37 < krzee> (choice #2) 02:37 < krzee> !ccd 02:37 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 02:38 < geaaru> ah ok, thank you very very much for replies 02:38 < krzee> np 02:42 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 02:42 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn [] 02:44 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 02:45 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 02:49 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 02:51 < tjz> hey jeff 02:51 < tjz> :P 02:51 < tjz> btw, is it possible to 1 command to generate our .ca, .crt cert/ 02:52 < krzee> in ssl-admin, yes 02:52 < krzee> !ssl-admin 02:52 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 02:52 < tjz> does this include generate our ovpn file? 02:53 < krzee> no, we'll add mind reading in the next version tho 02:53 < krzee> actually, yes it does 02:53 < krzee> but you pre-set the default to take advantage of that 02:54 < tjz> ok 02:54 < krzee> it'll even zip up the package 02:54 < krzee> iirc 02:55 < krzee> check it out 02:55 < krzee> ecrist made it 02:56 < tjz> cool 02:56 < tjz> where is the file? 
02:56 < tjz> =) 02:56 < krzee> dunno man, play with it 02:56 < krzee> or read the manual 02:56 < tjz> lol 02:56 * tjz fainted 02:57 < tjz> lol 02:57 < krzee> gnite, sleep time 02:57 < tjz> ok 02:57 < tjz> gd nite 03:09 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 03:19 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:44 < Chrnos> reiffert, or other want to help me here my "network infrastructure" http://img4.imageshack.us/img4/6082/lann.jpg and here my config http://pastebin.com/d5775b24c 03:45 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn 04:13 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 04:14 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 113 (No route to host)] 04:18 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 04:18 -!- onats [n=onats@122.53.131.243] has quit [Read error: 110 (Connection timed out)] 04:19 -!- onats [n=onats@122.53.136.244] has joined ##openvpn 04:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 04:55 -!- betabot is now known as simplechat_ 05:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 05:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [] 05:51 -!- Chrnos [i=Kuro@190.53.8.79] has quit ["Saliendo"] 05:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 05:54 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 05:58 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn 06:02 -!- protocols [n=protocol@p5791FB52.dip.t-dialin.net] has joined ##openvpn 06:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 06:41 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 06:41 < ecrist> morning folks 07:05 < mjt> hi ecrist 07:55 
-!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 08:07 -!- rubydiamond [n=rubydiam@123.236.183.169] has joined ##openvpn 08:09 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 08:13 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 08:34 < ecrist> I'm so ronery, so ronery, so ronery and sadry arone... 08:36 -!- ilreds [i=c2b93a94@gateway/web/ajax/mibbit.com/x-b8ef68d5b8889143] has joined ##openvpn 08:37 < ilreds> hi to all 08:38 < ecrist> howdy 08:38 < rashed2020> Hello everyone 08:39 < rashed2020> In my easy-rsa dir I have two other dirs 08:39 < rashed2020> 1.0 and 2.0 08:39 < rashed2020> Should I delete 1.0 and copy all the files in 2.0 a level up? 08:39 < mjt> you should copy 2.0 to somewhere else and modify it there to suit your needs. 08:40 < rashed2020> I've got a copy of it somewhere else 08:40 < rashed2020> Where does OpenVPN want the files though 08:40 < mjt> it doesn't want hem 08:40 < mjt> them 08:40 < rashed2020> So they're just for me to use? 08:40 < mjt> yes 08:41 < rashed2020> Ok cool, thanks. 09:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 09:16 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn [] 09:24 < ilreds> using ccd subdirectory configuration, can i push different router for each client? 09:25 < mjt> sure 09:26 < ilreds> mjt: how? simply inserting push route directive into ccd files? 09:27 < mjt> yup 09:27 < ilreds> ok 09:27 < mjt> note that in reality you have only one router... 09:28 < mjt> which topology do you use? 09:43 < dazo> rashed2020: ideally ... the easy-rsa files should be stored on a box not connected to any network at all ... this is your CA, which signs certificate requests and returns a valid certificate for your server and clients ... but you need to copy out your server certificate and put it on your openvpn server.
Where to place them is up to you, it depends on your config files 09:44 < mjt> dazo: he asked about the scripts, not keys... 09:45 < dazo> mjt: "... copy all the files in 2.0..." ... that's not just keys 09:45 < mjt> thats anything BUT keys ;) 09:46 < dazo> mjt: if you have changed the config ... if not, the keys also comes into this directory 09:49 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"] 10:03 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 10:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 10:41 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has quit ["Leaving"] 10:47 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn 10:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 10:49 < jul_> Hello. i have a problem, i installed openvpn client/server , it'ok but when i ping from the client I saw ping in the server (tcpdump) but any return on client. any ideas ? 10:50 -!- smk_ is now known as smk 10:54 < ecrist> jul_: your question is difficult to understand 10:54 < jul_> ecrist: ok 10:54 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 10:55 < jul_> i have 2 pc, 1 server 192.168.0.1 1 client 192.168.0.6 -> when i ping from server to client i saw with tcpdump on client the ping but ping in server don't have return 10:57 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 10:58 < jul_> ecrist: it's more clear now ? 11:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:10 < krzee> jul_, those internal VPN ips? 11:10 < krzee> or the LAN ips? 11:10 < krzee> bridging or routing? 
11:13 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 11:13 < krzee> you shouldnt be using that subnet for the vpn, its too common and wont work when a client has that as LAN ip 11:13 < krzee> otherwise, its your firewall 11:16 -!- sd1 [n=tux@pD9E7BB17.dip.t-dialin.net] has joined ##openvpn 11:16 < jul_> krzee: VPN ip , routing 11:17 < jul_> this ip are not used in my networks 11:17 < jul_> i use 10.0.0.0 11:21 < jul_> read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 11:22 < jul_> it's for this error, when i try to ping with verbose 5 -> i saw Rwr on server and client 11:23 < dazo> jul_: that's a typical the result of iptables blocking access 11:25 < soberbit-work> if i start making vpn keys for clients outside of my company, what would be normal to enter into the attributes of the key? 11:25 < soberbit-work> their company name and email address instead? 11:26 < ecrist> no 11:27 < ecrist> certain pieces of data need to match, or certificates will not be valid 11:27 < soberbit-work> what's the purpose of the email field. 11:27 < ecrist> to have the user's email address 11:28 < soberbit-work> normal to sign the key with my company, city, org, and put the users own hostname/email in? 11:29 < ecrist> yep 11:32 < hardwire> can you roll your own tunnelblick? 11:32 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 11:33 < hardwire> I got openvpn gui with a custom config + keys working just fine .. 11:33 < jul_> so strange : i ping on my client to my server in my client i saw the sending and the receiving but ping say me 100% lost 11:35 < ecrist> hardwire: sure, why not? 11:37 < hardwire> ecrist: I suppose I'd just have to change the packaging and recompile it every time. 11:37 < ecrist> recompile what? 11:38 < hardwire> tunnelblick 11:38 < ecrist> hardwire, what are you re-rolling?
11:38 < hardwire> just need to put custom conf and key files into a package 11:38 < ecrist> you can do that without a recompile 11:38 < hardwire> so that I can just hand it to somebody 11:38 < hardwire> got info? 11:42 < ecrist> hardwire: mac os x .app files are just directories, handled specially by the OS 11:42 < ecrist> put the config in there, distribute. 11:42 < ecrist> easy 11:42 < hardwire> hmm 11:44 < ecrist> this isn't #mac-devel ;) 11:46 < hardwire> sorry. 11:46 < ecrist> you could look into viscosity, as well, they have native support for packaging, iirc 11:47 < ecrist> Easily pre-configure Viscosity so your users don't have to. Viscosity can be set up to automatically create VPN connections on first launch so users are good to go no matter their VPN knowledge. 11:47 < ecrist> ^^^ from their main web site 11:47 < ecrist> !fe 11:47 < vpnHelper> ecrist: Error: "fe" is not a valid command. 11:48 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com) 11:48 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 11:48 < ecrist> krzee: will you *please* fix my bot access 11:49 < ecrist> !learn fe as Win: OpenVPN GUI (http://www.openvpn.se) 11:49 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 11:50 < ecrist> !learn fe as Linux: OpenVPN Admin (http://sourceforge.net/projects/openvpn-admin/) 11:50 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:55 < ecrist> !whoami 11:55 < vpnHelper> ecrist: I don't recognize you. 11:56 -!- mode/##openvpn [+o ecrist] by ChanServ 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:57 -!- mode/##openvpn [-o ecrist] by ecrist 12:00 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com) 12:00 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 12:00 < ecrist> !whoami 12:00 < vpnHelper> ecrist: ecrist 12:00 < ecrist> grr 12:01 * ecrist looks for his banhammer 12:01 -!- ilreds [i=c2b93a94@gateway/web/ajax/mibbit.com/x-b8ef68d5b8889143] has quit ["http://www.mibbit.com ajax IRC Client"] 12:03 < ecrist> hardwire: http://www.viscosityvpn.com/support/?section=faq&supportid=6 12:03 < hardwire> whats vpnHelper for? 12:04 < soberbit-work> openvpn work in Windows 7? 
12:05 < ecrist> soberbit-work: yes, it does 12:05 < soberbit-work> recommend better than this? http://www.fiberworks.com/DNN/Support/OpenVPN/tabid/171/language/en-US/Default.aspx 12:05 < vpnHelper> Title: OpenVPN Windows 7 (at www.fiberworks.com) 12:05 < ecrist> windows 7 is not yet supported, and there can be issues with vista, but it can be gotten to work. 12:06 < dazo> hardwire: vpnHelper is here just to frustrate ecrist ;-) 12:06 < ecrist> indeed 12:06 < ecrist> /kick krzee 12:06 < ecrist> 12:06 -!- ##openvpn You need to be a channel operator to do that 12:06 < ecrist> soberbit-work: that looks fine 12:08 < dazo> soberbit-work: you might want to check out the openvpn mailing list ... you'll find it at sourceforge ... it was some people discussing it there a few weeks ago ... I believe the latest 2.1_RC15 is not supported right out of the box ... but I believe it was an unofficial fix on the openvpn-users list, iirc 12:08 < dazo> soberbit-work: vista works 12:08 < dazo> (RC15, that is) 12:09 < soberbit-work> i don't get a lot of experience with openvpn on xp/vista. first time i got a client returning saying he runs windows 7 12:09 < soberbit-work> still running openvpn-2.0.9-gui-1.0.3-install.exe for XP/Vista clients 12:10 < soberbit-work> not sure if there is a better choice for xp/vista 12:10 < dazo> soberbit-work: 2.1_RC15 is the preferred one for Vista upstream 12:11 < soberbit-work> just going by updates from openvpn.net ? 12:11 < soberbit-work> back in the day seemed like 3rd party clients were where I was always directed to. 12:13 < dazo> soberbit-work: from one of the mails in the mailing list: "i'd like to say, the latest release (2.1r15), works just FINE, however, the installer doesn't. It seems to check the windows version, and say's it's incompatible.. it worked fine in compatibility mode though." 12:13 < soberbit-work> cool 12:14 < dazo> soberbit-work: a version with a fixed installer for win7 ...
http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe 12:14 < ecrist> the link above indicates use of compatibility mode 12:15 < dazo> ecrist: yeah, but the last installer RC15e tells Win7 its safe to run in native Win7 mode, I believe 12:16 < krzee> heh 12:16 < dazo> it's a tiny thread in openvpn-devel from Jan. 17 2009@07:43 ... "[Openvpn-devel] windows 7 and openvpn" 12:16 < krzee> ./ban ecrist 12:16 < krzee> [12:16] * ##openvpn :You need to be a channel operator to do that 12:16 < krzee> hehe 12:17 < krzee> !learn win7 as http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 12:17 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 12:18 < krzee> !learn win7 as http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 12:18 < vpnHelper> krzee: Joo got it. 12:19 < soberbit-work> thanks for the help. gonna have the client try both 12:19 < soberbit-work> the rc15 with compat and rc15e without compat 12:20 < dazo> soberbit-work: the only difference is in the installer ... not openvpn binaries 12:20 < dazo> soberbit-work: so jump straight unto the rc15e version ... less hassle 12:21 < soberbit-work> roger 12:30 -!- jul_ [n=jul@colonel.verygames.net] has quit [Read error: 145 (Connection timed out)] 12:34 < krzee> [12:00] !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com) 12:34 < vpnHelper> Title: tunnelblick - Google Code (at code.google.com) 12:34 < krzee> you wanted to have !fe? 
12:34 < krzee> also, if you leave those ()'s around links, they are not clickable in most clients 12:35 < krzee> which is another reason you never end a factoid with a link, it will get an appended comma when another entry is added to the factoid 12:35 -!- protocols [n=protocol@p5791FB52.dip.t-dialin.net] has quit ["Leaving"] 12:43 < reiffert> Hi guys 12:43 < ecrist> heya reiffert 12:43 < sd1> hey 12:44 < reiffert> How to keep customers from taking my offer and buying the staff themselves, now that they know what they need and what it will approx. cost? 12:44 < Bushmills> hi reiff 12:44 < reiffert> Hi Bushmills 12:46 < ecrist> reiffert: that's hard to do. usually, it's done by offering such things for less than it would cost them to do it themselves. 12:46 < reiffert> ecrist: oh, and thats the point where I need one dedicated hardware dealer, giving me some discount? 12:52 < Bushmills> reiffert, by combining the offer with services, possibly needed services, they can't just buy in the shop. 12:53 < Bushmills> a heap of metal and plastic is different from a working installation 12:53 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has quit [Connection timed out] 12:54 < reiffert> Ah well, I could imagine, that they just try to do it themselves. 12:54 < Bushmills> reiffert, who wants customers one can't trust anyway :D 12:55 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has joined ##openvpn 12:55 < reiffert> :) 13:03 -!- sd3 [n=tux@pD9E7E2B9.dip.t-dialin.net] has joined ##openvpn 13:05 < ecrist> reiffert: not necessarily. really, it's a matter of finding a combination of services and products which create a greater benefit for the cost than rolling your own. 13:06 < ecrist> for example, I own a small security company. we do mostly sub-contracting to big companies.
us being small and nimble, we can roll with varying work flows and don't have to worry about lay offs, as we've got many large clients, so having our own staff is worthwhile 13:07 < ecrist> those large customers don't want their own staff, as they don't want the hassles of lay off and the like if they have a lull in business. 13:07 < ecrist> so, it's 'cheaper' for them to pay us $65/hour for each tech, than to pay their own techs $30/hour + benefits + insurance + unemploy insurance + etc etc etc 13:08 < ecrist> even though, when it comes to green, they're paying a higher hourly rate to us than they would the tech. 13:08 < ecrist> in this case, if they have a lull in work, they simply don't call us. 13:08 < ecrist> in your case, you can fill a similar role, and sell it to them as such 13:09 < ecrist> give them a fixed cost for your time, offer service contracts. businesses like *known* costs. an employee is almost always an unknown factor (gota give them raises, etc) 13:10 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 13:20 -!- sd1 [n=tux@pD9E7BB17.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 13:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:32 -!- joelsolanki [i=joelsola@124.125.151.27] has joined ##openvpn 13:32 < joelsolanki> Hey all 13:32 < joelsolanki> morning / afternoon :)( 13:32 < joelsolanki> :) 13:33 < ecrist> hi 13:33 < joelsolanki> oh hey 13:34 < joelsolanki> i wanted to ask a question 13:34 < joelsolanki> can we route a single public ip or bunch of Ips thru openvpn ? 13:39 < joelsolanki> ecrist: you there ?
13:40 < ecrist> yep 13:40 < ecrist> the answer is yes 13:40 < joelsolanki> oh :) 13:40 < joelsolanki> any hints or suggestion on this 13:41 < joelsolanki> i m thinking to use linux as openvpn server 13:45 * Bushmills would use openvpn as openvpn server instead 13:47 < Bushmills> joelsolanki, and yes, you can sort of route public ip addresses through openvpn, sort of. assuming you mean "allow world to connect to openvpn client as if it was the machine with the pub address, while in fact the server has that address" 13:47 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 13:53 < joelsolanki> aha 14:02 < ecrist> Bushmills: why can't openvpn be used to 'actually' route real IPs? 14:02 < ecrist> please explain yourself 14:03 < joelsolanki> if we route then at least traffic will be encrypted will pass thru vpn so thats fine. 14:04 < joelsolanki> i dont any security issue. but it could be if any one has tested 14:04 < joelsolanki> i dont see any security i mean 14:09 < ecrist> joelsolanki: it can be done, and has been done. that's all you should need to worry about, provided you setup routing accordingly. 14:10 < Bushmills> ecrist, you'd use the routing facility of the OS, and openvpn merely as the network transport. 14:12 -!- joelsolanki [i=joelsola@124.125.151.27] has quit [] 14:14 < ecrist> Bushmills: I think you're over-complicating things. 14:14 -!- Cyllene [i=OdsIJx7t@unaffiliated/cyllene] has joined ##openvpn 14:15 < ecrist> you *can* route public IPs through OpenVPN without issue 14:15 < Cyllene> Hi, I am using the openvpn source code as a muse to my code. I have found this: 14:15 < Cyllene> #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (false) 14:15 < Cyllene> What's the point of the do/while loop if the condition is false? 14:16 < ecrist> Cyllene: no developers here for openvpn, just support community.
though, some here may develop, nothing specific to OpenVPN 14:16 -!- sd3 [n=tux@pD9E7E2B9.dip.t-dialin.net] has left ##openvpn [] 14:16 < Cyllene> I see. 14:20 < Bushmills> ecrist, i do route pub ip through openvpn. though in my case i use the DNAT target of iptables, though i am confident that adding a route to the routing table could work as well. i don't know of an openvpn-only way. 14:20 -!- Cyllene [i=OdsIJx7t@unaffiliated/cyllene] has left ##openvpn [] 14:21 < mjt> do{}while(false) executes exactly once 14:21 < mjt> but syntactically it can be placed between if() and else 14:21 < mjt> unlike the if that's inside that {} 14:22 < mjt> if (foo) ASSERT(bar); else baz; 14:24 < ecrist> Bushmills: as an example, if you've got a /28 and a /30 from your ISP, with your endpoint for the /30 being your OpenVPN server, you can have your ISP set a static route for the /28 to point to your endpoint for the /30, at which point you simply use the /28 as your OpenVPN address space 14:24 < Bushmills> ecrist, yes, i think i mentioned adding a route. 14:25 < Bushmills> still, this is what i consider "using OS facilities", not "using openvpn" 14:26 < mjt> you have to have the IP addresses somehow. 14:26 < ecrist> you're over-complicating your explanation. you can route public IPs over an Openvpn connection 14:26 < Bushmills> i don't argue with that 14:34 < ecrist> and yes, you can sort of route public ip addresses through openvpn, sort of. 14:34 < ecrist> those are your words. sort of is incorrect. you *can*. 14:36 < Bushmills> that was "can .. using openvpn" but you told how you "can... using OS routing facility" 14:37 < Bushmills> how do you route public ips with openvpn instead, then?
14:37 < ecrist> define a specific usage and I'll give you a specific example 14:38 < ecrist> or, read !route 14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 15:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 104 (Connection reset by peer)] 15:32 -!- mib_0400sz [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a438ef8ea570c942] has joined ##openvpn 15:32 < mib_0400sz> hi 15:32 < mib_0400sz> there 15:32 < mib_0400sz> is there anyone here ? 15:33 -!- mib_0400sz [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a438ef8ea570c942] has quit [Client Quit] 15:33 < krzee> lol 15:35 -!- mib_oyzxjo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f0ac0f47614287e7] has joined ##openvpn 15:35 < mib_oyzxjo> hi 15:35 < krzee> hey 15:35 < krzee> just ask your question 15:35 < mib_oyzxjo> thx 15:35 < mib_oyzxjo> well 15:36 < mib_oyzxjo> i try to generate a key each time it give me 15:36 < mib_oyzxjo> unable to write 'random state' 15:36 < mib_oyzxjo> is it normal ? 15:37 < krzee> you in a freebsd jail or some other way you are unable to use /dev/random or /dev/urandom? 15:37 < mib_oyzxjo> i don't know 15:37 < krzee> you dunno your system? 15:37 < mib_oyzxjo> i just using ubuntu 15:38 < krzee> get in as root 15:38 < mib_oyzxjo> which mean what i have to do ? 15:39 < mib_oyzxjo> i m newbies 15:39 < mib_oyzxjo> i just following this tutorial http://doc.ubuntu-fr.org/openvpn 15:39 < krzee> learn how to use your operating system 15:39 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org) 15:39 < mib_oyzxjo> you mean i have to launch that command as a root ? 15:39 < mib_oyzxjo> is it ? 
15:40 < krzee> [15:38] get in as root 15:40 < krzee> correct 15:40 < mib_oyzxjo> sorry i miss understand 15:40 < krzee> be root 15:40 < mib_oyzxjo> well 15:40 < mib_oyzxjo> k 15:40 < mib_oyzxjo> i just try 15:43 * ecrist consideres mibbit ban 15:48 < mib_oyzxjo> thx krzee 15:48 < mib_oyzxjo> it working 15:48 < mib_oyzxjo> now 15:48 < mib_oyzxjo> thx a lot krzee 15:48 < krzee> np 15:52 -!- mib_oyzxjo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f0ac0f47614287e7] has quit ["http://www.mibbit.com ajax IRC Client"] 16:10 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 16:11 -!- mib_vmz0uw [i=52e6d07c@gateway/web/ajax/mibbit.com/x-46b81c574432a31c] has joined ##openvpn 16:11 < mib_vmz0uw> hi 16:11 < mib_vmz0uw> there 16:12 < mib_vmz0uw> my connexion was lost 16:12 < mib_vmz0uw> last time 16:13 < mib_vmz0uw> i can't able to connect to openvpn server 16:13 < mib_vmz0uw> and this the log 16:13 < mib_vmz0uw> http://paste.ubuntu.com/132698/ 16:18 < mib_vmz0uw> hello 16:18 < mib_vmz0uw> is there anyone here ? 16:19 < Bushmills> you are 16:19 < mib_vmz0uw> thx 16:19 < mib_vmz0uw> you too 16:19 < mib_vmz0uw> well 16:20 < mib_vmz0uw> do you see my problem 16:20 < mib_vmz0uw> my openvpn server is in listening mode 16:20 < mib_vmz0uw> i can ping to my server 16:20 < mib_vmz0uw> but the client can't connect to the server 16:22 < mib_vmz0uw> helllllllllo 16:22 < mib_vmz0uw> r u still there ? 16:23 < krzee> are you joking? 16:23 < krzee> Tue Mar 17 22:03:09 2009 us=848000 Cannot load certificate file client1.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib 16:24 < krzee> your cert file isnt where you said it was 16:24 < krzee> Cannot load certificate file client1.crt: ... 
No such file or directory 16:24 < mib_vmz0uw> no the file i was put it 16:25 < mib_vmz0uw> on my windows mobile 6 device 16:25 < krzee> well either its in the wrong location or you have the wrong location in your config 16:25 < mib_vmz0uw> \Program Files\OpenVPN\config\ 16:25 < krzee> but thats your problem 16:28 < mib_vmz0uw> there \Program Files\OpenVPN\config\ i got 4 files : ca.crt client1.crt client1.key and the sfr.ovpn files 16:29 < mib_vmz0uw> then how it can say there is no file 16:29 < mib_vmz0uw> i can't understand really 16:29 < krzee> it must not be looking there 16:30 < krzee> try adding cd \Program Files\OpenVPN\config\ 16:30 < mib_vmz0uw> so where i have to put 16:30 < krzee> [16:30] try adding cd \Program Files\OpenVPN\config\ 16:30 < krzee> into the config file 16:31 < mib_vmz0uw> as i say there : \Program Files\OpenVPN\config\ i got 4 files : ca.crt client1.crt client1.key and the sfr.ovpn files 16:31 < krzee> do what i said, or dont 16:31 < krzee> up to you 16:32 < mib_vmz0uw> so sorry i don't understand u 16:33 < krzee> add this to your config file 16:33 < krzee> (ovpn file) 16:33 < krzee> cd \Program Files\OpenVPN\config\ 16:35 < ecrist> /mode ##openvpn +b *@gateway/web/ajax/mibbit.com/* 16:35 < mib_vmz0uw> plz wait 16:37 < mib_vmz0uw> this is the actual client configuration file 16:38 < mib_vmz0uw> i just move all the four files : ca.crt client1.crt client1.key and the sfr.ovpn files to \Program Files\OpenVPN\config\ 16:38 < mib_vmz0uw> done 16:38 < mib_vmz0uw> then 16:39 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn 16:39 < podman99a> hey all ... is openVPN compatible with the Vista/XP VPN Client 16:40 < podman99a> !howto 16:40 < vpnHelper> podman99a: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:44 < mib_vmz0uw> hello 16:44 < podman99a> hi? 16:46 < mib_vmz0uw> no thaaat was for my question* 16:47 < podman99a> ah ... 
yea seems a little quiet in here 16:48 < mib_vmz0uw> r u from europe 16:48 < krzee> mib_vmz0uw, im going away to do some things 16:48 < krzee> but i recommend you learn how to use computers before you try openvpn 16:48 < krzee> adios 16:49 < mib_vmz0uw> i m so 16:49 < mib_vmz0uw> sorrrrrrrrry 16:49 -!- mrcerulean [n=chris@adsl-69-232-76-240.dsl.sndg02.pacbell.net] has joined ##openvpn 16:49 < mib_vmz0uw> i just understand your question 16:50 < mib_vmz0uw> i just not understand your question 16:50 < mib_vmz0uw> thatt's don't say me to howo use computer 16:51 < mrcerulean> Good afternoon. I'm trying to get OpenVPN up and running and I'm 98% of the way there (I think). I can connect to the remote box and ping both the tun IP and the real IP. I cannot ping past it, though. http://pastebin.com/m5aad014e is my openvpn.conf and my iptables. 16:51 < mrcerulean> I'm sure this is something simple... 16:51 < mrcerulean> :) 16:51 < mib_vmz0uw> if u make sentence i can better understand$ 16:55 < hads> mrcerulean: ip_forward? 16:55 < mrcerulean> Urgh 16:55 < mib_vmz0uw> i m at the final i dont 16:56 < mib_vmz0uw> i m at the final step and noone dont want to help 16:56 < mib_vmz0uw> me`u`u`u`u`u`u 16:56 * mrcerulean slaps himself 16:56 < hads> It's always something simple you forget :) 16:57 < mrcerulean> That shouldn't require a restart, right? 16:57 < hads> Nope 16:57 < mrcerulean> Still no joy... 16:58 < mrcerulean> hads: Although, we now know that ip_forward is set. :D 16:59 -!- mib_vmz0uw [i=52e6d07c@gateway/web/ajax/mibbit.com/x-46b81c574432a31c] has quit ["http://www.mibbit.com ajax IRC Client"] 16:59 < mrcerulean> I can also ping *back* from the OpenVPN box to the tun device on my Windows machine. 17:00 < mrcerulean> What should the route command in the client configuration file look like? 17:00 < hads> You setup routing on the default gateway? 17:01 < mrcerulean> hads: Yes. 17:01 < mrcerulean> hads: errr... no. 
17:01 < hads> !route 17:01 < vpnHelper> hads: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 17:02 < mrcerulean> hads: There are routes there--I assume they were automagically set up? 17:03 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn 17:04 < hads> Sorry, I have to get back to work now. 17:04 < mrcerulean> hads: I do a push route, wich is not the same as an iroute, I'm guessing... 17:04 < mrcerulean> Thanks for the help! 17:08 -!- mode/##openvpn [+o ecrist] by ChanServ 17:08 -!- mode/##openvpn [+b *!*@gateway/web/ajax/mibbit.com/*] by ecrist 17:08 -!- mode/##openvpn [-o ecrist] by ecrist 17:10 < ecrist> sorry mibbit users, but signal to noise is too high. 17:11 < hads> heh 17:14 < ecrist> sweet! just bought a dell 1850 from someone off CL for $200. it's got 2 more years of on-site service left. 17:14 * ecrist does a little dance. 17:15 < ecrist> 4GB RAM, dual-core Xeon 2.8GHz, 2x73GB 15K drives, PERC 4e/Si. only one power supply though 17:16 < ecrist> lol, another power supply is only $29.99 on ebay. 17:16 -!- mepholic_ [n=what@hydra.weserv.in] has quit [Remote closed the connection] 17:16 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn 17:26 < krzee> for 200~? 17:26 < krzee> ~? 17:26 < krzee> !? 17:26 < vpnHelper> krzee: Error: "?" is not a valid command. 17:26 < krzee> damn 17:27 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 17:27 < ecrist> krzee: yeah, he asked $250, I offered $200 cash (before he was here, it's a dick move to change the price when you're already there) 17:27 < ecrist> that Xeon is 64-bit, too. :) 17:31 < CybDev> that's quite nice ecrist 17:31 < ecrist> I'm thrilled. :) 17:31 < ecrist> hoping to have it running tonight. will take a couple weeks to get everything migrated over I want to move. 
17:46 -!- soberbit-work [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection] 17:49 < mrcerulean> OK. After my connection is set up, I have an IP of 10.10.91.6. My route goes to 10.10.91.5. Where is this device? 17:50 < ecrist> virtual. it's the other end of your ptp tunnel 17:50 < mrcerulean> Yes, but it doesn't show up in ifconfig... 17:51 < mrcerulean> And I cannot ping it from either end. 17:52 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 17:53 < podman99a> !howto 17:53 < vpnHelper> podman99a: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:56 < mrcerulean> podman99a: The HOWTO got me this far. :) 17:57 < krzee> !/30 17:57 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 17:59 < mrcerulean> OK. My problem appears to be that traffic is not being routed back. The HOWTO states that the gateway device on the LAN (server side) needs to have a route back to the TUN device (which makes sense). What if I don't have access to change the routes on the gateway device? 17:59 < krzee> mrcerulean, if its really bothering you you can use 2.1 and topology subnet 17:59 < krzee> !topology 17:59 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 17:59 < krzee> mrcerulean, see the bottom of this: 17:59 < krzee> !route 17:59 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 18:00 < krzee> in fact read it all 18:00 < krzee> it explains everything you need to know about connecting lans behind openvpn 18:01 < mrcerulean> Yes. So. 
Because I have a route on the OpenVPN box itself, I can talk to that box. But because I don't have a route on the LAN gateway, I cannot talk past that box. 18:01 < mrcerulean> Makes perfect sense. 18:02 < mrcerulean> Can I use the OpenVPN box as a NAT device for the LAN? 18:04 < mrcerulean> OK. 18:04 < krzee> you mean as the default gateway? 18:04 < mrcerulean> I confirmed that that's the problem by adding a route to another box on the inside. 18:04 < mrcerulean> krzee: Basically, is there a configuration that I can use where I don't have to add a route to the entire LAN? 18:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:05 < Chrnos> so the topology feature is on version 2.0.9 ? 18:05 < Bushmills> mrcerulean, it is possible. i do that. 18:06 < Bushmills> simply set default route to vpn device. enable NAT on the server side. 18:09 < mrcerulean> So, Bushmills, set the default route to the TUN device on the client side, then enable NAT on the server side? 18:10 < Bushmills> right 18:11 < Bushmills> you may need to add an extra route to the server, an not relying on it being connectable through the default route 18:11 < Bushmills> (which will be over vpn ...) 18:13 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [] 18:13 < mrcerulean> Bushmills: How do I change the default route on the client side? 18:13 < mrcerulean> Bushmills: Sorry for the silly question... 18:13 < Bushmills> man route 18:14 < mrcerulean> Oh. 18:14 < mrcerulean> You mean change it on the OS level, not the OpenVPN configuration level... 18:14 < Bushmills> right 18:15 < Bushmills> unless ecrist finds that too complicated, in that case he probably knows how to do that with openvpn alone 18:16 < mrcerulean> Bushmills: The problem is that I'm sending this out to non-technical folks for setting up on their Windows machines. Doing it with the client configuration file is preferable. 
However, I've requested that the route be added to the LAN gateway. If that happens, we'll be good. 18:17 < Bushmills> i have zero windows exposure 18:17 < mrcerulean> Bushmills: You are a lucky, lucky man. 18:18 < Bushmills> i suppose windows has a man command too 18:18 < mrcerulean> Well, yes. And I can certainly set up *my* box. But non-technical users may have issues. 18:19 < Bushmills> well, set it up for them and charge them for it. 18:19 < mrcerulean> I like the way you think... :) 18:19 < Bushmills> as windows users they're supposed to being used getting charged 18:23 < Bushmills> oh. thinking of it, i must amend my "zero exposure". i have been playing a network first person shooter, not more than 4 weeks ago. 18:38 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn 18:38 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Client Quit] 18:38 -!- Traveler5 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn 18:39 -!- Traveler5 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Client Quit] 18:39 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn 18:39 -!- Traveler8 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn 18:39 -!- Traveler8 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Client Quit] 18:45 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Remote closed the connection] 19:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 19:15 -!- arag00rn [n=arag00rn@albert.ip6.smallunix.net] has joined ##openvpn 19:18 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn ["Ex-Chat"] 19:58 -!- arag00rn [n=arag00rn@albert.ip6.smallunix.net] has quit ["leaving"] 20:22 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 20:22 < ecrist> mrcerulean: you want --redirect-gateway in the server config 20:23 < ecrist> it's covered in the 
man page. total option is 'redirect-gateway def1' if I remember correctly. 20:23 < ecrist> make sure you've got NAT and/or proper routing setup for your VPN subnet on the VPN server, or things will break horribly. 21:06 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 21:06 -!- onats1 [n=15172@221.121.120.254] has left ##openvpn [] 21:07 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 21:32 < mrcerulean> ecrist: Is that done on the client side? 21:38 < mrcerulean> ecrist: That works when set client side. Now all traffic is routing over the VPN, which works for me. Out of curiosity, is there a setting that would only direct LAN traffic out TUN? 21:41 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 21:42 < ecrist> mrcerulean: the redirect-gateway option can be either server or client, but the NAT and routing needs to be on the other end. 21:45 < mrcerulean> ecrist: I put it on the client side and set NAT and routing on the server and all is happy. 21:47 < ecrist> glad to hear. 21:47 < ecrist> usually that option is set on server side, but as long as your server is setup for it, you're good to go. 21:50 < mrcerulean> ecrist: What I'm trying to avoid is having the (non-technical) Windows users do anything other than double-click the task tray icon. :) 21:54 < ecrist> unless there are users whom you *don't* want to redirect all traffic for, I'd put the directive in the server config 21:58 < mrcerulean> ecrist: But if I put the directive in the server config, won't I have to set routes on the client side? 22:27 < onats1> anyon heard of DNS tunneling? 
OT 22:31 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 22:33 -!- nemysis [n=nemysis@149-63.107-92.cust.bluewin.ch] has joined ##openvpn 22:59 -!- mrcerulean1 [n=chris@ppp-71-137-137-32.dsl.sndg02.pacbell.net] has joined ##openvpn 22:59 -!- mrcerulean [n=chris@adsl-69-232-76-240.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 23:25 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 113 (No route to host)] 23:34 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)] 23:43 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:44 -!- Kurogane [i=Kuro@190.53.8.79] has joined ##openvpn 23:49 < ecrist> yep 23:50 < ecrist> there was an article on hackzine today or yesterday. also covered ICMP tunnelling, iirc. 23:50 * ecrist looks for a link 23:52 < ecrist> http://thomer.com/howtos/nstx.html and http://thomer.com/icmptx/ (respectively). The hackzine article is at http://blog.makezine.com/archive/hacks/ 23:52 < vpnHelper> Title: NSTX (IP-over-DNS) HOWTO (at thomer.com) 23:52 < ecrist> mrcerulean1: not sure what you mean, but nothing special I'm aware of. 23:54 < Kurogane> Hello i have a problem with a vpn inside vpn i have *high* latency between the server and users outside vpn i got normal latency here my "network infrastructure" http://img4.imageshack.us/img4/6082/lann.jpg and here my config http://pastebin.com/d5775b24c 23:59 < ecrist> I don't understand your graphic 23:59 < ecrist> what version of openvpn are you running? --- Day changed Wed Mar 18 2009 00:04 < Kurogane> beta 00:04 < Kurogane> tested beta and stable and same 00:04 < onats1> ecrist, thanks! 00:06 < onats1> is there a quick way to test this assuming im not in an airport? 
00:14 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 00:20 < ecrist> onats1: nothing i'm aware of after a few rum and cokes 00:20 < hads> Block all traffic except DNS 00:21 -!- znoG [n=gs@host167.190-31-166.telecom.net.ar] has joined ##openvpn 00:21 < znoG> howdy 00:21 < ecrist> hi 00:22 < znoG> i've got an issue with openvpn i was hoping you guys might know what the deal is .. i've got my local lan on 192.168.1.0/24 .. then my gw on 192.168.1.254 .. there is just one remote host on 192.168.1.200 that I want to access over the VPN so I want the router (192.168.1.254) to respond (or proxy) the arp over the tunnel so that hosts on my local lan can access 192.168.1.200. 00:22 < znoG> Any ideas? 00:23 < znoG> ideally the remote lan and the local lan would be on different subnets, but unfortunately thats not the case. 00:23 -!- mrcerulean1 [n=chris@ppp-71-137-137-32.dsl.sndg02.pacbell.net] has left ##openvpn [] 00:23 < ecrist> that's fine, using bridged VPN (aka tap) 00:23 < znoG> ah, im using tun 00:23 < znoG> i think 00:24 < ecrist> aye, tap is more complicated, so tun is often recommended and used. 00:24 < znoG> yep tun 00:24 < ecrist> also, I' would caution you against the subnet you're currently using 00:24 < znoG> how i'm doing it right now is adding a static route on the machines that need access to .200 to go via the gw 00:24 < ecrist> it's WAY too common on residential and bussiness gateways by default 00:25 < znoG> yeah, i agree, problem is I can't change the subnet on either end or there would double nat everywhere 00:25 < znoG> they use 192.168.1.x here, so i would have to make my switch 10.0.0.x or whatever 00:25 < znoG> which means double nat to get out to the net 00:26 < ecrist> naw, you can use two NATs without actually being true double NAT 00:26 < znoG> ok i'll go with your suggestion and change my local subnet 00:27 < ecrist> think about it. 
one VPN subnet NATs to the internet, but is true IP to the other VPN subnet, even though the second VPN subnet also NATs to the internet. both NAT'd, but not actually double-NAT. 00:28 < Kurogane> so ecrist you have idea what causing my problem? 00:28 < ecrist> unless one is using the other for actual internet access, which means youv'e got more broken than you think. ;) 00:29 < ecrist> Kurogane: not aware of a current beta, and I still don't understand your graphic, or what problem you're having 00:31 < Kurogane> what part not understand? 00:31 < ecrist> any of it. 00:31 < ecrist> what version of software are you using, and explain your problem 00:32 < Kurogane> i'll try to resumen all 00:37 < Kurogane> if you see my crappy graphic there are server vpn and 3 pc, when pc1 connect to server vpn and ping the 'interanl ip server' in this case 10.8.0.1 i got high latency (as see in graphic) in the same pc1 if i ping the external (public ip) i got low latency between pc1 and server and if i ping between clients i have also have high latency if i ping normal (public ip) in the clients. the version i using is 2.09 client and server too 00:38 < Kurogane> hope now understand me =/ 00:39 < Kurogane> in little word inside vpn i got high latency 00:47 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 00:57 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has joined ##openvpn 00:59 < Asymmetry> Having a little bit of a routing issue. Two subnets: LAN is 10.1.1.0/24, and VPN is 10.1.2.0/24. When connected to VPN, 2.0 can talk to 1.0, but not the other way around. How would I configure my routing, and where would I do so? 01:01 < onats1> Asymmetry, i think you have to add something like this: push "route 10.0.1.0 255.255.255.0" 01:01 < onats1> on server config.. 01:01 < onats1> can you try it? 01:01 < onats1> and "client-to-client " 01:01 < Asymmetry> onats1, Would the route argument be the LAN network, or the VPN? 
01:02 < onats1> Asymmetry, the 10.0.1.0 in my case is my LAN behind the server 01:03 < onats1> wait, which one can't ping again? 01:03 < Asymmetry> onats1, VPN clients can talk to LAN systems. LAN systems can NOT talk to VPN clients. 01:03 < onats1> ahhh 01:03 < onats1> hold on 01:04 < onats1> i have something like this on my config: 01:04 < onats1> iptables -I FORWARD 1 --source 10.0.66.0/24 -j ACCEPT iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT 01:04 < onats1> where 10.0.66.0 is the VPN Client's subnet.. 01:05 < onats1> so i think you have to add some routes on your router/server... 01:05 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:05 < onats1> to forward requests to your client subnet to an interface or gateway.. 01:06 < onats1> i'm not sure though.. i did my setup last year, and am almost forgetting it.. 01:06 < onats1> did it work? 01:07 < Asymmetry> Can I add that iptables line to my server config, or do I have to enter it manually? 01:08 < onats1> i dont think you can add it in the server config. that lines on my device are in startup scripts. 01:09 < Asymmetry> Alright. 01:10 < onats1> please do tell me if it worked 01:18 -!- simplechat_ is now known as simplechat 01:22 < onats1> Asymmetry, did it work? 01:22 < Asymmetry> onats1, Unfortunately, no. I'm digging a little more into iptables. 01:22 < onats1> wait 01:24 -!- onats1 is now known as onats 01:35 < onats> Asymmetry, can you do a traceroute to your VPN client's IP? 01:35 < onats> and tell me where it stops? 01:36 < Asymmetry> onats, It never gets anywhere with it. 01:36 < Asymmetry> I just get timeouts on all hops. 01:37 < onats> where are you pinging it from? 01:37 < onats> from LAN client? 01:37 < Asymmetry> onats, One of them, yes. 01:37 < onats> it should at least get to your gateway 01:38 < onats> where's your VPN server located anyway? 01:38 < onats> is it another device on your LAN? 
01:38 < onats> or on the same device as router/gateway? 01:39 < Asymmetry> Another device 01:48 < onats> then i think your router has to have some routes to push all requests to 10.1.2.0 (vpn subnet) to that other device 01:50 < Asymmetry> I've tried that. :P I have a route set up to forward everything for the 10.1.2 subnet to the 10.1.1.2 machine. 10.1.1.2 is the IP of the LAN-side interface of the server that it's on. 01:51 < onats> and then do a traceroute from there 01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:51 < onats> it should go to your gateway, then to your 10.1.1.2 01:52 < onats> then from 10.1.1.2, you have to have a route to the interface which was assigned to the VPN... 01:52 < onats> that's how i understand it 01:54 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has quit [Read error: 104 (Connection reset by peer)] 01:54 < onats> lol 01:54 < onats> what happened 01:54 < onats> ecrist, you there? 01:54 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has joined ##openvpn 01:57 < onats> what happeneD? 01:58 < Asymmetry> onats, It don't work. :D 02:00 < onats> 'what didn't work first 02:00 < onats> were you able to traceroute? 02:03 < Asymmetry> No. 02:05 < Asymmetry> onats, here's how it's set up: 02:05 < Asymmetry> Router: Dest - 10.1.2.0, gateway - 10.1.1.2 02:06 < Asymmetry> Server: Dest - 10.1.2.0, gateway is the local system 02:06 < Asymmetry> onats, I'm going to get some sleep, and work on this some more tomorrow. 
02:06 < onats> ayt 02:06 < onats> good luck 02:07 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has quit [Read error: 131 (Connection reset by peer)] 03:52 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 04:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:06 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 06:21 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 06:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 06:46 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 101 (Network is unreachable)] 07:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)] 07:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:07 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 08:43 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has quit ["leaving"] 08:48 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 08:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:56 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 09:01 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 09:24 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 09:59 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Success] 10:09 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn 10:13 < jul_> hello, i have this error, anybody can explain me what is it ? 
:ULTI: bad source address from client [10.0.0.40], packet dropped 10:20 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 10:21 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 10:21 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: simplechat 10:27 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn 10:32 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 10:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:52 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 11:01 -!- Gumbler is now known as Gumbler|NotHere 11:01 -!- Gumbler|NotHere is now known as Gumbler 11:24 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:55 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Read error: 104 (Connection reset by peer)] 12:08 -!- jul_ [n=jul@colonel.verygames.net] has quit ["Lost terminal"] 12:46 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 13:05 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 13:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 13:47 < ecrist> I'm here now... 14:36 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 15:03 -!- skx [i=skx@unaffiliated/skx] has joined ##openvpn 15:03 < skx> Hello, I am trying to configure openvpn server on Debian and when I change server 10.8.0.0 255.255.255.0 to server 172.17.29.0 255.255.255.0 clients cannot access the Internet (as in other machines than the openvpn server) through the vpn 15:03 < skx> there is some NAT autoconfigured somewhere probably 15:03 < skx> where to look 15:03 < skx> ? 
15:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:10 -!- pmguy [n=ekjsdm@c-24-5-243-180.hsd1.ca.comcast.net] has joined ##openvpn 15:10 < pmguy> i have a question about openvpn and virtual machines 15:13 -!- skx [i=skx@unaffiliated/skx] has left ##openvpn [] 15:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:19 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn 15:20 < podman99a> hey all... suffering of noob syndrome... have my VPN connection active however unable to access the internet through it or the rest of the lan behind the host machine? 15:20 < podman99a> in simple terms or .ovpn samples? 15:24 < podman99a> !route 15:24 < vpnHelper> podman99a: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 15:29 < pmguy> !virtual machine 15:29 < vpnHelper> pmguy: Error: "virtual" is not a valid command. 15:29 < pmguy> !VM 15:29 < vpnHelper> pmguy: Error: "VM" is not a valid command. 15:29 < podman99a> Umm... thats brill for my local lan however I want to send ALL traffic through the connected VPN internet/remote lan ? 15:35 < podman99a> maybe im not explaining it correctly?... config examples/requirements for client->Server->Lan/World ?? 15:37 < Bushmills> podman99a, set up NAT/masquerading on the server. NAT the traffic from your VPN device 15:38 < Bushmills> just the same you'd do if it was a wire connection 15:44 < podman99a> Bushmills, problem is i have no idea where to look for that info .... its getting my head around the initial connection to the lan... i cant/couldnt even ping my server, however think i had ip addressing all wrong.... 15:45 < Bushmills> podman99a, iptables 15:45 < podman99a> winblows 15:45 < podman99a> just to throw a spanner in the works and only 1 interface 15:45 < Bushmills> doesn't have windows something comparable? 
15:46 < reiffert> podman99a: netfilter.org documentation, nat howto, chap 4.2 "I just want masquerading. help!"
15:46 < reiffert> ah, windows. sorry.
15:47 < reiffert> http://technet.microsoft.com/en-us/library/bb457077.aspx
15:47 < vpnHelper> Title: Overview of Network Address Translation (NAT) in Windows XP (at technet.microsoft.com)
15:47 < podman99a> lovely people... now I'll prob lose you when I try and connect... so I'll load these links ... do some tests and play for a bit... before I come back crying
15:47 < Bushmills> or does windows still use ipchains?
15:48 < reiffert> oh maybe http://www.google.de/search?q=windows+nat+service&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
15:48 < vpnHelper> Title: windows nat service - Google-Suche (at www.google.de)
15:48 < podman99a> so would I be better off moving my OVPN server to a nix box so I can use iptables for routing?
15:49 < podman99a> I can do iptables... lol
15:49 < reiffert> probably.
15:49 < Bushmills> reiffert, if I don't count FPS playing, last time I was exposed to windows was when we uploaded the GPS maps from your windows box to my GPS
15:50 < podman99a> easier to log I presume
15:50 < reiffert> easier to anything.
15:50 < Bushmills> that's so long ago, there could be iptables in windows by now :D
15:50 < reiffert> reliable.
15:50 < reiffert> working.
15:55 < podman99a> just finding a spare box I can break in my rack... when I have played I'll be back... THANKS so far ... lots of great ideas
16:00 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
16:04 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has joined ##openvpn
16:06 < ecrist> evening, folks
16:27 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has quit [Read error: 110 (Connection timed out)]
17:03 -!- iMatter [n=iMatter@unaffiliated/imatter] has joined ##openvpn
17:03 < iMatter> I'm having errors with OpenVPN
17:04 < iMatter> it keeps asking me to source the vars file
17:04 < iMatter> I did it and now when I do ./clean-all it just gives me the warning
17:04 < iMatter> I tried the ./build-ca but it's telling me to source the vars file
17:05 < iMatter> !howto
17:05 < vpnHelper> iMatter: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
17:41 -!- pmguy [n=ekjsdm@c-24-5-243-180.hsd1.ca.comcast.net] has quit []
17:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
18:00 < ecrist> iMatter: those issues are with easy-rsa
18:00 < ecrist> to source the vars file, if you're using bash, use the command
18:00 < ecrist> . ./vars
18:00 < ecrist> or source ./vars
18:00 < iMatter> did that
18:00 < iMatter> a couple times..
18:01 < ecrist> that's all you gotta do
18:01 < iMatter> same error thing
18:01 < iMatter> when I try anything else
18:06 < ecrist> what shell are you using?
18:18 < iMatter> bash
18:18 < iMatter> well the default one on Ubuntu 8.04
18:31 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
18:31 < podman99b> hey all... when I connect to my VPN server (new setup) I get a default gateway of 10.8.0.5, however my server's IP (which I can ping) is 10.8.0.1 ?? how can I set the correct gateway?
18:47 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
19:29 -!- iMatter [n=iMatter@unaffiliated/imatter] has left ##openvpn ["Ex-Chat"]
19:30 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit []
19:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:56 -!- nemysis [n=nemysis@149-63.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
19:57 -!- nemysis [n=nemysis@173-48.3-85.cust.bluewin.ch] has joined ##openvpn
20:00 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)]
21:17 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn
21:24 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)]
22:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
23:07 -!- eliasp_ [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)]
23:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:23 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:26 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 54 (Connection reset by peer)]
23:26 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:26 -!- Kurogane [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:30 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:30 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:36 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:37 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:41 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:41 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
--- Day changed Thu Mar 19 2009
00:40 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
01:13 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
01:41 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 110 (Connection timed out)]
01:41 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has joined ##openvpn
01:47 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has quit [Read error: 104 (Connection reset by peer)]
01:47 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has joined ##openvpn
01:54 < reiffert> Chrnos: fix your client please.
02:01 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
02:09 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has quit [Read error: 110 (Connection timed out)]
02:16 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn
02:18 -!- betabot is now known as simplechat_
02:26 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:58 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"]
03:25 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
03:32 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has joined ##openvpn
03:33 < podman99a> hey all... how can I set my gateway on my clients to the correct IP, my VPN server is 10.8.0.1 however my client gets assigned a gateway of 10.8.0.5
03:42 < podman99a> to help assist, here are my configs / ipconfig from my winblows client
03:45 < podman99a> and here is my route? 192.168.239.0 255.255.255.0 10.8.0.5 10.8.0.6 30
03:45 < podman99a> the IP of 10.8.0.5 does not exist?? how can I change that assignment? or make it exist
03:50 < hads> !/30
03:50 < vpnHelper> hads: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
03:50 < podman99a> hads is that for me?
03:50 < hads> Ya
03:50 < podman99a> thanks
03:50 < hads> np
03:53 < mjt> damn that fake IP on the server to which routes are assigned.. the p2p one... I wonder how to make it respond to pings...
03:54 < podman99a> hads, so I should be able to see the remote LAN then?... just I can't ping that gateway which now makes sense... time to check my routing is correct .. Thanks
03:54 < podman99a> !route
03:54 < vpnHelper> podman99a: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:56 < podman99a> Oops! This link appears broken. ... damn, was working yesterday
03:56 < podman99a> google cache rocks
04:03 < podman99a> yea still unable to ping my remote LAN ... 192.168.239.100 is a server I know exists
04:07 < mjt> . o O { tcpdump }
04:07 < podman99a> can someone please check that pastebin then slap me up a little.... I'm unable to access remote stuff like I would expect
04:08 < podman99a> 09:08:14.544307 IP 10.8.0.6 > 192.168.239.100: ICMP echo request, id 1, seq 23014, length 40 .... but no response
04:08 < mjt> does it arrive on the other end?
04:09 < mjt> i.e., follow the path and see where it breaks.
04:09 < podman99a> tracert?
04:09 < mjt> tcpdump
04:09 < mjt> tcpdump -npi $interface proto ICMP
04:10 < mjt> unless... your other machine is windows.
04:10 < mjt> in which case it becomes more complicated.
04:10 < podman99a> my client is winblows, server is ubuntu
04:11 < mjt> well, there is windump but I failed to run it the few times I tried.
04:11 < mjt> <== not a 'doze expert....
04:11 < podman99a> ah ... HANG ON..... ok... let me explain...
04:12 < podman99a> my vpn server is assigned an internal LAN IP of 192.168.239.200 (I can ping this and get responses)... however my exchange server is on the same remote LAN with 192.168.239.100 and I'm unable to ping that.
04:12 < mjt> no... I'll go eat something first... ;)
04:13 < podman99a> hehe it's only other hardware within the remote LAN I can't access, the server is ok but nothing else works... this is something simple, however, that's why I can't do it lol
04:30 < Bushmills> mjt> does it arrive on the other end?
04:33 < podman99a> the ping request gets to the vpn server but goes no further
04:47 < dazo> podman99a: check your routing and firewall ... also on the clients you try to reach on the other network (via VPN)
04:48 * dazo did a read-up
04:49 < dazo> podman99a: are you saying that ping packets from vpn-client -> vpn-server -> exchange server ... goes fine, from exchange server -> vpn-server, goes also fine ... but from vpn-server -> vpn-client fails?
04:49 < dazo> podman99a: if that's the case, you either have a routing and/or firewall issue on the vpn server
04:53 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
04:56 < podman99a> only pinging from client to stuff..... so client->server (PING OK) ... client->Server->otherhost (Fails)
04:58 < podman99a> any posts for routing from the server to other stuff ... I'm guessing iptables and route add?
05:15 < dazo> podman99a: that's a classic routing and/or firewall issue (including wrongly configured NAT)
05:16 < dazo> podman99a: you're guessing right ... remember that routes can also be set in openvpn configs as well
05:18 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
05:22 < podman99a> dazo, great news, I'm not far from working ... however... any docs which would help me with my routing issues?
05:23 < dazo> podman99a: have you looked at !route?
05:23 < dazo> !route
05:23 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:23 < podman99a> thought you would say that ... lol... been through that several times and can't work it out... but ... if at first you don't succeed etc...
05:24 < hads> ip_forward
05:27 < dazo> podman99a: hads mentions something I had forgotten .... check if /proc/sys/net/ipv4/ip_forward is set to 1 ...
05:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:34 < podman99a> dazo, ip forwarding = 0
05:34 < dazo> podman99a: that's your problem
05:34 < dazo> podman99a: echo 1 > /proc/sys/net/ipv4/ip_forward
05:35 < dazo> podman99a: you might also want to edit /etc/sysctl.conf as well to enable it at boot time
05:36 < Bushmills> NAT: http://scarydevilmonastery.net/masq
05:37 < podman99a> Bushmills, mynet = (MY REMOTE LAN IPs).....
05:37 < podman99a> ?
05:37 < Bushmills> what are "remote LANs"?
05:38 < Bushmills> LAN = local area network
05:38 < podman99a> the VPN server side LAN
05:38 < podman99a> not my client LAN
05:40 < Bushmills> server does NAT for packets coming from MYNET
05:40 < podman99a> umm..... iptables v1.3.8: Couldn't load target `MASQUERAD':/lib/iptables/libipt_MASQUERAD.so: cannot open shared object file: No such file or directory
05:40 < podman99a> my bad on last error
05:41 < Bushmills> why don't you read what you typed (and spot possible mistakes) before you paste it in here?
05:41 < podman99a> I copied from that site... fixed now...
05:42 < Bushmills> well, it says " -j MASQUERADE" there
05:42 < podman99a> ok I'm guessing I'm missing a route somewhere as my pings from client hit the server but don't hit the LAN
05:43 < dazo> podman99a: are you sure you really want MASQ? .... it's usually not needed at all for VPN to an internal network
05:44 < dazo> podman99a: and it adds just more complexity
05:44 < Bushmills> he wants to see networks behind the vpn server
05:44 < podman99a> I'm not sure what I need... all I know is packets are hitting the server and not going any further ... I need to be able to access the whole server LAN from the client
05:45 < Bushmills> there was mention of default route through vpn
05:46 < podman99a> my route on client says 192.168.239.0/24 > 10.8.0.5
05:47 < dazo> Bushmills: yeah, but that's no reason to add MASQ as well ... it's all about routing
05:48 < dazo> podman99a: is your openvpn server also the default gateway on your internal network?
05:49 < podman99a> yes through the virtual address of .5
05:49 < dazo> so your internal network uses .5 as default gateway ... and your openvpn server uses .5 on the internal interface?
05:50 < podman99a> no ... sorry, just understood the lingo and changing default gateway on that interface.... as you can see... noob and 1st time setup
05:51 < dazo> podman99a: being a noob and first setup is no limitation for learning new things ;)
05:51 < podman99a> getting there... although now that machine has disappeared... whoops
05:52 < dazo> podman99a: okey ... in that case, since the default gateway is another host .... you need to add the VPN route on your default gateway, pointing at your openvpn box
05:52 < dazo> podman99a: so if your VPN network is 10.8.0.0/255.255.255.0 .... you'll need a route like this: route add -net 10.8.0.0 netmask 255.255.255 gw x.x.x.5
05:53 < dazo> and that route needs to be on your default gateway .... some routers do not like that, or do not process it properly ... and then you can work around that with just adding that route on your hosts which you want to be available via VPN
05:53 < podman99a> AHH.. ok anyone know how to remove all routes .... ?
05:54 < podman99a> box not accessible from outside world... but works internal so need to remove routes and get back to working state
05:54 < dazo> podman99a: you'll need to pick them down one by one :(
05:55 < podman99a> iptables -L lists no routes
05:56 < dazo> podman99a: iptables does not do anything with routing ... that's firewalling
05:56 < dazo> podman99a: you need to look at the route command
05:57 < podman99a> yea I've removed routes by stopping openvpn but didn't resolve... am restarting networking and see if it comes back
05:57 < Bushmills> I suggest some reading up on networking, routing, and NAT in general
05:58 < dazo> Bushmills: using NAT in VPN .... is a horrible hack if you do not understand the basic concepts of routing
05:59 < dazo> podman99a: did you also remove your original default gw? That will stop resolving
05:59 < Bushmills> dazo, again, this is meant in combination with the vpn server also being meant as the wan gateway, and going there through default route
05:59 < podman99a> ok that's back up ... now to test routing
06:00 < dazo> Bushmills: if you want to redirect traffic from VPN and out "to the world" .... I agree, NAT is needed .... but for the traffic hitting the internal network from VPN, NAT should not be used at all, IMHO
06:02 < Bushmills> dazo, podman meant to connect to wan through the vpn server
06:02 < podman99a> ok so my server needs route to LAN --- 192.168.239.0(Dest) - 10.8.0.2(gateway)
06:03 < Bushmills> at least, that was still the intention yesterday
06:03 < dazo> podman99a: let's get things clear now .... which network segments do you have ... and where?
06:04 < podman99a> Client 192.168.1.0/24 -- VPN Network 10.8.0.0/24 -- ServerNetwork 192.168.239.0/24
06:04 < dazo> podman99a: Client is the side of the VPN client?
06:04 < podman99a> yes
06:04 < dazo> podman99a: and you want the VPN client to access ServerNetwork only?
06:05 < dazo> via the VPN
06:05 < podman99a> yes (proxy will do rest later so no need for nat)
06:05 < dazo> podman99a: perfect
06:06 < dazo> podman99a: then you need on your default gateway .... route add -net 10.8.0.0 netmask 255.255.255.0 gw
06:07 < dazo> podman99a: if that route on your default gw does not work .... you will also need that route on your internal boxes which you want to be exposed for the VPN clients
06:08 < dazo> podman99a: on your VPN client ... in the config .... you can add this line: route 192.168.239 255.255.255.0 10.8.0.2
06:08 < dazo> whoops .... missing something
06:08 < dazo> route 192.168.239.0 255.255.255.0 10.8.0.2
06:09 < dazo> (I presume that 10.8.0.2 is the IP address which is the "other side" of the VPN tunnel on your VPN client)
06:10 < podman99a> those routes are in place as standard... I believe from my ovpn config
06:12 < podman99a> http://pastebin.ca/1365149
06:12 < podman99a> my routing when connected to vpn
06:16 < dazo> dr-peper is your openvpn server?
06:17 < podman99a> yea
06:17 < dazo> 192.168.239.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 <<--- then this route should not be there
06:17 < dazo> you don't want to route traffic aimed for your local network back to your VPN tunnel :)
06:17 < podman99a> ok, that I'm guessing is on the server, so I need to remove that from the VPN server.conf file?
06:19 < dazo> podman99a: probably, if that's where you added it
06:20 < dazo> podman99a: except for that, the routing seems fine .... you also most probably do not need this route on your server as well
06:20 < dazo> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
06:20 < dazo> if you do, that should be an iroute in the client config
06:25 < podman99a> that last route is for server to communicate with client ... I believe, in which case allows me remote access to connected clients from server??
06:25 < podman99a> OHHHHH
06:26 < dazo> podman99a: if you want to access the VPN client (initiate the contact) from the server side network ... then it needs to be an iroute in the client config to make it work
06:26 < podman99a> yea I have an iroute... and due to your pure genius I can ping network
06:26 < podman99a> now to try the other way
06:28 < podman99a> ok I can't get from server to my client's LAN... which would be the iroute yea?
06:29 < dazo> podman99a: that's correct
06:30 < dazo> podman99a: but remember to also check your firewall settings on your openvpn client then
06:30 < podman99a> iroute 192.168.1.0 255.255.255.0 -<< is in my ccd/client1 file?
06:30 < dazo> podman99a: ahh ... almost
06:31 < dazo> podman99a: since that's on the server side .... you'll need to use push ...... push "iroute 192.168.1.0 255.255.255.0"
06:32 < dazo> podman99a: I initially meant in the config file on the physical openvpn client .... but by using push, you can push things to the client config from the openvpn server config
06:38 < podman99a> dazo, but is the server being able to see the client LAN a routing thing for the server
06:39 < dazo> podman99a: need to run ... back in an hour
06:39 < podman99a> k thanks ... a great help... pleasure speaking to you
06:40 < dazo> podman99a: you will of course need to add extra routes on your default gw for the 192.168.1.0 ... and set your VPN server as the gateway
06:40 < dazo> podman99a: np! A pleasure to help!
06:50 < podman99a> ok... anyone else... this one less technical... lol... can I make openvpn connect to vpn server before login screen on windows 2k+ server ... as I'm going to try hosted AD
07:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:06 < mjt> try running it as service
07:07 < mjt> (just enable it -- it's already there)
07:07 < podman99a> cool.... mjt, how can I give that client a static IP address through the VPN save using the vpn DHCP ... ccd/client2 ..??
07:07 < ecrist> morning, kids
07:08 < mjt> podman99a: is it a question, or an answer?
07:08 < mjt> Hi ecrist
07:08 < ecrist> howdy
07:09 < podman99a> hopefully both?
07:09 * mjt is fighting with IBM's support today...
07:19 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
07:21 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
07:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:46 -!- gebi [n=gebi@84-119-57-55.dynamic.xdsl-line.inode.at] has joined ##openvpn
08:46 < gebi> hi all :)
08:47 < gebi> how can I configure openvpn on the client side with auth-user-pass, but without pull
08:47 < ecrist> gebi: not sure what you mean, exactly
08:48 < gebi> with pull openvpn gets a wrong route setup from server and kills my internet connectivity
08:48 < gebi> but it says I need pull in order to use auth-user-pass
08:48 < gebi> can I somehow ignore the pushed routes from the server in openvpn?
08:52 < ecrist> don't think so.
08:55 < mjt> ecrist: btw, that 'node unreach' ICMP code is not being returned by openvpn (when the IP address belongs to some client but that client isn't connected)
08:56 < mjt> so someone has to write code to do that ;)
09:17 < ecrist> mjt: have at it. ;)
09:17 < CybDev> 'route-nopull'
09:18 < CybDev> read the manpage :-)
09:19 < gebi> CybDev: hm... nopull doesn't give a single match in http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
09:19 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
09:19 < CybDev> http://openvpn.net/index.php/documentation/manuals/openvpn-21.html
09:19 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
09:19 < CybDev> not in 2.0 no
09:20 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
09:21 < gebi> for 2.0 I've just started openvpn in its own namespace and changed the ip binary to a wrapper script which just returns true for every ip route invocation ;)
09:21 < gebi> CybDev: thx :)
09:21 < CybDev> you didn't say which version you were running :P
09:21 < gebi> np, it's easier to upgrade
09:22 < CybDev> I suppose so
09:28 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
09:33 -!- srg [n=srg@dsbg-4db5624d.pool.einsundeins.de] has joined ##openvpn
09:37 < ecrist> ugh, I hate building mail servers.
09:42 -!- srg is now known as SubZero273
09:56 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
10:03 < podman99a> wow all ... I'm back... bad news... lol
10:04 < podman99a> I am unable to route from my LAN (vpn) to my client, any ideas?
10:04 < CybDev> topic?
10:05 < podman99a> I think I need to set a default gateway for the 192.168.1.0 range, however as my LAN is winblows (in this case) setting up the route causes all kinds of errors, mainly unable to create route
10:06 < dazo> podman99a: you should never ever change the default route unless you want all kinds of traffic through your tunnel
10:07 < podman99a> no I've left them alone since the 1st error.... so my box has a default IP of 213.146.186.xxx and secondary IP of 192.168.239.100, my client has an IP of 192.168.1.67, I can ping box from client but not other way
10:08 < dazo> podman99a: would you be willing to share your configs with us?
10:08 < dazo> !configs
10:08 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:08 < dazo> podman99a: both server (including --ccd's) and client
10:12 < podman99a> dazo: http://pastebin.ca/1365308
10:12 < podman99a> thanks loads
10:13 < CybDev> err
10:13 < dazo> podman99a: first comment ... in server config .... you have push "route 192.168.1.0 255.255.255.0" .... this will cause problems
10:13 < CybDev> you have route directives in the server conf?!
10:13 < dazo> podman99a: change that to push iroute
10:14 < dazo> CybDev: what's wrong about that? In many cases that's fine
10:14 < dazo> podman99a: I saw your iroute in addition .... just remove the first push route
10:14 < podman99a> dazo: removed now
10:14 < dazo> podman99a: and you must also remove the route 192.168.1.0 255.255.255.0
10:15 < podman99a> this is still server yea
10:15 < podman99a> k done
10:15 < dazo> podman99a: yes, in server
10:16 < dazo> okey ... now you can try and see how it works
10:16 < dazo> podman99a: sorry
10:16 < dazo> podman99a: you have one more issue ... the very last iroute in the config (line 33), remove that one too
10:17 < podman99a> k removed, testing now
10:19 < CybDev> ah, my bad, I never thought of using it that way
10:19 < dazo> CybDev: np! :)
10:19 < podman99a> Client: ping OVPN Server OK -- ping InsideLan box OK
10:20 < podman99a> Server: Ping client FAIL -- InsideLan box ping client FAIL
10:20 < dazo> podman99a: so you cannot ping your internal LAN from your openvpn server?
10:20 < podman99a> yes internal LAN can ping vpn server
10:20 < podman99a> internal LAN cannot ping client
10:21 < CybDev> those windows boxes with the firewall enabled?
10:21 < podman99a> firewall off
10:21 < dazo> podman99a: also on the TAP interface in Windows?
10:21 < podman99a> completely
10:21 < podman99a> I hate windows firewall... never use it
10:21 < dazo> podman99a: so you are also saying that the openvpn server cannot ping your VPN client?
10:22 < dazo> podman99a: well ... in Windows you _should__definitely_ use it .......
10:22 < dazo> even if it's horribly inflexible ... but it's still better than nothing
10:22 < CybDev> unless you use some other software
10:22 < CybDev> how does openvpn like zonealarm and such?
10:23 < podman99a> my routes: http://pastebin.ca/1365311
10:23 < podman99a> to the outside world I have a cisco so no one gets in on anything other than std web ports... a patch for a bigger problem, but it works
10:24 < podman99a> only full access client is my office LAN
10:24 < dazo> podman99a: your ovpn server routes look very fine
10:25 < dazo> which IP address do you use to ping your client?
10:25 < podman99a> my client is 192.168.1.67, which is my internal IP range
10:25 < dazo> podman99a: can you try to ping the ovpn IP address the client has?
10:26 < dazo> from both openvpn server and the other internal LAN clients?
10:26 < podman99a> ovpn server OK, internal LAN FAIL
10:26 < podman99a> 10.8.0.6 is what I pinged
10:27 < dazo> sounds good ... that means that your windows box does not route traffic from its TUN/TAP device to the proper interface on your windows box ... that's probably why it doesn't work
10:28 < podman99a> windows box does not have tap device??... tap/tun is my ubuntu box
10:28 < podman99a> or are we talking "client"
10:29 < podman99a> it's the RC stuff from ovpn site... so hope so lol
10:29 < dazo> podman99a: sorry, the openvpn client yes
10:29 < podman99a> umm... fix?
10:29 < dazo> podman99a: what kind of OS do you have on your client?
10:30 < dazo> podman99a: somehow I thought it was Windows ... but I might be wrong
10:30 < podman99a> *COUGH* vista *COUGH*
10:30 < dazo> podman99a: yeah, I thought I had caught that already
10:31 < podman99a> TAP-Win32 Adapter V9
10:31 < dazo> podman99a: okey ... I'm not a windows person at all .... I've tried Vista 5-6 times in my life .... so I know close to nothing about it
10:31 < dazo> podman99a: you might want to try one thing
10:31 < podman99a> do tell...
10:31 < dazo> which I overlooked now
10:32 < dazo> dazo: run this command in a command line on your openvpn server: route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.2
10:32 < dazo> and try pinging the 192.168.1.x address from the openvpn server
10:34 < podman99a> tcpdump shows the request but no reply
10:34 < dazo> podman99a: on which interface did you run tcpdump?
10:34 < podman99a> tun0
10:34 < podman99a> sorry, on server not client that was
10:35 < dazo> podman99a: that's fine ... if you run tcpdump -i tun0 on the server .... and you see ICMP ECHO request going on the tunnel without response back .... it means that the routing on the openvpn server is correct
10:35 < dazo> podman99a: but Vista does not respond to it
10:35 < podman99a> bastards
10:35 < podman99a> lol
10:36 < podman99a> so would a tcpdump .. thing on windows help?
10:36 < dazo> podman99a: can you, just to be sure, try to ping the 192.168.1.67 (your Vista IP addr) on the Vista box?
10:36 < podman99a> replied
10:36 < podman99a> tap adapter I'm guessing?
10:36 < dazo> podman99a: maybe ... you could see what happens on both the TUN/TAP interface ... and on the eth0 of Vista
10:37 < dazo> podman99a: that's probably the right IP answering, the physical interface ... so that means ping is enabled on that IP addr ... that was what I tried to make sure was enabled
10:37 < podman99a> does it matter that in the advanced settings for the tap adapter I have no mac address ... grasping at straws
10:38 < dazo> podman99a: nope, not important when you run in TUN mode
10:38 < podman99a> it does anyway, just gui says it doesn't....
10:38 < dazo> podman99a: you'll need to figure out how to enable routing in vista
10:38 < podman99a> I can modify routes in vista
10:38 < dazo> podman99a: if you figure out that .... ping from openvpn server should work
10:39 < podman99a> what would I be looking to do ... route from 10.8.0.6 to 192.168.1.0
10:39 < dazo> podman99a: this is not a routing table issue ... this is to enable IP traffic forwarding, to be precise
10:39 < podman99a> ah oic
10:39 < dazo> podman99a: you have the needed routes ... so this is kind of a /proc/sys/net/ipv4/ip_forward setting for Vista, kind of
10:40 < podman99a> would bridging the 2 connections solve that?
10:40 < podman99a> the tap and eth
10:42 < dazo> podman99a: that would be a solution ... but then you need to change your openvpn config to TAP
10:43 < dazo> podman99a: but that's more a hack around the proper solution ... but I also assume Vista can do basic routing
10:43 < podman99a> ah ... think I have found the enable routing in vista
10:43 < dazo> podman99a: what did you find?
10:45 < podman99a> set IPEnableRouter=0x01 in the registry HKLM\System\CurrentControlSet\Services\TCPIP\Parameters. Note: the default value is 0.
10:45 < podman99a> still no reply though
10:46 < podman99a> plodding on through google
10:46 < dazo> podman99a: that sounds right .... but you might need further help from Windows/Vista gurus now .... as I've said earlier, I'm not that .... I'm more deeper into Linux :)
10:49 < podman99a> no winbloz gurus in here then no? lol
10:50 < dazo> podman99a: there are some .... but I've forgotten who it was .... :-P
10:50 < podman99a> man that room sucks... ##windows seems an antivirus nightmare.... why won't someone make evolution easily exchange compatible and I'd be using linux full time lol
10:52 < dazo> podman99a: evolution is not the evolution it should be .... more unstable than outlook, even without the exchange plugin .... but evolution can connect to exchange now, but I don't remember if OWA must be enabled on the server
10:53 < podman99a> yea must be but ... it's such a mission...
10:54 < dazo> podman99a: you have also the openexchange project too ... not sure about the progress though
10:54 < podman99a> dazo: sucks... too complex
10:54 < podman99a> dazo: exchange server has lovely interfaces and management tools (although slow) lol
10:55 < podman99a> AND NO ROUTING lol
10:55 < CybDev> screw exchange, use online collaboration tools instead :-)
10:55 < podman99a> comment of the day "if you're using vista and know what IP routing is there is a problem"
10:55 < ecrist> this isn't #windows-bashing
10:56 < CybDev> no, #exchange-bashing !
10:56 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
10:57 < podman99a> anyway ... enable routing on vista... any vpn/windows nerds in
10:57 < ecrist> podman99a: what are you trying to do?
10:58 < podman99a> enable routing in vista... apparently I have to reboot ... so I'll be back
10:58 < dazo> ecrist: ping from server to client's internal network is not replying
10:58 < podman99a> 2 mins peeps
10:59 < ecrist> has !route been referenced?
10:59 < dazo> ecrist: yes
11:00 < dazo> ecrist: I've helped him through the config ... all routes and config is sane now .... and tcpdump on openvpn server sees the ICMP ECHO req on the tun0 interface, but no reply
11:00 < dazo> ecrist: and firewall is disabled
11:01 < CybDev> can you ping the vpn client from the LAN computer at all?
11:01 < CybDev> and to the LAN interface, not the IP it gets on the tun interface
11:01 < ecrist> and the client LAN has a route for the VPN subnet?
11:02 < dazo> CybDev: podman99a tried to ping the VPN IP address from server and it answered .... from client pinging local net IP and VPN IP worked
11:02 < CybDev> what's the default gw on that LAN?
11:03 < dazo> ecrist: VPN client can ping servers behind the openvpn server
11:03 < CybDev> is it the vpn client, or some other box?
11:03 < dazo> CybDev: ^^
11:03 < ecrist> that's not what I asked.
11:03 < ecrist> do other computers on the client LAN have a route to the VPN?
11:03 < dazo> CybDev: default gateway issues should also be fixed and covered
11:03 < CybDev> is the LAN computer using the vpn client as a default gw?
11:04 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has quit []
11:04 < dazo> ecrist: we're not that far .... seems his client is a roadwarrior .... but he wants network behind the openvpn server to access the openvpn client
11:04 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has joined ##openvpn
11:05 < CybDev> that requires routes to be in place on the network behind the openvpn server
11:05 < dazo> CybDev: nope ... but it has explicit route to the VPN tunnel .... as I said earlier, openvpn client can ping machines behind the openvpn server ... it's the other way around which is the issue
11:06 < CybDev> ok, so if I get this right
11:06 < dazo> CybDev: and we see traffic reaching the tun0 interface on the openvpn server .... but no reply back from the openvpn client on the tun0 interface
11:07 < dazo> CybDev: my conclusion is that the Vista box does not forward IP traffic between the interfaces
11:07 < CybDev> is the vista box the vpn server or the client?
11:07 < CybDev> I'm confused
11:07 < dazo> CybDev: the client
11:08 < CybDev> didn't he post the routing tables somewhere?
11:08 -!- SubZero273 [n=srg@dsbg-4db5624d.pool.einsundeins.de] has quit ["Konversation terminated!"]
11:08 < dazo> Vista/openvpn client <---> Ubuntu/openvpn server <---> (LAN) <---> internal server
11:08 < dazo> CybDev: he did pastebin it yes
11:09 < CybDev> and there is a LAN behind the openvpn client as well I take it?
11:09 < dazo> http://pastebin.ca/1365311
11:09 < CybDev> thanks
11:09 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has joined ##openvpn
11:10 < dazo> CybDev: That I really do not know explicitly ... but I presume so, as that IP address is 192.168.1.67
11:10 < podman99a> hey all ... routing appears to be enabled now ... according to ipconfig /all
11:10 < dazo> (yeah, I know ... bad range ... but there's no conflicting zones here)
11:10 < podman99a> wow you're talking about me
11:10 < dazo> podman99a: yeah, I've been updating some other people here :)
11:10 < CybDev> mm-kay
11:10 < podman99a> cool
11:11 < CybDev> and can the client ping the openvpn server at all?
11:11 < podman99a> yes
11:11 < CybDev> and the server can ping the client's tun IP?
11:11 < CybDev> but not the client's LAN IP?
11:11 < dazo> podman99a: you can take over the answers here ...
11:11 < dazo> CybDev: that's my impression yes
11:11 < podman99a> in my case I believe that to be 10.8.0.6, if so then yes
11:12 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:12 < CybDev> run 'ipconfig /all' on the windows boxes (I wonder if that command still is around in vista? :P) and 'ip a sh' on the linux server?
11:13 < CybDev> just after the IP for LAN and vpn interfaces
11:13 < podman99a> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 <-- is my ovpn route to my client
11:14 < podman99a> 10.8.0.6 on client, .1 on server, however server uses virtual IPs 2-5 for windows clients
11:16 < CybDev> um
11:16 < CybDev> maybe I'm a bit rusty on those tun devices
11:17 < CybDev> but shouldn't the route be using 10.8.0.6 as a gateway to reach 192.168.1.0/24?
11:17 < dazo> CybDev: they're confusing .... you have different p-t-p addresses on client and server, usually .... unless topology /30 is used, iirc
11:20 < CybDev> still got that url for the config paste as well?
11:21 * CybDev increases buffer size on his irc client while he's at it :P
11:21 < podman99a> however just noticed i can't ping the Server Lan from client, however can ping the server
11:21 < podman99a> http://pastebin.ca/1365308
11:21 < podman99a> but that's old configs now
11:21 < dazo> podman99a: does that reflect changes we did?
11:22 < podman99a> na ... will paste new
11:22 < dazo> podman99a: server config is all we changed ... so that should be enough
11:23 < podman99a> http://pastebin.ca/1365348
11:25 < dazo> CybDev: we did add one more manual route at the end .... route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.2 on the openvpn server
11:25 < CybDev> i'm curious as to that 10.8.0.2 thing
11:25 < CybDev> which interface actually has that address?
11:26 < dazo> CybDev: that should be the interface for 10.8.0.0/24 network
11:26 < podman99a> CybDev: tun0 = 10.8.0.1 (2-5)
11:30 < CybDev> 2-5?
11:30 < CybDev> grmbl
11:30 < CybDev> !/30
11:30 < vpnHelper> CybDev: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
11:30 < podman99a> my client's dhcp server/gateway is .5
11:35 < CybDev> i still can't make sense of that 10.8.0.2 route... if i understand it correctly, the openvpn server has an "iron" ip 10.8.0.1 and "virtual" 10.8.0.2, but that's just between the openvpn and server stack, now according to the manual the first available range for a client is 10.8.0.4/30, which assigns .5 to a fake dhcp server, and .6 to the client (4 and 7 lost in net/bcast) -> shouldn't the gw statement be either 10.8.0.1 or 10.8.0.6?
11:36 < CybDev> but hey, i've been wrong before :P
11:36 < CybDev> in fact, i usually can't get those things right, which is why i went with the good old tried and tested tap/bridge model ^^
11:38 < podman99a> i would use tap/bridge but would i not need 2 nics on the server?
11:39 < ecrist> no, you wouldn't
11:39 < dazo> podman99a: no, not at all
11:39 < CybDev> it just sets up a virtual subnet on vpn only
11:39 < dazo> podman99a: but it's more overhead on the traffic on the VPN tunnel
11:39 < CybDev> how you choose to use it is ofc up to you
11:40 < ecrist> CybDev: I've stopped trying to wrap my head around how OpenVPN does some routing. generally, routes will point to the other end of a client's /30
11:40 < CybDev> on the client the "destination" should be the first available address on the /30 net afaik?
11:41 < CybDev> so it should be the other way around when coming from the server?
11:41 < podman99a> ok... someone point me in the right direction and i'll setup bridging tonight and play
11:41 < dazo> podman99a: you don't need bridging to use tap ....
11:41 < dazo> podman99a: but tap can enable bridging if you want that
11:48 < podman99a> ??... now im getting lost again... should i use routed or bridged?
11:51 -!- Zeti [n=gs@e180031019.adsl.alicedsl.de] has joined ##openvpn
11:51 < Zeti> hi folks
11:51 < Zeti> almost everything is running fine
11:51 < CybDev> http://pastebin.ca/1365369 <-- granted i've never mixed in your stuff with iroutes and such on it, this just adds an extra virtual subnet, used for some gaming stuff i think (h00ray for multiplayer games that work without cracks on the same subnet :P)
11:51 < Zeti> only redirect-gateway makes some problems
11:52 < Zeti> no matter what the client always reports Thu Mar 19 17:49:41 2009 ROUTE default_gateway=192.168.0.1 with it being my router and not the server
11:52 < Zeti> any ideas where to take a look?
11:53 < dazo> podman99a: aim for routed ... that's the easiest, and that can also work over TAP
11:57 < podman99a> ok ... so CybDev is your pastebin link there for my benefit?
11:58 < diegoviola> hi everyone... is there a way that a lan and a vpn could interact together, between the two... applications on it, etc
11:59 < CybDev> i don't know podman99a, like i said i've never tried it with iroute etc...
11:59 < CybDev> that particular config (on different nets and such ofc) does all such things via iptables and nat
12:05 < podman99a> ok well making my way home now so i'll have a play tonight and see what i can do ...
12:05 < podman99a> thanks
12:05 -!- CybDev [i=cybdev@unaffiliated/cybdev] has quit [Read error: 60 (Operation timed out)]
12:09 -!- Zeti [n=gs@e180031019.adsl.alicedsl.de] has quit ["Verlassend"]
12:10 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 145 (Connection timed out)]
12:10 -!- CybDev [n=cybdev@unaffiliated/cybdev] has joined ##openvpn
12:15 < CybDev> if it wasn't so cheap i'd switch coloc provider in the blink of an eye :-/
12:15 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has quit [Read error: 60 (Operation timed out)]
12:19 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has quit [Read error: 104 (Connection reset by peer)]
12:20 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has joined ##openvpn
12:31 < Bushmills> diegoviola, yes. pinging one from the other is a way of interaction.
12:34 < diegoviola> Bushmills: so lan and vpn is perfectly interactable?
12:35 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection]
12:37 < Bushmills> yes, sure
12:38 < Bushmills> it helps viewing vpn as wire, and the interface as ... interface
12:39 < diegoviola> yep, thanks
12:40 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
12:44 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
12:46 < mjt> what's the way to assign an IP address to a given client without PUSHing it?
12:46 -!- waKKu [n=vaKKu@unaffiliated/wakku] has joined ##openvpn
12:46 < waKKu> hi folks..
12:47 < waKKu> what is the right command to perform after logrotate for openvpn.log ?
12:47 < waKKu> my new logs are getting empty :(
12:48 < mjt> i'd say it's --syslog
12:49 < waKKu> hm.. no
13:02 < CybDev> have to agree with mjt on that one :P
13:16 < dazo> waKKu: to do log rotates, you most probably need to restart the openvpn process after rotating the file .... and if that's not a good approach, logging via syslog is the way to go, and to let syslog handle log rotation
13:20 < waKKu> dazo thanks.. i found an option on logrotate "copytruncate" that says it works with this case
13:21 < waKKu> but syslog is a better option, sure.
13:50 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
13:56 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn
13:59 < hagna> would you call vpn without encryption a vlan?
13:59 < hagna> can I do that with openvpn?
14:05 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
14:05 < podman99a> hey all ... bad news im back
14:05 < ecrist> dammit
14:05 < hagna> rats
14:06 * ecrist kills himself
14:06 < podman99a> gonna do some tests to work out where im at then i'll be back for help! lol
14:07 < podman99a> ok ... client can ping vpnserver and vpnserver lan, vpn server is unable to ping my client's remote lan
14:07 < podman99a> sorry ... my client (ignore remote lan)
14:08 < ecrist> podman99a: do you have iroute setup?
14:08 < podman99a> prob not but i'll check ... i know i did but advice here said not to... one min
14:08 < podman99a> push "iroute 192.168.1.0 255.255.255.0" is the only iroute i have and that's in ccd/client1
14:09 < ecrist> and client1 is the client with the LAN issue?
14:09 < podman99a> client1 is my vpn client which cannot be pinged from the VPN
14:09 < ecrist> do you have client-to-client enabled on the server?
14:10 < podman99a> yes
14:10 < podman99a> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 ---- is the route to client on VPNServer
14:10 < ecrist> the vpn server cannot ping the vpn ip of client1?
14:11 < podman99a> vpn ip of client being my 192 range assigned by my router or my 10.8.0.?? address assigned by the VPN?
14:11 < ecrist> VPN ip would be the IP address for the VPN. :\
14:11 < podman99a> the vpn server can ping the 10.8.0.6 address of client1
14:12 < ecrist> ok, what is the 192 ip for client1?
14:12 < podman99a> 192.168.1.67 which is client-side lan ip address
14:12 < ecrist> can you ping that address from the VPN server?
14:12 < podman99a> no
14:13 < ecrist> what OS is that system?
14:13 < podman99a> vista
14:14 < ecrist> do you have ip forwarding enabled?
14:14 < podman99a> IP Routing Enabled. . . . . . . . : Yes
14:14 < ecrist> windows firewall enabled or no?
14:14 < podman99a> Off
14:16 < ecrist> hrm
14:16 < ecrist> vista *is* the devil
14:16 < podman99a> yea but ubuntu does not support my tablet pc very well... else i'd be using that lol
14:17 < podman99a> but that's another story... this should work?? i think?
14:17 < ecrist> well, your problem appears to be a routing issue on client1, not routing traffic between 10.8/x and 192/x
14:18 < ecrist> see this: http://www.computing.net/answers/networking/how-to-connect-two-different-subnets/4545.html
14:18 < vpnHelper> Title: How to connect two different subnets (at www.computing.net)
14:19 < podman99a> reading now
14:19 < ecrist> I think you've got that covered, but worth a shot.
14:19 < ecrist> I think your issue is OS-level, at the least.
14:20 < podman99a> could the beta openvpn (the vista one) have a broken tap driver?
14:21 < ecrist> doubt it
14:21 < ecrist> you can communicate with the VPN. it's a routing issue, not a TAP issue
14:21 < podman99a> k
14:21 < podman99a> downloading wireshark for vista see if i can see a problem
14:22 < ecrist> podman99a: your issue is vista is not forwarding packets from one interface to the other
14:22 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: worch, pa
14:22 < ecrist> from another machine on client1's LAN, can you ping 10.8.0.6?
14:22 < podman99a> ecrist: and hopefully with an error or bounce?... unless vista is (and very likely) screwed ... may give me something to google for
14:22 -!- Netsplit over, joins: worch, pa
14:25 < ecrist> totally separate, http://www.microsoft.com/mac/products/remote-desktop/default.mspx
14:25 < vpnHelper> Title: Connect Across Platforms with Remote Desktop Connection | Mactopia (at www.microsoft.com)
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:10 < podman99a> ok... still no luck peeps
15:10 < ecrist> podman99a: throw out vista
15:11 * podman99a moans at ##ubuntu to make hptouchsmart tx2 more compatible with touch screen
15:12 * ecrist points out this is ##openvpn
15:16 < podman99a> soo.. does this work ok with XP or 2008Server?
15:25 < ecrist> should work OK on XP
15:36 < podman99a> no news on 2k8
15:36 < podman99a> ok ... well... im gonna try my updates and see if i can make this work on ubu
15:37 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit []
15:37 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
15:42 < mjt> so.. any way to configure an IP address on a server for a client without actually pushing it?
15:43 < mjt> iroute?
15:45 < CybDev> why wouldn't you want to push it?
15:45 < mjt> i don't want to accept network config requests on the other side.
15:45 < mjt> ie, don't want to --pull
15:45 < CybDev> 2.0 or 2.1?
15:45 < mjt> 2.1
15:46 < CybDev> 2.1 has a route-nopull option
15:46 < CybDev> for the client that is
15:46 < mjt> well, the question isn't about client, but about server
15:46 < mjt> everything just works on the client, except that it logs warnings about options being pushed which it does not accept.
15:47 < mjt> so i want to stop server from pushing them
15:47 < mjt> and without --ifconfig-push the server does not know that client's IP.
15:47 < CybDev> obviously :P
15:51 * mjt still can't replace vtun and tinc -- both are still in use, and openvpn is the 3rd...
15:53 -!- Viper550 [i=Viper550@d57-220-221.home.cgocable.net] has joined ##openvpn
15:53 < Viper550> !howto
15:53 < vpnHelper> Viper550: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:23 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has joined ##openvpn
16:23 < Evilliksass> !howto
16:23 < vpnHelper> Evilliksass: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:26 < Evilliksass> If I want to use pre shared keys with openvpn what are the requirements? I am using pfsense and all it tells me is that the shared key I input is not valid
16:36 < CybDev> is it the same key on both the server and the client?
16:52 < Evilliksass> CybDev: yes.
17:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:19 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
17:19 < podman99a> hey all.. bad news... ne way... any ideas on my routing problems with vista?
17:24 < podman99a> !vista
17:24 < vpnHelper> podman99a: Error: "vista" is not a valid command.
17:24 < podman99a> !route
17:24 < vpnHelper> podman99a: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
17:36 < podman99a> ne one here use openvpn and vista?
17:50 -!- nemysis [n=nemysis@173-48.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
17:50 -!- nemysis [n=nemysis@69-188.3-85.cust.bluewin.ch] has joined ##openvpn
17:55 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
18:35 -!- menace [n=knorr@unaffiliated/menace] has joined ##openvpn
18:37 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Success]
18:50 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has quit [Connection timed out]
19:59 -!- menace [n=knorr@unaffiliated/menace] has left ##openvpn []
20:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
20:27 < Bushmills> vista! /me fetches a crucifix and some garlic
20:38 < Bushmills> vista isn't the answer
20:38 < Bushmills> vista is the question. the answer is "no" :D
21:01 -!- hads [n=hads@argon.nice.net.nz] has left ##openvpn []
21:06 -!- mepholic_ is now known as mepholic
21:19 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
22:16 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has quit [Read error: 60 (Operation timed out)]
22:18 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn
22:30 -!- Viper550 [i=Viper550@d57-220-221.home.cgocable.net] has quit ["THANK YOU FOR PLAYING"]
22:53 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
23:26 -!- smk [n=scott@cobra.httpd.org] has quit ["rebooting"]
--- Day changed Fri Mar 20 2009
00:28 -!- Kurogane [i=Kuro@190.53.8.79] has joined ##openvpn
00:29 < Kurogane> I have a problem in my vpn: the clients connect to the vpn and it is working, but i have 2 problems
00:30 < Kurogane> 1. a client can't ping the ip node (10.10.0.1), it gives him TTL expired in transit
00:31 < Kurogane> 2. if a client pings another client it gives him the same error
00:32 < Kurogane> but only one client does not have these problems, the others do.
00:32 < Kurogane> what do you think is causing this problem?
00:34 < Kurogane> forgot to mention, when it says TTL expired in transit on the vpn server it gives him a strange ip (not set anywhere, 10.192.68.x) and when pinging the client the same happens but with another ip 0.192.68.x
00:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:38 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has joined ##openvpn
01:38 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has left ##openvpn []
01:55 -!- pmguy [n=ekjsdm@82-34-204-54.cable.ubr13.enfi.blueyonder.co.uk] has joined ##openvpn
01:55 < pmguy> How does one specifically configure your ROUTER or COMPUTER to allow Internet access via OpenVPN _only_? That is-- including all forms of javascript and Java.
01:57 < reiffert> redirect-gateway def1
01:58 < pmguy> ok how do you do that?
01:59 < reiffert> Do you have a running openvpn setup?
02:01 < pmguy> yes
02:09 < pmguy> no one?
03:03 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has joined ##openvpn
03:11 < podman99a> hey guys... ok have same problems on my ubuntu machine at work... my windows client has been taken offline from VPN, now testing my ubuntu version (From APT) it's connected and i can ping its vpn address of 10.8.0.6, but not its real ip of 192.168.1.73
03:12 < dazo> podman99a: have you enabled ip_forward? /proc/sys/net/ipv4/ip_forward
03:12 -!- simplechat_ is now known as simplechat
03:13 < dazo> podman99a: anyway ... Ubuntu is almost like Vista :-P .... Get a real distro, not a spaceman distro :-P
03:13 < podman99a> dazo.... true... enable and restart networking?
03:13 < dazo> podman99a: did cat /proc/sys/net/ipv4/ip_forward give you 1?
03:14 * dazo got unsure if podman99a's "true" was aimed at ip_forward or Vista/Ubuntu comment
03:15 < podman99a> yes
03:15 < podman99a> enabled
03:15 < podman99a> testing ping now
03:16 < podman99a> ping to 10.8 success.... localnet of 192.168.1.73 failed (BOTH from server)#
03:16 < dazo> podman99a: and you have checked that firewalling is not blocking the traffic?
03:16 < podman99a> no iptables rules setup
03:17 < dazo> podman99a: oki ... I need to restart my box now ... in the mean time, can you put configs on pastebin ... and also all routes and iptables-save dump from your Ubuntu client on pastebin too?
03:18 < podman99a> k
03:18 -!- dazo [n=dazo@nat/redhat/x-b03334b74c651cde] has quit ["Leaving"]
03:23 -!- dazo [n=dazo@nat/redhat/x-799df3ba13b2efcc] has joined ##openvpn
03:24 < podman99a> wb .. http://pastebin.com/m13948e6b
03:24 < dazo> podman99a: oki ... I'm back ... wherever you put your pastebin, I'm ready
03:25 * dazo wonders if he is blind :-P
03:25 < podman99a> wb .. http://pastebin.com/m13948e6b
03:25 * dazo looks at pastebin
03:25 < podman99a> ah k
03:26 < dazo> podman99a: ccd/client1 .... you have disabled push iroute
03:27 < dazo> podman99a: and you are also missing a crucial route on the server as well
03:27 < podman99a> ?
03:27 < podman99a> ok have enabled the CCD iroute
03:28 < dazo> podman99a: the server route, you can enable by doing this from command line, just for testing .... route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.2
03:28 < podman99a> still nothing
03:29 < dazo> podman99a: oki ... time for tcpdump ... on both ubuntu client and openvpn server
03:30 < podman99a> SERVER -> 08:29:46.993074 IP 10.8.0.1 > 192.168.1.73: ICMP echo request, id 42557, seq 6, length 64
03:30 < podman99a> client shows nothing
03:30 < dazo> podman99a: and that was on tun0 or eth0?
03:30 < podman99a> tun0
03:31 < podman99a> also eth0 shows nothing
03:31 < dazo> podman99a: interesting ... the packet disappears in the tunnel
03:31 < podman99a> wish my car would do that.... how can we get more debugging info on that packet?
03:31 < dazo> podman99a: by nothing, you mean no ICMP traffic? .... you should see openvpn traffic, though
03:32 < podman99a> using proto ICMP
03:32 < pmguy> dazo do you know how to keep executables like Java or Flash from returning IP information?
03:33 < dazo> pmguy: nope ... I'm not using Java nor Flash .... and I'm in #openvpn mode now, not #devel :-P
03:33 < pmguy> im referring to while using OpenVPN
03:33 < podman99a> yea i see UDP packets from time to time but not same amount as lines in tcpdump on server's tun0
03:34 < dazo> podman99a: I am really puzzled by this ... that you do not even see the packet coming in on your client
03:34 < dazo> podman99a: that's good ... Which openvpn versions are you running?
03:34 < podman99a> client 2.1_rc11
03:34 < dazo> pmguy: I don't see the connection between openvpn and java/flash ....
03:35 < dazo> podman99a: could you please try to upgrade both sides to 2.1_rc15? .... compiling from source code is a piece of cake with openvpn
03:35 < podman99a> server 2.1_rc6 ... WOW that's old
03:36 < dazo> podman99a: _that_ could be an issue
03:36 < podman99a> possibly the vista issue too... since it's doing it both sides
03:36 < dazo> podman99a: it might be .... because what you experience here is very very odd
03:37 < podman99a> this is gonna put files in weird places... but i'll have to fix that later
03:37 < dazo> podman99a: even though I don't like Ubuntu ... the network stack in the kernel is the same as other Linux distros, so that's why I'm really puzzled that even the Ubuntu based client doesn't respond on ICMP .... unless .....
03:38 < dazo> podman99a: let me check one thing .... it is possible to disable ping response on kernel level in Linux ... can you try to ping localhost on your Ubuntu client? ... if that works, ping response is enabled
03:38 < podman99a> response OK
03:39 < dazo> pmguy: I would guess you need to figure out the network stack from java/flash ... which is OS dependent, and not openvpn dependent ... as openvpn just creates and uses a virtual network interface
03:40 < dazo> podman99a: good ... that means that no strange blocks should be present ... your ubuntu client should be open then
03:40 < podman99a> making server now
03:40 < dazo> podman99a: cool! do the same on the client as well, please .... using the same version both places usually removes other issues as well
03:40 < dazo> other possible issues, I mean
03:43 < pmguy> what's the network stack from java/flash ????
03:46 < reiffert> http://freshmeat.net/projects/jnetstack/
03:46 < vpnHelper> Title: Java Network Stack | freshmeat.net (at freshmeat.net)
03:47 < podman99a> dazo, pings still not getting through to that address.... and have added route manually and no pings - 10.8 address works
03:48 < dazo> podman99a: this is absolutely absurd .......
03:49 * dazo is about to go mentally crazy ....
03:50 < dazo> podman99a: can you setup your configs to verb 4 ... do a complete reconnect and pastebin the result?
03:52 < podman99a> server and client or just server?
03:52 < dazo> podman99a: both
03:53 < dazo> podman99a: and then after that, you can update configs to verb 6 and run the daemons without logging and without putting them in the background (not daemon).... and do the ping exercise again .... iirc, you should see streams of rrWWWwwRrrRwWWw ... spawning out on both sides ... the r's are openvpn reading/receiving traffic .... w's are writing .... and small/capital letters is if it is the local instance or the remote insta
03:53 < dazo> nce performing the action
03:54 < dazo> s/run the daemons/run openvpn/
03:56 < podman99a> 200+ lines on server...
03:56 < dazo> podman99a: but both r and w's? Or a majority of w's?
03:58 < podman99a> http://pastebin.com/m2cfed8b5 --> done... it's the winbloz client though
04:00 * dazo reads logs
04:01 < podman99a> the ping packet is not being sent through the tunnel?
04:02 < dazo> podman99a: I think I see an issue ....
04:02 < podman99a> i've pinged with log=6 and when i ping the 10 address i get loads and quick... when i ping the 192 i get bugger all ????
04:02 < dazo> #
04:02 < dazo> Fri Mar 20 08:55:18 2009 us=865787 78.86.189.73:63189 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1442'
04:02 < dazo> #
04:02 < dazo> Fri Mar 20 08:55:18 2009 us=865843 78.86.189.73:63189 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1400'
04:02 < podman99a> ah
04:03 < dazo> podman99a: you might want to explicitly set those values to the lowest reported values here .... just so they will agree
04:03 < podman99a> specify tun-mtu=1500 in both configs? or remove from client
04:03 < podman99a> both to 1400?
04:03 * dazo continues to read
04:03 < dazo> podman99a: both to 1400 with tun-mtu .... and 1442 for link-mtu
04:05 < podman99a> only one of tun-mtu or link-mtu may be used? ... which one is best?
04:05 < dazo> podman99a: good question ... the one which works :-P try link-mtu first
04:07 < podman99a> no better in data transfer
04:07 < dazo> do you see the same errors in the log?
04:07 < podman99a> na not there
04:08 < dazo> podman99a: so no tun-mtu nor link-mtu errors reported in the log at all now?
04:08 < podman99a> not that i've seen
04:09 < dazo> podman99a: okey
04:09 * dazo continues to read logs
04:09 < dazo> podman99a: I got the impression you are testing ubuntu on the client side, are you not?
04:09 < podman99a> WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400) ------->>> i'll change to tun-mtu
04:10 < podman99a> client was ubuntu but using windows for the moment can go back to that if needed
04:10 < dazo> podman99a: grrr ..... we need to have some consistency here now ... you might as well also have ip_forward issues in Vista, remember?
04:11 < podman99a> ill change to ubuntu for both sides 04:11 < podman99a> saves me windows on taskbar that way 04:11 < dazo> podman99a: yeah, I read the man pages for openvpn .... might be that --fragment 1500 would be better than link-mtu 04:14 < podman99a> just setting that up and testing be a few mins 04:19 < podman99a> pings still not going into the tunnel? 04:19 < podman99a> well .... IP 10.8.0.1 > 192.168.1.73: ICMP echo request, id 9222, seq 31, length 64 04:20 < podman99a> but no reply 04:20 < podman99a> so they hitting tunnel but not getting to client 04:20 < dazo> podman99a: and what does verb 6 activity show you? 04:20 < dazo> on the server 04:20 < podman99a> i start ping and after 10 seconds nothing been sent 04:21 < podman99a> then i get a few of ----> Fri Mar 20 09:20:38 2009 us=107709 client1/78.86.189.73:64172 UDPv4 READ [61] from 78.86.189.73:64172: P_DATA_V1 kid=0 DATA len=60 04:21 < dazo> podman99a: so you do not see any RW's at all? Or they simply stops... get's silent? 04:21 < podman99a> which im guessing is keep alive stuff 04:21 < podman99a> no R/W although get READ/WRITE messages 04:21 < podman99a> is response from previous ---- >Fri Mar 20 09:20:38 2009 us=107828 client1/78.86.189.73:64172 UDPv4 WRITE [61] to 78.86.189.73:64172: P_DATA_V1 kid=0 DATA len=60 04:22 < podman99a> i have 10 pairs of that in log but sent 86 ping packets... all were lost 04:22 < dazo> podman99a: oki ... I begin to wonder if it is something really odd on your server now .... as long as the traffic hits the tun0 but do not reach the openvpn process 04:23 < podman99a> true.... latest verion... 
AH HANG ON 04:23 < dazo> podman99a: do you get more log entries if you ping the VPN address of your client 04:23 < podman99a> no that therry is pants /proc/sys/net/ipv4/ip_forward = 1 on server 04:23 < podman99a> yes 04:23 < podman99a> read writes in line/time with pings 04:24 < podman99a> Fri Mar 20 09:24:04 2009 us=201853 client1/78.86.189.73:64172 TUN WRITE [84] --- >and read straight after 04:24 < dazo> podman99a: good 04:24 < podman99a> is the 10.8.0.2 the correct gateway for 192.168.1.0 packets? 04:25 < podman99a> must be as its hits the tun0 but not the vpn process 04:25 < dazo> podman99a: I'm just wondering ... this is really odd ... yes, 10.8.0.2 should be the proper gateway 04:25 < podman99a> i take it u have this working??.... lol 04:25 < dazo> podman99a: can you do a ifconfig -a on your box and pastebin that? 04:26 < podman99a> serever -- >http://pastebin.com/mfe4c179 04:26 < dazo> podman99a: I'm using openvpn a lot .... not often I do the iroute stuff though, but I have got it working pretty easily enough thouhg 04:27 < podman99a> my idea was if urs works... see if configs are diffent... but that wouldnt matter... as this is simple stuff from what i can see... just not working 04:27 < podman99a> lol 04:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:28 < dazo> podman99a: I've done the comparing already ;-) ... but this begins to be outside openvpn now, how I see it ... or somewhere in between the openvpn process, the tun.ko driver and the tun interface 04:28 < dazo> podman99a: so it can be kernel stuff, it can be a config issue .... but it's getting pretty tricky by now 04:28 < podman99a> i like giving a challenge.. 04:29 < dazo> podman99a: anyway, any reason you want to access the 192.168.1.x address of your box? Why not access the VPN address? 04:29 < podman99a> has to be server side as not working on 2 clients and different versions 04:29 < podman99a> now.... thats a good question that i hope u can answer... 
lol 04:29 < podman99a> im setting up remote sites for active directoty 04:29 < podman99a> so windows server in rack and server on client 04:29 < podman99a> 2 way comms.... ? 04:29 < dazo> podman99a: that's what I'm feeling .... running Ubuntu on server side? 04:30 < podman99a> yea 04:30 < podman99a> 2.6.24-16-server 04:30 < dazo> podman99a: I see ... but does the server side need to initiate contact with the clients at all? 04:30 < podman99a> AD replication ... clients will do all accessing of internet/vpn with server 04:31 < dazo> podman99a: I've never tried Ubuntu on server side ... I got Ubuntu Ibix (started with Gutsy->Hardy->Ibix) on my private laptop, but I am planning to scrap it, because it's really a crappy distro 04:31 < dazo> podman99a: aha ... I see 04:32 < dazo> podman99a: sounds convenient then to have subnet access then 04:32 < podman99a> yea... makes everything seem like they in same office althoguh 10 miles+ appart 04:33 < dazo> podman99a: Well, this whole issue is getting incredibly complex now .... you've done now everything by the book, as far as I can tell from what I've seen 04:33 < podman99a> ummm... work arounds? 04:34 < podman99a> im avoiding windows server VPN's as i want to keep things secure 04:35 < dazo> podman99a: this might be something to bring up further to ubuntu people actually ... all distroes have their own tweaks, but Ubuntu is known for having the most dirty ones, to "make it work now!(tm)" .... and that can often backfire ... I'm wondering if that's something you might hit into now 04:35 < podman99a> ok ... which distro would you recommend for this kind of thing? 04:35 < podman99a> im easy have no real preference 04:36 < dazo> podman99a: totally agreed ... did you say you ran the openvpn server in virt? 04:36 < podman99a> hell no ... hate virtuals 04:36 < dazo> podman99a: sorry ... 
I mixed you with another one then :-p 04:37 < podman99a> nothing beats the feel of a whole and real processor running your services 04:38 < dazo> podman99a: you have several distro options .... I'm using Gentoo, but that's not easy to install .... You have Novel SuSE Linux Server (SLES), which I also do not recommend due to how they do their community work, and mingling a little bit too much with Microsoft - but it could be a good option for you, just because of that mingling ..... And then you have Fedora, Red Hat Enterprise Linux and CentOS 04:39 < podman99a> gentoo it is ..... lol... ill play with windows VPN for now so this client can get on with his life... lol... but for my proper vpn ill create gentoo one 04:39 < dazo> podman99a: if you don't want commercial support at all .... I probably would go for CentOS or Fedora .... the advantage of CentOS is that it is basically a Red Hat Enterprise Linux with pretty good updates and migration later on from CentOS to RHEL is not that painful, it is said 04:40 < dazo> podman99a: If you're considering commercial support .... RHEL or SLES is good options 04:40 < podman99a> i am the commercial support 04:40 < podman99a> lol 04:40 < CybDev> poor bastards ;-) 04:40 < podman99a> i know ... bad aint it 04:41 < dazo> podman99a: heh ... well, with RHEL at least, you have pretty good community and pretty good responses on support issues as well 04:41 < podman99a> the only payments i do for linux is donations to the people who make it happen 04:42 < dazo> podman99a: and that's what you also do when you pay for a RHEL or SLES distribution .... Red Hat employs some thousands of developers working with Fedora and RHEL 04:42 < CybDev> RHEL is nice when you need someone to blame :P 04:42 < dazo> CybDev: +1 04:43 < podman99a> but package updates to latest are slow i find... well found... 
not used RHEL for 2 years now 04:43 < CybDev> gentoo is ace when you need to fix things yourself :-) 04:43 < CybDev> RHEL is slow for a reason, same as debian 04:43 < CybDev> bleeding edge software and commercially stable software are two entirely different worlds :P 04:44 < dazo> podman99a: RHEL is slow because if you get a RHEL5.3 installation, it is guaranteed support and full functionality for all software for 7 years since release 04:44 < podman99a> CybDev: i have a gentoo server which runs my monitoring,... and sun server... thats a sexy distro.... ill make that happen on a now box though as have not updated gentoo in AGES 04:44 < dazo> podman99a: updating any linux distro is just as crucial as updating Windows every day 04:46 < podman99a> dazo, yea but i was a novice at these things when i set gentoo up over 2 years ago, and didnt want to break things... and have no KVM at my rack, have one now so can keep better eye on things, but as i say .... its been a while... im phasing out the old in favor of new so will take a while 04:46 < dazo> podman99a: fair enough 04:47 < dazo> podman99a: anyway ... choose a distro you are familiar with and feel comfortable with ... and combine that with which support possibilities you got 04:47 < podman99a> running 3000+ domains (hosting) and about 50 servers (dedicated) have got calls down to about 10 a day, so thats all good, have developer making my new clever things in to automated functions on my website... just a slow process.... 04:48 < dazo> podman99a: pretty awesome :) 04:48 < podman99a> dazo, i know gentoo is good and great support/documentation so will use that 04:48 < podman99a> ne way... 04:48 < podman99a> on with vpn... so ill speak later guys... thanks loads... shame my servers suck lol 04:48 < dazo> podman99a: heh ... no prob! :) 04:49 < dazo> podman99a: I just hope that Gentoo will work better .... I really do ... 
or else I'm gonna feel baaaaad :-P
04:50 < podman99a> lol
04:51 < dazo> podman99a: just one last really desperate attempt .... try to switch openvpn configs from UDP to TCP ... just have that one ruled out
04:51 * dazo remembers he had to do that in one network to make it work
04:51 < dazo> podman99a: but I don't expect it to help ... since traffic to VPN IP's seems to work
04:52 < podman99a> umm... good point... ill try in a bit... damn phone ... lol
04:56 < CybDev> ,eh
04:56 < CybDev> gentoo is going down the drain :-(
04:56 < CybDev> half (or more?) of the package maintainers switched over to ubuntu or arch :-/
04:56 < CybDev> such a shame :-(
04:57 < dazo> CybDev: Didn't know that ... but Ubuntu maintainers escape further again to other distros as well .... so I think that's just normal "circulation" ... but if Gentoo is losing more than it manages to get in, it's big big shame
04:59 < CybDev> yeah, gentoo has been suffering for the last couple of years tbh
04:59 < CybDev> i'm still using it, but my overlay has grown a lot and is starting to be a pain to maintain :-/
04:59 < dazo> CybDev: I've noticed that the Hardened team is struggling ... but on the other hand, it seems to get the most important CVE fixes and keeps it in pretty good shape ... but, yeah, it's not too quick updates
05:00 * dazo noticed that 2.6.28 kernel was recently available .... a jump from 2.6.25
05:00 * dazo imagines ecrist will complain about non-openvpn discussions here now :-P
05:01 < CybDev> hardened was always struggling :P
05:01 < reiffert> I've heard that bridging is broken in 2.6.28 so its back at openvpn.
05:01 < CybDev> it is?
05:02 < CybDev> oh yeh, forced to run -27 since my fking raid controller drivers won't compile on 28 or later :-(
05:02 < reiffert> from what I've heard the bridge doesnt learn mac addresses, so sends every frame to all interfaces.
05:31 < dazo> reiffert: that's only when doing bridging? brctl stuff ... not the tun/tap driver, I hope?
05:33 < reiffert> when doing bridging, brctl stuff.
05:41 < dazo> reiffert: good .... I got worried for a 2.6.28 upgrade now .... thx!
05:48 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn
06:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
06:20 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
06:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:04 < ecrist> morning folks
07:05 < ecrist> dazo: I have no problem with non-openvpn discussion provided a couple conditions are met. 1) other users aren't trying to have openvpn discussions and 2) it's not a typical BS Windows-bashing convo.
07:10 * CybDev slaps ecrist around a bit with a Windows Vista installation disk
07:10 < CybDev> <3
07:11 < reiffert> That doesnt hurt that much
07:15 < dazo> reiffert: if that would happen to me .... I would have kicked him out! :-P
07:16 * ecrist wedges said install disk into CybDev's rectum, next to his size 13 combat boot.
07:16 < dazo> ecrist: morning! :) I'm happy there are flexible people here :)
07:23 < ecrist> morning
07:29 < podman99a> ok ... time for the gentoo... out with the big guns.... dont know how long it will take to install may be a min ... maybe an hour...
07:29 < ecrist> ew, linux
07:31 < podman99a> ecrist: surely your weapon of choice isnt windows?
07:32 < podman99a> OMG... its installing openvpn 2.0.7-r2
07:39 < dazo> podman99a: yeah ... the openvpn maintainer is not paying attention to the radar at all
07:39 < dazo> podman99a: I believe 2.1_RC15 is masked now
07:42 < podman99a> no im using VERY old portage... time to learn how to update..... just downloading latest now
07:43 < dazo> podman99a: emerge --sync
07:43 < dazo> podman99a: but still, the latest sync will give 2.0.7 last time I checked ... 2.1 is masked
07:43 < ecrist> podman99a: I use Windows ME for everything I do.
07:44 < podman99a> ecrist: wow, you rock!
98 with tweaks
07:45 < ecrist> I don't even update the system.
07:46 < ecrist> I kid, I'm a FreeBSD guy
07:47 < ecrist> 07:47 CTCP VERSION reply from ecrist: irssi v0.8.12 - running on FreeBSD i386
07:54 < podman99a> ecrist, ummmmm....
07:59 < ecrist> podman99a: ?
08:05 -!- waKKu [n=vaKKu@unaffiliated/wakku] has left ##openvpn []
08:11 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has joined ##openvpn
08:15 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has left ##openvpn []
08:18 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has joined ##openvpn
08:25 -!- bsund [n=bsund@unaffiliated/bsund] has joined ##openvpn
08:42 -!- mooncup [n=a@unaffiliated/mooncup] has joined ##openvpn
08:42 < mooncup> heya
08:42 < mooncup> !howto
08:42 < vpnHelper> mooncup: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:43 < ecrist> mooncup: how goes?
08:43 < mooncup> best check if it's in there before I actually ask my question
08:43 < mooncup> not bad ecrist
08:43 < mooncup> finally penetrated my uni firewall
08:43 < mooncup> I've had to listen on port 22
08:43 < mooncup> Now I need to work out how to actually route my internet through the vpn
08:44 < mooncup> my client is running on vista
08:44 < mooncup> Do I need to do anything special serverside first, or is it all clientside conf for this?
08:45 < ecrist> on server side, you need to setup NAT for VPN clients, and add redirect-gateway def1 to the server config
08:46 < mooncup> I'm gonna have to learn networking
08:46 < mooncup> this should be interesting :P
08:47 < mooncup> Oh, do I just uncomment push "redirect-gateway"
08:47 < mooncup> ?
08:48 < ecrist> add def1 to the end, before the final "
08:49 < mooncup> push "redirect-gatewaydef1"
08:51 < mooncup> What do I do clientside?
08:51 < ecrist> push "redirect-gateway def1"
08:51 < ecrist> nothing to do client side.
08:52 < mooncup> but how does vista know to route my internet through the vpn?
08:53 < ecrist> because the server is pushing the 'redirect-gateway def1' to the client
08:54 < mooncup> If I visit a site in firefox, I'm still connecting from my normal ip :/
08:55 < ecrist> mooncup: did you restart the openvpn server?
08:55 < mooncup> yeah
08:55 < ecrist> post your logs on the client
08:55 < ecrist> s/on/from/
08:56 < mooncup> Fri Mar 20 04:53:51 2009 you.just.lostthega.me/144.124.140.106:55972 SENT CONTROL [you.just.lostthega.me]: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
08:56 < mooncup> That's from the server
08:56 < mooncup> I'll just get the client ones
08:56 < ecrist> pastebin.ca
08:56 < ecrist> or .com
08:56 < mooncup> yeah
08:56 < mooncup> http://mooncup.pastebin.com/m694df0fc
08:57 < mooncup> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=10]
08:57 < mooncup> I'm guessing that relates to the problem
08:59 < ecrist> mooncup: upgrade to 2.1-rc15
08:59 < ecrist> or later, I think there's an RC16 now
08:59 < ecrist> see this link for reference: http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/
08:59 < mooncup> Is the config the same? >.<
08:59 < vpnHelper> Title: OpenVPN GUI on Windows Vista skriptd (at skriptd.wordpress.com)
09:00 < ecrist> yes, the config is the same.
09:00 < mooncup> Alrighty
09:00 < ecrist> you only need to change the client, server should be OK
09:00 < mooncup> cool stuff
09:00 < ecrist> more help on routing at the following link:
09:00 < ecrist> !route
09:00 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:01 < mooncup> OpenVPN 2.1_beta7 & OpenVPN GUI 1.0.3
09:01 < mooncup> Is that what I want?
09:02 < mooncup> or should I get openvpn from the official website
09:02 < ecrist> get openvpn from the official site
09:02 < ecrist> bet7 is broken.
09:03 < ecrist> beta7
09:03 < mooncup> kk
09:08 < mooncup> strange
09:08 < mooncup> it seems to be ignoring my port and trying to connect to 1194
09:09 < mooncup> remote you.just.lostthega.me 22 is quite definitely in the conf
09:09 < mooncup> Fri Mar 20 14:09:09 2009 Attempting to establish TCP connection with 173.65.196.9:1194
09:10 < ecrist> try
09:10 < ecrist> remote you.just.lostthega.me
09:10 < ecrist> port 1194
09:11 < mooncup> same problem
09:11 < ecrist> hrm
09:12 < mooncup> It did this before
09:12 < mooncup> I can't remember how I fixed it
09:12 < mooncup> well I made a new conf file
09:12 < mooncup> that seems to have worked
09:12 < mooncup> maybe it caches it somewhere
09:13 < ecrist> I'm not a windows guy, so my windows-specific support ability is limited. sorry
09:13 < mooncup> Nah that's cool
09:13 < mooncup> thanks for all the help so far
09:14 < mooncup> ok so the vpn is connected again
09:14 < mooncup> but I still don't seem to be routing my net through it
09:14 < mooncup> I'm gonna go reread that blogpost I think
09:14 < ecrist> logs, again?
09:15 < mooncup> http://mooncup.pastebin.com/m66b55363
09:15 < mooncup> hang on
09:15 < mooncup> let me run it as administrator
09:15 < mooncup> I just realised I'm not
09:16 < mooncup> aha
09:16 -!- dergringo [n=philipp@63-112.105-92.cust.bluewin.ch] has joined ##openvpn
09:17 < mooncup> I think my net is now being routed through it
09:17 < mooncup> but I can't seem to resolve domains
09:17 < ecrist> you need to have DNS accessible via the VPN when you're redirecting your gateway
09:17 < ecrist> another push option in the config
09:17 < mooncup> ahh
09:19 < dergringo> Hi. I just set up ovpn for the first time. Server is a Windows 2k3 and clients are linux and windows. Connection goes fine. No problems so far.
But there is one thing: From the client I can ping 10.18.14.1, I can ping 192.168.1.130 (servers lan address) but I can't ping any other machine in the server lan.
09:19 < ecrist> http://www.secure-computing.net/ip.php will tell you which IP you're coming from.
09:19 < ecrist> dergringo: you need to have proper routing setup on the server LAN. it's my guess that your other machines don't know how to route to the VPN subnet
09:20 < mooncup> push "dhcp-option DNS 10.8.0.1"
09:20 < mooncup> do I just need to uncomment that?
09:20 < ecrist> so, you need to either 1) add a static route to the VPN on each machine on the server LAN, or 2) put a route on your default gateway, pointing to the VPN server for that subnet
09:20 < ecrist> mooncup: do you have a DNS server running on your VPN server?
09:20 < mooncup> No
09:20 < mooncup> I can install one if I need to though I suppose
09:21 < ecrist> then i'd change the IP to a DNS server IP your VPN server uses.
09:21 < mooncup> Ahh
09:21 < mooncup> I see what you mean
09:22 < dergringo> ecrist, thanks. Well I need to find out how to set routes on that D-Link Gateway.
09:24 < mooncup> I still seem unable to resolve
09:25 < dergringo> What happens when the client's AND server's subnet is 192.168.1.0 255.255.255.0
09:27 < mooncup> I just tried to ping an ip and it timed out
09:27 < mooncup> So I'm wonderif I've i've done the routing wrong somewhere too
09:27 < mooncup> *wondering if
09:36 < dergringo> Can I display a message on the client after successful connect?
09:36 < ecrist> sure, --up-script
09:37 < dergringo> ecrist, great! Everything works fine. I love it! Can I set the message in the config file?
09:42 < nemysis> What is the best DNS Server for Linux on Server?
09:43 < dergringo> bind9 ?
09:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
10:01 -!- hagna_ [n=hagna@70.102.57.178] has joined ##openvpn
10:17 < mooncup> cheers for the help ecrist
10:17 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn
10:17 < mooncup> I'm going afk now, I'll carry on messing with settings when I get back
10:21 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has quit [Client Quit]
10:21 < bsund> I use openvpn to get through firewalled schoolnet. It works with openvpn, but when I snat my xbox to the tunnel nothing happens. I can snat it through the wlan (internet) successfully. Any one have any idea what to do?
10:22 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has joined ##openvpn
10:23 < bsund> IE ping -I tun0, works but ping -I eth0 doesn't, even though is is snat/masquerade to the tunnel
10:24 < bsund> is/it
10:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
10:28 < l2trace99> is there a way to have the openvpn daemon reread its config without kicking everybody ?
10:30 < l2trace99> SIGUSR1 ?
10:32 < l2trace99> hmmm roll the dice
10:34 < dazo> l2trace99: in general, it's usually SIGHUP ... but I'm not sure if openvpn kicks out anyone on that
10:37 < l2trace99> just did it
10:37 < l2trace99> no one complained so i guess it doesn't
10:37 < l2trace99> ;)
10:38 < l2trace99> but I don't have a lot of users on it right now
10:47 < ecrist> l2trace99: yes, using the mgmt interface
10:52 < hagna_> so can I configure openvpn to work with a mediation server and clients like hamachi?
10:52 < ecrist> hagna_: not sure. iirc, hamachi is a customized version of openvpn.
10:53 < l2trace99> yes
10:54 < hagna_> customized as in configured or significantly altered
10:54 < l2trace99> ecrist: I connected to the management interface and sent SIGHUP. It is all good.
I just wasn't sure
10:55 < l2trace99> ecrist: so I took a chance and it worked out
10:55 < ecrist> gratz
10:55 < l2trace99> ecrist: I got an empty chamber so I get to pull again
10:56 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
10:56 < ecrist> l2trace99: there is a mgmt interface command to tell the server to reread the config.
10:57 < ecrist> it's not sighup, but similar.
10:57 < ecrist> should be covered in the docs
11:00 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has joined ##openvpn
11:00 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has left ##openvpn []
11:26 < dergringo> The openvpn tray Icon shows no "connect" on Win XP SP3 even though there is a test.ovpn file in the config dir
11:47 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"]
11:55 -!- dergringo [n=philipp@63-112.105-92.cust.bluewin.ch] has quit ["Leaving"]
12:05 -!- meshuga [i=meshuga@lenin.ww88.org] has quit ["Changing server"]
12:10 -!- fedya [n=fedya@75.112.143.226] has joined ##openvpn
12:12 < fedya> i can't ping machines through the vpn tun, i checked the firewall, there are no rules and policy set to ACCEPT on all chains
12:15 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has joined ##openvpn
12:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
12:32 < fedya> WRFri Mar 20 13:32:16 2009 us=58225 ted/75.112.143.226:51529 Bad LZO decompression header byte: 69
12:32 < fedya> i keep getting these on verb 5 when trying to ping the server
12:41 -!- atomic__ [n=atomic@78.157.9.222] has joined ##openvpn
12:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:43 < atomic__> hi, i've setup a openvpn infrastructure to connect two networks for the sole purpose of H323 hardware based video conferencing (Polycom solution)
12:43 < atomic__> i am experiencing garbled audio and low frame rate, could using LZO compression be an issue here ?
12:44 < atomic__> anyone with a similar experience ?
12:45 < ecrist> fedya: have you tried turning off compression?
12:45 < fedya> i'm trying that now, i think one side was set for compression and the other wasnt
12:51 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has quit [Read error: 110 (Connection timed out)]
12:51 < fedya> got it
12:51 < fedya> i changed the wrong thing in the client config
13:28 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)]
13:44 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has left ##openvpn []
13:54 -!- tarbo2_ [n=me@unaffiliated/tarbo] has quit [No route to host]
13:58 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
14:25 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
14:26 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
14:30 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
14:31 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 104 (Connection reset by peer)]
14:31 -!- fedya [n=fedya@75.112.143.226] has quit []
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:57 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:17 < hagna_> so what's the tun equivalent in freebsd?
15:37 < reiffert> tun.
15:37 < hagna_> yep I see it
15:37 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
15:45 -!- nemysis [n=nemysis@69-188.3-85.cust.bluewin.ch] has quit [Connection timed out]
15:46 -!- nemysis [n=nemysis@141-87.3-85.cust.bluewin.ch] has joined ##openvpn
15:46 < pmguy> How does one specifically configure your ROUTER and/or COMPUTER to allow Internet access via OpenVPN _only_? That is-- including all forms of javascript and Java.
15:47 < pmguy> Does anyone know?
16:01 < reiffert> redirect-gateway def1
16:03 < Roman123> any gentoo user here?
16:03 < pmguy> and what the heck is that
16:03 < pmguy> i did a search on that
16:03 < reiffert> Roman123: There is nothing special about openvpn and gentoo.
16:03 < reiffert> pmguy: it's an openvpn option.
16:04 < reiffert> Roman123: just ask your questions.
16:04 < pmguy> how do i know if its set or not?
16:04 < reiffert> You have a look inside the server config.
16:04 < reiffert> Or - you take a close look to the clients routing table.
16:04 < pmguy> what file is that?
16:05 < pmguy> whereabouts?
16:05 < reiffert> pmguy: I name them s.conf, other people might call them server.conf or openvpn.conf, whatever.
16:05 < pmguy> reiffert: may i pm
16:05 < reiffert> pmguy: let me ask my crystal ball, I'll be back in a minute.
16:07 < pmguy> reiffert: can you just tell me how to set that option on?
16:07 < reiffert> pmguy: you edit the server configuration.
16:08 < reiffert> and add this line:
16:08 < reiffert> push "redirect-gateway def1"
16:08 < reiffert> save the config file.
16:08 < reiffert> restart the openvpn server.
16:08 < reiffert> connect a client
16:08 < reiffert> and there you are.
16:08 < pmguy> im not running the server
16:09 -!- atomic__ [n=atomic@78.157.9.222] has quit ["Leaving."]
16:09 < Roman123> my question is about handling different openvpn client configurations in gentoo
16:09 < reiffert> pmguy: then ask the guy who is running the server, to add this line for your config.
16:09 < Roman123> they are located in /etc/openvpn/*.ovpn
16:10 < pmguy> and that will protect me from ActiveX ?
16:10 < Roman123> how can I establish a certain client connection, e.g., mynetwork1.ovpn
16:11 < Roman123> I guess there is a gentoo specific solution.
16:11 < reiffert> pmguy: look, this channel is about openvpn, it's not about browsers, not about microsoft, not about activex, not about javascript and even not about java. your openvpn question is?
16:11 < pmguy> and Flash
16:11 < Roman123> and not openvpn --config xxxx
16:12 < reiffert> Roman123: alright, I'd probably just enter openvpn --config foo.ovpn into a shell, I have no idea about mouse clicking.
16:12 < Roman123> reiffert: me too
16:12 < Roman123> there is a short command line solution (except from --config)
16:13 < pmguy> my openvpn question is: how can it protect my anonymity while still allowing me to access the full range of the internet
16:13 < reiffert> alias of="openvpn --config foo.ovpn"?
16:14 < reiffert> pmguy: openvpn can add a new default route for you, so that ALL traffic will travel through the openvpn tunnel.
16:14 < reiffert> pmguy: is this what ya want?
16:14 < pmguy> yes
16:14 < pmguy> BUT
16:14 < pmguy> is openvpn also a proxy?
16:14 < reiffert> no.
16:15 < pmguy> ok
16:16 < reiffert> so tell the administrator of your openvpnserver: Please add that line to your config, you might want to check out client-config-dir to have that option only for one specific client.
16:17 -!- pmguy [n=ekjsdm@82-34-204-54.cable.ubr13.enfi.blueyonder.co.uk] has left ##openvpn []
16:22 < hagna_> so can I connect a client from behind a stateful firewall to a server that has port 1194 udp open?
16:24 < reiffert> depends on that firewall, might work.
16:24 < hagna_> reiffert: just to test I use the command openvpn --remote josh --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
16:24 < hagna_> on the client
16:39 < ecrist> evening, bitches
16:39 < ecrist> hagna_: most firewalls should allow it, yes.
16:40 < ecrist> keep in mind that udp is a stateless protocol, but there are firewall packages out there that put fake 'state' on udp sessions.
16:40 < ecrist> namely, pf
16:40 * ecrist goes back out to the living room
16:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:44 < hagna_> hmm how do I know it's working or not?
16:47 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
16:48 < hagna_> ping from the client says operation not permitted but the server has RECEIVED PING PACKET in the log
16:55 < hagna_> oh nm when I switched back to tun0 on the client it worked
16:56 < reiffert> :)
17:02 < Kurogane> I have a problem in my vpn. the clients when connect to the vpn is working but i have 2 problems
17:03 < Kurogane> 1. a client can't ping on the ip node (10.10.0.1) give him TTL expired in transit. when say TTL expired in transit on vpn server give him a strange ip (is not setting in anywhere 10.192.68.x) and when ping the client happened the same but with other ip 10.192.68.x
17:03 < Kurogane> 2. if client ping other client give him the same error but only one client not have this problems the others yes.
17:04 < Kurogane> what you think causing this problem? here the config http://pastebin.com/d1b7e3fe8
17:14 < hagna_> how do you turn on ip_forward in freebsd?
17:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:15 < reiffert> hagna_: sysctl
17:16 < hagna_> reiffert: oh dang it is on hmm
17:17 < reiffert> Kurogane: can you please rephrase. Please make short sentences. So people can understand you. Thanks.
17:17 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
17:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
17:22 < hagna_> my setup is A -- B --(vpn)-- C
17:22 < hagna_> on A I ping C
17:22 < hagna_> packets seem to transmit but not return
17:23 < hagna_> forwarding is turned on on B the freebsd box
17:23 < hagna_> running pfsense
17:26 < reiffert> run tcpdump on B to see the packets travel
17:27 < reiffert> tcpdump -n -i en0 proto ICMP
17:27 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Read error: 110 (Connection timed out)]
17:30 < hagna_> reiffert: yep that's what is happening
17:30 < hagna_> tcpdump -n -i em3 proto ICMP shows icmp requests but not responses
17:30 < hagna_> also B has two nics and it's a bridge
17:30 < hagna_> em3 and em2
17:35 < reiffert> And B talks to C over the tun device?
17:36 < reiffert> Well, time to add some network addresses and masks, interfaces and such information for me then.
17:37 < hagna_> ok
17:37 < hagna_> 22:35:36.450273 IP 10.1.2.201 > 10.4.0.1: ICMP echo request, id 25424, seq 1, length 64
17:37 < hagna_> 22:35:37.450059 IP 10.1.2.201 > 10.4.0.1: ICMP echo request, id 25424, seq 2, length 64
17:37 < hagna_> is what I get with tcpdump -n -i tun0 proto ICMP
17:37 < hagna_> when I ping from B to C I get
17:37 < hagna_> 22:36:05.919415 IP 10.4.0.2 > 10.4.0.1: ICMP echo request, id 22888, seq 0, length 64
17:37 < hagna_> 22:36:06.141482 IP 10.4.0.1 > 10.4.0.2: ICMP echo reply, id 22888, seq 0, length 64
17:37 < hagna_> netmasks are all 255.255.255.0
17:38 < reiffert> k, show routing table of C.
17:38 < hagna_> how do you do that on freebsd?
17:38 < reiffert> netstat -nr
17:40 < hagna_> http://pastebin.com/d4667e200
17:40 < reiffert> alright. look.
17:40 < reiffert> When C wants to send an answer it is going to send it to 10.1.2.201
17:41 < reiffert> but it doesnt know what to do with such a packet and sends it to its default gw 166.70.something
17:41 < hagna_> oh interesting
17:41 < reiffert> so what you need is a route back to B
17:42 < hagna_> ahh yes
17:43 < reiffert> btw, I cant find tun0 or 10.4.0.2 on your routing table.
17:44 < hagna_> reiffert: oh that's because the vpn is off
17:45 < reiffert> sigh.
17:45 < reiffert> :)
17:46 < hagna_> http://pastebin.com/d73fdc7d6
17:46 < reiffert> what you need is
17:46 < hagna_> a bigger monitor
17:46 < reiffert> push "route 10.1.2.0 255.255.255.0" in openvpn server config
17:46 < reiffert> and thats it
17:47 < hagna_> since I'm not using config files would I just route -net 10.1.2.0 255.255.255.0 gw 10.4.0.2 ?
17:54 < reiffert> route add -net ...
17:55 < reiffert> you'll need to do this whenever the tunnel comes up.
17:57 < Kurogane> lets try again i rephrase my question
17:57 < Kurogane> I have a problem, when clients are connected to the vpn works fine but I have 2 problems.
17:58 < reiffert> ok, understood.
17:58 < Kurogane> 1. Clients can not ping the vpn lan, if the client makes ping the vpn server in this case (10.10.0.1) shows an error "TTL expired in transit." That shows you an error when given ip 10.192.68.4 ping the server and that IP is not registered with the vpn.
17:58 < reiffert> stop.
17:58 < reiffert> sentence too long parse error.
17:58 < Kurogane> uh?
17:59 < Kurogane> my problem is too complex for simple words
17:59 < reiffert> what exactly is "the vpn lan"?
17:59 < Kurogane> the vpn ip?
17:59 < reiffert> IP or LAN?
18:00 < Kurogane> ip
18:00 < reiffert> So VPN Clients cannot ping the VPN-Server IP?
18:01 < Kurogane> yes and not, yes because give an answer not because reply TTL expired in transit.
18:02 < reiffert> !configs
18:02 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:03 < Kurogane> http://pastebin.com/d1b7e3fe8
18:04 < reiffert> Server OS?
18:05 < Kurogane> Gentoo Linux
18:06 < reiffert> connect a client, then paste:
18:06 < reiffert> ifconfig -a
18:11 < Kurogane> http://pastebin.com/d5938e913
18:13 < Bushmills> TTL expired sounds like a loop to me
18:14 < reiffert> Bushmills: as you can see he is offering 10.10.1.2 to his client, but the client's IP address is 10.8.0.3
18:14 < reiffert> Kurogane: ifconfig -a <- run this on the openvpn server.
18:15 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has quit ["leaving"]
18:17 < Bushmills> can't see that. the DHCP server is 10.8.0.3, client and server are both 10.10....
18:18 < Bushmills> ehm no.
18:18 < reiffert> Bushmills: you are wrong: http://pastebin.com/d5938e913
18:20 < Kurogane> http://pastebin.com/d28c7649a
18:20 < Bushmills> then, why is client ip address 10.8.xx while vpn net has a netmask of /24?
18:21 < Kurogane> Bushmills, huh?
18:22 < reiffert> Kurogane: what are you trying to do, talk to virtual machines?
18:22 < Bushmills> server is 10.10.x.x, pushed route is 10.10.x.0/24, client is 10.8.x.x. should that work?
18:23 < reiffert> Kurogane: http://pastebin.com/d1b7e3fe8 line: 8, 30 and 34: Change that from 10.10.x.x to 10.8.x.x restart the server
18:24 < Kurogane> Bushmills, no. i change the config previously 10.10.x.0/24 and now is 10.8.x.x/24 sorry for confused you
18:24 < reiffert> Kurogane: please, send us new !configs then
18:24 < Kurogane> i send you the good ones
18:25 < reiffert> http://pastebin.com/d1b7e3fe8
18:25 < reiffert> you need to adjust line 8, 30 and 34 in there.
18:27 < Kurogane> http://pastebin.com/d22d7e6bc
18:28 < reiffert> ok.
now it looks like a working openvpn tunnel.
18:28 < reiffert> on the client enter: ping 10.8.0.1 ... works?
18:33 < Kurogane> is not works still give me TTL expired in transit
18:34 < reiffert> Kurogane: windows does not support topology subnet.
18:34 < reiffert> !/30
18:34 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
18:34 < reiffert> !topology
18:34 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
18:34 < Kurogane> but, i shutdown the modem (client) and restart a now it is work the causing is the dam..... modem
18:35 < Kurogane> not works? topology subnet?
18:37 < Kurogane> and that why i upgrade because i need host /24 because the default have openvpn is only /30
18:37 < reiffert> subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local
18:37 < reiffert> IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode
18:37 < reiffert> allocates a single IP address per connecting client and works on Windows as well. Only available when server
18:37 < reiffert> and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topology
18:37 < reiffert> directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When
18:37 < reiffert> used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a
18:37 < reiffert> remote endpoint IP address.
18:38 < reiffert> Ah, sorry, I was wrong.
18:39 < Kurogane> so topology works in linux and windows 100%?
18:40 < reiffert> DOES IT WORK FOR YOU?
18:40 < reiffert> woups
18:46 < Kurogane> yes, but i see is not work 100% is connect and ping now, but does not act as / 24 i can not see in LAN, as with tap device in there i can see in LAN
18:47 < Kurogane> and you asking why not use tap is because i have high lactency
18:48 < reiffert> Kurogane: sorry, but I dont understand your 2nd last sentence.
18:48 < Kurogane> what 2nd last sentence?
18:49 < Kurogane> lactency?
18:49 < Bushmills> lactose allergy?
18:49 < reiffert> that one:
18:49 < reiffert> 00:46 < Kurogane> yes, but i see is not work 100% is connect and ping now, but does not act as / 24 i can not see in LAN, as with tap device in there i can see in LAN
18:53 < Kurogane> the topology feature is create because tun have a problem to work in /24 host right?
18:57 < reiffert> No, because of windows not capable of point to point routes.
18:57 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has left ##openvpn ["Leaving"]
19:10 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
19:15 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has joined ##openvpn
19:16 < hagna> so client connects to server vpn how does the client map the server's subnet into ips that don't conflict with the client's subnet?
19:29 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
19:55 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn
20:24 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
20:40 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has quit [Read error: 110 (Connection timed out)]
21:53 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)]
21:56 -!- Kurogane [i=Kuro@190.53.8.79] has quit ["Saliendo"]
21:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
21:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:03 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
22:09 < rashed2020> Guys, can I have openVPN act as an extension to my local network?
22:09 < rashed2020> So that all connecting clients get an IP that's accessible by any of the local machines
22:34 < krzie> yes
22:34 < krzie> see this page i wrote up describing how
22:34 < krzie> !route
22:34 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
22:34 < krzie> that describes how to hookup lans on either side of the openvpn connection
22:34 < krzie> behind the server and behind the client
22:35 < krzie> you can even connect multiple lans
22:35 < rashed2020> klj
22:35 < rashed2020> I think I disconnected, so if someone answered my question could you please say it again
22:36 < krzie> i worked hard on that, please read the whole thing thoroughly
22:36 < krzie> you didnt disconnect, i just answered you
22:40 < rashed2020> Oh, great! Thank you.
22:42 < krzie> np =]
22:43 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)]
22:49 < rashed2020> krzie: Just one real fast question
22:49 < rashed2020> Wait, you wrote that page, right? So I can ask you something using the example on the page?
23:00 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
23:03 < krzie> you could if i wasnt leaving, bbl
23:03 < krzie> ask it and ill answer later
23:09 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
23:20 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 110 (Connection timed out)]
23:41 < rashed2020> Nah, nevermind. I figured it out.
23:41 < rashed2020> Great howto. Thank you!
23:55 < krzee> np =]
23:55 < krzee> glad it helped you
--- Day changed Sat Mar 21 2009
00:30 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
01:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
03:33 < ecrist> evening, motha fuckas
03:37 < ecrist> krzee: I'm going to rewrite the routing page a bit tomorrow or sunday to be more generic and add some content. you can still claim it as yours, as most of the content will remain the same, but I'll be either adding content to describe redirecting default gateway or adding a page and rewriting the routing page for compat with redirect of default gateway
04:00 -!- KSB [n=chatzill@77.223.78.76] has joined ##openvpn
04:00 < KSB> hello
04:01 < KSB> anyone try to run two VPN-servers on one machine? I run OpenVPN and MPD on same machine, and they serving one subnet, somebody do thing like this?
04:01 < KSB> the problem is bridging between MPD and OVPN clients
04:01 < jpalmer> t/win 21
04:02 -!- KSB is now known as KpeHDeJIb
04:02 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)]
04:02 < reiffert> MPD?
04:03 < KpeHDeJIb> mpd, yes
04:03 < KpeHDeJIb> FreeBSD
04:03 < reiffert> that freebsd ppp vpnd?
04:03 < KpeHDeJIb> Multi-link PPP daemon
04:03 < KpeHDeJIb> for Windows-clients
04:06 < reiffert> bridging those adapters is pointless. those are point to point adapters.
04:07 < KpeHDeJIb> yes I know that is PPP, but how can I route traffic between MPD-clients and OpenVPN-clients?
04:09 < KpeHDeJIb> for instance, I connect to OVPN server from one machine and take IP 192.168.10.10, then I connect from another machine from Windows to MPD and take IP 192.168.10.2
04:09 < KpeHDeJIb> OVPN-client can ping server and Windows-client can ping server
04:10 < KpeHDeJIb> but then I try to ping each other - fail
04:10 < reiffert> put them in different subnets.
04:10 < KpeHDeJIb> hm, and route between subnets?
04:11 < reiffert> y
04:11 < KpeHDeJIb> oh, I don't think about this...
04:11 < KpeHDeJIb> I can try, thx
04:11 < reiffert> Or - use openvpn on windows as well.
04:15 < KpeHDeJIb> the point is use two VPN-servers, if only I could use OVPN on Windows-clients, but I can't, I'm not the person who takes decisions
04:16 < reiffert> security of mppp is bad.
04:16 < reiffert> You just need to capture 3 packets at connection and you can bruteforce on 3des md4.
04:17 < reiffert> at the start of the connection that is
04:17 < reiffert> So if you already run openvpn, it should be easy for the decision makers of switching windows to openvpn as well.
04:18 < reiffert> mac os x also comes with a nice openvpn GUI. windows as well.
04:18 < KpeHDeJIb> yes, maybe I can explain this to them, thx
04:19 < reiffert> can be configured with and without passwords.
04:19 < reiffert> so for those who like to type their password, just encrypt their key with their own password.
04:19 < KpeHDeJIb> ah, yes, I use username/password scheme
04:20 < KpeHDeJIb> and no certificates (
04:21 < reiffert> You should use certificates
04:22 < KpeHDeJIb> only ca.crt
04:23 < reiffert> no client certs?
04:23 < KpeHDeJIb> yes
04:24 < reiffert> well, no security then.
04:24 < KpeHDeJIb> yes
04:24 < reiffert> want security?
04:24 < KpeHDeJIb> this is one of my stupid requirements
04:25 < reiffert> "No security" or "use username + password"?
04:25 < KpeHDeJIb> username and password, and external authenticate script for OpenVPN
04:26 < KpeHDeJIb> because, and this is my favorite place, we can't let one person connect to both VPN-servers at one time
04:27 < reiffert> Use certificates and encrypt the certificate with their password.
04:28 < reiffert> however, you should use certificates and use an additional auth-user-pass-verify if you stick to user/pass.
04:30 < KpeHDeJIb> thx for advice
04:33 < reiffert> welcome
04:35 < reiffert> You are from Yekatarinenburg?
04:35 < KpeHDeJIb> yes
04:36 < KpeHDeJIb> why you asking?
04:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:36 < reiffert> What about the weather in that region, do you still have ice and snow?
04:37 < KpeHDeJIb> ) yes, some snow on the street
04:38 < reiffert> And how long will that weather last in spring? April?
04:41 < KpeHDeJIb> each time is different, for example on the last year at this time we haven't snow or ice on the street
04:41 < KpeHDeJIb> and sry for my english, btw
04:43 < reiffert> Your english is quite well, at least I can understand you :)
04:45 < reiffert> Do people from your region already have asian style faces? Are there many asia lookalike people living in your city?
04:45 < KpeHDeJIb> but April is usually that month when snow on the street is disappearing
04:47 < KpeHDeJIb> no, I see asian-like faces very rarely, usually on China-market :)
04:47 < reiffert> Sounds like a short summer to me. What do people do during short period of summer, going crazy?
04:48 < KpeHDeJIb> yes, we have very short summer, and everyone wants to get vacation in this period, to go away from our country and get some rest )
04:50 < reiffert> People like to go away during summer? Do they travel to the northern regions then (to get more ice and snow)?
04:51 < KpeHDeJIb> btw the climate is quite hard, in the winter we have -40 C and in the summer we have +40 C
04:51 < KpeHDeJIb> :D no of course
04:52 < KpeHDeJIb> but usually our summer is cold, +40C is rare temp
04:53 < KpeHDeJIb> and this is the reason why people fly away to some sunny places
04:54 < reiffert> it sounds like a crazy place to be.
04:55 < KpeHDeJIb> the climate is not our main problem ;)
04:55 < reiffert> heat-pipes during winter?
04:55 < reiffert> No girls?
04:56 < KpeHDeJIb> no we have lots of beautiful girls
04:56 < KpeHDeJIb> :)
04:59 < reiffert> thanks for the nice talking
04:59 < KpeHDeJIb> you are welcome
05:00 < KpeHDeJIb> ok, bye, I go to do my fraking job )
05:00 -!- KpeHDeJIb [n=chatzill@77.223.78.76] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"]
05:39 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Nick collision from services.]
05:39 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
05:39 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Nick collision from services.]
05:44 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
07:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:58 -!- ctx144k_ [n=andre@p5B0DEE55.dip.t-dialin.net] has joined ##openvpn
07:58 < ctx144k_> hello all...
08:02 < ctx144k_> my openvpn-server will get tonight a new ip-address... how should i change the clients remote-address? is there a way to give a fallback remote-address? if the first will not be active, the second will be used?
08:09 < reiffert> !man
08:09 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:09 < reiffert> checkout --remote
08:11 < ctx144k_> thanks
08:38 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
08:40 < Snicks|TWw> hi, i'm trying to create a vpn-connection, using network-manager(ubuntu 8.10), i can't click the ok-button, so i should give more information, but which info is needed?
08:40 < CybDev> !logs
08:40 < vpnHelper> CybDev: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
09:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
09:48 < ecrist> ctx144k_: try using a domain name you can update, rather than an IP address
09:50 < reiffert> ecrist: and what about DNS TTL?
09:50 < ctx144k_> iam trying 2 remote-values in my config...
09:50 < ctx144k_> ill see tonight :)
09:50 < reiffert> ctx144k_: as far as I understand you will have to deploy new configs to every client, dont you?
09:51 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
09:53 -!- sunta49 [n=user@achilles.raytion.com] has joined ##openvpn
09:53 < sunta49> krzie or krzee
09:53 < sunta49> just passin by to say thx for your great tutorial;)
09:54 < sunta49> hi to peru from germany
09:54 < ctx144k_> yes, i did
09:54 < ctx144k_> 90 clients with a new remote ip-address
09:54 < ctx144k_> and the old as fallback....
09:55 < sunta49> !route
09:55 < vpnHelper> sunta49: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:55 < reiffert> ctx144k_: why not just deploy them a config with the new address?
09:55 < ctx144k_> i dont understand...
09:56 < reiffert> ctx144k_: when you have to hand a new config file to 90 clients, why dont you just put in the new ip address into that config file?
09:57 < ctx144k_> i could download every reboot a default vpn.conf... but its too oversized... the changing of the servers ip should configure every day
09:57 < ctx144k_> yes i did
09:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:57 < sunta49> !rout/dis
09:57 < vpnHelper> sunta49: Error: "rout/dis" is not a valid command.
09:57 -!- sunta49 [n=user@achilles.raytion.com] has quit ["Disconnecting"]
09:57 < ctx144k_> i created a new vpn.conf - and deployed on the 90 clients
09:58 < ctx144k_> iam ready with that
10:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:16 < roentgen> !route
10:16 < vpnHelper> roentgen: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
10:29 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
11:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:13 < krzee> that was very nice of sunta49
11:20 -!- ctx144k_ [n=andre@p5B0DEE55.dip.t-dialin.net] has quit ["Verlassend"]
11:53 < reiffert> want a Kleenex?
12:26 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
12:28 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
12:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:56 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
13:05 -!- nemysis [n=nemysis@141-87.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
13:06 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has joined ##openvpn
13:06 -!- mepholic [n=what@hydra.weserv.in] has quit [Remote closed the connection]
13:34 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
13:38 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
14:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:16 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
15:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:46 < mjt> i wonder.. what's the IP address to use on the "other end" of the openvpn tun device -- the fake one?
15:47 < mjt> i don't have any dedicated network for openvpn, but use addresses that are on eth0 interfaces
15:48 < mjt> ie, the same on eth0 and openvpn -- that's on all ends.
15:59 < krzie> depends on your config...
16:02 < krzie> but if using a very standard config, with server 10.8.0.0, then server will be 10.8.0.1 and first client will be 10.8.0.6
16:02 < krzie> because of:
16:02 < krzie> !/30
16:02 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:07 < mjt> i've, say, 192.168.1.1/24 on eth0 on host1, and 192.168.2.1/24 on eth0 on host2
16:08 < mjt> and i'm using THE SAME addresses for the openvpn endpoints too
16:08 < krzie> bad call
16:08 < mjt> don't see why
16:08 < krzie> you understand routing?
16:08 < mjt> this way, each host has only one address
16:08 < mjt> sure
16:08 < mjt> well, i think i am, and guess it depends on what you mean.
16:08 < krzie> you saying that actually works?
16:09 < krzie> cause it sure as hell shouldnt
16:09 < mjt> it works for over 10 years already
16:09 < krzie> ok
16:09 < krzie> *shrug*
16:09 < mjt> and i don't see a single reason why it shouldn't
16:09 < krzie> you're using tun and not tap?
16:09 < mjt> well
16:09 < mjt> it really does not matter much
16:09 < mjt> both ways work
16:09 < krzie> *shrug* ok
16:09 < krzie> whats your question...?
16:09 < reiffert> well, not ok if you ask me.
16:09 < mjt> provided the rest of config is ok
16:10 < mjt> heh
16:10 < krzie> reiffert i agree, but see no reason to argue
16:10 < krzie> lol
16:10 < krzie> if hes happy, fine by me
16:10 < mjt> but i am interested really. why the setup we've here shouldn't work.
16:10 < mjt> the above simple example
16:10 < mjt> with two /24 networks and two nodes
16:11 < mjt> why should not it work?
16:11 < reiffert> mjt: so you are saying that on host 1, eth0 and tun0 got 192.168.1.1?
16:11 < mjt> yes
16:11 < mjt> all ifaces have the same address.
16:11 < krzie> because your internal vpn network should be different than existing networks to not confuse the shit out of routing tables
16:11 < mjt> why there should be any confusion??
16:12 < reiffert> mjt: if you like to reach 192.168.1.100, how does host1 know if he has to send the frame to tun0 or to eth0?
16:12 < mjt> on host 1, network 192.168.1.0/24 gets routed to eth0 and ..2.0/24 to openvpn
16:12 < krzie> exactly
16:12 < mjt> ^^
16:12 < reiffert> krzie: well the question is, if arp who has packets get out on both interfaces.
16:12 < mjt> damn
16:12 < mjt> well.
16:12 < krzie> reiffert hes saying tun
16:13 < mjt> there's no need to arp for the other network
16:13 < mjt> because it's not directly connected
16:13 < krzie> hes also saying host1 has vpn ip in .1.x and host2 has vpn ip of .2.x
16:13 < krzie> which is not possible
16:13 < mjt> trying to arp it means we've error
16:13 < reiffert> then why eth0 got an ip addr at all?
16:13 < mjt> why not possible??? :)
16:13 < krzie> because thats not how tun works...
16:13 < mjt> to be fair, there's no need to assign any address to any interface at all
16:14 < krzie> you're using ptp or server?
16:14 < krzie> how bout this mjt, show us your configs pls
16:14 < krzie> !configs
16:14 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:14 < mjt> internally, on linux at least, assigning 192.168.1.1/24 to eth0 means exactly 2 things:
16:14 < mjt> internally, on linux at least, assigning 192.168.1.1/24 to eth0 means exactly 2 things:
16:14 < mjt> 1) making the host recognize the single address as its own, to answer on pings etc
16:15 < krzie> pete and repeat were on a boat, pete fell off... who was still on the boat?>
16:15 < mjt> and 2) to add a single line to routing table saying that the rest of /24 should arp on eth0
16:15 < mjt> for 1), that address is not associated with eth0
16:15 < reiffert> krzie: the driver
16:15 < krzie> lol reif
16:15 < reiffert> mjt: paste ifconfig -a as well
16:16 < mjt> well, that'd be long
16:16 < krzie> mjt, back to my real question, whats your question?
16:16 < mjt> we've about 50 hosts here
16:16 < reiffert> just do it
16:16 < reiffert> and while being there, netstat -nr
16:16 < krzie> since you're saying everything works, i think this conversation has no point
16:16 < reiffert> argh.
16:16 < mjt> if you want it, i can make a simple 2-host config on pair of virtual machines for that
16:16 < krzie> or is something not working as expected?
16:17 < mjt> well, i had one question, more academical. but now i'm curious why you guys don't understand such a simple thing as routing...
16:17 < krzie> lol
16:18 < krzie> i wrote the comprehensive doc on openvpn routing, and i know reif knows all of it too
16:18 < krzie> but sure, we dont get it ;]
16:18 < mjt> i'm serious
16:18 * reiffert is too
16:19 -!- onats [n=onats@unaffiliated/onats] has quit [Success]
16:19 < mjt> both understand `ip addr add' and `ip route add' commands, right?
16:19 < mjt> on linux
16:19 < krzie> i dont use linux, but im pretty sure i get the point
16:19 < krzie> <-- bsd guy
16:19 < mjt> ok
16:19 < mjt> so lemme paste something...
16:19 < krzie> paste this...
16:19 < krzie> !config
16:19 < vpnHelper> krzie: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
16:19 < reiffert> equal to me, linux >> bsd
16:19 < krzie> err
16:19 < krzie> !configs
16:19 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:20 < reiffert> and ifconfig eth0 tun0, netstat -nr
16:20 < mjt> no, i refuse to paste configs for those systems
16:20 < mjt> i'll sanitize things first
16:20 < krzie> ok then whats our conversation actually going to lead to?
16:20 < reiffert> meanwhile ...
16:20 < krzie> you wanted to know the endpoint for your first client
16:20 < reiffert> anyone into racedriving?
16:20 < krzie> which cant be answered without your config file
16:20 < krzie> reif, im gunna build my new nfs today!
16:21 < krzie> dual core amd64 with 4x1.5TB drives in fbsd8 ZFS raidz
16:21 < krzie> and 8GB ram
16:23 < reiffert> I'm lying down with a terrible cold, watching 12h sebring while trying to migrate a php webserver to a fastcgi+php webserver
16:23 < reiffert> hardware raidcontroller?
16:23 < krzie> nah bro, ZFS raidz
16:23 < krzie> filesystem raid
16:24 < krzie> check out zfs, its fucking sweetness
16:24 < reiffert> heard of it, no native zfs on linux
16:24 < krzie> still experimental in fbsd, but i been using it for a yr and stay up to date about it on freebsd-current maillist
16:24 < krzie> ya its only on solaris, opensolaris, freebsd, and osx
16:25 < reiffert> osx? together with macfuse or native on 10.5?
16:25 < krzie> native read only on 10.5 i THINK, 10.6 they'll get it crackin better
16:25 < krzie> 10.6 is only for improving already existing features from 10.5
16:26 < krzie> ie: making EVERYTHING even network stack and whatnot shared across cores and stuff
16:26 < reiffert> time to get some jobs to get some new hardware, I'm on ancient stuff like 1200Mhz PPC and AMD Athlon 32bit
16:26 < krzie> hehe
16:26 < Bushmills> reiffert, hot lemon with slivovitz tends to help me with those colds
16:26 < krzie> ya i have first gen macbook pro and an old ass amd 2400+ currently
16:27 < krzie> so that amd is getting replaced by amd dual core 64bit, since ZFS really really wants 64bit
16:27 < mjt> http://pastebin.com/m115538f3 -- here
16:27 < krzie> and ill stop using my laptop as my primary desktop
16:27 < krzie> oh, and i grabbed a 42" sharp aquos to be my new monitor
16:27 < krzie> =]
16:27 < reiffert> Bushmills: it looks like I'm suffering from a virus, I doubt alcohol will fight the virus down, but Ute already got me some Honey and ginger-tea
16:28 < krzie> #
16:28 < krzie> ifconfig 10.0.1.1 10.0.2.1
16:28 < krzie> #
16:28 < krzie> route 10.0.2.0 255.255.255.0 # why openvpn does not understand /24?
16:28 < krzie> #
16:28 < krzie> ifconfig-push 10.0.2.1 10.0.1.1
16:28 < krzie> #
16:28 < Bushmills> during my munich stay i liked to serve hot apfelkorn
16:28 < krzie> push "route 10.0.1.0 255.255.255.0"
16:28 < krzie> there we go
16:28 < krzie> you arent using 192.x for internal vpn ips
16:28 < krzie> told you so!
16:28 < mjt> s/10.0/192.168/g
16:28 < Bushmills> deadly stuff
16:28 < mjt> less typing
16:29 < krzie> lol
16:29 < krzie> whatev
16:29 < krzie> these configs arent even real *ignores*
16:29 < krzie> plus its ptp, very different than anything i was talking about
16:29 < krzie> i was talking about server
16:29 < mjt> add one more client
16:29 < mjt> and it will be server
16:30 < krzie> negative
16:30 < mjt> and here will be my question
16:30 < mjt> ok
16:30 < krzie> ptp setup doesnt do 3 ways
16:30 < krzie> and doesnt have clients
16:30 < krzie> or servers
16:30 < krzie> just 2 peers
16:30 < mjt> exactly
16:30 < mjt> so what's the p2p addy to use? ;)
16:30 < mjt> here was my first question ;)
16:30 < Bushmills> mjt, that's the proverbial pearls for pigs, as you discovered that those guys know zilch about routing anyway
16:30 < krzie> on 1 side its 10.0.1.1, on the other its 10.0.2.1
16:31 < Bushmills> :P
16:31 < mjt> yes
16:31 < krzie> and there will be no 3rd side
16:31 < krzie> if you want to use 3, need server statement instead, and need to use a diff network for internal vpn stuff
16:31 < mjt> false
16:31 < krzie> Bushmills you have a clue what you're talking about?
16:31 < krzie> mjt, ok... proive me wrong
16:31 < krzie> prove
16:31 < Bushmills> routing .. hmm .. that's what people use a GPS for ?
16:32 < mjt> 00:29 < krzie> these configs arent even real *ignores*
16:32 < mjt> how?
16:32 < krzie> that is NOT a full config file
16:32 < krzie> just some bs you whipped up for the sake of argument, not what was asked for
16:32 < mjt> ok
16:32 < mjt> moment.
16:32 < krzie> but anyways, its a moot point
16:33 < krzie> cause now i know its ptp
16:33 < krzie> ptp you can do what we said you couldnt, but you cant have a 3rd peer
16:33 < krzie> without another openvpn instance at least
16:33 < krzie> cause theres no server
16:33 < Bushmills> krzie, think so. i forgot the ... tags
16:34 < krzie> if you want more than a peer to peer, you need to use server/client setup and use a separate network for internal vpn
16:34 < krzie> Bushmills, ahh
16:34 < krzie> ;]
16:34 < reiffert> or several openvpn instances.
16:35 < reiffert> plus some interesting algorithm to get from one "client" to another.
16:35 < mjt> http://pastebin.com/m608a9eb7
16:36 < krzie> if you can push routes in ptp that would handle that, but could potentially get ugly to manage
16:36 < mjt> 3 hosts, with server
16:36 < mjt> so 3rd peer
16:36 < krzie> just use the server statement, will make your life easier
16:37 < krzie> !sample
16:37 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:37 < mjt> my question was about how to choose that fake p2p address... academical question, i wanted some network that's unroutable now and in the future... ;)
16:37 < reiffert> http://speed.edgeboss.net/wmedia-live/speed/8999/300_speed-lms_video_1_050720.asx
16:38 < vpnHelper> Title: American Le Mans SeriesAmerican Le Mans SeriesAmerican Le Mans Series (at speed.edgeboss.net)
16:38 < reiffert> for the flash guys: http://almsacura.globalmediaservices.tv/
16:39 < vpnHelper> Title: SpeedTV (at almsacura.globalmediaservices.tv)
16:39 < mjt> krzie: --server introduces that fake openvpn network, -- exactly the thing i don't see reason to have...
16:39 < reiffert> and the live timings http://www.americanlemans.com/index_live.php
16:42 < mjt> krzie: so can you explain why do you think p2p can't have 3rd peer?
16:43 < krzie> its peer to peer
16:43 < mjt> and?
16:43 < krzie> not peer to peers
16:43 < mjt> it's the interface which is p2p
16:43 < krzie> thats how it was made...
16:44 < mjt> so you refuse to make your points?
16:44 < mjt> or for proof you need my real configs?
16:44 < krzie> lets just put it this way, if you're doing it im happy for you
16:45 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
16:45 < mjt> well, you're here telling people how to do things. And you're telling them wrong. And refuse to describe why you're saying what you say?
16:45 < mjt> that's nice of you.
16:45 < mjt> and selfish.
16:46 < krzie> all docs ive read say im right
16:46 < krzie> which is what i go by
16:46 < mjt> openvpn docs?
16:46 < krzie> the manual + howto
16:46 < mjt> yeah
16:46 < reiffert> mjt: erm, I think you've made it to one corner of a possible configuration, are you proposing to send all people into that corner?
16:46 < krzie> if you made it work differently than they say it works, im happy for you and surprised
16:47 < krzie> as for me, ill point people to the solutions the developers intended
16:48 < mjt> krzie: do you have good understanding of how routing works on bsd? Because i want to understand if linux is different here or it's just that only very few people understand the things (so that there's no docs)
16:48 < krzie> (as i have been for over a yr or 2 now)
16:49 < krzie> standard routing, sure... i dont use any special routing protocols or anything as i have yet to have a need for them
16:49 < krzie> i havnt dug into the code or anything, but ive accomplished everything ive set out to do
16:49 < mjt> what i have in mind is the p2p *interface* (not necessarily related to openvpn), or, rather, the "peer" address of it (like ifconfig foo 1.2.3.4 pointopoint 4.3.2.1)
16:50 < mjt> what it is used for in routing in bsd
16:52 < krzie> route add -host 1.2.3.4 4.3.2.1
16:52 < mjt> to make long story short. I had a p2p tunnel between two hosts, and i always used the same IP addresses on eth0 and on p2p iface as i described above (not openvpn and pure p2p, think ppp). And once I had to move one endpoint to another host, but wasn't able to reconfigure the remote end.
16:52 < krzie> you're using such a nonstandard setup i may not be of much help, as i thought it wouldnt work in openvpn
16:52 < mjt> so it was 10.0.0.5 on my end, both ppp and eth0. And i had to move it to machine with ip 10.0.0.9.
16:53 < krzie> im more accustomed to what the developers had in mind
16:53 < mjt> obviously i wasn't able to assign .5 on my end of ppp on that new machine, because that way real .5 will be inaccessible.
16:53 < krzie> you say what you're doing works, so im happy for you on that, but i sure didnt expect it to work
16:53 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
16:54 < mjt> so i assigned .9 to it. the other end was thinking we've .5 here, but we didn't, but we had ANOTHER machine with .5.
16:54 < mjt> and on the other end.. i pinged .5, and it.. worked.
16:54 < mjt> and i started thinking why.
16:54 < krzie> see how much easier it would be to just use server with an internal vpn network and a correct routing setup? :-p
16:54 < krzie> !route
16:54 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:55 < krzie> why you're against using openvpn as the devs intended is beyond me, do you expect to gain some sort of security from doing it that way?
16:57 < mjt> the thing is, for the remote, the endpoint (.5) meant NOTHING. It sent packets to the tunnel without saying it meant to send it for .5 as on an ethernet segment (nexthop). our end didn't know to which nexthop the remote sent it either - it just was receiving packets destined for given IP and routed it - .5 for another machine on ether segment etc.
16:58 < mjt> but ok
16:58 < krzie> so your setup didnt work as intended at all times...? im shocked
16:58 < mjt> i think it's not interesting to you
16:58 < mjt> it was
16:58 < reiffert> just go on, I'm still reading.
17:00 < mjt> blah. rc15 now warns me about missing --keepalive for server.
17:00 < mjt> but --keepalive does not work correctly for a server with static ip.
17:01 < krzie> how so?
17:02 < mjt> in case ping went w/o reply i want the server to "close" the connection with the client instead of looping forever filling logs with connection-retries.
17:03 < krzie> ahh, keep-alive expands to have ping-restart
17:03 < krzie> its doing what it should
17:03 < mjt> --keepalive expands to --restart, i need --exit
17:03 < krzie> but there is an option for what you want, lemme find it for ya
17:03 < krzie> !man
17:03 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:03 < mjt> man openvpn works ;)
17:03 < krzie> sure does, but im at work
17:04 < mjt> aha, here we go
17:04 < mjt> --server example in the manpage
17:04 < krzie> --ping-exit n
17:04 < mjt> yes
17:04 < krzie> openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
17:04 < krzie> when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged.
17:05 < mjt> lol
17:05 < mjt> 01:03 < mjt> --keepalive expands to --restart, i need --exit
17:05 < mjt> i meant --ping-exit and --ping-restart
17:05 < krzie> cool, so you know what you want
17:05 < mjt> openvpn complains that --keepalive is missing in server config
17:05 < mjt> and THAT i don't want ;)
17:05 < krzie> just ignore the complaint... it still runs doesnt it...?
17:06 < mjt> sure
17:06 < mjt> heh
17:06 < krzie> its there for those who know less than you
17:06 < mjt> looks like i'm not good at describing things...
17:06 < krzie> you know enough to ignore that
17:07 < mjt> and here for my first question -- see --server in the manpage. be it net30 or p2p (note p2p here for a server - it's for something, you said p2p is only 2 peers)
17:08 < krzie> --server implies it is NOT ptp
17:08 < mjt> --topology p2p, and the interface is POINTOPOINT (it's the flag, in all caps)
17:08 < mjt> can you say why 10.8.0.2 is used here?
17:08 < mjt> do you see it's 100% fake and dead?
17:08 < krzie> !/30
17:08 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
17:09 < krzie> explained in detail there
17:09 < krzie> first link
17:09 < krzie> can be avoided with:
17:09 < krzie> !topology
17:09 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
17:09 < mjt> krzie: it's not a question from someone who does not understand it.
17:09 < mjt> i'm asking if YOU understand it ;)
17:09 < krzie> can you say why 10.8.0.2 is used here?
17:09 < krzie> do you see it's 100% fake and dead?
17:09 < krzie> yes, and i pointed to the explanation
17:10 < krzie> it was only done that way as a hack around lame windowsness
17:10 < krzie> as explained in http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
17:10 < vpnHelper> Title: New subnet topology feature ready for testing: msg#00020 network.openvpn.devel (at osdir.com)
17:10 < krzie> til they found a better way and made topology subnet
17:11 < mjt> lame windowsness. ok, that's good explanation
17:11 < krzie> i gave links
17:11 < mjt> yeah
17:11 < krzie> i dont need to repeat them
17:11 < mjt> that's good explanation, and i mean that, no sarcasm
17:12 < mjt> because now i understand that things i'm doing here aren't quite possible on 'doze
17:12 < mjt> hence, i think, all the docs say to use "traditional" ways, compatible with doze.
17:13 < krzie> makes sense
17:13 < mjt> i've seen that message when looking at the topology thing about a week ago
17:13 < mjt> that your message that is
17:13 < mjt> was trying to understand why it looked so.. hackish, so to say
17:14 < mjt> (still in my browser cache :)
17:14 < krzie> hehe
17:16 < mjt> "If all O/S would have supported true PtP links over the tun interface, this could have been done with the OpenVPN server using only one IP address and each client using another IP address."
17:16 < mjt> that's what i'm using here
17:17 < krzie> gotchya
17:17 < mjt> and it really does not matter if that one ip address is also used on eth0 or even lo (if it's not 127/8)
17:17 < mjt> ok
17:18 < krzie> welp, that explains why i never seen your setup used
17:18 < krzie> and i think you found the answer to your question as well
17:18 < krzie> so everyones happy
17:18 < mjt> heh yeah ;)
17:19 < krzie> except reif, hes still sick =/
17:20 < reiffert> I'm fine, watching a heavy weight boxing match and 12h of sebring at the same time
17:20 < mjt> krzie: what i really wanted after seeing your replies/suggestions is just to bring this stuff to your attention. That one-IP-per-host-doesn't-matter-if-used-elsewhere.
17:20 < mjt> and my question went unanswered. but it's academical anyway.
17:21 < krzie> watching the gomez fight?
17:21 < reiffert> yep
17:21 < reiffert> klitschko doesnt look well, much too defensive in the 1st 3 rounds
17:21 < krzie> yup i got it on too
17:22 < reiffert> still open end, I think fitness will decide
17:22 < reiffert> s,,endurance,
17:22 < krzie> klitschko was a HUGE favorite too
17:23 < krzie> like - 8 dollars
17:23 < mjt> hmm. I can use anything from 127/8 for that fake address.
17:24 < reiffert> let's estimate time differences between you and me, it'm at 1:22 17:24 < reiffert> 1:20 17:24 < reiffert> :15 17:24 < reiffert> 1:10 17:24 < krzie> 6:20ish here (pm) 17:24 < reiffert> 1:00 17:24 < krzie> im on EST right now 17:24 < reiffert> the fight round timer ... 17:24 < reiffert> 0:30 17:25 < reiffert> 0:20 17:25 < krzie> ohhh 17:25 < krzie> lol 17:25 < reiffert> 0:10 17:25 < krzie> 20 17:25 < krzie> (im on satelite) 17:25 < reiffert> 0 17:25 < reiffert> I'm on satelite as well 17:25 < krzie> 0 17:26 < krzie> you got a few seconds on me 17:26 < reiffert> aprox. another 10 secs, more than I was expecting (2-3s) 17:26 < krzie> and less than a sec of lag between us 17:26 < krzie> ... CTCP PING reply from reiffert: 0.996 seconds 17:28 < mjt> btw, is there a way to call real `route' or `ip' command but without using script? 17:28 < mjt> instead of using the wrapper provided by --route 17:29 < mjt> (why not script is -- when it all is in one config file it's easier to understand) 17:29 < krzie> by without using script, you mean without calling an external script, or without using the wrapper? 17:30 < krzie> (or both) 17:30 < mjt> there are 2 ways to set up routes: using --route and using --up script and doing it all there 17:30 < mjt> (or both) 17:30 < krzie> i believe ive seen what you want 17:31 < mjt> when using --up all the stuff is within that script, not visible from the config 17:31 < krzie> lemme give a look in a min 17:31 < krzie> its busy here for a min 17:31 < mjt> but --route is very limited wrapper... ;) 17:31 < mjt> and if there's quite some routes to set up, it all becomes somewhat clumsy. maybe just for me who used openvpn for a few days only. 17:33 < mjt> and oh, i've one more question too. Which probably should go to the mailinglist -- I asked it here already... 17:33 < reiffert> without a vpn subnet? 17:33 < mjt> hmm? 
17:33 < mjt> ah 17:34 < mjt> well, it makes no difference really - imagine there are many clients with their own LANs, so all the routes has to be specified anyway. 17:34 < reiffert> SCNR 17:34 < krzie> !factoids search route 17:34 < vpnHelper> krzie: 'winroute', 'iroute', 'router', and 'route' 17:34 < mjt> !router 17:34 < vpnHelper> mjt: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 17:34 < mjt> lol 17:34 < reiffert> krzie: That round was close to a KO for both. 17:35 < reiffert> krzie: worth watching next rounds. 17:35 < mjt> !winroute 17:35 < vpnHelper> mjt: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 17:37 < mjt> krzie: you know the code a bit? Where it descides that it does not know the destination IP address in a packet it just read from the tun device and discards it? I want it to return ICMP host unreach or something in that case instead of dropping the packet. 17:41 < krzie> i sure dont 17:41 < krzie> =/ 17:42 < krzie> what i was looking for was the limit for adding routes 17:42 < krzie> !factoids search limit 17:42 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB 17:42 < krzie> there it is! 17:42 < krzie> but i guess thats for pushing routes, maybe not for adding them 17:45 < krzie> looks like the up script may be what you gotta settle for, i cant find the option im looking for right now 17:47 < mjt> there was some other option? 
17:48 < mjt> route-up, route-method 17:48 < krzie> i coulda sworn i saw a way to specify how to add the routes, but i may have been thinking of this 17:48 < krzie> --route-noexec 17:48 < krzie> Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables. 17:49 < krzie> which isnt what you want 17:49 < krzie> --route-method is for windows 17:49 < mjt> well, that's too much attention for mere 'cosmetic' thing, i think 17:50 < krzie> agreed 17:50 < mjt> nothing wrong with --up script 17:50 < krzie> i think an up script is the best 17:50 < krzie> yup 17:51 < krzie> hey look at that, we agreed! 17:51 < krzie> ;] 17:52 < mjt> ;) 17:53 < mjt> "WARNING: 'ifconfig' is present in local config but missing in remote config" -- that's just because it didn't --pull ;) 17:53 < mjt> looks like i'll go patch all those warnings again. 17:53 < mjt> just too much noise in logs. 17:55 < krzie> --ifconfig-nowarn 17:56 < mjt> aha! 17:56 < krzie> --disable-occ 17:56 < krzie> Don't output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one peer uses --dev tun while the other peer uses --dev tap. 17:57 < mjt> that --ifconfig one is really useful 17:57 < mjt> thanks! 17:57 < mjt> so far all its warnings is false alarms here. 18:02 < krzie> np 18:02 < krzie> ya they're useful for new users using standard setups 18:04 < mjt> like --keepalive one? :) 18:04 < krzie> exactly like that 18:05 < mjt> or new (in rc14) --script-security warning (3 variants of it) which cant be turned off at all? 
:) 18:05 < krzie> ya that ones important, many peoples stuff breaks because of that new feature 18:06 < krzie> (until they add --script-security that is) 18:06 < mjt> it already logs a warning when it actually comes to execution of a script 18:07 < mjt> no need to warn beforehead, "just for sake of warning" 18:07 < mjt> (i had to patch the whole thing out) 18:10 < ecrist> evening, fuckers 18:10 < mjt> heh 18:10 < mjt> before it was "kids". Now its something else. what next ? :) 18:11 < ecrist> usually it's fuckers or bitches 18:11 < ecrist> kids comes out when I'm either tired or not feeling well. ;) 18:11 < krzie> lol 18:11 < krzie> g'evening 18:11 < krzie> im finally back to the island, now im paying for the length of my vacation 18:11 < krzie> it was a lil bit extended 18:12 < ecrist> lol 18:12 < krzie> (stayed gone 2 months instead of 1) 18:12 < mjt> hmm 18:12 < mjt> !router 18:12 < vpnHelper> mjt: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 18:13 < krzie> every factoid on that bot comes from needing to be said (usually many times) 18:13 < krzie> lol 18:13 < mjt> so openwrt guys package openvpn wiht logging turned off by default? 18:13 < ecrist> krzie: when will you fix my bot access? 18:13 < krzie> "please post your logs" "i dont have any" 18:13 < krzie> sorry ecrist, ill get to it soon i promise 18:14 < krzie> mjt, they need to, very small filesystem cant handle logs 18:14 < krzie> it logs nothing 18:14 < mjt> ever heard of logrotate or busybox's in-memory log buffer? 18:14 < krzie> prolly doesnt even run sysylog at all 18:14 < mjt> it does 18:14 < ecrist> mjt: it's still a performance hit, regardless 18:15 < reiffert> nextversion openwrt comes with in-memory buffer logs. 18:15 < krzie> mjt, i dunno man... i dont use any of that stuff... 
i just know that its common that people running that asking for help dont have logs til i say !router 18:15 < mjt> i use it (openwrt) here and hacked kernels for it before... 18:16 < mjt> (but not used openvpn - only vtun, -- which I modified quite alot before too, when it was with Max still) 18:16 < krzie> mjt, then we'ld likely never need to type !router at you 18:17 < mjt> ;) 18:18 * ecrist goes to play CoD 18:18 < krzie> cash on delivery! 18:18 < reiffert> ecrist: 4 or 5? 18:19 < mjt> i wonder why explicit-exit-notify does not work... looking at the code again... 18:20 < krzie> heh, i somehow never saw that option before 18:21 < mjt> the server never notices the client has quit even if explicit-exit-notify is set. 18:22 < krzie> and you're using udp, right? 18:22 < mjt> yes 18:23 < krzie> no ideas here 18:23 < mjt> the server receives the packets (both, as i used 2 for notify) 18:23 < krzie> quitting with CTRL C, kill -9? 18:23 < krzie> or like ping-exit 18:23 < krzie> ahh so they are sent 18:23 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 18:31 < mjt> so it really should be --up. 
because of this: 18:31 < mjt> ERROR: Linux route delete command failed: could not execute external program 18:32 < mjt> (that's because it's chrooted and run as user - it will not be able to modify routes anuyway) 18:32 < krzie> that would be --down, but will still have the same problem 18:33 < krzie> unless you give the user to access it, or call sudo from within the script and give the user access that way 18:33 < mjt> if i use --route it has the above problem 18:33 < mjt> so the solution is to use --up instead of --route 18:33 < krzie> it'll still have that problem 18:33 < mjt> no 18:33 < krzie> well kinda 18:33 < mjt> it will not error out in logs 18:33 < mjt> which is the only prob 18:33 < krzie> it wont attempt to delete the routes 18:33 < krzie> oh ok 18:34 < krzie> then correct 18:34 < mjt> routes will be deleted automatically together with interface. 18:34 < mjt> like malloc'ed memory with the process ;) 18:35 < krzie> ahh ok, you're using dynamic interfaces =] 18:35 < mjt> no 18:36 < krzie> if the interface gets removed on exit you are 18:36 < krzie> (static would be made with openvpn --mktun) 18:36 < mjt> yup 18:38 < mjt> and so i need something in-between verb 0 and verb 1. 18:38 < krzie> the warnings are that much of a bother? dont they only occur on connect? 18:39 < mjt> to log connects/disconnects but not all the other cruft (reusing/lzo initalized) 18:39 < mjt> when they connect/disconnect all the time... ;) 18:40 < krzie> ahh, i take it you log to syslog and tail your syslogs...? 18:40 < krzie> i could see it being annoying in that situation 18:40 < mjt> that or just search for particular events and what was around them 18:40 < mjt> and WARNING and ERROR in logs scares me 18:41 < mjt> my eyes are trained to be able to catch those in a log being cat'ed onto the screen.. 
;) 18:41 < krzie> haha 18:41 < krzie> i dont actually get any warnings 18:41 < krzie> but i use very standard style setups 18:41 < krzie> (as we went over earlier, lol) 18:42 < krzie> in fact !sample is from me, but dummied down a lil) 18:42 < mjt> heh 18:42 < mjt> . o O { Dummied down } 18:42 < mjt> i like that "term" 18:43 < mjt> (english isn't my native language) 18:48 < krzie> ahh, you speak it well 18:48 < mjt> don't tell me how i *speak* it as you don't know.. and believe me, you really don't! :) 18:48 < mjt> lol 18:49 < krzie> well you type it well *shrug* 18:49 < mjt> (i don't know how to pronounce half the words) 18:49 < mjt> ;) 18:49 < krzie> those of us that spend too much time online usually just call it talking although it is typing 18:50 < krzie> but your spelling and grammar is better than many native english speakers on IRC 18:56 < mjt> heh thanks. Some time ago when I was new on IRC it was difficult for me to understand what others says, esp. various shorthands (ur a here). So I was thinking that my statements are also difficult to understand, and tried to use accurate language... ;) 18:57 < mjt> lol. 18:57 < mjt> --up ip route add foo bar baz # 18:57 < mjt> the `#' at the end to stop `ip' from recognizing the stuff passed by openvpn :) 18:58 < mjt> (actually doesn't work) 18:58 < krzie> nope, gotta toss it into a script 18:58 < krzie> good try tho 19:01 < mjt> heh 19:01 < mjt> it works 19:01 < mjt> has to be in quotes 19:01 < krzie> ahh 19:01 < mjt> --up "foo bar baz #" 19:01 < krzie> i had tried something similar before and it didnt, i guess i never tried quotes 19:02 < krzie> duely noted 19:02 < krzie> you may not need the # with the quotes 19:02 < mjt> without # it passes all the rest as described in man for --up 19:03 < mjt> ..in which case all OpenVPN-generated arguments will be appended to cmd to build a command line which will be passed to the shell. 19:04 < mjt> the # gets interpreted by the shell. 
19:05 < krzie> werd 19:07 < mjt> and it wont work on windows! :) 19:08 < krzie> ya no ip command hehe 19:08 < krzie> and # may not be a windows comment, dont rememeber 19:08 < krzie> but --route will work ;) 19:08 < krzie> then again, most your setup doesnt work on windows anyways 19:09 < krzie> so why stop now! 19:12 < mjt> eh. so now i see why using 127.something for that fake p2p "endpoint" IP didn't work. 19:13 < mjt> ..because --route is not able to specify the device and by default 'lo' was used. 19:13 < mjt> now it all works. 19:14 < mjt> i used 127.1.2.3 (arbitrary) for the ovpn `endpoint' on the server (instead of 10.8.0.2 as in --server example in the manpage) 19:15 < mjt> and routed all the client networks "via" it 19:15 < mjt> fun. 19:17 < mjt> 192.168.1.0/24 via 127.3.2.1 dev vrgs src 10.77.240.9 19:17 < mjt> (the key word was `dev' which --route does not provide) 19:18 < mjt> heh. 19:18 < mjt> --up accepts an inline script too 19:18 < krzie> the string *dev* doesnt even appear in bsd manpage for route 19:19 < mjt> --up "for r in 1/2 3/4 5/6; do ip route add $r via $ifconfig_remote dev $dev; done #" (don't forget #) 19:19 < mjt> it can't be.. lemme look at it... 19:19 < mjt> hmm 19:19 < krzie> well its easy to tell, /dev and no matches 19:19 < mjt> i used to avoid /30 networks on real ethernet, and it worked on freebsd too 19:20 < mjt> ip addr add $foo/32 dev eth0; ip route add $gw/32 dev eth0; ip roue add default via $gw 19:20 < krzie> oh bleh 19:20 < krzie> -interface 19:20 < krzie> hehe 19:20 < mjt> yeah 19:21 < mjt> route [-v] [-A family] add [-net|-host] target [netmask Nm] [gw Gw] [metric N] [mss M] [window W] [irtt I] [reject] [mod] [dyn] [reinstate] [[interface] If] 19:21 < krzie> helps when i look for the right string ;] 19:23 < mjt> so in terms of route.. 
route add -host $gw dev eth0; route add default gw $gw 19:23 < mjt> er s/dev/interface/ 19:24 < krzie> s/dev/-interface/ 19:24 < mjt> linux accepts all 3 forms it sems 19:24 < mjt> ok it's enough for today -- it's 03:24 here already, night 19:25 < krzie> gnite 19:25 < mjt> thank you for my good mood! bbl 19:25 < krzie> haha, later 19:26 * krzie enters ecrist's game and shoots him, then leaves the game 19:26 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Nick collision from services.] 19:27 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 19:43 < ecrist> sup guys 19:44 < ecrist> reiffert: world at war 19:44 < krzie> just recovering from learning about mjt's setup, you 19:44 < krzie> ? 19:45 < ecrist> lots of people cheating with lag switches tonight 19:45 < krzie> cheaters! 19:45 < ecrist> world at war is smart enough to end the game when it detects it, so in the last couple hours, I've only been able to complete about 4 matches. all the others exited due to 'poor connection quality to the host' 19:47 < ecrist> sweet, my mn tax return came is last night 19:47 < ecrist> extra $1200 in the bank. :D 19:47 < krzie> why cant it just boot the ofender...? 19:48 < krzie> 1200, sweet! 19:48 < ecrist> the only system a lag switch works for it the one hosting the game. if you boot the host, the game is over. 19:48 < krzie> thats 10 1.5 TB hds 19:48 < ecrist> xbox live 19:48 < krzie> oh i see 19:48 < ecrist> a host is randomly chosen at the start of a match 19:48 < krzie> i dont play games so im not savvy to that 19:49 < ecrist> my backup server has 2 750GB drives in mirror, all I need. 19:49 < krzie> im tossing 4 1.5's into my NFS tonight 19:49 < krzie> (into my new nfs) 19:50 < ecrist> I don't have anything in which I need that much space. 
19:50 < ecrist> my two macs back up to a single 250GB drive 19:52 < ecrist> now, the backup server at work is a sexy beast, IMHO 19:52 < ecrist> 12x500GB SATA2 drives in RAID 60 19:52 < ecrist> faaaaast 19:54 < krzie> hrm never seen a 60 19:54 < krzie> seen a 50 19:54 < ecrist> fucking sweet. Theo et al finally pulled their heads out of their asses and made chroot part of base openssh. 19:54 < krzie> but i get the idea 19:54 < krzie> 6/0 19:54 < ecrist> 60 is a 50 with an extra parity drive 19:54 < krzie> ahh gotchya 19:54 < krzie> that makes me wrong then, lol 19:55 < krzie> so its striped 5's with an extra parity-only drive...? 19:55 < ecrist> bye bye to our proprietary ssh server. 19:55 < ecrist> right, RAID 5 is a stripe with one parity. RAID 6 is a stripe with 2 parity. 19:56 < ecrist> and RAID 0 is a stripe, put it together, you've got two RAID 6s striped together, each with two parity drives. 19:56 < ecrist> essentially, I can lose 4 disks, simultaneously out of the 12, and still be operational. 19:56 < krzie> hardcore 19:56 < ecrist> did I mention it's fast? 19:57 < krzie> nope, but you mentioned its faaaaast 19:57 < ecrist> price tag for that box was just this side of $11k 19:57 < ecrist> much of that was the ass-raping for 'universal sata drives' from dell. 19:57 < ecrist> :\ 19:58 < ecrist> they won't sell just the hot-swap caddy. gotta buy a drive with them. 500GB SATA2 drives were $350 each, or so. 19:58 < ecrist> boss didn't seem to care, so why should I? :) 20:04 < krzie> for sure 20:04 < krzie> and you KNOW that data is safe 20:04 < krzie> short of a fire 20:04 < krzie> (or something similar) 20:04 < ecrist> we do off-site backups for that. 20:04 < krzie> then again with that kinda onsite backup im sure you have offsite too 20:04 < krzie> hehe exactly 20:10 < ecrist> well, I'm out. going to party tonight. 
ttyl8r 20:11 < krzie> sweet, have fun 20:14 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 20:20 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Read error: 113 (No route to host)] 20:29 -!- mepholic [n=what@hydra.weserv.in] has joined ##openvpn 21:01 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 21:49 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has joined ##openvpn 21:50 < hagna> so if the vpn client is not the gateway of the lan how do the other machines on the lan know how to route across the vpn for the remote? 21:51 < hagna> I'll assume one remote in this case 21:53 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 21:56 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Client Quit] 22:16 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 22:24 < krzie> !route 22:24 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 22:24 < krzie> see the bottom 22:24 < krzie> under the picture 22:39 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 22:56 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Sun Mar 22 2009 01:54 -!- znoG [n=gs@host167.190-31-166.telecom.net.ar] has quit [Read error: 60 (Operation timed out)] 01:56 -!- znoG [n=gs@host24.190-226-185.telecom.net.ar] has joined ##openvpn 04:14 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection] 04:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:35 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 05:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 05:02 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [] 05:22 -!- nemysis 
[n=nemysis@75-240.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 05:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 05:29 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has joined ##openvpn 05:29 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection] 05:29 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 07:12 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 07:13 < reiffert> Bushmills: might be intresting for you as well:# 07:13 < reiffert> I got a public root server with a public /29 net. I was bridging eth0 and tap0 to br0 and connecting a client (my laptop) 07:14 < reiffert> now my laptop got a public IP address 07:17 < reiffert> Is this possible without bridging and redirect-gateway? 07:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:52 < ecrist> morning folks 08:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:17 < reiffert> hi ecrist 08:19 < ecrist> morning, reiffert 08:26 -!- waxman [n=cfluegel@static.88-198-83-123.clients.your-server.de] has joined ##openvpn 08:26 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 08:27 -!- waxman [n=cfluegel@static.88-198-83-123.clients.your-server.de] has left ##openvpn [":q"] 08:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:12 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has quit [Connection timed out] 10:13 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has joined ##openvpn 10:14 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 10:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 10:31 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 11:07 -!- scott_ [i=scott@207.126.166.46] has joined ##openvpn 11:07 < scott_> I can seem to connect to the openvpn but then I'm unable to surf the internet 11:07 < scott_> What could 
cause this? 11:09 < Bushmills> scott_, your inability to read topic 11:09 < scott_> Firewall is disaled 11:09 < Bushmills> try the "route" bit 11:10 < scott_> this was being tested on a dedi serv 11:10 < scott_> !route 11:10 < vpnHelper> scott_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 11:10 < Bushmills> scott_, try http://scarydevilmonastery.net/masq 11:11 < scott_> thx 11:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:13 < scott_> hrmm 11:13 * scott_ activates ip forward 11:14 < scott_> i'm using push "redirect-gateway" so I can use the vpn to connect out to anywhere I want 11:14 < ecrist> scott_: you'll need proper NAT set up as well 11:15 < scott_> Yeah I'm nat'ing the vpn ips 10.x.x.x over the external interface 11:15 < scott_> and the vpn interface "tun0" I'm allowing everything on it 11:15 < scott_> I can connect I even get assigned a 10.x.x.x ip 11:16 < scott_> just cant connect to anything afterwards 11:16 < Bushmills> server masq config, extremely likely 11:16 -!- scott_ [i=scott@207.126.166.46] has quit [Read error: 131 (Connection reset by peer)] 11:16 -!- scott_ [i=scott@gotpot.org] has joined ##openvpn 11:17 < scott_> just loaded the firewall up again 11:17 * scott_ connects again 11:20 < scott_> newp even still 11:20 < scott_> deny's my internet's 11:22 < ecrist> scott_: sounds to me like your NAT is broken 11:24 < scott_> eouch 11:24 < scott_> nat on $ext from $vpn_net to any -> ($ext) 11:25 < scott_> $vpn_net="10.x.x.x/24' 11:25 < scott_> $vpn_net="10.x.x.x/24" 11:27 < ecrist> looks like pf, freebsd? 11:28 < ecrist> can you post your configs? 11:28 < scott_> yep 11:28 < scott_> sure 11:28 < scott_> just a sec 11:28 < scott_> what my pf.conf/openvpn.conf? 
11:33 * scott_ tries to get them rdy 11:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:39 < ecrist> scott_: openvpn configs 11:39 < ecrist> hey krzee 11:39 < krzee> hey man! 11:51 < scott_> damn 11:51 < scott_> this is not working 11:52 < krzee> you might need to be more specific... 11:53 < scott_> getting my configs to pastebin.ca 11:53 < krzee> should be easy 11:53 < scott_> i know 11:53 < scott_> lol 11:53 < krzee> !configs 11:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:53 < scott_> I'm going to re-read the example server.conf before I post 11:53 < krzee> hehe 11:56 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 60 (Operation timed out)] 11:59 < scott_> i followed http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/ 11:59 < vpnHelper> Title: OpenVPN on FreeBSD with PF and Windows XP Howto | Ubergeek Technical Howtos' (at www.ubergeek.co.uk) 11:59 < scott_> same exact conf 12:00 < scott_> only i didnt use the route option 12:04 < krzee> funny i find myself not wanting to go to the walkthrough site 12:06 < ecrist> !freebsd 12:06 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 12:07 < scott_> thx 12:11 < scott_> yeah i've done that 12:11 < scott_> I can connect I get my 10.x ip but I cant go anywhere 12:11 < scott_> no websites or nothing' 12:12 < krzee> lol 12:12 < krzee> theres the prob! 12:12 < scott_> \? 12:12 < scott_> cant have 10.x ip? 12:13 < krzee> sure you can 12:13 < krzee> but your vpn is fine 12:13 < krzee> you are redirecting gateway 12:13 < krzee> right? 12:13 < scott_> yes 12:13 < krzee> you enabled ip forwarding? 12:13 < krzee> turned on NAT on your server? 12:13 < scott_> yes 12:13 < scott_> yes 12:13 < krzee> you sure...? 
12:14 < scott_> positive 12:14 < krzee> its not in the walkthrough 12:14 < scott_> I'm using pf for nat 12:14 < krzee> err wait ya it is 12:14 < scott_> and sysctl net.inet.ip.forward 12:14 < scott_> thats set to 1 12:15 < scott_> Now i'm trying to vpn from my windows box to my fbsd server (vpn) 12:15 < krzee> !configs 12:15 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:15 < scott_> I installed the .exe of the openvpn copy'd the keys/client config 12:15 < krzee> i dont care bout the walkthrough, i wanna see yours 12:16 < scott_> and it connects just no internet 12:16 * scott_ will have to email to self then post 12:16 < krzee> ssh in? 12:16 < krzee> copy paste? 12:17 < scott_> server.conf 12:17 < scott_> http://pastebin.ca/1368184 12:17 < ecrist> scott_: there is a freebsd port, pastebinit 12:19 < krzee> hah didint know that 12:19 < scott_> both server/client config http://pastebin.ca/1368186 12:19 < krzee> push "redirect-gateway" 12:19 < krzee> !def1 12:19 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 12:19 < krzee> !pushdns 12:19 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 12:20 < scott_> ehrmm 12:20 < scott_> so my push dns / gateway I need to fix? 
12:21 < krzee> well 12:21 < krzee> to push dns you need a script as described in the link 12:22 < krzee> for the pushing gateway, you should use def1 if you want it to have inet after tunnel is killed 12:22 < krzee> also, ifconfig-pool-persist ipp.txt will NOT make the client have a static ip 12:22 < krzee> its more of a suggestion 12:22 < krzee> if that matters to you 12:22 < krzee> !iporder 12:22 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 12:25 < scott_> do i need to push the dns? 12:25 < ecrist> you may 12:26 < ecrist> more than likely 12:38 < krzee> is 207.126.166.43 a dns server? 12:40 < krzee> connect to your vpn, then ping 74.125.45.100 12:40 < krzee> does it work? 12:42 < mjt> btw, what's the `Use --client-config-dir file' method? How exactly it works? :) 12:43 < mjt> in !iporder 12:43 < krzee> !ccd 12:43 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 12:43 < mjt> or, rather, which directive(s) it is looking for? 12:44 < mjt> that !iporder really talks about ALL client-specific settings, not bout just IP address(se). 12:45 < mjt> (--ifconfig-pool is one exception) 12:45 < mjt> i know only one directive to assign an ip address to a given client (without pool) -- it's ifconfig-push (probably misnamed). Are there others? 
12:46 < krzee> umm 12:46 < krzee> no, it talks about ip addresses 12:46 < krzee> but in !ccd you can use much more 12:46 < krzee> read about it in !man 12:46 < krzee> !man 12:46 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 12:47 < mjt> read it many times in last few days ;) 12:48 < mjt> so --ifconfig-push and --ifconfig-pool are the only options right? I mean, there's no way to assign an IP but not push it -- something like --peer-ip foo ? 12:51 < krzee> The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config. 12:51 < krzee> thats from --client-config-dir in the manual 12:52 < krzee> so, right 12:52 < krzee> well 1/2 right 12:52 < krzee> you cant push ifconfig-pool 12:52 < krzee> but ya ifconfig-push is what you were looking for 12:56 -!- bandini [n=bandini@host81-105-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn 13:08 < scott_> sorry was on the phone 13:08 * scott_ scrolls up 13:08 < scott_> krzee: yes that .43 ip is the dns server ip 13:09 < scott_> krzee: connecting to the vpn allows me to ping nothing or surf to nothing 13:09 < scott_> krzee: I need to still fix the redirect-gateway 13:12 < krzee> ya but that wont be your problem 13:13 < krzee> im thinking its something to do with your nat 13:13 < krzee> check if the nat rule is getting hit 13:17 < scott_> hrmm 13:18 < scott_> I use PF/FreeBSD and I have the following nat rule with vpn="tun0" as the vpn interface and ext="em0" has the external interface 13:18 < scott_> nat on $vpn from $vpn_net to any -> ($ext) 13:18 < scott_> I even changed $vpn to $ext 13:18 < scott_> vpn_net="10.x.x.x/24" 13:18 < scott_> Ip.forwarding is active 13:19 < scott_> do I need to activate hte box to act as a gateway asweLL?\ 13:24 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 13:24 < scott_> I'm 
using def1 for redirect-gateway 13:24 < scott_> but its using the cable connection and not the server's connection 13:25 < krzee> client log at verb 6 please 13:25 < scott_> just a sec 13:27 < scott_> woah 13:27 < scott_> alotta info 13:28 < krzee> yup 13:29 < scott_> what info you looking for in there 13:29 < krzee> i want everything from start to connect completed 13:29 < krzee> like completely completed 13:30 < scott_> http://pastebin.ca/1368249 13:30 < scott_> there u go 13:30 < krzee> !mitm 13:30 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 13:31 < krzee> !winroute 13:31 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 13:31 < krzee> try route-method exe 13:31 < krzee> in client config 13:32 < krzee> which windows ya using? 13:32 < scott_> vista 13:32 < krzee> eww 13:32 < krzee> !factoids search vista 13:32 < vpnHelper> krzee: No keys matched that query. 13:32 < krzee> try route-method exe 13:34 < scott_> hrmm 13:36 < krzee> then tell me if you still get ROUTE: route addition failed errors 13:36 < krzee> oh dude 13:36 < krzee> you're starting openvpn as admin right 13:36 < krzee> ? 13:37 < scott_> ok 13:37 < scott_> so I used the remote-method 13:37 < scott_> now no internet 13:37 < scott_> and the dns isn't being used 13:37 < krzee> remote-method? 
13:37 < krzee> route-method 13:37 < scott_> yeah 13:38 < scott_> thats what I meant 13:38 < krzee> and i didnt ask about internet 13:38 < scott_> route-method exe 13:38 < krzee> i asked if that error was still present 13:38 < scott_> in the log? 13:38 < krzee> yes 13:39 < krzee> just paste the log again with verb 6 13:39 < krzee> after adding that entry 13:39 < scott_> no no route errors 13:39 < scott_> I will paste anyway 13:41 < krzee> haha my neighbor started blasting music in spanish 13:41 < scott_> http://pastebin.ca/1368260 13:41 < krzee> (i live in a spanish speaking country) 13:41 < krzee> now he knows who has the louder sound system 13:41 < scott_> ahh 13:41 < scott_> hahahahaha 13:41 < krzee> ping 74.125.45.100 13:41 < krzee> from client 13:42 < krzee> routes were added right this time 13:42 < krzee> Sun Mar 22 14:34:03 2009 us=192340 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up 13:42 < krzee> Sun Mar 22 14:34:03 2009 us=192386 route ADD 207.126.166.42 MASK 255.255.255.255 192.168.1.1 13:42 < krzee> OK! 
13:42 < scott_> let me reconnect 13:43 < scott_> yes I can ping it 13:43 < krzee> show me: 13:44 < krzee> cat /etc/resolv.conf 13:44 < krzee> oh wait its windows 13:44 < krzee> lol 13:44 * scott_ nods 13:44 < scott_> lol 13:44 < krzee> !pushdns 13:44 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 13:44 < krzee> see the link 13:44 < krzee> you now only have a dns problem 13:44 < krzee> you can manually override dns to be 4.2.2.1 and it will work 13:45 < krzee> or 13:45 < krzee> if you are pushing 13:45 < krzee> goto a command prompt 13:45 < krzee> net stop dnscache 13:45 < krzee> net start dnscache 13:45 < krzee> (that can be run from a script that you tell openvpn to run) 13:46 < scott_> i did 13:46 < scott_> and on nslookups I'm getting bad error valure 13:46 < scott_> value 13:46 < krzee> go make it 4.2.2.1 13:47 < scott_> whose dns server is that? 13:47 < krzee> make that your dns server 13:47 < krzee> manually in tcp/ip options 13:48 < krzee> bigboy-2:~ Jeff$ whois 4.2.2.1 13:48 < krzee> OrgName: Level 3 Communications, Inc. 13:48 < krzee> NameServer: NS1.LEVEL3.NET 13:48 < krzee> NameServer: NS2.LEVEL3.NET 13:49 < krzee> its an easy to remember, open to the world, recursive dns server 13:49 < krzee> its been up for many yrs 13:52 < scott_> damn 13:52 < scott_> so when I connect to the vpn 13:52 < scott_> I cant access my other internal boxes at home where I connect from 13:52 < scott_> ? 
13:55 < krzee> !route 13:55 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:00 -!- bandini [n=bandini@host81-105-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:27 -!- kezhi [i=moneybag@in-t-er.n-e-t.name] has joined ##openvpn 15:20 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 15:22 -!- kezhi [i=moneybag@in-t-er.n-e-t.name] has quit [Remote closed the connection] 15:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 15:42 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 16:01 -!- onats__ [n=onats@122.53.131.243] has joined ##openvpn 16:09 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 145 (Connection timed out)] 16:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 16:33 < krzie> scott_ howd !route help ya? 16:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:38 -!- brimstone [n=brimston@pdpc/sponsor/digium/brimstone] has joined ##openvpn 16:38 < brimstone> !route 16:38 < vpnHelper> brimstone: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:39 < brimstone> heh, i was just skimming that 16:39 * brimstone goes back to read it completely 16:41 < krzie> lol 16:42 < reiffert> :) 16:42 < brimstone> in the example on the page, what's the server's "server" line? 16:43 < krzie> that doesnt come into play until under the picture, then i assumed it was server 10.8.0.0 255.255.255.0 16:44 < krzie> 192.168.2.1 must know that for 192.168.1.x 192.168.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to 192.168.2.10... 
16:44 < brimstone> right right 16:44 < krzie> "for example, 10.8.0.x" means it would be server 10.8.0.0 255.255.255.0 16:45 < krzie> the only thing that matters is its not = to any of the lans 16:45 * brimstone goes off to tinker with stuff for a bit 16:45 < krzie> (or other clients) 16:46 < krzie> the manual / howto uses 10.8.0.0 because its basically never used 16:47 < krzie> so i use the same for the same reason (and to be less confusing) 16:47 < krzie> hey ecrist 16:48 < krzie> i see you linked something at the end of my writeup 16:48 < krzie> that guy scott earlier had that exact error mentioned in the link 16:48 < krzie> it was fixed easy by route-method exe 16:50 < krzie> ahh i see people in comments mention that too in that link 16:59 < krzie> there, i changed the caveats section 17:00 < krzie> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing#Caveats 17:00 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 17:01 < krzie> that error is new with vista, but xp was known to have the same problem with a diff error msg, which was and is fixed by !winroute 17:01 < krzie> !winroute 17:01 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access 17:03 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 60 (Operation timed out)] 17:05 -!- znoG [n=gs@host24.190-226-185.telecom.net.ar] has quit [Read error: 110 (Connection timed out)] 17:17 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 17:42 < scott_> hrmm 17:42 < scott_> sigh 17:42 < scott_> still no internet 18:10 < krzie> you already proved you had internet 18:10 < krzie> the ping worked 18:10 < krzie> no DNS you mean 
18:13 < brimstone> ok, so, i seem to be missing something simple 18:14 < brimstone> i have a vps with a static public address, and 2 clients on dynamic public addresses, one of these clients is the router for a LAN i'd like all vpn machines to access 18:15 < brimstone> i can setup a simple routed vpn and push routes to the hosts, but i can't seem to expose the LAN of one of the clients correctly 18:15 < brimstone> thoughts? 18:16 < krzie> brimstone 2 things 18:16 < brimstone> only 2? wow 18:16 < krzie> 1) the lans do NOT use the same subnet, right? 18:16 < krzie> ie: both are not 192.168.0.x 18:17 < brimstone> the vpn subnet and the client subnet are different 18:17 < krzie> theres more than 1 client, theres also a server 18:17 < krzie> NONE are the same, right? 18:17 < brimstone> nope 18:17 < scott_> krzie: I want to use my vpn's internet 18:17 < scott_> krzie: not my own internet 18:18 < krzie> scott_ after we fixed your route problem, you could ping 18:18 < krzie> that was through the vps inet 18:18 < krzie> but your dns wasnt working 18:18 < krzie> i thought we figured that out hours ago 18:18 < krzie> brimstone, ok... 18:18 < scott_> krzie my dns server does work tho 18:19 < krzie> brimstone: so heres #2... the client who is the router for its lan works for routing the lan, but the client who is not does not 18:19 < krzie> am i correct? 
18:19 < brimstone> krzie: right, one client is the router for the lan, the other client is just a simple node on the vpn behind a linksys router or something 18:21 < krzie> ok 18:21 < krzie> !route 18:21 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 18:21 < krzie> see right under the picture 18:22 < krzie> ROUTES TO ADD OUTSIDE OF OPENVPN 18:22 < scott_> when I go to whats my ip i get my own ip addy and not the vpns 18:22 < scott_> :( 18:23 < krzie> you need to add a route to its router telling it that for every lan you want to communicate with, including vpn network, it must send packets to the vpn node 18:23 < krzie> scott_ 18:23 < krzie> !configs 18:23 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:23 < krzie> !logs 18:23 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6 18:24 < krzie> (scott, not brimstone) 18:26 < krzie> brimstone, to see whats happening currently, read ROUTES TO ADD OUTSIDE OF OPENVPN again 18:26 < krzie> i give a step by step of why its not working for you 18:26 < krzie> and 2 ways to fix it 18:26 < krzie> the easy way and the bitch of a way 18:26 < brimstone> alright, thanks 18:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:32 < scott_> krzie: http://pastebin.ca/1368548 18:33 < scott_> dev tun damn maybe it should be dev tun0 18:39 < scott_> I'm connected to the vpn now and it seems the dns lookups go through the vpn 18:39 < scott_> but not the web traffic 18:41 < krzie> that makes less than no sense 18:41 < krzie> show me client's route print 18:42 < scott_> hrmm 18:44 < krzie> cause... 
18:44 < krzie> Sun Mar 22 19:20:56 2009 us=408643 route ADD 0.0.0.0 MASK 128.0.0.0 10.249.20.5 18:44 < krzie> OK! 18:44 < krzie> Sun Mar 22 19:20:56 2009 us=527462 route ADD 128.0.0.0 MASK 128.0.0.0 10.249.20.5 18:44 < krzie> OK! 18:44 < krzie> that means it successfully redirected gateway 18:44 < krzie> and if it hadnt, your dns wouldnt go over vpn without another route entry 18:45 < krzie> unless that link i looked at earlier was right and route-method exe just made it ACT like it worked 18:45 < krzie> when you show me route print ill know 18:45 -!- brimstone is now known as Brimstone 18:45 -!- Brimstone is now known as brimstone 18:47 < scott_> krzie: http://pastebin.ca/1368559 18:47 < scott_> i'm still using route-method exe 18:48 < krzie> i know, if you werent youd be getting that error 18:49 < scott_> ah 18:50 < krzie> your routing table looks right to me 18:50 < krzie> try removing def1 and reconnecting, i wanna see it then 18:50 < krzie> then gimme the same info 18:52 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn 18:53 < scott_> hrmm 18:53 < scott_> it will not work 18:53 < scott_> without def1 18:53 < krzie> it should 18:53 < krzie> def1 only changes how it does it 18:53 < krzie> !def1 18:53 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 18:54 < scott_> when i add def1 what info do you want? the clients route print? 18:54 < krzie> what wont work is getting out to the inet after shutting down openvpn 18:54 < krzie> unless it can add the route back 18:54 < krzie> which it should be able to since you arent dropping perms 18:54 < brimstone> ooh! 
i think i have it working 18:55 < bn43> hi - I've been working on this for hours now - when I start openvpn on my ubuntu box, it asks me for auth username and password - no matter what i do client fails but server passes 18:55 < bn43> I'd like to know what I'm doing wrong pls 18:55 < scott_> flag removed restarted openvpn 18:55 < scott_> now i will reconnect 18:56 < krzie> bn43, how are you starting it? 18:56 < krzie> im guessing networkmanager 18:56 < bn43> /etc/init.d/openvpn start 18:56 < scott_> ok reconnected 18:56 < scott_> wow dns still going over vpn 18:56 < krzie> bn43, as root? 18:57 < bn43> i followed http://www.thebakershome.net/?q=node/56 18:57 < bn43> yes 18:57 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net) 18:57 < scott_> I can't access web-traffic tho 18:57 < krzie> bn43 why would it want a password, you using some sort of PW auth? 18:58 < scott_> and I cant access any boxes on my own lan 18:58 < bn43> I suppose it has to do with me doing "./build-key-pass username" ? 19:00 < bn43> I've added a client.conf in /etc/openvpn to test if client can login - this is where I'm getting stuck 19:00 < bn43> even tried this from a windows client 19:01 < bn43> this is so frustrating! I think I'm almost there! 19:02 < bn43> krzie: when I do ./build-key-pass username - I use that username when asked for Auth Username right? 19:08 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 19:08 < krzie> only if you want your keys locally password protected 19:08 < krzie> i personally never do that 19:11 < brimstone> you can also stuff the keys in a p12 so you can change the passwords without rebuilding the keys 19:16 < bn43> aaaargh! I did not do the client.conf file properly - left a character out - fixed and now no errors! 
19:17 < bn43> next issue - copied the client.conf across to the config folder on windows machine and renamed extension to .ovpn 19:17 < bn43> um sorry its 2:15 in the morning here - not thinking lucidly 19:18 < bn43> should I be copying the client's crt, csr and key file to the windows machine too? 19:19 < krzie> separate client? 19:19 < bn43> yeah 19:20 < bn43> now I'm testing with an external machine - loaded the openvpn gui 19:20 < bn43> um - exits with error saying cannot load certificate file 19:20 < krzie> if its a different client, give it a different key 19:21 < krzie> and csr is a request, only needed on the CA 19:21 < krzie> (for adding a CRL if ever needed) 19:22 < bn43> now I'm confused - I created a test user and tested locally via client.conf file on my ubuntu box 19:22 < bn43> now I want to move this user to an external box 19:22 < bn43> which is a windows box 19:22 < brimstone> krzie: thanks for your help, i got it all sorted out and working 19:22 < brimstone> this is exciting! 19:23 < krzie> np =] 19:23 < bn43> when I say created, I did this via ./build-key-pass username 19:23 < bn43> where username=test1 19:28 < krzie> cool 19:32 -!- brimstone [n=brimston@pdpc/sponsor/digium/brimstone] has left ##openvpn ["WeeChat 0.2.6"] 19:37 < krzie> in the howto it tells you which files go to the client machine 19:37 < krzie> in fact it says which files go in each machine 19:37 < krzie> !howto 19:37 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 19:42 < krzie> !factoids search file 19:42 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h 19:42 < krzie> heh, ignore that 20:03 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"] 20:19 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 20:27 < scott_> sorry lost my internets 20:28 < scott_> krzie: so what can I do? 20:40 < krzie> http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/ 20:40 < vpnHelper> Title: OpenVPN GUI on Windows Vista skriptd (at skriptd.wordpress.com) 20:41 < scott_> Yeah I have it installed etc 20:41 < scott_> I have all the certs copied over 20:41 < krzie> umm no 20:41 < krzie> you're using 2.0.9 20:42 < krzie> try 2.1_rc15 20:42 < krzie> http://openvpn.net/release/openvpn-2.1_rc15-install.exe 20:43 < scott_> hrmm 20:44 * scott_ downloads 20:47 < scott_> installed 20:47 < scott_> connected 20:47 < scott_> same result 20:49 < scott_> ahh 20:49 < scott_> cant access my lan 20:49 < scott_> or internet 20:49 < krzie> you havent set up anything for accessing the lan yet 20:49 < krzie> and i still believe the problem has to do with NAT for internet 20:49 < scott_> christ 20:50 < krzie> because your routes are being added 20:50 < krzie> as we proved 20:50 < krzie> did you remove def1 and give me a link to your route print? 20:50 < krzie> if so i missed it 20:51 < scott_> mmm i'll do it again 20:59 < scott_> damnit 21:00 < scott_> http://pastebin.ca/1368669\ 21:00 < scott_> there http://pastebin.ca/1368669 21:12 < scott_> so what you think? 
21:19 < krzie> i think your machine now has NO route to the internet (besides its gateway (192.168.1.1) and the vpn machine (207.126.166.42) 21:19 < scott_> krzie: you're right it was a nat issue 21:19 < krzie> so ANY inet traffic is going over the vpn 21:19 < scott_> I now have internet 21:19 < scott_> and whats my ip shows the vpn ip 21:20 < krzie> thats why its first part of the topic ;] 21:20 < scott_> I just cant access my own lan tho 21:20 < krzie> go add def1 back now that you fixed that 21:20 < scott_> oh ok 21:20 < krzie> for accessing your lan, you do diff stuff 21:20 < krzie> you shouldnt be able to yet 21:20 < krzie> !route 21:20 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 21:20 < scott_> Ok so we keep def1 now ? 21:21 < krzie> !def1 21:21 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 21:21 < krzie> we always wanted def1 21:21 < krzie> i just had you remove it so i could say this: 21:21 < krzie> your machine now has NO route to the internet (besides its 21:21 < krzie> gateway (192.168.1.1) and the vpn machine (207.126.166.42) 21:21 < krzie> so ANY inet traffic is going over the vpn 21:21 < krzie> but yes, you always wanted def1 21:22 < scott_> ok 21:22 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 21:23 * scott_ adds def1 back and reads the route 21:23 < krzie> dont need to read anything 21:23 < scott_> oh 21:23 < scott_> I need need to add any routes 21:23 < krzie> ohhh 21:24 < krzie> duh right 21:24 < krzie> the !route 21:24 < krzie> my bad 21:24 < krzie> you definitely need to read that, lol 21:24 < krzie> bbiaf 21:24 -!- Dralspire [n=dral@unaffiliated/dralspire] has joined ##openvpn 21:26 < scott_> thanks again 21:27 < Dralspire> I have been reading like a crazy monkey about redirect-gateway with the standard .conf files. Is there a reason why standard gateway and DHCP server are pushed as 10.8.0.5 with those standard files? 21:40 < krzee> huh? 21:40 < krzee> ohh 21:40 < krzee> well gateway is obvious 21:41 < krzee> it IS called redirect-gateway 21:41 < krzee> BUT 21:41 < krzee> !def1 21:41 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 21:41 < krzee> and for dhcp... i think you are talking about the problem where dhcp requests go over the tunnel and get lost... 
21:41 < krzee> !dhcp 21:41 < vpnHelper> krzee: "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1 21:41 < krzee> so you want redirect-gateway bypass-dhcp def1 21:42 < krzee> if i understood your problem right 21:42 < krzee> would have been an easy find in the manual, harder in google 21:42 < krzee> scott_, no problem 21:45 -!- Dralspire [n=dral@unaffiliated/dralspire] has quit [Nick collision from services.] 21:51 < scott_> hrmm 21:51 < scott_> I added the push 21:51 < scott_> still no work 21:51 < scott_> maybe just maybe hrmm 21:55 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:02 < krzee> read the whole thing 22:02 < krzee> thoroughly 22:03 < krzee> before you ask ANYTHING about it 22:03 < scott_> I did 22:03 < scott_> I want to use push/route before I do iroute configs 22:03 < scott_> for diff clients etc 22:04 < krzee> hah 22:04 < krzee> this isnt an and/or type of thing 22:05 < krzee> it MUST be done a certain way to work 22:05 < krzee> !iroute 22:05 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 22:06 < scott_> ahh i see 22:06 * scott_ changes some settings 22:07 < scott_> !ccd 22:07 < vpnHelper> scott_: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 22:08 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 22:22 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 22:28 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 22:42 < scott_> hrmm 22:46 < scott_> krzee: still around? 23:18 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:19 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)] 23:23 -!- mepholic_ [n=what@67.159.9.139] has joined ##openvpn 23:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 23:28 -!- mepholic [n=what@hydra.weserv.in] has quit [Nick collision from services.] 23:28 -!- mepholic_ is now known as mepholic 23:28 < krzee> just ask your ? 23:29 < krzee> others here know as much as me about openvpn as well 23:29 < krzee> im in and out, building some computers 23:34 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 23:47 < scott_> krzee: Ok here is my setup OpenVPN (FreeBSD / Dedi Serv) and a Win2k3 Serv (VPN @ home) how can I vpn to the openvpn box and still access my win2k3 serv at home ? 23:50 < krzee> whats the home lan? 23:51 < krzee> for lan behind server its just a push route in server config 23:51 < scott_> 192.168.249.0 23:51 < krzee> push "route lan_subnet 255.255.255.0" 23:51 < krzee> so... 23:51 < krzee> push "route 192.168.249.0 255.255.255.0" 23:51 < scott_> now the lan isn't on the vpn server 23:51 < krzee> dude 23:52 < krzee> i made that !route writeup for a reason 23:52 < krzee> its an iroute and a push route 23:52 < scott_> with a ccd config? 
23:55 < scott_> damn can't do openvpn or regular vpn at the same time 23:57 < scott_> !iroute 23:57 < vpnHelper> scott_: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 23:57 < scott_> i've been doing the same thing over and over --- Day changed Mon Mar 23 2009 00:05 -!- mepholic_ [n=what@66.90.73.234] has joined ##openvpn 00:06 < krzee> !insanity 00:06 < vpnHelper> krzee: "insanity" is doing the same thing over and over expecting different results 00:06 < krzee> LOL 00:07 < krzee> if you dont have it by tomorrow ill help 00:07 < krzee> but im busy for now 00:07 < krzee> putting together computers with a girl waiting impatiently in my bed 00:07 < krzee> (and shes not a wife / girlfriend / serious) 00:11 < scott_> I see 00:11 * scott_ needs it for work tomo 00:11 < scott_> I think i'ma have a win2k box in the dc that'll make things much easier.. 
00:12 -!- mepholic [n=what@67.159.9.139] has quit [Read error: 113 (No route to host)] 00:12 < scott_> krzee: thx for the support & time tho been really helpful 00:12 < scott_> gn ppl 00:13 -!- scott_ [i=scott@gotpot.org] has left ##openvpn [] 00:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 01:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [] 01:13 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 01:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 02:23 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 03:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:44 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 03:44 < joelsolanki> !route 03:44 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 03:44 < joelsolanki> Hi all 03:45 < joelsolanki> i have a few vpn setups already running and i use push route to access the lan and that works good. 03:45 < joelsolanki> but right now i have a different scenario 03:45 < joelsolanki> push "route 192.168.1.0 255.255.255.0" 03:46 < joelsolanki> vpn server is a vps machine. 03:46 < joelsolanki> it has 1 public ip and 1 private ip. and has 1 lan card only. 03:46 < joelsolanki> so private ip is virtual ethernet. 03:46 < joelsolanki> and one tunnel that is what openvpn creates 03:47 < joelsolanki> now all is good. i can ping 192.168.1.50 that is vpn server's private ip. 03:47 < joelsolanki> but i have a few servers like 192.168.1.101 but i cant ping it or access it. 03:47 < joelsolanki> tracert shows me that the routing is good. it goes thru tunnel 03:48 < joelsolanki> from vpn server i can access 192.168.1.101 server easily. 03:48 < joelsolanki> i have never implemented lan routing in a vps scenario. 
03:48 < joelsolanki> any hints plz ? 03:59 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn 04:06 < bn43> hi - I'm almost getting the openvpn-gui to work - I get an error when it connects - tls key negotiation fails. I'm on an internal lan which I've assumed is not firewalled for internal traffic. I can ping the server from the client - what should I look out for? 04:08 < dazo> bn43: tls key neg. error is a bit vague .... but it can mean that either a static key used in --tls-auth is wrong or that you have another certificate issue as well 04:08 < dazo> bn43: if you send complete logs, it will help us help you 04:08 < dazo> !logs 04:08 < vpnHelper> dazo: "logs" is please pastebin your logfiles from both client and server with verb set to 6 04:10 < dazo> joelsolanki: you might need to setup a route in your .101 box ... to route your VPN addresses back via the .50 (your openvpn server) 04:10 < bn43> um I just have the client's - I'm running an ubuntu hardy heron desktop and have been to /var/log/ and don't see an openvpn log file 04:10 < joelsolanki> dazo: oh ok 04:11 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 04:11 < dazo> bn43: well, openvpn-gui logs will be fine enough (from the client) ... I presume that's a windows client, isn't it? 04:12 < dazo> bn43: on the server you might check your config for how logging is setup 04:12 < bn43> where should I be looking for the openvpn logs on the server 04:12 < dazo> bn43: lets start with the client side first, and we'll look into the server if needed 04:12 < bn43> where do I pastebin? 04:12 < dazo> !pastebin 04:12 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 04:18 < bn43> http://www.pastebin.ca/1368937 04:19 < dazo> bn43: would you please edit the client config and add "verb 6" in it ... and pastebin the log again? 
04:19 < bn43> note that I changed the port to 8001 as I know I can use that with another application 04:21 < dazo> bn43: I noticed that port number ... be aware that that could mean that the traffic might go via a proxy ... esp. if your other application is web based 04:21 < bn43> ok - won't be able to do right now but will get on later - thank you for being so helpful 04:21 < dazo> bn43: np! 04:21 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"] 04:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:49 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 05:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: eliasp, floyd_n_milan, huslu_, CybDev, vpnHelper, simplechat, Typone 05:57 -!- Netsplit over, joins: floyd_n_milan, CybDev, eliasp, simplechat, vpnHelper, Typone, huslu_ 06:20 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 07:09 < ecrist> morning, folks 07:12 < krzee> mornin 07:12 < krzee> my nfs box is beefy 07:12 < krzee> unfortunately im having issues with fbsd8-current bootonly snapshot 07:12 < krzee> ftp install doesnt wanna happen 07:12 < krzee> so im downloading the dvd snapshot 07:13 < ecrist> why would you run 8 right now? 07:13 < ecrist> ZFS? 
07:13 < krzee> exactly 07:14 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 07:14 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has joined ##openvpn 07:16 < krzee> turns out my NFS box has 5 onboard sata ports 07:16 < krzee> so i might toss in the backup 1.5TB drive and let ZFS know its for hot spare 07:17 < krzee> but im thinking i prolly wont, no reason to make it spin when the machine is on if im not using it 07:27 < ecrist> the drive should sleep if it's not being used 07:27 < ecrist> it'll spin up on boot, but that's it 07:27 < ecrist> q 07:32 -!- Kvajnto [n=ls@116.232.76.93] has joined ##openvpn 07:34 < Kvajnto> !howto 07:34 < vpnHelper> Kvajnto: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:05 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 08:17 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has joined ##openvpn 08:18 < lukask> !howto 08:18 < vpnHelper> lukask: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:23 < ecrist> krzee: how soon until you want that server online? I've got to get another power strip; starting to run out of space. 08:23 < krzee> prolly a week or so 08:23 < krzee> should be plenty of time to make your upgrade 08:24 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 08:25 < ecrist> ah, excellent. I'm going to put a second circuit in that rack, too. 08:26 < ecrist> most of the servers in there have multiple power supplies. going to pick a second up for that 1850 I just got on ebay today. only a 15A circuit in there right now, got 7 systems on one circuit and all the switches/routers 08:26 < ecrist> and, supposedly, a couple more servers from a buddy on the way 08:29 < lukask> Hi! I just happened to solve a problem, but I don't really understand why it was solved. 
OpenVPN host-to-host via UDP between two sites; "tun-mtu 1500 fragment 1200 mssfix" on both sides. The vpn dropped packets bigger than 1392 bytes (including overhead). I now removed 'fragment 1200', and the connection works? 08:32 < krzee> solved it by getting rid of the options you didnt understand therefore shouldnt have been using ;) 08:32 < krzee> !man 08:32 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 08:32 < lukask> krzee, you're too right 08:33 < lukask> I just *know* I had a reason to put the fragment option there in the first place ... just that it was a year ago ;) 08:33 < lukask> Yes, I tried to wrap my head around this for the last few hours :/ 08:35 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 08:55 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has quit ["Ex-Chat"] 08:55 < ecrist> krzee: take a look at http://www.secure-computing.net/images/test1.bmp (look at test1.bmp, test2.bmp, and test3.bmp) and tell me what you think 08:55 < ecrist> please 09:01 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has joined ##openvpn 09:02 < fixxxermet> !howto 09:02 < vpnHelper> fixxxermet: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:03 < fixxxermet> great. My boss has openvpn.net blocked 09:06 < ecrist> fixxxermet: the entire domain? 09:06 < ecrist> use a proxy, or try beta.openvpn.net 09:06 < fixxxermet> The whole domain. 
Looking up a proxy now 09:07 < fixxxermet> Google's cache might work 09:12 < fixxxermet> http://openvpn.net/howto gives a 404 09:15 < ecrist> http://openvpn.net/index.php/documentation/howto.html 09:15 < vpnHelper> Title: HOWTO (at openvpn.net) 09:19 < fixxxermet> Yeah I found it - was just reporting the 404 09:20 < fixxxermet> "The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel." - Which files need to be copied to my client, and where to on that machine? 09:21 < ecrist> clients need four files, the config, the ca certificate (not key), and the client certificate/key pair 09:23 < fixxxermet> so ca.crt, client.crt, client.key, and the config file (which I haven't mad yet)? 09:23 < fixxxermet> made* 09:23 < ecrist> yep 09:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 09:49 -!- c64zottel [n=hans@cust.static.84-253-61-19.cybernet.ch] has joined ##openvpn 09:49 -!- c64zottel [n=hans@cust.static.84-253-61-19.cybernet.ch] has left ##openvpn [] 09:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:11 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn 10:11 < sunta> yo 10:11 < sunta> !route 10:11 < vpnHelper> sunta: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 10:12 < sunta> krzee, got my thanks? 
10:15 -!- stuarta [n=stuarta@unaffiliated/stuarta] has joined ##openvpn
10:20 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
10:29 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:49 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
10:57 -!- sunta [n=cw@achilles.raytion.com] has left ##openvpn ["Leaving"]
11:06 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
11:25 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn
11:27 -!- Skered [n=dereks@c-71-60-49-148.hsd1.pa.comcast.net] has joined ##openvpn
11:31 < Skered> !howto
11:31 < vpnHelper> Skered: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:32 < Skered> http://openvpn.net/index.php/documentation/howto.html maybe?
11:32 < vpnHelper> Title: HOWTO (at openvpn.net)
11:38 < ecrist> yeah, they changed their link
11:38 < ecrist> ping krzee
11:38 < ecrist> can you fix the bot, since you won't give me access?
11:42 -!- bn43 [n=dhashen@196.212.81.58] has quit [Read error: 104 (Connection reset by peer)]
11:42 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn
11:43 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
11:46 < ecrist> I sent an email to Francis, hopefully he can fix the redirect
11:46 < bn43> Hi I have a problem with openvpn-gui that does not connect - I have changed the configs to verb 6 - in pastebin http://www.pastebin.ca/1369266
11:46 < bn43> Can someone help pls?
11:50 < ecrist> verb 3 is usually sufficient
11:50 < bn43> someone called dars asked me to do that before posting
11:51 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has joined ##openvpn
11:51 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
11:52 < ecrist> did you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
11:52 < ecrist> !logs
11:52 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6
11:52 < bn43> yes
11:52 < ecrist> and?
11:53 < bn43> but I'm not sure what to do about that - google search says make sure firewall not blocking - have checked that
11:53 < ecrist> see here: http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html
11:53 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at www.imped.net)
11:54 < ecrist> search for your error I posted. there are some solutions mentioned
11:54 < bn43> I can ping the server from the client and I have connected my ubuntu desktop directly to pc via a hub
11:54 < bn43> ok
11:54 < ecrist> ping is different than udp
11:56 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Client Quit]
11:59 < bn43> ecrist: page states exact problem but I am not running a firewall on either the server or client
12:02 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
12:03 < ecrist> FYI folks:
12:03 < ecrist> Eric,
12:03 < ecrist> Sorry about this.. We are in the process of moving the files to a new provider.. I will make sure that my engineers will take care of this problem..
12:03 < ecrist> Francis
12:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:13 < Kvajnto> I have an openvpn connection running now, but apart from pinging the openvpn server I can't access anything. I'm pretty sure I need to route the traffic to the default gateway somehow, but I'm not sure how to do this. I included everything I could think of and pasted on pastebin (ifconfig eth0, /etc/network/interfaces and my server/client configs). I'm really new to this, so my configs might look a bit messed up...
12:14 < Kvajnto> Using routing.
12:15 < Kvajnto> Maybe should add that the server machine is a VPS running on XEN.
12:19 < dazo> !route
12:19 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:19 < dazo> Kvajnto: ^^^
12:20 < Kvajnto> Ok, cool. I'll have a look.
12:22 < dazo> Kvajnto: in general, if you can ping over the tunnel, the other host ... and you can access services on the openvpn server from the client ... you basically have the configs pretty nicely working, it's just routing and/or firewalling missing
12:25 < Kvajnto> Sounds good. All of this is a bit overwhelming to be honest. Hopefully that link will shed some light on all of this =)
12:26 < bn43> I still can't get anywhere with my problem - I have checked as best I can on what to do in http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html
12:26 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at www.imped.net)
12:29 < fixxxermet> ecrist: Sorry - where do I copy the PKI files that I created on my server to on my client?
12:29 < fixxxermet> to the easy-rsa/keys dir?
12:31 < dazo> fixxxermet: wherever you want .... you define locations in your openvpn configs
12:31 < fixxxermet> You are right.
12:31 < fixxxermet> Thanks.
12:31 -!- stuarta [n=stuarta@unaffiliated/stuarta] has left ##openvpn []
12:31 < dazo> fixxxermet: but on your server ... you only want the key and crt file for the server + CA crt .... and on client only client keys + CA.crt
12:32 < fixxxermet> right
12:33 < bn43> pls anyone? I'm getting a TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
12:34 < dazo> fixxxermet: and never ever ever ever share the ca.key .... that's the most sacred file you'll have ... because with this one you sign new certificates which will be accepted by the server .... the best location for such files is off-line storage
12:37 < Kvajnto> On my XP client, if I do "route print" I'm supposed to see the routes that were pushed to me, right? Because I don't =)
12:38 < dazo> Kvajnto: are you running openvpn client with admin privileges?
12:38 < Kvajnto> Yes.
12:38 < dazo> Kvajnto: which win version and which openvpn version?
12:38 < dazo> Kvajnto: strike win version ... xp
12:38 < Kvajnto> 2.0
12:39 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn
12:39 < Kvajnto> I'm doing: push "redirect-gateway" also, if that will interfere.
12:39 < dazo> Kvajnto: that can be one reason .... try upgrading to 2.1_RC15 ... but that might require an upgrade on your server as well .... a few openvpn versions do not work well together
12:39 < dazo> Kvajnto: no, that should be fine
12:39 < Kvajnto> The gateway gets pushed, though.
12:40 < chrisbdaemon> are there any known issues with the openvpn client and windows xp sp3? I have openvpn set up on an openbsd firewall and mac os x clients are able to connect just fine but windows xp users have their connections dropped after about 30 seconds
12:40 < dazo> Kvajnto: well, actually ... when you push a default gateway, no other explicit routes should be needed on the client though
12:40 < dazo> chrisbdaemon: not if you run openvpn 2.1_rc15
12:41 < Kvajnto> chrisbdaemon: Maybe you need to allow ping in the windows firewall?
12:42 < chrisbdaemon> dazo: are there fixes in openvpn 2.1_rc15?
12:42 < dazo> chrisbdaemon: a lot
12:42 < dazo> chrisbdaemon: 2.1_rc15 is actually the most stable and bug free release so far
12:42 < bn43> pls anyone
12:43 < chrisbdaemon> dazo: Excellent, I'll make my own port for that then :) and see if the openbsd port maintainer will update the port :P
12:46 < Kvajnto> dazo: I couldn't really find anything about this in that link you provided, so how would I go about making a route between the default gateway I get on my client (10.8.0.5) and my actual default gateway (222.222.165.129)? Must be some simple route command =)
12:46 < dazo> Kvajnto: if you skip the redirect-gateway first ... and try to get basic routing working first, it might go easier
12:47 < dazo> Kvajnto: and then you need the route options in your configs
12:47 < Kvajnto> Did say something about "ip forwarding", but didn't really explain anything about it. I'm quite sure I haven't enabled anything like that.
12:47 < dazo> Kvajnto: ahh ... sorry .... of course, that's a good thing to check
12:47 < dazo> Kvajnto: cat /proc/sys/net/ipv4/ip_forward
12:48 < dazo> Kvajnto: that should give you "1" as a result .... if not .... echo "1" to that file
12:48 < Kvajnto> 0 =)
12:48 < Kvajnto> Ok. I'll try again.
12:48 < chrisbdaemon> dazo: would openvpn 2.1_rc7 have those fixes in it that i need?
12:48 < chrisbdaemon> or does it need to be rc15
12:49 < dazo> chrisbdaemon: some, but not all ... rc15 is safest ... and rc7 does have some issues when using it against other versions as well
12:49 < chrisbdaemon> alright, thanks
12:50 < chrisbdaemon> dazo: also, I have never had to upgrade openvpn before, would I just drop in the new binaries or do I have reconfigure things?
12:51 < chrisbdaemon> have to*
12:52 < Skered> Anyone using Tunnelblick on MacOS X? It no longer changes my DNS settings if I push dhcp-option DNS x.x.x.x
12:52 < dazo> chrisbdaemon: configs should basically be the same, but you might get some warnings you didn't get before ... because some options have been misunderstood before .... can be pretty annoying to get them every time you start up ... but that's usually it
12:52 < dazo> chrisbdaemon: script-security is one thing you might need to look at if you use scripts in openvpn
12:53 < Skered> doh stupid me....
12:53 < Skered> nm that message. I know why it's not.
12:54 < bn43> hi I'm having a problem - TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) - I have copied the ta.key from the server to the client and ensured there are no firewall issues - please can someone help?
12:55 < Skered> bn43: You're using tls-auth in both your server conf and client conf?
12:56 < bn43> yes
12:56 < dazo> bn43: does it work without tls-auth?
12:56 < bn43> I've commented it out on both client and server and still same error
12:57 < dazo> bn43: are you using udp or tcp? have you tried tcp if you're using udp? .... might be you have some network issues which do not like udp
12:57 < Skered> What about the permissions on the key file?
12:57 < dazo> that's also a good thing to check
13:00 < bn43> changing to tcp does not help
13:00 < bn43> permissions on which key file?
13:01 < Skered> bn43: What tls-auth is pointing to.
13:01 < Skered> I think it has to be not readable by group and other.
13:02 -!- pons [n=pons@pc-66-126-83-200.cm.vtr.net] has joined ##openvpn
13:02 < pons> guys, is it possible to create a vlan over a tap tunnel?
13:02 < pons> i mean, vconfig add tap0 99
13:02 < pons> creates tap0.99
13:02 < chrisbdaemon> dazo: alright, i'm going to do some testing I guess and start using the latest, thanks a ton for the info, been fighting with the windows openvpn clients for weeks :P
13:02 < dazo> pons: I don't think that is supported yet
13:02 < bn43> ta.key has root.root group and owner
13:03 < pons> but it doesn't work
13:03 < dazo> pons: I don't think that is supported yet
13:03 < pons> dazo: mmm, how could i implement something similar?
13:03 < pons> other parallel vpn?
13:03 < mjt> bn43: how about increasing the verbosity level and seeing which packets get sent and received?
13:03 < dazo> pons: yeah, that might be a solution
13:04 < pons> a vpn inside this vpn
13:04 < bn43> mjt: I raised it to 6 on client and server
13:04 < dazo> pons: uhhh .... sounds like a waste of CPU time ... parallel tunnels, not inside each other
13:06 < pons> dazo: my infrastructure works with a main server and 2 other clients that connect 2 different networks together, and by bridging both networks it works, but mixes traffic.
13:06 < pons> a vlan would have been the best
13:07 < dazo> pons: but you have other options, as vlan is not implemented .... at least I've never heard about a vlan implementation .... so you'll need to route that traffic into separate tunnels and on the vpn server you'll need to tag each of the tun/tap devices according to your wishes
13:08 < bn43> I pastebinned my server.conf and client - http://www.pastebin.ca/1369337
13:08 < pons> and an unencrypted tap between these 2 machines?
13:08 < pons> is it possible?
13:09 < Skered> !route
13:09 < vpnHelper> Skered: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
13:09 < bn43> Skered: is that for me?
13:10 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"]
13:14 < bn43> pls anyone - this is driving me nuts - I've been trying to get this to work for the past 2 days now
13:15 < Skered> bn43: No
13:15 < Skered> bn43: What are the permissions on the key files?
13:15 < Skered> ta.key
13:16 < bn43> root.root
13:17 < Skered> ls -l ta.key
13:18 < bn43> oh man I'm dense - that's just ownership
13:18 < bn43> -rw-------
13:19 < Skered> How are you running openvpn?
13:19 < bn43> as a service - on ubuntu hardy heron
13:19 < bn43> /etc/init.d/openvpn start
13:20 < bn43> I installed via aptitude
13:20 < Skered> On the client side.
13:20 < bn43> oh - openvpn-gui
13:21 < Skered> What are the permissions of the ta.key on the client side?
13:22 < bn43> funny thing is xp does not list a security option when looking at properties of the file
13:25 < bn43> any other ideas?
13:27 < Skered> Do you have 'ns-cert-type server' in the client conf?
13:28 < bn43> http://www.pastebin.ca/1369337
13:31 < Skered> Change tls-client to client
13:32 -!- pons [n=pons@unaffiliated/pons] has quit []
13:34 < bn43> is there a way to test the bridge connection? I followed this: http://www.thebakershome.net/?q=node/56 - could it be something to do with that?
13:34 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net)
13:35 < bn43> Skered: no difference
13:35 < bn43> with changing tls-client to client
13:35 < Skered> bn43: Just to check. When you changed to tcp you changed that on both the server and the client right?
13:35 < bn43> yes
13:36 < Skered> Ok
13:37 < Skered> No idea then. Only other idea might be if the server is behind a firewall but if you're connecting to it I don't think that's the issue
13:37 < Skered> Or your client is behind a software XP firewall?
13:38 < bn43> ok thanks for the help! I'm going to have to tackle this tomorrow
13:38 < bn43> no
13:38 < bn43> disabled
13:38 < bn43> made sure of that :-)
13:39 -!- achilles [n=achilles@62.90.14.151] has joined ##openvpn
13:39 < bn43> thanks all for trying to help
13:39 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"]
13:40 < achilles> hello, one question please, I'm trying to connect site-to-site vpn, the headQ 192.168.1.0/16 and the branch 192.168.2.0, the question is, should the Tun0 devices have a different subnet and then I should route between them?
13:41 < achilles> or just get the two sites on the same subnet?
13:41 -!- martian67 [i=user5490@about/linux/regular/martian67] has joined ##openvpn
13:42 < martian67> for some reason my windows client is getting a netmask of "10.8.0.5" from the server
13:42 < martian67> but the config file has no mention of that address
13:42 < ecrist> martian67: that's not a net mask
13:42 < martian67> i know :)
13:42 < ecrist> !/30
13:42 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
13:43 < martian67> Ethernet adapter Local Area Connection 6:
13:43 < martian67> Connection-specific DNS Suffix . :
13:43 < martian67> IP Address. . . . . . . . . . . . : 10.8.0.6
13:43 < martian67> Subnet Mask . . . . . . . . . . . : 10.8.0.5
13:43 < ecrist> no pasting here, please
13:43 < martian67> IP Address. . . . . . . . . . . . : fe80::2ff:dcff:fe22:9eaa%10
13:43 < martian67> Default Gateway . . . . . . . . . :
13:43 < martian67> is the output of ipconfig
13:43 < martian67> on windows
13:43 < martian67> i can't ping the vpn gateway
13:43 < martian67> sorry
13:43 < ecrist> paste your server and client configs
13:43 < ecrist> !configs
13:43 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:44 < martian67> what's ccd?
13:44 < ecrist> client-specific configs on the server side
13:44 < martian67> oh right
13:44 < ecrist> if you don't know what they are, you likely don't have any
13:44 < martian67> i don't have that
13:47 < mjt> Subnet Mask is umm... nice.
13:48 < martian67> yea i don't get it o.O
13:48 < martian67> http://pastebin.com/m1c12e144
13:48 < martian67> server config
13:49 < Skered> I can send data to a machine that's on the same network as the OpenVPN server. However when the data is sent to the machine it asks who 10.0.8.6 is via an arp request. Nothing replies. I need a 'route 10.0.8.0 255.255.255.0' in my server's conf to fix this? I can see all this network activity by using tcpdump on the LAN machine.
13:52 < martian67> OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
13:52 < martian67> Developed by James Yonan
13:52 < martian67> Copyright (C) 2002-2005 OpenVPN Solutions LLC
13:52 < martian67> oops
13:52 < martian67> sorry
13:52 < martian67> http://pastebin.com/m382768b
13:52 < martian67> that's my client config
13:53 < martian67> i really don't get what's going wrong in such a simple setup :s
13:53 < martian67> Skered, openVPN is not layer 2 by default
13:55 < martian67> any light you care to shed on this issue would be appreciated
13:57 < Skered> ah I think i need client-to-client.
13:57 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."]
13:59 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
14:00 < ecrist> martian67: FYI, 2.1_rc16 is current version
14:00 < ecrist> nm, 2.1_rc15
14:02 < martian67> i don't want to run an rc
14:02 < martian67> it's outside my distro's package management
14:02 < martian67> makes things very messy :/
14:03 < ecrist> you're currently running an rc
14:03 < ecrist> rc11
14:03 < ecrist> :\
14:03 < ecrist> OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
14:03 < martian67> oh lol
14:03 < martian67> it's just what came with debian
14:03 < ecrist> and it's out of date
14:03 < martian67> shrug lol
14:03 < ecrist> update it to rc15
14:04 < ecrist> there is a bug in ipp pools in rc11
14:06 < martian67> is there a workaround?
14:07 < krzee> not using ipp / not using rc11 !
14:08 < martian67> so if i use a ccd to assign an ip
14:08 < martian67> i shouldn't have an issue?
14:08 < krzee> that's better anyways
14:08 < krzee> ipp is a suggestion
14:08 < martian67> ok thank you
14:08 < krzee> ccd is a real way to assign static ips
14:08 < krzee> !iporder
14:08 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
14:08 < martian67> well i don't really care one way or another
14:08 < martian67> i just want it to work heh
14:09 < krzee> !ipp
14:09 < vpnHelper> krzee: "ipp" is Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static
14:09 < martian67> it's a single client anyways
14:09 < krzee> hrm
14:09 < krzee> !static
14:09 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
14:09 < martian67> !ccd
14:09 < vpnHelper> martian67: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:10 < krzee> brb
14:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:11 < martian67> will ifconfig-push work properly on windows?
14:11 < martian67> !ifconfig-push
14:11 < vpnHelper> martian67: Error: "ifconfig-push" is not a valid command.
14:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:20 < hagna_> so what's the major and minor number of tunl0 on linux?
14:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:22 < martian67> krzee, how do i disable ipp
14:24 -!- dazo_ [n=dazo@nat/redhat/x-3d9e8b90d961bc23] has joined ##openvpn
14:27 < Kvajnto> Okay. Now I finally got everything to work thanks to "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE". Do I need to add this somewhere so that it will be that way every time I reboot my computer?
14:28 < Kvajnto> dazo: Thanks for the help by the way.
14:29 -!- dazo [n=dazo@nat/redhat/x-799df3ba13b2efcc] has quit [Read error: 113 (No route to host)]
14:35 < ecrist> martian67: just remove the ipp options from the config
14:35 < martian67> yes, it's working now
14:35 < dazo_> Kvajnto: be sure you only MASQ traffic going out on the Internet .... internal network traffic to your own net on the remote site should not be masq'd
14:35 < martian67> correct subnet, but now i can't ping
14:35 < martian67> grrr
14:35 < martian67> no iptables rules or firewalls in the way
14:35 < martian67> both are off/blank
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:40 < Kvajnto> dazo: Ehm... how do I know if that's the case?
14:40 < Kvajnto> ?=
14:40 < Kvajnto> =)
14:40 < ecrist> martian67: client-to-client
14:40 < martian67> ecrist, it's enabled
14:40 < martian67> irrelevant anyways, i can't ping the vpn host address
14:41 < ecrist> you should be able to ping the VPN server address, if not, it's a firewall issue
14:41 < martian67> there is no firewall
14:42 < ecrist> ok, sure, but, if you're connected to the VPN, and you've been assigned an IP, and the logs look OK, if you can't ping the VPN server address, it's a firewall issue.
14:42 < martian67> sigh
14:42 < martian67> the only thing it could be
14:42 < martian67> is either windows firewall
14:42 < martian67> or iptables
14:42 < martian67> iptables rules are blank
14:42 < martian67> and windows firewall is totally disabled
14:42 < ecrist> martian67: we get ~200 people in/out of here a week with similar problems. There's a reason our channel topic is what it is.
14:43 < martian67> it can't possibly BE a firewall
14:43 < ecrist> ok, show me the latest logs from server and client showing a successful connection.
14:44 < martian67> sec
14:55 < martian67> ecrist, http://pastebin.com/m373f46bf
14:58 < martian67> #
14:58 < martian67> #
14:58 < martian67> Mon Mar 23 13:47:37 2009 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.8.0.0
14:58 < martian67> i'm not sure what that in particular is referring to
14:58 < martian67> i have no routes IN my server.conf :/
15:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
15:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
15:03 < ecrist> krzie: new logo on the site, lemme know what you think
15:11 < martian67> ecrist, http://openvpn.net/howto.html#policy
15:11 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
15:11 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn
15:11 < martian67> it says i need to have a pair of ifconfig-push addresses
15:11 < martian67> but, when i set that, it gives me a netmask of 10.8.0.6
15:12 < chrisbdaemon> hey, I could use a bit of help, i'm trying to set up openvpn 2.1_rc15 on openbsd 4.4 and I got the client connecting just fine after setting up the configuration and copying the keys over and everything but I'm getting a bunch of "Authenticate/Decrypt packet error: cipher final failed" errors
15:12 < chrisbdaemon> what would cause those?
15:13 < chrisbdaemon> the configurations were copied from a working openvpn 2.0.9 installation
15:16 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
15:16 < krzie> chrisbdaemon you using any special cipher settings?
15:17 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
15:17 < krzie> !route
15:17 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:19 < krzie> i like it, but suddenly don't remember the old one
15:19 -!- achilles [n=achilles@62.90.14.151] has quit ["Leaving"]
15:20 < chrisbdaemon> krzie: Ah, I found it, when I copied over the configuration file from the working installation of it I tried to strip out the comments but it took out some important things with it P
15:20 < chrisbdaemon> :P *
15:31 < krzie> !configs
15:31 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:31 < krzie> there's the regex to strip comments
15:36 < chrisbdaemon> alright, got that working
15:40 -!- dazo_ is now known as dazo
15:43 < chrisbdaemon> !logs
15:43 < vpnHelper> chrisbdaemon: "logs" is please pastebin your logfiles from both client and server with verb set to 6
15:48 < chrisbdaemon> alright, now i have a bit of another problem. I'm able to get my client to connect and ping the internal address of the box running openvpn but traffic doesn't go past that to other hosts on the lan
15:48 < chrisbdaemon> using ethernet bridging
15:49 < chrisbdaemon> arp traffic doesn't get passed through like it should
15:49 < chrisbdaemon> or at least arp, probably more
15:50 < martian67> ok for some reason, my windows hostmask is being set to 10.8.0.5
15:50 < krzie> why are you bridging?
15:50 < martian67> rather than what it should be
15:51 < martian67> err netmask
15:51 < chrisbdaemon> krzie: because that's what I had set up before :P to allow broadcasts through
15:51 < chrisbdaemon> unless there's a good reason not to allow broadcasts through
15:54 < krzie> broadcasts will go through in a routed tap setup
15:54 < krzie> without layer2
15:54 < chrisbdaemon> so i should change it to routing mode instead of bridging?
15:54 < chrisbdaemon> do nfs and samba still work over that?
15:55 < martian67> samba and nfs don't rely on broadcast anyways
15:55 < martian67> you can use them both over the internet if you wish
15:55 < chrisbdaemon> ok
15:55 < martian67> (not that it's a good idea)
15:55 < krzie> samba you should enable wins
15:55 < krzie> !wins
15:55 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:56 < krzie> nfs you don't need anything special
15:56 < chrisbdaemon> thanks
15:56 < krzie> np
15:56 < martian67> i'm really stumped :/
15:56 < krzie> so why do you even want broadcasts?
15:57 < martian67> i have the latest version of openVPN on both ends
15:57 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn
15:58 < diegoviola> hi
15:58 < diegoviola> is there a way to see if a client is connected to my vpn?
15:58 < diegoviola> like a status or something
15:58 < krzie> management interface
15:59 < chrisbdaemon> krzie: I forget my reasoning behind it to be honest, i set it up a while ago
15:59 < krzie> !tunortap
15:59 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
16:03 -!- blaxthos [n=blaxthos@64.94.108.181] has quit [Read error: 113 (No route to host)]
16:04 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has quit ["Leaving."]
16:07 -!- Kvajnto [n=ls@116.232.76.93] has quit []
16:10 < chrisbdaemon> alright.. i changed it to routing and it's still not working quite right, should i pastebin my config file or something?
16:10 < chrisbdaemon> the client connects alright but traffic doesn't get from tun0 to the physical interface
16:14 < krzie> !configs
16:14 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:17 < chrisbdaemon> http://pastebin.com/d2afdf566
16:18 < chrisbdaemon> that's on openbsd 4.4
16:18 < chrisbdaemon> server running openbsd 4.4, client running tunnelblick on mac os x
16:21 < krzie> #
16:21 < krzie> push "route 10.0.0.1 255.255.255.0"
16:21 < krzie> unnecessary
16:23 < chrisbdaemon> hmm, does this look right?
16:23 < chrisbdaemon> tun0: flags=8051 mtu 1500
16:23 < chrisbdaemon> groups: tun
16:23 < chrisbdaemon> inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
16:23 < krzie> yes
16:23 < krzie> !/30
16:23 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
16:23 < krzie> that explains why
16:23 < krzie> and the link in !topology explains why they did it that way
16:24 < chrisbdaemon> ya, opening it up
16:25 < krzie> you prolly wanna remove ipp.txt after changing from bridge to tun
16:25 < krzie> also good to know:
16:25 < krzie> !ipp
16:25 < vpnHelper> krzie: "ipp" is Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static
16:25 < krzie> !learn ipp as also see !iporder
16:25 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
16:25 < krzie> !learn ipp as also see !iporder
16:25 < vpnHelper> krzie: Joo got it.
16:26 < chrisbdaemon> oh, that output from ifconfig was from the server
16:26 < chrisbdaemon> that i pasted
16:26 < chrisbdaemon> not a client
16:26 < krzie> i know
16:26 < chrisbdaemon> ok
16:26 < krzie> only the server would take .1
16:27 < krzie> first client would own .6
16:27 < krzie> with .5 as the internal virtual side of the tunnel
16:27 < chrisbdaemon> i was curious why it would show a tunnel between the server and a client on the vpn that's not associated with openvpn
16:27 < krzie> as explained in the link you opened
16:27 < krzie> huh?
16:27 < chrisbdaemon> the server is at 10.0.0.1, there's another server at 10.0.0.2
16:28 < krzie> not another server
16:28 < chrisbdaemon> ifconfig tun0 shows a tunnel between 10.0.0.1 and 10.0.0.2
16:28 < krzie> did you read !/30
16:28 < krzie> the link
16:28 < chrisbdaemon> i skimmed it, yes
16:28 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has joined ##openvpn
16:29 < mindframe-> is it possible to run an openvpn server in windows without administrative privileges?
16:29 < diegoviola> is there a way to run openvpn in the background?
16:30 < krzie> !winnoadmin
16:30 < vpnHelper> krzie: Error: "winnoadmin" is not a valid command.
16:30 < krzie> !factoids search win 16:30 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', and 'win7' 16:30 < krzie> !win_noadmin 16:30 < vpnHelper> krzie: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows 16:30 < mindframe-> thanks 16:30 < krzie> diegoviola of course, i believe its --daemon or something like that 16:30 < mindframe-> thats the document I found, was hoping there was another way 16:31 < krzie> mindframe- negative 16:31 < mindframe-> I was hoping to not have to create the TAP interface 16:31 < krzie> lol 16:31 < krzie> not a chancxe 16:31 < krzie> -x 16:32 < krzie> --daemon [progname] 16:32 < krzie> Become a daemon after all initialization functions are completed. This option will cause all message and error output to be sent to the syslog file (such as /var/log/messages), except for the output of shell scripts and ifconfig commands, which will go to /dev/null unless otherwise redirected. 16:32 < krzie> i was right, its --daemon 16:33 < diegoviola> whats that progname argument 16:33 < krzie> !man 16:33 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 16:33 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:33 < krzie> go read about it 16:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 16:35 < diegoviola> ok thanks 16:36 < mindframe-> "There is work in progress to enhance the OpenVPN Service so it can be controlled via a TCP socket" 16:36 < mindframe-> what's the status on that? 16:36 < krzie> its called the management interface 16:36 < krzie> its been around awhile, ive never used it 16:36 < mindframe-> so it's in beta? 
16:36 < krzie> no idea, never used it 16:37 < krzie> but its been around for awhile as i said 16:37 < mindframe-> going to check it out :) 16:37 < krzie> its made for programs to use it, as opposed to humans... so it shouldnt be extremely user friendly 16:37 < krzie> werd, should be plenty of info in the manpage 16:37 < krzie> and likely some good stuff in the mail list 16:37 < krzie> !mail 16:37 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 16:38 * krzie does a doubletake on #2 and #3 16:39 < chrisbdaemon> does openvpn handle dhcp on its own for the vpn clients? 16:40 < chrisbdaemon> heres the doc on it.. http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html 16:40 < vpnHelper> Title: Management Interface (at openvpn.net) 16:41 * Skered learns about tap vs tun OpenVPN.. so that's why I can't connect to the network machines 16:47 < krzie> !route 16:47 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:47 < krzie> thats for connecting the lans in on a routed setup 16:47 < krzie> (aka tun) 17:00 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 17:02 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:02 < rashed2020> What 17:03 < rashed2020> What's the difference between using !route and tun? 17:04 < krzie> umm 17:05 < krzie> !route is a document for setting up a tun routed setup to allow communication between lan/lans and vpn 17:05 < vpnHelper> krzie: Error: "route" is not a valid command.
17:05 < krzie> heh 17:07 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has quit [Remote closed the connection] 17:10 < diegoviola> --management IP port [pw-file] 17:10 < diegoviola> does the password have to be a file 17:11 < diegoviola> ? 17:17 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"] 17:18 < krzie> well since it says pwfile, im guessing so 17:18 < krzie> as i said 2x, ive never used it 17:18 < krzie> nor have i heard of anyone in here using it (which doesnt mean they havnt) 17:33 -!- pons [n=pons@190.162.32.183] has joined ##openvpn 17:33 < pons> guys, is it possible to have 2 tap devices for 1 vpn? 17:41 < krzie> hows that make sense in your head? 17:46 < pons> instead of creating 1 tap device, create 2 with the same auth, but different devices, like 2 different networks going on the same vpn link 17:46 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 17:47 < krzie> are you trying to have failover over 2 inet connections? 17:47 < krzie> also, why are you using tap? 17:48 < pons> because of bridging 17:48 < pons> don't like tun 17:48 < krzie> ... why are you bridging? 17:48 < krzie> !tunortap 17:48 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 17:48 < pons> maybe that's because?
17:48 < krzie> if you have no answer you dont want bridge 17:49 < krzie> !bridge 17:49 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 17:49 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses. 17:49 < krzie> see #3 17:49 < pons> i mean, that's why 17:49 < krzie> what are you using 17:50 < pons> i'm using tap because i'm bridging a lan that's far away to another network and i need to get there as if i'm connected directly in that cable 17:51 < pons> so, i use tap 17:51 < pons> a couple of bridges 17:51 < pons> and tada 17:51 < pons> everything works 17:52 < pons> just that now i'm mixing traffic so i'm thinking on a way of separating it or splitting it, but the thing i think i'm gonna do is make another link 17:52 < krzie> umm 17:53 < krzie> you did not give an actual reason to use tap 17:53 < krzie> tun can do what you said, and do it faster 17:53 < krzie> less overhead, and more secure 17:53 < krzie> wanna try again? 17:54 < pons> i need layer 2 17:54 < pons> that's it 17:54 < krzie> but to simplify the answer to your actual question, with tun yes with tap i dont think so 17:54 < krzie> what layer2 stuff do you use? 17:54 < krzie> lol 17:54 < pons> there was an answer to my question?
17:54 < krzie> yes, i just gave it 17:54 < krzie> but to simplify the answer to your actual question, with tun yes with 17:54 < krzie> tap i dont think so 17:55 < krzie> there could be a longer answer, thats the simple answer 18:14 < krzie> actually maybe it could be done 18:14 < krzie> with tun i know it can 18:15 < krzie> but basically just forget that its a vpn, and look for the OS's way of accomplishing that normally 18:30 < reiffert> Heard about the netcomm home dsl router botnet including 80.000 hacked dsl modems? 18:33 < krzie> the router itself was remotely vuln? 18:33 < reiffert> http://www.h-online.com/security/Botnet-based-on-home-network-routers--/news/112913 18:33 < vpnHelper> Title: Botnet based on home network routers - News - The H Security: News and features (at www.h-online.com) 18:33 < reiffert> ssh without password 18:33 < krzie> oh god 18:33 < krzie> thats bad 18:35 < reiffert> My first thought was "wow, cool, hehe!", 2nd one "crazy shit" and then repetitive "I'm scared" 18:35 < krzie> no kidding 18:35 < krzie> i skipped #1 18:35 < krzie> straight to #2, #3 18:35 < reiffert> :) 18:36 < reiffert> Oh and this is what babelfish made from the original german article: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2FBot-Netz-aus-Heimnetz-Routern--%2Fmeldung%2F134992&lp=de_en&btnTrUrl=Translate 18:36 < vpnHelper> Title: Translation result for http://www.heise.de/newsticker/Bot-Netz-aus-Heimnetz-Routern--/meldung/134992 (at babelfish.yahoo.com) 18:37 < reiffert> Which makes you believe that backwards writing germans are we 18:40 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit [No route to host] 18:42 < krzie> Psybot demonstrates that the botnet problem is not something that only affects Windows PCs.
18:42 < krzie> LOL 18:42 < krzie> no kidding *eyeroll* 18:42 < krzie> it affects anything that could be manually exploited 18:42 < krzie> otherwise known as ANYTHING 18:43 < krzie> just a matter of whether work vs payout makes it worth doing to the guys scripting it 18:46 < reiffert> I'm waiting for the day a major windows antivirus software gets involved in acting as a trojan horse 18:46 < reiffert> At least it's running in kernel space :) 18:47 < reiffert> Oh, wasn't that one supposed to be used by government? 18:49 -!- pons [n=pons@unaffiliated/pons] has quit [] 18:51 -!- pons [n=pons@190.162.32.183] has joined ##openvpn 18:58 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 19:32 < krzie> norton has been exploited before 19:57 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 20:36 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 20:37 -!- mepholic_ [n=what@66.90.73.234] has quit [Remote closed the connection] 20:37 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn 20:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)] 20:38 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit [Excess Flood] 20:38 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn 20:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 20:52 -!- marek__ [n=marek@78.8.139.58] has joined ##openvpn 20:52 < marek__> hi, can you help me with setting up openvpn? 20:54 < krzie> we wont hold any hands or do it for you, but we'll answer some questions or point you the right way 20:55 < krzie> you have a specific question?
20:55 < marek__> yup, Tue Mar 24 02:55:13 2009 SIGUSR1[soft,connection-reset] received, process restarting 20:55 < marek__> i did something wrong with configuration 20:55 < marek__> im a beginner in it 20:56 < marek__> i used the how to 20:56 < krzie> !logs 20:56 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 20:56 < krzie> !configs 20:56 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:56 < marek__> ok it will take some time 20:57 < krzie> well im sure im not going anywhere for about an hour 20:57 < marek__> this is on server side: 20:57 < marek__> http://pastebin.com/m2ed8612b 20:57 < krzie> but after that ill prolly disappear 20:57 < krzie> ahh, a ptp tunnel 20:58 < krzie> not that it matters, but you prolly misspelt .log in log-append /var/log/openvpn.og 20:58 < marek__> client side: 20:58 < marek__> http://pastebin.com/m4ed1ff51 20:59 < krzie> welp it doesnt get more simple than that... 21:00 < marek__> how can i check logs? there are no log files at /var/log/openvpn.log 21:01 < krzie> on server it would be /var/log/openvpn.og on yours 21:01 < krzie> since you misspelt 21:01 < marek__> http://pastebin.com/m45cf5254 21:01 < marek__> this is from console 21:01 < krzie> but both are prolly in /var/log/messages 21:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 21:01 < krzie> (thats where mine are by default...) 21:02 < krzie> thats not verb 6 21:02 < krzie> !logs 21:02 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 21:02 < marek__> cat: /var/log/openvpn.og: No such file or directory 21:02 < krzie> remove tcp-server / tcp-client 21:02 < marek__> what does it mean - "verb set to 6"?
21:03 < krzie> its over-riding your proto udp 21:03 < marek__> krzie, how can i remove them? 21:03 -!- rubydiam_ [n=rubydiam@123.236.183.188] has joined ##openvpn 21:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)] 21:03 < krzie> by removing the line from the configs! 21:03 < krzie> with whatever your text editor is!? 21:04 < krzie> you see where your configs say verb 4 21:04 < krzie> make it verb 6 21:04 < krzie> if you dunno how to edit a file in your os you need to learn your OS before setting up a vpn 21:05 < marek__> sorry krzie 21:05 < marek__> i didnt get it 21:05 < krzie> no reason to apologize 21:06 < marek__> i removed those lines 21:06 < marek__> http://pastebin.com/m7bbd64e 21:06 < krzie> you must be root 21:07 < krzie> start it with sudo or be root first 21:08 -!- marek__ [n=marek@78.8.139.58] has quit [Remote closed the connection] 21:10 -!- marek__ [n=marek@78.8.139.58] has joined ##openvpn 21:11 < marek__> http://pastebin.com/m537bd3e8 21:11 < marek__> :/ 21:11 < krzie> server log 21:13 < marek__> hmmm 21:13 < marek__> /var/log/messages - nothing interesting 21:13 < marek__> /var/log/openvpn.og - no file 21:13 < krzie> welp, you'll find it 21:13 < krzie> ill be in the bathroom while you do 21:14 < krzie> make sure you start it as root 21:16 < marek__> http://pastebin.com/m2c83e8da 21:16 < marek__> :/ 21:17 < krzie> # 21:17 < krzie> Tue Mar 24 03:14:43 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use 21:17 < krzie> that doesnt seem obvious to ya? 21:18 < marek__> no 21:18 < marek__> i tried to restart openvpn 21:18 < krzie> its already running 21:18 < krzie> kill the old one 21:18 < marek__> ok 21:18 < marek__> but still connection refused 21:19 < krzie> still # 21:19 < krzie> Tue Mar 24 03:14:43 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use 21:19 < krzie> ?
21:20 < marek__> Tue Mar 24 03:20:02 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 21:20 < krzie> thats not the real error 21:20 < krzie> thats the result of some other error 21:21 < krzie> log from server... 21:21 < marek__> where can i find them? 21:21 < krzie> not my job 21:21 < marek__> http://pastebin.com/m484582f0 21:21 < krzie> but from console works for me 21:22 < krzie> thats a kernel message, i want openvpn 21:22 < krzie> but do you have something like selinux or whatever those kernel protection things are called in linux running? 21:22 < marek__> http://pastebin.com/m2b16c2df 21:23 < krzie> hey hey, finally using verb 6 21:23 < krzie> good job 21:23 < krzie> # 21:23 < krzie> Tue Mar 24 03:20:04 2009 us=898733 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use 21:23 < krzie> ITS STILL ALREADY RUNNING 21:23 < krzie> ps auxw|grep openvpn 21:23 < marek__> i killed it on server first 21:24 < krzie> obviously not 21:25 < marek__> i killed it once again 21:25 < marek__> here are the logs from server 21:25 < marek__> http://pastebin.com/m44996fdb 21:25 < marek__> are they ok? 21:28 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, pa, worch 21:28 -!- Netsplit over, joins: krzie, worch, pa 21:30 < Skered> I'm finding conflicting reports about tun interfaces. I can't communicate with machines on the LAN with a tun device? I have to use tap? 21:30 < krzie> Skered, read my doc on how to do it 21:30 < krzie> !route 21:30 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 21:30 < krzie> definitely not a reason to use tap 21:32 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 21:42 < Skered> This really only works if you know the client's network subnet?
21:43 < krzie> if you're trying to route to the clients lan, of course 21:43 < krzie> in my example im connecting a lan behind the server, and a lan behind each of the 2 clients 21:44 < krzie> there could be tons more clients, and all would be able to reach those 3 lans 21:44 < Skered> I was looking at the page today and I was thinking ROUTES TO ADD OUTSIDE OF OPENVPN is what I should be looking at because it seems that's what is happening. 21:44 < krzie> very commonly overlooked 21:45 < Skered> Because what is happening is I can send pings to a machine that's on the LAN but then it asks via arp who is 10.0.8.6 with no reply. 21:45 < Skered> Is that the same case? It doesn't send the packets on to its default route however like the examples hsows 21:45 < Skered> shows 21:46 < krzie> ya it has no clue where to send the packets 21:46 < Skered> btw on my setup the router and the openvpn are on the same machine. 21:46 < krzie> hrm 21:46 < Skered> er the router is the OpenVPN server. 21:47 < krzie> the vpn is running on router for the lan you wanna reach? 21:47 < Skered> Yes 21:47 < krzie> ok, and the lan you wanna connect is behind the server? 21:47 < krzie> then all you should need is a push route 21:47 < Skered> Yes 21:47 < krzie> nothing more 21:47 < krzie> and ip forwarding enabled 21:47 < krzie> and firewall rules allowing it to work 21:47 < Skered> push route 10.0.0.0 255.0.0.0 is in the server.conf 21:48 < krzie> thats a huge push 21:48 < krzie> whats the internal vpn network? 21:48 < Skered> 10.0.8.0/24 21:48 < krzie> you can very very likely make it a smaller route than that 21:49 < krzie> and whats the LAN? 21:49 < Skered> 10.0.0.0/8 21:49 < krzie> the lan is really a /8? 21:49 < Skered> Right now yes 21:49 < krzie> thats why it isnt working 21:49 < krzie> cant make the internal vpn network inside the lan subnet 21:50 < Skered> So I should make that /24 not /8?
21:50 < krzie> if you cant change the lan, change the vpn network to a 192.168.8.x/24 21:50 < krzie> yes 21:50 < krzie> if you can change the lan, you should 21:50 < krzie> its unnecessarily big 21:51 < Skered> Ok let me try that. 21:52 < Skered> I think I was using 10.0.8.0/24 because that's what the example was using 21:52 < krzie> example woulda been 10.8.0.0/24 21:52 < krzie> at least if you were using openvpn docs 21:55 < krzie> also 21:55 < krzie> when you push a route 21:55 < krzie> its push "route network netmask" 21:55 < krzie> in quotes 21:56 < krzie> (just in case that wasnt there) 21:56 < krzie> i figure it was tho, but worth mentioning 21:56 < krzie> but ya, what i said does explain why it was arping 21:56 < krzie> it expected the stuff to be on local network 21:57 < krzie> and routing table will shoot for layer2 before layer3 if its told it can 21:58 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 22:00 < Skered> Yeah, that works 22:00 < Skered> Thanks. 22:01 < krzie> np 22:01 < Skered> However I can't get out to the Internet now. I'll check that out later 22:01 < Skered> But I can connect to any LAN machine. 22:01 < krzie> you using redirect gateway?
22:01 < Skered> Yes 22:01 < Skered> redirect gateway def1 22:02 < krzie> you were using the existing nat rules because of being in the other subnet 22:02 < krzie> now you need new nat rules 22:02 < krzie> (another nat rule i mean) 22:02 < krzie> i take it you changed the vpn network instead of the lan 22:03 < Skered> Yes 22:03 < krzie> so you need a new nat rule for the new network 22:04 < Skered> Otherwise I would have to put on pants and go to the LAN machine that's a couple blocks away 22:04 < krzie> haha understood 22:04 < krzie> although that would be good, i totally understand 22:04 < krzie> and prolly would choose the same 22:04 < krzie> hah 22:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:16 < krzie> Skered and since it worked before you know its just a matter of copying and very slightly modifying (only on the copy) some of your existing rules on the server 22:16 < krzie> so it should be very easy for you 22:26 -!- rubydiam_ [n=rubydiam@123.236.183.188] has quit [Read error: 60 (Operation timed out)] 22:46 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Remote closed the connection] 22:58 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 23:16 -!- caturdayz [n=caturday@cpe-74-74-232-154.rochester.res.rr.com] has joined ##openvpn 23:16 < caturdayz> i've got a vpn set up to bridge onto my home network 23:17 < caturdayz> does anyone know how to tell the vpn client about the proper route for getting to the other things on the network?
--- Day changed Tue Mar 24 2009 00:19 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 00:56 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 01:27 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 01:46 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 01:49 -!- pons [n=pons@unaffiliated/pons] has quit [] 02:32 -!- marek__ [n=marek@78.8.139.58] has quit [Read error: 110 (Connection timed out)] 03:10 -!- marek__ [n=marek@195-254-156-98.wro-com.net] has joined ##openvpn 03:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:31 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 03:31 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn [] 03:41 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 03:48 -!- marek__ [n=marek@195-254-156-98.wro-com.net] has quit [Read error: 104 (Connection reset by peer)] 04:14 < reiffert> caturdayz: push "route netaddr mask" 04:29 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 04:30 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn 04:35 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has joined ##openvpn 04:36 < andriijas> Hi, im trying to setup an openvpn server home on a machine running os x. I can connect to it from work but the server log is filled with write to TUN/TAP : Input/output error (code=5) 04:36 < andriijas> when i google that i only find people who gets that in their client log 04:48 -!- maijadoo [n=Miranda@77.119.56.123.wireless.dyn.drei.com] has joined ##openvpn 04:59 < maijadoo> hi, i'm trying to start openvpn and get the following messages .. any ideas? 
device br0 already exists; can't create bridge with the same name 04:59 < maijadoo> device eth0 is already a member of a bridge; can't enslave it to bridge br0. 04:59 < maijadoo> device tap0 is already a member of a bridge; can't enslave it to bridge br0. 04:59 < maijadoo> SIOCADDRT: Network is unreachable 05:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:16 < maijadoo> no ideas? 05:24 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn 05:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:37 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 05:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 06:07 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has quit ["reboot"] 06:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 06:41 < mjt> maijadoo: only you can say what's going on and why your startup script (--up command?) tries to set up a bridge that's already up-n-running. 06:42 < mjt> i think anyway. To be fair, I've no idea how openvpn manages bridges. 07:03 < ecrist> morning, folks 07:03 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 07:03 < maijadoo> mjt: no ... i had a wrong ip config ... it's running now ;) thx 07:31 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has joined ##openvpn 07:31 < andriijas> i have an openvpn server running on my mac mini in os x at home and im running openvpn on my macbook in os x when im at office to connect to home 07:32 < andriijas> is it possible to get bonjour working over the vpn? 07:32 < andriijas> very hard to find facts about this on google 07:32 < ecrist> yes, but you need to use tap, instead of tun 07:33 < ecrist> which I don't think you can actually do with OS X, as there's no way to bridge ethernet interfaces in the OS, I'm aware of. 
07:34 < ecrist> actually, read this: 07:34 < ecrist> http://forums.macosxhints.com/archive/index.php/t-58909.html 07:34 < vpnHelper> Title: Bonjour across subnets [Archive] - The macosxhints Forums (at forums.macosxhints.com) 07:37 < andriijas> ecrist: okay. i have a linux server at home, if i set up openvpnserver on that one instead bridging should be possible? 07:38 < ecrist> yes, should work OK 07:39 < andriijas> 3. Does Bonjour work between multiple subnets? 07:39 < andriijas> Yes. The first release of DNS Service Discovery [DNS-SD] for Mac OS X concentrated on Multicast DNS [mDNS] for single-link networks because this was the environment worst served by IP software. Starting in Mac OS X 10.4, Bonjour now uses Dynamic DNS Update [RFC 2316] and unicast DNS queries to enable wide-area service discovery. 07:41 < andriijas> not possible to forward "unicast dns queries" in routed openvpn? 07:42 < ecrist> openvpn doesn't really handle that. it's an os-level thing 07:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 07:43 < andriijas> hmmm ok. 07:45 < andriijas> its weird os x doesnt have any ethernet bridging 07:46 < ecrist> it might, and I just might not know where to find it. 07:49 < andriijas> nah i dont think so, i read something about it via google 07:49 < andriijas> only some commercial software 07:49 -!- asdf [n=wtf@pessa.net] has joined ##openvpn 07:50 < asdf> we have a cisco vpn and are using a group username/password. how should i configure openvpn client to connect? 07:50 < asdf> i have the cisco pcf file 07:53 < ecrist> asdf: you can't use openvpn for cisco vpns 07:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)] 07:56 < asdf> funny, i thought that was the case, and i asked my boss how i'd connect and he said cisco uses "open standards"?
:x 07:58 < ecrist> yes and no 07:58 < ecrist> most SSL vpns are incompatible with each other. 07:58 < ecrist> Cisco IPSec VPNs are vanilla, but that's it. 07:58 < ecrist> Cisco does have an OS X client, as well as a Linux client. 07:59 < ecrist> you will need a CCO login to download the software, which you can register for if you've got a piece of hardware with a current service plan. 07:59 < asdf> oh i didn't know they had a linux client 07:59 < ecrist> I might even have a copy of one. hang on 07:59 < asdf> rock, thanks 08:00 -!- onats__ is now known as onats 08:01 < ecrist> I've got them somewhere, just don't know where. I was going to upload them to my wiki, and apparently failed to do so. 08:01 < onats> hi all 08:01 < ecrist> hi onats 08:01 < onats> hey ecrist 08:01 < asdf> ecrist: no worries, i can dig a copy up at work, thanks for the help. much appreciated! :) 08:03 < ecrist> asdf: if you can get copies of the client software, I'd appreciate a copy of all three 08:03 < ecrist> I think I know where my copies are, just not available here. I think they're on an old linux box at home. 08:03 < ecrist> if I find them, or obtain different ones, I'll make them available here: http://www.secure-computing.net/wiki/index.php/Cisco_VPN_Clients 08:04 < vpnHelper> Title: Cisco VPN Clients - Secure Computing Wiki (at www.secure-computing.net) 08:04 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 08:04 < ecrist> andriijas: man ifconfig on your mac os x box, look for an option called bonddev 08:04 < ecrist> that is the new bridging, perhaps. 08:04 < ecrist> it's technically link aggregation, but that's really all bridging is. 08:05 < ecrist> nm, It is not possible to associate a bond with pseudo interfaces such as vlan. Only physical ethernet interfaces may be associated with a bond. 08:07 < ecrist> perhaps man networksetup is informative?
08:07 < andriijas> damn it takes a lot of different args :) 08:10 < andriijas> setting up openvpn with tap and bridging on os x seems like breaking new water 08:12 -!- maijadoo [n=Miranda@77.119.56.123.wireless.dyn.drei.com] has quit [Read error: 110 (Connection timed out)] 08:13 < ecrist> only because os x doesn't have proper bridging 08:13 < ecrist> :\ 08:13 < ecrist> one of the major beefs I've got with the os 08:15 < andriijas> i guess i could live with routed vpn. hehe. works like a charm. 08:22 < andriijas> ecrist: hmm, do i really need a virtual device to be able to bridge? 08:23 < andriijas> its not possible to bridge through a physical interface? 08:23 < caturdayz> reiffert: thanks, i'll see if that works when i go to work today 08:25 < ecrist> andriijas: bridging is usually accomplished at the OS level, with a pseudo device being the aggregate between two other interfaces, pseudo or real 08:25 < ecrist> s/two/two or more/ 08:26 < andriijas> hence the need for kernel support 08:27 -!- caturdayz [n=caturday@cpe-74-74-232-154.rochester.res.rr.com] has quit ["Leaving"] 08:27 < andriijas> shit the same. ill just stick with my working routed vpn 08:27 < andriijas> :) 08:27 < andriijas> thanks ecrist 08:27 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has left ##openvpn [] 08:27 < ecrist> np 08:44 -!- buzzDrive [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 08:44 < buzzDrive> Can someone have issues about collision packet in a vpn network? 08:45 < reiffert> Collision on layer1? 08:45 < buzzDrive> I don't know, there are two networks links with vpn but both are 192.168.0.0/24 08:46 < ecrist> easy, change the IP range on one of them. 08:46 < buzzDrive> someone here told me it was source of problem, right?
08:46 < ecrist> !1918 08:46 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 08:47 < buzzDrive> ok thanx 08:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:50 < buzzDrive> The server are windows server what is the issue to change the ip range? 09:08 < reiffert> ? 09:09 < reiffert> You cant connect two subnets with openvpn when the two subnets are identical. 09:10 < Bushmills> the router wouldn't know what interface packet must be routed to 09:11 < ecrist> now, there are some *VERY* hacky things you can do with NAT/PAT and duplicate subnets with policy-based routing, but it's a little wacky 09:14 < reiffert> buzzDrive: do you feel ready for evil hackery? 09:14 < buzzDrive> reiffert: ? 09:14 < ecrist> even if he is, I'm not going to try and explain it. 09:14 < reiffert> Bushmills: thats not right. The router knows exactly where to route a packet to. 09:15 < reiffert> buzzDrive: question is: you have a problem, you where told a solution. Does it work? 09:15 < reiffert> you were told a solution 09:15 < Bushmills> when destination is one subnet for two interfaces are in? 09:15 < Bushmills> oh right, to the first interface it finds in the routing table 09:15 < buzzDrive> buzzDrive: I have the hand on the server it was just to explain why it doesn't works all the time 09:16 < reiffert> Bushmills: the router knows the network and a vpn transfer network. 09:17 < Bushmills> two vpn interfaces, like tun0 and tun1, in the described case 09:17 < Bushmills> both in the same subnet 09:17 < reiffert> Bushmills: If I understand 14:45 < buzzDrive> I don't know, there are two networks links with vpn but both are 192.168.0.0/24 09:18 < reiffert> Bushmills: right, than there are two networks with identical addresses and one vpn link between them. 
09:19 < reiffert> we could of course ask buzzDrive to explain the setup 09:19 < Bushmills> i th 09:20 < Bushmills> i think i am losing interest 09:20 < buzzDrive> do you know an article a wiki which explain that openvpn cannot be linked between 2 identical subnet, it's for justifying to the administrator 09:21 -!- pons [n=pons@pc-66-126-83-200.cm.vtr.net] has joined ##openvpn 09:23 < reiffert> it's plain logic. 09:24 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 09:27 < ecrist> buzzDrive: I've got a link to a wiki which states it. gimme a sec 09:29 < ecrist> http://www.secure-computing.net/wiki/index.php/Durrrr 09:29 < vpnHelper> Title: Durrrr - Secure Computing Wiki (at www.secure-computing.net) 09:30 < reiffert> hehe 09:32 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 09:33 -!- pons [n=pons@unaffiliated/pons] has quit [] 09:35 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 09:42 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn 09:42 < jul_> hello, can i push a route with interface ? 09:43 < ecrist> yes, I think so. 09:43 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 09:43 < ecrist> jul_: have you read the man page? 09:43 < jul_> i try route ip netmask tun0 but it doesn't work 09:44 < jul_> ecrist: yes i read but i don't find it 09:44 < jul_> -route network/IP [netmask] [gateway] [metric] 09:44 < ecrist> looks like no. you can route to a gateway, but not an interface with openvpn 09:44 < ecrist> --route network [netmask] [gateway] [metric] 09:45 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 09:45 < jul_> but: pn_gateway -- The remote VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
09:46 < jul_> i don't understand this 09:47 < jul_> because when i push a route, the client add route but not with the device tun0 :( 09:48 < ecrist> it should add a correct route to the vpn, automatically 09:49 < jul_> ecrist: yes but with wrong device 09:51 < jul_> maybe with route-up 10:06 < jul_> or not 10:12 -!- fixxxermet [n=kjohnson@69.85.26.2] has joined ##openvpn 10:13 -!- mooncup [n=a@unaffiliated/mooncup] has quit [Excess Flood] 10:13 -!- mooncup [n=a@haha.you.lostthega.me] has joined ##openvpn 10:22 -!- jul_ [n=jul@colonel.verygames.net] has quit ["Lost terminal"] 10:27 < fixxxermet> So I just setup my first openvpn vpn. My client can ping the server's subnet, but the server can not ping the client's subnet? 10:29 < mjt> RESOLVE: Cannot resolve host address: : [TRY_AGAIN] A temporary error occurred on an authoritative name server. 10:30 < mjt> who the f* was that helpful and translated the error codes? 10:32 < mjt> really, that's fascinating. I never saw a piece of software which is this good and sucky at the same time. 10:32 < mjt> usually it either sucks or not. this one -- it's both. 10:37 < ecrist> mjt: what is your big beef with that error? 10:41 -!- n0u [i=Chaton@unaffiliated/nou] has joined ##openvpn 10:41 < mjt> the translation is nonsense 10:41 < mjt> "error on auth nameserver" - thats plain frong 10:41 < mjt> wrong even 10:41 < ecrist> o.O 10:42 < mjt> the error was due to openvpn running chrooted and i forgot persist-remote-ip, it has exactly _nothing_ to do with "auth nameserver" 10:42 < mjt> but i had some debugging with a chain of nameservers here, to determine which auth ns has a problem... 10:43 < mjt> it's sorta like all those useless-annoying-"helpful" warnings all over which I had to patch out, but worse. 10:44 < mjt> openvpn needs a good, massive, friendly cleanup 10:45 < n0u> is there a way to run a script when a connection has been initiated ? 
(in tls-{server,client} mode) 10:45 < mjt> n0u: --up script 10:45 < mjt> er 10:45 < n0u> i said "connection initiated" 10:46 < n0u> not tun up 10:46 < mjt> yeah. 10:46 < n0u> route-up doesn't fit either 10:46 < mjt> that's my 'er' ;) 10:46 < n0u> ok 10:46 < n0u> something like the client-connect for tls-server 10:46 < mjt> just wasn't fast enough to type.. and esp. to *think* before typing :) 10:47 < n0u> because i don't want some routes to stay when the tunnel link is not up 10:47 < mjt> !iporder 10:47 < vpnHelper> mjt: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 10:48 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)] 10:48 < mjt> --client-connect script 10:48 < mjt> that's in tls-server 10:49 < mjt> as of client, it really does not matter if it's --up or --post-up (so to say) 10:49 < mjt> because it's done very close to each other 10:49 < n0u> Options error: --client-connect requires --mode server 10:49 < mjt> yes 10:50 < n0u> i said tls-server :) 10:50 < mjt> blame openvpn for misleading options ;) 10:50 < mjt> as i just did for wrong error code tranlation 10:50 < ecrist> mjt, you complain a lot. 10:50 < mjt> and read the difference 10:50 < n0u> i agree :) 10:50 < mjt> ecrist: i know 10:50 < n0u> (with ecrist) :) 10:51 < mjt> heh 10:51 < mjt> but i think (hope?) i'm complaining not about nothing 10:51 -!- achilles [n=achilles@82.205.120.165] has joined ##openvpn 10:51 < mjt> ie, most my complaints are valid. 10:52 < mjt> (i'd love to know if i wrong. seriously) 10:52 < n0u> another one, is there a way to specify the local ip openvpn (in server mode this time) would use in case the server has several ip ? 
(haven't really searched for this one) 10:53 < n0u> specify on per client basis 10:53 < mjt> n0u: no 10:53 < mjt> n0u: it listens on only one IP 10:53 < n0u> no 10:53 < mjt> i mean it's global, not client-specific 10:53 < n0u> it listen to all ip by default, you mean there's no source ip selection configuration 10:54 < achilles> hello, I have simple question please, I'm running openvpn for site to site connectivity, it's okay and everything is well, I just wonder how can the head quarter get another branch ? I mean, now it's site to site, how can I make it site to many sites ? 10:54 < mjt> you can tell it to listen on that ip or this 10:54 < mjt> but that's global option 10:55 < mjt> n0u: see --local 10:55 < n0u> sure, that's not the question :) when it binds to ANY i'd like to be able to select the source ip 10:55 < mjt> that depends on the client 10:55 < n0u> nope 10:55 < n0u> nevermind 10:55 < mjt> heh ok 10:56 < mjt> achilles: 2.0 introduced --mode server 10:56 < mjt> achilles: so you can have "star"-like config - one server in the center and many branches connecting to it. 10:56 < achilles> mjt, yes exactly this is what I want 10:56 < achilles> mjt, thank you very much 10:57 < mjt> heh, it wasn't difficult ;) 10:57 < achilles> mjt, but how can I assign an IP to each branch connection point to define routing rules 10:58 < mjt> see the many examples. tls-server is probably what you want 10:58 < mjt> it's pointless to repeat the docs here 10:58 < mjt> !howto 10:58 < vpnHelper> mjt: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:59 < achilles> mjt, thank you very very much 10:59 < achilles> absolutely I will 10:59 < achilles> mjt, I got an idea, what If I started many vpn servers on different ports ? 
11:00 < mjt> that'll work too 11:00 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn 11:00 < achilles> okay great, I will see the HowTo and see what is the best 11:00 < achilles> mjt, thank you again 11:00 < mjt> you may also consider tinc and vtun for that -- first also has server mode, vtun can run from inetd and use only one port. 11:00 < mjt> (just few more alternatives ;) 11:01 < achilles> aah thank you for telling me 11:01 < mjt> heh n/p 11:01 < achilles> :) 11:01 < ecrist> you can specify the IP openvpn listens on... 11:01 < mjt> --local 11:02 < mjt> achilles: you'll find mentions of me in both, btw :) 11:02 < achilles> :) 11:10 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)] 11:17 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 11:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 11:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 11:37 < n0u> "--multihome : Configure a multi-homed UDP server.\n" 11:37 < n0u> \o/ 11:37 < n0u> should have read the source right away :) 11:38 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 11:39 < diegoviola> hi, i have a vpn working with openvpn, multiples users, etc... the ip of my vpn server is 10.8.0.1, but i would like to have vpn.foo.org, do i need to run a local domain server on my vpn server for that? 11:39 < achilles> mjt, you sure it's written how to implement like a start vpn connections in HowTo ? 11:39 -!- pielgrzym [n=pielgrzy@1str003.multi-play.net.pl] has joined ##openvpn 11:40 < ecrist> achilles: what are you looking for?
11:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 11:40 < achilles> ecrist, thank you, I'm trying to get multiple branches connected the headquarter as site-to-site to route voip calls 11:41 < pielgrzym> hi peeps - I'm trying to run openvpn client to connect to my work network - I've got two files from my admin .crt and .key shall I use .crt for ca as well as for cert in client config? Now I get auth errors while connecting and I'm frustrated with vague documentation for the client ;P 11:41 < achilles> ecrist, I established site-to-site and it's perfect 11:41 < ecrist> achilles: you don't want site-to-site, you want a server a multiple clients. 11:41 < ecrist> voip will work fine on routed VPN, so go with that. 11:41 < achilles> ecrist, ah .. hmm, but in this scenario, can I know each client what IP does it take ? 11:42 < achilles> which is the branch actually the client 11:42 < ecrist> pielgrzym: you need the ca.crt and also the config 11:42 < ecrist> you can use client-config-dir 11:42 < pielgrzym> ecrist: I see :) error=self signed certificate in certificate chain - this is the error for not having this file? 11:43 < pielgrzym> ecrist: just to be sure - my admin has this ca.crt file, right? Only the server should generate the keys for the clients right? 11:45 < ecrist> pielgrzym: in a strict SSL environment, the root ca has the root certificate and root key. all certificates can be (and should be) freely distributed. keys should always be kept secret. so, users don't get the CA key, and really, the root ca shouldn't have the client keys. 11:45 < ecrist> in the reality of VPNs, however, the root ca is administered by the network admin, who will usually auto-generate a certificate/key pair for each client. 
11:45 < pielgrzym> ecrist: I see 11:45 < ecrist> you should be distributed four files, ca.crt, client.crt, client.key and client.conf 11:46 < ecrist> your vpn client needs a copy of the ca certificate to compare things to 11:46 < pielgrzym> ecrist: got all of them apart ca.crt ;) 11:47 < pielgrzym> ecrist: thanks! :) 11:47 < ecrist> np 11:52 < achilles> guys, when configuring client-specific rules as sysadmin1,contractor1 ..etc in the the HowTo, how can I refer that this client is sysadmn1 this is contractor .. is it configured from the client configurations ? 11:57 -!- cQix [n=attse@host86-132-121-65.range86-132.btcentralplus.com] has joined ##openvpn 11:59 < mjt> achilles: each client gets its own cert, with its own unique common name. that's basically 11:59 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 11:59 < mjt> all 12:00 < mjt> you can use one cert for all, in which case there will be impossible to know who's who 12:00 < mjt> (at least as far as openvpn is concerned) 12:00 < cQix> Hi there. I've a problem with openvpn bridging. I actually followed http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html and set it up as described. The VPN connection is open "Initialization Sequence Completed" but the ping does not go through. I've wiresharked the communication on tap0 and can see the arp request going out, but no reply at all. Firewall were deactivated - No result. 12:00 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 12:01 < mjt> cQix: but do you see the packets on other side? 12:01 < mjt> arriving there, that is 12:01 < achilles> mjt, ah the with preshared key this is not possible 12:01 < achilles> right > 12:01 < achilles> ? 12:02 < mjt> never used and actually never tried to look how psk mode works 12:02 < cQix> mjt: No. Tested also the other way (Client -> Server)No arp 12:02 < mjt> cQix: so turn on debugging?
12:02 < achilles> mjt, okay thank you very much 12:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:04 < cQix> mjt: Client init: http://pastebin.com/m186e3d03 12:04 -!- achilles [n=achilles@82.205.120.165] has quit ["Leaving"] 12:05 < mjt> well.. nope. 12:05 < mjt> i mean. 12:05 < cQix> What would you need 12:06 < mjt> i'm not an expert here, come to openvpn about a week ago. Before i tried tinc, which had a mode where it logged every packet it received from tun/tap device and sent to 'net. 12:06 < mjt> and in that logging it was almost always obvious where things went wrong. 12:06 < mjt> i didn't try that with openvpn yet 12:07 < cQix> Ok. Will try to set wireshark to log everything from the initial start. 12:07 -!- n0u [i=Chaton@unaffiliated/nou] has left ##openvpn [] 12:07 < mjt> o 12:08 < mjt> i'm not saying about 'from initial' 12:08 < mjt> i mean the actual exchange of arp packets 12:08 < mjt> you do understand this stuff, it seems 12:08 < cQix> Afterwards there's nothing of interest 12:08 < cQix> little 12:09 < mjt> well, running wireshark and knowing what ARP is -- that's very, very good signs. 12:09 < cQix> But as it seems, not enough for this 12:09 < mjt> seriously 12:09 < mjt> many ppl who come here uses nmap to see which ports are open on their unix box, instead of netstat... 12:10 < mjt> but if arp packets are not forwarded.. well, it's openvpn's settings somehow. 12:11 < mjt> and i don't know how bridging works with it. 12:11 < cQix> It uses the basic brctl and then says that ip ...128 to ...254 is for the clients 12:12 < mjt> as far as i understand, openvpn should forward just any packet to the other side. 12:12 < cQix> should, that's the problem 12:13 < cQix> But anyway. Bad day.
The powersupply started burning and so on 12:13 < mjt> bad day - that's for sure ;) every day's bad ;) 12:14 < mjt> (I don't even remember what i started fixing today -- trying fixin that i encountered another issue, tried to fix it, but failed because another bug, tried to fix that and... that was a long one ;) 12:14 < cQix> yep 12:14 < cQix> and 4 me it started 2 days ago like this 12:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 12:18 < mjt> cQix: lucky you 12:18 < mjt> i'm about 1.5 years in this mode already :) 12:19 < cQix> ok. I'm not full time sysadmin 12:19 < cQix> most of the time webdev 12:20 < cQix> But now we need this vpn server set up newly 12:20 < cQix> and so on 12:20 < ecrist> freebsd has sockstat, which is the best method to determine which ports are open. 12:20 < ecrist> actually doing a port scan on localhost with nmap is silly 12:24 -!- buzzDrive [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 12:26 -!- cpm_ is now known as cpm 12:28 < hagna_> so how do I tell this vpn client machine to route inbound packets to tun0? 12:28 < hagna_> on linux 12:30 -!- TigerDuck [i=ralf@port-92-194-48-119.dynamic.qsc.de] has joined ##openvpn 12:30 < TigerDuck> hi 12:31 < TigerDuck> !howto 12:31 < vpnHelper> TigerDuck: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:34 < krzee> inbound packets? 12:34 < krzee> what are you actually trying to do hagna_ 12:35 < hagna_> krzee: A -- B -- GW and B -- VPN 12:36 < krzee> thats giberish to me 12:36 < hagna_> yeah hang on 12:36 < krzee> try using your words pls 12:36 < hagna_> machine A connects to B which connects to the gateway 12:36 < hagna_> B also connects to a vpn via openvpn 12:36 < krzee> is a and b on the same lan? 12:36 < hagna_> and I want B to route packets from A destined for 10.4.0.1 to the right place 12:36 < hagna_> krzee: yes and B is a bridge 12:37 < krzee> are you using tun? 
12:37 < hagna_> yep 12:37 < TigerDuck> Where could I find hints on how to use the update-resolv-conf script correctly? 12:37 < krzee> !pushdns 12:37 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 12:37 < TigerDuck> Thanks 12:37 < krzee> np, i think that thread will lead you somewhere 12:38 < krzee> so what is 10.4.0.1? 12:38 < hagna_> krzee: the ip of the other side of the vpn 12:38 < hagna_> on B it's 10.4.0.2 12:38 < krzee> and B talks to the vpn fine? 12:38 < hagna_> yes 12:38 < hagna_> I can ping 10.4.0.1 just fine 12:38 < krzee> your question contained your answer 12:39 < hagna_> so I would win at jeaopardy 12:39 < hagna_> jeapordy 12:39 < krzee> just give A a route to 10.4.0.0 255.255.255.0 pointing at lan ip of B 12:39 < krzee> if there are many A's, add the route to their default gateway 12:39 < hagna_> krzee: I think there is a way to do it without changing the route on A 12:40 < krzee> yes, by changing the route on their default gateway 12:40 < hagna_> I'd like to do the routing on the bridge 12:40 < krzee> well, too bad 12:40 < krzee> its their default gateway or them 12:40 < krzee> BUT 12:40 < hagna_> you can tell the bridge to route packets 12:40 < krzee> the other side of the vpn must know about the network that is talking to it 12:40 < krzee> or it cant respond 12:41 < krzee> so other side needs to know to route A's lan through the vpn 12:41 < hagna_> yes 12:41 < krzee> which could be done through a push route if you werent using ptp 12:41 < hagna_> ptp? 12:41 < krzee> or are you using topology subnet? 12:41 < hagna_> haven't picked one yet 12:42 < krzee> server / client or ifconfig 10.4.0.1 10.4.0.2 ? 12:42 < krzee> whats A's lan? 
12:42 < hagna_> 10.1.2.0/24 12:44 < krzee> try adding to the other side of config , route 10.1.2.0 255.255.255.0 12:44 < krzee> that will instruct openvpn to add the route to that lan to go over vpn 12:44 < krzee> and how do you specify ips in openvpn? 12:45 < krzee> im guessing ifconfig 10.4.0.1 10.4.0.2 12:45 < hagna_> yes 12:45 < krzee> which means its point to point (ptp) 12:45 < krzee> so you did choose 12:45 < hagna_> openvpn --remote $REMOTE --dev tun0 --ifconfig 10.4.0.2 10.4.0.1 --verb 9 --float 12:45 < hagna_> that's on B 12:45 < krzee> then on other side add --route 10.1.2.0 255.255.255.0 12:46 < krzee> (NOT ON B) 12:47 < hagna_> ok thanks I'll try it when I get a chance 12:47 < krzee> but you also need the route i said on A 12:48 < krzee> unless B is A' default gateway 12:48 < krzee> in which case the route is already there when openvpn is running 12:48 < krzee> if the router behind B is the gateway (transparent bridge) then either A or it must have the route 12:49 < krzee> btw, that tunnel will have no encryption 12:50 < hagna_> wow seems like you are really familiar with this 12:50 < krzee> hehe 12:50 < krzee> aye 12:50 < TigerDuck> Quite funny. Using my configuration in WinXP it smoothly enables name resolution. In Ubuntu it connects equally smooth but does not add the extra dns server to /etc/resolv.conf 12:51 < TigerDuck> When I add the nameserver manually, everything is just perfect 12:51 < krzee> ive never used that included script 12:52 < krzee> but basically you want a script in the up option 12:52 < krzee> ild prolly make my own 12:52 < krzee> that just mv's the file to a backup 12:52 < TigerDuck> I see 12:52 < TigerDuck> good point 12:52 < krzee> then echo's the new NS to new resolv.conf 12:52 < krzee> then down script to mv the backup over the new one 12:53 < TigerDuck> I'll do that, too. 
Thanks for the hint 12:53 < krzee> but ild read that script too 12:53 < krzee> cause it may have thought of stuff i didnt 12:53 < TigerDuck> I'll do 12:53 < krzee> =] 12:53 < krzee> yw 13:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 13:03 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 13:21 < TigerDuck> krzee: My resolving problem seems to be rather common and there seem to be no proper solution at hand if one wants to stick to update-resolv-conf as it seems in https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/226185 13:21 < vpnHelper> Title: Bug #226185 in openvpn (Ubuntu): "update-resolv-conf script does not restore old values" (at bugs.launchpad.net) 13:21 < TigerDuck> So, I'll write my own replace scripts for up and down 13:21 < TigerDuck> Thanks for the enlightenment 13:22 < TigerDuck> bye 13:22 -!- TigerDuck [i=ralf@port-92-194-48-119.dynamic.qsc.de] has left ##openvpn ["Leaving."] 13:24 < mjt> for that thing i had a special file included from named.conf, -- named.conf.forwarders. Various pieces were writing/rewriting it and triggered named reload. 13:24 < mjt> that works much more reliable. 13:25 < mjt> (named running on local machine, resolv.conf is static) 13:25 -!- PeoplesAdvocate [n=chatzill@adsl-75-63-149-29.dsl.snantx.sbcglobal.net] has joined ##openvpn 13:25 < mjt> it's strange this quite obvious and trivial method isn't used by linux distributions 13:28 < PeoplesAdvocate> Hello, Im running Ubuntu 8.04. When I run the Command openvpn path/to/server.conf it goes all the way to this message " Tue Mar 24 13:10:14 2009 Initialization Sequence Completed" then my terminal hangs, I cannot enter anymore commands. Is this normal or am I running it wrong? 13:29 < krzee> mjt, good thinking 13:30 < krzee> your console hangs? are you remote? 13:30 < PeoplesAdvocate> yes im ssh into the system 13:30 < krzee> and it is the client, and you are using redirect-gateway? 
13:30 < PeoplesAdvocate> we are under same lan 13:31 < krzee> securing wireless? 13:31 < krzee> and it is the client, and you are using redirect-gateway? 13:31 < PeoplesAdvocate> no im trying to get openvpn server running 13:32 < krzee> so its the server? 13:32 < PeoplesAdvocate> yes 13:32 < krzee> are you using tun or tap 13:32 < PeoplesAdvocate> tap 13:32 < krzee> you're bridging? 13:32 < PeoplesAdvocate> yes 13:32 < krzee> while already on the same lan? 13:33 * krzee expects thunder and lightning 13:33 < PeoplesAdvocate> yes im ssh into my server cause no monitor on it. Im setting up openvpn so someone can login 13:33 -!- cQix [n=attse@host86-132-121-65.range86-132.btcentralplus.com] has quit [] 13:33 < krzee> first of all, why do you want a bridge 13:34 < krzee> (90% of the time this question leads to me saying you dont want a bridge) 13:34 < ecrist> krzee: did you look at my new site logo? 13:34 < PeoplesAdvocate> no i do want a bridge, Im running my server from a fujitsu p1120, LOL 13:34 < krzee> ya ecrist i like it 13:34 < krzee> but suddenly cant remember what the old logo looked like 13:35 < krzee> PeoplesAdvocate, didnt you say you are using a tap bridge? 13:35 < ecrist> just a padlog 13:35 < ecrist> padlock 13:35 < PeoplesAdvocate> yes 13:35 < krzee> ok ya i like the new one 13:35 < krzee> PeoplesAdvocate, if you dont want a bridge, why are you doing it? 13:35 < PeoplesAdvocate> no i do want a bridge 13:35 < krzee> ok, why?\ 13:35 < PeoplesAdvocate> that is the only option for me 13:36 < krzee> what layer2 protocol are you running over the vpn that requires you to bridge? 13:36 < PeoplesAdvocate> if you look at pic of a fujitsu p1110 netbook I cannot upgrade anything on it. 
13:36 < krzee> lol 13:37 < krzee> you dont need to to use routing 13:37 < krzee> i only have 1 nic on all my systems 13:37 < krzee> well, on most 13:37 < krzee> but openvpn never requires 2 nics 13:37 < krzee> or any other upgrades you're thinking of 13:37 < krzee> in fact a bridge will use more resources than routed tun 13:37 < krzee> so... 13:37 < PeoplesAdvocate> the way i understand it you need to nics to run openvpn on routing right? 13:37 < krzee> what layer2 protocol are you running over the vpn that requires you to bridge? 13:37 < krzee> no 13:37 < krzee> 1 nic for either setup 13:38 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 13:38 < PeoplesAdvocate> hmm 13:38 < krzee> !tunortap 13:38 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 13:39 < PeoplesAdvocate> lets say a friend and I want to play a lan game will it work with routing? 13:39 < krzee> lan gaming would be a reason to use a bridge 13:39 < krzee> as most use layer2 protocols 13:39 < krzee> is that what your vpn is for? 13:39 < PeoplesAdvocate> yeah 13:39 < PeoplesAdvocate> LOL 13:39 < krzee> there ya go 13:39 < krzee> thats a valid answer 13:40 < krzee> BUT 13:40 < krzee> you cant bridge while on the same lan 13:40 < krzee> you're prolly starting a storm on your switch 13:41 < krzee> everything layer2 is being forwarded to the other side of the bridge, which is the same lan 13:41 < krzee> which causes more 13:41 < krzee> which causes more 13:41 < krzee> which causes more 13:41 < krzee> kaboom 13:41 < PeoplesAdvocate> so if im on the same lan as the server and my router assigns the IP to me, if my friend gets into the vpn server it wont act as we are in the same server? 13:42 < krzee> im saying server and client cant be on same lan 13:42 < krzee> which is what it sounded like you were saying... 
13:42 < PeoplesAdvocate> we no he is elsewhere 13:42 < krzee> ok 13:42 < PeoplesAdvocate> he will connect to me to play, get it? 13:42 < krzee> lets see your configs 13:42 < krzee> !configs 13:42 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:43 < krzee> im no bridging expert, i havnt used a bridge in years 13:43 < krzee> (cause i have no layer2 protocols to vpn) 13:43 < krzee> hey ecrist 13:44 < krzee> ZFS filesystem version 13 13:44 < krzee> [14:01] FreeBSD 8.0-CURRENT-200902 #0: Mon Feb 16 22:17:04 UTC 2009 13:44 < krzee> [14:01] CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ (2204.71-MHz K8-class CPU) 13:44 < krzee> [14:01] usable memory = 8030814208 (7658 MB) 13:44 < krzee> [14:02] rgephy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto 13:44 < krzee> [14:02] acd0: DVDR at ata0-slave UDMA33 13:44 < krzee> [14:02] ad4: 1430799MB at ata2-master SATA300 13:44 < krzee> [14:02] ad6: 1430799MB at ata3-master SATA300 13:44 < krzee> [14:02] ad8: 1430799MB at ata4-master SATA300 13:44 < krzee> [14:02] ad10: 1430799MB at ata5-master SATA300 13:44 < krzee> storage/nfs 3.7T 128K 3.7T 0% /nfs 13:44 < krzee> =] =] 13:45 < PeoplesAdvocate> my configs are fine, its just that when I enter this command "sudo openvpn /path/to/server.conf" it runs successfully, it gives me this message at the end " 13:45 < PeoplesAdvocate> Tue Mar 24 13:10:14 2009 Initialization Sequence Completed 13:45 < PeoplesAdvocate> then i cant enter no more commands 13:45 < krzee> !logs 13:45 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6 13:45 < krzee> how can you say your configs are fine when it isnt working... 13:45 < krzee> can you log back in over ssh after?
13:46 < PeoplesAdvocate> yes 13:46 < krzee> you wouldnt be here if you could guarantee your configs are fine 13:46 < krzee> so... 13:46 < krzee> oh wait 13:46 < krzee> you can log back in... 13:46 < PeoplesAdvocate> yes 13:46 < krzee> then is the vpn working...? 13:46 < krzee> after you log back in 13:46 < PeoplesAdvocate> its just i dont know if im running it right 13:46 < krzee> can you ping the client? 13:47 < krzee> well its a bridge, the ip is changing when you start openvpn 13:47 < krzee> so relogging in is expected to me 13:47 < PeoplesAdvocate> i have to open up another connection because if i ctrl-c it will terminate openvpn 13:47 < krzee> you can run openvpn in daemon mode by adding daemon to the config also 13:47 < krzee> that way you can close that dead term 13:47 < krzee> and it'll keep running 13:48 < PeoplesAdvocate> ohhh 13:48 < reiffert> krzee: 3.7TB netto made from? 13:48 < PeoplesAdvocate> i see now 13:48 < krzee> reiffert, huh? 13:48 < krzee> netto? 13:48 < PeoplesAdvocate> let me try that 13:48 < PeoplesAdvocate> hold on 13:48 < reiffert> krzee: e.g. 4 x 1 TB raid5 brutto will give you 3TB netto 13:48 < krzee> ahh 13:49 < krzee> NAME STATE READ WRITE CKSUM 13:49 < krzee> storage ONLINE 0 0 0 13:49 < krzee> raidz1 ONLINE 0 0 0 13:49 < krzee> ad10s1g ONLINE 0 0 0 13:49 < krzee> ad4 ONLINE 0 0 0 13:49 < krzee> ad6 ONLINE 0 0 0 13:49 < krzee> ad8 ONLINE 0 0 0 13:49 < krzee> 100G reserved for the OS 13:49 < krzee> not using zfsONroot this time 13:49 < krzee> 4x 1.5's 13:50 < reiffert> and how many disks may fail? 13:50 < krzee> 1 iirc, i could have more fail by using raidz2 13:50 < krzee> but this is as much for play as real usage 13:50 < PeoplesAdvocate> ahhh, its working now, I just added daemon to top of server config file and now its running without hanging my term 13:50 < reiffert> raidz2 implies adding more disks I guess?
13:51 < PeoplesAdvocate> top 13:51 < krzee> im not too sure of raidz2, i just know it offers more redundancy 13:51 < krzee> 4 is prolly enough to use it 13:51 < reiffert> reducing available disk space below 50% I guess. 13:51 < reiffert> I really should get new hardware :) 13:52 < krzee> i would expect so 13:52 < PeoplesAdvocate> krzee I appreciate your time and help. 13:52 < krzee> np =] 13:52 < PeoplesAdvocate> got it working 13:52 < krzee> i really really hope my new intel system runs osx86 13:52 < krzee> intel q9400 proc 13:52 < krzee> mmmm 13:53 -!- PeoplesAdvocate [n=chatzill@adsl-75-63-149-29.dsl.snantx.sbcglobal.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"] 13:53 < krzee> also with 8gb ram, and a 1.5TB drive 13:53 < krzee> but ill build that later 13:53 < krzee> i still need to get my new TV here first 13:53 < krzee> until the new TV is here that system is somewhat pointless to me 13:53 < krzee> so im spending my time on my nfs first 13:53 < reiffert> Is there virtualisation support for os x as guest available yet? 13:54 < krzee> no idea, but that would be AWESOMENESS 13:54 < krzee> ild love to run that vmware host OS 13:54 < krzee> and run a few OS's in parallel 13:55 < reiffert> yep 13:55 < krzee> ehxi or whatever that acronym is 13:55 < reiffert> how many q9400 you got, two? 13:55 < krzee> nah, 1 13:55 < krzee> the nfs is amd64 13:55 < krzee> for increased zfs love 13:56 < krzee> but shit, the q9400 is quad core 13:56 < reiffert> But just one :) 13:56 < krzee> thats plenty! =] 13:56 < krzee> haha 13:56 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has joined ##openvpn 13:56 < krzee> price tag on my suitcase of hardware was plenty enough as is 13:56 < krzee> im so glad i made it through customs without harassment 13:57 < krzee> i had an escort through ;] 13:57 < krzee> otherwise the pricetag woulda been WAY higher 13:57 < reiffert> I dont see an intel equiv. 
for amd hypertransport yet, so I just dont know what to get, quadcore opterons or xeons. 13:58 < krzee> time to see how zfs likes my tweaks 13:58 < reiffert> tweaks? 13:58 < krzee> tuning 13:58 < krzee> nothing too crazy 13:58 < krzee> just the suggested stuffs 13:58 < Great_Anta_baka> hi. when i add the following routes I can no longer ping any hosts (0.0.0.0/1 and 128.0.0.0/1.) why is that? 13:58 < krzee> (for now) 13:58 < krzee> !def1 13:59 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:59 < krzee> you did it manual or used def1? 13:59 < Great_Anta_baka> manual 13:59 < Great_Anta_baka> def1 doesnt work 13:59 < krzee> def1 sure does work 13:59 < Great_Anta_baka> says it cant read my gateway 13:59 < krzee> ohh 13:59 < krzee> you on ppp? 
13:59 < Great_Anta_baka> ya 13:59 < krzee> ahh 13:59 < krzee> gimme a few 13:59 < Great_Anta_baka> thought that might be the issue 14:00 < Great_Anta_baka> ty 14:00 < krzee> its in the mail list somewhere 14:00 < Great_Anta_baka> ah 14:00 < Great_Anta_baka> been going through them 14:00 < krzee> !mail 14:00 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 14:00 < Great_Anta_baka> but couldnt find anything 14:00 < krzee> the gmane is the one to search 14:00 < krzee> the openvpn.net archive blows 14:00 < krzee> no searchability or scanning threads 14:00 < Great_Anta_baka> i see 14:00 < Great_Anta_baka> thats where i was 14:01 < krzee> subject openvpn and ppp 14:01 < krzee> date dec 18, 2008 14:03 < Great_Anta_baka> yeah think i am on that thread now 14:03 < krzee> Subject: [Openvpn-users] Fix for "Cannot read current default gateway" problem on Linux 14:04 < krzee> that was the title of the final post 14:04 < krzee> Hi! 14:04 < krzee> In the diff (agains 2.1_rc15) is the solution for the old* 14:04 < krzee> problem of (not) detecting default gateway on linux systems 14:04 < krzee> if it is a device route. 14:04 < krzee> The patch is attached as a gzipped diff output to this mail message : 14:04 < krzee> http://thread.gmane.org/gmane.network.openvpn.user/25117/focus=25127 14:04 < krzee> (direct link to patch : 14:04 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:04 < krzee> http://cache.gmane.org//gmane/network/openvpn/user/25127-001.bin 14:04 < krzee> rename to patch.gz after download) 14:04 < krzee> It was tested by one affected user (Antonis Tsolomitis, see the 14:04 < krzee> thread "openvpn and ppp" on the openvpn-users list) 14:04 < krzee> If I forgor anything, ask. 
14:04 < krzee> Regards, 14:04 < krzee> David 14:04 < krzee> *See mail list threads: 14:05 < krzee> "Redirect-gateway on dialup" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> "redirect-gateway + http-proxy + ppp problem" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> "Cannot redirect gateway after pppd connection" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> "openvpn and ppp" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> there ya go 14:05 * mjt looks around... 14:05 < krzee> lol sorry 14:05 < Great_Anta_baka> arent you gonna get banned for that? 14:05 < mjt> ;) 14:05 < krzee> not likely ;] 14:05 < Great_Anta_baka> but ty :P 14:06 < krzee> (im an op, and it was only used to help you) 14:06 < mjt> poor vpnHelper - now he had some work to do ;) 14:06 < Great_Anta_baka> hehe 14:06 < krzee> haha i was thinking that too mjt 14:06 < krzee> see how he lagged 14:06 < krzee> lol 14:06 < Great_Anta_baka> haha 14:07 < mjt> it was asleep. but awake at the end. 14:08 < krzee> i think he was checking the pacthes for a title 14:08 < krzee> haha 14:09 < krzee> prolly a bug to be found there 14:16 < Great_Anta_baka> ok 14:16 < Great_Anta_baka> sweeet 14:16 < Great_Anta_baka> its detecting the gatway 14:16 < Great_Anta_baka> but now getting no route to host :/ 14:16 < Great_Anta_baka> if i remove the 128.0.0.0/1 route i can ping some of the hosts on the office network 14:17 < Great_Anta_baka> but when its there i can ping nada 14:18 < Great_Anta_baka> i cant even ping the bridge interface on the openvpn server 14:19 < krzee> im out of help for awhile, gotta finish my nfs before heading out to work 14:19 < ecrist> krzee: sup? 
14:19 < krzee> but im sure others here will pick it up 14:19 < Great_Anta_baka> kk 14:19 < Great_Anta_baka> thanks for the help tho 14:19 < ecrist> oh, see your 8.0-CURRENT running 14:19 < ecrist> nice 14:19 < krzee> ecrist, im just all happy bout my new nfs, was pasting stuff from it 14:19 < krzee> ya! 14:20 < krzee> time to see if 900G can be copied via sata2 drives without a crash 14:20 < krzee> from UFS to ZFS 14:20 < krzee> if it does that ill be satisfied that the upgrade went well 14:20 < ecrist> sweet 14:20 < krzee> then ill stress test with some torrents 14:20 < krzee> always crashed fbsd7+zfs within 3 days 14:20 < krzee> but that was zfs6 14:20 < ecrist> I stress-tested our system here, but it's just regular ol' UFS 14:20 < krzee> also was on i386 14:21 < krzee> amd64 has much more love for ZFS 14:21 < ecrist> /dev/mfid0 3.5T 1.2T 2.1T 37% /d 14:21 < ecrist> you has more space than me. and my server was much more 'spensive 14:22 < krzee> storage/nfs 3.7T 10G 3.7T 0% /nfs 14:22 < krzee> /dev/ad12 1.3T 827G 418G 66% /backup 14:22 < krzee> copying * from /backup to /nfs now 14:22 < krzee> we'll see how it goes =] 14:22 < krzee> ya but my system is using experimental stuffs 14:22 < krzee> not wise for importantness 14:23 < mjt> is zfs really that good compared with others? 14:24 < krzee> it will be when its not experimental 14:24 < mjt> with all the buzz around... 14:24 < krzee> http://en.wikipedia.org/wiki/Comparison_of_file_systems 14:24 < vpnHelper> Title: Comparison of file systems - Wikipedia, the free encyclopedia (at en.wikipedia.org) 14:24 < krzee> check it out 14:24 < krzee> plus the snapshots are <3 14:24 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn 14:25 < chrisbdaemon> !routing 14:25 < vpnHelper> chrisbdaemon: Error: "routing" is not a valid command. 14:25 < Great_Anta_baka> what is the default mtu on openvpn? 
14:25 < krzee> !route 14:25 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:25 < chrisbdaemon> thanks 14:25 < krzee> Great_Anta_baka, see manual --mtu 14:25 < krzee> !manual 14:25 < vpnHelper> krzee: Error: "manual" is not a valid command. 14:25 < krzee> err 14:25 < Great_Anta_baka> ty 14:25 < krzee> !man 14:25 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:25 < Great_Anta_baka> lol 14:25 < krzee> also see --mtu-test 14:25 < krzee> expecially for your setup 14:25 < krzee> !mtu 14:25 < Great_Anta_baka> i see 14:25 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 14:26 < krzee> #2 14:26 < mjt> that's the next topic of my interest - mtu ;) 14:27 < mjt> because all previous tunnel solutions had... umm... issues here. 14:27 < krzee> mjt, cool you can show me the intricacies of the settings after you learn them ;] 14:27 < hagna_> oh ip forwarding 14:27 < hagna_> hehe 14:27 < mjt> damn 14:27 < mjt> i wanted to ask questions... ;) 14:28 < krzee> lol im sure others can answer 14:28 < hagna_> so client can push routes to server? 14:28 < krzee> no 14:28 < krzee> but server can specify routes 14:28 < hagna_> dang 14:28 < krzee> if client could push to server ild call that a problem 14:28 < mjt> krzee: you sure for the 'no' ? 14:28 < krzee> think of situation where clients are just users and server is production 14:28 < mjt> i didn't try, but how about --pull on SERVER ? :) 14:29 < krzee> read on pull 14:29 < mjt> i mean in theory 14:29 < mjt> ok 14:29 < krzee> --pull 14:29 < krzee> This option must be used on a client which is connecting to a multi-client server. 
14:30 < mjt> another helpful restriction i guess 14:30 < mjt> ;) 14:30 < krzee> aye 14:30 < hagna_> hrm 14:30 < ecrist> krzee: http://www.secure-computing.net/images/clx_rack1.jpg 14:30 < krzee> but server can specify routes 14:30 < krzee> the whole idea of push is to control clients from server 14:30 < hagna_> krzee: server doesn't know in this case 14:30 < hagna_> ok I'll rethink this 14:30 < ecrist> the 1u and 3u boxes above the one with all the blue lights is our backup server 14:30 < krzee> traveling lan? 14:30 < krzee> the whole lan is moving? 14:31 < krzee> damn! 14:31 < hagna_> krzee: no, but say there are 10 14:31 < krzee> i wanna visit and play!!! 14:31 < hagna_> :) 14:31 < krzee> 10 what 14:31 < hagna_> 10 lans not moving 14:31 < krzee> !route 14:31 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:31 < krzee> thats no problem 14:31 < krzee> server will know 14:31 < krzee> !iroute 14:31 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 14:32 < ecrist> that 4u of equipment was ~$11,000 14:32 < krzee> server needs to know based on clients common-name 14:32 < krzee> DAMN ecrist 14:32 < krzee> oh ok thats work related 14:32 < ecrist> oh, yeah, not my lan 14:32 < krzee> i was thinking that was where my box was 14:32 < krzee> hahah 14:32 < ecrist> oh, no, my rack isn't so impressive 14:32 < hagna_> heh 14:32 < krzee> i would assume not! 14:32 < krzee> lol 14:33 < ecrist> *but* someone may be financing a generator for me. ;) 14:33 < krzee> awesome!! 
14:33 < krzee> 33G copied over and i must leave 14:33 < krzee> i hope it doesnt blow up while im gone 14:33 < ecrist> l8r 14:33 < krzee> i wont know for a couple hrs 14:33 < krzee> hrm 14:34 < hagna_> so server knows my lan subnet? 14:34 < krzee> ecrist, you know the ssh option to allow connect-back? 14:34 < hagna_> ok I should read that 14:34 < ecrist> krzee: no, I use screen 14:34 < krzee> so i can allow myself to get in from a box while im at work today 14:34 < mjt> it's port-forwarding 14:34 < mjt> or something else? 14:35 < mjt> it can share one connection with other ssh'es 14:35 < krzee> nah not openvpn related 14:35 < krzee> i dont have time to setup a vpn on it 14:35 < mjt> yeah 14:35 < mjt> openssh can use a connection established by another openssh 14:36 < krzee> oh right 14:36 < krzee> ya thats what i want 14:36 < krzee> connect out to a server and allow it to connect back over that 14:36 < mjt> but it works in one direction 14:36 < mjt> -o ControlMaster=auto -o ControlPath=/some/where/socket 14:37 < mjt> it does not work back 14:38 -!- Alocado [n=matthias@dslb-088-068-039-189.pools.arcor-ip.net] has joined ##openvpn 14:38 < Alocado> hello 14:39 < Alocado> it's possible to have an encrypted user/passwort auth for openvpn? 14:40 -!- martian67 [i=user5490@about/linux/regular/martian67] has quit [Excess Flood] 14:40 -!- martian67 [i=user5490@about/linux/regular/martian67] has joined ##openvpn 14:41 < krzee> !passwd 14:41 < vpnHelper> krzee: Error: "passwd" is not a valid command. 14:41 < kala> Alocado: what do you mean? 14:41 < krzee> !pass 14:41 < vpnHelper> krzee: Error: "pass" is not a valid command. 14:41 < krzee> !factoids search pass 14:41 < vpnHelper> krzee: 'winpass', '2.1-winpass-script', 'password', and 'authpass' 14:41 < krzee> !authpas 14:41 < vpnHelper> krzee: Error: "authpas" is not a valid command. 
14:41 < krzee> !authpass 14:41 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 14:42 < Alocado> kala, if a openvpn client connects to a server, i could use certificate authentification or username/password auth 14:42 < Alocado> but: 14:42 < Alocado> user/password is (afaik) not encrypted while transferring the login credentials 14:43 < Alocado> is that correct? 14:43 < kala> its transmitted over the openvpn tunnel 14:43 < krzee> doubt that 14:43 < krzee> (doubt that its correct, sniff to check) 14:43 < krzee> auth isnt the only encryption that goes on in ovpn) 14:44 < kala> Alocado: the client configuration options and everything whats transmitted between the client and server should be secure 14:45 < Alocado> so i need no client certificates? 14:45 < krzee> HIGHLY NOT RECOMMENDED 14:48 < kala> hmm ... 14:49 < kala> Alocado: it seems that if you don't have client certificates, then you need to provide pre-shared secret to setp up the secure channel 14:49 < kala> and the pre-shared secret is the same over all clients, which is bad 14:49 < chrisbdaemon> i could use some help, i'm trying to setup openvpn to allow users access to a lan at 10.0.0.0/24 and put the users on the 10.0.1.0/24 range. 
they can connect just fine and can ping the 10.0.0.1 server but pings don't reach clients behind the openbsd firewall that runs openvpn 14:50 < chrisbdaemon> heres the server config file 14:50 < chrisbdaemon> http://pastebin.com/d320bf678 14:50 < mjt> Alocado: it's not difficult at all to follow easy-rsa howto steps to create your certs 14:50 < chrisbdaemon> i read the !routing doc and did what it said, but its still not quite working 14:51 < mjt> . o O { tcpdump } 14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:54 < Alocado> mjt, i know, but i need to have a VERY DYNAMIC structure 14:54 < chrisbdaemon> can anyone see if i'm doing something horribly wrong in my configuration? 14:54 < Alocado> i have to activate, deactivate and reactive vpn clients without accessing the clients 14:55 < kala> then the client certs are the only option? 14:57 < Alocado> can i "un-revoke" certificates? 14:58 < kala> umm ... 14:58 < kala> good question :) 14:58 < kala> you could separate authentication and authorization perhaps. 14:59 < Alocado> once i created the certificate i have NO possibility to change it later... it's bound to hardware ;) 14:59 < chrisbdaemon> Alocado: if you have to be able to take away access from clients can't you use ccd to put them into a subnet that doesn't connect to anything else? 14:59 < kala> authentication as "having valid cert" and authorization as "being memeber if certain LDAP group" 14:59 < chrisbdaemon> then take it back out when they get it back 15:00 < Alocado> ok, next question: what happens if my root certificate gets out of date? 15:01 < kala> then you need to supply the next root cert 15:01 < kala> which is bad, I suppose :) 15:02 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)] 15:02 < Alocado> ;) 15:02 < Alocado> oh yes 15:02 < kala> Alocado: thats a good question. 
In my country, they have smart-card issuer root cert valid until 2016 15:03 < kala> should ask them, what they plan to do in 7 years 15:03 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has joined ##openvpn 15:05 < Alocado> ok... what happens if all clients have the same client certificate? is this a problem? 15:06 < hagna_> hmm odd I can ping 10.1.2.201 from across the vpn but nmap says WARNING: Unable to find appropriate interface for system route to 10.4.0.2 15:07 < kala> Alocado: what do you do, if one of your client is compromised? 15:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:08 < Alocado> then i have a problem :D 15:08 < Great_Anta_baka> ok my adsl mtu is 1492 and my openvpn mtu is 1500... will this cause problems when using udp to connect the client to the server? 15:08 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 15:09 -!- achilles [n=achilles@62.90.14.151] has joined ##openvpn 15:12 -!- achilles [n=achilles@62.90.14.151] has quit [Client Quit] 15:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 15:14 -!- Alocado [n=matthias@dslb-088-068-039-189.pools.arcor-ip.net] has quit ["Ex-Chat"] 15:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:20 < mjt> usually it does not 15:20 < mjt> Great_Anta_baka: usually it does not 15:20 < Great_Anta_baka> kk 15:21 < mjt> i'm with 1492 mtu too. openvpn does mss-fixing 15:21 < Great_Anta_baka> mmm then i really dont know why i am getting No route to host (code=113) 15:21 < mjt> routes has nothing to do with MTU 15:22 < Great_Anta_baka> thought it might be frame/packet loss 15:22 < mjt> it'd be timeout or whatnot, but not no route. 15:22 < mjt> (unless you're bridgin and losing arp packets) 15:22 < Great_Anta_baka> mmm.. can you elaborate? 
15:23 < Great_Anta_baka> well it works when i dont have the route 128.0.0.0/0 15:23 < Great_Anta_baka> well it works when i dont have the route 128.0.0.0/1 15:23 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn 15:23 < mjt> that's a good route... 15:23 < Great_Anta_baka> :/ 15:23 < Great_Anta_baka> so it must be on the server side then? 15:23 < mjt> "it" = what? 15:24 < Great_Anta_baka> the problem 15:24 < Great_Anta_baka> wait 15:24 < Great_Anta_baka> i am too confused 15:24 < Great_Anta_baka> aarhg 15:24 * Great_Anta_baka reads some more man pages 15:29 < Great_Anta_baka> what is the 128.0.0.0/1 route for? 15:31 < kala> its almost the same effect as 0/0 route, but doesn't conflict with existing 0/0 route 15:32 -!- diegovio1a [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 15:36 < Great_Anta_baka> i see 15:36 < Great_Anta_baka> so that compliments the 0.0.0.0/1 15:36 < Great_Anta_baka> to cover the entire range 15:36 < Great_Anta_baka> ? 15:36 < kala> yes 15:40 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Success] 15:45 < Great_Anta_baka> ok so i got both those routes on my client machine. But I cannot even ping the VPN server and I creep getting no route to host errors in the client openvpn window 15:45 < Great_Anta_baka> keep* 15:49 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"] 15:49 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit [Connection timed out] 15:49 < reiffert> Great_Anta_baka: did you show us your config yet? 
15:50 < Great_Anta_baka> no will pastie it 15:50 < reiffert> !configs 15:50 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:52 < Great_Anta_baka> http://pastie.org/425804 15:53 < Great_Anta_baka> servr 15:53 < Great_Anta_baka> http://pastie.org/425805 15:54 < reiffert> paste /etc/openvpn/up.sh 15:55 < Great_Anta_baka> in a sec.. link went down :/ 15:55 < reiffert> why tcp? 15:55 < reiffert> status: openvpn NOT connected: are client and server in the same subnet? 15:55 < Great_Anta_baka> was udp was just trying tcp out 15:56 < Great_Anta_baka> it connects fine 15:56 < Great_Anta_baka> and when i dont do routing 15:56 < Great_Anta_baka> i can ping the work computers 15:56 < reiffert> I cant see any routing attempts. 15:56 < Great_Anta_baka> but can ping computers out of the network 15:56 < reiffert> and please answer my 2nd question. 15:57 < Great_Anta_baka> what is this push "redirect-gateway local def1" .. i will past the file in a second 15:57 < reiffert> status: openvpn NOT connected: are client and server in the same subnet? 15:58 < Great_Anta_baka> yes 15:58 < reiffert> like e.g. connected via wireless? 15:58 < Great_Anta_baka> no its an adsl connection 15:58 < reiffert> when you dont start openvpn 15:58 < reiffert> whats the IP of the client? 15:59 < Great_Anta_baka> 41.245.171.2XX 15:59 < Great_Anta_baka> thats my ppp ip 15:59 < reiffert> allright, what are you trying to achive? 15:59 < Great_Anta_baka> i am trying to route all my traffic through the vpn 16:00 < reiffert> does everything else work when you remove that line from the server.config: 16:00 < reiffert> push "redirect-gateway local def1" 16:00 < reiffert> ? 16:00 < Great_Anta_baka> yes 16:00 < reiffert> sure? 16:00 < Great_Anta_baka> ya 16:00 < reiffert> really? 
16:00 < Great_Anta_baka> i can ping all the office computers 16:00 < reiffert> then change that line to push "redirect-gateway def1" 16:01 < Great_Anta_baka> just not further than that 16:01 < Great_Anta_baka> both of them have the same effect 16:01 < reiffert> then dont. 16:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 16:01 < reiffert> s,then,they, 16:02 < Great_Anta_baka> so then is it impossible for me to reach computers out side of the office network without adding a route for each network outside it? 16:02 < reiffert> would you please try it again with push "redirect-gateway def1" 16:02 < reiffert> without the local flag 16:02 < Great_Anta_baka> thats what it is on at the moment.. 16:03 < Great_Anta_baka> but i think that comp jsut crashed... AAARRRRHHHGGG 16:03 < reiffert> from what I can see on http://pastie.org/425804 you are using local. 16:03 < Great_Anta_baka> oh 16:03 < Great_Anta_baka> soz 16:03 < reiffert> s.o.ss? 16:03 < Great_Anta_baka> indeed 16:04 < Great_Anta_baka> will have to come back here when i get back to work tomorrow 16:04 < Great_Anta_baka> ooh its back 16:04 < Great_Anta_baka> wee 16:05 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 16:05 < RUS> hi anybody ? can you help me to configure my openvpn ? 16:05 < reiffert> RUS: 16:06 < reiffert> !howto 16:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:07 < RUS> reiffert i read it. and configure well, but i have some troubles 16:07 < RUS> you see my topic on centos.org 16:07 < RUS> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=19246&forum=40 16:07 < vpnHelper> Title: www.centos.org - Forums - CentOS 5 - Networking Support - please help to configure openvpn and routing (at www.centos.org) 16:08 < reiffert> Why are you using openvpn to get packets from one vmware client to another? 
16:09 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 16:10 < reiffert> RUS: however, what you need to do is changing the subnet of windows xp to be outside of 192.168.0.0/24 16:10 < RUS> i try to configure. it's a training server 16:10 < RUS> reiffert why i must change? 16:11 < reiffert> http://www.secure-computing.net/wiki/index.php/Durrrr 16:11 < vpnHelper> Title: Durrrr - Secure Computing Wiki (at www.secure-computing.net) 16:11 < RUS> hm...will try. it's a good skill for me :) 16:17 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)] 16:18 -!- Great_Anta_baka [n=tensai@196-209-178-64-wrbs-esr-2.dynamic.isadsl.co.za] has joined ##openvpn 16:20 -!- Great_Anta_baka [n=tensai@196-209-178-64-wrbs-esr-2.dynamic.isadsl.co.za] has quit [Client Quit] 16:20 -!- tensai_ [n=tensai@196.33.159.83] has joined ##openvpn 16:21 -!- tensai_ [n=tensai@196.33.159.83] has quit [Client Quit] 16:21 -!- tensai_ [n=tensai@196.33.159.83] has joined ##openvpn 16:21 -!- tensai_ [n=tensai@196.33.159.83] has quit [Client Quit] 16:21 -!- Great_Anta_baka [n=tensai@196.33.159.83] has joined ##openvpn 16:24 < mjt> identical subnets? What's that? 16:25 < mjt> i had to connect two offices using the same 192.168.1.1/24 network 16:25 < mjt> (ie, both were using it, with .1 being the gateway) 16:26 < mjt> it worked after some ugly NATing 16:26 < reiffert> mjt: I was doing the same with bridging :) 16:26 < reiffert> cause I couldnt replace the default gateways there. 16:27 < mjt> heh. i think we had this discussion before ;) 16:27 < reiffert> probably :) 16:27 < mjt> were half the office was on one side and another on another, with intermixed IPs 16:27 < mjt> it was my situation too, at another time in another place. 
16:28 < mjt> (one dhcp server for both ends assigning addresses from the same common pool) 16:28 -!- bandini [n=bandini@host152-105-dynamic.10-79-r.retail.telecomitalia.it] has joined ##openvpn 16:29 < reiffert> I run two dhcp servers with firewalls on both vpn ends 16:30 -!- RUS [n=Mirc@88.214.199.27] has quit [Remote closed the connection] 16:31 < mjt> that my case was a temporary hack that lasted for about a month -- $boss was afraid that an ethernet cable between two parts of the building is too easy target for the (non-our) rooms on the way so I had to set up that tunnel. Later on we moved to another office. 16:38 -!- fixxxermet [n=kjohnson@69.85.26.2] has quit ["Leaving."] 16:41 -!- Great_Anta_baka [n=tensai@196.33.159.83] has quit [No route to host] 16:46 -!- Great_Anta_baka [n=tensai@dsl-245-151-145.telkomadsl.co.za] has joined ##openvpn 16:46 < Great_Anta_baka> reiffert, thank you 16:46 < Great_Anta_baka> that worked 16:46 < Great_Anta_baka> seems i was trying the local option with the unpatched version of openvpn 16:47 < Great_Anta_baka> only problem is after running the vpn for a few seconds the connection dies 16:48 < Great_Anta_baka> but if i ssh in the connection is permanently on 16:48 < Great_Anta_baka> i cant even ping it for a couple of minutes after it after i close the vpn connection 16:48 < Great_Anta_baka> the vpn server that is 16:50 < reiffert> use keepalive 10 120 16:50 < reiffert> on server and client 16:50 < reiffert> i'd also switch to udp and i'd probably dont touch mtu settings. 16:50 < Great_Anta_baka> ty 16:51 < reiffert> and remove comp lzo from both 16:51 < Great_Anta_baka> will try that out now 16:51 < Great_Anta_baka> kk 16:54 < reiffert> erm, explicitly disable comp lzo 17:03 < Great_Anta_baka> do i do that with a flag when i start the server 17:03 < Great_Anta_baka> i am just using "service openvpn restart" 17:04 < reiffert> "do that"=? 
17:07 < Great_Anta_baka> explicitly disable comp lzo 17:07 < Great_Anta_baka> i just commented it out 17:09 < reiffert> default is adaptive, you should use no instead. 17:10 < reiffert> and read the manpage entry for every option 17:12 < Great_Anta_baka> ya saw the options now.. seems like there is a problem with the routerboard that is forwarding the public ip to my machine.. until i get this sorted out it looks like there is no vpn access for me :/ 17:13 -!- benedictus [n=chatzill@99.156-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 17:21 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 17:22 < krzie> reif, he'll want to play with mtu cause he is on ppp iirc 17:23 < krzie> i think it was him 17:23 < krzie> ya it was (after scrolling up) 17:25 -!- bandini [n=bandini@host152-105-dynamic.10-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:25 -!- Great_Anta_baka [n=tensai@dsl-245-151-145.telkomadsl.co.za] has quit [Client Quit] 17:26 -!- Great_Anta_baka [n=tensai@196.33.159.83] has joined ##openvpn 17:27 < Great_Anta_baka> well.. i have to be off.. work in 8 hours 17:27 < Great_Anta_baka> thanks for all the help 17:28 -!- benedictus [n=chatzill@99.156-244-81.adsl-dyn.isp.belgacom.be] has quit [Client Quit] 17:28 < krzie> Great_Anta_baka 17:28 < Great_Anta_baka> yup 17:28 < krzie> did you mention to reif that you were on ppp? 17:28 < Great_Anta_baka> ya 17:28 < krzie> ok cool 17:28 < Great_Anta_baka> he said mtu was fine.. 
at least i think it was him 17:28 < krzie> use mtu-test on client to see if mtu is fine 17:28 < krzie> ya he did, i figured he didnt know you were on ppp 17:29 < Great_Anta_baka> i mentioned it a couple of times 17:29 < Great_Anta_baka> so think he knew 17:29 < krzie> with mtu-test on client openvpn will tell you 17:29 < Great_Anta_baka> well i am chatting to you through the vpn connection now 17:29 < Great_Anta_baka> so i am guessing its ok 17:30 < Great_Anta_baka> and no errors showing up 17:30 < Great_Anta_baka> on client screen 17:30 < Great_Anta_baka> but will try it out later 17:30 < krzie> nice =] 17:31 < krzie> normally i say dont play with mtu, ild definitely try mtu-test on ppp or satelite tho 17:31 < krzie> just to be sure 17:31 < Great_Anta_baka> although i would be interested in finding out if its possible that if the connection breaks and the client is still trying to reconnect.. if its possible to use the normal ppp gateway 17:31 < Great_Anta_baka> cos the route only gets removed once the client openvpn program is terminated 17:32 < Great_Anta_baka> but i will do that when i wake up 17:32 < Great_Anta_baka> now its sleepy time 17:32 < Great_Anta_baka> :] 17:32 < krzie> sure it is 17:32 < krzie> !def1 17:32 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:32 < krzie> ohh i see what you mean 17:32 < krzie> my bad 17:32 < Great_Anta_baka> ;) 17:43 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn 17:43 < RUS> hi again 17:45 < RUS> help me please. 17:45 < RUS> i have openvvpn server configured on centos OS 17:45 < RUS> i connect to openvpn server nice. 
but internet on client doesn't work
17:45 < RUS> now vpn server is dedicated in datacenter
17:46 < krzie> so in other words you are using redirect-gateway
17:46 < krzie> and thats the only part not working, you can ping across the vpn
17:46 < krzie> right?
17:46 < RUS> redirect-gateway def1
17:47 < krzie> and thats the only part not working, you can ping across the vpn
17:48 < RUS> WOW yes i can ping internet addresses now its COOL
17:48 < krzie> haha i was only talking about vpn ips
17:48 < krzie> but cool ;]
17:48 < krzie> can you resolve hostnames?
17:48 < RUS> nslookup ?
17:48 < krzie> sure
17:48 < krzie> or ping a hostname
17:48 < krzie> same stuff
17:49 < RUS> i can ping internet addresses
17:49 < krzie> i take it you mean by hostname
17:49 < krzie> so cool
17:49 < RUS> no ip addresse
17:49 < krzie> glad to have attempted to help
17:49 < RUS> s
17:49 < krzie> (seems you didnt need any)
17:49 < RUS> wait plz.
17:49 < RUS> i try to configure dns pushing
17:49 < krzie> well ping a hostname!
17:50 < RUS> just see my server conf
17:50 < krzie> exactly, thats what i was thinking
17:50 < krzie> CAN YOU PING A HOSTNAME?
17:50 < RUS> yes
17:50 < krzie> ok, you're done
17:50 < RUS> but
17:50 < krzie> its using old ns?
17:51 < RUS> i have in server.conf the string push "dhcp-option DNS 10.8.0.1" but nslookup shows me the dns ips from my internet connection
17:51 < krzie> !pushdns
17:51 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
17:51 < krzie> see #3
17:51 < krzie> err #2
17:51 < reiffert> did RUS change the identical subnets yet?
17:51 < krzie> also be sure your NS is listening on 10.8.0.1
17:52 < RUS> yes it is. see that please
17:52 < krzie> reif: no clue, lets see what he says
17:52 < krzie> ...
17:53 < RUS> http://pastebin.com/d5ea53ab9
17:53 < reiffert> RUS: still trying the xp vmware centos thing?
17:53 < RUS> reiffert no, i'm trying to set it up on a dedicated serv now
17:53 < RUS> no vmware
17:54 < reiffert> k
17:54 < RUS> but now 10.8.0.1 doesn't resolve webnames for me
17:54 < reiffert> RUS: paste:
17:54 < krzie> i told you rus
17:54 < krzie> see #2
17:54 < krzie> !pushdns
17:55 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
17:55 < krzie> read that link, or dont
17:55 < krzie> but your solution is there
17:56 * reiffert was about to ask for ipconfig and client log, but stops here.
17:57 < krzie> hes pushing dns, and is caught by the standard caveat that catches everyone
17:57 < krzie> all he has to do is listen to vpnHelper ;]
17:57 < RUS> ok i read that. this is an xp bug.
17:58 < krzie> and you ran the commands Jan tells you fix it?
17:58 < krzie> (and it fixed it?)
17:58 < krzie> if so, script it into a batch file and use it in a script that openvpn runs
18:01 < reiffert> Be sure to read the reply from Peter
18:01 < hagna_> what's the deal with nmap, it won't use the same route as ping
18:02 < reiffert> whats the deal with my bike, it doesnt act like my car?
18:03 < RUS> i need to reboot after adding this reg patch ?
18:04 < reiffert> krzie: what about Jonathans last statement?
18:05 < reiffert> krzie: cause I never ran into this.
18:05 < krzie> oh no kidding, i didnt see peters response
18:05 < krzie> that deserves to be in vpnhelper!
18:06 < krzie> interesting on the last statement...
18:06 < krzie> RUS, could you try upgrading to 2.1_RC15 and not using any other fixes please?
18:06 < krzie> ill happily link you to it even
18:07 < krzie> http://openvpn.net/release/openvpn-2.1_rc15-install.exe
18:07 < RUS>
18:07 < RUS> ok
18:07 < RUS> thats a good reason
18:07 < krzie> if that works it will be good for us to know
18:07 < krzie> its a very common problem
18:07 < krzie> reif, funny i never read that whole thread
18:08 < krzie> i saw jans response on the list, found it in archive, and linked to it
18:08 < krzie> responses came later
18:08 < reiffert> RUS: which version were you using until now?
18:08 < RUS> 2.0.9
18:09 < reiffert> uh.
18:09 < reiffert> krzie: any idea when 2.1 gets released?
18:09 < krzie> heh, less than none
18:10 < RUS> openvpn-2.0.9-gui-1.0.3-install.exe
18:10 < RUS> i use that
18:10 < reiffert> RUS: 2.0.9 is 2.5 years old.
18:10 < ecrist> !irclogs
18:10 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
18:11 < RUS> reiffert i like openvpn gui. can i use it ?
18:11 < reiffert> RUS: yes
18:13 < reiffert> http://slashdot.org/pollBooth.pl?qid=1749&aid=-1
18:13 < vpnHelper> Title: Slashdot Poll (at slashdot.org)
18:15 < hagna_> reiffert: ping works fine, do you know why nmap wont?
18:15 < krzie> how isnt it
18:16 < hagna_> Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 17:14 MDT
18:16 < hagna_> WARNING: Unable to find appropriate interface for system route to 10.4.0.2
18:16 < vpnHelper> Title: Nmap - Free Security Scanner For Network Exploration & Security Audits. (at nmap.org)
18:16 < krzie> you using redirect-gateway?
18:16 < krzie> im thinking no and that its a ptp link
18:16 < hagna_> yes right
18:16 < hagna_> I added a route and it's pingable at least
18:17 < hagna_> I added a route on the server and it's pingable
18:17 < krzie> why dont you read the nmap man page and start it correctly then
18:17 < hagna_> nmap 10.1.2.201 -e tun0 gives the same message
18:17 * krzie notes this isnt the nmap help chan
18:17 < krzie> you're trying to port scan over your vpn?
18:17 < krzie> LOL
18:18 < krzie> hilarious
18:18 < hagna_> you are hilarious
18:18 < krzie> sure
18:18 < hagna_> :)
18:19 < RUS> people
18:19 < RUS> i have installed that new version openvpn-2.1_rc15-install
18:19 < RUS> but it also has that error
18:19 < krzie> ahh, too bad
18:20 < RUS> this is an openvpn serv bug...
18:20 < RUS> outpost firewall shows me that it says destination unreachable. i need to configure iptables now for dns forwarding
18:21 * reiffert head -> table
18:21 < RUS> which table ?
18:22 < krzie> he basically facepalmed
18:22 < krzie> but skipped the palm and went straight to his desk
18:23 < RUS> i smile too. but i don't understand :)
18:24 < krzie> go back to the mail list we linked you to
18:24 < krzie> if your pings are routed right, your dns traffic is too (unless you somehow decided to block it in your firewall)
18:28 < RUS> it's hard to understand
18:28 < RUS> i downloaded the registry patch and executed it
18:28 < krzie> and rebooted?
18:29 < RUS> no
18:29 < RUS> :)
18:29 < krzie> ...
18:29 < krzie> welcome to windows
18:29 < RUS> :)
18:29 < RUS> LOL
18:30 < krzie> please report back on the reg patch too
18:30 < krzie> if it works for you i want to link it in to vpnHelper
18:34 < hagna_> oh I found out it needs -m state --state INVALID
18:34 < hagna_> anyway just fyi
18:34 < ecrist> holy crap krzie
18:34 < ecrist> http://www.secure-computing.net/logs/openvpn.html
18:34 < vpnHelper> Title: ##openvpn statistics created with mIRCStats v1.23 by ecrist (at www.secure-computing.net)
18:34 < ecrist> look down at activity stats
18:35 < RUS> friends
18:35 < RUS> i go to smoke and i'll be back with my troubles LOL
18:36 < krzie> so you did this
18:36 < krzie> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
18:36 < krzie> "Start"=dword:00000002
18:36 < krzie> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
18:36 < krzie> "MaxCacheTtl"=dword:0000003c
18:36 < krzie> "MaxNegativeCacheTtl"=dword:00000000
18:36 < krzie> "ServerPriorityTimeLimit"=dword:00000000
18:36 < krzie> "NetFailureCacheTime"=dword:00000000
18:36 < krzie> "NegativeSOACacheTime"=dword:00000000
18:36 < krzie> right?
18:36 < krzie> damn ecrist
18:36 < reiffert> Well, I dont see how this changes the behaviour..
18:36 < krzie> im pretty damn active
18:37 < reiffert> oh, really?
18:37 < krzie> can that even be right!?
18:37 < krzie> 1 krzee [5098] [2741] [7408] [6025] 21272 "so without looking for the formatting"
18:37 < krzie> 2 @ecrist [307] [3439] [3262] [2057] 9065 "sounds like a problem with the private key"
18:37 < reiffert> ?
18:38 < krzie> holy crap krzie
18:38 < krzie> http://www.secure-computing.net/logs/openvpn.html
18:38 < vpnHelper> Title: ##openvpn statistics created with mIRCStats v1.23 by ecrist (at www.secure-computing.net)
18:38 < ecrist> krzie: that's my irssi log file starting august 1, 2008
18:38 * xor| i just figured out that openvpn does not support ipv6 :(
18:39 < ecrist> xor|: the *internet* just started supporting it...
18:39 < xor|> :b
18:39 < krzie> xor| correct, it'll tunnel ipv6 traffic just fine, but will not bind to ipv6
18:39 < xor|> its ok :) i guess that will be fixed soon :D
18:40 < krzie> dont hold your breath
18:40 < krzie> it'll likely be supported at some point, i dont expect it in 2.1
18:40 < reiffert> nice stats btw.
18:40 < xor|> nah, i can use IPsec instead :)
18:41 < ecrist> the relation map is interesting
18:41 < krzie> agreed
18:41 < reiffert> --tun-ipv6
18:41 < reiffert> Build a tun link capable of forwarding IPv6 traffic.
18:41 < krzie> with you and i in the middle
18:41 < krzie> reiffert, yup but no binding to ipv6 socket
18:47 < krzie> damn i knew i was active here, but those stats make me think i need a life
18:52 < ecrist> lol
18:52 < ecrist> jeev didn't take "no" for an answer and ended up getting kicked out 6 times.
18:52 < ecrist> Example: 23:54 < jeev> assmuncher
18:52 < ecrist> 00:00 -!- jeev was kicked from ##openvpn by ecrist [ecrist]
18:52 < krzie> oh page 2!
18:53 < ecrist> ecrist couldn't handle the responsibility and had to be deopped 7 times.
18:53 < krzie> (by himself!)
18:54 < krzie> well it got who i like talking to correct
18:54 < krzie> except jeev
18:54 < krzie> (whom i banned, lol)
18:55 < krzie> vpnHelper got kicked 6 times, lol
18:55 < vpnHelper> krzie: Error: "got" is not a valid command.
18:56 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has joined ##openvpn
18:57 -!- mode/##openvpn [+o krzie] by ChanServ
18:57 -!- vpnHelper was kicked from ##openvpn by krzie [lets make it 7]
18:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
18:57 -!- mode/##openvpn [-o krzee] by krzie
18:57 -!- mode/##openvpn [-o krzie] by krzie
18:58 < pauten> hey, I was reading through the howto and i found something that didn't look like it was completely explained. when you want to assign a user a static ip address the example is "ifconfig-push 10.9.0.1 10.9.0.2" to give the user 10.9.0.1, whats the point of the second address?
18:58 < pauten> if its being pushed to ifconfig shouldn't it be a netmask?
18:58 < krzie> !man
18:58 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:58 < RUS> ppl that works fine thanks.
18:58 < krzie> RUS, the regedit?
18:58 < RUS> YES i have an IP from panama now !!! :L)
18:59 < RUS> krzie : yes, regedit only, by hand
18:59 < krzie> sweet, time to update the bot
18:59 < RUS> why ?
18:59 < RUS> i saved that link in my openvpn distr folder
19:00 < krzie> for others ;]
19:00 < RUS> for me for other systems
19:00 < krzie> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit
19:00 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:01 < RUS> i need more help with starting up my serv. When i reboot, the file /proc/sys/net/ipv4/ip_forward is set to 0 again and the iptables rules are reset to 0 too. I think it's some not cool init scripts that do that...i wanna find them
19:02 < krzie> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit
19:02 < vpnHelper> krzie: Joo got it.
19:07 < RUS> anybody thanks to YOU
19:07 < RUS> you are welcome always for me
19:07 < RUS> maybe somebody wanna buy an iphone at the lowest price ? :)
19:08 < krzie> !factoids search lin
19:08 < vpnHelper> krzie: 'linipforward', 'linnat', 'linfw', and 'lintrafaccnt'
19:08 < krzie> !linipforward
19:08 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
19:08 < RUS> ohhh thanks
19:08 < krzie> np
19:09 < RUS> i have the cheapest iphone in my us friend's hands. and we sold it on ebay. nobody wants to buy it to enjoy?
19:09 < RUS> i like iphones, it's a very good phone i think
19:10 * krzie loves that bot
19:10 < krzie> what price?
19:10 < ecrist> ok, I tuned the stats, lots more data now.
19:10 < RUS> 600$
19:10 < RUS> it's never been opened and works with any cell provider
19:11 < krzie> are you joking? $600 is WAY too much
19:11 < krzie> and i can crack those in a second anyways
19:11 < krzie> lol
19:11 < krzie> if you were talkin $200 ild consider it
19:11 < krzie> 600 i LOL
19:11 < krzie> "cheapest"
19:12 < RUS> hm...you can see pricegrabber or other sites
19:12 < RUS> and find it for 800 or 750
19:12 < krzie> ild get cheaper than that at the local store
19:12 < ecrist> this != ##buy-my-shit
19:13 < krzie> oh ya, and that
19:14 < RUS> ok :)
19:14 < RUS> lol
19:14 < krzie> ill happily trade your iphone for my openvpn support
19:14 < krzie> :-p
19:14 < RUS> :)))
19:15 < RUS> very very much thanks guys
19:15 -!- diegovio1a [n=diego@adsl-136-248.click.com.py] has quit ["Reconnecting"]
19:15 < krzie> yw
19:15 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn
19:15 < RUS> it's very very deep night in my GMT
19:15 < RUS> im very sleepy and going home now
19:15 < krzie> 8:20 here
19:16 < RUS> 3.16AM
19:16 < reiffert> GMT is on 00:16 atm
19:18 < RUS> bb all see ya
19:18 < RUS> very very good mood today
19:18 -!- RUS [n=Mirc@88.214.199.27] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"]
19:31 < krzie> lol everyone likes talking with me according to detailed stats
19:39 < ecrist> I'm working on automating that stats page to be updated on the :15 and :45 of every hour
19:39 < krzie> windows generated?
19:39 < ecrist> and, I'm going to restart the stats for 2009, with a separate page for 2008
19:39 < ecrist> yeah, paid for the registered version a few years ago, still have it
19:40 < ecrist> so figured i'd use it.
19:40 < krzie> werd
19:40 < ecrist> I've got a windows server in my home rack for some security software I run for my side business
19:40 < krzie> i dislike the windows scheduler (their crontab)
19:40 < ecrist> figure, if it's using power, might as well do something with the cycles
19:40 < krzie> haha ya
19:40 < ecrist> meh, I've gotten used to it over the years.
19:42 < krzie> thats my favorite part of not being a pro tech anymore
19:42 < krzie> no more getting used and being used to the windows way
19:43 < ecrist> it's what makes me a fat paycheck
19:44 < krzie> dont get me wrong, i understand
19:46 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has quit ["Leaving"]
20:15 < ecrist> ok, mircstats is updated
20:16 < ecrist> krzie: can you update !irclogs to include http://www.secure-computing.net/logs/openvpn.html please?
20:16 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) (at www.secure-computing.net)
20:18 < krzie> replace or include?
20:18 < krzie> !irclogs
20:18 < vpnHelper> krzie: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
20:18 < krzie> ahh, include
20:19 < krzie> !learn irclogs as http://www.secure-computing.net/logs/openvpn.html for the stats
20:19 < vpnHelper> krzie: Joo got it.
20:33 < ecrist> ok, I changed some settings, removed vpnHelper from the list, and removed mention of operator status in the stats
20:33 < krzie> werd
20:33 < krzie> and im looking up how to give you factoid access
20:33 < ecrist> lol, my current quote is 'what a pretty little cuchie'
20:34 < krzie> hahaha
20:34 < krzie> you rigged it!
20:35 -!- huckleberry [n=tom@OL169-205.fibertel.com.ar] has joined ##openvpn
20:36 < huckleberry> !howto
20:36 < vpnHelper> huckleberry: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:36 < huckleberry> !configs
20:37 < vpnHelper> huckleberry: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:40 < ecrist> sweet, I can include images and such in the output, so I've got my new logo as my image.
20:40 < huckleberry> !logs
20:40 < vpnHelper> huckleberry: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
20:43 < ecrist> krzie: http://www.secure-computing.net/logs/openvpn_page_2.html#urltr
20:43 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) - Detailed info (at www.secure-computing.net)
20:43 < ecrist> sorry, http://www.secure-computing.net/logs/openvpn_page_2.html
20:43 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) - Detailed info (at www.secure-computing.net)
20:43 < ecrist> look at the ecrist entry
20:43 < krzie> hahaha
20:44 < krzie> www.ircpimps.org/pimpin.jpg
20:44 < krzie> my pic (scaled down maybe) ?
20:46 < ecrist> I'll scale it
20:48 < ecrist> would you like a slogan?
20:48 < ecrist> mine is 'Boats and Hos'
20:49 < krzie> "...They must find it difficult ... Those who have taken authority as the truth, rather than truth as the authority..."
20:50 < ecrist> done
20:52 < krzie> thx =]
20:52 < ecrist> as much as I'm not a fan of mIRC, mIRCstats is pretty tight
20:52 < ecrist> I wish there was a FreeBSD port for it.
20:54 -!- tensai_ [n=tensai@196.33.159.83] has joined ##openvpn
20:55 < ecrist> I'm out for the night. see you folks tomorrow
20:55 < krzie> gnite, im still trying to give you factoid access, lol
20:55 < krzie> i may just kill the bot and mod the config
20:56 < huckleberry> I'm following the static key mini-howto, and I'm having trouble getting it to work.
20:56 -!- mepholic_ [n=what@hydra.weserv.in] has quit ["Leaving"]
20:56 < huckleberry> Openvpn server running on Ubuntu 8.04. My Macbook Pro as the client.
20:58 < huckleberry> The client never connects to the client. And, I can't ping the IP address that is assigned to the tun0 interface on the client.
20:58 < krzie> [msg(vpnHelper)] admin capability add ecrist +Factoids
20:58 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] Joo got it.
20:58 < krzie> booya
20:58 < huckleberry> Tail of the log and output from some troubleshooting commands here: http://pastebin.com/d5ed685d0
20:58 < krzie> ecrist if still here, can you identify and try to add a factoid?
21:02 < huckleberry> I apologize for the dumb question...can anyone help?
21:02 < krzie> firewall
21:02 < krzie> its writing with no reads
21:02 < krzie> tcpdump will show you which side is not seeing traffic from the other
21:03 < krzie> =]
21:03 < huckleberry> I thought it might be the firewall on the mac, so I went to System Preferences->Security and checked "Allow all incoming connections"
21:04 < krzie> welp
21:04 < krzie> tcpdump will show you which side is not seeing traffic from the other
21:05 < huckleberry> if the client assigns its own tun0 interface the 10.8.0.2 IP address, then shouldn't I be able to ping 10.8.0.2 from itself?
21:05 < huckleberry> kind of like pinging 127.0.0.1?
21:05 < krzie> makes sense to me
21:06 < krzie> but
21:06 < krzie> tcpdump will show you which side is not seeing traffic from the other
21:06 < huckleberry> but it's not even able to ping itself
21:06 * krzie wonders how many pastes it'll take
21:07 -!- Great_Anta_baka [n=tensai@196.33.159.83] has quit [No route to host]
21:10 < huckleberry> all right, you don't have to paste any more..
21:10 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
21:11 < huckleberry> on the client, 'tcpdump -i tun0' shows 0 packets
21:11 < krzie> and on the server...?
21:11 < huckleberry> on the client, 'tcpdump -i en1' shows UDP packets heading to the openvpn server
21:11 < krzie> tun if is good
21:12 < huckleberry> on the server, no packets received
21:12 < huckleberry> so, I shouldn't be concerned that I'm not capturing packets on tun0 on the client?
21:12 < huckleberry> that's normal?
21:27 < krzie> no, firewall issue
21:27 < krzie> so neither side is getting packets?
21:27 < huckleberry> nope
21:27 < huckleberry> afraid not
21:28 < krzie> !logs
21:28 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
21:28 < krzie> not a tail, the whole thing at verb 6
21:28 < krzie> (both sides)
21:28 < huckleberry> ok...give me just a few minutes
21:40 < huckleberry> client log: http://pastebin.com/d22542724
21:42 < huckleberry> server log: http://pastebin.com/d4e3c249d
21:45 < huckleberry> server log seems pretty straightforward...it starts up, then waits, and never receives anything.
21:45 < huckleberry> i notice there's an ifconfig error message on line 182 of the client log:
21:45 < huckleberry> ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
21:52 < krzie> #
21:52 < krzie> Tue Mar 24 23:38:50 2009 us=793278 /sbin/ifconfig tun0 delete
21:52 < krzie> #
21:52 < krzie> ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
21:52 < krzie> #
21:52 < krzie> Tue Mar 24 23:38:50 2009 us=798407 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
21:53 < krzie> !configs
21:53 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:54 < krzie> looks like the link that is listening cant be reached at all
21:54 < krzie> is it behind a router?
21:54 < krzie> if so, check your port forwarding
21:54 < krzie> is it behind a firewall? if so check that the port is open
22:03 < huckleberry> server config: http://pastebin.com/d217b02b1
22:03 < huckleberry> client config: http://pastebin.com/dc7aa16
22:04 < huckleberry> nothing exciting in the configs...just cut-and-pasted from the howto
22:05 < huckleberry> the server is an amazon ec2 instance. Port 1194 is open.
22:05 < huckleberry> I was able to set up a second ec2 instance as an openvpn client and connect it to the openvpn server successfully.
22:05 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn
22:05 < huckleberry> just can't get it to work with my laptop.
22:06 < krzie> neither config has an option to connect out
22:07 < huckleberry> (of course the two ec2 servers are on the same network, so they wouldn't have firewall issues like I may be having.)
22:07 < ftp3> hi, i want to setup openvpn on a server, so that i can connect (via openvpn) to the server (from my laptop) and surf the net over the server, using an IP the server assigns me. I am looking for a tutorial, but I am not sure what what I am wanting to do is called, so I can find the proper tutorial.
22:07 < krzie> one needs to connect to the other...
22:07 < huckleberry> option to connect out?
22:07 < krzie> remote ip port
22:07 < krzie> ftp3
22:07 < krzie> !sample
22:07 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
22:07 < krzie> then !def1
22:07 < krzie> !def1
22:07 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
22:08 < krzie> then turn on ip forwarding
22:08 < krzie> !lin_ipforward
22:08 < vpnHelper> krzie: Error: "lin_ipforward" is not a valid command.
22:08 < krzie> !factoids search lin
22:08 < vpnHelper> krzie: 'linipforward', 'linnat', 'linfw', and 'lintrafaccnt'
22:08 < krzie> !linipforward
22:08 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
22:08 < krzie> then setup NAT
22:08 < krzie> !linnat
22:08 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
22:09 < huckleberry> krzie: doesn't the remote ip port default to 1194 if not specified?
22:09 < krzie> dunno, does it hurt to specify it?
22:09 < huckleberry> krzie: there is no port in the configs from the static key mini-howto
22:09 < huckleberry> which I'm following exactly
22:10 < krzie> ild assume theres a remote option in it
22:10 < krzie> which you dont have
22:11 < huckleberry> i see what you're saying..cut and paste error on my part
22:11 < huckleberry> i fixed the pastebin now
22:12 < huckleberry> i left off the first line with the 'remote ...' config in the past
22:12 < krzie> thats all that was missing?
22:12 < huckleberry> e
22:12 < huckleberry> yes
22:12 < huckleberry> sorry about that
22:12 < krzie> try proto tcp in both
22:12 < huckleberry> I totally understand your skepticism at this point!
22:12 < huckleberry> :)
22:12 < krzie> maybe that provider you mentioned blocks udp at the border
22:13 < krzie> if tcp works, lets try udp 53 if you dont run a NS on it
22:14 < huckleberry> i just add 'proto tcp' lines to both configs?
22:14 < krzie> ya
22:14 < huckleberry> ok
22:14 < huckleberry> hang on...
22:16 < huckleberry> oops...I got this: Options error: --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client
22:23 < huckleberry> good news
22:23 < huckleberry> I set proto tcp-server on server, and proto tcp-client on client
22:24 < huckleberry> and they connected!
22:24 < huckleberry> Wed Mar 25 00:21:59 2009 us=592799 Peer Connection Initiated with 75.101.200.162:1194
22:24 < huckleberry> I can ping the 10.8.0.1 server from the client!
22:25 < huckleberry> now I just need to go figure out what's blocking udp packets
22:25 < krzie> their border gateway
22:25 < krzie> try udp 53
22:25 < huckleberry> ok, will do
22:27 < huckleberry> no love with udp 53
22:28 < huckleberry> writes in client log, nothing in server log
22:30 < ftp3> krzie: which were you pointing out to me? "remote ip port" or "! sample" ?
22:31 < huckleberry> alright, I see what the problem was...
22:31 < huckleberry> amazon ec2 has a command to open ports: 'ec2-authorize'
22:32 < huckleberry> I specified opening port 1194, and I thought it would open it for tcp and udp traffic
22:32 < huckleberry> but it didn't
22:32 < huckleberry> it defaults to tcp only
22:32 < huckleberry> so, I never had it open for udp
22:33 < huckleberry> krzie: thanks so much for your help
22:34 < huckleberry> I really appreciate your patience with what I know is a totally commonplace problem.
22:35 < krzie> yw
22:37 < ftp3> krzie: can you tell me which thing you were telling me? I did not follow which was directed to me
22:37 < krzie> everything from ftp3 to !linnat
22:37 < krzie> was at you
22:39 < ftp3> oh, lol
22:39 < ftp3> ok, thanks!
22:39 < ftp3> reading now
22:41 < krzie> np
22:45 < krzie> !irclogs
22:45 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats
22:51 -!- huckleberry [n=tom@OL169-205.fibertel.com.ar] has quit []
--- Day changed Wed Mar 25 2009
00:08 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has joined ##openvpn
00:08 < pauten> !configs
00:08 < vpnHelper> pauten: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:08 < pauten> just wanted the magic regex :)
00:14 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:39 < Skered> Unless the VPN client allows you to accept a different cert, a mitm attack should just fail to connect?
00:47 -!- tensai_ [n=tensai@196.33.159.83] has quit [Read error: 113 (No route to host)]
00:53 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit [Success]
01:04 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
01:13 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has quit ["Leaving"]
01:20 < krzee> Skered,
01:20 < krzee> !mitm
01:20 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
01:20 < krzee> otherwise a client cert signed by same CA could be used in a MITM attack
01:29 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn
01:29 < RUS> hi everybody
01:38 < RUS> which logs with ip addresses can you find in Dedicated Server logs ? i use only ssh and openvpn services
01:42 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
02:24 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
02:25 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn
02:30 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
02:32 < krzee> while you try to find a way to say that in better english im going to hookup my new gigabit ethernet switch
02:32 < krzee> brb
02:37 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
02:43 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)]
02:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
02:55 < reiffert> morning
03:00 < krzy> morning
03:00 -!- krzy is now known as krzee
03:04 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:04 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
03:09 < krzee> yay for gigabit to my NFS
03:09 < krzee> gigabit rocks!
03:09 < krzee> im so glad i always bought cat5e or cat6 now
03:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
03:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:14 -!- RUS [n=Mirc@88.214.199.27] has quit [Read error: 113 (No route to host)]
03:19 -!- reallove [n=dan@unaffiliated/reallove] has joined ##openvpn
03:19 < reallove> Hi. I have setup the server with ifconfig-pool-persist ipp.txt, the content of ipp.txt looks like "client,192.168.168.254", but the client with the key client.key does NOT get the specified IP address.
03:19 < reallove> where can the issue be ?
03:36 < krzee> !ipp
03:36 < vpnHelper> krzee: "ipp" is (#1) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static, or (#2) also see !iporder
03:37 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)]
03:37 < krzee> also, if you are using tun and not topology subnet, .254 isnt even a valid ip
03:37 < reallove> !static
03:37 < vpnHelper> reallove: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
03:37 < krzee> !iporder
03:37 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
03:42 < reallove> I don't exactly get what the 1st choice can be
03:42 < reallove> the --client-connect script
03:42 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 110 (Connection timed out)]
03:46 < krzee> !man
03:46 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:50 < krzee> choice #2 is easiest
03:50 < krzee> choice #1 is more flexible
03:50 < krzee> choice #3 is dynamic
03:50 < krzee> ipp.txt is basically a suggestion
03:51 < reallove> krzee: thanks for the hints, I solved the 'issue'
03:51 < reiffert> !ipp
03:51 < vpnHelper> reiffert: "ipp" is (#1) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static, or (#2) also see !iporder
03:51 < reiffert> we should add: ipp is ifconfig-pool-persist
03:51 < reiffert> cause openvpn manpage doesnt know the word ipp
03:52 < reallove> added client-config-dir ccd in server.conf, and in ccd I created a file named client, with the content ifconfig-push 192.168.168.253 255.255.255.0
03:52 < reallove> and it's working as desired, the client got the IP 192.168.168.253.
03:52 < krzee> reiffert, good point
03:52 < krzee> !forget ipp
03:52 < vpnHelper> krzee: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
03:52 < krzee> !forget ipp *
03:52 < vpnHelper> krzee: Joo got it.
03:53 < reiffert> !ccd
03:53 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
03:54 < reiffert> must-see: http://www.spiegel.de/video/video-57488.html
03:54 < vpnHelper> Title: Video - SPIEGEL ONLINE - Nachrichten (at www.spiegel.de)
03:54 < reiffert> carrying 180KG
03:55 < krzee> !learn ipp as the option --ifconfig-pool-persist ipp.txt does NOT create static ips
03:55 < vpnHelper> krzee: Joo got it.
03:55 < reiffert> The one after side-kick is on ice
03:55 < krzee> !learn ipp as Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
03:55 < vpnHelper> krzee: Joo got it.
03:56 < krzee> !ipp
03:56 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
03:56 < reiffert> !iporder
03:56 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
03:56 < reiffert> !static
03:56 < vpnHelper> reiffert: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
03:57 < krzee> !learn iporder as if you use --ifconfig-pool-persist see !ipp
03:57 < vpnHelper> krzee: Joo got it.
03:57 < krzee> !iporder
03:57 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
03:58 < krzee> 1048 root 4 50 0 4692K 1200K RUN 0 5:18 28.42% nfsd
03:58 < krzee> wow
03:59 < krzee> on a dual core amd64 4200+
03:59 < krzee> (gigabit lan tho)
03:59 < reiffert> :)
04:00 < reiffert> 28% looks like a too high value to me.
04:00 < krzee> my laptop is using about 30% too tho
04:00 < krzee> and thats dual core 2.16 macbook pro
04:01 < krzee> i guess gigabit takes some CPU
04:01 < krzee> i wouldnt have guessed it
04:02 < krzee> ya seems high to me too tho, thats why i pasted it
04:02 < krzee> 28% for nfsd just cause im copying at 10MB/s over the lan
04:03 < krzee> ild hate to see what it does with fiber
04:03 < krzee> im also using -mapall, but that cant be that much cpu
04:03 < krzee> 19% now
04:04 < reiffert> nfsv4? udp, tcp?
04:04 < krzee> whatever fbsd default is
04:04 < krzee> good question tho
04:04 < krzee> time to tcpdump
04:04 < reiffert> 10MB/s is nothing.
04:05 < reiffert> even on 60MB/s I didnt see anything like this before.
04:05 < krzee> tcp
04:05 < reiffert> even my Pentium 1, 233Mhz works for 10MB/s
04:05 < krzee> i need to make that udp
04:05 < reiffert> Try it again with udp pls
04:05 < krzee> ya
04:06 < krzee> once i google how
04:08 < reiffert> are you saying that on gbit you manage 10MB/s?
04:09 < krzee> peaks at 11MB/s
04:09 < krzee> yes
04:09 < reiffert> thats 100mbit/s u know?
04:09 < reiffert> far from gbit
04:09 < krzee> wait you're right
04:09 < krzee> wtf
04:10 < reiffert> IIRC udp is just a mount option for the client
04:10 < reiffert> -o udp
04:10 < krzee> hrm does gigabit have diff cable length restrictions?
04:10 < krzee> im in apple, APPLE K doesnt give that option
04:11 < reiffert> open up a terminal and enter all your knowledge with your fingers
04:11 -!- reallove [n=dan@unaffiliated/reallove] has left ##openvpn []
04:11 < krzee> apple + K, nfs://10.0.0.69/nfs
04:11 < reiffert> sigh.
04:11 < krzee> ya but i love mounting from the finder
04:11 < reiffert> sigh
04:11 < krzee> ill do it for the sake of testing tho
04:12 < krzee> i wonder if my very very long cat5e cable is at fault
04:12 < reiffert> mount_nfs -U
04:12 < reiffert> how long long?
04:12 < reiffert> specs are 100meter
04:12 < krzee> nah under 100ft
04:12 < krzee> like 80 i think
04:12 < reiffert> approx 330 feet
04:13 < krzee> autoselect did make me use 100baseTX
04:13 < krzee> so i used media 1000baseT mediaopt full-duplex
04:13 < krzee> media: Ethernet 1000baseT (100baseTX )
04:13 < reiffert> which is full duplex, aint it?
04:13 < reiffert> oh, just 100Base...
04:13 < krzee> still says that in parens tho
04:13 < reiffert> I guess one of your NIC's is 100mbit only?
04:14 < krzee> the mac reports 1000
04:14 < reiffert> k.
04:14 < krzee> and the nfs..
04:14 < krzee> supported media:
04:14 < krzee> media autoselect
04:14 < krzee> media 1000baseT mediaopt full-duplex
04:14 < krzee> media 1000baseT
04:14 < krzee> media 100baseTX mediaopt full-duplex
04:14 < krzee> media 100baseTX
04:14 < reiffert> let's assume thats ok for a minute and test nfs on udp
04:14 < krzee> ok
04:15 < reiffert> btw, whats the distance unit in .us, is it feet?
04:15 < krzee> yes
04:16 < reiffert> however, lets do it over udp, then exchange the media
04:17 < reiffert> just a guess, could you login via ftp and do something like: put "| dd if=/dev/zero bs=1M count=100 " zero
04:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
04:19 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
04:20 < krzee> bash-3.2# mount_nfs -o udp 10.0.0.69:/nfs /nfs
04:20 < reiffert> -U on my 10.4 osx
04:20 < reiffert> -U Force the mount protocol to use UDP transport, even for TCP NFS
04:20 < reiffert> mounts. (Necessary for some old BSD servers.)
04:20 < krzee> only a -o on 10.5
04:21 < reiffert> speed?
04:21 < krzee> thats -o mntudp here
04:21 < krzee> remounted with that
04:21 < krzee> bash-3.2# mount_nfs -o mntudp 10.0.0.69:/nfs /nfs
04:23 < reiffert> -o should be enough, ensure that your nfsd is listening on udp
04:23 < reiffert> -o udp
04:23 < krzee> theres the prob
04:23 < krzee> its not
04:23 < reiffert> that might explain the mount to fail :)
04:23 < krzee> [root@nfs /root]# sockstat -l4|grep nfs
04:23 < krzee> root nfsd 1046 3 tcp4 *:2049 *:*
04:24 < krzee> it didnt fail tho, it just mounted tcp
04:24 < reiffert> damn
04:24 < krzee> tcp4 10136 492 nfs.nfsd bigboy.lan.52984 ESTABLISHED
04:24 < reiffert> meanwhile pipe some dev/zero over the wire..
04:24 < reiffert> put "| dd if=/dev/zero bs=1M count=100 " zero
04:25 < krzee> sftp> put "| dd if=/dev/zero bs=1M count=100 " zero
04:25 < krzee> not gunna open a ftp server just for that
04:25 < krzee> lemme get udp working
04:26 < reiffert> or use netcat
04:36 < krzee> weird
04:36 < krzee> nfsd wont start up for me with just -u -n 4
04:36 < krzee> but will with -t -u -n -4
04:36 < krzee> err
04:36 < krzee> but will with -t -u -n 4
04:36 < reiffert> however, bsd details I can prove atm, what about speed?
04:37 < krzee> media: Ethernet 1000baseT (100baseTX )
04:37 < krzee> i bet its the parens
04:37 < krzee> im thinking to blame the cable
04:37 < reiffert> it's not.
04:37 < krzee> lemme try another by moving it closer
04:38 < reiffert> how many MB/s over udp?
04:39 < krzee> 7
04:40 < reiffert> ouch
04:40 < krzee> peaking at 8
04:40 < reiffert> My cdrom drive is faster than your Gbit
04:40 < reiffert> hehe
04:40 < krzee> now im moving the box to test the cable
04:40 < krzee> brb in 1 sec
04:41 < krzee> oh easier
04:41 < krzee> ill plug in the laptop over there
04:41 < krzee> brb
04:41 < reiffert> laptop gbit?
04:41 < krzee> yup
04:42 < krzee> all macbook pro's got it
04:42 < krzee> media: autoselect (1000baseT ) status: active
04:42 < reiffert> ah, sounds better
04:42 < krzee> right
04:42 < krzee> the 100baseTX in parens aint right
04:42 < reiffert> time to udp/tcp then
04:42 < krzee> on the bsd box
04:42 < krzee> that was udp
04:43 < krzee> 8MB/s
04:43 < krzee> tcp got me 10-11
04:43 < krzee> time to plugin over there
04:43 < krzee> brb in 1 sec
04:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
04:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:44 < krzee> media: autoselect (100baseTX ) status: active
04:44 < krzee> yup
04:44 < krzee> i was right
04:45 < reiffert> hm, cat5e is enough for gbit per definition
04:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
04:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:47 < krzee> hrmm
04:47 < reiffert> sounds bad.
04:47 < krzee> looks like i got a cat5 cable with cat5.E written on it
04:47 < krzee> fuggers
04:47 < reiffert> UTP?
04:48 < krzee> aye
04:48 < reiffert> FTP? S/FTP?
04:48 < reiffert> forget that unshielded crap.
04:48 < krzee> im on a UTP right now too
04:48 < reiffert> where it comes to upper bounds like 80meters
04:49 < krzee> ahh so it prolly is my length
04:49 < krzee> well, i think i know what i gotta do
04:50 < krzee> move my setup so the long cable goes from switch to router
04:50 < krzee> ;]
04:50 < krzee> laptop is normally on wifi, i can goto livingroom to plugin when i need gigabit to the nfs
04:50 < reiffert> Uh, David Sommerseth is going to rewrite openvpn for a proper multithreading, wtf?
04:50 < krzee> whaaat?
04:50 < reiffert> it works so perfectly, he's going to break the bunny
04:51 < reiffert> openvpn-devel
04:51 < krzee> craziness
04:51 < reiffert> To my mind, he just should add an udp socket and put that into the select() RFDS and WFDS sets
04:52 * krzee digs through bins for more cat5.e or cat6 cables
04:52 < reiffert> :)
04:52 < reiffert> so your short cable didnt make it as well?
04:53 < reiffert> oh btw, are you running a switch inbetween?
04:53 < krzee> they're all on the gigabit switch i just picked up
04:53 < krzee> which is plugged into the router
04:54 < krzee> booya, both cables in the laptop bag were cat5E
04:54 < krzee> time to move stuffs
04:54 < krzee> brb again
04:54 < reiffert> what kind of gbit switch, vendor, model?
04:55 < krzee> airlink 101
04:55 < krzee> AGIGA5SW-B
04:55 < krzee> nothing special, but isnt at fault here
04:55 < krzee> proved it was the cable
04:56 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
04:58 < reiffert> Just curious, could you link them directly, without anything inbetween, just for a test_
04:59 < reiffert> A straight through cable should be enough, the NIC's most probably will handle it right.
05:00 < krzy> sure, after i test it my way
05:00 < krzy> if we dont get results i want
05:01 < reiffert> 60MB/s is a minimum.
05:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
05:02 < krzy> there
05:02 < krzy> now media autoselect works right
05:03 < krzy> (well it worked right before, but now it does what i want)
05:06 < reiffert> even with the 80m cable?
05:06 < krzy> no i moved my switch
05:06 < krzy> 80M cable will give switch to router
05:15 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Read error: 104 (Connection reset by peer)]
05:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:18 < krzee> 15MB/s peaks at 18MB/s
05:18 < krzee> so we broke the 100mbit barrier, but still WEAK
05:18 < krzee> time for xover cable
05:19 < krzee> which im not against using all the time for nfs if really needed
05:19 < krzee> not most convenient, but will teach me to buy a $12 switch, lol
05:20 < reiffert> 15-18 = udp?
05:20 < reiffert> a straight cable most prob will do
05:21 < krzee> well i have cat5e xover
05:21 < krzee> right here
05:22 < krzee> same speed
05:22 < krzee> tcp again, ill try udp again now
05:22 < krzee> i went back to normal after our previous test showed less BW
05:22 < krzee> throughput rather
05:24 < krzee> 8MB - 10MB with udp
05:24 < krzee> im getting faster tcp than udp
05:24 < krzee> (again)
05:24 < reiffert> thats very uncommon.
05:24 < krzee> even with my xover
05:24 < reiffert> these are the results for xover?
05:25 < reiffert> got any S/FTP Cat6 around?
05:25 < krzee> dont think so, will look
05:26 < reiffert> what kind of NIC's do you have in there, any Intel stuff_
05:27 < reiffert> Doh, I should stop using german style keyboards.
05:32 < krzee> realtek in the bsd box
05:32 < krzee> found a cat6 cable
05:32 -!- dazo [n=dazo@nat/redhat/x-3d9e8b90d961bc23] has quit ["Leaving"]
05:33 < krzee> stranded
05:35 < krzee> same
05:35 < krzee> im thinking it could be the re0 drivers in fbsd8-current
05:35 -!- dazo [n=dazo@nat/redhat/x-f73bd4897b4bd55b] has joined ##openvpn
05:37 -!- dazo [n=dazo@nat/redhat/x-f73bd4897b4bd55b] has quit [Client Quit]
05:37 < krzee> cause im out of other ideas
05:37 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has joined ##openvpn
05:38 < reiffert> uh, realtek, we call them realdreck, which pronounces the same and means real-dirt
05:38 < krzee> onboard
05:39 < krzee> ill pick up a card in the daytime
05:39 < krzee> see how that goes
05:39 < reiffert> time to get some cool ones then
05:41 < krzee> thanx for bouncing ideas around with me
05:41 < reiffert> I wanna be somebody, be somebody soon!
05:44 < krzee> hah
05:44 < krzee> further idea that its the driver
05:45 < krzee> now the cat6 to the switch gets sensed as 100 TX
05:45 < reiffert> wow.
05:45 < krzee> whereas a 5.e sensed as 1000
05:46 < reiffert> same cable between both PC's?
05:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:46 < reiffert> means, does it get sensed as 1000 when you plug it between the PCs?
05:46 < krzee> actually, yes it does
05:47 < krzee> but the 5.E gets 1000 to same port on switch
05:47 < reiffert> looks like the switch is causing it to get sensed as 100 then, right?
05:47 < krzee> weirdness
05:48 < krzee> would seem that way til i plug in the 5.e cable
05:48 < krzee> and that one works fine
05:48 < krzee> makes me think the driver is goofy
05:48 < krzee> i AM using -current...
05:49 < reiffert> which means?
05:49 < krzee> err no it switched back to 100
05:49 < krzee> started as 1000
05:49 < reiffert> "it"?
05:49 < krzee> then went back
05:49 < reiffert> cat6 between PCs?
05:49 < krzee> it being bsd box's autosense
05:49 < krzee> nah cat6 between pc's was same as cat5.e between them
05:49 < krzee> i was seeing if i could at least plug them in via switch
05:50 < reiffert> well, sounds really strange to me. Mind putting in two linux live boot cds?
05:50 < krzee> i think its the switch with the bsd box
05:50 < krzee> it tried for 1000 so i thought it had it (reported it for a minute)
05:50 < reiffert> from what I can't follow you, it sounds like the switch, yes
05:51 < krzee> sorry its getting late, im getting harder to understand
05:51 < krzee> 7am
05:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:55 < krzee> hrm ya i can blame the switch for some stuff
05:55 < krzee> for sure
05:55 < krzee> this cable gets sensed as 100mbit in port2
05:55 < krzee> and 1000 in port 3
05:56 < krzee> on my mac even
05:56 < krzee> but since crossover didnt get me over 20, thats not the only issue
05:57 < dazo> krzee: do you have tools like ethtool? ... could it be that 1GB is disabled in software?
05:57 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
05:57 < krzee> tbh ive never even heard of that
05:58 < krzee> but im getting up to 18MB/s
05:58 < krzee> think i should download some tools?
05:58 < dazo> ethtool is brilliant for checking the flags on NICs ... and reconfigure it, if needed .... not sure if it's Linux only, or Posix compatible
05:59 < dazo> you also have mii-tool as well
05:59 < Flumdahl> hmm, i have a little problem with bridged openvpn server in debian. won't allow traffic over the bridge
05:59 < krzee> first things first
05:59 < krzee> why do you want a bridge?
05:59 * dazo expected that question
05:59 < krzee> ;]
06:00 < Flumdahl> krzee: did you ask me ?
06:00 < krzee> yes
06:00 < krzee> dazo, noticed how often they actually want a bridge?
06:00 < Flumdahl> i want to route out some real ips instead of use a nat ip
06:01 < dazo> krzee: bridge sounds cool, you know ... :-P
06:01 < krzee> haha
06:01 < krzee> i have a big red one in the bay area for sale!
06:01 < Flumdahl> !configs
06:01 < vpnHelper> Flumdahl: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:02 < Flumdahl> !howto
06:02 < vpnHelper> Flumdahl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:02 < dazo> Flumdahl: it's very seldom bridge is the solution ... very honestly ... unless you need to do layer2 traffic between sites
06:02 < krzee> yup
06:02 < krzee> !tunortap
06:02 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
06:03 < krzee> just do a bi-directional nat
06:03 < krzee> a 1:1 nat
06:03 < mjt> NAT is EVIL (tm)
06:03 < mjt> ;)
06:03 < dazo> Flumdahl: using NAT on the VPN tunnel ... that's also a lazy way how to sort routing in the proper way .... NAT on VPN are for users who are too lazy or not willing to understand routing concepts
06:03 < krzee> Flumdahl, mjt will help ya with your bridge!
06:03 < mjt> lol
06:04 < Flumdahl> dazo: that i have working but that is not the correct way i want it
06:04 < reiffert> a bridge is the way to use.
06:04 < krzee> dazo, not if he wants to access inet over the vpn
06:04 < Flumdahl> i have some ips at my home i want to share with a friend
06:04 * mjt did not even try bridge with openvpn.
06:04 < dazo> krzee: yeah, that's true ....
06:04 < krzee> but i got what ya meant, and for what you meant you were right (as a way out of !route)
06:05 < Flumdahl> !route
06:05 < vpnHelper> Flumdahl: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:05 * dazo needs to be clearer about what he means
06:06 < krzee> im taking it Flumdahl doesnt even use nat at home
06:06 < krzee> has external ips for every machine
06:06 < Flumdahl> yes
06:06 < krzee> and even has extra (lucky!)
06:07 < krzee> so Flumdahl where do you run into your problem?
06:07 < Flumdahl> that is what we want to do with my friends network too. i have 10 more ips that i dont use. and i want to setup a bridged vpn server so he can use some of those 10 ips
06:07 < krzee> hes aware his inet will be slower?
06:07 < Flumdahl> krzee: vpn server works. and vpn client connects to vpn server. but i cant connect to anything the other side of bridge
06:07 < Flumdahl> yes we know that
06:07 < krzee> lets see !configs
06:07 < krzee> !configs
06:07 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:08 < Flumdahl> what is ccd entries ?
06:08 < krzee> !ccd
06:08 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
06:08 < Flumdahl> ah
06:08 < Flumdahl> hold
06:10 < krzee> reiffert, i have a backtrack2 image handy, think thats good enough?
06:10 < krzee> (for booting my bsd box with to test gigalan with xover)
06:11 < Flumdahl> http://pastebin.com/m75018c10
06:11 < Flumdahl> there u have my setup
06:12 < krzee> version of openvpn?
06:13 < reiffert> krzee: I have no idea what you are talking about. backtrack2 image
06:13 < reiffert> ?
06:13 < Flumdahl> OpenVPN 2.1_rc11 and debian 5 on both servers
06:13 < krzee> .200 is the gateway for your lan Flumdahl ?
06:13 < krzee> reiffert, its a pentesting livecd based on linux
06:13 < Flumdahl> krzee: no .
06:14 < krzee> Flumdahl, theres your problem prolly
06:14 < Flumdahl> hold then
06:14 < krzee> --server-bridge [ gateway netmask pool-start-IP pool-end-IP ]
06:14 < krzee> give it the gateway it would be using if it were plugged into your lan
06:15 < krzee> (because once its bridged in, it IS plugged into your lan)
06:15 < reiffert> krzee: sure, give it a try. Know what ya doing or need some help with it?
06:15 < krzee> i expect ill be fine
06:16 < Flumdahl> krzee: now is all up and running again with .199 (my gw ip) instead of .200 ... i can still not ping .199 from my vpn client server.... and i have added routes to
06:17 < krzee> routes?
06:17 < krzee> no routes needed, this is layer2
06:17 < Flumdahl> krzee: if i dont do routes the client connects with my main network
06:17 < Flumdahl> not over the tunnel
06:17 -!- onats_ is now known as onats
06:17 < krzee> huh?
06:17 < Flumdahl> yah, i want all traffic to go over the vpn tunnel
06:18 < krzee> my brain is turning to mush, someone else will need to help ya
06:18 < krzee> seems 7:20 am is my cutoff tonight
06:18 < reiffert> we need a pointnclick browser thing, for people drawing their networks for us. It's always the same. People think wrong, tell us 20% and expect a solution.
06:18 < krzee> reiffert, thanx for the help troubleshooting the gigalan
06:19 < reiffert> krzee: it's keeping me off doing stupid work, yw :)
06:19 < krzee> reiffert, http://www.gliffy.com/
06:19 < vpnHelper> Title: Gliffy Online Diagram Software (at www.gliffy.com)
06:20 < krzee> thats how i made the network drawing on !route
06:20 < onats> has anyone here used an alix board?
06:20 < krzee> its sweet for just that
06:20 < onats> krzee?
06:20 < krzee> i havnt
06:21 < onats> something similar?
06:21 -!- Flumdahl [i=n30@shell.auth.se] has left ##openvpn []
06:22 < reiffert> will have to remember that. Hm I was about to help Flumdahl
06:22 < krzee> ya i guess he's got better things to do
06:23 < krzee> especially better than reading the manual
06:23 < krzee> For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:
06:23 < krzee>
06:23 < krzee> mode server
06:23 < krzee> tls-server
06:23 < krzee> ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
06:23 < krzee> push "route-gateway 10.8.0.4"
06:23 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
06:23 < krzee> the push route needed is automatic
06:23 < reiffert> Flumdahl: ok, please explain your setup to me and paste !configs for me
06:23 < krzee> as i was just saying while you were gone...
06:23 < reiffert> Flumdahl: and your goal and problems.
06:24 < krzee> the only push route needed for making inet flow over bridge
06:24 < krzee> is automated in server-bridge
06:24 < krzee> from manual:
06:24 < krzee> For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:
06:24 < krzee>
06:24 < krzee> mode server
06:24 < krzee> tls-server
06:24 < krzee> ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
06:24 < krzee> push "route-gateway 10.8.0.4"
06:25 < krzee> which is why i told you to fix the first argument to be the gateway that he would use if plugged into your LAN
06:25 * krzee lets reiffert take over
06:25 < krzee> goodnight guys!
06:25 < Flumdahl> reiffert: hold 2 sec
06:26 < reiffert> Flumdahl: k, I'm doing some stupid work on another screen, I'll check back from time to time.
06:27 < Flumdahl> reiffert: http://pastebin.com/m1decba42
06:28 < Flumdahl> reiffert: i can not ping 88.80.13.199 from my vpn client (88.80.13.201) ... the goal is to have all routing from client server over the tunnel and not over the main network...
06:28 < krzee> that pastebin is wrong
06:29 < krzee> you already said .200 isnt your lan's gateway
06:29 < Flumdahl> krzee: i did change. 88.80.13.199 is gateway for my lan
06:29 < Flumdahl> .200 is bridge ip
06:29 < krzee> so fix the pastebin before giving to reiffert
06:29 < Flumdahl> krzee: i did ?
06:29 < Flumdahl> line 12: server-bridge 88.80.13.199 255.255.255.192 88.80.13.201 88.80.13.202
06:29 < reiffert> Where's the difference between "bridge script on vpn server:" and "Server vpn conf:"?
06:29 < krzee> server-bridge 88.80.13.200 255.255.255.192 88.80.13.201 88.80.13.202
06:30 < krzee> line 36
06:30 < krzee> maybe only do each config 1x
06:30 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
06:30 < Flumdahl> wtf have i pasted :
06:30 < Flumdahl> hahaha
06:31 < reiffert> :)
06:31 < reiffert> krzee: you know what happens when you close your laptops screen?
06:31 < krzee> my transfers stop =[
06:31 < krzee> but ya, i need to step away from the laptop
06:31 < krzee> lol
06:32 < krzee> <-- laptop crackhead
06:32 < reiffert> Flumdahl: while pasting: paste: brctl show
06:32 < reiffert> Flumdahl: ifconfig -a
06:34 < Flumdahl> http://pastebin.com/m29d892d9
06:35 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
06:35 -!- aaa320 [n=chatzill@83.125.45.111] has joined ##openvpn
06:35 < stephenh> hi, do i need to make use of iroute when i have routed WAN links as well as VPN links? I would like a subnet on the other side of a serial link to access a remote openvpn subnet (if that makes sense)
06:35 < Flumdahl> reiffert: but a question. shall there not be a /dev/tap* ?
06:35 -!- aaa320 [n=chatzill@83.125.45.111] has quit [Client Quit]
06:35 < Flumdahl> brb, will just go smoke
06:36 < krzee> stephenh,
06:36 < krzee> !iroute
06:36 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
06:36 < reiffert> Flumdahl: /dev/net/tun is required.
06:37 < reiffert> Flumdahl: after that openvpn --mktun --dev tap0 will work
06:37 < reiffert> Flumdahl: mknod c /dev/net/tun 10 200
06:38 < reiffert> Flumdahl: or whatever your mknod takes.
06:38 < reiffert> mknod /dev/net/tun c 10 200
06:40 < mjt> on modern systems it's done automatically (udev)
06:41 < mjt> the only thing needed is to load the module
06:42 < reiffert> mjt: When I'm setting up a new server the first thing I remove is udev
06:42 < mjt> i don't install it :)
06:42 < reiffert> ah well, might be an option for me :)
06:43 < mjt> but dynamic /dev is a good thing imho. I was against it for many years but linux forced it on me and now i sorta like it.
06:43 < Flumdahl> reiffert: /dev/net/tun exist
06:43 < reiffert> Flumdahl: enter: ifconfig tap0 up
06:43 < stephenh> krzee, i'll try it out, what confused me was i'm not going openvpn lan to openvpn lan, but coming from a lan via serial link, to openvpn client via the openvpn server
06:43 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
06:43 < mjt> (forced by changing major/minor numbers of my boot device (vda) on every boot)
06:44 < stephenh> makes sense though, 'the network is not one that openvpn knows about'
06:44 < reiffert> Flumdahl: however, back to: what is working and what is not?
06:44 < krzee> stephenh, if its behind the client its behind the client
06:45 < krzee> if behind the server its behind the server
06:45 < krzee> regardless of what the link is
06:45 < Flumdahl> reiffert: from the client... i can ping bridge ip on vpn server ... nothing else
06:45 < krzee> serial, ethernet, fiber... same idea
06:45 < reiffert> Flumdahl: that is .199?
06:45 < stephenh> i understand
06:46 < Flumdahl> reiffert: gateway is .199
06:46 < reiffert> Flumdahl: your networks gateway is .199?
06:46 < Flumdahl> .199 is my gw on my lan
06:46 < reiffert> then why do you use it in server-bridge 88.80.13.199?
06:47 < reiffert> ah, alright, forget it.
06:47 < Flumdahl> reiffert: krzee said it or i misunderstood him
06:47 < Flumdahl> gw netmask startip endip
06:47 < Flumdahl> for the vpn client
06:47 < reiffert> just curious, where's the difference between
06:47 < reiffert> #
06:47 < reiffert> vpn server config:
06:47 < reiffert> and
06:47 < reiffert> #
06:47 < reiffert> vpn server bridge script:
06:48 < krzee> For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:
06:48 < krzee>
06:48 < krzee> mode server
06:48 < krzee> tls-server
06:48 < krzee> ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
06:48 < krzee> push "route-gateway 10.8.0.4"
06:48 < krzee> gateway does go there
06:48 < Flumdahl> reiffert: what i know its so i can use my local network over the vpn
06:48 < stephenh> krzee: and if i just want to get to the vpn client and not into the lan behind it? i would use the openvpn assigned client IP not the vpn client LAN IP of vpn client ?
06:48 < reiffert> krzee: thanks, I'm already reading the manpage. It discovers what I made wrong two days ago, I took it as net-address :)
06:48 < Flumdahl> so i dont need to use any iptables or other stuff
06:49 < krzee> hehe gotchya
06:49 < krzee> and now my xfers are done
06:49 < krzee> so im really leaving this time!
06:49 < reiffert> Flumdahl: #
06:49 < reiffert> vpn server config:
06:49 < reiffert> Flumdahl: what file did you take to paste this?
06:49 < krzee> stephenh, you dont do any iroute or routes to just reach the vpn client
06:49 < Flumdahl> reiffert: huh? what you mean ?
06:50 < krzee> and yes, vpn internal ip
06:50 < Flumdahl> reiffert: i pasted my vpn server.conf and client.conf
06:50 < reiffert> Flumdahl: line 1 to 21 on http://pastebin.com/m29d892d9
06:50 < stephenh> thanks, :-)
06:50 < reiffert> Flumdahl: and line 23 to 42?
06:51 < Flumdahl> reiffert: 1-21 that is on the vpn server. 23-42 is the vpn client
06:51 < reiffert> Flumdahl: bullshit
06:51 < krzee> no, its an accidental repaste (i hope)
06:51 < reiffert> vpn client is 93-110
06:51 < Flumdahl> reiffert: no?
06:51 < Flumdahl> ah
06:52 < reiffert> and why does eth0 still have an inet4 address .231?
06:52 < Flumdahl> reiffert: eth0 has .231 yes
06:52 < reiffert> thats supposed to be an additional IP of br0-
06:52 < ecrist> morning guys
06:52 < Flumdahl> reiffert: br0 has 88.80.13.200
06:52 < reiffert> Flumdahl: sorry, I mixed up eth0 and eth1.
06:52 < reiffert> my fault.
06:53 < reiffert> Flumdahl: from the client paste:
06:53 < reiffert> Flumdahl: ifconfig -a
06:53 < onats> need a console cable! demmit!
06:53 < reiffert> Flumdahl: route -n
06:54 < reiffert> Flumdahl: add it to http://pastebin.com/m1557c8c2
06:54 < Flumdahl> http://pastebin.com/m7aaac609
06:54 < Flumdahl> ahh already make a new one
06:55 < reiffert> Flumdahl: connect the client to the server, then redo ifconfig -a and route -n pls
06:56 < Flumdahl> http://pastebin.com/m52733e32
06:56 < reiffert> dont do additional route commands
06:56 < reiffert> from another PC from your server network do: ping 88.80.13.201
06:56 < reiffert> works?
06:56 < Flumdahl> no
06:57 < Flumdahl> i did try that from my gw
06:57 < reiffert> paste route -n from server
06:57 < Flumdahl> vpn server?
06:58 < reiffert> yes
06:59 < Flumdahl> http://pastebin.com/ma5df7b1
06:59 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com)
06:59 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:00 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com)
07:00 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:00 < ecrist> krzee: no go on the learn. :(
07:00 < ecrist> I re-identified, too.
07:04 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
07:04 < onats> people here on serious mode?
07:10 < ecrist> why you ask, onats?
07:11 < onats> well just wanted to chat chat
07:11 < onats> :D
07:13 < ecrist> oh, that's fine, unless people are trying to get openvpn help
07:13 < ecrist> krzee, got another config. I'm going to build a home page with an iframe later today, but in the mean time, look at this:
07:13 < ecrist> http://www.secure-computing.net/logs/openvpn-last30.html
07:13 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) (at www.secure-computing.net)
07:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:19 < onats> whee! i'm 22!
07:19 < onats> hehehe
07:20 < ecrist> onats, remove -last30 from the URL, get full stats starting aug 1, 2008
07:20 < ecrist> at least from when I was online/available
07:20 < onats> whee! i'm 21!
07:20 < onats> lol
07:24 < onats> ecrist, what do you do for work?
07:24 < onats> security?
07:26 < ecrist> one of the things, yes.
07:26 < ecrist> my 'day' job is a FreeBSD admin for a medical claim clearing house
07:26 < ecrist> I also own a small business which installs/services/etc security and access control systems
07:27 < ecrist> last, I'm a reserve deputy for the local sheriff's dept
07:29 < onats> multitasking!
07:31 < onats> US based?
07:31 < ecrist> yes
07:31 < onats> hows the recession affecting you / your business?
07:34 < onats> forget i asked:D
07:34 < ecrist> why?
07:35 < onats> dunno... it might be a sensitive topic?
07:36 < ecrist> going good. two of the best industries to be in right now are IT and health care. I'm an IT guy in the health care industry.
07:36 < onats> healthcare maybe.. but IT? isn't that the first to go in companies there?
07:36 < ecrist> no
07:44 < ecrist> not touchy for me, either. was on the phone
07:45 < ecrist> in my particular field, there's been a lot of regulatory changes in the last year, which ensure employment of myself and the company I work for.
07:45 < onats> HIPAA or something like that?
07:45 < onats> not familiar with it that much though
07:45 < ecrist> well, HIPAA's been around a while
07:46 < ecrist> the changes I'm talking about are in reference to switching from print-image and paper submissions to all electronic submissions.
07:46 < onats> ahhhh
07:46 < onats> document imaging?
07:46 < ecrist> I live in Minnesota, and as of Jan 8th or something, all medical claims are required to be submitted electronically. There are a ton of clinics and small practices that have been submitting paper claims
07:47 < ecrist> where I work, we provide the electronic transmittal. So, these companies can submit a print-image claim, and we can electronically convert and submit it to the insurance companies.
07:48 < ecrist> we have other value-added services, such as claim tracking, and we automatically fix common errors, such as omitted NPI/Provider IDs, incorrect zip codes, etc.
07:48 < onats> i see.
07:48 < onats> st. paul or MN?
07:48 < onats> i mean minneapolis? 07:48 < ecrist> fwiw, we do all of this on FreeBSD servers. :) 07:49 < ecrist> technically, Minnetonka, which is the minneapolis side of the river. 07:49 -!- pielgrzym [n=pielgrzy@1str003.multi-play.net.pl] has quit [Read error: 104 (Connection reset by peer)] 07:49 < ecrist> St. Paul and Minneapolis are only ~10 miles apart 07:49 < onats> i see 07:49 < onats> i've been to St. Paul 07:49 < onats> everything closes down after 5! 07:49 < onats> lol 07:49 < ecrist> our servers are in Minneapolis downtown. 07:49 < ecrist> very true. it's been a problem St. Paul has been trying to fix for a long time. 07:50 < ecrist> about eight to ten years ago, not only was St. Paul desolate after 5pm, but it was scary too. they've done a lot to clean that town up. 07:50 < onats> there's still a lot of people there asking you for a dollar! lol 07:51 < onats> "got some change?" then these guys are pretty big! lol 07:51 < ecrist> worse in Minneapolis. 07:53 -!- belZe [i=server3@p5091D32C.dip.t-dialin.net] has joined ##openvpn 07:53 < belZe> good day together 07:54 < ecrist> I'm a fan of the twin cities, though. the cold weather keeps much of the crud out 07:56 < belZe> i am trying to run openvpn with bridge but got a little problem. the bridge doesnt seem to accept/forward/learn arp request coming from the openvpn-side. if im trying to ping a host in the lan of the openvpn server from my openvpn-client it doesnt work. if i try it the other way around it works suddenly. my config: http://np.megab.it/250a3f7ed5.html 07:56 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it) 07:56 < belZe> creating the bridge using the predefined script coming with openvpn 07:57 < ecrist> belZe: can I inquire as to why you're using bridge vs tun? 
07:57 < belZe> the openvpn-server is a vm running on an esx host where i already enabled/allowed promisc mode on the vswitch 07:58 < belZe> @ecrist: we are running several application using broadcasts 07:58 -!- RexMundi_ [n=RexMundi@off.spillgroup.com] has joined ##openvpn 07:58 < belZe> and while we dont want to play with bcrelay or something bridging is the easier way to go 07:59 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 07:59 < ecrist> ok, we ask because most of the people who come in here don't actually need bridging. 08:00 < belZe> we also got some old apps using ipx and appletalk 08:00 < ecrist> eew 08:00 < belZe> but thats not the point and cant be the reason not to work :D 08:01 < ecrist> !logs 08:01 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 08:01 < belZe> alright. sec 08:07 < belZe> server log: http://np.megab.it/8c22631e0f.html client log: http://np.megab.it/b06fe146a6.html 08:07 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it) 08:08 < ecrist> ok, gimme a few to review them 08:09 < belZe> localnet of client is != net of openvpn 08:09 < ecrist> you need to update your version of OpenVPN 08:10 < ecrist> you're running 2.1rc11, latest version is 2.1rc15, which fixes bugs present in your version 08:10 < belZe> are there any issues with that version related to my problem? or just security based? :) 08:10 < ecrist> see here http://openvpn.net/index.php/documentation/change-log/changelog-21.html 08:10 < vpnHelper> Title: 2.1 Change Log (at openvpn.net) 08:10 < ecrist> rc12 fixed a bug in --lladdr, which is present in your config 08:11 < belZe> alright, was lazy there and got the one from the debian repo ;) 08:13 < ecrist> if you're running an RC, it's always a good idea to run the latest version, and expected if you're seeking support. 
;) 08:17 < ecrist> also, if you're going to obfuscate the IP addresses, make sure your email domain doesn't resolve in such as way as to identify the obfuscated part of the IP address. 08:18 < belZe> email domain resolves to a different subnet ;) 08:18 < belZe> (to say: not my section :P) 08:18 < ecrist> sure, but I'm aware of the class B: 08:18 < ecrist> % Information related to '132.176.0.0 - 132.176.255.255' 08:18 < ecrist> inetnum: 132.176.0.0 - 132.176.255.255 08:18 < ecrist> netname: FERNUNI-NET 08:18 < ecrist> descr: FernUniversitaet Hagen 08:19 < ecrist> I don't see anything else interesting in the logs. upgrade your server/client version and try again. 08:19 < belZe> yep, but its not one huge class B of course :) but youre right, noticed the cert line too late :) 08:20 < ecrist> if it still doesn't work, post the new logs. 08:21 < belZe> yep 08:21 < belZe> thanks so far *turns his screen black with /bin/bash again* 08:27 < belZe> alright, that didnt make it. preparing logs 08:28 < ecrist> one thing at a time. we'll get it working. 08:29 < belZe> i can't escape the feeling that its still something with the esx vswitch 08:30 < ecrist> it could be, setting up bridging can be a pain, especially with VMs 08:33 < belZe> server: http://np.megab.it/954234c1bc.html client: http://np.megab.it/94ee85ac22.html 08:33 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it) 08:34 < ecrist> ok, here's some silly tests. can the connected client ping the VPN interface of the server? 08:34 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 08:34 < belZe> yep, can ping the bridge 08:34 < ecrist> have you tried *disabling* iptables? 08:36 < belZe> you mean by unloading the modules? 08:37 < belZe> they arent loaded by default, getting loaded first time i run iptables 08:38 < ecrist> often, users think their firewall is disabled or set to allow all traffic, and they're mistaken. 
only way to test is to fully disable the firewall. I'm not familiar at all with iptables, so I couldn't tell you how to do it. With pf, it's just pfctl -d to disable all rules and pfctl -e to enable all rules 08:39 < ecrist> does br0 have a different IP than eth0? 08:39 < ecrist> or are they one and the same? 08:40 < ecrist> you can't ping anything on the rest of the LAN, right? 08:40 < belZe> br0 gets the ip eth0 had before setting up the bridge. handled through the bridge-start script 08:40 < belZe> eth0 and tap0 don't have addresses when bridge is set up, as seen above 08:40 < belZe> d=s 08:41 < ecrist> ok, ignoring the VPN, can the vpn server ping other machines on its own LAN? 08:42 < belZe> yep 08:43 < belZe> and clients can ping each other (client-to-client should secure that) 08:43 < ecrist> but VPN clients cannot ping other machines on the LAN. 08:44 < belZe> i can set up continuing ping from client -> server in lan and it doesn't work. if i ping server in lan -> client it works on the client all of a sudden. therefore i think its some arp issue on the bridge 08:45 < ecrist> iptables, accept rules reference br0, correct? 08:48 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 08:48 < ecrist> are tap0 and eth0 promiscuous? 08:48 < belZe> everythings empty and there hasnt ever been anything :) 08:48 < belZe> yep they are 08:48 < belZe> http://np.megab.it/250a3f7ed5.html 08:48 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it) 08:49 < ecrist> sorry, can't read the german options. 08:49 < ecrist> what does this say: Gültigkeitsbereich:Verbindung 08:49 < belZe> oh 08:50 < belZe> scope 08:50 < belZe> that is 08:50 < belZe> verbindung = connection 08:51 < belZe> thats the fe80 ipv6 address, its ok 08:51 < ecrist> http://openvpn.net/archive/openvpn-users/2004-02/msg00248.html 08:51 < vpnHelper> Title: [Openvpn-users] OpenVPN and bridging: ARP problem? 
(at openvpn.net) 08:51 < ecrist> I'm reading that thread, see if anything applies. 08:51 < belZe> yeah saw that too 08:55 < ecrist> I'm not seeing anything right away. Perhaps krzee knows? 08:55 < ecrist> !bridge 08:55 < vpnHelper> ecrist: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 08:55 < vpnHelper> ecrist: the protocol uses MAC addresses instead of IP addresses. 08:55 < belZe> it was the rp_filter 08:55 < belZe> ! 08:55 < belZe> oh man 08:55 < ecrist> what is rp_filter? 08:55 < belZe> good question 08:55 < ecrist> so, you have it working? 08:55 < ecrist> if so, what did you do to fix it? 08:55 < belZe> at least echo 1 > /proc/sys/net/ipv4/conf/br0/rp_filter allows me pinging all servers on the lan now 08:56 < ecrist> adding to wiki page for future reference 08:58 < belZe> reverse path filter; it is a check to see if, for a packet arriving on an interface, a packet sent to the original packet's source address would be sent out on that interface; if not, the arriving packet is dropped. it can be considered an attempt at detecting packets with spoofed source addresses. 08:58 < ecrist> http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#I_seem_to_be_having_problems_with_ARP_requests_reaching_the_VPN_from_my_server.27s_LAN._How_do_I_fix_this.3F 08:58 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net) 08:59 < ecrist> there, added that to our FAQ 09:00 < ecrist> thanks for the information 09:00 < ecrist> sorry I wasn't more helpful. :) 09:01 < mjt> hmm that's... wrong. 09:02 < ecrist> mjt: fix it 09:02 < mjt> unless you're multihomed, rp_filter usually does not do any bad. 
09:02 < ecrist> bridging a LAN in the way belZe is, would be considered multi-homed 09:03 < belZe> im gonna try that on a fresh environment 09:03 < mjt> rp_filter stays on the way when packets go different ways back and forth 09:04 < mjt> with a "help" of advanced routing capabilities (policy routing) too 09:04 < mjt> in almost all other cases it's a sign that routing isn't set up correctly 09:05 < mjt> btw, there's log_martians knob in the same dir, to make rp_filter verbose. 09:05 < ecrist> mjt: can you offer the 'correct' fix, then? 09:05 < mjt> i just switched to this very window.. reading the scrollback now. 09:05 < mjt> -ENOCONTEXT ;) 09:06 < mjt> ghrm 09:06 < mjt> but for br0, tap0 and eth0 - which iface has which IP? 09:06 < mjt> only br0 should have an IP. 09:07 < belZe> yep, thats the way it is and tap0 and eth0 are on promisc 09:07 < mjt> what's "Gültigkeitsbereich:Verbindung " ? 09:08 < ecrist> IPv6 scope 09:08 < belZe> Scope:Link 09:08 < belZe> or Connection, whatever 09:08 < mjt> oh ok 09:08 < mjt> where's the routing table? 09:09 < ecrist> he posted, above 09:09 < mjt> damn, and i asked the same q ecrist asked :) 09:10 < belZe> routing was only localnet and default gateway 09:10 < mjt> i don't see the routing table 09:10 < mjt> http://np.megab.it/250a3f7ed5.html -- shows ifconfig, brctl, iptables and configs 09:10 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it) 09:11 < belZe> yep, its not there 09:11 < belZe> but its only localnet and default gw 09:11 < mjt> (btw, i prefer to use ip utility instead of ifconfig+route) 09:11 < belZe> for routes and tunnels im using it, yep 09:11 < mjt> can you show `ip r' please? It'll be 2 lines in that case. 09:12 -!- n0u [i=Chaton@unaffiliated/nou] has joined ##openvpn 09:12 < mjt> i think i know what's the prob 09:12 < n0u> mjt: in the end i agree with you, openvpn SUX ! ;-) 09:12 < belZe> cleaning the machine right now, changed something on hardware config etc. 
can take up a few moments :) 09:12 < mjt> ok ;) 09:12 < mjt> n0u: lol 09:13 < mjt> n0u: but believe me, it suxx less (in some areas anyway) than others ;) 09:13 < ecrist> I don't understand why you think OpenVPN sucks... 09:13 < n0u> i've been using others in the past :) 09:13 < n0u> it's time to see if others have evolved :) 09:14 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 09:15 < ecrist> n0u: what sucks about openvpn? 09:16 < mjt> n0u: to me, openvpn has 2 good things. It's much more secure (or at least in theory) - i mean various measures against potential bugs, like ta.key, dropping privs and chrooting. And usage of udp for everything, with nat/firewall-friendly design. 09:16 < mjt> no other solution i know has that 09:17 < n0u> i've been a openvpn user for a long long time 09:17 < mjt> and also the MTU thing which, with openvpn, basically just works. 09:17 < n0u> when the server feature appeared i was not very happy with the way i would have to setup network routes on both the system & openvpn 09:17 < mjt> but openvpn lacks general "architecture". Most of its options are quite.. random. 09:18 < n0u> now i need some feature that the tls-server/tls-client mode doesn't have 09:19 < ecrist> n0u: which features? 09:19 < ecrist> mjt: why do you say that? 09:19 < mjt> it's almost complete opposite to tinc in this area. Tinc is well-designed. But some just does not work and has never been tested... F.e. mtu probes - they generate a random data and *compress* it to determine the MTU... ;) 09:19 < n0u> so i had to test the server and i'm angry because of the way network is handled 09:19 < mjt> ecrist: because i see it? 09:21 < ecrist> mjt: something I've noticed about you, which honestly seems overly counter-productive, is you complain about many things, and whine about how things work, yet you offer no better method or alternatives. 
09:21 < ecrist> to me, this is being a troll 09:21 < n0u> ecrist: i want to be able to launch a script when a tls-client is connected/( authenticated) 09:21 < mjt> --connet-script 09:21 < ecrist> that's easy 09:21 < mjt> er 09:21 < n0u> ecrist: the --client-{dis,}connect option are only available to the server mode 09:21 < mjt> --client-script 09:21 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 09:22 < ecrist> on the client, --up-script 09:22 < mjt> y 09:22 < n0u> --up is run when the tun is setup 09:23 < n0u> as i said before i've been using openvpn for a long time 09:23 < mjt> for client, the two events becomes one 09:23 < n0u> nope 09:23 < n0u> not with persist-tun 09:23 < mjt> aha. now i see what you mean, finally 09:24 < mjt> you need to run something when client lost connection with the server? 09:24 < mjt> and "reconnected" again 09:24 < n0u> i have quite a complex network setup, load balancing/source routing. and i don't want to use the server mode because it can't handle this complex setup 09:24 < n0u> i need --client-{dis,}connect for tls-server 09:25 < n0u> it can't be clearer 09:26 < mjt> ghrm 09:26 < mjt> i don't get it. 09:26 < mjt> re-read it some 10 times ;) 09:27 < ecrist> n0u: perhaps you need to fix your network setup? 09:27 < n0u> you can't, nevermind 09:27 < mjt> --mode server and --tls-server 09:27 < n0u> ecrist: perhaps i don't 09:27 < ecrist> ok, so openvpn can't do what you want, what can we help you with today? 09:28 < n0u> you can't help me with anything, i just came to kid a bit since last time mjt was complaining a lot 09:28 < n0u> my time now 09:29 < n0u> don't be angry if you can't help, that's ok :) 09:29 < ecrist> not angry, just don't want trolls. I'm on a troll-cleaning mission today 09:29 * ecrist eyes mjt 09:30 < n0u> troll ? 
i thought we were grownups 09:30 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn 09:30 < sunta> hi 09:31 < ecrist> hi sunta 09:31 < ecrist> n0u: perhaps you need to come around more often. many in here are not grown ups 09:31 < reiffert> like me and Bushmills 09:32 < ecrist> especially reiffert 09:32 < belZe> alright 09:32 < mjt> by the way, where i complained today? 09:32 < mjt> i think i said something good about openvpn 09:33 < n0u> anyway troll is a kiddies' word :) when they don't understand something they use it ;-) 09:33 < ecrist> I guess I am a kiddie, then. 09:33 < belZe> @mjt: so im here in the non-working state again, rp_filter 0 09:33 < belZe> u wanted ip r, right? 09:33 < sunta> problem: VPNclients cannot mount NFS-volumes. I see mount-request on the server " authenticated mount request from 10.8.0.6:1013 for /softarchiv (/softarchiv)" and no further error on the server. the client though gets "mount.nfs: access denied by server while mounting (null)". anyone familiar with such a problem? 09:33 < mjt> yeah 09:33 < belZe> 10.66.6.0/24 dev br0 proto kernel scope link src 10.66.6.200 09:33 < belZe> default via 10.66.6.254 dev br0 09:34 < mjt> and.. no lo? 09:34 < n0u> ecrist: ;-) sorry to tease you :) 09:34 < belZe> @mjt: no lo 09:34 < belZe> did the script flush there anything it shouldnt do? 09:34 < n0u> i'll be serious and find a solution based on openvpn in silence 09:35 < mjt> belZe: and what did you ping from what when it didn't work? 09:35 < belZe> client -> server on lan (not the bridge) 09:35 < n0u> i was thinking i could replace several instances of openvpn running in --tls-server by one running in --server, a solution could be to run several instances of openvpn running in --server mode \o/ sounds good, init ? 09:35 < mjt> aha 09:37 < belZe> @mjt: like "aha! *bling bling*" or "aha ... oh ... hm"? 
:) 09:37 < Bushmills> being grown-up is overrated 09:38 < mjt> belZe: thinking :) 09:38 < belZe> hehe ok 09:38 < mjt> well, there definitely should be a route for lo (127/8) 09:40 < mjt> (but it should not change things) 09:40 < belZe> @ecrist: maybe you should hide that solution on your wiki again, because it isnt working anymore :) 09:42 < ecrist> belZe: really? 09:43 < belZe> yeah, set up the machine with a fresh debian and rp_filter doesnt help anymore 09:43 -!- sunta [n=cw@achilles.raytion.com] has left ##openvpn ["Leaving"] 09:44 < belZe> same effect again. client->server doesnt work but as soon as i do server->client the client->server works 09:44 < ecrist> page edited. 09:45 < belZe> and as soon as i delete the arp entry for the server on the client it doesnt work anymore 09:46 < mjt> so basically, you've a single bridge which joins your lan (10.66.6.0/24) and the tun device. 09:46 < belZe> yep 09:46 < mjt> and the only other machine is the default gw (10.66.6.254) 09:46 < mjt> on local end 09:46 < belZe> nah theres me on the one hand and another server 09:52 < mjt> (this damn phone...) 09:53 -!- Irssi: ##openvpn: Total of 54 nicks [0 ops, 0 halfops, 0 voices, 54 normal] 09:53 < mjt> the gw (.254) - is it on the lan or on the other end? 09:53 < mjt> (just to be sure :) 09:54 < belZe> errr...the route table above is from the server 09:54 < mjt> yeah 09:54 < belZe> therefore its ofc on the local net of the openvpn server 09:54 < mjt> ok 09:54 < belZe> openvpn server = .200 09:54 < mjt> yeah 09:55 < belZe> gw = .254, another server=.10, i am=.220 and vpnclient is .201 09:55 < mjt> does your lan completely works when tun is up? 09:55 < belZe> local net of the vpnclient is completely different to the localnet the vpnserver has 09:55 < mjt> yup 09:56 < belZe> at least windows tells me hes ready :) i can reach the bridge and other clients (client-to-client). i can see arp requests coming through 09:56 < mjt> bridge = .200 you mean? 
09:57 < belZe> bridge = openvpn server, yeah :) 09:57 < mjt> so, what does not work? .199 to .201 and back? 09:58 < mjt> do you see arp packets on tun0? 09:58 < mjt> (btw, promisc mode makes no sense on tun as it receives everything anyway) 09:58 < mjt> (or tap, for that matter) 10:00 < belZe> 201->10 doesnt work 10:00 < belZe> but works all of a sudden when i try 10->201 10:00 < mjt> so follow the arp packets. 10:00 < mjt> do you see arp requests on tap0 when pinging .10 from .201 ? 10:00 < mjt> do they propagate to br0 and eth0? 10:01 < mjt> note that this setup is quite unsafe for the server 10:01 < mjt> (vpn server that is) 10:02 < mjt> any client can set up any address from this /24 on its end and start replying to arp requests, and vpn server will think that, say, .10 is thaaat way instead of on the lan. 10:03 < belZe> thats no problem, all clients are under my control 10:03 < mjt> (it's the same on the lan, any wksta can steal that .10 too, but it's easier to deal with compared with when that wksta is remote) 10:05 < belZe> sorry to interrupt this discussion. i need to get home now. 4pm. otherwise i wont get lunch 10:06 < belZe> gonna check that tomorrow again 10:06 < mjt> k 10:22 -!- c64zottel [n=hans@62.12.213.52] has joined ##openvpn 10:23 -!- c64zottel [n=hans@62.12.213.52] has left ##openvpn [] 10:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:40 -!- n0u [i=Chaton@unaffiliated/nou] has left ##openvpn ["server mode SUCKS ;-) suck=kiddies's verb"] 10:43 -!- mode/##openvpn [+o ecrist] by ChanServ 10:43 -!- mode/##openvpn [+b *!*@unaffiliated/nou] by ecrist 10:43 -!- mode/##openvpn [-o ecrist] by ecrist 10:59 < mjt> that's an interesting setup belZe have 11:00 < mjt> suppose there was no network activity for quite some time, so that all ARP caches are cleaned. 
11:00 < mjt> now vpn server sends out a packet destined for one of vpn clients 11:00 < mjt> it gets wrapped into openvpn protocol and sent to the gateway 11:01 < mjt> and now, vpn server has to send ARP to its interface to determine who's .254 (the gateway) 11:01 < mjt> it sends out the ARP request to br0, which forwards it to eth0 AND tun0 11:01 < mjt> so openvpn gets a packet which should be sent to tunnel. 11:02 -!- caotic [n=ccolorad@201.101.15.197] has joined ##openvpn 11:02 < mjt> wrapping it to its protocol, sending out to br0 to the gateway.. but we had there already. 11:02 < mjt> s/had/was/ 11:04 < mjt> the good thing is that the IP stack will not send ANOTHER ARP in this case, knowing that it already sent one a few moments before and is awaiting for the reply. 11:07 < caotic> Hi, can someone please help me. I am trying to connect from my linux box to a windows server and I only know the server Ip user/password. Right now I am using openvpn-admin but havent really made sense of it 11:08 < ecrist> caotic: we need to know more about your setup 11:08 < ecrist> !configs 11:08 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:09 < caotic> I do have Remote Desktop acces to the server ... 11:11 < caotic> ecrist: how can I find out what configs the windows server has ? 11:12 < ecrist> they're going to be in text files, don't remember where they're kept, hang on 11:13 < ecrist> C:\Program Files\OpenVPN\config 11:13 < ecrist> should be a config file in there 11:14 < caotic> so openvpn cannot interface with windows native vpn support ? 
11:16 < ecrist> no 11:17 < ecrist> windows native VPN is L2TP/PPTP 11:17 < ecrist> openvpn is SSL 11:17 * caotic facepalm I wasted a half day of work yesterday :P 11:17 < caotic> openvpn connections can occur without certificates without that much security risk ? 11:18 < caotic> any solution for logging in to a windows vpn without openvpn ? 11:22 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:30 < mjt> there's pptp server software for windows 11:30 < mjt> i think it's included into server version 11:30 < mjt> but i'm not 100% sure 11:36 < ecrist> see here http://www.onecomputerguy.com/networking/xp_vpn_server.htm 11:36 < vpnHelper> Title: WindowsXP VPN Server (at www.onecomputerguy.com) 11:37 < ecrist> !irclogs 11:37 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats 11:37 < ecrist> !learn irclogs as http://www.secure-computing.net/log/openvpn-last30.html for stats from the last 30 days. 11:37 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 11:39 -!- Irssi: ##openvpn: Total of 53 nicks [0 ops, 0 halfops, 0 voices, 53 normal] 11:43 < mjt> ecrist: why you banned n0u ? 11:44 < mjt> btw, that URL (last30) does not work (404) 11:45 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 11:45 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 
11:45 < ecrist> forgot the s on logs 11:46 < mjt> stupid helper ;) 11:58 -!- c64zottel [n=hans@62.12.213.52] has joined ##openvpn 11:59 -!- c64zottel [n=hans@62.12.213.52] has left ##openvpn [] 12:31 -!- caotic_ [n=ccolorad@201.101.15.197] has joined ##openvpn 12:32 -!- caotic [n=ccolorad@201.101.15.197] has quit [Read error: 113 (No route to host)] 12:43 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 12:49 -!- localadmin [n=chatzill@75.53.44.51] has joined ##openvpn 12:50 < localadmin> hello 12:50 < localadmin> I have looked around and can't tell if openvpn can act as an ssl client for checkpoint network extender 12:51 -!- localadmin is now known as mikeones_ 12:53 < ecrist> mikeones_: I don't believe so. 12:55 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 60 (Operation timed out)] 12:58 -!- caotic_ [n=ccolorad@201.101.15.197] has quit [Read error: 110 (Connection timed out)] 12:59 -!- mjt [n=mjt@isrv.corpit.ru] has quit ["reboot!..."] 13:06 -!- mikeones_ [n=chatzill@75.53.44.51] has quit [Read error: 104 (Connection reset by peer)] 13:14 -!- Kvajnto [n=ls@116.233.5.100] has joined ##openvpn 13:14 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn [] 13:17 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn 13:20 -!- caotic_ [n=ccolorad@201.101.15.197] has joined ##openvpn 13:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 13:47 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn 13:47 < RUS> hi anybody 13:49 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn 13:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:54 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn 13:55 < jul_> how can i deactivate encryption of data between client and server ? 13:57 < krzee> you sure? 
13:58 < RUS> oh krzee hi my friend 13:58 < krzee> heyhey 14:07 < RUS> may be you wanna my iphone ?:) 14:07 < RUS> ;-) 14:07 < krzee> maybe you didnt catch that this isnt #buymystuff 14:08 < RUS> it's a joke krzee 14:08 * krzee pets the banhammer 14:08 -!- jul_ [n=jul@colonel.verygames.net] has quit ["Lost terminal"] 14:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:45 -!- eWizard [n=identd@78.63.180.97] has joined ##openvpn 14:48 < martian67> can openvpn do ip-in-ip ? 14:50 -!- suprsonic [n=suprsoni@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn 14:51 < suprsonic> in a client/server role can the client and server be assigned a static key or does it require separate keys? 14:59 -!- sunga [n=naft@77.109.123.56] has joined ##openvpn 14:59 < sunga> hi people 14:59 < sunga> !howto 14:59 < vpnHelper> sunga: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:00 < sunga> !logs 15:00 < vpnHelper> sunga: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:00 < sunga> !configs 15:00 < vpnHelper> sunga: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:00 < sunga> !route 15:00 < vpnHelper> sunga: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 15:05 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 15:11 -!- suprsonic [n=suprsoni@97-87-2-183.dhcp.mdsn.wi.charter.com] has left ##openvpn [] 15:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 15:32 < krzie> hi sunga 15:33 -!- Kvajnto [n=ls@116.233.5.100] has quit [] 15:42 -!- vpnHelper 
[i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)] 15:43 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 15:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:05 < ecrist> krzee: bot still doesn't work for me, btw 16:13 -!- RUS [n=Mirc@88.214.199.27] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"] 16:20 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 16:27 -!- MrDusty [n=dusty@88-105-71-110.dynamic.dsl.as9105.com] has joined ##openvpn 16:28 < MrDusty> Hey guys, I am using a PPTP connection to my work's VPN to access the intranet. It all works fine. However when I try to do system stuff like apt-get update; apt-get upgrade -y ; apt-get dist-upgrade -y it times out, when i try to do any downloading it times out or comes down in bytes.. its almost as if, the pc gets confused as to which connection to send the packets out (vpn, or wifi) and times out thinking about it, im not sure bu 16:28 < MrDusty> t it means when I am connected to the vpn using the internet as normal is near enough impossible ? 16:29 < ecrist> what VPN software are you using? 16:29 < ecrist> are you the admin? 16:30 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 16:31 * mjt suspects usual MTU probs.... 16:32 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 16:33 < krzie> ahh cool, you're playing with mtu mjt? 16:34 < krzie> you first checked whats up with --mtu-test? 16:34 < krzie> im curious if when it sees mtu issues if it suggests settings or not 16:34 < krzie> i guess i could dig through the code if i cared enough tho, lol 16:34 < mjt> i'm not 16:35 < mjt> MrDusty said he has download probs (timeout/stalls) with his PPTP-based VPN. 16:35 < mjt> i've no idea how it relates to openvpn, but it looks like typical MTU prob. 
16:36 < krzie> ahh 16:36 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 16:36 < mjt> i've yet to play with openvpn's mtu stuff. 16:36 < mjt> had no chance this far. 16:38 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 16:38 -!- temba_alternativ [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 16:39 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)] 16:39 < mjt> i know only one vpn so far that messes up^W^Wfixes tcp mss window 16:39 < mjt> also many cheap home routers based on linux do that. 16:39 < mjt> wonder why. 16:41 < krzie> ya so far ive had no reason to play with mtu 16:50 -!- eWizard [n=identd@78.63.180.97] has quit [Read error: 104 (Connection reset by peer)] 16:51 < mjt> there should be problems still, with !tcp 16:51 < mjt> mtu probs are always.. fun 16:52 < mjt> about a month ago i was dealing with an.. fantastic situation here, with an isp that's named.. mtu.ru 16:52 < mjt> :) 16:52 < mjt> it's adsl with typical 1492 (8 bytes for the adsl header) 16:52 < mjt> everything works on their side, with one.. issue. 16:53 < mjt> the equipment that delivers traffic to me, the pre-last hop, the one which knows the MTU is non-standard, has address in private 10.something range. 16:53 < krzie> oh ya if MrDusty is tunneling tcp over tcp thats likely his problem 16:54 < krzie> haha my isp does that to me too 16:54 < krzie> uses 10.x internal 16:54 < mjt> so the ICMP must-fragment is being sent with 10.xsomething source address 16:54 < mjt> and gets dropped on the way by other transit ISPs who do proper filtering 16:55 < krzie> hah that sucks 16:55 < mjt> i had two places trying to reach my machine, one place worked and another not. 16:55 < mjt> and just by some luck or what, i noticed the source of that damn ICMP. 
16:55 < mjt> on the side that worked 16:56 < mjt> the other place was connected to an ISP who did proper filtering 16:57 < mjt> talked with mtu.ru (irony) support monkeys the other day, almost 4 hours on the phone. 16:57 < krzie> ya that is good irony 16:57 < mjt> trying to describe "which site does not work for me in which MSIE version" 16:57 < krzie> i still cant believe you think your english isnt very good... 16:57 < krzie> you type better than many native americans 16:57 < mjt> only type ;) 16:58 < krzie> hahha 16:58 < krzie> you called mtu.ru with mtu issues on their network, and the guy didnt seem to understand what the mtu problem means 16:58 < krzie> classic 16:59 < mjt> lost time it was really, and i sorta knew it will be that way... 17:00 < mjt> but i was disappointed that i had to debug the thing almost whole night.... :) 17:00 < mjt> and that was my last usage of tinc. sadly. 17:03 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn 17:19 < ftp3> I have a question.. lets say my home has no firewall.. so, i connect my laptop (via openvpn) to our openvpn server at our office. Is my laptop safe? (does this question make sense?) 17:20 < mjt> very little sense... 17:20 < ftp3> ok let me rephrase it 17:20 < mjt> it'll be possible to connect to your laptop from office 17:20 < mjt> just like if you connected it into office LAN 17:21 < ftp3> i am trying to surf securely into our office vpn. if i have no firewall at home, and i just connected through my home isp to "somesite" my computer would be vulnerable to scans, etc.. I am thinking, if I am connecting to the office vpn.. i would not have a public ip anymore and be safe? or an i being stupid? 17:22 < mjt> i'd not say "stupid" about someone who's trying to think about his security 17:23 < ftp3> right.. thanks. but i mean.. 
when i connect to the office vpn, it says my ip is now "192.168.x.x" instead of before that it says the IP my isp gives me 17:23 < mjt> but you'll have to be connected to your home ISP anyway, in order to connect to your office. 17:23 < ftp3> exactly 17:23 < mjt> and this is where you'll get all the scans from. 17:24 < ftp3> extactly.. so, even though openvpn has me connected to my office, and gives me an IP there.. my home computer still also pings as the isp IP? 17:24 < mjt> openvpn makes "second network card" 17:25 < ftp3> because once i connect to the office lan, if i goto: http://www.whatismyip it says the office IP 17:25 < mjt> redirect-gateway or proxy 17:25 < ftp3> i see.. so, the first network card is not being used for my outgoing stuff.. but it is still vulnerable to an incoming attack.. correct? 17:25 < mjt> sorta 17:26 < mjt> very close 17:26 < mjt> but with your setup, i guess you actually ARE safe. 17:26 < mjt> hm 17:26 < mjt> difficult to say for windows. 17:26 < ftp3> i'm thinking.. if i goto starbucks.. am i safe :-) ya know 17:27 < ftp3> not that i am the kinda guy that sits in starbucks on his laptop.. so lets say airport 17:27 < ftp3> :-) 17:27 * mjt has no idea what starbucks is... 17:27 < ftp3> i guess the best way to find out is to scan myself when i am connected that way ;-) 17:27 < mjt> it looks like you will be open still 17:28 < mjt> but i've an idea for you 17:28 < ftp3> yes? 17:28 < mjt> you can see which services are "exported" to your network card 17:28 < mjt> and just disable them. 17:28 < mjt> THAT will work. 17:28 < ftp3> i see 17:29 < ftp3> ok, thank you ;-D 17:29 < mjt> starting with disabling "File and Print sharing for windows networks" in your network adaptor config. 17:29 < mjt> and "client for microsoft networks" 17:29 < mjt> (not sure for exact names, it was quite some time ago) 17:30 < ftp3> right.. i get your idea.. makes sense. Thanks. 
I am going to check on that now 17:30 < mjt> `netstat -a' command will show you 17:30 < mjt> which ports are listening 17:30 < mjt> closed port = no way to exploit it. 17:31 < krzie> if you redirect-gateway and only have a route to their gateway, you wont be able to reply to others on the lan 17:31 < mjt> if you're going via your office network, i guess it's the effect of redirect-gateway 17:31 < krzie> assuming its a 255.255.255.255 to their gateway, which i believe it is 17:31 < krzie> your replies will go over the vpn and disappear 17:32 < krzie> still, not as good as turning on yourfirewall 17:32 < mjt> well, lan is not a problem usually 17:32 < krzie> and even better than firewall, turning off the stuff like mjt said 17:32 < krzie> i'm thinking.. if i goto starbucks.. am i safe :-) ya know 17:32 < krzie> not that i am the kinda guy that sits in starbucks on his laptop.. so lets say airport 17:32 < krzie> hes talking bout lan 17:32 < ftp3> when i look at the results in netstat -a and I concerned with EVERYTHING (ie 127.0.0.1:port) or just my.isp.ip:port ? 17:32 < krzie> lan in the wild 17:33 < krzie> not 127.0.0.1:port 17:33 < krzie> but anything else really 17:33 < ftp3> ok good.. thats a lot less ;-) 17:33 < mjt> 0.0.0.0:port too 17:33 < ftp3> anyway, firewall is clearly the answer 17:33 < krzie> very much 0.0.0.0:port 17:33 < mjt> strictly speaking, it's trivial to connect to 127.1 over network too. 17:34 < mjt> to windows anyway 17:34 < mjt> but that's advanced... ;) 17:34 < mjt> and requires direct (on-lan) access. 17:34 < MrDusty> mjt, sorry for the late reply. No I am an employee trying to connect to my works vpn, its a PPTP vpn not sure the server side software. I use Ubuntu network manager client for PPTP connections .. 17:34 < ftp3> it would just be great if i could (easily) disallow anything either way over network1 and force anything else to come/go through network2 (openvpn) 17:34 < krzie> mjt: how? 
17:35 < MrDusty> I connect from laptop -> adsl router -> internet -> work vpn. 17:35 < MrDusty> Never used a VPN before .. 17:35 < mjt> krzie: the same as on unix 17:36 < mjt> you remove your loopback route and IP and pretend it's on the lan. 17:36 < mjt> on another machine that is 17:37 < mjt> and just connect to it 17:37 < krzie> and the target will reply even with its loopback route? 17:37 < mjt> most unixes now has protection for that 17:37 < mjt> it's done differently in different OSes 17:37 < mjt> in linux it's controlled by rp_fiter, it's more general than just 'lo' 17:38 < mjt> (reverse path filter, -- checking if a reply to incoming packet will go to the same iface as the packet comes from and dropping if not) 17:39 < mjt> MrDusty: reduce MTU of your pptp interface, on both ends, if you can. that's about it. 17:39 < mjt> MrDusty: and it has nothing to do with openvpn really 17:39 -!- caotic_ [n=ccolorad@201.101.15.197] has quit [Read error: 54 (Connection reset by peer)] 17:39 < mjt> different software different vendors different protocols 17:40 < krzie> MrDusty, this isnt #pptp 17:41 < krzie> if you switch to openvpn this is the right place 17:41 < mjt> MrDusty: (another option is to find who's breaking PMTUD and fix it... but oh well.) 17:41 < krzie> otherwise, you found the wrong channel 17:41 * mjt expects another 3-hour delay before the next reply... ;) 17:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 17:42 < MrDusty> mjt, Ok, I am not the server admin, just the end user. What can I do about it ? 17:42 < krzie> you can go to a channel where they help with pptp 17:43 < krzie> or you can switch to openvpn 17:43 < krzie> or you can go idle 17:43 < krzie> really its between those 3 choices... 17:43 < mjt> MrDusty: for reference: MTU stands for Maximum Transmission Unit, or the max size of data packet that can be sent/accepted. PMTUD = Path MTU discovery. 
Somehow you have to ensure the packets the two systems sends can be transmitted all the way from one to another. 17:44 < mjt> in theory it should work, but there are many places when it breaks, usually misconfig 17:44 < mjt> hm 17:44 < krzie> and if your tunnel is tcp, thats likely your problem, but i wouldnt know cause we dont help poeople with pptp here 17:44 < MrDusty> i doubt its misconfig on there part - we're talking about Message Labs. 17:45 * krzie grabs his banhammer 17:45 < mjt> i think it'll be sufficient to reduce mtu on only one end, so that his system will send proper mss 17:45 < mjt> MrDusty: misconfig anywhere on the way between the two systems 17:45 < mjt> including your home router and your isp and whatnot 17:45 < MrDusty> hrm 17:45 < MrDusty> how do normal people connect to a vpn then ? 17:46 < mjt> what's vpn? 17:46 < MrDusty> is it possible to use openvpn to connect to a vpn that requires PPTP? 17:46 < mjt> no 17:46 < MrDusty> ok 17:46 < mjt> different protocol 17:46 < mjt> krzie: pptp is gre 17:46 < mjt> not tcp 17:47 < mjt> and any encapsulation means one or another issue with MTU 17:47 < MrDusty> mjt, ok, so if your employer said connect to this vpn it requires PPTP heres the username and password how would you connect to it ? 17:47 < mjt> because it reduces the MTU obviously 17:47 < mjt> i'd killed pptp and replaced it with something else ;) 17:47 -!- mode/##openvpn [+o krzie] by ChanServ 17:48 -!- MrDusty was kicked from ##openvpn by krzie [maybe you didnt catch it... but this isnt #ptpp] 17:48 < mjt> oh 17:48 < mjt> ok 17:48 -!- mode/##openvpn [-o krzie] by krzie 17:48 < mjt> off-topic, i know. 17:48 -!- MrDusty [n=dusty@88-105-71-110.dynamic.dsl.as9105.com] has joined ##openvpn 17:48 < mjt> sometimes i just can't stop :) 17:49 < MrDusty> why such an attitude? 17:49 < krzie> mjt, not your fault... 
you're just being helpful 17:49 < krzie> but i did tell him a few times 17:49 < krzie> MrDusty, YOURE IN THE WRONG CHAN 17:49 < MrDusty> krzie, omg, your such an arrogant fuck. 17:49 < krzie> i only said it and got ignored 3 times 17:49 < krzie> ok... 17:49 -!- mode/##openvpn [+o krzie] by ChanServ 17:49 -!- mode/##openvpn [-o+b MrDusty *!*n=dusty@*.as9105.com] by krzie 17:50 -!- MrDusty was kicked from ##openvpn by krzie [bye] 17:50 -!- mode/##openvpn [-o krzie] by krzie 17:50 < mjt> dusty - it's when there's a lot of dust on something, right? :) 17:51 < krzie> correct =] 17:51 < krzie> [MrDusty(n=dusty@88-105-71-110.dynamic.dsl.as9105.com)] you are one dumb fucker, op in a channel about vpns and 17:51 < krzie> you think PPTP is TCP based LOL - WHAT A DUMB CUNT YOU ARE!!!!!!!!!!!!!!!!!!!!!!! 17:51 < krzie> ... Ignoring ALL messages from *!*dusty@88-105-71-110.dynamic.dsl.as9105.com 17:51 < krzie> lol 17:52 < mjt> sigh. 17:52 < krzie> ya 17:52 < krzie> he got 3 warnings, then a kick without ban to see if he got the point 17:52 < krzie> obviously not 17:52 < krzie> and i dont know a THING bout pptp, by choice 17:53 < krzie> which is why im not in #pptp (if that exists) 17:53 < mjt> ppp-over-GRE it is, basically. 17:53 < krzie> ahh 17:54 < mjt> with tcp control connection, encryption and compression. (C) M$. 18:00 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:00 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)] 18:03 < ecrist> nice, second time today the banhammer came out 18:05 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:05 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 18:05 -!- krzie [i=krzee@joogot.noskills.net] has left ##openvpn [] 18:06 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 18:06 < mjt> eth-tls: port 45(tls-win2x4) entering forwarding state 18:06 < ecrist> what happened to you? 
18:06 < mjt> er 18:06 < krzie> rtorrent is crashing joogot 18:06 < krzie> but instead of fixing it im just letting it crash it up 18:06 < krzie> lol 18:06 < krzie> should have 1 more before im done getting osx86 18:06 < mjt> bad rtorrent, bad! :) 18:07 < ecrist> when it's done crashing, fix my bot access. ;) 18:07 < krzie> iDeneb_v1.4_OSx86_ISO 18:07 < krzie> shit i thought i did, you werent here to test 18:07 < krzie> lemme look at it 18:07 < ecrist> ah, I tested, and it didn't work. 18:08 < krzie> ya see i made my second ban in bout a yr? 18:08 < krzie> hehe 18:09 < ecrist> yes, second ban today, actually 18:09 < krzie> wow 18:09 < krzie> channel record i think 18:09 < krzie> 2 in 1 day 18:09 -!- temba_alternativ [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:09 < ecrist> heh, probably. 18:10 < krzie> last i remember was jeev 18:10 < krzie> we like never ban people 18:10 < ecrist> that was the last person 18:10 < krzie> and usually only kick eachother, lol 18:10 < ecrist> exactly 18:10 < ecrist> once or twice I've had to op up, then people start behaving. 18:14 * mjt still doesn't understand why ecrist banned n0u... 18:17 < krzie> [msg(vpnHelper)] user list --capability=+factoid 18:17 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] ecrist and krzee 18:18 < krzie> you should be fine 18:18 < ecrist> ok 18:18 < krzie> now to make sure it writes to disk 18:18 < krzie> prolly lost it after i did it yesterday cause of crash 18:18 < ecrist> learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:18 < vpnHelper> Title: ##openvpn stats from ecrist! (at www.secure-computing.net) 18:18 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:18 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. 
If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:19 < ecrist> lemme re-auth 18:19 < krzie> be sure that you are identified before trying again 18:20 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:20 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:20 < krzie> ahh 18:20 < ecrist> grumble.. 18:20 < krzie> 1sec 18:20 < krzie> [msg(vpnHelper)] user list --capability=+factoids.learn 18:20 < krzie> err 18:21 < krzie> there 18:21 < krzie> now go for it 18:21 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:21 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:21 < ecrist> lemme re-auth 18:21 < krzie> show me whoami 18:21 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:21 < krzie> !whoami 18:21 < vpnHelper> krzie: krzee 18:21 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:21 < ecrist> !whoami 18:21 < vpnHelper> ecrist: ecrist 18:21 < krzie> wtf 18:22 * ecrist is not worthy. 
18:22 < krzie> [msg(vpnHelper)] user list --capability=+factoids.learn 18:22 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] ecrist and krzee 18:22 < krzie> ecrist: Error: You don't have the factoids.learn capability. 18:22 < krzie> that makes no sense to me 18:22 < ecrist> me either 18:23 < ecrist> krzie: get rid of the + 18:23 < krzie> nah thats needed 18:23 < mjt> !whoami 18:23 < vpnHelper> mjt: I don't recognize you. 18:23 < ecrist> !user list --capability=factoids.learn 18:23 < vpnHelper> ecrist: krzee 18:23 < krzie> + to add, - to remove 18:24 < ecrist> I think it's being globbed funny 18:24 < krzie> !user list --capability=+factoids.* 18:24 < vpnHelper> krzie: ecrist and krzee 18:24 < ecrist> !user list --capability=factoids.* 18:24 < vpnHelper> ecrist: krzee 18:24 < krzie> !user list --capability=+factoids.learn 18:24 < vpnHelper> krzie: ecrist and krzee 18:24 < krzie> hah 18:24 < mjt> ok, time to go to bed.. bye. 18:24 < krzie> screw it im putting you in the config manually 18:24 < krzie> brb 18:24 < ecrist> lol 18:24 < krzie> later mjt 18:25 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."] 18:28 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:28 < krzie> i think i see what it is 18:28 < ecrist> fixed? 18:29 < ecrist> should I try again? 18:29 < krzie> nope 18:29 < krzie> 1sec 18:29 < krzie> !user list --capability=+factoids.* 18:29 < vpnHelper> krzie: ecrist and krzee 18:29 < krzie> now try 18:30 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:30 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 
18:30 < krzie> !user list --capability=+admin 18:30 < vpnHelper> krzie: ecrist and krzee 18:30 < ecrist> LOL 18:30 < krzie> you are identified since it came back? 18:30 < ecrist> yep, just did 18:30 < ecrist> !whoami 18:30 < vpnHelper> ecrist: ecrist 18:30 < ecrist> before I did learn 18:31 < krzie> ecrist message it this: 18:31 < krzie> admin capability add ecrist +factoids.learn 18:31 < krzie> wtf 18:31 < ecrist> error 18:32 < krzie> WARNING 2009-03-25T16:31:51 Denying ecrist!n=ecrist@mr.garrison.secure- 18:32 < krzie> computing.net for lacking "admin" capability. 18:32 < krzie> !user list --capability=admin 18:32 < vpnHelper> krzie: krzee 18:32 < ecrist> krzie: here's what I'm thinking 18:32 < krzie> hrm maybe you're right 18:32 < ecrist> the + is being globbed wrong 18:32 < krzie> maybe no + in messaging 18:32 < krzie> in config its needed 18:33 < krzie> try now... 18:33 < krzie> !user list --capability=admin 18:33 < vpnHelper> krzie: ecrist and krzee 18:33 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:33 < vpnHelper> ecrist: Joo got it. 18:33 < ecrist> bingo 18:33 < krzie> yeee 18:34 < krzie> try again pls 18:35 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:35 < vpnHelper> ecrist: Joo got it. 18:35 < ecrist> !irclogs 18:35 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days., or (#4) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the 18:35 < vpnHelper> ecrist: last 30 days. 18:35 < krzie> now forget irclogs 4 18:35 < ecrist> !forget irclogs 4 18:35 < vpnHelper> ecrist: Joo got it. 
18:35 < krzie> nice 18:36 < krzie> their docs are outdated 18:36 < krzie> what the manual says todo is wrong 18:36 < ecrist> typical of OSS 18:38 < krzie> there, i removed all the + stuffs 18:38 < krzie> should be good now 18:38 < ecrist> thanks! 18:38 < krzie> lemme kill the bot to make sure it writes stuff out to disk 18:38 < krzie> np 18:39 < krzie> vpnHelper die 18:39 < vpnHelper> krzie: Error: "die" is not a valid command. 18:39 < ecrist> heh, the jabber bot I wrote does that automatically. 18:39 < krzie> vpnHelper quit 18:39 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["krzie"] 18:39 < krzie> so does supybot 18:39 < krzie> unless the system crashes 18:39 < krzie> as rtorrent has caused 2x today 18:40 < ecrist> no, I mean, it does it as soon as a config change is made via messages 18:40 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:40 < krzie> ahh 18:41 < krzie> [msg(vpnHelper)] rss info feed://ovpnforum.com/external.php?type=RSS2 18:41 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] Error: I couldn't retrieve that RSS feed. 18:41 < krzie> that explains that 18:42 < krzie> oh no it doesnt cause the whole site is down 18:42 < krzie> lol 18:43 < krzie> i find this funny bout the firefox error for address not found 18:43 < ecrist> the site is down? 18:43 < krzie> Did you make a mistake when typing the domain? (e.g. "ww.mozilla.org" instead of "www.mozilla.org") 18:43 < krzie> their example is a typo in the HOST not domain 18:44 < krzie> yup, its down 18:44 < ecrist> DNS failure 18:44 < ecrist> the site is up - against my advice, Dougy chose to host DNS at bergenhosting.net 18:44 < ecrist> I'm getting SRVFAIL 18:44 < krzie> haha 18:45 < krzie> i run some ns, im sure you do too 18:45 < krzie> and he leaves it at some hosting co 18:45 < ecrist> I've got a ton of NS stuff going on 18:45 < ecrist> I've got secondaries in WI, and I'm hosting secondaries for a couple small ISPs out there. 
18:45 < ecrist> I'll send him an email. 18:46 < ecrist> sent 18:46 < ecrist> I tell you, me and my dsl/cable are more reliable than most data centers. 18:48 < ecrist> I'm going out for a walk. One of my dogs is driving me crazy. 18:48 < ecrist> back later. 18:49 < krzie> cool 18:49 < krzie> after you got that box running fbsd i know the support is better than most DC's 18:50 < krzie> lol 18:53 -!- the_mo [i=mo@team-aow.de] has joined ##openvpn 19:04 < the_mo> !route 19:04 < vpnHelper> the_mo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 19:04 -!- duxex [n=duxex@63.214.229.20] has joined ##openvpn 19:06 < the_mo> it seems like im having some sort of routing/forwarding problem. i want the vpn to work as an encrypted connection to the internet. the vpn tunnel is correctly set up and working. 19:07 < the_mo> using tcpdump i can see the tun0 device getting the ICMP echo requests im sending from the client 19:07 < the_mo> yet, the eth0 device doesnt get these packets so they aint forwarded from the tun0 device to the eth0 device 19:08 < duxex> did you use redirect-gateway? 19:08 < the_mo> yep 19:08 < duxex> :( 19:08 < the_mo> ipv4 forwarding is also enabled server-side 19:08 < krzie> using tun, right? 19:08 < krzie> oh duh, tun0 19:08 < the_mo> yea 19:09 < duxex> I also setup iptables rules that restrict any adapter to my VPN host and allow all other traffic out my VPN tun0 device 19:09 < duxex> to be 100% sure 19:09 < the_mo> ive been using the exact same setup on another server, where it did work, so i figured its gotta be some server-side stuff 19:09 < duxex> did you do your iptables stuff? 19:09 < duxex> on the server 19:10 < duxex> iptables -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE is on my server 19:10 < krzie> prolly NAT 19:10 < krzie> can you reach the server vpn ip via ping? 
19:10 < krzie> the internal address 19:10 < the_mo> yea 19:10 < krzie> oh, prolly nat 19:10 < krzie> !linnat 19:10 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:10 < krzie> using linux? 19:10 < the_mo> ye 19:11 < the_mo> ive set up iptables with that postrouting stuff, yep 19:12 < duxex> I have one too, does anybody know a way I can push clients hostnames up to my VPN server so I can easily differentiate the hosts, I have the same key for guest hosts 19:12 < krzie> !def1 19:12 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 19:12 < duxex> !dns 19:12 < vpnHelper> duxex: Error: "dns" is not a valid command. 19:12 < krzie> push clients hostnames? 19:13 < krzie> a) clients dont push ANYTHING to the server 19:13 < krzie> b) what are you wanting? 19:13 < the_mo> setup is: client pc is supposed to use the vpn tunnel to access the internet 19:13 < krzie> the_mo so you're using redirect-gateway def1, right? 19:14 < the_mo> yep 19:14 < krzie> what os is the client? 19:14 < the_mo> client is linux as well 19:14 < krzie> both sides started as root? 19:15 < the_mo> yep 19:15 < the_mo> ive got the clients conf right here: http://rafb.net/p/n7cidc22.html 19:15 < vpnHelper> Title: Nopaste - No description (at rafb.net) 19:15 < krzie> yup i was bout to say.. 
19:15 < krzie> !configs 19:15 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:15 < krzie> !logs 19:15 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:16 < krzie> hrm, didnt know you could redirect-gateway over a ptp link 19:16 < krzie> but i guess i dont see why not 19:16 < krzie> route 0.0.0.0 0.0.0.0 19:16 < krzie> remove that 19:17 < krzie> also 19:17 < krzie> why are you using tcp? 19:17 < krzie> firewall wont allow for udp? 19:17 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn 19:17 < the_mo> exactly 19:17 < krzie> pro! 19:17 < krzie> wassup brutha 19:17 < krzie> mah brutha from another country 19:18 < prxtien> not much mayne 19:18 < prxtien> you? 19:18 < krzie> just got back to my island this last week 19:18 < krzie> building some new boxen and whatnot 19:18 -!- duxex [n=duxex@63.214.229.20] has quit ["Leaving"] 19:18 < prxtien> sweet 19:19 < prxtien> in another week or so i should be outta here 19:19 < krzie> ya i came back with a whole suitcase full of parts 19:19 < krzie> nice! 19:19 < krzie> i cant believe you're still in there 19:19 < krzie> gotta be getting old 19:19 < the_mo> hm.. 
wth, i was pushing the route 0000 0000 stuff from the server side as well, i guess ima remove that too -.- 19:19 < prxtien> 3 1/2 weeks so far this time 19:19 < krzie> the_mo yup 19:20 < the_mo> ok didnt change nything sadly 19:20 < prxtien> kr hows the girls goin 19:20 < krzie> good pro, i had me a lil brazillian model in peru while i was out there 19:21 < the_mo> both openvpns are running verb6 currently and the packets show up nicely in both consoles, yet i dont get ping replies to my client when pining the internet 19:21 < prxtien> ehehe nice 19:21 < prxtien> kr, you ever see problems with site-to-site always open bridge between sites having problems with certificates? 19:22 < krzie> wouldnt know, i never use bridge 19:22 < krzie> why are you using it? 19:22 < prxtien> after maybe 1-2 days the latency goes from 40ms to about 300-1000 ms 19:22 < krzie> prxtien you using tcp? 19:22 < prxtien> im not using bridge, i just ment i am bridging the sites together eheh 19:22 < prxtien> nah udp 19:22 < krzie> umm 19:22 < prxtien> if i use statickey it works nie 19:22 < prxtien> nice even 19:22 < krzie> if you arent using bridge you arent bridging them together 19:22 < krzie> hehe 19:22 < the_mo> so heres server config, no surprise there i guess http://rafb.net/p/zsPECz84.html 19:22 < vpnHelper> Title: Nopaste - server side conf (at rafb.net) 19:22 < krzie> you are connecting them using routing 19:22 < prxtien> mmmm 19:23 < prxtien> im using tun 19:23 < krzie> the_mo remove the push from server 19:23 < krzie> you already defined it in client 19:23 < krzie> and you cant push anyways 19:23 < krzie> no pull in client, and not using client/server mode 19:24 < the_mo> aight 19:24 < the_mo> just a style change i guess but thx 19:24 < krzie> np 19:25 < krzie> also add def1 to your redirect-gateway 19:25 < krzie> oh nm its on the client one 19:33 < the_mo> hm okay, i just tried stopping the firewall for a sec (server side), didnt change nything 19:34 < the_mo> gotta be sumthin 
else 19:35 < krzie> !linfw 19:35 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 19:35 < krzie> (as well as) 19:35 < krzie> !linnat 19:35 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:38 < krzie> !linipforward 19:38 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:39 < krzie> also check client firewall 19:39 < krzie> make sure its gunna allow stuff from the server 19:39 < the_mo> it does, since im getting replies from the server just fine 19:40 < the_mo> ive been running tcpdump on both devices (server side) while running a PING on client side 19:40 < the_mo> while the dump at the tun device got the request, eth0 didnt, so i guess its not being forwarded 19:40 < krzie> that means its allowing the source of server from the server 19:40 < krzie> make sure it allows any source, from the server 19:41 < the_mo> uhm... hu? sorry :) 19:44 < the_mo> im having a 'iptables -A FORWARD -i tun0 -j ACCEPT' rule if thats what ya meant 19:45 * ecrist starts work on recoding his site 19:47 < krzie> !logs 19:47 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:47 < krzie> ecrist, gunna do adwords? 
19:47 < ecrist> not redoing the wiki, atm, but i don't think I'm going to 19:48 < ecrist> I might actually proposition some folks I know for posting ads directly 19:49 < ecrist> I've run into Ethan Galstad a number of times, might call him and ask if he wants to advert nagios, and I might hit up the openvpn folks for ads for their commercial stuff. 19:49 < ecrist> ;) 19:49 < ecrist> adwords is crap, imho 19:49 < ecrist> speaking as a former advertiser, as well as a former adwords lister 19:53 < ecrist> maybe I should just drupal my site. 19:54 < ecrist> odds are, I'm not going to do any ads. 19:54 < krzie> werd 19:54 < krzie> funny how we changed sides on that one 19:54 < krzie> lol 19:56 < the_mo> PM'd the log files if thats ok 19:57 < krzie> its ok if you dont want much help 19:57 < krzie> theres many more here than me that know whats up 19:57 < krzie> wouldnt be the first time they found something i miss 19:57 < krzie> but thats your gamble to make 19:59 < the_mo> havent seen that much activity in ere right now, its pretty late now anyhow. lets just see if theres something in there that i didnt think is looking wrong :) 19:59 < the_mo> ... for now 20:00 < krzie> late? 9est, 6pst for americans 20:00 < the_mo> uhm... yea nvm that, silly me 20:03 < the_mo> gah screw it, ma box is connected to the internet anyways, no need to keep the ip secret i guess 20:03 < the_mo> http://rafb.net/p/fJ92mz82.html 20:03 < vpnHelper> Title: Nopaste - client log (at rafb.net) 20:03 < the_mo> http://rafb.net/p/LWhHwF30.html 20:03 < vpnHelper> Title: Nopaste - No description (at rafb.net) 20:04 < the_mo> hm.. lazy me, later is the server side log 20:04 < reiffert> moin 20:04 < krzie> moin reif 20:05 < krzie> the_mo is having a problem with his redirect-gateway stuff, configs (ptp) and logs looked fine to me 20:05 < krzie> he says his firewall is right, i havnt looked at it yet 20:05 < reiffert> the_mo: using vmware? 20:05 < the_mo> no 20:05 < reiffert> krzie: "having a problem" ? 
20:06 < krzie> he can ping across the firewall but not getting anything from inet 20:06 < krzie> the_mo you trying to ping inet ip by ip to test? 20:06 < reiffert> client os? 20:06 < krzie> (not by hostname) 20:06 < the_mo> yep, tried ip as well 20:06 < the_mo> client is linux as well currently 20:06 < reiffert> the_mo: paste routing table 20:07 < reiffert> route -n 20:07 < reiffert> when being connected 20:07 < the_mo> client/serv 20:07 < krzie> client 20:07 < reiffert> openvpn version? 20:07 < reiffert> the_mo: paste routing table from the client 20:08 < the_mo> http://rafb.net/p/ZL3PiQ43.html 20:08 < vpnHelper> Title: Nopaste - route -n client side (at rafb.net) 20:08 < reiffert> the_mo: and: ifconfig -a 20:09 < reiffert> the_mo: disconnect openvpn, paste route -n again please 20:10 < the_mo> only 3 lines now 20:10 < the_mo> 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 20:10 < the_mo> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 20:10 < the_mo> 0.0.0.0 10.1.1.254 0.0.0.0 UG 1 0 0 eth0 20:10 < the_mo> http://rafb.net/p/NvCkN221.html 20:10 < vpnHelper> Title: Nopaste - ifconfig -a client side (at rafb.net) 20:11 < reiffert> krzie: r u sure the routing table looks ok when being connected? 20:12 < ecrist> should I bother including a big library like dojo or jquery? 20:12 < reiffert> the_mo: however, connect the client to your server and run tcpdump on the server, like this: 20:12 < reiffert> tcpdump -n -i tun0 proto ICMP 20:12 < reiffert> then run: ping 193.99.144.80 on the client 20:13 < reiffert> paste what tcpdump puts out. 2-3 lines are enough. paste it to IRC 20:13 < the_mo> mmh.. you like using heise for ping tests as well dont you ;) 20:13 < reiffert> no. I like the dns server from my university. 
20:14 < the_mo> 02:17:31.756946 IP 10.0.0.1 > 193.99.144.80: ICMP echo request, id 52234, seq 4, length 64 20:14 < the_mo> 02:17:32.757396 IP 10.0.0.1 > 193.99.144.80: ICMP echo request, id 52234, seq 5, length 64 20:14 < the_mo> 02:17:33.757276 IP 10.0.0.1 > 193.99.144.80: ICMP echo request, id 52234, seq 6, length 64 20:14 < the_mo> ive said it before :), the tun device gets the echo requests 20:14 < reiffert> ok, the problem is your server. 20:14 < the_mo> the eth0 doesnt 20:14 < reiffert> you fucked up masquerading. 20:14 < the_mo> yea 20:14 < reiffert> iptables -t nat -v -n -L 20:14 < reiffert> paste 20:14 < reiffert> as well as 20:14 < reiffert> iptables -t filter -v -n -L 20:15 < reiffert> !ip_forward 20:15 < vpnHelper> reiffert: Error: "ip_forward" is not a valid command. 20:15 < the_mo> first one doesnt return any rules *scratchhead* 20:15 < reiffert> !ip_forward 20:15 < vpnHelper> reiffert: Error: "ip_forward" is not a valid command. 20:15 < reiffert> /proc/sys/net/ipv4/ip_forward 20:15 < the_mo> set to 1, yep 20:16 < reiffert> !learn ip_forward as dont forget to echo 1 > /proc/sys/net/ipv4/ip_forward when doing masquerading on linux. See netfilter.org Masquerading Howto, Chapter 4.2 "Help! I just want masquerading" 20:16 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 20:16 < reiffert> vpnHelper: fuck off 20:16 < vpnHelper> reiffert: Error: "fuck" is not a valid command. 20:16 < reiffert> the_mo: please, do what I was asking for. 20:16 < krzie> reif 20:16 < krzie> !linipforward 20:17 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 20:17 < reiffert> vpnHelper: whoami 20:17 < vpnHelper> reiffert: I don't recognize you. 
20:17 < reiffert> vpnHelper: may I introduce myself? 20:17 < vpnHelper> reiffert: Error: "may" is not a valid command. 20:17 < krzie> you could find it with: 20:17 < krzie> !factoids search forward 20:17 < vpnHelper> krzie: 'winipforward' and 'linipforward' 20:18 < reiffert> the_mo: as you seem to refuse to give further information ... netfilter.org is your friend. 20:18 < the_mo> http://rafb.net/p/y74XAN95.html 20:18 < vpnHelper> Title: Nopaste - iptables -t nat -v -n -L (at rafb.net) 20:18 < reiffert> krzie: lets add the netfilter.org masquerading howto 20:18 < the_mo> im still here :o 20:18 < reiffert> the_mo: 2nd cmd 20:18 < krzie> !learn linipforward as See netfilter.org Masquerading Howto, Chapter 4.2 "Help! I just want masquerading" 20:18 < vpnHelper> krzie: Joo got it. 20:19 < the_mo> incoming 20:19 < reiffert> krzie: it's called nat howto, sorry. 20:19 < reiffert> krzie: http://netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1 20:19 < reiffert> chap 4.1 20:19 < vpnHelper> Title: Linux 2.4 NAT HOWTO: Quick Translation From 2.0 and 2.2 Kernels (at netfilter.org) 20:19 < krzie> !linnat 20:19 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 20:19 < krzie> already there ;] 20:19 < the_mo> http://rafb.net/p/6muVzx73.html (2nd) 20:19 < vpnHelper> Title: Nopaste - No description (at rafb.net) 20:19 < krzie> !forget linipforward 2 20:19 < vpnHelper> krzie: Joo got it. 20:20 < reiffert> the_mo: iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT 20:20 < reiffert> the_mo: iptables -I FORWARD -o tun0 -i eth0 -j ACCEPT 20:20 < reiffert> the_mo: both commands and you are done. 
20:20 < the_mo> jeez 20:20 < the_mo> awesome 20:20 < reiffert> the_mo: note, your firewall is fucked up, too. Especially chain OUTPUT 20:21 < the_mo> yea i know 20:21 < the_mo> dont hit me, its a system a friend set up, and it runs suse :X 20:21 < krzie> eww 20:21 < reiffert> eww. 20:21 < reiffert> does it work now? 20:21 < the_mo> yep, thats what my awesome was sposed to mean, thanks a lot 20:22 < krzie> reif++ 20:22 < reiffert> welcome 20:22 < reiffert> !configs 20:22 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:22 < krzie> i should add that to the bot, theres a tote board plugin for that 20:22 < krzie> where we can ++ each other 20:22 < krzie> haha 20:23 < reiffert> krzie: learn configs as paste interface configuration from both, client and server, when being disconnected and when being connected. Be sure to add the routing tables for both situations from client and from server 20:23 < the_mo> ok awesome, now onto getting that stupid suse firewall script to not overwrite that rules, wheres my hammer 20:23 < krzie> !interface 20:23 < vpnHelper> krzie: Error: "interface" is not a valid command. 20:23 < reiffert> krzie: ... that is route -n or netstat -nr. Interface config windows: ipconfig /all, linux/bsd: ifconfig -a 20:23 < reiffert> the_mo: hammer is in rc.conf iirc 20:23 < the_mo> haha 20:23 < reiffert> the_mo: or in yast. 20:24 < the_mo> na, the script has some place to add custom rules 20:24 < ecrist> krzie: dougy fixed the dns for ovpnforum.com 20:24 < krzie> !learn interface as paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server 20:24 < vpnHelper> krzie: Joo got it. 
20:24 < krzie> funny i had JUST tried refreshing before you said that 20:24 < krzie> didnt work, now it does 20:24 < krzie> lol 20:24 < ecrist> just got an email from him 20:25 < ecrist> not that anyone uses the site. 20:25 * ecrist is out 20:26 < the_mo> yast doesnt let you directly specify custom iptables rules and only has a very limited (as always) window to allow/disallow stuff 20:28 -!- mode/##openvpn [+o krzie] by ChanServ 20:28 < reiffert> yeah, let's do a kick party 20:29 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology 20:29 -!- krzie was kicked from ##openvpn by krzie [topic changer!!!] 20:29 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 20:30 < krzie> hehe 20:30 -!- reiffert changed the topic of ##openvpn to: foo 20:30 < krzie> aww common 20:30 -!- reiffert changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology 20:31 < krzie> =] 20:34 < reiffert> please add to !interface: hint: ipconfig /all ifconfig -a route -n netstat -nr 20:37 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.] 20:37 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 20:37 < krzie> !learn interface as in windows: ipconfig /all - in unix, ifconfig -a , for both netstat -rn 20:37 < vpnHelper> krzie: Joo got it. 
20:38 < krzie> netstat -rn works in win and bsd, im sure lin too 20:39 < reiffert> works on linux as well 20:39 < reiffert> route -n looks more familiar than netstat -nr 20:39 < reiffert> thomas@mail:~$ /sbin/route -n 20:39 < reiffert> Kernel IP routing table 20:39 < reiffert> Destination Gateway Genmask Flags Metric Ref Use Iface 20:39 < reiffert> 88.198.83.80 0.0.0.0 255.255.255.248 U 0 0 0 br0 20:39 < reiffert> 88.198.83.80 0.0.0.0 255.255.255.240 U 0 0 0 br0 20:39 < reiffert> 78.46.105.64 0.0.0.0 255.255.255.224 U 0 0 0 br0 20:39 < krzie> route print as well for windows 20:39 < reiffert> 0.0.0.0 78.46.105.65 0.0.0.0 UG 0 0 0 br0 20:39 < reiffert> well on linux it's exactly the same.. 20:40 < krzie> its just easier to say 1 command for all 3 20:40 < krzie> when that can happen 20:40 < reiffert> netstat -nr 20:41 < krzie> -rn ;] 20:41 < krzie> lol 20:41 < krzie> !forget interface 2 20:41 < vpnHelper> krzie: Joo got it. 20:42 < krzie> !learn interface as in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 20:42 < vpnHelper> krzie: Joo got it. 20:48 < reiffert> bbl 21:03 < krzie> werd 21:07 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 21:22 -!- the_mo [i=mo@team-aow.de] has left ##openvpn ["thanks again"] 21:25 -!- belZe [i=server3@p5091D32C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:25 -!- belZe [i=server3@p5091D0BB.dip.t-dialin.net] has joined ##openvpn 21:36 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn 21:52 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 22:34 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Connection timed out] 22:35 -!- nemysis [n=nemysis@74-130.3-85.cust.bluewin.ch] has joined ##openvpn --- Day changed Thu Mar 26 2009 00:04 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 00:06 < _jack--> I have installed openvpn in linux server. 
I can access web port(80) of all network computer(servers) but i can't access the web port of openvpn installed server.. 00:06 < _jack--> can anybody have any ideas? 01:13 -!- _jack-- [n=kaushal@202.79.41.215] has quit [Read error: 104 (Connection reset by peer)] 01:26 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 01:32 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 01:42 < _jack--> i have installed openvpn server in linux computer. i can access the web (port 80) of other computer in the network but can't access the web(port 80) of openvpn installed computer... 01:43 < _jack--> how can i do that? anybody have any idea? 02:18 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"] 02:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:48 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 03:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:10 -!- polaru [n=polaru@93.113.192.70] has quit [No route to host] 03:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:23 < mjt> !interface 03:23 < vpnHelper> mjt: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 03:26 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 03:58 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)] 04:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 04:16 < reiffert> moin 04:34 < _jack--> moin 04:47 < _jack--> how can i open web pages(port 80) of openvpn installed linux server machine? 04:47 < _jack--> i can access web pages of all server in openvpn server's network servers... 
04:50 < krzee> use the vpn ip of the vpn machine for it 04:51 < krzee> (after making sure webserver listens on it) 04:51 < krzee> !dh 04:51 < vpnHelper> krzee: Error: "dh" is not a valid command. 04:51 < krzee> !actoids search dh 04:51 < vpnHelper> krzee: Error: "actoids" is not a valid command. 04:51 < krzee> !factoids search dh 04:51 < vpnHelper> krzee: 'bridge-dhcp' and 'dhcp' 04:51 < krzee> bleh 04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:53 < krzee> ecrist, when you get this, i am using ssl-admin on fbsd8-current with up to date openssl from ports, and the dh menu item does nothing for me, just hangs... may wanna test 05:07 < reiffert> found some time to plug in some NICs for your gbit lan? 05:07 < krzee> didnt have time to pick any up 05:08 < krzee> but i notice serious delay on getting a connection to anything on the inet when plugged into that switch 05:08 < krzee> vs direct on wifi 05:08 < krzee> so i think i need a NIC for the bsd box and a new switch =/ 05:08 < krzee> ill get the NIC first tho so i can check out the xover cable 05:13 < _jack--> krzee: i am using the ip of the vpn machine..but can't access the web... 05:13 < krzee> make sure its listening on the vpn ip 05:13 < krzee> (webserver) 05:14 < _jack--> krzee: is there firewall issues? but i can access the other web server of vpn machine's network.. 05:14 < krzee> sure could be 05:17 < _jack--> krzee: i can't ping vpn machine? but can ping other 05:18 < krzee> welcome to your firewall issue 05:18 < krzee> !linfw 05:18 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 05:18 < krzee> howd you set it up so you could access the lan? 05:56 < mjt> . o O { gbit lan... 
} 05:56 < mjt> with my switch @home, using jumbo frames slows things down. Linearly with frame size. 05:57 < mjt> (nothing to do with openwrt but.. fun) 05:57 -!- zheng [n=Miranda@222.66.224.110] has joined ##openvpn 05:58 < mjt> I tried to stream hd video. gbe is almost enough. i was hoping to reduce overhead by using jumbo frames (less interrupts etc). The speed dropped from 980mbps to about 400mbps when increasing packet size from 1500 to 7200 bytes. 06:00 < mjt> i can only guess that the switch i use splits and reassembles packets internally hence slows down quite a lot. because when connecting two PCs directly, increasing MTU actually increases speed. 06:00 < zheng> hi 06:00 < zheng> Hi, all, openvpn can act as a server and a client synchronously? how to config it? 06:00 < zheng> Just like this: 06:00 < zheng> Host.A(clt)--->(svr)Host.B(clt)----->(svr)Host.C 06:01 < zheng> How to config Host.B? 06:01 < mjt> zheng: two instances 06:01 < mjt> two separate interfaces and two configs 06:02 < zheng> two instances? it's the only method? 06:02 < mjt> yes 06:02 < mjt> another method is to modify the source. patches welcome, i guess ;) 06:02 < mjt> technically there's nothing to stop it from acting as both client and server. 06:02 < zheng> oh, i see, so bad, 06:03 < mjt> but that code isn't written 06:03 < zheng> mjt, thx, 06:03 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 06:03 < zheng> I'll read the source. 06:11 < _jack--> krzee: i can ping tap0 ip but can't public ip of vpn machine.... 06:24 -!- bsund [n=bsund@unaffiliated/bsund] has left ##openvpn [] 06:42 < ecrist> morning, folks 06:52 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 07:06 < reiffert> moin 07:15 -!- zheng [n=Miranda@222.66.224.110] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"] 07:32 < ecrist> his setup is flawed. 07:32 < ecrist> was about to tell him, until I saw he left. 
07:32 < ecrist> *shrug* 07:38 < mjt> what's flawed in his setup? 07:39 < mjt> (i think you're talking about zheng, right?) 07:39 < ecrist> unless he's doing some weird gateway redirection, there's no reason to run a server on Host.C. Host.C and Host.A could connect to a server running on Host.B 07:40 < mjt> aha 07:40 < mjt> well, the question he asked -- that's the same question i asked some time ago as well. 07:40 < mjt> and it was for a reason. 07:40 < mjt> here, i've two separate networks that belong to two separate organisations. 07:40 < ecrist> there are few good reasons to do it that way 07:41 < mjt> we run our own network, and need to access "their" network 07:41 < mjt> so there's 2 servers, and one of them acts as client for another. 07:42 < mjt> (actually we've 4 servers running like that, but that's details) 07:43 < ecrist> if you don't control all of the servers, there's potential for ip address duplication, which breaks the whole thing 07:43 < ecrist> last I checked, VPNs pass traffic in both directions... 07:43 < mjt> the client that's running on the server does not accept options from other server 07:44 < mjt> ie, it does not have --pull option 07:44 < ecrist> sure, but you need an ip address, regardless 07:44 < mjt> and it will only pass whatever traffic i'll tell it. 07:44 < mjt> yes 07:44 < ecrist> and, again, you run the risk of duplicate IPs, unless you control all the servers 07:45 < mjt> there are 2 aspects here - just potential conflict of address space and deliberate attempt(s) to break into someone's net. 07:45 < belZe> hey guys, been busy all day. no time trying openvpn today :( 07:46 < mjt> ecrist: we agreed on the former, and i took care of the latter by adding necessary constraints on my side. 07:47 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 07:48 < mjt> omg. 07:48 < mjt> speaking of address space conflicts... 
07:48 < js_> when a second user in my lan tries to connect to the same openvpn endpoint as i, he gets connection refused, why is that? 07:48 < mjt> a client of ours is using 169.254.244.0/24 for their lan 07:48 < ecrist> lol 07:49 < ecrist> really, there isn't anything too wrong with that. systems that auto-assign the address space should detect used IPs 07:49 < mjt> and they asked for tunnel from "outside" to that their lan 07:50 < mjt> some renumber is in order. i can't let them out (even into our infrastructure) with those IPs. 07:51 < _jack--> public ip of openvpn linux machine is not pinging...how to make it pingable? 07:51 < mjt> js_: sure it's not some firewall prob and he actually tries to send packet to that host? 07:51 < mjt> _jack--: if it's not "pingable", how can you connect to it in order to set up tunnel? 07:52 < mjt> (assuming that by "pingable" you actually mean "reachable" or somesuch) 07:52 < _jack--> mjt: i have used natting 07:53 < _jack--> i can ping the private ip assigned by openvpn ...ie tap0 07:53 < mjt> belZe: by the way, just in case... is your nat table empty (iptables)? 07:55 < js_> mjt: apparently it was a config error on his side, but we ran into a second problem 07:55 < ecrist> _jack--: you need to enable ip forwarding 07:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:56 < js_> both of us can't be connected at the same time 07:56 < mjt> _jack--: if you want help, please, describe your problem cleanly. Before typing it in there, re-read it and try to see it from a point of view of someone who has no idea at all how your config looks like. 07:56 < ecrist> js_: do you have mode --server? 
07:56 < js_> if i'm connected and he connects, my tunnel dies 07:56 < ecrist> !configs 07:56 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:56 < mjt> js_: using the same cert? 07:57 < ecrist> mjt: same cert wouldn't get connection refused 07:57 < ecrist> either, it would work, or the first connection would be dropped 07:57 < js_> i got rid of connection refused, that was because he had set tcp instead of udp 07:57 < js_> mjt: hmm, i made different certs, but i'll check anyway 07:58 < mjt> ecrist: < js_> if i'm connected and he connects, my tunnel dies 07:58 < ecrist> ah, I didn't see that line. was responding to lines above that 08:00 < js_> we use the same "ca", but "cert" and "key" differ 08:00 < ecrist> js_: can you pastebin your server logs, please? 08:00 < _jack--> mjt: actually i have setup openvpn in linux machine. it is working....this machine is also web server...from vpn client machine, i can ping private ip assigned by openvpn(tap0) but can't ping public ip of openvpn machine...anyhow i want to access the web server.. 08:00 < js_> ecrist: one sec 08:00 < ecrist> _jack--: see my message to you, above 08:01 < js_> ecrist: hehe, thanks for that, i just found this "MULTI: new connection by client 'trodon.se' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want mu 08:01 < js_> ltiple clients using the same certificate or username to concurrently connect." 08:02 < ecrist> :P 08:02 < js_> is it the ca.crt that causes the conflict then? 08:03 < _jack--> ecrist: i have no idea about ip forwarding?...how can i do that? 08:03 < mjt> client.key 08:03 < ecrist> no, it's the CN of the client cert 08:03 < mjt> and cert 08:03 < js_> they can be the same even if "diff" shows they're not? 
08:03 < ecrist> so, if you created two client certs with the same CN, you'll run into that problem. 08:04 < js_> ahhh 08:04 < js_> i see 08:04 < js_> thanks a lot 08:04 < ecrist> diff will show different certificates, because of the encryption 08:04 < js_> yeah, i thought so 08:07 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"] 08:51 -!- fraggan [n=frhe@gate-kd.krsystem.se] has joined ##openvpn 08:54 < ecrist> hi, fraggan 09:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 09:20 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: rdz, l2trace99, krzie, RexMundi_, clustermagnet, dazo, xor|, pa, hagna_, worch, (+19 more, use /NETSPLIT to show all of them) 09:20 -!- Irssi: ##openvpn: Total of 28 nicks [0 ops, 0 halfops, 0 voices, 28 normal] 09:21 -!- Netsplit over, joins: tarbo2 09:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 09:22 -!- belZe [i=server3@p5091D0BB.dip.t-dialin.net] has joined ##openvpn 09:22 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 09:22 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has joined ##openvpn 09:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 09:22 -!- RexMundi_ [n=RexMundi@off.spillgroup.com] has joined ##openvpn 09:22 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has joined ##openvpn 09:22 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn 09:22 -!- Bushmills [n=nnnnl@verhau.de] has joined ##openvpn 09:22 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn 09:29 -!- sunga [n=naft@77.109.123.56] has joined ##openvpn 09:29 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 09:29 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn 09:29 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 09:29 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 09:29 -!- Solver [n=robert@99.229.28.193] has joined 
##openvpn 09:29 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 09:32 < ecrist> I want to shoot our web developer 09:33 < ecrist> we spent an entire year normalizing our web code and making it compliant to standards. 09:33 < ecrist> all of the code he's written since has been cobbled-together crap 09:35 < SuperEvilDeath15> standards are for pussies, if it works in IE7 then its fine :P 09:35 -!- frhe_ [n=frhe@gate-kd.krsystem.se] has joined ##openvpn 09:35 -!- fraggan [n=frhe@gate-kd.krsystem.se] has joined ##openvpn 09:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:35 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 09:35 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn 09:35 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 09:35 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 09:35 -!- hagna_ [n=hagna@70.102.57.178] has joined ##openvpn 09:35 -!- rdz [i=roman@netpd.org] has joined ##openvpn 09:35 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 09:35 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 09:36 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, fraggan, rdz, frhe_, hagna_, troy-, Kreg-Work, Gumbler, reiffert, prxtien, (+1 more, use /NETSPLIT to show all of them) 09:36 < ecrist> SuperEvilDeath15: funny, but it's just the inverse. he builds his code testing in firefox. ~70% of our user base uses IE. his code isn't working in IE 09:37 < ecrist> he told me he assumes it's because IE isn't compliant. turns out, it's his code. 09:37 < ecrist> one fairly simple page has ~100 errors 09:38 < ecrist> missing tags, duplicate tags, unclosed divs, etc. 
09:41 -!- Netsplit over, joins: frhe_, fraggan, mikkel, krzie, prxtien, Kreg-Work, reiffert, hagna_, rdz, Gumbler (+1 more) 09:43 -!- frhe_ [n=frhe@gate-kd.krsystem.se] has quit [Read error: 104 (Connection reset by peer)] 09:48 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, rdz, fraggan, hagna_, troy-, Kreg-Work, Gumbler, reiffert, prxtien, mikkel 09:54 -!- Netsplit over, joins: reiffert 09:54 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn 09:54 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 09:54 -!- Netsplit over, joins: prxtien 09:54 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 09:54 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:56 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn 09:56 -!- Gumbler_ is now known as Gumbler 09:56 < ecrist> so many netsplits today 09:56 -!- rdz [i=roman@195.176.254.176] has joined ##openvpn 09:57 -!- troy- [n=troy@38.103.146.115] has joined ##openvpn 10:02 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has left ##openvpn [] 10:12 -!- worch [i=worch@battletoad.com] has joined ##openvpn 10:12 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 10:17 < cpm> enjoy the ride 10:36 * ecrist shoots above-referenced developer. 
10:44 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 10:44 -!- Netsplit over, joins: worch, pa 10:53 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 11:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 11:05 -!- Netsplit over, joins: worch, pa 11:08 -!- achilles [n=achilles@82.205.120.165] has joined ##openvpn 11:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:08 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 11:09 -!- Netsplit over, joins: pa, worch 11:10 < achilles> hello guys, I have a simple problem, I have site to site vpn, one is the server and the other is the client, the tunnel is perfect but if the tunnel is idle for a short time, it loses the connectivity and I have to ping a server from the other end point to bring it back to life, the tun0 device doesn't go off 11:12 < Bushmills> achilles, won't any activity, not just ping, make it active again? 11:12 < achilles> just ping make it again 11:13 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 11:13 < Bushmills> only ping, i.e. no connection if you don't ping before? 11:13 -!- Netsplit over, joins: pa, worch 11:14 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 11:15 < Bushmills> you might want to check out the keepalive option - though it is meant to detect if the other side went down, not to keep it active. 11:15 -!- mikkel_ is now known as mikkel 11:15 < Bushmills> but as it pings in interval specified, it should do the job 11:16 < achilles> Bushmills, yes I run a process ping -i 10 ... 
in the background 11:16 < achilles> and it's ok with it I think 11:17 -!- Netsplit over, joins: worch, pa 11:17 < Bushmills> server has a keepalive option, which would probably make your extra ping process unnecessary 11:20 < achilles> that would be great 11:20 < ecrist> recommend --keepalive 10 120 11:29 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 11:29 -!- Netsplit over, joins: worch, pa 11:40 < achilles> Bushmills, ecrist thank you very much 11:46 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 12:06 -!- Netsplit over, joins: worch, pa 12:13 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:19 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch 12:19 -!- Netsplit over, joins: pa, worch 12:19 -!- achilles [n=achilles@82.205.120.165] has quit ["Leaving"] 13:14 -!- znoG [n=gs@host131.190-139-153.telecom.net.ar] has joined ##openvpn 13:14 < znoG> hey all.. i've got an openvpn server in shared key mode, and i want to setup different routes depending on which client connects .. is there a way to specify them on the client side and not server side? 13:15 < znoG> ie. client 1 connects with the key .. route 192.168.100.0/24 on the server to client 1 ... client 2 connects with the same key -> route 192.168.1.0/24 to client 2 13:15 < znoG> ideally i'd like to specify the routes on the client side openvpn 13:15 < znoG> ie. tell the server which networks to route to the connecting client 14:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 14:22 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn 14:22 -!- SuperEvilDeath16 [n=death@212.206.209.177] has joined ##openvpn 14:22 < Improv> Is there a way to have a single OpenVPN server serve both TCP and UDP clients yet? 14:23 < reiffert> No, but there is a discussion on the mailinglist. 14:23 < Improv> reiffert: Ahh. I'll take a look. 
I desperately need this function - running two instances of OpenVPN would not work well for our needs. 14:28 < reiffert> Then take a seat, add an additional socket() bind() and put the resulting filedescriptor into the rfds and wfds select sets, done. 14:28 < Improv> I would prefer not to patch it myself if at all possible :) 14:29 < reiffert> else explain why running two instances would not work for you. 14:29 < reiffert> well, you can hire a programmer doing the job for you. 14:30 < Improv> reiffert: OpenVPN is embedded into a network testbed infrastructure, and we already have code that manages routes between our networks - running two instances with their own IP pools and stuff would make that code very hairy 14:31 < ecrist> Improv: they would need their own pools, but could serve the same subnet 14:31 < Improv> reiffert: As it so happens, I am a programmer, I just *like* thinking of OpenVPN as a black box. 14:31 < Improv> ecrist: Right, but if a node falls back to UDP, it can't keep its assigned IP 14:31 < reiffert> sure it does. 14:32 < reiffert> it's a matter of configuration. 14:32 < Improv> I thought the OpenVPNs have a range of IPs they hand out 14:33 < Improv> and if a node's IP is assigned to it, it would have to be within the range of that OpenVPN 14:33 < Improv> Lol, this is like thinking about phone# portability :) 14:33 < reiffert> Improv: if a client "falls back from tcp to udp" or "from one instance to another", it is already disconnected, right? 14:33 < reiffert> and even if not. 14:34 < Improv> In a perfectly ideal world, I'd be able to tell the openvpn server to serve both tcp and udp, and have clients try udp first and if it fails then try udp... 
14:34 < reiffert> the client comes up with a unique identifier 14:34 < reiffert> the certificate 14:34 < Improv> reiffert: Yes, but the IP address is in all sorts of databases 14:34 < reiffert> just hand out the same ip to that particular certificate 14:34 < reiffert> done 14:34 < reiffert> Improv: so? 14:35 < Improv> reiffert: ... Ok, maybe I am not getting something here. 14:35 < Improv> 2 instances of OpenVPN - do they need their own IP pools or not? 14:35 < reiffert> Where exactly did you stop getting things? 14:35 < Improv> Let's find out :) 14:35 < reiffert> Improv: they could have their own IP pools, but they dont need to. 14:36 < Improv> If I want the "node can automatically ping all other nodes on the same openvpn server" config, can that work across openvpns without enabling general routing? 14:36 < reiffert> yes. 14:37 < Improv> Really? That's handy. The openvpns somehow will spot each other and forward traffic without my needing to tell the OS anything? 14:38 < Improv> I'll have to read up more about setting that up 14:38 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)] 14:39 < Improv> With any luck all this will be academic - still arguing with the sysadmins at Intel about their stupidly restrictive firewall. ... 14:39 < reiffert> I just wonder what those last things have to do with where you stopped getting things. 14:41 < ecrist> Improv: I hate to tell you, but your config is broken 14:41 < reiffert> ? 
14:42 < Improv> reiffert: I was under the impression that I would need to set up a separate pool of IPs on a separate "subnet" for each openvpn to hand out, and that I would need to set up routing between those pools in order for vpn clients to see each other for "client-to-client" to work, and also that they would not be able to retain the same IP when moving from tcp to udp or vice versa 14:42 < ecrist> Improv: Openvpn doesn't require its own subnet 14:42 < ecrist> subnet != pool 14:42 < ecrist> an openvpn pool of addresses can be within an existing subnet on a LAN 14:43 < reiffert> Improv: you can do soo many things with openvpn, howabout you start now and learn them, step by step or get lost in docs first? 14:43 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 14:43 < ecrist> for that matter, why not run a bridged VPN, assigning IPs from a non-openvpn DHCP server to begin with. 14:43 < Improv> reiffert: I do like powerful software - I guess I should learn more about it. 14:43 < ecrist> all that stuff goes away. 14:44 < Improv> ecrist: I'll look into that. Thanks for the suggestion. 14:45 < Improv> I only looked into OpenVPN for a few hours before I started to integrate it into our network testbed software - maybe I should've spent more time on it. 14:46 < reiffert> Improv: openvpn can pass layer 3 packets from one side to another. that's where a transfer-subnet takes part. 14:46 < reiffert> Improv: it also can pass layer 2 frames from side to side, that's where the latter happens. 14:47 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 14:47 < reiffert> Improv: with the former (tun), basic routing rules may or may not take part 14:47 < Improv> reiffert: The way we're using OpenVPN is just meant to traverse NAT/provide "static" IPs to remote parts of our network testbed.. 
14:47 < reiffert> Improv: passing ethernet frames is done with the tap adapter, which may be used to take part in a bridge. 14:48 < Improv> I'm presently using tun - I'm hoping not to change that unless I must. 14:48 < reiffert> Improv: openvpn can handle ip pools just like a dhcp server would. It even can act as a dhcp server (just basic stuff) 14:49 < reiffert> Improv: another option is to hand out static ip addresses. so every time the same client connects, it will get the same ip address. 14:49 < reiffert> you can even mix both situations. 14:49 < reiffert> !ccd 14:49 < reiffert> !ipp 14:49 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 14:49 < vpnHelper> reiffert: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 14:50 < reiffert> hope you get the idea(s) 14:50 < Improv> reiffert: so long as the client-to-client stuff works across different openvpns and I can use truly static IPs, all using tun rather than tue, I will be happy. 14:50 < Improv> I clearly have more reading to do. 
14:52 < Improv> So far I am quite happy with OpenVPN (although I still think allowing both tcp and udp in the same daemon would be a plus) 14:52 < Improv> Thanks for the help, reiffert and ecrist 14:53 < ecrist> np 15:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 15:15 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"] 15:16 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn [] 15:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:41 < mjt> !static 15:41 < vpnHelper> mjt: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 16:05 -!- jameswhite [n=james@fapestniegd.jameswhite.org] has joined ##openvpn 16:17 -!- dazo_home [n=David@r9dm48.net.upc.cz] has joined ##openvpn 16:17 < dazo_home> !howto 16:17 < vpnHelper> dazo_home: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:17 < dazo_home> !route 16:17 < vpnHelper> dazo_home: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:27 < dazo_home> krzee: ecrist: any of you on now? anyone know about where tunnelblick hides the openvpn binary? 16:27 * dazo_home is helping out a friend on mac over the phone 16:30 < dazo_home> By the way ... any known issues with tunnelblick and --auth-user-pass ? 17:08 < dazo_home> never mind ... we managed to enable sshd .... 
so openvpn got compiled from scratch 17:10 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 17:28 < krzie> just got in 17:28 < krzie> tunnelblick doesnt control anything i know of 17:28 < krzie> it just runs openvpnj 17:28 < krzie> err -j 17:28 < krzie> so there should be no issues with tunnelblick + * 17:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:32 < krzie> and if there are, just dont use tunnelblick 17:32 < krzie> its simple enough to make a script double-clickable in osX 17:32 < krzie> you just make a bash script, and make it named something.command 17:33 < krzie> then they close the window to kill the vpn 17:33 < krzie> hell i think thats easier than tunnelblick 17:42 -!- dli [n=dli@adsl-75-22-21-198.dsl.chcgil.sbcglobal.net] has joined ##openvpn 17:42 < dli> hi, "tcpdump -i tun0" can show traffic, but I couldn't ping either way 17:43 < dli> no firewall 17:43 < krzie> firewall 17:43 < krzie> lol 17:43 < krzie> !linfw 17:43 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 17:45 < dli> krzee, I don't have any firewall on either side :( default to accept 17:48 < krzie> default to accept on all those chains? 17:49 < dli> krzee, let me pastebin iptables -L 17:49 < dli> krzie, http://pastebin.ca/1373444 17:49 < reiffert> dli: use -n on tcpdump 17:50 < reiffert> and when pasting iptables use iptables -t filter -v -n -L and iptables -t nat -v -n -L 17:50 < reiffert> !interface 17:50 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:52 < krzie> dli, what are you trying to ping? 17:54 < dli> krzie: new iptables -F, http://pastebin.ca/1373450 17:54 < dli> krzie: IP of the other end 17:55 < dli> krzie: tcpdump -i tun0, http://pastebin.ca/1373446 17:56 < reiffert> dli: tell him to use -n on tcpdump as well 17:56 -!- huslu_ is now known as huslu 17:58 < krzie> hehe 17:58 < krzie> use -n on tcpdump as well! 17:58 < krzie> and more importantly to me, 17:58 < krzie> !logs 17:58 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 17:58 < dli> reiffert, krzie : tcpdump -n -i tun0: http://pastebin.ca/1373453 17:58 < reiffert> what is he trying to achieve anyway? 17:58 < krzie> reiffert, you've seen everything i did 17:58 < dli> reiffert, I couldn't ping, or use any service at all 17:59 < krzie> you popped in right at the start 17:59 < dli> krzie, let me do verb 6 17:59 < reiffert> dli: tcpdump tells us: you can. 17:59 < reiffert> dli: looks like a phone call to your mama 17:59 < krzie> reiffert, good call... i need to call my mama too 18:00 < reiffert> however, 192.168.2.2 fucked up routing. 
18:00 < krzie> !configs 18:00 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:00 < reiffert> krzie: I did today, birthday 18:00 < dli> reiffert, ping 192.168.2.2 with 100% packet loss 18:00 < krzie> lets see those configs 18:00 < krzie> even before the logs 18:01 < reiffert> dli: do as you were told: !logs !configs and more important: !interface 18:01 < dli> !interface 18:01 < vpnHelper> dli: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 18:02 < krzie> i think !configs is most important if you say routing got messed up, prolly quickest way to his solution 18:03 < reiffert> dli: that tcpdump you were pasting, where did that come from, client or server? 18:03 < dli> reiffert, from the server 18:03 < dli> reiffert, krzie: interfaces with openvpn on: http://pastebin.ca/1373460 18:04 < reiffert> dli: why are there three different subnets on tun0? 18:04 < reiffert> dli: yong = serverss 18:06 < dli> reiffert, aha, might be the problem 18:06 < dli> reiffert, configs: http://pastebin.ca/1373461 18:07 < dli> reiffert, double checked, don't see 3 subnets 18:08 < dli> reiffert: just 192.168.2.1/32 192.168.2.2/32 18:08 < reiffert> dli: from the tcpdump you were pasting, I can see three. 18:09 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"] 18:09 < dli> reiffert, 192.168.1.3 is the IP of wlan0 on yong 18:09 < dli> reiffert, 192.168.2.2 is tun0 on yong 18:09 < reiffert> dli: and that packet belongs to tun0? 
18:10 < dli> reiffert, 18:07:29.557373 IP 192.168.1.3.5060 > 192.168.2.1.5060: SIP, length: 596 18:10 < dli> reiffert, yes, from "tcpdump -n -i tun0" 18:14 < dli> reiffert, logs at the client side: http://pastebin.ca/1373473 18:14 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 18:14 < dazo_home> krzee: thanks! Yeah, I don't know what was wrong with tunnelblick ... but the guy is not too advanced at all, but when he managed to enable ssh ... I got into the box, downloaded and compiled openvpn ... put a shell script on the desktop ... and it worked out pretty nicely :) 18:14 < dazo_home> krzee: thanks anyway! :) 18:16 < krzie> perfect, exactly what i woulda done 18:16 < krzie> you made the shell script named something.command? 18:16 < krzie> if so its double clickable for him 18:16 < dli> krzie, logs at the server side: http://pastebin.ca/1373475 18:17 < dazo_home> krzee: no, I didn't know about that extension .... I called it startvpn.sh ... and he figured out that he could click on it somehow, and the terminal fired and he could log in 18:17 < krzie> wow there's a lot of people needing help with ptp setups lately 18:17 < dazo_home> krzee: I'll try to remember to tell him to rename it, though ;-) 18:17 < krzie> he prolly had to right click and tell it to run in term 18:17 < krzie> yup, once its .command he just clicks and boom 18:18 < krzie> my boy at apple told me that one =] 18:19 < dazo_home> krzie: cool ... I'll pass the info further ... anyway, tunnelblick sounds like a nice option .... but when I tried to figure out things about it, it's a dead silent community around it .... kinda disappointing, considering it's one of the few gui tools for openvpn and osx ... 
I'd expect more response 18:19 < krzie> hrm, those logs tell me openvpn is working fine 18:20 < krzie> dazo_home ya back when i tried it all it would do is crash 18:20 < krzie> maybe ill try it again so i can help people with it 18:20 < krzie> but to me its always been pointless as i wanna see the stuff in the term anyways 18:20 < krzie> so i make the shell script like you did, then put a shortcut to it in stacks 18:20 < krzie> (i use a shortcut so i can change the icon on it) 18:21 < krzie> my scripts are all in stacks and all use www.ircpimps.org/pimpin.jpg as their icon) 18:21 < dazo_home> krzie: yeah, but for such point'n'click people, they don't like terminals, as it disrupts their karma 18:21 < dazo_home> cool icon 18:21 < krzie> hehe, ya gui's for commandline tools disrupt mine, so i understand 18:22 < krzie> thanx =] 18:22 < krzie> i had a guy make it for me (im graphically retarded) 18:22 < krzie> and i hosted his private web stuff for a yr or 2 18:22 < dazo_home> nice deal :) 18:22 < dazo_home> well ... I'm headed for bed now .... c'ya guys tomorrow! 18:22 < krzie> yup, he loved it and i love what i got 18:22 < krzie> later! 18:22 -!- dazo_home [n=David@r9dm48.net.upc.cz] has quit ["Leaving"] 18:28 < dli> krzie, any idea? 18:29 < krzie> get on yong and ping 192.168.2.1 18:29 < krzie> also those logs you sent me were kinda useless 18:30 < krzie> i need both sides, and i need them from the very start 18:30 < krzie> logs from after the connection dont mean anything to me 18:30 < krzie> except that packets are being grabbed and responded to 18:31 < dli> krzie, one moment 18:32 < reiffert> he also forgot routing tables and all the stuff when being not connected. 
18:32 < krzie> i'd also like to congratulate you on following directions from !logs and !configs better than many people 18:32 < krzie> doh, i guess not from !interface tho 18:32 < krzie> lol 18:33 < krzie> !interface 18:33 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 18:33 < krzie> follow that one to a T please 18:37 < dli> krzie, logs from the client side: http://pastebin.ca/1373490 18:38 < dli> krzie, server side logs: http://pastebin.ca/1373491 18:39 < dli> reiffert, route at the server side: http://pastebin.ca/1373492 18:39 < krzie> # 18:39 < krzie> Mar 26 18:31:44 localhost openvpn[24169]: OpenVPN 2.0.7 x86_64-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 10 2008 18:39 < krzie> dude 18:40 < krzie> update that 18:40 < krzie> any idea how many yrs old that is? 18:40 < krzie> 2.0.9 is like 4 yrs old 18:41 < dli> reiffert, route at the client end: http://pastebin.ca/1373494 18:41 < reiffert> dli: sorry, I'm watching latest episodes on heroes and 24, I lost interest. 18:42 < dli> krzie, I can upgrade to 2.1_rc15 18:42 < krzie> good, upgrade both sies to that 18:42 < krzie> sides 18:44 < krzie> how'd you even find that old code? 
18:45 < dli> krzie, it's stable version on gentoo :( 18:45 < krzie> i been helping in this chan for like 2 yrs and never seen a version that old 18:45 < krzie> no way, ive installed from gentoo portage before 18:45 < dli> Available versions: 2.0.6 2.0.7-r2!t (~)2.0.9!t (~)2.1_rc15 18:45 < krzie> it for sure was at least 2.0.9 18:45 < dli> 2.0.9 is masked by ~amd64 18:45 < krzie> o 18:45 < krzie> ya i wasnt using amd64 18:46 < krzie> install from source if you must 18:46 < krzie> but 2.1_rc15 is what you want 18:46 < krzie> so if you can use portage for that, go for it 18:46 < dli> krzie, 2.0.9 also masked by ~x86 18:48 < krzie> i have no gentoo now, but get 2.1_rc15 running 18:48 < krzie> however you gotta do it 18:51 < dli> krzie, great, it simply works with 2.1_rc15 18:51 < krzie> right on 18:51 < krzie> reiffert, it was his old ovpn version 18:51 < krzie> (2.0.7) 18:51 < dli> krzie, let me see whether I can bug bugs.gentoo.org 18:52 < krzie> cool, always appreciate someone helping us see the same problem less times 18:53 < reiffert> :) 19:01 -!- nemysis [n=nemysis@74-130.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 19:02 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has joined ##openvpn 19:20 < krzie> !learn allinfo as Please type !configs !logs and !interface to see all the info we want to be able to help you 19:20 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 19:20 < krzie> bleh 19:20 < krzie> !learn allinfo as Please type !configs !logs and !interface to see all the info we want to be able to help you 19:20 < vpnHelper> krzie: Joo got it. 19:20 < reiffert> hehehe 19:20 < krzie> vpnHelper whoami 19:20 < vpnHelper> krzie: krzee 19:20 < krzie> thats right, and dont you forget it! 
19:21 < reiffert> make the bot paste that info to everyone joining automatically 19:21 * krzie threatens vpnHelper with a kill -9 19:21 < krzie> reiffert, thing is we often dont need all that 19:21 < reiffert> people even dont put "all that" online, even if we need it 19:21 < krzie> many times i just give them !route or !linfw etc 19:22 < krzie> lol no kidding 19:22 < krzie> ie: his problem, with !configs if he gave us version as it asked, we woulda stopped right there 19:22 < reiffert> yep 19:22 < krzie> but im so accustomed to not getting it, i forgot to demand it 19:23 < reiffert> 2nd time in the last 24hours 19:23 < krzie> i was just happy he used verb 6 and didnt have comments in the configs 19:23 < reiffert> :)) 19:23 < krzie> why is everyone who needs help using ptp lately? 19:23 < krzie> must be some new writeup high on google or something 19:23 < reiffert> Just like I am for every guy removing the comments, hell yeah 19:24 < reiffert> krzie: two answers: everyone is using tun as you tell them not to use bridging, so all the problems are with ptp 19:24 < reiffert> I forgot the 2nd one 19:25 < krzie> but tun with server (net30) seems like the more common approach to me 19:25 < krzie> i seem to be mistaken lately 19:25 < krzie> but ya, i am a tun nazi 19:25 < krzie> lol 19:25 < reiffert> people should get an idea of basic routing ... 19:26 < krzie> totally, bridging is so rarely actually the solution 19:26 < krzie> and its actually less easy to setup! 
19:26 < krzie> (imho) 19:27 < krzie> ild really like to make a writeup for default routing over the vpn, but i just dont know where to start 19:27 < krzie> it would have so many 'ifs' 19:28 < krzie> with links to other writeups 19:28 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 19:28 < krzie> 3 for like each thing, win lin and bsd 19:28 < reiffert> let's start with !howto :) 19:29 < krzie> ya but i believe my walkthrough on !route is better than the howto for that purpose 19:29 < krzie> i wish i had !route when i was learning it 19:29 < krzie> i actually had to dig through the code before i fully understood iroute 19:30 < krzie> (when i was chaining ovpn's for anonymizing) 19:30 < krzie> 1 machine with 2 clients, routing from 1 server to other to go to another client doing same thing 19:31 < krzie> took really understanding iroute to accomplish 19:32 < reiffert> Never used iroute yet, guess I'll have to learn it some day 19:33 < krzie> !iroute 19:33 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 19:33 < krzie> now you fully understand it 19:33 < krzie> =] 19:45 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 20:07 < dli> now, I'm doing ekiga voip through openvpn, no need for SIP accounts 20:08 < ecrist> dazo: did you get your question answered? 20:09 < ecrist> I see you sort of did. 
20:10 < ecrist> for the record, the openvpn binary is kept in /Applications/Tunnelblick.app/Contents/Resources on default-installed Tunnelblick 20:10 < ecrist> there is no problem replacing the binary with self-compiled copies, as I did so before they supported rc15 on 2.1 20:20 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 20:33 -!- znoG [n=gs@host131.190-139-153.telecom.net.ar] has quit [Read error: 110 (Connection timed out)] 21:23 -!- belZe [i=server3@p5091D0BB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:23 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has joined ##openvpn 22:08 < krzie> oh hey ecrist 22:08 < krzie> did you see my message about ssl-admin and dh? 22:09 < krzie> (not that it affected me, i just thought you'd like to know) 22:09 < krzie> when i ran the openssl command as stolen from easy-rsa2 it worked just fine 22:13 < krzie> but when i ran dh from ssl-admin, it just froze up, required a ctrl C, checked top and it wasnt trying to do anything, no cpu usage 22:13 < krzie> when i ran it manually it used 100% of a core 22:14 < krzie> i can check what was wrong when i get home if you like 22:17 < ecrist> krzie: no, I didn't 22:17 < ecrist> please, otherwise hit me up tomorrow and I'll look into it. 
22:17 * ecrist is working on a basic blackberry theme 22:18 < krzie> sweet 22:19 < krzie> ill take a look tonight while im building my new desktop 22:19 < ecrist> there's a free 'today' theme for my 8900 curve, but it requires Desktop Manager - a windows app 22:19 < ecrist> I don't have a windows box 22:19 < krzie> (and while i teach myself how to burn dvds in fbsd) 22:19 < ecrist> so I'm building a theme for OTA download 22:19 < krzie> i thought you said you had a windows box for work stuffs 22:20 < ecrist> ok, s/$/ that I want to install a 300MB app on simply to install a theme/ 22:20 < krzie> haha 23:39 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit ["leaving"] --- Day changed Fri Mar 27 2009 00:00 * ecrist buys another domain. 00:00 < ecrist> bbthe.me 00:02 < krzee> ? 00:02 < krzee> oh 00:02 < krzee> bb theme 00:02 < krzee> gotchya 00:22 < Flumdahl> anyone running a vpn client on openbsd? 00:25 < krzee> neg but it shouldnt be hard... 00:25 < Flumdahl> need to use it with tun* interface 00:25 < Flumdahl> do i need to have a tun interface on the server too? 00:26 < krzee> sure 00:26 < krzee> what os is server? 00:26 < Flumdahl> debian 00:27 < krzee> ok 00:27 < krzee> wheres the problem you're running into? 00:27 < krzee> i was thinking server was windows and you were confused bout how to use tun on win 00:28 < krzee> cause it only has tap device, but that "tap" can emulate tun 00:28 < krzee> but thats not it, so whats up? 00:30 < Flumdahl> have not tested it yet. just know that a real tap interface wont work in openbsd cuz they have no support for that. only tun interfaces. so my question was just if i can mix it up with a tap interface on the server and tun on client 00:31 < krzee> why would you even want to do that? 
00:31 < krzee> tun sends layer3 00:31 < krzee> tap sends layer2 00:31 < krzee> besides, for 99% of stuff you only want layer3 00:31 < krzee> and thats hilarious theres no tap for obsd 00:32 < Flumdahl> hmm 00:45 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn 00:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Nick collision from services.] 00:46 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Client Quit] 00:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 01:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:38 < krzee> Flumdahl, http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 01:38 < vpnHelper> Title: Re: openvpn client with tap device | KernelTrap (at kerneltrap.org) 01:39 < krzee> !learn obsdtap as http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways) 01:39 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 01:40 < krzee> !learn obsdtap as http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways) 01:40 < vpnHelper> krzee: Joo got it. 
01:53 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 02:30 < krzee> ecrist, i dont see why dh in ssl-admin didnt work, looks good to me in the code 02:30 < krzee> only thing i could think is to brace the vars 02:30 < krzee> for extra protection for them 02:30 < krzee> but shouldnt need it 02:40 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 03:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 03:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:45 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"] 04:46 -!- xipo [n=x@81-229-83-53-no65.business.telia.com] has joined ##openvpn 04:50 < xipo> !route 04:50 < vpnHelper> xipo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 05:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:08 < xipo> !logs 05:08 < vpnHelper> xipo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 05:09 < xipo> !howto 05:09 < vpnHelper> xipo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 05:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: stephenh, xor|, sunga, ropetin 06:05 -!- Netsplit over, joins: sunga, ropetin, xor|, stephenh 06:06 * cpm kicks things 06:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 06:41 -!- dli [n=dli@adsl-75-22-21-198.dsl.chcgil.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 06:41 -!- dli [n=dli@adsl-75-22-28-192.dsl.chcgil.sbcglobal.net] has joined ##openvpn 07:08 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 07:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:34 < ecrist> morning, folks 08:01 < xipo> I'm very novice with openvpn. Would it be easy to add a second computer on the server side? I have one server that one can access externally with a VPN. On that server there are a couple of virtual servers running and I want to be able to access them without installing openvpn on them as well. 08:02 < xipo> I'm going to read the manual but thought I'd ask first to see if it is easy to do, otherwise I don't want to fiddle with it. 08:07 < dazo> xipo: with openvpn you have a variety of different ways to connect computers and networks together in a pretty secure way (depending on the configuration you end up with) 08:07 < dazo> xipo: read the docs ... google for openvpn tutorials as well ... I believe Linux Journal has an old article about it, and it gives you the basic knowledge as well 08:07 < dazo> xipo: and have a look at the !howto 08:08 < dazo> !howto 08:08 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 08:10 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has joined ##openvpn 08:12 < fixxxermet> !interface 08:12 < vpnHelper> fixxxermet: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 08:12 < ecrist> xipo: see here: 08:12 < ecrist> !route 08:12 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 08:12 < ecrist> dazo: use the bot, man 08:12 < ecrist> ;) 08:13 < dazo> dazo: heh ... I try to ... but I don't remember all those fancy things you've put into it ;-) 08:15 < fixxxermet> !configs 08:15 < vpnHelper> fixxxermet: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:20 < kala> is there a way for openvpn server to register client's name and IP address in a DNS server ? 08:20 < fixxxermet> I have 8 hosts up on my server's network, but the client is only able to reach 3 of them. And vice versa - the server can not reach all hosts on the client's network. server is ubuntu, ovpn 2.0.6. client is centos, ovpn 2.0.9. http://pastebin.com/d7b791116 should be my relevant info. 08:20 < kala> I don't want to set up a DHCP server on the LAN and use --server-bridge for that purpose. It feels kind of bad and the tunnel setup-time is probably longer? 
08:22 < ecrist> fixxxermet: sounds like a routing issue 08:22 < ecrist> kala: not really 08:26 < kala> ecrist: I could perhaps write a custom script with --client-connect 08:27 < kala> but this is the only way I could think of 08:29 < ecrist> kala: the built-in dhcp server for openvpn is poorly-featured. your best bet is to either use static IPs, or run bridged with a 'real' DHCP server. 08:30 < Bushmills> kala, you could assign fixed addresses for vpn clients, and use a DNS which also serves from /etc/hosts (where you add the vpn names and addresses) or add them to the dns zone file 08:30 < fixxxermet> ecrist: Any recommendations? I am having trouble wrapping my head around routing tables for VPNs 08:31 < ecrist> fixxxermet: there are two options, really. you either need to put a static route for the VPN on each client system on the server lan, or you can put one route on your LAN default gateway, pointing to the VPN subnet 08:33 < fixxxermet> So if the client network is 192.168.8.0/24 and the server network is 192.168.0.0/24... Client: route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.47 (eth1 on server) Server: route add -net 192.168.8.0 netmask 255.255.255.0 gw 192.168.8.10 (eth1 on client) ? 
08:34 < ecrist> yes
08:34 < ecrist> well
08:34 < kala> Bushmills: if I run a DNS server on the OpenVPN server machine, then I would need to have two separate zones for "vpn-connected clients" and "LAN-connected" clients
08:34 < ecrist> no
08:34 < ecrist> fixxxermet: see here
08:34 < ecrist> !route
08:34 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
08:34 < fixxxermet> alright, thanks
08:34 < Bushmills> kala, wouldn't matter as the DNS can serve both
08:35 < Bushmills> kala, if you mean, that DNS should resolve differently depending on what interface the resolve request came in, that's more like a DNS issue
08:40 < kala> no, I mean if a client support needs to connect to the machine, he needs to know, if they need to do RDP to machine.openvpn.company.com or machine.lan.company.com
08:40 < fixxxermet> I am so used to skimming that I've almost forgotten how to read.
09:13 < fixxxermet> ecrist: OK, I believe my openvpn configuration is now correct. I haven't added any custom routing as I am doing the testing from the openvpn server itself. Both my client and server can ping hosts on the other's subnet, but not all of them. Why would this happen?
09:16 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
09:23 < ecrist> fixxxermet: hard to say, without being on your LAN
09:23 < ecrist> my guess would be you've got incorrect routing or conflicting IPs.
10:24 -!- eWizard [n=identd@78.63.180.97] has joined ##openvpn
10:50 -!- xipo [n=x@81-229-83-53-no65.business.telia.com] has quit []
10:54 -!- isox [n=dacurmud@rvd1901f0a.sprocketnetworks.com] has joined ##openvpn
10:55 < isox> hello, I'm having a bit of a major performance problem with openvpn 2.1. I've got a setup where I have two /24's vpn'ed into a central server... after about 2 minutes the connection between site a -> site b becomes unusable (however the connection to the central server seems fine)
10:56 < ecrist> isox: can you paste your configs?
10:56 < ecrist> !configs
10:56 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:56 < isox> yeah one second.
10:58 < reiffert> tcp and comp lzo
11:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:02 < isox> ecrist http://pastebin.ca/1374084
11:03 < isox> ecrist, its openvpn OpenVPN 2.1_rc7 on the clients, and the latest openvpn 2.1 series from the openvpn site.
11:09 < isox> ecrist you take a look at those?
11:24 < kala> reiffert: tcp and comp lzo is bad?
11:30 -!- lifeforms [n=walter@tau.lfms.nl] has left ##openvpn []
11:43 < eWizard> !topology
11:43 < vpnHelper> eWizard: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
11:43 < eWizard> !/30
11:43 < vpnHelper> eWizard: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
11:46 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:16 -!- thm [n=thomas@fedora/thm] has joined ##openvpn
12:17 < thm> hi! is it true that one openvpn cannot listen on TCP and UDP at the same time?
12:19 < dazo> thm: there's no way to configure that, afaik
12:23 < thm> one could run a second openvpn instance, but then IPs would change depending which one you connect to
12:39 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
12:41 < krzee> correct
12:41 < krzee> although if you are a good scripter the ips can stay the same
12:41 < krzee> !iporder
12:41 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
12:41 < krzee> first method gives ip based on a script
12:44 < krzee> i take it back, you dont need to be that good to do it, lol
12:46 < eWizard> Hello. I can't get server and/or client to ping each other. I think the problem is with wrong routes. I'm using a bridged connection. Short information: http://www.paste.lt/paste/0020b428a484a32f0205ceaa701b5605 More detailed description: http://www.paste.lt/paste/63074c8fbe5271ed4c15728dd28f396b
12:46 < krzee> a) why are you bridging?
12:47 < krzee> b) if you are bridging, why would it be wrong routes? (bridging is layer2, routes are layer3)
12:47 < krzee> pls focus on a)
12:48 < eWizard> a) for smb share on local network
12:48 < krzee> omg do not use 2.0.6
12:48 < krzee> upgrade to 2.1_rc15
12:49 < krzee> and use wins on the smb share, then use tun
12:49 < eWizard> b) I think routing table on client side is not filled correctly :)
12:49 < krzee> !wins
12:49 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
12:49 < thm> krzee: that might solve the problem assigning IPs at first glance, but not the problem that both openvpn instances shouldn't use the same subset
12:49 < eWizard> Ok, I'll try to upgrade. Thats the version from freebsd port and mac ports :)
12:49 < thm> s/subset/subnet
12:50 < krzee> thm, split a /24 in half for each
12:50 < krzee> eWizard, someone had a gentoo problem yesterday that amounted to him using 2.0.7
12:51 < thm> krzee: doesn't help, if a client connects to one instance one time, and to the other second time
12:51 < krzee> (which was what he got from portage)
12:51 < ecrist> isox: if it hasn't been said, update all clients/servers to rc15
12:51 < krzee> hrm ya you're right
12:51 < krzee> isox, also be sure you're using UDP
12:52 < krzee> isox, i guess they gotta use diff ips, but routing can all work the same still
12:52 < krzee> err
12:52 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn
12:52 < krzee> i mean thm , i guess they gotta use diff ips, but routing can all work the same still
12:52 < kraut> hi
12:52 < kraut> any ideas why i'll get this message?
12:52 < krzee> kraut!!
12:52 < kraut> read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
12:52 < krzee> ltns man
12:52 < kraut> what?
12:53 < krzee> long time no see
12:53 < kraut> do we know each other?
12:53 < krzee> moin
12:53 < kraut> moin ;)
12:53 < kraut> this openvpn drives me crazy
12:54 < krzee> you used to idle here like a year or so ago =]
12:54 < krzee> hrm
12:54 < krzee> kraut,
12:54 < krzee> !allinfo
12:54 < vpnHelper> krzee: "allinfo" is Please type !configs !logs and !interface to see all the info we want to be able to help you
12:55 < krzee> eWizard, switch to tun after enabling wins, you'll be happier with the performance once you get it working
12:56 < eWizard> ok, I'll try.
12:57 < eWizard> But first I'll upgrade to newer version.
12:57 < krzee> perfect =]
12:58 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
12:59 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has joined ##openvpn
13:07 < isox> im getting pretty poor throughput with openvpn 2.1. I have a master server with 2 clients connected... when transferring from client to client through the master server i only see about 50k/s and this is on a 10MB link
13:07 < isox> my configs are at http://pastebin.ca/1374084
13:08 < isox> if someone could take a look and suggest options I'd appreciate it
13:08 < krzee> isox, i take it you've tried removing all mtu options, and using --mtu-test on the client?
13:09 < krzee> also removing fragment option
13:11 < isox> yeah i've tried without the options
13:12 < isox> i've not tried mtu-test, what does that do?
13:12 < krzee> !man
13:12 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:12 < krzee> bbiaf, looking at a new apt i may buy
13:18 < eWizard> Upgrading to 2.1 rc15 didn't work. Time to try routing. :)
13:57 < ecrist> isox: did you upgrade your clients and server?
14:08 < mjt> is there some "MAC address space" for private use, anyone know?
14:09 < mjt> to be used for mac addresses on virtual tunnels and the like?
14:09 < mjt> like 192.168/16 and 10/8 in IP world
14:13 < mjt> 'hwell.
14:13 < mjt> http://en.wikipedia.org/wiki/MAC_address#Address_details -- locally administered address
14:13 < vpnHelper> Title: MAC address - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:30 < krzie> eWizard, hows the routing going?
14:31 < krzie> mjt, umm since MAC addresses dont go outside the lan, ild say they're all for private use
14:32 -!- eWizard [n=identd@78.63.180.97] has quit [Remote closed the connection]
14:33 < krzie> hah must have went well (or very bad)
14:33 < mjt> ш огые вщтэе цфте зщецфтешфд сдфыруыююю
14:33 < mjt> errr
14:33 < mjt> i just don't want potential clashes
14:33 < mjt> with other physical NICs on the same LAN
14:34 < mjt> I had to debug such an issue today (two virtual interfaces), -- believe me, it's difficult to debug :)
14:53 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
15:35 < Bushmills> mjt, 00-01-01-xx-xx-xx are private
15:35 < Bushmills> i.e. not assigned to any vendor
15:35 < Bushmills> so are 00-05-4F-xx-xx-xx macs
15:36 < Bushmills> mjt, there are more unassigned ranges, you can look them up for example here: http://standards.ieee.org/regauth/oui/oui.txt
15:37 -!- mjt [n=mjt@isrv.corpit.ru] has quit [Remote closed the connection]
15:38 < Bushmills> you're welcome
15:48 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
15:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:01 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn
16:02 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn
16:09 -!- b00jit [n=boojit@gw.carter.to] has joined ##openvpn
16:16 < b00jit> Hi: I'm having an issue where when I run my vpn over UDP I experience PL, but not when i run it over TCP. I'm wondering if someone can give me some pointers on the best way to go about debugging this.
16:18 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
16:21 -!- boojit [n=boojit@gw.carter.to] has quit [Read error: 110 (Connection timed out)]
16:22 -!- b00jit is now known as boojit
16:39 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has quit [Connection timed out]
16:39 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has left ##openvpn []
16:40 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has joined ##openvpn
16:41 < reiffert> PL?
16:42 < boojit> packet loss
16:43 < boojit> here's how it cropped up: our DSL connection at work is a bit dodgy right now, this is a separate issue. so just pinging the first hop from my DSL modem to the first ISP router, i'm getting 1-2% packet loss.
16:43 < boojit> So that needs to be fixed, obviously.
16:44 < boojit> But interestingly, I'm finding that if i connect to my openvpn server over this dodgy connection using UDP, I get anywhere between 5-7% PL. If I use TCP i get like 0% PL
16:46 < reiffert> see how many loss you have, when you transfer TCP payload over the UDP link, instead of sending ICMP payload over the UDP link.
16:46 < reiffert> s,see,look,
16:47 < reiffert> !factoids search tcp
16:47 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:47 < boojit> i see where you're coming from, actually i have just been setting up tests of this nature.
16:48 < boojit> yes i've read this which is why I'm compelled to use UDP, but my actual test results are not helping to convince me.
16:48 < reiffert> alright. From my standpoint it's just plain logic.
16:49 < boojit> thanks for the pointers btw.
16:49 < reiffert> udp is a connectionless and stateless protocol.
16:49 < reiffert> icmp is as well.
16:49 < reiffert> so whenever openvpn is losing udp packets, it doesnt recognize this.
16:49 < boojit> whereas tcp does. right.
16:50 < reiffert> losing icmp packets on the payload side is recognized, but does not lead to a retransmission
16:50 < reiffert> whenever you are transmitting tcp on the payload side, tcp will take care for every single bit from the transport stream.
16:51 < boojit> right so you're saying that the delivery safeguards built into TCP are helping that icmp packet make it there when I'm using openvpn/tcp, because of retransmission, etc. I'm not getting that with openvpn/udp.
16:51 < boojit> yes i see.
16:51 < reiffert> I'd say forget all those icmp stuff and think about your payload. is it mainly udp or tcp?
16:52 < boojit> So it's false to assume that my performance over the UDP is worse simply because i'm seeing more PL with ICMP ping
16:52 < boojit> it's all TCP
16:52 < reiffert> right. TCP? use openvpn/udp then.
16:52 < reiffert> you might use tcptraceroute for your tests here.
16:53 < boojit> ok. So what I really want to do is design my test so I'm looking at TCP performance and then I'll get a real view of which one has the better connection
16:53 < reiffert> but a simple wget and checksumming algorithm will do as well
16:53 < boojit> yeah
16:53 < boojit> yeah that actually makes a lot of sense.
16:53 -!- thm [n=thomas@fedora/thm] has left ##openvpn []
16:54 < reiffert> whereas tcp already contains checksumming for every packet.
16:54 < reiffert> a simple wget will do.
16:54 < reiffert> you might try many small files, starting from 50 bytes, up to 1500 bytes and beyond
16:54 < boojit> yeah so really, when you think about it, particularly if the underlying link is a bit dodgy, you don't want to use openvpn/TCP while sending TCP data
16:54 < reiffert> or just one big file.
16:54 < reiffert> depends on what your payload will look like
16:54 < boojit> because of the retransmit issue described in your prev. link.
16:55 < reiffert> boojit: it's called segmenting and windowing, or in other words: acknowledgements
16:55 < reiffert> send packet, get ack, send packet, get ack
16:55 < reiffert> send packet, get no ack, resend packet
16:56 < reiffert> which is just a simple example.
16:56 < boojit> right and if you're using openvpn/tcp and sending tcp data over it, then you're going to have that whole conversation going on at both levels
16:56 < reiffert> send packet, send packet, send packet, get ack from all three, send packet and so on
16:56 < reiffert> boojit: exactly
16:57 < boojit> ok well thanks for the tips reiffert, that makes a lot of sense. I appreciate your time.
16:57 < reiffert> welcome
16:57 < reiffert> you might wanna have a look on comp-lzo as well. I dont like it, I disable it every time.
16:57 < reiffert> your tests might discover.
16:58 < reiffert> (even the opposite)
17:01 < boojit> really
17:01 < boojit> well that's interesting, because i always enable it every time
17:02 < boojit> what's the theory behind comp-lzo causing issues?
17:02 < reiffert> small lags that occur when typing on remote ssh sessions
17:02 < reiffert> let's say 100-250ms
17:03 < reiffert> I dont get them putting comp-lzo off
17:03 < boojit> i'll test that as well then
17:04 < boojit> latencies are really my biggest concern -- my payloads are pretty small in size, but they are latency sensitive
17:04 < reiffert> Be sure to use the latest openvpn beta. 2.1rc15 or sth
17:04 < reiffert> doing ancient database stuff?
17:05 < boojit> no this is a custom application that we're developing
17:05 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
17:06 < boojit> we have some legacy hardware that is serial. We are writing a proxy to send the serial conversation to a remote machine
17:06 < reiffert> I'd be very interested in your results, I really like to see them, once you've made them
17:06 < reiffert> Bushmills: any idea on boojit?
17:06 < Bushmills> hang on, need to read up first
17:07 < reiffert> Bushmills: last 20 lines will do
17:07 < Bushmills> latency?
17:07 < boojit> what happens is there are heartbeats sent every second between the hardware and the receiver -- if the receiver doesn't get them in time, it assumes the hardware has dropped.
17:07 < Bushmills> try reducing MTU
17:08 < reiffert> Bushmills: latency, serial conversation
17:08 < boojit> I will write up a little bit more about what we are doing and post a link so you can see what is going on.
17:09 < reiffert> boojit: why not let the hardware talk to your application on the hardware side, and have that application talk to another application over openvpn? Advantage of that is that the application on the hardware side can handle situations like this.
17:09 < reiffert> ... and keep the conversation running to the hardware device
17:11 < boojit> well--it's a bit complicated to explain quickly. Better if i write it up a little more fully. This serial hardware device is a custom wireless base station that is handling communication from our custom wireless handsets. What we're trying to do is make it so we can have the base station in NY and the controlling application in London, for example
17:11 < Bushmills> boojit, i had latency problems with WLAN when auto speed select was enabled
17:12 < reiffert> I guess that custom wireless base station already got an ethernet connector and is capable of 802.1Q VLANs?
17:12 < Bushmills> whenever speed changed, and it did so frequently, i experienced short phases with traffic low
17:13 < boojit> no, that's not it. I'm doing a terrible job of explaining. I'll write it up more fully and then that will explain it better.
17:13 < reiffert> boojit: Or do you want to stick on an external management device?
17:13 < reiffert> boojit: will it be worth waiting?
17:14 < reiffert> boojit: or is it a matter of days?
17:15 < boojit> Ok so the way our solution works (this is all custom hardware and software developed by us) is you have a base station that connects to a laptop via serial. This base station controls the wireless handsets. Now on the laptop side, we have a program that sits on the serial port and handles conversations to/from the base station (and therefore the handsets)
17:16 < Bushmills> heartbeat of a second without queuing between NY and London may be on the short side too when you rely on shared international lines.
17:16 < boojit> now what we're doing is writing a serial proxy. The idea is that this proxy sits on the serial port on NYCmachine. On LondonMachine, we have modified the IMLPort program (the program that normally sits on the serial port) to connect to this proxy over TCP
17:17 < reiffert> boojit: you are describing just one possible solution. Why not let openvpn run on the base station itself?
17:17 < boojit> so all the serial data between the NYCmachine and Londonmachine is just sent back and forth through this stuff
17:17 -!- petrolhead [i=blaat@77.109.123.56] has joined ##openvpn
17:17 < boojit> the base station isn't capable of running OpenVPN.
17:17 -!- sunga [n=naft@77.109.123.56] has quit [Read error: 104 (Connection reset by peer)]
17:17 < reiffert> CPU Arch?
17:18 < boojit> I don't know, i have to talk to the hardware guys. This is "legacy" stuff -- it's old, custom hardware. Don't know the arch
17:18 < reiffert> (and OS)
17:19 < reiffert> boojit: but the base station can talk ethernet over a wire?
17:19 < boojit> so i should also point out that this proxy solution is really a quick bodge to get us over the hump until our new hardware devices come out -- they will be all ethernet based, no serial comms at all
17:19 < Bushmills> just serial, i understood
17:19 < boojit> reiffert: no it cannot. It's a little black box with an antenna and a serial port
17:19 < reiffert> Bushmills: very strange piece of hardware for talking to handsets, isnt it?
17:19 < Bushmills> so i'll be connected to a box with network and serial
17:20 < Bushmills> reiffert, not really. custom design can be odd
17:20 < reiffert> Ok.
17:21 < boojit> so anyway, it's latency sensitive because the IMLPort program is listening for heartbeats from the base station and the handsets. If they don't get there in time, IMLPort dumps the base station.
17:21 < reiffert> boojit: I would not transfer serial communication around the world, but instead run an application on that laptop, that a) talks to the device via serial b) talks to an application running on the computer in london over openvpn
17:22 < Bushmills> that's what the serial proxy is all about, i reckon
17:22 < boojit> yes
17:22 < Bushmills> whether it does protocol translation or 1:1 is another matter
17:22 < reiffert> Bushmills: that application I'm talking about is handling basestation and handsets.
17:22 < boojit> except that it's kind of a dumb proxy -- it's literally just sending the serial comms back and forth exactly as they come off the serial port
17:23 < reiffert> It just doesnt care about whether london is connected or not.
17:23 < Bushmills> i suppose you could fake the heartbeat
17:23 < Bushmills> and update it from real counterpart once every so often
17:23 < Bushmills> but decoupled from the 1 sec requirement
17:23 < reiffert> Bushmills: you talking to me or him?
17:23 < Bushmills> i'm shouting to world
17:24 < boojit> that's something we are considering, and will probably have to do. In any case, it's latency sensitive for other reasons. Latency issues will never go away because of what is expected from these devices.
17:24 < reiffert> boojit: are there any latency issues between station and laptop?
17:25 < Bushmills> IMLPort runs in NY?
17:25 < Bushmills> and base station sits in London?
17:25 < reiffert> I would run a webserver on that laptop and control it from a browser in London
17:25 < reiffert> Laptop can talk to base station, no latency issues
17:26 < reiffert> link can go down, no problem
17:26 < reiffert> link = openvpn link
17:26 < reiffert> Problem is: you need to rewrite the IMLPort whatever program.
17:26 < boojit> yeah, well i'm sort of running to a point where I can't give much more detail. In any case, can I ask a little bit more about this MTU stuff? what MTU setting do you recommend?
17:27 < Bushmills> try 1.5 ... 2 times heartbeat package size
17:27 < boojit> ok
17:27 < Bushmills> or heartbeat payload +16 or +24
17:27 < boojit> ok i will fart around with that then.
17:28 < reiffert> whenever the openvpn link goes down, the base station will be lost.
17:28 < Bushmills> packet size ..
17:29 < boojit> ok i will try that. reiffert, Bushmills thanks so much for the insight and listening to me ramble on
17:30 < Bushmills> gl
17:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:32 < reiffert> How long will that periodic crypt authentication handshake last on openvpn?
17:33 < reiffert> Bushmills: as far as I understood boojit, they are sending the serial communication over a tcp connection
17:33 < Bushmills> sounds like it.
17:35 < Bushmills> hm .. with smaller packet sizes, prioritizing smaller packets with some load balancing setup could be helpful too
19:29 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
19:48 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
19:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
20:26 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
21:23 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:24 -!- belZe [i=server3@p5091CCCC.dip.t-dialin.net] has joined ##openvpn
21:43 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
22:50 -!- martian67 [i=user5490@about/linux/regular/martian67] has left ##openvpn ["Leaving"]
23:35 -!- onats__ [n=onats@122.53.136.244] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sat Mar 28 2009
00:00 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."]
00:00 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
00:34 -!- sunga [n=naft@77.109.122.179] has joined ##openvpn
00:45 -!- petrolhead [i=blaat@77.109.123.56] has quit [Read error: 110 (Connection timed out)]
01:06 -!- dan__t [n=dant@ns1.hitb.net] has joined ##openvpn
01:06 < dan__t> Hello.
01:09 < dan__t> So, would I use --client-connect to, say, run some iptables command based on the client connecting to OpenVPN?
01:10 < reiffert> Hi dan__t
01:10 < reiffert> yes, you would.
01:10 < dan__t> Excellent. That's perfect.
01:11 < dan__t> And the env var 'bytes_sent'. Is that a cumulative total on a per-user per-session basis?
01:11 < dan__t> Would I use that if I wanted to find out how many bytes a user used in one session?
01:11 < reiffert> Yes.
01:11 < dan__t> well, bytes that were sent to the client, anyway.
01:11 < reiffert> From the manpage:
01:11 < dan__t> But that would only be available to me after the client had disconnected, correct?
01:11 < reiffert> bytes_sent
01:11 < reiffert> Total number of bytes sent to client during VPN session. Set
01:11 < reiffert> prior to execution of the --client-disconnect script.
01:11 < dan__t> Ah hah.
01:12 < dan__t> Ok, so only the --client-disconnect script can interpret that env var
01:12 < reiffert> you will find it in the status log as well.
01:12 < reiffert> dan__t: what OS are you running?
01:12 < dan__t> Linux, 2.6
01:13 < reiffert> dan__t: which version of openvpn are you running?
01:13 < dan__t> 2.1
01:13 < reiffert> e
01:13 < reiffert> dan__t: which version of openvpn are you running?
01:13 < dan__t> ?
01:14 < reiffert> 2.1 rc?
01:14 < dan__t> 2.1-0.29.rc15.el5
01:14 < dan__t> Why?
01:14 < dan__t> I'm just testing a proof of concept here.
01:14 < reiffert> 0.29? el5?
01:14 < dan__t> centos package.
01:14 < reiffert> However. Type man openvpn to your terminal
01:15 < reiffert> You know how to move within and search through manpages?
01:15 < dan__t> I've been reading the manual page.
01:16 < dan__t> I'm reading it. I just want to know at what *times* I can query those env vars.
01:16 < dan__t> And it looks like I can't just pick a connection, at any point in time, and expect to snag something like 'bytes_sent'
01:16 < dan__t> Like I can't poll the value of 'bytes_sent' off of a client session every 10 seconds.
01:16 < reiffert> status log
01:17 < dan__t> Yeah I can only get that after the client disconnects.
01:17 < dan__t> Which, again, has nothing to do with me polling the existing connection at set intervals.
01:17 < reiffert> wrong.
01:17 < reiffert> status log
01:17 < dan__t> So if I see an OpenVPN session, I can query that connection for its current value of bytes_sent?
01:17 < reiffert> yes.
01:17 < dan__t> !howto
01:17 < vpnHelper> dan__t: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:17 < dan__t> How do I do that, reiffert?
01:18 < reiffert> dan__t: status log
01:18 < dan__t> !topology
01:18 < vpnHelper> dan__t: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
01:18 < dan__t> So the status log, logs all the data for all those env vars, at set intervals?
01:18 < dan__t> !/30
01:18 < vpnHelper> dan__t: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
01:18 < reiffert> dan__t: no.
01:18 < dan__t> So why do you keep saying "status log"
01:19 < reiffert> dan__t: it does not log all the data for all "those" env vars, but it does log bytes_sent, among others.
01:19 < dan__t> At what interval?
01:19 < reiffert> you define.
01:19 < dan__t> How?
01:19 < dan__t> With what directive?
01:19 < reiffert> read the manpage.
01:20 < dan__t> I've been reading it. Can you hint me towards it? I wouldn't be asking in here if I didn't first read the manpage.
01:20 < dan__t> I have a clue. I assure you.
01:20 < dan__t> I promise you.
01:20 < reiffert> status log
01:20 < dan__t> right, there's no entry for "status log"
01:20 < reiffert> oh, really.
01:21 < reiffert> what might it be then?
01:21 < reiffert> --umbrella maybe?
01:21 < reiffert> or --fridge?
01:21 < reiffert> or --status?
01:21 < reiffert> you were reading the manpage, you should know.
01:21 < reiffert> You promised me.
01:22 < dan__t> I see --log, but it mentions nothing of an interval.
01:22 < reiffert> You see so many things, but what you dont see is what I type here.
01:27 < dan__t> Right.
01:27 < dan__t> That was hidden.
01:28 < dan__t> Guess the man page is wrong, there is no "log" argument to --status
01:29 < dan__t> (joke)
01:30 < dan__t> Thanks.
01:32 < dan__t> I'll have to F with that when I have a live client I can R&D with
01:36 -!- dli [n=dli@adsl-75-22-28-192.dsl.chcgil.sbcglobal.net] has left ##openvpn ["Leaving"]
01:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
02:57 < krzee> lol
02:57 < krzee> funny scroll is funny
03:42 -!- c64zottel [n=hans@p5B17B1D5.dip0.t-ipconnect.de] has joined ##openvpn
03:42 -!- c64zottel [n=hans@p5B17B1D5.dip0.t-ipconnect.de] has left ##openvpn []
03:45 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
03:53 -!- sunga [n=naft@77.109.122.179] has quit [Read error: 104 (Connection reset by peer)]
03:53 -!- gallatin [n=gallatin@dslb-092-073-117-171.pools.arcor-ip.net] has joined ##OpenVPN
03:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:13 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
05:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
05:56 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
05:59 < onats> anyone up? I need some help. is it possible for ISP to block UDP traffic?
05:59 < onats> how do i test it?
06:01 < krzee> of course it is, they can block anything they want
06:01 < krzee> easiest way is with netcat
06:01 < krzee> *goes to sleep*
06:02 < onats> thanks krzee
06:02 < onats> checking
06:17 -!- bandini [n=bandini@host186-21-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
06:29 < onats> Sat Mar 28 12:28:03 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
06:29 < onats> does that mean that the network on the other side is not accepting the connection?
06:39 < Skered> onats: telnet host 1194
06:39 < Skered> That's a quick way to see if you're able to connect
06:51 < ecrist> morning, folks
06:54 < ecrist> Skered: you can't telnet to a UDP port.
07:08 -!- Snicks|TWw is now known as Snicks|eat
07:20 -!- satman [n=satman@135.166-245-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn
07:22 < satman> what happens on a linux box if you have a tun device (eg 10.10.10.10/24) and you create a route to a network with as next-hop this tun-device (10.10.10.10), but no application is processing the packets? are the packets simply dropped?
07:32 < ecrist> sure, where would they go?
07:33 < ecrist> however, if you've got a route on that host for those, then the kernel *would* be handling those packets, so they wouldn't be dropped.
07:38 < reiffert> Moin
07:38 < reiffert> satman: kernel handles routing, applications do not.
07:44 < ecrist> reiffert: that's mostly true. OpenVPN does some routing. As a general rule, though, you're correct.
07:46 -!- Snicks|eat is now known as Snicks|afk
07:48 < reiffert> ecrist: I doubt that openvpn will actually route packets
07:48 < ecrist> reiffert: it actually *does* route packets for clients with iroute statements. This is all handled internally to the daemon
07:48 < ecrist> it's limited routing, but it is there.
07:49 < reiffert> ah, I definitely need to read that piece of code 07:49 < ecrist> kernel passes the packet to tun0, which is the interface controlled by openvpn, which then routes the packet to the correct client. 07:50 < ecrist> it was all kernel driven before openvpn had server mode (with one tun interface) 07:57 < reiffert> I see. 08:35 -!- gallatin [n=gallatin@dslb-092-073-117-171.pools.arcor-ip.net] has quit ["Client exiting"] 08:47 -!- bandini [n=bandini@host186-21-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 08:53 -!- boojit [n=boojit@gw.carter.to] has quit [Remote closed the connection] 08:58 -!- boojit [n=boojit@216.160.8.126] has joined ##openvpn 10:13 < reiffert> boojit: any news yet? 10:29 -!- satman_ [n=satman@235.153-246-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 10:43 -!- satman [n=satman@135.166-245-81.adsl-dyn.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)] 10:50 -!- Snicks|afk [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 11:14 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 11:17 -!- satman_ [n=satman@235.153-246-81.adsl-dyn.isp.belgacom.be] has quit [Remote closed the connection] 11:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:07 -!- k12linux [n=k12linux@206.40.109.153] has joined ##openvpn 12:08 < k12linux> Some change with openVPN between Fedora9 and F10 is preventing me from reaching anything except the openvpn server. (after upgrading server to F10). SElinux is permissive right now. Suggestions? 12:08 < k12linux> Pings to remote LAN make it to VPN server but are not forwarded out to lan. 12:08 < reiffert> read the openvpn changelog. 12:09 < reiffert> k12linux: which sounds like it is a routing problem. 12:09 < reiffert> k12linux: or firewalling issue. 12:09 < k12linux> nod. That's what I thought at first. Routes appear correct on both ends and FW is off on server. 
12:09 < k12linux> (temporarily for testing) 12:13 < reiffert> prove the latter. 12:14 < k12linux> remote is assigned 192.168.77.6: routing table on server shows: 192.168.88.0 192.168.88.2 255.255.255.248 UG 0 0 0 tun0 12:14 < k12linux> typo 12:15 < k12linux> remote client is 192.168.88.6 12:15 < reiffert> stop. 12:15 < reiffert> just paste your firewall to a paste service. 12:15 < reiffert> like this: iptables -t filter -v -n -L 12:15 < reiffert> and: iptables -t nat -v -n -L 12:16 < reiffert> !factoids search ip forward 12:16 < vpnHelper> reiffert: 'winipforward' and 'linipforward' 12:16 < reiffert> !linipforward 12:16 < vpnHelper> reiffert: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 12:16 < reiffert> check this. 12:19 < reiffert> and while pasting paste: 12:19 < k12linux> bleh... reading that last bit I know what happened.. DOH! I never updated /etc/sysctl.conf 12:19 < reiffert> ifconfig -a and route -n 12:19 < k12linux> after new install 12:19 < reiffert> bad bad bunny 12:19 < k12linux> yep.. that fixed it. Feel like an idiot. lol 12:20 -!- jave [n=user@95.209.51.93] has joined ##openvpn 12:20 < jave> hello 12:20 < jave> I'm having some trouble getting an openvpn tunnel working 12:21 < k12linux> reiffert: I've set up enough of these that I should have thought of that. 12:21 < jave> I cant ping a machine on the network inside of an openvpn server from a openvpn client 12:21 < jave> but I can ping the client from a machine inside the openvpn 12:24 < k12linux> jave: are you talking about a setup like: client-LAN <-> OpenVPN-Client <-> OpenVPN-Server <-> Server-LAN ? 12:25 < reiffert> k12linux: he is not. 
12:25 < reiffert> jave: 12:25 < reiffert> !configs 12:25 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:28 -!- prattfall [n=sten@c-71-194-163-213.hsd1.il.comcast.net] has joined ##openvpn 12:28 -!- prattfall [n=sten@c-71-194-163-213.hsd1.il.comcast.net] has left ##openvpn [] 12:58 < Dougy> oO 12:59 < reiffert> . 12:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 13:08 < Bushmills> problem description misleading. "trouble getting vpn tunnel working". as you can ping client over vpn, tunnel is up. 13:09 < Bushmills> in about an hour the dark hour starts. I'll probably light things up with the netbook backlight then. 13:09 < Bushmills> and my LED flashlight too. 13:09 < Bushmills> maybe switch on my AVR stadium. 13:10 < Dougy> sprechen se englisch 13:10 * Dougy can't spell 13:10 < Bushmills> oh sorry 13:10 < Bushmills> thought i was on a different channel 13:10 < Bushmills> my mad 13:10 < Bushmills> ehm 13:10 < Bushmills> bad 13:10 < Dougy> haha 13:10 * Dougy doesn't speak german 13:11 < Dougy> that's nearly everything i know in german and its still wrong 13:11 < Bushmills> neither did I. I was writing this. 13:12 < Bushmills> the chat client has channel tabs selectable by mouse wheel, seems i hit the wheel accidentally. 13:15 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has quit [Success] 13:16 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has joined ##openvpn 13:16 -!- k12linux [n=k12linux@206.40.109.153] has left ##openvpn ["Leaving"] 13:23 < kraut> where is openvpn looking for client certs and keys? 13:23 < kraut> i have them in /etc/openvpn/keys 13:23 < kraut> is that a default? 
13:23 < reiffert> moin kraut 13:23 < kraut> moin reiffert 13:23 < kraut> i got a strange issue with a client, since i updated it, i get all the time "no route to host" 13:24 < reiffert> /etc/openvpn is a default, so it will have to tell openvpn to find them like this 13:24 < reiffert> crt keys/foo.crt 13:24 < kraut> and i think the cert-authentication fails 13:24 < kraut> i did that 13:24 < reiffert> !configs 13:24 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:24 < kraut> ca /etc/openvpn/keys/ca.crt 13:25 < reiffert> just paste the bunch of stuff 13:25 < reiffert> and have openssl x509 -in foo.crt -text -noout validate the time period for that this certificate should be valid 13:25 < reiffert> | End or something 13:25 < kraut> http://pastebin.com/m7774692b 13:25 < reiffert> | grep End 13:25 < kraut> that's my server config 13:25 < kraut> the client is a avm fritzbox 13:26 < kraut> not that easy to paste that ;) 13:26 < kraut> hmmmm 13:26 < kraut> http://pastebin.com/m539d7489 13:27 < kraut> # 13:27 < kraut> ar 28 19:25:56 exodus ovpn-server[12388]: 91.97.3.40:2057 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 13:27 < kraut> # 13:27 < kraut> but wtf, why? 13:27 < kraut> Mar 28 19:25:56 exodus ovpn-server[12388]: 91.97.3.40:2057 TLS Error: TLS handshake failed 13:27 < reiffert> verb 6 might tell ya 13:28 < kraut> http://pastebin.com/m66ac4dd4 13:28 < kraut> not really 13:29 < kraut> the cert is called freedom2.netzdeponie.de, why don't i see that in the logs? 13:30 < kraut> something changed on the client side, but i don't know what 13:32 < kraut> reiffert: any ideas? 
13:33 < reiffert> kraut: yeah, send client config and client log and 19:25 < reiffert> and have openssl x509 -in foo.crt -text -noout validate the time period for that this certificate should be valid 13:34 < kraut> ah, with tcp it's looking like a cert problem 13:34 < kraut> need to check that tomorrow 13:34 < kraut> must go now 13:34 < reiffert> k cu 14:04 -!- jave [n=user@95.209.51.93] has quit [Read error: 60 (Operation timed out)] 15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 15:09 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 145 (Connection timed out)] 15:30 < krzie> sup guys 15:34 < krzie> damn kraut still having tha tproblem =/ 15:41 < Dougy> my head is pounding 15:42 < krzie> haha 15:42 < krzie> hangover? 15:42 < Dougy> nope 15:42 * Dougy doens't drink 15:42 < Dougy> doesn't 15:44 * krzie does 15:45 < Dougy> <16 15:46 < krzie> i spent every weekend of my 14 yr old life with a hangover 15:46 < Dougy> lmfao 15:53 < Bushmills> krzee, then you don't know submarine special. 15:54 < krzie> i guess not 15:54 < Dougy> hrmm 15:54 * Dougy can build a nice server for not that much 15:55 < krzie> cool, colo it and gimme root! 15:55 < krzie> freebsd please 15:55 < Bushmills> krzee, hangover relief 15:56 < Dougy> krzie: no to both 15:56 * Dougy is gonna rent it 15:56 < krzie> Bushmills i always used weed for that 15:56 < Bushmills> http://forthfreak.net/snap/submarine.png 15:56 < Bushmills> sorry, babelfished. 15:57 < krzie> oh hell no 15:57 < krzie> milk + alcohol is asking for it 15:58 < Bushmills> well, it's your hangover, not mine, 15:58 < krzie> im not 14 anymore 15:58 < krzie> i barely ever get a hangover 15:58 < krzie> i find 2 things help 15:59 < krzie> 1) lots of sex and water before bed 15:59 < krzie> 2) if you do get a hangover, smoke some hash in the morning 16:00 < Bushmills> some would say that lots of alcohol and lots of sex are mutually exclusive. 
16:00 < krzie> no way 16:00 < krzie> the drunk dick comes with much power 16:00 < Dougy> lots of sex ft dubs 16:06 -!- damentz [i=damentz@support.team.at.shellium.org] has joined ##openvpn 16:06 < damentz> hello everyone 16:06 < krzie> hello 16:07 < damentz> hey i have a question 16:07 < krzie> ... 16:07 < damentz> i'm using openvpn to setup a vpn in my house using a bridge 16:07 < krzie> why bridge? 16:07 < damentz> so i can access other systems on my network 16:07 < krzie> !route 16:07 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:07 < krzie> you can do that with tun 16:07 < krzie> i even made a walkthrough for it 16:08 < damentz> !!! 16:08 < vpnHelper> damentz: Error: "!!" is not a valid command. 16:08 < damentz> krzie, what about if you were to play a game 16:08 < krzie> the game operates over layer2? 16:09 < damentz> hmm, udp 16:09 < damentz> so that's.. transport level? 16:09 < damentz> layer* 16:09 < krzie> tun 16:09 < damentz> really? 16:09 < damentz> ok 16:09 < krzie> udp / tcp = layer3 16:09 < krzie> layers is protocols that use MAC address 16:09 < krzie> like ethernet packets 16:10 < damentz> ok 16:10 < damentz> but then why are there bridges at all? 
16:11 < Dougy> krzie: 16:11 < Dougy> if you buy chassis/ram/drives etc 16:11 < krzie> for layer2 VPNs 16:11 < Dougy> i got two xeon 5050s that you can have 16:11 < krzie> which you dont need (and most dont) 16:11 < krzie> but some do 16:11 < krzie> sweet 16:11 < krzie> very kind donation of you, i will sing your praises for years to come 16:12 < damentz> krzie, ok i see what's going on 16:13 < krzie> dougy, but actually i dunno what ild do with them 16:13 < krzie> i even have an extra box sitting in ecrists basement i cant figure out what to do with 16:13 < krzie> 1/2 of me wants to just buy a 1u case and have him rack it up 16:14 < krzie> the other 1/2 wonders who in my family could use a computer 16:15 < krzie> nevertheless, very kind of you to offer 16:16 < damentz> using routes, every person must add a route to see your system right? 16:16 < krzie> no 16:16 < damentz> hmm? 16:16 < krzie> you just add the route to their default route 16:16 < krzie> (aka the router) 16:16 < damentz> hmm 16:16 < krzie> its all in my writeup! 16:17 < krzie> thats why i say: 16:17 < krzie> READ IT DONT SKIM IT 16:17 < damentz> hehe, ok 16:17 < krzie> !route 16:17 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:20 < Dougy> krzie: np 16:20 < Dougy> chips arent cheap either 16:21 < Dougy> krzie: http://www.fadfusion.com/selection.php?product_item_number=10026801984 16:21 < vpnHelper> Title: INTEL BX805555050P XEON 5050 DC LGA771 3.0G 2X2MB 65NM 667MHZ BOX PASSIVE (at www.fadfusion.com) 16:26 < damentz> krzie, i added a route to my router 16:28 < krzie> damn, i wish i had something to do with them 16:28 < damentz> i still wish to do a bridge though 16:28 < krzie> damentz, you already switched to routed tun? 
16:28 < damentz> for some reason it makes more sense 16:28 < Dougy> krzie: i should just build a srever and rent it 16:28 < krzie> no, it doesnt 16:28 < Dougy> server 16:28 < krzie> !bridge 16:28 < Dougy> except its expensive as balls 16:28 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 16:28 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses. 16:28 < krzie> !tunortap 16:28 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 16:28 < damentz> hmm 16:29 < damentz> i'm still confused by your article 16:29 < damentz> it's saying i must add an iroute entry for the clients? 16:30 < krzie> is the lan behind the client or server? 16:30 < krzie> !iroute 16:30 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 16:30 < damentz> behind the server 16:30 < damentz> i don't care about the client's lan 16:30 < krzie> then no 16:30 < krzie> all you need is a push route 16:30 < damentz> ok 16:30 < damentz> umm, i did that on the router 16:30 < reiffert> saving the world again by converting another poor guy .. yeah it must be krzie 16:30 < damentz> is that ok? 
16:30 < krzie> as is done in my article with the servers lan 16:30 < krzie> lol reif 16:30 < krzie> everyone thinks bridging is what they need 16:31 < krzie> and like 0.5% is correct 16:31 < reiffert> 7topic be prepared to say bye bye bridge 16:31 < krzie> hell, my first setup was bridged 16:31 < krzie> cause i ddint know any better 16:32 < reiffert> I was reading that howto ... it said something like tun is much easier. bridge is for nerds, so I decided to have a bridge in the 2nd attempt :) 16:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 16:33 < damentz> krzie, in the configuration for openvpn, one of the comments say, "remember that these private subnets will also need to know to route the OpenVPN client address pool (10.8.0.0/255.255.255.0) back to the openvpn server 16:33 < reiffert> I really dont remember about my first openvpn setup ... hmmm. 16:33 < damentz> my router supports static routes 16:33 < damentz> would that be good enough? 16:33 < krzie> its only a static route that you could want 16:33 < krzie> give the client a LAN static ip 16:34 < damentz> ok 16:34 < damentz> so like 10.8.0.5 16:34 < damentz> bingo 16:34 < damentz> and redirect the gateway back to the openvpn server? 16:34 < damentz> err, sorry for all the questions, i've been working on this since yesterday for fun 16:34 < krzie> no, a LAN static ip 16:34 < krzie> not the vpn ip, the lan ip 16:35 < krzie> whats your clients ip on the lan? 16:35 < reiffert> maybe we should teach an eliza bot. 16:36 < krzie> eliza? 16:36 < damentz> what do you mean? 16:36 < reiffert> http://nlp-addiction.com/eliza/ 16:36 < vpnHelper> Title: Eliza Chat bot (at nlp-addiction.com) 16:36 < damentz> what is it set up to be in openvpn? 16:36 < krzie> damentz 16:36 < krzie> you know what a LAN is? 
16:36 < damentz> the 10.8.0.0 subnet 16:36 < damentz> ya, the local one i'm in 16:36 < reiffert> http://nlp-addiction.com/chatbot/ 16:36 < vpnHelper> Title: Chatbot List (at nlp-addiction.com) 16:37 < krzie> 10.8.0.x is likely your VPN network 16:37 < krzie> which is NOT a lan 16:38 < krzie> forget about the vpn for a second 16:38 < Bushmills> grin, reiffert, rookies here. 16:38 < krzie> what is the LAN ip 16:39 < krzie> hahaha reif, that bot would be fun 16:39 < krzie> would be cool to have it just idle until we unleash it 16:39 < reiffert> we would have to create a new one, answering all the openvpn questions the people ask. 16:39 < damentz> krzie, ok 16:39 < damentz> yes 16:40 < reiffert> maybe from the ecrist chatlog. 16:40 < damentz> that 10.8 is designated by the openvpn config 16:40 < krzie> good call! 16:40 < krzie> tons of seed to feed it 16:40 < krzie> it would probably have no problem debating bridge vs tun 16:40 < krzie> damentz might be an eliza bot 16:40 < damentz> lol nah 16:41 < krzie> hes taken me in quite a circle without telling me his lan ip 16:41 < damentz> i'm not even female 16:41 < reiffert> it will have to learn about a conversation taking place between several users about a subject 16:41 < damentz> 192.168.0.108 16:41 < reiffert> and crap 16:42 * krzie claps for damentz 16:42 < krzie> so tell the router that for any traffic going to 10.8.0.0 255.255.255.0 to send it to 192.168.0.108 16:42 < krzie> then make sure that 192.168.0.108 never changes ips 16:43 < reiffert> or use a dynamic routing protocol 16:43 < damentz> !! 16:43 < vpnHelper> damentz: Error: "!" is not a valid command. 
16:43 < damentz> wait 16:43 < damentz> that doesn't make sense 16:43 < krzie> then be sure to add this line to server config: push "route 192.168.0.0 255.255.255.0: 16:43 < damentz> my vpn server is 192.168.0.150 16:43 < krzie> err 16:43 < krzie> then be sure to add this line to server config: push "route 192.168.0.0 255.255.255.0" 16:43 < krzie> DUDE I WAS ASKING YOU THAT 16:43 < damentz> yes, i have that line 16:43 < damentz> you asked what my client ip was 16:43 < damentz> so i told you 16:43 < damentz> not my server 16:43 < krzie> ok well 16:44 < krzie> you cant have them on the same network 16:44 < krzie> one must be changed 16:44 < krzie> cant have both on 192.168.0.x 16:44 < reiffert> 192.168.0.200 wants to send a packet to 10.8.0.6, which travels to your LAN router, which will tell the LAN Client to re-send the packet to the openvpn server, which sends it to the openvpn client 16:44 < krzie> which is all clearly explained in my article under the pretty picture 16:45 < reiffert> tits? 16:45 < krzie> reiffert i should add a picture of tits, would prolly get people to pay attention to the article 16:45 < reiffert> the !route one? 16:45 < damentz> krzie, i don't think that was explained 16:45 < reiffert> (which I still didnt read yet) 16:45 < reiffert> !route 16:45 < vpnHelper> reiffert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:45 < krzie> yes 16:46 < krzie> damentz thats cause you didnt read everything 16:46 < krzie> cause it is! 16:46 < krzie> although the part about lans having diff subnets wasnt 16:46 < krzie> i will add that 16:46 < reiffert> it starts with an example. I hate it. 
:) 16:48 < krzie> haha 16:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 16:48 < krzie> reiffert feel free to help with it if you like 16:49 < reiffert> it will end in bridging :) 16:49 < damentz> krzie, ok well i think it is setup 16:49 < krzie> lol reif 16:50 < krzie> damentz, so you changed a lan to another network? 16:50 < damentz> what? 16:50 < krzie> ie: a side is no longer 192.168.0.x 16:50 < damentz> krzie, that will be my next test 16:50 < krzie> you cant have them on the same network 16:50 < krzie> one must be changed 16:50 < krzie> cant have both on 192.168.0.x 16:50 < krzie> no test 16:50 < damentz> i'll be heading to dunkin donuts 16:50 < krzie> im telling you what must happen 16:50 < krzie> best if you change the server 16:50 < damentz> change the dhcp leases to like something odd right? 16:51 < damentz> right 16:51 < damentz> so my home network can't be 192.168.0 16:51 < krzie> to something like 192.168.50.x 16:51 < damentz> probably something weird like .7 16:51 < damentz> or ya 16:51 < damentz> these public wifi spots are not like that though 16:51 < krzie> welp, many places are 16:51 < krzie> but you've been told it wont work in that situation, the rest is up to you 16:52 < damentz> krzie, is there a way to ignore the local network? 16:52 < damentz> like i want all of my connections to route through vpn 16:52 < damentz> i saw an option for that 16:52 < krzie> doesnt change my day any if you choose to ignore me 16:52 < krzie> !def1 16:52 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:52 < krzie> !man 16:52 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:52 < damentz> lol 16:52 < damentz> oh boy, more reading 16:53 < krzie> you will also need to turn on NAT and ip forwarding on your server 16:53 < krzie> server is linux? 16:53 < damentz> yes 16:53 < damentz> i have ip forwarding 16:53 < krzie> !linnat 16:53 < damentz> but NAT? 16:53 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 16:53 < krzie> !linipforward 16:53 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 16:54 < damentz> oh! 
16:54 < krzie> yes, you are saying you want a 10.8.0.x ip to be NATed to the outside world 16:54 < damentz> ok ipforwarding i already did 16:54 < damentz> umm, yes 16:54 < krzie> just like your server lan already is 16:54 < damentz> so dunkin donuts -> house -> online 16:54 < damentz> basically i don't care what local network i'm in when i'm not in my house 16:54 < damentz> i want the network environment to be about the same 16:54 < damentz> but thanks for the nat tip 16:55 < krzie> so change your home network to something never used 16:55 < krzie> like 192.168.50.x or 10.100.10.x 16:55 < krzie> something the outside world will never have their lan set to 16:55 < damentz> yes 16:55 < krzie> then setup NAT on the vpn server machine as described above 16:55 < damentz> i'll do it when everyones out of my house 16:55 < krzie> then push redirect-gateway def1 to the client 16:56 < damentz> ya, i saw that directive 16:56 < damentz> i didn't know an iptables rule was required 16:56 < krzie> yup, since 10.8.0.x isnt a routeable ip on the internet 16:56 < krzie> just like your router must nat your current 192.168.0.x ips 16:59 < damentz> ok awesome 16:59 < damentz> just enabled that rule 17:10 < reiffert> 172.16.0.0/12 17:11 < krzie> !factoids search 19 17:11 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 17:12 < reiffert> came to mind when reading 17:12 < reiffert> 22:55 < krzie> so change your home network to something never used 17:15 < krzie> ya thats one isnt used too often 18:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:04 < damentz> thank you krzie for all the help 18:04 < damentz> i just tested my vpn, it works! 
18:04 < damentz> everything is tunneled through my house 18:04 < damentz> too bad my upload speed is slow 18:08 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 18:18 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 18:36 -!- portishead [n=micha@HSI-KBW-091-089-136-168.hsi2.kabel-badenwuerttemberg.de] has joined ##openvpn 18:47 -!- portishead [n=micha@HSI-KBW-091-089-136-168.hsi2.kabel-badenwuerttemberg.de] has left ##openvpn ["Verlassend"] 18:55 < krzie> yw 19:01 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 19:30 < dan__t> Hi. 19:30 < krzie> high 19:30 < dan__t> what's up. 19:31 < krzie> killing time, bout to roll out for a min for a smoke 19:31 < dan__t> word. 19:31 < krzie> but lots of time to be killed 19:31 < krzie> like 4 hours hah 19:31 < krzie> then i get to go pickup some hash! 19:32 < krzie> and maybe roll out to a party my lil bro is singing at 19:33 < dan__t> oic. 19:34 < krzie> but more likely to just go home smoke some hash and work on my systems 19:34 < krzie> haha 19:35 < krzie> need help with anything or just killing time like me? 19:35 < dan__t> Naw just bored. I was trying to think of a way to solve a high availability problem with OpenVPN, but it would be the wrong tool for the job. 19:36 < krzie> by high avail you mean like running it over 2 uplinks 19:36 < krzie> ? 19:36 < dan__t> Naw, by having a failover disaster recovery site. 19:36 < dan__t> Looks like BGP is the answer. 19:36 < krzie> ahh right 19:36 < dan__t> OpenVPN would be neat - map one IP to two RFC1918 IPs and go nuts using NAT 19:36 < dan__t> but that still leaves me with a single point of failure. 19:37 < dan__t> Unless I had two OpenVPN servers doing that type of thing. 19:37 < dan__t> But even with them, I'd need BGP. 
19:37 < krzie> can always BGP over vpn links as well 19:37 < krzie> exactly 19:37 < krzie> openvpn isnt your answer, but can fit in if required to 19:38 < dan__t> And my customer doesn't understand that you can't just make up BGP shit. You can't have a datacenter location with a provider who delegates BGP to you, and have some VPS place across the country do the same thing. 19:38 < dan__t> Providers with ASNs and IP space don't jive like that, yo. 19:38 < dan__t> apples/oranges 19:38 < krzie> tbh i dunno much about real routing protocols like BGP 19:39 < krzie> never had excuses to play with them yet 19:39 < dan__t> eh I'm AWARE, I have a good overview of how it works 19:39 < dan__t> never implemented it, probably never will. 19:39 < krzie> im sure once i have a reason and opportunity to, i will learn it no prob 19:39 < dan__t> Yeah exactly. 19:39 < krzie> werd so we're bout = there 19:39 < dan__t> werd. 19:45 < dan__t> root 522 58.6 3.1 36391284 1031776 pts/0 Sl+ 20:44 0:25 java 19:47 < krzie> damn, whatchya running on java? 19:47 < dan__t> wowza streaming server 19:58 < krzie> werd 19:58 < dan__t> piece of shit 19:58 < dan__t> but its good for porn so whatever. 20:23 -!- belZe [i=server3@p5091CCCC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:24 -!- belZe [i=server3@p5091C717.dip.t-dialin.net] has joined ##openvpn 21:05 -!- onats1 [n=15172@221.121.120.254] has quit [Read error: 113 (No route to host)] 21:06 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 21:16 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 21:34 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 21:44 -!- j3g [n=andrer@200.130.18.1] has joined ##openvpn 21:44 < j3g> !route for lans behind openvpn 21:44 < vpnHelper> j3g: Error: "route" is not a valid command. 
21:44 < j3g> oh 21:44 < j3g> !route 21:44 < vpnHelper> j3g: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 21:44 < j3g> lol 21:48 < j3g> Anyone know if it is possible to run two openvpn instances on 2 computers (2 clients on one box, 2 servers on the other) and have just some specific kind of traffic (ie: voip) using one of the tunnels? 21:48 < j3g> I want to have voip going on another wan tunnel 21:54 < onats_> krzee you there? 21:55 < krzie> yup 21:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 21:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 21:55 < krzie> j3g, thats called source based routing, what os? 21:55 < krzie> i know linux can do it via iptables, but i dont know exactly how 21:55 < krzie> i never had a reason to do it 21:56 < onats_> can you help me out with something? 21:56 < krzie> depends, but ill try 21:56 < onats_> i have this vpn setup... only one client can connect to the server 21:56 < onats_> well actually the only one is currently connected to it 21:57 < onats_> when i try to connect the other clients, it always times out 21:57 < krzie> !configs 21:57 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:58 < onats_> what about the configs? 21:58 < krzie> vpnHelper told you 21:58 < vpnHelper> krzie: Error: "told" is not a valid command. 
21:58 < onats_> it was actually working fine for a couple of months already 21:58 < krzie> !configs 21:59 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:59 < onats_> ahh ok sorry 21:59 < onats_> :D 22:00 < krzie> ;] 22:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 22:04 < onats_> krzee, http://pastebin.ca/1375381 22:06 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has joined ##openvpn 22:06 < ploo> anyone ever have issues with packets coming up short? 22:07 < ploo> im in a terminal through openvpn and it freezes, tcpdump shows packets short on both ends 22:08 < krzie> short? 22:08 < krzie> you mean like some being dropped? 22:09 < ploo> full length of packet doesn't make it 22:10 < ploo> 66 some bytes 22:10 < krzie> using tcp or any mtu options? 22:11 < ploo> its intermittent, my ssh sessions sometimes freeze also 22:11 < ploo> mtu is set to 1500 22:11 < krzie> onats_, could it have to do with a firewall somewhere in between? 22:11 < onats_> krzie, i'm considering that possibility... the devices are remote from me.. 22:11 < krzie> that seems most likely to me 22:11 < onats_> i can't telnet to the port 2000 from the client though 22:12 < ploo> tun-mtu 1500 proto tcp-client dev tun 22:12 < krzie> ahh hah! 22:12 < krzie> tcp 22:12 < krzie> !tcp 22:12 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 22:12 < krzie> thats likely your problem ploo 22:13 < krzie> onats_, telnet doesnt operate on udp... you could test with netcat tho 22:13 < onats_> krzie, however, there's one client that connects successfully... 
22:13 < krzie> so we have an idea where the firewall or other issue would be then 22:14 < krzie> ive seen ISPs and DCs do all sorts of dumbness 22:15 < ploo> krzie, so UDP then ? :p 22:16 < krzie> right 22:16 < onats_> im hoping its not the ISP that's blocking the port. it would be quite difficult to talk to the ISP tech guys 22:17 < krzie> i hope the same for you, shouldnt be hard to check with netcat 22:17 < damentz> hey krzie, guess what 22:17 < damentz> i'm at dunkin donuts using vpn 22:17 < ploo> so configure udp on both ends and I should be ok 22:17 < krzie> =] 22:17 < damentz> all connections are going through my house :) 22:18 < damentz> just the way i wanted it 22:18 < ploo> thought I tried that before, I'll change it up thanks 22:18 < krzie> cool, grab me a jelly donut 22:18 < damentz> then i took the time to setup a caching nameserver which turned out was very easy 22:18 < damentz> bind9 in debian is preset to be a caching nameserver, i just set the precedence to the opendns servers 22:18 < damentz> next i might setup polipo or squid 22:18 < onats_> how do i know if netcat got through? 22:18 < onats_> nc -u right? 22:19 < krzie> damentz you might like socks as well, dante is a nice package for it 22:19 < krzie> onats_, read its manpage 22:19 < damentz> i was reading about dante 22:19 < krzie> !google udp test netcat 22:19 < damentz> i tried setting it up, never finished 22:19 < vpnHelper> krzie: Netcat - The TCP/IP Swiss Army Knife: ; {LANG_NAVORIGIN}: ; Having fun with netcat. - Linux Forums: 22:21 < damentz> krzie, so give me an example of using dante 22:21 < damentz> like, what would i need it to 22:21 < damentz> just read the package information 22:21 < krzie> damentz, read the docs, this is a help channel for openvpn 22:21 < damentz> what does circuit level mean? 
22:21 < damentz> oh well
22:21 < damentz> let me find their irc channel, lol
22:21 < krzie> ive setup dante a few times, but i dont know it well enough to give support
22:22 < krzie> i just read the docs and do what they say...
22:22 < damentz> i know, but what is it for?
22:22 < damentz> that's what i don't know
22:22 < krzie> its a socks5 daemon
22:22 < damentz> i don't know what i could use it for, it's just a name to me
22:22 < damentz> err, right
22:22 < damentz> so a proxy?
22:23 < krzie> yes an encrypted proxy
22:23 < damentz> ohhh, that's cool
22:23 < damentz> hmm, i could have used this information while at school
22:23 < damentz> i'll set one up for my friend, he's at baylor university
22:23 < damentz> so he can play warsow or something online
22:23 < damentz> though, openvpn would work just fine
22:24 < damentz> no well
22:24 < damentz> he already uses tor for sites he can't get to
22:24 < krzie> bbiaf
22:24 < damentz> be back in a fickle?
23:58 < damentz> hey krzie, are there any books or online resources to learn more about networking in general?
--- Day changed Sun Mar 29 2009
00:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:09 -!- derick_d [n=derick@61.49.254.120] has joined ##openvpn
00:25 < j3g> krzie: sorry for the delay in answering, the OS is linux (ubuntu 8.04)
00:25 < j3g> i was away :)
00:25 < j3g> the original question was
00:25 < j3g> Anyone know if it is possible to run two openvpn instances on 2 computers (2 clients on one box, 2 servers on the other) and have just some specific kind of traffic (ie: voip) using one of the tunnels?
00:25 < j3g> I want to have voip going on another wan tunnel
00:25 < j3g> you said it's about source based routing
00:26 < j3g> so regular routing (adding a route just for that IP) won't do, right?
00:26 -!- dan__t [n=dant@ns1.hitb.net] has quit [Read error: 104 (Connection reset by peer)]
00:26 -!- _dan__t [n=dant@ns1.hitb.net] has joined ##openvpn
00:47 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
00:48 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 113 (No route to host)]
01:02 -!- derick_d [n=derick@61.49.254.120] has quit ["暂离"]
01:14 < krzee> j3g, well depends...
01:14 < krzee> if you set your voip app to use the ip range of the other vpn, no problem
01:14 < krzee> very simple
01:15 < krzee> but if you will be connecting out to the inet to an ip you dont want to specify by itself, then no
01:15 < krzee> if you already know the exact ips you need to connect to through the special vpn, there isnt many many of those ips, then its easy
01:15 < krzee> so i guess i need more info to answer the question right
01:18 < reiffert> hi
01:19 < krzee> hi
01:20 < reiffert> back to CEST (Summertime)
01:29 < krzee> sweet
01:29 < krzee> i should come out that way sometime
01:29 < krzee> met some cool german girls back in SD, im sure they could show me cool places to go
01:32 < reiffert> SD?
01:34 < krzee> san diego
01:34 < reiffert> :)
02:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit []
02:15 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
02:22 < krzee> !forum
02:22 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
02:49 -!- _dan__t is now known as dan__t
02:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
03:00 -!- rashed2020 [n=shabati@67.205.245.208] has quit []
03:15 -!- c64zottel [n=hans@p5B179258.dip0.t-ipconnect.de] has joined ##openvpn
03:53 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn
03:55 < bn43> hello all - I'm having problems connecting to my openvpn server via a windows client - says handshake failed after trying via openvpn-gui. Is there a way for me to test via my ubuntu box that I can login locally to see that it works?
03:59 < krzee> !logs
03:59 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
03:59 < krzee> !clients
03:59 < vpnHelper> krzee: Error: "clients" is not a valid command.
03:59 < krzee> err
03:59 < krzee> !configs
03:59 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:13 < krzee> One night, Pinocchio's girlfriend says to him, "This stinks. Every time we make love I get splinters." So Pinocchio goes to Geppetto to ask his advice. Geppetto says, "Sandpaper, my boy, that's all you need." A few days later Geppetto runs into Pinocchio and says, "So how are you doing with the girls now?" Pinocchio says, "Who needs girls?"
04:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
04:21 < bn43> krzee: ROFL
04:21 < krzee> =]
04:22 < krzee> you gunna post !logs and !configs?
04:22 < krzee> (that was directed at you)
04:22 < bn43> ok I tested on my ubuntu box and I think its to do with my bridge - ran openvpn client on the box itself and get this error Sun Mar 29 11:14:35 2009 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
04:22 < bn43> Sun Mar 29 11:14:35 2009 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
04:22 < bn43> Sun Mar 29 11:14:35 2009 Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
04:22 < bn43> Sun Mar 29 11:14:35 2009 Exiting
04:24 < krzee> http://www.timesonline.co.uk/tol/news/uk/health/article5993187.ece
04:24 < vpnHelper> Title: Stem cells to grow bigger breasts - Times Online (at www.timesonline.co.uk)
04:24 < krzee> you started it as root?
04:24 < krzee> also
04:24 < krzee> why do you want bridge?
04:25 < bn43> following a howto that said I need a bridge for vpn to work
04:25 < bn43> yes I have
04:25 < krzee> !tunortap
04:25 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
04:25 < krzee> !sample
04:25 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
04:29 < bn43> um - I followed this - http://www.thebakershome.net/openvpn_tutorial and followed the script to make the bridge
04:29 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net)
04:30 < bn43> I don't think I need to specifically address traffic to a MAC - just contact via IP
04:30 < bn43> how do I fix this>
04:30 < bn43> this?
04:31 < krzee> welp
04:31 < krzee> we're gunna start by putting you with the right config
04:31 < krzee> no reason to fix the wrong one
04:31 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
04:32 < krzee> not my fault you used some walkthrough you shouldnt have used instead of reading the howto
04:32 < krzee> i can either point you to the howto or help you do it right...
04:32 < krzee> upto you
04:32 < bn43> yes I know - I just googled it
04:32 < krzee> for the howto option, !howto
04:32 < bn43> help me do it right would really be great!
04:32 < krzee> for the other one, see above
04:33 < bn43> I'm just worried that the bridge script will conflict with trying to put it right
04:34 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
04:36 < krzee> unbridge
04:40 < bn43> i had to stop openvpn before stopping the bridge script
04:40 < bn43> now ifconfig does not show br0 or tap0
04:41 < bn43> sorry my routing got messed up when I stopped the bridge
04:41 < bn43> krzee: u still there?
04:41 < krzee> there ya go...
04:41 < krzee> ya
04:42 < bn43> ok stopped the bridge now - whats next?
04:42 < krzee> reboot if you messed up routing
04:42 < krzee> it'll be fresh
04:42 < krzee> then look at my !sample
04:42 < krzee> change it to your needs
04:43 < Flumdahl> !sample
04:43 < vpnHelper> Flumdahl: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
04:43 * krzee posted that 20min ago
04:43 < krzee> we're going at a pretty slow pace :-p
04:44 < krzee> you're lucky scanning these harddrives is taking FOREVER
04:44 < bn43> krzee: how does the tun device get created? does openvpn server do it automatically?
04:44 < krzee> ive gone up 13% in 27min
04:44 < Flumdahl> your bridge script will probably create your tun interface
04:44 < krzee> so basically 1% every 2 minutes
04:45 < bn43> ya but I have stopped the bridge script
04:45 < krzee> which means its like 3 hrs to scan a drive =[
04:45 < krzee> yes, automagical
04:45 < bn43> ok brb
04:45 < krzee> although you can make it manually if you need it static
04:45 < krzee> no reason to if only 1 openvpn running on a box and nothing else using tuns
04:45 < Flumdahl> !float
04:45 < vpnHelper> Flumdahl: Error: "float" is not a valid command.
04:45 < Flumdahl> :S
04:46 < krzee> !man
04:46 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:46 < krzee> what versions are you running?
04:46 < krzee> (as my bot asked you 47 minutes ago)
04:47 < krzee> aka 24% of my scan ago
04:54 < bn43> root@dhashen-laptop:/etc/openvpn# /etc/init.d/openvpn restart
04:54 < bn43> * Stopping virtual private network daemon. [ OK ]
04:54 < bn43> * Starting virtual private network daemon. Segmentation fault
04:54 < bn43> * server (FAILED)
04:54 < bn43> something wrong
04:58 < bn43> krzee: I think something wrong with creating the tun device
04:59 < bn43> ifconfig does not show tun
04:59 < krzee> !logs
04:59 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
04:59 < krzee> do you have tuntap loaded into the kernel?
05:01 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn
05:02 < bn43> how do I see if tuntap is loaded into kernel?
05:02 < krzee> by learning how to use your operating system
05:03 < krzee> kldstat | grep tun maybe
05:03 < krzee> i dont really use linux
05:03 < krzee> that'll check for a loaded module
05:04 < krzee> i think
05:04 < krzee> either way
05:04 < krzee> !logs
05:04 < bn43> kldstat not found
05:04 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
05:04 < krzee> !logs
05:04 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
05:04 < bn43> posting server log
05:05 < bn43> ok this is curious - server.conf has verb set to 9 but I don't have much in the server log
05:05 < krzee> then you arent looking at the server log
05:06 < krzee> prolly a status file
05:06 < krzee> vpnHelper, factoids search log
05:06 < vpnHelper> krzee: 'logs', 'irclogs', and 'topology'
05:06 < krzee> nm there
05:06 < krzee> check system logs
05:10 < bn43> http://www.pastebin.ca/1375590
05:14 < bn43> sorry - after looking at the log I realised I did not save my server.conf properly!
05:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
05:22 < krzee> did you also realize you barely gave me any of the log?
05:22 < krzee> which doesnt matter if you fixed it
05:24 < bn43> yeah fixed it!
05:24 < bn43> I did a tail of syslog
05:25 < krzee> now whats your end goal
05:25 < krzee> access the whole lan? redirect all traffic over vpn? or just securely access the machine
05:26 < bn43> access the whole lan securely
05:26 < krzee> !learn redirect as please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows
05:26 < vpnHelper> krzee: Joo got it.
05:26 < krzee> ok
05:26 < krzee> !route
05:26 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:26 < krzee> read it DONT SKIM IT
05:26 < krzee> read it DONT SKIM IT
05:26 < krzee> !learn route as READ IT DONT SKIM IT
05:26 < vpnHelper> krzee: Joo got it.
05:27 < bn43> i'm testing this on my laptop - I will then be installing on a file and internet gateway server
05:27 < bn43> yes windows clients
05:27 < bn43> cool will read it
05:27 < krzee> dont skim it =]
05:32 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
05:43 -!- onats__ [n=onats@122.53.136.244] has quit [Read error: 113 (No route to host)]
06:21 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
06:26 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
06:28 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
06:32 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
06:34 < bn43> krzee: u still there?
06:43 < bn43> hi all I've been reading the !route howto and I'm a little confused - the ccd file specified in server.conf - that does not exist - where must I create it?
06:44 < bn43> I point the ca, cert files to /etc/openvpn/easy-rsa/2.0/keys/
06:44 < bn43> must I create a ccd file for each windows client connecting?
06:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:47 < bn43> krzee: ok I got it right! I've been spending long hours on this and my config files were not configured right!
06:51 -!- dazo_home [n=David@r9dm48.net.upc.cz] has joined ##openvpn
06:52 * dazo_home is reading http://beta.openvpn.net/images/pdf/openvpn_access_server_system_admin_guide.pdf ... OpenVPN access server ... To work, SELinux must be disabled, default values for OpenVPN server port is 443/tcp ... what the heck!?!?!?
06:55 * dazo_home finds it a pity that OpenVPN Access Server is closed source as well
07:01 < onats> the guy's gotta make some money
07:03 < dazo_home> onats: I can live with that, but closing the software is an old fashioned way how to make money ... just look at what Novell and Red Hat does ...
07:03 < dazo_home> onats: and closing the software, does not make the software more secure
07:04 < onats> true...
07:04 < onats> i guess its more of protecting interests...
07:04 < dazo_home> yeah ...
07:06 < onats> dazo, are you familiar with DMZ?
07:06 < dazo_home> onats: yeah
07:06 < dazo_home> onats: what are you wondering about?
07:07 < onats> if a host is set into the dmz port, does that mean all traffic / ports get routed to that host?
07:07 < dazo_home> onats: ahh ... on such SOHO routers? Yeah, usually it means that
07:07 < onats> i mean a host is set to be in the DMZ?
07:07 < onats> DAMMIT!
07:07 < onats> i've been figuring out since yesterday why the clients couldn't connect
07:08 < dazo_home> onats: but if you only want some ports .... just use port fwd and route the different ports to your inside hosts
07:08 < onats> there's this other guy who configured the security camera and put the DVR in the DMZ
07:08 < onats> i know!!!
07:08 < onats> i just found it now
07:08 < dazo_home> aha
07:08 < onats> next time i'm going to change the passwords and any changes have to go through me
07:08 < dazo_home> clever guy .... not
07:08 < onats> putting the device in DMZ is really not the right solution. dumbass
07:08 < dazo_home> I always do it like that .... I shall know about any changes in the network
07:09 < dazo_home> exactly
07:09 * onats is fuming
07:09 < onats> i just wasted lots of hours on that. my fault too for not checking the DMZ soon enough
07:09 * dazo_home heads for some food
07:10 < dazo_home> heh ... such things happen ... "Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement."
07:11 < onats> the configuration i put in those routers were already stable
07:12 < onats> have been stable for a couple of months
07:12 < onats> i was already reaching the point that i was doubting maybe the ISP was blocking UDP traffic..
07:12 < onats> hehehe
07:12 < dazo_home> ouch
07:13 < dazo_home> well .... the password of the routers was probably the weak link here :-P
07:22 < onats> i had to give it to the owners
07:25 < bn43> hi I still need some clarification on routing plz - I have been reading !route and not getting the routing right
07:27 < bn43> I have a laptop running ubuntu - I get my network access via 192.168.27.0 net via wifi which is eth1, have configured the openvpn server to the ethernet card which is eth0 on 192.168.1.0 net
07:27 < bn43> openvpn provides client with 10.8.1.0 net
07:29 < bn43> I'm trying to get client to ping 192.168.27.0 net - in server.conf I have put in 'push "192.168.27.0 255.255.255.0" '
07:29 < bn43> what am I missing here?
07:31 < bn43> um so client connects to 2 nets - 192.168.1.0 which is how it connects to my laptop, and then the openvpn client over 192.168.1.0 to the openvpn network 10.8.1.0
07:36 < dazo_home> bn43: have you enabled ip_forward? .... have you checked firewall? (esp. the FORWARD chain)
07:37 < bn43> no firewall - I'm reading about forward
07:37 < dazo_home> cat /proc/sys/net/ipv4/ip_forward ... If I recall correctly
07:39 < bn43> If I'm understanding this correctly, because the client is connecting to 192.168.1.0 net, that net on my laptop needs to have routing to the 192.168.27.0 right?
07:40 < onats> dazo, have you played with SoC devices that boot from CF cards?
07:41 < dazo_home> onats: nope ... but I'm considering to buy a Soekris Engineering box ...
07:41 < onats> i just got an alix board
07:41 < onats> i can't boot it yet! argh!
07:41 < onats> heheh
07:41 < onats> i wonder which channel i can ask for help for this one
07:41 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
07:41 < dazo_home> bn43: yes, your client needs a route for the network on the server side ... the gateway would then be your VPN address on the server side
07:42 < dazo_home> onats: silly board :-P
07:42 < onats> dazo_home, it is? this board sucks?
07:42 < bn43> um - right - been working on this for 6 hours straight and my head is swimming - think I gotta take a break and get back to this soon
07:43 < dazo_home> onats: no, I have no idea ;-) ... I haven't tried any SoC boards at all, but I'm getting one for sure :-P
07:43 < dazo_home> bn43: good plan :)
07:43 < dazo_home> onats: I've heard several people mentioning Alix boards .... but I don't remember any pointers right now
07:44 < onats> oh ok..
07:44 < onats> i think its pretty good (have yet to be seen)
07:44 < onats> i've read that the amd geode has a hw based AES encryption chip, or something like that...
07:44 < onats> which makes vpn throughput faster
07:45 < dazo_home> I'll ping you about your experiences when you've had it in production for a little while ;)
07:45 < bn43> thanks all
07:45 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"]
07:46 < onats> yeah.. that is if i can get it to boot! ahhaha
07:46 < dazo_home> onats: yeah ... that's a big plus with Geode .... what I also like about the Soekris (which is also Geode, iirc) is that they even have a PCI based VPN accelerator as well .... but Linux drivers seems not to be worked on :(
07:46 < onats> so what OS are you supposed to run on it?
07:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
07:48 < dazo_home> I'm planning on a Linux distro, but I'm primarily getting soekris due to a PCI slot .... put in a Firewire card ... 4-5 disks on firewire and put them into a raid and hook it up to the network ....
07:48 < dazo_home> my own little NAS box .... cheaper and much more flexible, as I can install boxbackup more easily as backup client as well
07:49 < dazo_home> s/client/server/
07:53 < onats> alix board has a mPCI slot
07:53 < onats> ahhh PCI slot!
07:53 < onats> sorry
07:53 < onats> why don't you just get an atom integrated board?
07:53 < onats> that's got a 1.6GHz processor!
07:53 < onats> heheh
08:19 -!- bn43 [n=dhashen@41.28.164.102] has joined ##openvpn
08:27 < dazo_home> Been considering that ... but I want something which can work without screen, and which I even can install without a screen .... and soekris got serial port console .... My plan is to put this box somewhere well hidden, just supply power and network, unless I add a miniPCI card with wifi ... not sure about that yet ... so I want it to consume next to nothing of power, low heat and silent ... the only thing which may make noise is the disks
08:27 -!- bn43 [n=dhashen@41.28.164.102] has quit ["Ex-Chat"]
08:27 < dazo_home> http://www.soekris.com/net5501.htm
08:27 < vpnHelper> Title: Soekris Engineering > net5501 (at www.soekris.com)
08:39 < ecrist> dazo_home: soekris + SSD
08:40 < dazo_home> ecrist: yeah ... but I want 1TB in RAID5 for all my stuff .... I have photography as a hobby ;-)
08:41 < dazo_home> ecrist: so that's why I want to put things on real disks ... and in firewire to get some speed
08:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
08:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:58 < ecrist> dazo_home: firewire is slower than PCI bus. You'd see better performance with SATA2 or SAS
09:00 < dazo_home> ecrist: hmm ... true ... sata2 would be better actually, but I will also be limited to 100Mbit on the NICs on this box as well, so I have no expectations to go higher ... even though I might wait until a version with 1Gbit comes and the price is right
09:02 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
09:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
09:08 < ecrist> dazo_home: why do RAID5?
09:09 < dazo_home> ecrist: data integrity ... I want to be sure that even if 2 disks fails that I can restore most of the data
09:09 < ecrist> RAID5 you get one disk failure
09:09 < ecrist> RAID6 you can have two failures
09:10 < ecrist> neither one provide data integrity
09:10 < dazo_home> heh ... I meant RAID6 ...
09:10 * dazo_home is too used to write RAID5
09:11 -!- nemysis [n=nemysis@37-16.107-92.cust.bluewin.ch] has joined ##openvpn
09:12 < dazo_home> ecrist: depends on what you mean with data integrity .... I don't mean that data cannot be modified or that changes are tracked .... purely meant as a security mechanism in case of hardware failure
09:18 < ecrist> RAID6 is the sexy.
09:18 < ecrist> our backup system at the office uses it.
09:18 < ecrist> 12 SATA2 drives, 500GB each, RAID6+0
09:19 < ecrist> /dev/mfid0 3.5T 1.2T 2.0T 37% /d
09:19 < Dougy> hayyyyyy ecrist
09:19 < ecrist> sup Dougy? haven't seen you around in a while.
09:19 < Dougy> notta
09:19 < Dougy> yeah been busy sick.. you name it i got it
09:19 < Dougy> lol
09:19 < Dougy> RAID 10 is cool too
09:20 < ecrist> dazo_home: with 6+0, can have 4 drive failures simultaneously, and still keep going. :)
09:20 < Dougy> Unit UnitType Status %RCmpl %V/I/M Stripe Size(GB) Cache AVrfy
09:20 < Dougy> ------------------------------------------------------------------------------
09:20 < Dougy> u0 RAID-10 OK - - 64K 1396.96 OFF OFF
09:20 < Dougy> oO
09:21 < dazo_home> Dougy: but I want a setup where at least 2 drives can fail at the same point ....
09:21 < Dougy> talk to ecrist :)
09:21 < dazo_home> Dougy: heh
09:21 < Dougy> all i said was raid10 is cool
09:21 < Dougy> never said its good for you or anyone else :p
09:21 < dazo_home> ecrist: yeah, that's more like a setup I'd prefer ;-)
09:22 < Dougy> meh im tired of this new office already
09:22 < ecrist> dazo_home: out system cost us ~$11,000 to build
09:22 < ecrist> s/out/our/
09:23 < Dougy> ecrist: have you any use for two 5050s
09:23 < ecrist> what are 5050s?
09:23 < Dougy> LGA 771 dempsey dual core xeons
09:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:24 < dazo_home> ecrist: yeah .... I'm planning for something cheaper ... and I'll start with less disks ... but I'm also building up a NAS for media streaming another place as well .... so that might be worth caring with me
09:24 < ecrist> just the procs? don't think I've got anything that will take them.
09:24 < Dougy> k
09:24 < Dougy> yeah
09:24 < Dougy> hrmmmmmm
09:24 < Dougy> CentOS 5.3 is due out today..
09:24 < ecrist> dazo_home: why don't you go with FreeBSD 8.0-current and ZFS? krzee just got it set up, loving it from what I read.
09:25 < ecrist> Dougy: what did they come out of?
09:25 < ecrist> I *may* have a place for them in my new box.
09:25 < Dougy> ecrist: a box sitting in my room
09:25 < Dougy> theyve been there for several months
09:26 < dazo_home> ecrist: I know Linux to my fingertips, been using that since 96 or so ..... but yeah, I probably should investigate the *BSD family .... I know just ZFS from what I've read, and it seems neat ... but ext3 has never ever failed me .... reiserfs has failed me once, but managed to restore 98%
09:27 < ecrist> Dougy: they might fit in this dell server I've got here, 1850, what do you want for them?
09:27 < Dougy> you pay me to ship them
09:27 < Dougy> they are yours
09:27 < Dougy> fwiw - 667 mhz fsb
09:28 < Dougy> They are 3.0 ghz, 4mb cache xeons
09:28 < Dougy> dual core, 667 mhz fsb
09:29 < ecrist> mm, 2.8Ghz w/800Mhz FSB
09:29 < ecrist> http://www.ecomhost.net/dedicated/pe1850_specs.pdf
09:29 < ecrist> don't think I can use them.
09:29 < Dougy> k
09:29 < Dougy> lol
09:30 < ecrist> that system is going to be my new primary server
09:30 < Dougy> cool stuff
09:31 * Dougy will just build a box and rent it with the 5050s
09:31 < ecrist> 1x2.8Ghz Xeon, 4GB RAM, FreeBSD 64-bit, 2x15k 73GB disks in gmirror, dual 550W power supplies and 2 years of on-site service remaining. All for the low, low, price of $200 courtesy of craigslist. ;)
09:32 < Dougy> wow nice
09:33 < Dougy> i'm gonna order a couple of servers worth of parts
09:33 < Dougy> build myself like 7k worth
09:33 < ecrist> my current webserver is a dell 1750, 2x2.4GHz Xeon, 1GB RAM, FreeBSD 32-bit, 2x36GB 10k drives, dual power supplies.
09:33 < Dougy> yuck
09:34 < ecrist> load avg is only 0.9
09:34 < Dougy> so? old xeons lol
09:34 < Dougy> i just unloaded both my old dells
09:34 < Dougy> had a dual 3.6 ghz with 2 satas and a dual 3.2 with 2 sata
09:34 * ecrist <3 Dell
09:34 * Dougy <3 SuperMicro
09:34 < ecrist> eew
09:35 < ecrist> we have nothing but problems with supermicro, and parts are hard to find for them after they're EOL
09:35 * Dougy has never had a problem with SM
09:37 < ecrist> we've got a server, about 3 years old, power supplies were EOL'd by SM. it took almost a month to find a replacement
09:37 < Dougy> eew
09:37 < kraut> hi
09:37 < Dougy> ey
09:48 < ecrist> wow, I started a blackberry theme hosting site last friday. someone asked me to post a donation link. I did, they donated $10 towards me developing the site.
09:48 < ecrist> that was fast turn around.
09:48 < Dougy> lol
09:48 < Dougy> nice
09:49 < Dougy> my client owns e107designs.org
09:49 < ecrist> that site times out
09:49 < Dougy> oO
09:49 < Dougy> works fine for me
09:50 < ecrist> now it works.
09:50 < Dougy> interesting
09:50 < Dougy> its a google Pr5
09:50 < ecrist> I got what looks like an internal redirect
09:50 * Dougy got a link back on there for free
09:50 < ecrist> what is an e107?
09:51 < ecrist> nm, google didn't fail me.
09:51 < Dougy> e107 is an extremely populra CMS
09:51 < Dougy> popular
09:51 < ecrist> http://lmgtfy.com/?q=e107designs
09:51 < vpnHelper> Title: Let me google that for you (at lmgtfy.com)
09:51 < Dougy> nice
09:57 < Dougy> e107 is nice
10:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
10:22 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn
11:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:59 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
12:00 < mRCUTEO> !/30
12:00 < vpnHelper> mRCUTEO: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:00 < mRCUTEO> !topology
12:00 < vpnHelper> mRCUTEO: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:00 < mRCUTEO> !interface
12:00 < vpnHelper> mRCUTEO: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
12:07 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
12:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:01 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
14:12 -!- Diddi [n=diddi@colalapp.bsnet.se] has joined ##openvpn
14:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:14 < Diddi> hm.. without trying all too hard to find the answer; is it possible to have openvpn using a remote and/or secondary CA to check the certs with?
14:15 < Diddi> or is it perhaps rather an openssl issue ?
14:15 < kraut> reiffert: got my vpn running again. the strange thing is, that udp is not working, tcp is working like a charm.
14:16 < kraut> reiffert: i think that is an issue within the firmware-modification. need to investigate that.
14:34 < reiffert> kraut: which one, freetz or avm?
14:35 < kraut> freetz
14:35 < kraut> this dsld is teh sucks
14:35 < kraut> total blackbox... you throw an ip-packet in and hope it comes out on the other side
14:35 < reiffert> yeah. How about paying someone for getting avm's svn repo?
14:36 < kraut> na, actually we are planning to replace dsld with iptables and pppd
14:36 < reiffert> and kernel pppoe?
14:36 < kraut> yep
14:36 < reiffert> or userland, well whatever
14:37 < kraut> the problem is to size that for the capacity of the flash
14:37 < reiffert> do you know anything about that magical number of possible voice call recordings on an USB stick?
14:37 < kraut> 20 or 30 was it
14:37 < reiffert> when there are 255 on an USB stick, the voice recording function stops working
14:38 < kraut> ah, 255 makes more sense
14:38 < kraut> yep. i heard about it
14:39 < reiffert> ah well, how stupid is this?
14:39 < kraut> don't ask me, it sucks also hell
14:39 < reiffert> some avm support guy told me, that they opened an internal ticket for this case, but after 4 months and many new updates, no changes at all.
14:40 < kraut> yep and there is also no real solution to delete them
14:40 < kraut> you need to do this by hand or with a cronjob
14:40 < reiffert> It just sucks so much. Imagine this box at a business place like a car repair station ... voice recorder stops working every week.
14:40 < reiffert> yeah
14:40 < kraut> yep, i know
14:42 < reiffert> is there any freetz software replacing this piece of avm hell by any chances?
14:42 < kraut> not at the moment
14:42 < kraut> but perhaps you could do this on your own with dtmfbox?
14:43 < reiffert> I have no idea. dtmfbox is avm stuff or free software? Already part of freetz?
14:44 < kraut> free
14:44 < kraut> yep
14:45 < kraut> but it's more a kind of a softswitch
14:45 < kraut> i have less skills concerning this telephone stuff :)
14:47 < reiffert> Once I had a voice recorder built from vgetty, 250 funny messages playing one on random
14:48 < kraut> hrhr
14:48 < reiffert> capisuite was replacing it 2 years later (vgetty = modem hell).
14:49 < reiffert> at least both voice recorders didnt have any limits.
15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
15:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: boojit
15:03 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn
15:09 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
15:18 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
15:27 < reiffert> boojit: any news?
15:29 -!- Flumdahl [i=n30@shell.auth.se] has left ##openvpn []
15:31 < krzie> kraut still having your problem in ivpn?
15:31 < krzie> ovpn?
15:35 < reiffert> 21:15 < kraut> reiffert: got my vpn running again. the strange thing is, that udp is not working, tcp is working like a charm.
15:35 < reiffert> 21:16 < kraut> reiffert: i think that is an issue within the firmware-modification. need to investigate that.
15:35 < reiffert> 21:34 < reiffert> kraut: which one, freetz or avm?
15:35 < reiffert> 21:35 < kraut> freetz
15:39 < krzie> firmware mod?
15:39 < krzie> he using some sort of hardware auth?
15:39 < krzie> like those lil secure keychain dongles?
15:40 < reiffert> adsl router
15:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:41 < krzie> umm, i dont think so
15:41 < krzie> if his adsl router wouldnt allow udp to pass, he'd have no DNS
15:42 < krzie> does he use one of those linux ones?
15:42 < reiffert> yep
15:42 < krzie> checked out his firewall and whatnot?
15:42 < reiffert> dunno
15:43 < krzie> he could be blocking his own stuffs
15:43 < reiffert> problem is, all this network stuff on his hardware was replace by vendor. closed source.
15:43 < reiffert> replaced
15:43 < krzie> i have a hard time believing his router wont allow udp passthrough
15:43 < krzie> because of firmware
15:48 < Bushmills> many routers can operate as dns proxies, and their dhcp server tells client to use routers as dns. with this setup, udp doesn't need to go "through" router
15:49 < Bushmills> i suppose dig @remotedns hostname would tell
15:56 < mjt> speaking of voip and stuff like that. Here, we're using voice applications over openvpn connections. I wonder if it'll be better to set proper MTU on the tunnel interface.
15:56 < mjt> (instead of relying on -mssfix which obviously does not work for udp)
16:04 < krzie> mjt, mtu-test would tell you
16:04 < krzie> which i remember telling you
16:05 < mjt> i know mtu-test.
i just wonder if it is really necessary :)
16:07 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Solver, bandini, kaii
16:07 -!- Netsplit over, joins: bandini, Solver, kaii
16:08 < krzie> you dont need to change mtu unless mtu-test says so
16:08 < krzie> in fact changing the mtu when it doesnt say so will probably hurt more than it could help
16:09 < mjt> it's.. interesting.
16:09 < mjt> note that most of the time, there will be no problems/issues at all -- with TCP connections, due to mssfix.
16:10 < mjt> but "some other" packets will be fragmented
16:10 < mjt> including udp
16:10 < mjt> which is all voip
16:10 < mjt> so yeah, there's no need to touch mtu because in "almost all cases" it just works.
16:12 < mjt> i'll experiment tomorrow -- wonder if setting up real MTU will change quality of voice anyhow...
16:13 < mjt> (it sucks since i switched to openvpn, but i didn't know because i don't use it - my colleagues told me)
16:13 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection]
16:13 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
16:14 < mjt> and i wonder if openvpn needs it per-client instead of per-interface...
16:28 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
16:51 -!- Dougy is now known as Dougy[Office]
17:03 -!- c64zottel [n=hans@p5B179258.dip0.t-ipconnect.de] has quit ["Leaving."]
17:31 < krzie> !route
17:31 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:32 < krzie> mjt, you gotta realize, you have udp going over udp
17:32 < krzie> so now 2 layers that can drop packets instead of 1
17:32 < krzie> dont get me wrong, you're doing it right
17:32 < krzie> but ya...
17:32 < krzie> anyways tho, SIP works great for me over UDP, and i have 300ms latency from me to my openvpn server
17:33 < krzie> which then connects to the next place before the sip connection is really established
17:33 < krzie> (my pbx isnt directly connected to the PSTN)
17:40 -!- dazo_home [n=David@r9dm48.net.upc.cz] has quit ["Leaving"]
17:49 < ecrist> ARAHADAHDA!!!
17:49 < ecrist> my bank is run by tight asses
17:50 < ecrist> they charge $9, yes, N I N E DOLLARS for use of an ATM that's not theirs.
17:50 < ecrist> ON TOP OF the standard ATM fee.
17:52 < krzie> bank of america?
17:52 < ecrist> no, TCF
17:52 < krzie> dunno them
17:52 < krzie> but wash mutual kicks ass
17:52 < krzie> they dont even charge for international wire transfers
17:53 < ecrist> cool
18:01 < dan__t> hm
18:10 < krzie> !irclogs
18:10 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
18:33 -!- ToXo [n=carbon@hosr3141-04.hh.se] has joined ##openvpn
18:33 < ToXo> Hii Rooom !!!
18:33 < ToXo> If i will install and configure OpenVPN on Fedora...
18:34 < ToXo> then do i also need open client or Windows XP built in connection can connect with this server ????
18:35 < ToXo> 58 people sitting here !!
18:35 < ToXo> HellOoo !!!! any one
18:38 < dan__t> Chill.
18:39 < dan__t> No, the built-in cannot.
18:39 < dan__t> OpenVPN GUI is a good option in that case, though.
18:39 < dan__t> Windows' "VPN" client uses PPTP, and MPPE, which is a horridly shitty excuse for a VPN. OpenVPN is SSL-based. Different mechanisms, they are not compatible.
18:42 < krzie> !learn notcompat as ipsec and pptp are NOT compatible with openvpn...
openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible
18:42 < vpnHelper> krzie: Joo got it.
18:42 < ToXo> if we dont implement security thing still it will not be compatible ?
18:42 < krzie> IT IS NOT COMPAT
18:42 < krzie> and wont be, i dont care what you do
18:42 < krzie> but you can run openvpn on windows as well
18:43 < ToXo> hmm.. which vpn server will be nice in which we dont have to use any client software ?
18:43 < ToXo> openVPN server ?
18:43 < krzie> we only help with openvpn
18:43 < krzie> if you want openvpn, you need openvpn on ALL machines which will directly connect
18:43 < krzie> but you only need 1 machine running openvpn in each network, even if you want the whole lan connected
18:44 < ToXo> hmm..
18:45 < ToXo> but i heard somewhere that windows client can work with openvpn server..
18:46 < ToXo> anywayz... the story is that.. i want to browse the service which is only available in that country
18:47 < ToXo> so .. i will connect my system with that country server.. and then use that particular service
18:47 < ToXo> for that i thought i should install openvpn on that server
18:48 < krzie> well, openvpn can work on windows
18:48 < krzie> if you install openvpn on it
18:48 < krzie> but listen to me, OPENVPN ONLY CONNECTS WITH OPENVPN
18:48 < ToXo> yes .. of course..
18:49 < ToXo> i was just unsure that.. why not only windows XP/ Vista client can connect to OPENVPN
18:49 < ToXo> vista also ?
18:49 < krzie> yes, you can have the client default route over the server
18:49 < krzie> yes, with 2.1 rc15
18:49 < ToXo> means ? 2.1
18:49 < krzie> the version
18:50 < krzie> you really should read the howto
18:50 < krzie> !howto
18:50 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
18:50 < krzie> also
18:50 < krzie> !sample
18:50 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
18:50 < krzie> then if you want to connect lans:
18:50 < krzie> !route
18:50 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:50 < krzie> for default routing over the vpn:
18:50 < krzie> !redirect
18:50 < vpnHelper> krzie: "redirect" is please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows
18:50 < ToXo> hmm. thanks.. !! but you said that yes with 2.1 of vpns ..
18:51 < krzie> openvpn 2.1 rc15
18:51 < krzie> its the version you want
18:51 < ToXo> oh i see !!
18:55 < ToXo> Thanks a lot... !! Guys!!
18:55 < krzie> yw
18:55 < krzie> !learn notcompat as openvpn only connects to openvpn
18:55 < vpnHelper> krzie: Joo got it.
18:55 < ToXo> ----<-<--@
18:56 < ToXo> take this flower and put it at door of this room :)
18:56 < ToXo> bye all !!
18:56 < krzie> lol
18:56 < krzie> bye
18:56 < krzie> hey you never read !redirect
18:56 < krzie> you'll want that info when it comes time
18:56 < ToXo> redirect where ?
18:56 < krzie> !redirect
18:56 < vpnHelper> krzie: "redirect" is please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows
18:57 < ToXo> oh ok !!..
18:57 < krzie> for sending your traffic from client through server's inet connection
18:57 < ToXo> see ya
18:57 -!- ToXo [n=carbon@hosr3141-04.hh.se] has left ##openvpn []
18:59 < krzie> lol
19:21 < onats1> is there a way to scan the irc logs, even if i wasn't online that time?
19:24 < krzie> !irclogs
19:24 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
19:25 < onats1> if ecrist isn't online, no logs?
19:25 < krzie> right
19:25 < krzie> thats who collects them
19:26 < krzie> but hes on more than the bot
19:26 < krzie> lol
19:26 < krzie> and he has a very good connection
19:26 < krzie> so trust me, its best that way anyways
19:27 < onats1> alright.. might need to go back on irc logs. was able to boot up my alix already! wheee! heheh
19:27 < krzie> alix?
19:27 < onats1> wait
19:28 < krzie> my nfs took a fatty shit
19:29 < krzie> 3 of 4 of the drives are bad
19:29 < krzie> 2 of the 4 crash the diag disk (SeaTools)
19:29 < krzie> and i always bought seagate to avoid this crap
19:31 < onats1> well at least its lifetime warranty!
19:31 < krzie> ya great, now i get to send them to usa and get raped by customs when they come back
19:31 < onats1> krzie, http://www.pcengines.ch/alix2d3.htm
19:31 < vpnHelper> Title: PC Engines alix2d3 product file (at www.pcengines.ch)
19:32 < onats1> where are you based again?
19:32 < onats1> try sending to SG
19:32 < krzie> caribbean
19:32 < krzie> same deal
19:33 < krzie> oh basically like a soekris box
19:33 < onats1> yes
19:34 < krzie> how much?
19:45 < Bushmills> krzee, try clicking the "shop" button, there are prices
19:45 < krzie> he may not have bought from them
20:03 < onats1> i bought it from netgate
20:03 < onats1> total cost around $230 including shipping, casing, wifi card
20:03 < onats1> from pcengines direct it comes out cheaper, but shipping is more expensive
20:03 < krzie> right on
20:13 -!- belZe [i=server3@p5091C717.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
20:14 -!- belZe [i=noone@p5091CCF4.dip.t-dialin.net] has joined ##openvpn
20:33 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
21:26 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
21:27 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
21:57 -!- dli_ [n=dli@adsl-75-21-88-19.dsl.chcgil.sbcglobal.net] has joined ##openvpn
21:59 < dli_> can I run two VPNs simultaneously, A->B, and B->A, each one serves as server in once. so, I can always have VPN as far as one way port forwarding works
22:55 < ecrist> onats1: my irssi session is the one doing the logging.
22:57 < ecrist> dli_: that will break horribly
23:04 < onats1> ecrist, how do i get it? download the logs from the link: http://www.secure-computing.net/logs/openvpn.txt.gz
23:04 < onats1> ?
23:04 < ecrist> yes
23:04 < ecrist> it's all the logs from aug 1 2008 till now
23:04 < dli_> ecrist, why?
23:05 < ecrist> gzipped it's like 3MB
23:05 * ecrist goes to bed.
23:09 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
--- Day changed Mon Mar 30 2009
01:00 < reiffert> morning
01:10 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:19 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
01:20 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:23 -!- qkit [n=kiew@203.82.91.34] has joined ##openvpn
02:30 < qkit> afternoon all.
02:30 < qkit> Guys, i have a question. Are UDP connections faster than TCP connections in openvpn? can i use both in the openvpn setting?
02:35 < qkit> ?
02:40 -!- qkit [n=kiew@203.82.91.34] has left ##openvpn []
02:48 < kala> both simultaneously?
02:50 < kala> the --learn-address script could be used to update the client's dynamic DNS name, after connection and disconnection, right?
03:06 < onats1> !configs
03:06 < vpnHelper> onats1: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
03:06 < onats1> !sampleconfigs
03:06 < vpnHelper> onats1: Error: "sampleconfigs" is not a valid command.
03:06 < onats1> !sampleconfig
03:06 < vpnHelper> onats1: Error: "sampleconfig" is not a valid command.
03:06 < onats1> !sample
03:06 < vpnHelper> onats1: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:07 < onats1> krzee, are you awake?
03:20 < Bushmills> onats1, ls -l /usr/share/doc/openvpn/examples/sample-scripts
03:24 < onats1> thanks Bushmills. looking.
03:26 < onats1> Bushmills, do you have a format for ifconfig-pool-persist file?
03:26 < onats1> !ifconfig-pool-persist
03:26 < vpnHelper> onats1: Error: "ifconfig-pool-persist" is not a valid command.
03:27 -!- onats1 is now known as onats
03:27 < Bushmills> that's on of the files in the ccd dir?
03:27 < Bushmills> one
03:27 < onats> i dont think it has to be in ccd
03:27 < onats> basically i want to assign static IP's to the clients connecting
03:29 < Bushmills> yes. put a file, containing s.t. like ifconfig-push 10.86.80.6 10.86.80.7, with name of key (without the key extension), into ccd subdirectory of openvpn dir
03:30 < kraut> morning
03:34 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
03:34 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
03:34 < Bushmills> and make sure the server config has a line like client-config-dir ccd
03:34 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
03:35 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:37 -!- FuraX [n=cp@umb-sls99-003.u-strasbg.fr] has joined ##openvpn
03:38 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
03:38 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:40 -!- dli__ [n=dli@adsl-75-22-17-129.dsl.chcgil.sbcglobal.net] has joined ##openvpn
03:52 < onats> that's for ccd... ok. i'm trying out this ifconfig-pool-persist first..
03:53 < onats> problem with this router i'm using, there's no other directory i can write files to, except temp
03:55 -!- dli_ [n=dli@adsl-75-21-88-19.dsl.chcgil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
03:58 < Bushmills> i vaguely seem to remember that i switched to ccd config since ipp.txt entries weren't reliably assigning the same ip address upon reconnection.
03:59 < Bushmills> but - how can ipp.txt be updated if /tmp is the only dir you can write to?
04:00 < onats> there's a section there on the router config where i can run scripts on startup
04:00 < onats> it creates the files in temp dir
04:00 < onats> this is only temporary
04:01 < onats> great.
now vpn wont start on my device
04:20 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
04:24 < reiffert> morning
04:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:02 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
05:03 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
05:49 -!- overrider [n=override@unaffiliated/overrider] has joined ##openvpn
05:51 < overrider> hello there, id like to install openvpn on a server i have in another country, and then connect to it and surf the web via it, sort of using it as a secure proxy. can this be done? i mean, i dont need the server to issue me any IP or anything, it cant, it just has 1 public IP. maybe set it up so it issues me a localhost ip, eg 127.0.10.10 or so?
05:53 < overrider> !howto
05:53 < vpnHelper> overrider: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
06:46 -!- nemysis [n=nemysis@37-16.107-92.cust.bluewin.ch] has quit [Connection timed out]
06:49 -!- nemysis [n=nemysis@226-12.107-92.cust.bluewin.ch] has joined ##openvpn
07:10 -!- overrider [n=override@unaffiliated/overrider] has quit ["leaving"]
07:17 < c64zottel> hello
07:17 < c64zottel> i am port forwarding through a rv042 router to the openvpn-server
07:18 < c64zottel> i can see the incoming packages with tshark, but the openvpn-server is not responding, i tried verb 9, and i can't see any reaction of the server when a package is arriving
07:22 < dazo> c64zottel: check your firewall config .... might be that you're blocking something in either filter or nat table
07:22 < dazo> c64zottel: also check with netstat -lnptu ...
if you find openvpn process there
07:23 < c64zottel> dazo: openvpn is running, i could connect without the port forwarding
07:23 < c64zottel> the machine has no fw
07:24 < dazo> c64zottel: where does the portfwd happen? On the same box as openvpn, or on a box in front of openvpn box?
07:24 < c64zottel> different box
07:24 < c64zottel> the openvpn server is on an esx, the router is a rv042
07:25 < c64zottel> and i can see the incoming packages on the esx
07:25 < dazo> c64zottel: then something goes wrong with the portfwd some how .... have you checked if both tcp and udp port forwarding is supported? And what about the openvpn box? tcp or udp?
07:26 < dazo> c64zottel: ahh
07:26 < c64zottel> vpn-esx:/etc/openvpn# tshark -i eth1 -f "port 1194"
07:26 < c64zottel> Running as user "root" and group "root". This could be dangerous.
07:26 < c64zottel> Capturing on eth1
07:26 < c64zottel> 0.000000 84.x.x.x -> 10.10.1.74 UDP Source port: 57360 Destination port: openvpn
07:26 < dazo> c64zottel: sounds fair enough
07:26 < c64zottel> all udp
07:27 < c64zottel> there is not much to make wrong
07:27 < dazo> c64zottel: then you really do have a firewall issue somehow .... if the openvpn process does not react to those packages at all
07:27 < c64zottel> ovpn-esx:/etc/openvpn# iptables -L
07:27 < c64zottel> Chain INPUT (policy ACCEPT)
07:27 < c64zottel> target prot opt source destination
07:27 < c64zottel> Chain FORWARD (policy ACCEPT)
07:27 < c64zottel> target prot opt source destination
07:27 < c64zottel> ACCEPT all -- anywhere anywhere
07:27 < c64zottel> ACCEPT all -- anywhere anywhere
07:27 < c64zottel> Chain OUTPUT (policy ACCEPT)
07:28 < c64zottel> target prot opt source destination
07:28 < dazo> c64zottel: what about the nat table?
07:28 < c64zottel> ovpn-esx:/etc/openvpn# iptables -L -t nat
07:28 < c64zottel> Chain PREROUTING (policy ACCEPT)
07:28 < c64zottel> target prot opt source destination
07:28 < c64zottel> Chain POSTROUTING (policy ACCEPT)
07:28 < c64zottel> target prot opt source destination
07:28 < c64zottel> MASQUERADE all -- anywhere anywhere
07:28 < c64zottel> Chain OUTPUT (policy ACCEPT)
07:28 < c64zottel> target prot opt source destination
07:28 < c64zottel> i hope its ok posting like a pig here...
07:28 < dazo> c64zottel: that MASQUERADE rule seems odd ....
07:28 < c64zottel> this once
07:29 < dazo> c64zottel: you might get some complaints by the others here ....
07:29 < c64zottel> hm, that comes from a 2nd nic, which is disabled
07:29 < dazo> c64zottel: can you try to do iptables -t nat -F && iptables -F ... just to have them really clean
07:30 < c64zottel> echo 1 > /proc/sys/net/ipv4/ip_forward
07:30 < c64zottel> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
07:30 < c64zottel> /sbin/iptables -A PREROUTING -p udp --dport 1194 -i eth0 -t mangle -j ACCEPT
07:30 < c64zottel> /sbin/iptables -A PREROUTING -i eth0 -t mangle -j DROP
07:30 < c64zottel> /sbin/iptables -A FORWARD -i tap0 -o eth1 -j ACCEPT
07:30 < c64zottel> /sbin/iptables -A FORWARD -i eth1 -o tap0 -j ACCEPT
07:30 < c64zottel> that is the fw
07:30 < reiffert> why that mangle table magic?
07:31 < dazo> c64zottel: I have no idea ....
07:32 < dazo> c64zottel: please try to flush all tables .... because those FORWARD rules make absolutely no sense at all ... default policy is ACCEPT for all your chains, you cannot make it even more explicit than that
07:32 < c64zottel> ok, i did iptables -F {-t nat, -t mangle }
07:32 < dazo> c64zottel: do the filter table as well ...
without -t
07:33 < c64zottel> i did
07:33 < dazo> c64zottel: good
07:33 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
07:33 < c64zottel> no effect
07:34 < reiffert> he needs to flush the mangle table as well
07:34 < reiffert> c64zottel: paste on pastebin:
07:34 < c64zottel> reiffert: not sure anymore, once i wanted just to open 1194
07:34 < reiffert> iptables -t filter -L -v -n
07:34 < reiffert> iptables -t mangle -L -v -n
07:34 < c64zottel> reiffert: mangle is flushed
07:34 < reiffert> iptables -t nat -L -v -n
07:34 < dazo> c64zottel: oki ... add some logging on the INPUT and OUTPUT rules now ..... -I INPUT --dport -j LOG --log-prefix " INPUT >>" ... and similar for output ... and have a look at dmesg
07:34 < reiffert> opening a port: filter table
07:35 * reiffert better keeps his mouth shut now
07:35 < dazo> c64zottel: mangle table is used to change things inside the tcp/ip package ... not to block or open access ... that's all done in the filter table, thus the name filter
07:37 < c64zottel> dazo: right, but there was a problem, i can't remember, but filter has not accepted the rule
07:37 < reiffert> btw, what is c64zottel's problem?
07:38 < dazo> c64zottel: then something was wrong in the rule definition .... you never want to filter in mangle, that's chaotic
07:38 < reiffert> did he mention that he is running on vmware?
07:38 < dazo> reiffert: yes ... esx
07:38 < reiffert> last week there's been a guy with problems on vmware as well
07:39 < dazo> reiffert: when enabling portfwd on the router in front, the traffic hits the vm but not the openvpn process ... without portfwd all is fine
07:39 < reiffert> I think it was Flumdahl
07:39 < dazo> reiffert: that's neat info .... might be some vmware issues then ....
07:39 * dazo looks in scrollback
07:39 < reiffert> dazo: how does that packet get to openvpn without portfwd?
07:40 < reiffert> dazo: I was handling Flumdahl by private chat, plenty of ssh sessions.
07:40 < c64zottel> ovpn-esx:~# iptables -I INPUT --dport 1194 -j LOG --log-prefix "INPUT>>"
07:40 < c64zottel> iptables v1.4.2: Unknown arg `(null)'
07:40 < c64zottel> ok, whats wrong?
07:40 < dazo> reiffert: that beats me .... that's why I began to suspect something in the iptables
07:40 * dazo will double check syntax
07:41 < reiffert> tcpdump should help you.
07:41 < dazo> reiffert: he's been using tshark .... seems reasonable
07:41 < c64zottel> reiffert: dazo: there is a 2nd nic, and i used it as a normal server with an external ip-address, but now we want to save the external ip-address
07:41 < dazo> reiffert: but not sure if that hooks onto the device before or after the netfilter
07:42 < mjt> iptables -I requires 2 arguments, not one
07:42 < dazo> iptables -I INPUT -j LOG --log-prefix "[INPUT ]"
07:42 < mjt> iptables -I $CHANNEL $number
07:42 < dazo> mjt: if you skip the number, it goes at the top
07:42 < mjt> aha. didn't know
07:43 < reiffert> dazo: before.
07:43 < reiffert> dazo: (when using libpcap)
07:44 < dazo> reiffert: yeah, I thought so ... that's why I would like to do logging in iptables ... to see what passes
07:44 < reiffert> mjt: number is optional.
07:45 < dazo> c64zottel: did you see my "modified" log change? ... not sure if it was those >> which could give an issue
07:45 < mjt> when you used all 3 - ipfw, ipchains and iptables (and now they proposed nftables)... it's not that difficult to misremember some things :)
07:45 < c64zottel> dazo: the --dport was the issue
07:45 < mjt> and dport requires proto
07:45 < dazo> mjt: well ... ipfw and ipchains have been dead since .... 2000 or so?
07:46 < dazo> c64zottel: yeah ... sorry! I forgot to add -p udp
07:46 < c64zottel> http://pastebin.com/m6b44949a
07:47 < c64zottel> ok, here are the lines, without port 1194
07:47 < c64zottel> i will change it now...
07:47 < reiffert> dazo: ah well, tcpdump captures before netfilter magic.
07:47 < reiffert> dazo: I'd prefer tcpdump.
afk
07:49 < c64zottel> iptables -A OUTPUT -j LOG --dport 1194 -p udp
07:49 < c64zottel> iptables v1.4.2: Unknown arg `(null)'
07:49 < mjt> dazo: yeah, ipchains was gone together with kernel v. 2.2. But i still - sometimes - don't remember if something was that way in iptables or ipchains :)
07:49 < mjt> c64zottel: put -p udp before
07:50 < c64zottel> ok
07:50 < mjt> before dport, that is
07:50 < reiffert> I think he's missing the ulog/log module
07:51 < reiffert> try ulog when log fails
07:51 < dazo> reiffert: log worked ... it was just issues with --dport ... and missing -p udp
07:51 < mjt> in that case the error message is different
07:51 < mjt> iptables correctly handles missing modules - both kernel and userspace
07:52 < mjt> ("correctly" = with clean error messages in this case)
07:52 < mjt> esp. 1.4+
07:52 < c64zottel> but there is nothing in /var/log/{messages,kern.log}
07:52 < mjt> but is your sys[k]log[d] running to start with? :)
07:53 < c64zottel> probably i have to give a log-file?
07:53 < dazo> c64zottel: dmesg should give you everything
07:53 < c64zottel> mjt: yes
07:53 -!- _jack-- [n=kaushal@202.79.41.215] has quit [Read error: 113 (No route to host)]
07:53 < dazo> c64zottel: it logs via klog .... and klog messages are viewable via dmesg
07:53 < mjt> dmesg will show everything, yeah
07:53 < c64zottel> dazo: and that's still nothing
07:54 < dazo> c64zottel: then your packets get lost in the kernel somehow
07:54 < c64zottel> Mar 30 15:54:38 ovpn-esx kernel: [615534.830425] device eth1 entered promiscuous mode
07:54 < c64zottel> Mar 30 15:54:42 ovpn-esx kernel: [615538.580614] device eth1 left promiscuous mode
07:54 < mjt> dazo: btw, there are several syslogds out there. I prefer the one from inetutils, which includes klogd into the same binary.
07:54 < mjt> lovely
07:54 < c64zottel> these two lines are in /var/log/messages and are shown by dmesg
07:54 * dazo prefers syslog-ng ...
due to the flexible and more understandable configs
07:55 < mjt> i prefer old-school things ;)
07:55 < mjt> c64zottel: what's the system? kernel?
07:55 < c64zottel> Linux ovpn-esx 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686 GNU/Linux
07:55 < mjt> ok
07:55 < c64zottel> but how can that be? iptables shows nothing but tshark does?
07:56 < mjt> easy
07:56 < mjt> 16:49 < c64zottel> iptables -A OUTPUT -j LOG --dport 1194 -p udp
07:56 < dazo> c64zottel: that's because the packages do not reach the netfilter somehow .... and that can be either a bug in the vmware's NIC driver ... or a kernel bug
07:56 < mjt> i note the -A option
07:56 < c64zottel> ok
07:56 < mjt> -A means adding the LAST rule
07:57 < mjt> not the FIRST.
07:57 < c64zottel> mjt: but thats the only rule
07:57 < mjt> heh
07:57 < dazo> mjt: that's why I used -I ... to get it first in the chain ... because the package needs to pass the first rule
07:57 < c64zottel> ovpn-esx:~# iptables -L
07:57 < c64zottel> Chain INPUT (policy ACCEPT)
07:57 < c64zottel> target prot opt source destination
07:57 < c64zottel> LOG udp -- anywhere anywhere udp dpt:openvpn LOG level warning prefix `input>>'
07:57 < mjt> and OUTPUT chain
07:57 < c64zottel> for output the same
07:58 < mjt> do you use bridge by a chance?
07:58 < c64zottel> i agree, but we flushed it before, right?
07:58 < c64zottel> its a tap device, yepp
07:58 < mjt> i mean, --dport in OUTPUT
07:58 < dazo> c64zottel: yeah... I just wanted to be absolutely safe'n'sure
07:58 < c64zottel> ah, damn
07:58 < mjt> c64zottel: the thing is: if it's bridging, iptables wont see it
07:58 < mjt> ebtables will
07:59 < mjt> UNLESS the packets are destined for your host
07:59 < mjt> and for input/output and dport.
If one side has --no-bind (or how it is), the port on that side will be different
08:00 < mjt> s/different/random/
08:00 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has joined ##openvpn
08:00 < c64zottel> mjt: yes, i understand
08:00 < c64zottel> i deleted the --dport on output
08:00 < c64zottel> i installed ebtables
08:00 < AdvoWork> hi there, i need to edit my server.conf but ive got no idea where it is, what file references server.conf so i can work out where it is?
08:00 < c64zottel> i guess, it uses the same rules like iptables
08:01 < dazo> AdvoWork: which OS?
08:01 < dazo> c64zottel: nope
08:01 < c64zottel> does the logging work equally?
08:01 < mjt> c64zottel: it's different - it works on ethernet level, not IP level
08:01 < AdvoWork> dazo, ubuntu
08:01 < dazo> AdvoWork: have you looked under /etc/openvpn/ ?
08:01 < mjt> c64zottel: i mean, it knows nothing about ip addresses, ports and the like
08:02 < AdvoWork> dazo, ive got a folder in there called examples
08:02 < AdvoWork> ive been following this guide http://www.thebakershome.net/?q=node/56
08:02 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net)
08:02 < AdvoWork> and im now on step 12
08:03 < c64zottel> ok
08:03 < c64zottel> then i gonna read the manual first...
08:03 < mjt> c64zottel: but what are you trying to do?
08:03 < mjt> why did you install ebtables?
08:04 < AdvoWork> dazo, do i need to copy server.conf and client.conf from examples to /etc/openvpn/ ?
08:04 < c64zottel> because, i guessed its helpful to find the error...
08:04 < mjt> and how do you think ebtables will help you? :)
08:04 < dazo> AdvoWork: you probably need to create that file yourself .... but I'm not sure I would recommend starting with setting up bridging if you do not explicitly need layer2 network traffic passing
08:04 < c64zottel> i have no idea, because, i don't know what ebtables does
08:05 < dazo> mjt: maybe he wanted to install that because you talked about it?
;-)
08:05 -!- onats__ [n=onats@122.53.131.243] has joined ##openvpn
08:05 < c64zottel> mjt: but i am very open for suggestions
08:05 < AdvoWork> dazo, how do i know if i need that then?
08:05 < mjt> ebtables is like iptables but on the "ethernet" layer
08:05 < mjt> lets one restrict mac addresses for example
08:05 < c64zottel> i got that
08:06 < mjt> c64zottel: as far as i understand you've 3 interfaces - the real nic, a bridge, and your virtual nic, right?
08:06 < c64zottel> mjt: right
08:06 < mjt> (maybe others but that's details)
08:06 < c64zottel> the 2nd nic is down
08:07 < mjt> so are the packets shown on real nic AND the virtual iface?
08:07 < mjt> tcpdump/wireshark/whatever
08:07 < c64zottel> just on the real nic
08:07 < c64zottel> eth1
08:08 < mjt> lovely.
08:09 < mjt> so check the ARP table too (ip neigh show)
08:09 < mjt> can you ping your virtual machine?
08:09 < c64zottel> 10.10.1.190 dev eth1 lladdr 00:16:b6:87:54:76 STALE
08:09 < c64zottel> 10.10.2.34 dev eth1 lladdr 00:17:08:48:d5:46 REACHABLE
08:09 < c64zottel> i am connected via ssh to the virtual machine
08:10 < mjt> dev eth1???
08:10 < mjt> that's... wrong.
08:10 < mjt> it should be on the bridge
08:10 < c64zottel> ok, i am sorry, i mixed it
08:10 < c64zottel> i use bridging in openvpn
08:11 < c64zottel> i am confused, what do you mean with it should be on the bridge?
08:11 < mjt> i was thinking you're bridging your real nic (eth1) with your openvpn virtual nic.
08:12 < mjt> if that's not the case, scratch just everything i said so far....
08:12 < c64zottel> i guess not, the config is pretty simple, openvpn uses tap0, and i have a normal nic, eth1 which is connected to the lan 10.10.1.74
08:14 < c64zottel> ok, i tried the same with ssh, and the same problem
08:14 < c64zottel> hm
08:14 < c64zottel> maybe, i should try another kernel, or?
08:16 < mjt> the same with ssh?
08:16 < c64zottel> yepp
08:20 < mjt> it's not kernel-related, or should not be.
08:21 < mjt> but what did you do with ssh?
08:21 * mjt were reading scrollback... 08:21 -!- Diddi [n=diddi@colalapp.bsnet.se] has quit [Read error: 113 (No route to host)] 08:22 < c64zottel> mjt: i tried to port forward port 22 08:22 < mjt> note it's tcp not udp 08:22 < mjt> (jfyi) 08:22 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 08:23 < mjt> where your default route goes on this box? 08:23 -!- Diddi [n=diddi@colalapp.bsnet.se] has joined ##openvpn 08:23 < mjt> (i mean: might it be rp_filter?) 08:23 < mjt> or maybe some routing entry to that client IP... 08:24 < mjt> rp_filter works right between tcpdump (libpcap) and iptables `nat' and `filter' tables. Not sure about `mangle' table. 08:26 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 08:34 < c64zottel> i tried not that hard... 08:38 < mjt> bah 08:38 < c64zottel> i guess its better to try i different machine, but i have to eat first... 08:39 < c64zottel> dazo: mjt: thanks for the great help 08:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:04 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn 09:04 < Georgio> Hi can anyone help me with openvpn? 09:04 < Georgio> can i get help here or should i find a different channel? 09:06 < Georgio> I keep getting a "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain" 09:06 < dazo> Georgio: if you give more info .... 
some people here might jump up and volunteer in helping you out 09:06 < Georgio> can anyone help 09:06 < dazo> Georgio: see !logs and !configs 09:06 < dazo> !logs 09:06 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:06 < dazo> !configs 09:06 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:06 < Georgio> cool thanks dazo 09:06 < mjt> help. help! HELP! 09:06 < mjt> ;) 09:07 < dazo> Georgio: seems like mjt wants to help out ;-) 09:07 < mjt> i want to go really 09:07 < dazo> heh 09:07 < mjt> it's boring to stay in office 09:07 < Georgio> basically i have setup openvpn server on a ubuntu machine and am now trying to start the openvpn client (from windows) 09:07 < mjt> and i want to eat. 09:08 < Georgio> mjt 09:08 < Georgio> could you help 09:08 < Georgio> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain 09:08 < Georgio> what could the cause of this be 09:08 < dazo> Georgio: which version of openvpn are you using? 09:09 < Georgio> i copied the ca.crt, client.crt and client.key from the server 09:09 * mjt has no idea 09:09 < mjt> that's not my area 09:09 < dazo> Georgio: from that error ... you have some certificate issues .... where did you copy those files from? Did you generate them? 09:09 < Georgio> i generated them on the server 09:09 < Georgio> and then copied them over to the client 09:10 < dazo> Georgio: with easy-rsa? 09:10 < Georgio> OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008 09:10 < Georgio> Developed by James Yonan 09:10 < Georgio> Copyright (C) 2002-2005 OpenVPN Solutions LLC 09:10 < dazo> Georgio: and you get that error on the client or server? 09:10 < Georgio> client 09:11 < dazo> Georgio: okey ... 
first you need to upgrade to openvpn 2.1_rc15 .... the rc7 on ubuntu is veeeery troublesome 09:11 < mjt> they have rc11 packaged 09:11 < Georgio> i'm using openvpn client for windows 09:11 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.] 09:11 -!- onats__ is now known as onats 09:11 < dazo> Georgio: and in the client you should also go for the latest version .... it's a lot of small fixes which is included into RC15 09:12 < dazo> Georgio: yeah, but make sure you're running RC15 on both sides ... that'll take away some issues and possible issues 09:12 < Georgio> okay 09:12 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 09:13 < Georgio> Once i have upgraded... Do i need to copy the certificates from the ubuntu server to the windows machine? 09:14 < dazo> Georgio: the releases between rc7-rc11 came rapidly ... then it was a few months and then a race from rc11 to rc15, which I'm guessing most probably will be the final 2.1 release 09:14 < dazo> Georgio: nope ... not yet 09:14 < dazo> Georgio: but we might need to have a look unto how you created the certificates, they might have been created wrong in addition ... but since I know Ubuntu+rc7 is a tragedy, I want to have tried that upgrade first 09:15 < Georgio> cool 09:15 < Georgio> will try and upgrade it now 09:15 < dazo> Georgio: have fun :) .... And compiling from source, if that's needed, is not difficult at all with openvpn 09:16 < Georgio> I think i will have to compile from source 09:16 < Georgio> apt-get says i have the latest one. 09:16 < Georgio> should i remove my exisitng version of openvpn first? 09:24 < onats> how do you connect the pigtail antenna cable to a wifi card? push it in? 09:24 < dazo> Georgio: apt-get might say that ... but that do not mean that apt-get is right ;-) 09:24 < dazo> Georgio: you need to uninstall openvpn from apt-get .... 
and probably compile from source 09:24 < Georgio> cool 09:24 < Georgio> thanks 09:24 < dazo> Georgio: fetch the latest and greatest from http://openvpn.net/ 09:24 < dazo> np 09:24 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 09:25 < mjt> http://www.corpit.ru/debian/tls/openvpn/ will work on ubuntu too. 09:25 < vpnHelper> Title: Index of /debian/tls/openvpn (at www.corpit.ru) 09:25 < dazo> mjt: is that patched somehow? 09:26 < mjt> lemme look... 09:26 < dazo> just wondered about that ~rc15 .... that ~ makes me worried :-P 09:27 < mjt> it's now-standard debian thing 09:27 < dazo> as the official package name is openvpn-2.1_rc15 09:27 < mjt> yes 09:27 < mjt> but _ is forbidden in debian package names 09:27 < dazo> aha 09:27 < dazo> silly restriction :-P 09:27 < mjt> ~ sorts before all other chars, including "" (empty string" 09:28 < mjt> in debian version string anyway 09:28 < mjt> and the underscore (_) is used as delimiter between package name, version and architecture 09:28 < ecrist> morning, folks 09:28 < dazo> ecrist: morning! :) 09:28 < mjt> and nope, not much patches. 09:28 < mjt> hi ecrist 09:29 < mjt> i took rc11 from debian 09:29 < mjt> well, and removed some silly warnings 09:30 < mjt> (tzset-before-chroot still does not work - yet to figure what's wrong) 09:31 < dazo> mjt: Have you tried to send your patches upstream? 09:31 < krzee> folks!? 09:31 < krzee> ecrist must be sick 09:31 < mjt> hmm? 09:31 < mjt> dazo: it's on my todo list :) 09:31 < Georgio> dazo: i get this message when i try and build it 09:31 < Georgio> error: Failed build dependencies: 09:31 < Georgio> openssl-devel >= 0.9.6 is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> lzo-devel >= 1.07 is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> pam-devel is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> pkcs11-helper-devel is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> should i download each of those apps? 09:32 < Georgio> seperately? 09:32 < mjt> wtf is that?? 
09:32 < dazo> Georgio: those packages should be available in apt-get 09:32 < krzee> your package manager should 09:32 < dazo> Georgio: just take them from there ... and retry the compilation 09:32 < mjt> which repository it is? 09:33 < mjt> some ubuntu thing? 09:33 < dazo> Georgio: but I think I would recommend you the upstream version .... from http://openvpn.net/ .... just to be sure you are on the top level 09:33 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 09:33 < Georgio> i downloaded version 2.1 rc15 09:33 < mjt> rpm? 09:34 < Georgio> yes 09:34 < Georgio> rpm 09:34 < mjt> aha, makes sense ;) 09:34 < Georgio> what makes sense? 09:34 < mjt> i wondered where that funny package name come from... :) 09:34 < dazo> Georgio: http://www.openvpn.net/release/openvpn-2.1_rc15.tar.gz 09:34 < mjt> now it all clear. 09:35 < Georgio> i got that one 09:35 < dazo> Georgio: did you do rpmbuild then? That's not needed 09:35 < Georgio> and ran this command: rpmbuild -tb openvpn-2.1_rc15.tar.gz 09:35 < Georgio> oh 09:35 < dazo> Georgio: aha ... oki .. have you installed those missing packages? 09:35 < dazo> Georgio: you need them anyway .... and then you can do .... ./configure && make 09:36 < mjt> they're named differently on debian/ubuntu 09:36 < Georgio> couldn't be found in the apt-get 09:36 < mjt> first it's not -devel but -dev 09:36 < mjt> and second it's libpam0g-dev, not pam-dev etc. 09:36 < Georgio> right 09:36 < Georgio> ;-) sorry i'm new at this 09:37 < mjt> it's distro-specific things 09:37 < ecrist> krzee: not sick, just tired today. 
;) 09:37 < mjt> happens when you try to build rpm on dpkg-based distro 09:37 < Georgio> E: Couldn't find package openssl-dev 09:37 < mjt> libssl-dev 09:38 < Georgio> that seemed to work 09:38 < Georgio> right 23 megs downloading 09:40 < Georgio> rrr 09:40 < Georgio> still not working 09:40 < Georgio> rpmbuild -tb openvpn-2.1_rc15.tar.gz 09:40 < Georgio> error: Failed build dependencies: 09:40 < Georgio> openssl-devel >= 0.9.6 is needed by openvpn-2.1_rc15-1.i386 09:40 < Georgio> lzo-devel >= 1.07 is needed by openvpn-2.1_rc15-1.i386 09:40 < Georgio> pam-devel is needed by openvpn-2.1_rc15-1.i386 09:40 < Georgio> pkcs11-helper-devel is needed by openvpn-2.1_rc15-1.i386 09:42 < dazo> Georgio: try to search up openssl, lzo, pam and pkcs11 in synaptic (or whichever tool you prefer) ... and install the latest available development packages 09:42 < dazo> Georgio: and then you just need to unpack that tar-ball .... run ./configure inside it .... and the make command ..... and it will start compiling 09:43 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has joined ##openvpn 09:44 < miguelcma> hi. anyone knows why OpenVPN gives a segmentation fault on OpenWRT Kamikaze 8.09? 09:45 < dazo> miguelcma: ouch ... that's a tricky one .... how big filesystem do you have on that box? 09:45 < miguelcma> dazo: 512 MB 09:45 < dazo> miguelcma: flash? or HD? 09:45 < miguelcma> flash 09:46 < dazo> miguelcma: I see ... you could try to install gdb package .... ipkg tool, I believe .... or strace .... and run openvpn via those utilities 09:46 < mjt> is it a common prob - free-space-in-filesystem-related crashes? 09:46 < dazo> miguelcma: you might get a little hint then what goes wrong 09:47 < dazo> mjt: if the gdb package can fit ... you don't have to worry about core files 09:47 < miguelcma> what do you mean with gdb? debugging openvpn? 
09:47 < dazo> mjt: the default openwrt openvpn package do not need any extra space, as logging is disabled usually 09:48 < Georgio> dazo: i did the make 09:48 < Georgio> everything seemed okay 09:49 < Georgio> how can i check if it worked? 09:49 < dazo> Georgio: so now you have an openvpn binary in that directory? 09:49 < dazo> Georgio: ./openvpn --help 09:49 < Bushmills> Georgio, you dance around it and chant 09:49 < dazo> lol 09:49 < miguelcma> dazo: do you think the problem is my 512MB CFlash? 09:50 < Georgio> Bushmills 09:50 < dazo> miguelcma: no, not really ... gdb is just a utility for debugging programs 09:50 < Georgio> i'm dancing 09:50 < Georgio> seems like it worked 09:50 < dazo> Georgio: then you can do: sudo make install 09:50 < Bushmills> see, unconventinal measures often help 09:51 < Georgio> install or install-sh? 09:51 < dazo> Georgio: no .... sudo make install 09:51 < dazo> Georgio: just those 3 words 09:51 < miguelcma> ok, dazo, thanks for your help :) i'll try something 09:52 < Georgio> done 09:52 < dazo> miguelcma: you can try to do verb 6 or something ... log to stdout .... and maybe you get a clue 09:52 < dazo> Georgio: you have now installed openvpn from source ;-) 09:52 < dazo> Georgio: now start up your server with your config .... openvpn --config ..... and see how it worls 09:52 < dazo> works 09:53 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn 09:53 < Georgio_> sorry 09:54 < Georgio_> don't know what happened there 09:55 < dazo> Georgio_: something happened? 09:55 < miguelcma> dazo: openvpn --verb 6... nothing special :\ just the segmentation fault 09:55 < Georgio_> umm 09:56 < Georgio_> yes 09:56 < dazo> miguelcma: and that comes immediately? No log lines at all? 09:56 < Georgio_> hahaha not sure what though 09:56 < dazo> Georgio_: try connecting you client 09:56 < dazo> Georgio_: try connecting you _openvpn_ client, that is 09:56 < miguelcma> dazo: no, I get all the lines ok.. 
until the segmentation fault 09:56 < dazo> miguelcma: can you pastebin that log? 09:57 < Georgio_> if i type openvpn outside of that directory it gives me this message 09:57 < Georgio_> bash: /usr/sbin/openvpn: No such file or directory 09:58 < miguelcma> sure: http://pastebin.com/d7951d88b 09:58 < dazo> Georgio_: ahh ... it's probably under /usr/local/sbin/openvpn .... sorry, forgot to mention a little detail under configure 09:59 < dazo> Georgio_: but that's not so important .... close the shell and reopen it, and it'll work again 10:00 < Georgio_> i'm logged in via ssh 10:00 < Georgio_> i'll close the session 10:01 < Georgio_> and start it again 10:01 < Georgio_> or should i restart the server? 10:03 < Georgio_> okay openvpn is working 10:03 < Georgio_> how do i set it up? 10:03 < dazo> Georgio: it's enough to restart the session .... it's a hashing table in your shell which needs to be updated :) 10:03 < Georgio_> cool 10:03 < Georgio_> sorted 10:04 < dazo> Georgio: have you configured openvpn? 10:04 < Georgio_> no 10:04 < dazo> Georgio: aha ... I thought you said you had a config already earlier on .... you could use that as a starting point 10:05 < Georgio_> you said i'd need to look at how to create certificates 10:05 < Georgio_> the /etc/openvpn directory is still around 10:05 < Georgio_> with my previous setupo 10:05 < dazo> Georgio: that's the next thing .... first we will try to startup the server .... and you need to setup the server config and try starting openvpn with that .... then we'll look at the logs 10:05 < dazo> Georgio: I hoped for that ;-) 10:06 < miguelcma> dazo: http://pastebin.com/d7951d88b 10:06 < Georgio_> cool 10:06 < Georgio_> where is the new openvpn 10:06 < Georgio_> obviously under /usr/sbin/openvpn 10:07 < Georgio_> should i copy the config file there? 10:07 < dazo> Georgio: nope ... 
leave it where it is 10:07 < Georgio_> oh 10:07 < Georgio_> okay 10:07 < dazo> Georgio: we will use start openvpn like this: openvpn --config /etc/openvpn/server.conf .... or whatever is the right path for your config 10:07 < dazo> miguelcma: that's a hard nut 10:08 < dazo> miguelcma: is your openvpn box client or server? 10:08 < miguelcma> dazo: client 10:08 < miguelcma> dazo: i think it will be difficult to solve :\ i don't get any clue 10:08 < Georgio_> cool 10:08 < Georgio_> it seemed to work 10:10 < dazo> miguelcma: hmmm .... Nope, you would really need gdb on this one, to hopefully get a better clue .... or you could try to run ulimit -c 5242880 ... which might give you a core file which can be investigated on another box 10:11 < Georgio_> dazo: i run "openvpn --config /etc/openvpn/easy-rsa/openvpn.conf" it returned to the new line 10:11 < Georgio_> where to now? 10:11 < dazo> Georgio: that's expected as you probably have a line in the config saying: daemon 10:11 < dazo> Georgio: try to connect your client now 10:12 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)] 10:12 < miguelcma> dazo: ok, i'll try to investigate this issue. thanks for you time :) 10:12 < dazo> miguelcma: no prob! :) Hope you'll fix it soon! 10:12 < Georgio_> so i run /etc/init.d/openvpn start? 10:12 < miguelcma> thnks 10:12 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has quit ["Leaving"] 10:12 < dazo> Georgio_: do you still have that file there? 10:13 < dazo> Georgio_: that openvpn --config line which you ran, really started your openvpn server 10:13 < Georgio_> right 10:13 < Georgio_> that file was still there 10:13 < Georgio_> must i try start the client now? 10:13 -!- afonso [n=afonso@bl7-96-151.dsl.telepac.pt] has joined ##openvpn 10:14 < dazo> Georgio_: yeah ... 
that's what I've been trying to say now 3 times ;-) 10:14 < Georgio_> sorry 10:14 < Georgio_> i thought i'd have to build the certificates or something 10:15 < dazo> Georgio_: we will see that now soon 10:15 < Georgio_> i will install the client on windows now 10:15 < Georgio_> might take a while 10:16 < dazo> Georgio_: sure ... If I'm not here when you're back, others here might take over 10:16 < Georgio_> okay 10:17 < Georgio_> thanks 10:17 < dazo> Georgio_: np! 10:18 * mjt is back and is reading the scrollback... 10:20 < mjt> yay. 10:20 < mjt> and i'm going home, finally. Oh well, it was a stoooopid day. Monday, as usual ;) 10:22 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 10:28 < Georgio_> okay dzo 10:28 < Georgio_> i ran the client 10:29 < Georgio_> i get a warning and an error 10:29 < Georgio_> do you want them? 10:29 < Georgio_> WARNING: No server certificate verification method has been enabled 10:30 < Georgio_> NOTE: OPenVPN 2.1 requires '--script-security 2' or higher 10:31 < Georgio_> right i copied the same certificate files back 10:32 < Georgio_> and i'm getting the same error i was getting with the previous version 10:34 < Georgio_> It looks like this:::: 10:34 < Georgio_> Mon Mar 30 17:32:40 2009 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008 10:34 < Georgio_> Mon Mar 30 17:32:40 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
10:34 < Georgio_> Mon Mar 30 17:32:40 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 10:34 < Georgio_> Mon Mar 30 17:32:40 2009 LZO compression initialized 10:34 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit [Excess Flood] 10:34 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 10:34 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn 10:35 < Georgio> sorry i pasted more than 5 lines 10:35 < Georgio> can anyone help me? 10:39 < dazo> Georgio: time to paste config files :) 10:39 < dazo> !configs 10:39 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:39 < dazo> !pastebin 10:39 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:40 < Georgio> ??? 10:40 < Georgio> dazo: which config file would you like to see? 10:40 < dazo> Georgio: openvpn server and client configs 10:41 < Georgio> dazo: can i paste it in a private message? 10:41 < Georgio> dazo: otherwise i will get booted again 10:41 < dazo> Georgio: pastebin please .... quicker and easier 10:41 < Georgio> right 10:44 < Georgio> :-D how do i pastebin 10:44 < Georgio> to pastebin.ca? 10:44 < krzee> !pastebin 10:44 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:45 < krzee> oops, didnt see dazo said that 10:45 < krzee> <--- serious hangover, gunna be 1/2 retarded today 10:45 < dazo> krzee: I was about to answer the same any way ;-) 10:45 < Georgio> 403 -forbidden??? 10:45 < dazo> uhh? 
10:45 < krzee> !google pastebin 10:45 < vpnHelper> krzee: pastebin - collaborative debugging tool: ; pastebin - Wikipedia, the free encyclopedia: ; Nopaste: 10:46 < Georgio> http://pastebin.com/d71361309 10:46 < Georgio> that is the server config file 10:46 < Georgio> http://pastebin.com/d7de58d0a 10:46 < Georgio> that is the client config 10:46 < dazo> Georgio: can you also pastebin /var/log/openvpn/openvpn.log from the server? 10:47 < krzee> at verb 6 10:47 < krzee> also 10:47 < krzee> !ipp 10:47 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 10:54 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has joined ##openvpn 10:54 < miguelcma> dazo: hi again. I've found the problem! I forgot the dh.pem file 10:55 < dazo> miguelcma: uhh ... and that causes segfault? that's nasty 10:55 < dazo> miguelcma: congrats! 10:55 < miguelcma> yup. it's strange. but is working now :) 10:56 < miguelcma> thnaks again for your time 10:57 < dazo> miguelcma: no prob! Nice to know about this one actually 10:57 < dazo> miguelcma: which openvpn version was this? 10:57 * dazo will consider to have a look at the source 10:57 < miguelcma> OpenVPN 2.0.9 i386-linux [SSL] built on Feb 8 2009 10:58 < miguelcma> running on OpenWrt Kamikaze 8.09 10:58 -!- SuperEvilDeath16 [n=death@212.206.209.177] has quit [Success] 10:59 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has quit ["Leaving"] 11:00 < Georgio> Sorry dazo this file is huge 11:00 < Georgio> just adding the end of it 11:00 < dazo> Georgio: ah ... okey ... delete it ... 
and restart openvpn and send that log 11:00 < miguelcma> this silent segmentation caused by dh.pem is an known issue? it can be an openwrt specific issue 11:01 < Georgio> http://pastebin.com/d5864d2d 11:02 < Georgio> there is the last one 11:02 < Georgio> that is the end of log file 11:02 < krzee> miguelcma, never heard anything about it 11:03 < krzee> and dh is not a mandatory feature 11:03 < krzee> (its a good idea, but plenty of openvpn users go without it) 11:04 < miguelcma> hum.. should i report a bug on your tracker? 11:05 < krzee> no, you arent using the most up to date version 11:05 < krzee> so its pointless 11:05 < krzee> 2.1 rc15 is the up to date version 11:05 < krzee> 2.0.9 is 4+ yrs old 11:05 < miguelcma> ouch.. 4 years is a lot 11:06 < miguelcma> i'm using this one because it was the openwrt buildroot default 11:06 -!- ikla [n=lbz@fw1.aspsys.com] has joined ##openvpn 11:07 < dazo> miguelcma: that's what I'm not sure about .... 11:07 < dazo> miguelcma: that's why I'm wondering about openvpn version 11:07 < dazo> Georgio: thanks! I'll have a look at it soon 11:07 < Georgio> great thank you dazo! 11:15 < Georgio> hey Dazo 11:15 < Georgio> have you managed to have a look 11:15 < Georgio> sorry if i'm pestering 11:15 < dazo> Georgio: I'm looking at your log 11:15 < Georgio> thanks 11:15 < miguelcma> hope no one asks for this segmentation fault 11:16 < miguelcma> bye. thanks again 11:16 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has quit ["Leaving"] 11:16 < dazo> Georgio: it do not give enough info :( ... But that's changeable :) 11:16 < Georgio> good grief okat 11:17 < Georgio> what do you need me to do? 11:17 < dazo> Georgio: can you please change the server config a little bit? ... stop the openvpn process ... delete the old log file ... edit the config, on line 26 you have verb4 ... 
increase that to verb 5 11:18 < dazo> and then start openvpn again 11:19 < Georgio> how do i stop the opwnvpn 11:20 < dazo> killall openvpn 11:20 < Georgio> ps -ef 11:20 < krzee> ps auxw|grep openvpn 11:20 < Georgio> didn't show openvpn running 11:20 < Georgio> weird 11:20 < krzee> kill -9 11:20 < dazo> Georgio: since we started it manually, we'll need to stop it like this 11:21 < Georgio> openvpn: no process killed 11:21 < dazo> krzee: kill -9 ... it too much at the beginning .... kill -TERM is usually enough 11:21 < dazo> Georgio: ps axuw| grep openvpn .... does that give you anything? 11:21 < krzee> kill -9 `ps auxw|grep openvpn|awk '{print $2}'` 11:21 < krzee> hehe 11:22 < Georgio> root 7134 0.0 0.0 3004 764 pts/0 S+ 18:37 0:00 grep openvpn 11:22 < krzee> dazo, cool... i always -9 stuff 11:22 < krzee> Georgio might not be starting it in daemon mode 11:22 < krzee> (i didnt look at his confs) 11:23 < dazo> krzee: -9 == -KILL .... which is the most nasty way to stop a process, the process have no chance to shutdown properly ... while -TERM will allow it to do a graceful shutdown 11:23 -!- Diddi [n=diddi@colalapp.bsnet.se] has quit [Read error: 113 (No route to host)] 11:23 < krzee> graceful smasheful 11:23 < krzee> i kill like a barbarian! 11:23 < dazo> krzee: I've noticed :-P 11:23 < krzee> lol 11:23 < dazo> TERM = -15 11:23 < krzee> i club the process until it submits 11:24 < dazo> krzee: until it comes sneaking out of the ethernet? 11:24 < krzee> i dont even kill it til its already begging for it 11:24 < krzee> leaking memory and stuff 11:24 < krzee> then i kill -9 11:25 < dazo> krzee: in emergency situation that's needed ..... sounds like apache processes though :-P 11:26 < dazo> krzee: my normal routine it kill -15 / -TERM .... kill -3 / -QUIT .... and then kill -9 / -KILL .... 
but I've began to use the kill names, because I mixed some of the numbers a couple of times :-P 11:26 < krzee> (or windows, lol) 11:27 < dazo> krzee: Reminds me of an old Windows joke ..... "How to execute Windows? format c:" 11:27 < krzee> hahah 11:27 < Georgio> hmm 11:27 < Georgio> i don't think openvpn was running 11:27 < krzee> no kidding 11:28 < dazo> Georgio: then we're unto something 11:28 < dazo> Georgio: okey ... then, lets make sure we have absolutely controll 11:28 < Georgio> i am root 11:28 < dazo> Georgio: in the config .... hash out the "daemon" sentence .... #daemon 11:28 < Georgio> okay 11:29 < dazo> Georgio: and do the same with the log-append sentence .... now we will get all logging to screen 11:29 < dazo> line 24 - log-append 11:29 < dazo> 25 11:29 < Georgio> done 11:29 < Georgio> now? 11:30 < dazo> Georgio: good! then lets start openvpn: openvpn --config 11:30 < dazo> Georgio: and it should now print a lot of stuff to the screen .... I want that stuff .... especially after you try to connect from your windows client 11:31 < Georgio> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/easy-rsa/openvpn.conf:17: comp-lzo (2.1_rc15) 11:31 < krzee> not compiled with comp-lzo 11:31 < Georgio> i had to compile openvpn with lzo disabled 11:31 < Georgio> yes 11:31 < Georgio> there was an error on lzo 11:31 < krzee> if you know that, you should know to comment that from both configs 11:31 < dazo> Georgio: okey .... hash out that line as well 11:33 < Georgio> http://pastebin.com/d4b9efeb4 11:33 < Georgio> output\ 11:35 * dazo looks 11:36 < dazo> Georgio: if you look at line 26 ......... 11:36 < Georgio> yes 11:36 < dazo> Cannot open /etc/openvpn/dh1024.pem 11:36 < Georgio> right 11:37 < Georgio> will look at this 11:37 < dazo> where do you have that file? 
you need to fix that 11:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:39 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:41 < Georgio> Sorry that was a stupid mistake 11:41 < Georgio> check the output file now :http://pastebin.com/db5a5ed1 11:42 < dazo> Georgio: this seems more reasonable .... can you try to connect your client? 11:42 < Georgio> looks better 11:42 < dazo> sure does! Now openvpn is actually running ;-) 11:42 < Georgio> hahah 11:43 < Georgio> Here is the output: http://pastebin.com/d3995509e 11:45 < dazo> Georgio: was this the output from the client? 11:45 < Georgio> yes 11:47 < dazo> Georgio: okey ... lets do some config changes on the client as well 11:47 < Georgio> cool 11:47 < Georgio> what must i change 11:47 < dazo> comp-lzo is disabled on the server, so we must disable it on the client as well 11:48 < dazo> increase verb to 5 there as well 11:48 < Georgio> okay should i send you the output? 11:49 < dazo> Georgio: please do 11:49 < Georgio> http://pastebin.com/d5ac60a99 11:50 < dazo> Georgio: how is it with the firewall settings on your server? Have you opened up for openvpn? udp port 1194 11:50 < Georgio> will check 11:52 < Georgio> just trying to see 11:56 < Georgio> okay it seems the port is open 11:57 < dazo> Georgio: when you have sorted out the firewall ... you would see that the openvpn server process would begin to write things unto the screen on client connects 11:57 < dazo> Georgio: so unless nothing happes here, just the same openvpn screen ... you do not manage to get a connection through 11:57 < Georgio> the server seems to be doing nothing 11:58 < Georgio> would the only reason for this be the firewall? 11:58 * ecrist points to channel topic. 11:58 < dazo> Georgio: usually that's the case yes 11:58 < ecrist> Georgio: turn of your firewall. if it starts working, you've found your problem. 
11:59 < Georgio> firewall is completely off 11:59 < Georgio> no luck 11:59 < Georgio> the server is on my local network 12:00 < Georgio> just for testing now 12:00 < dazo> Georgio: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT ; iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X .... that would cleaup and open it completely up 12:01 < dazo> I missed one ... iptables -t -P POSTROUTING 12:01 < Georgio> where do i put this? 12:01 < dazo> I missed one ... iptables -t -P POSTROUTING ACCEPT 12:01 < dazo> run them in a root shell 12:01 < Georgio> would this affect security? 12:01 < dazo> Georgio: make sure you run the -P ones first 12:02 < dazo> Georgio: yeah, it turns off firewalling, until you reload your firewall rules again 12:03 < Georgio> nervous to turn my server firewall off 12:03 < Georgio> how do i turn it all back on? 12:03 < dazo> Georgio: you can make a backup 12:03 < dazo> iptables-save > fw-backup.ipt 12:04 < dazo> Georgio: and to restore it .... iptables-restore < fw-backup.ipt 12:06 < Georgio> what is the opposite of accept? decline? 12:07 < Georgio> as decline didn't work 12:07 < dazo> DROP or REJECT 12:07 < dazo> Georgio: but ... you are closing the firewall again? 12:07 < dazo> Georgio: did you run a test with it completely open? 12:08 < Georgio> postrouting says bad argument 12:09 < Georgio> i tried it with all the other options and still didn't work 12:09 < dazo> Georgio: ahh .... I see something is missing 12:09 < Georgio> okay 12:09 < dazo> sorry! iptables -t nat -P POSTROUTING ACCEPT 12:09 < dazo> forgot 'nat' 12:10 < Georgio> still no luck 12:10 < dazo> show me your cmd line 12:10 < Georgio> server cmd line?\ 12:10 < dazo> which fails ... or you meant connecting still failed? 12:11 < Georgio> connection still failing 12:11 < dazo> Georgio: okey ... please do iptables-save ... 
and pastbin the result 12:12 < Georgio> http://pastebin.com/d7f7bfe09 12:13 < dazo> please check that the port numbers are identical in server and client configs .... your fw is open now 12:13 < dazo> please check that IP addresses are correct as well 12:14 < Georgio> yes it the same ports. 12:14 < Georgio> and the same ip addresses. 12:14 < dazo> and the remote statement is the ip address of the server? 12:14 < Georgio> yes 12:14 < dazo> Georgio: is openvpn running on bare metal or in a virtual machine? 12:15 < Georgio> bare metal 12:15 < dazo> okey ... time to dig up tcpdump 12:15 < dazo> install that if it's not available 12:15 < dazo> and run tcpdump -n -i 12:16 < dazo> and see if something happens here when you try to connect from the client 12:16 < Georgio> 19:31:59.658074 IP 192.168.1.98.1808 > 192.168.1.1.22: . ack 3713296 win 64351 12:16 < Georgio> 19:31:59.658081 IP 192.168.1.1.22 > 192.168.1.98.1808: P 3718184:3718412(228) ack 16485 win 18224 12:16 < Georgio> 19:31:59.658104 IP 192.168.1.1.22 > 192.168.1.98.1808: P 3718412:3718560(148) ack 16485 win 18224 12:17 < Georgio> that is the repetitive 3 line output 12:17 < dazo> .98 is your client .... and .22 is your server? 12:17 < Georgio> .98 is my client 12:17 < dazo> heh 12:17 < Georgio> .1 should be the server 12:17 < dazo> my fault 12:17 < dazo> tcpdump -n -i port ! 22 12:17 < dazo> you say ssh traffic 12:17 < dazo> saw 12:18 < Georgio> tcpdump -n -i eth0 port ! 22 12:18 < Georgio> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 12:18 < Georgio> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes 12:18 < dazo> and complete silence? 
12:18 < Georgio> 19:33:26.738078 IP 192.168.1.98.3620 > 192.168.1.1.1194: UDP, length 14
12:18 < Georgio> 19:33:26.738167 IP 192.168.1.1 > 192.168.1.98: ICMP 192.168.1.1 udp port 1194 unreachable, length 50
12:18 < Georgio> 19:33:28.772731 arp who-has 192.168.1.67 tell 192.168.1.5
12:19 < dazo> Georgio: is openvpn running on the server?
12:19 < dazo> silly question, I know ..... but need to be sure
12:19 < Georgio> no as it wasn't running as daemon
12:19 < Georgio> SORRY
12:19 < dazo> Georgio: it may run in a console .... that's fine ... as long as it's running
12:19 < Georgio> let me get it running and then check that output
12:20 < dazo> Georgio: it's just good to have it visible in another console now .... then you see if it connects or not
12:22 < Georgio> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
12:22 < Georgio> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:22 < Georgio> 19:37:16.966303 IP 192.168.1.98.3629 > 192.168.1.1.1194: UDP, length 14
12:22 < Georgio> 19:37:16.966365 IP 192.168.1.1 > 192.168.1.98: ICMP 192.168.1.1 udp port 1194 unreachable, length 50
12:23 < dazo> Georgio: I have no idea what's blocking you on your server .... but something is surely blocking you
12:23 < Georgio> right
12:23 < dazo> Georgio: you need to figure out what blocks you .... when that's done ..... you might see things working again
12:24 < Georgio> okay
12:24 < dazo> Georgio: or at least, when you get a connection through, we can play further with your config
12:24 < Georgio> okay
12:24 -!- afonso is now known as afonso|away
12:24 < Georgio> might you be on the forum tomorrow?
12:25 < dazo> Georgio: I might be .... but it's my working hours, so I might be more busy ... I have several meetings tomorrow .... but there are others here who might be helpful as well
12:25 < Georgio> thank you thank you thank you dazo
12:25 < Georgio> you are a legend...
12:25 < dazo> Georgio: you're welcome!
12:25 < dazo> Georgio: oh no .... far from that ;-)
12:26 < Georgio> i really appreciate all your help
12:26 < Georgio> if i could by you a beer i would
12:26 < Georgio> (b)
12:29 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit ["If at first you don't succeed, skydiving is not for you"]
12:32 < krzee> he wouldnt buy you one
12:32 < krzee> but he'ld by you one
12:32 < krzee> ;]
12:34 < dazo> heh .... maybe he saw his empty wallet :-P
12:36 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
12:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:56 < reiffert> moin
12:56 < reiffert> dazo: did you get c64's stuff running?
12:57 < dazo> reiffert: I withdrew from the discussion after mjt entered into it .... not sure how it ended
12:57 < reiffert> 15:38 < c64zottel> i guess its better to try i different machine, but i have to eat first...
12:57 < dazo> reiffert: didn't have time to check my logs, so I didn't see if Flumdahls experiences ..... oh ... good, probably a good attempt
12:59 < dazo> reiffert: it's pretty strange case ... tcpdump/tshark catches the packet in the interface ... but it never reached netfilter log .... so somewhere those packages got lost ....
13:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
13:23 -!- sunga [n=naft@77.109.122.179] has joined ##openvpn
13:23 < sunga> good evening
13:24 < ecrist> howdy
13:25 < sunga> a quick and simple question: I want to set up openvpn this evening but I cant afford to lose any wan connectivity nor reboot...is this possible?
13:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
13:33 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
13:41 < reiffert> dazo: well, he didnt tell us anything about where he actually is doing stuff, either on guest or host OS.
13:42 < dazo> reiffert: I got the impression it was inside a guest os ... but true, it was not explicit
13:45 < Bushmills> sunga, yes, possible
13:45 < sunga> ok then im going to take a shot
13:46 < Bushmills> sunga, stick to the howto, don't set up bridging config, and things should be fine
13:47 < sunga> im having the install menu right in front of menu
13:47 < sunga> of me*
13:47 * Bushmills can't remember any install menu
13:47 < sunga> I should select all things at the choose components window I presume?
13:47 < Bushmills> is that windows?
13:48 < sunga> like TAP virtual adaptor etc
13:48 < Bushmills> no tap. tun you want
13:48 < Bushmills> but if you install on windows, my suggestions may be ill-advised
13:49 < sunga> it is windows yes
13:49 * Bushmills knows about windows about as much as an innuit of sun screen factor
13:49 < sunga> hahaha
13:49 < sunga> ok then ill get to the howto
13:49 < sunga> !howto
13:49 < vpnHelper> sunga: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:50 < sunga> it doesnt say anything about that adaptor
13:50 < sunga> but I think a virtual one is quite handy for e.g. firewalling purposes
13:50 < sunga> so Ill just select all and carry one
13:50 < sunga> on
13:51 < mjt> where by default configs stored on windows? ProgramFiles\OpenVPN\{...} -- what's in {...} ?
13:54 < sunga> btw Bushmills I should use routing instead of bridging? I dont need to share samba over vpn
13:54 < sunga> nor play games or so
13:54 < Bushmills> sunga, yes, routing, definitely
13:54 < ecrist> mjt: what are you talking about?
13:55 < mjt> about location of configs?
13:56 < sunga> ok thanks
13:56 < sunga> seems like the installer is hanging or so :/
13:57 < ecrist> mjt: configs
13:57 < ecrist> or just config, can't remember
13:58 < mjt> got it. OpenVPN\config\
13:58 < mjt> i don't have windows handy and am writing a small instruction for my colleague
14:05 < reiffert> Bushmills: no tun on windows.
14:05 < reiffert> Bushmills: tap adapter handles it on win
14:06 < reiffert> Bushmills: I was just licking at one of my fingers ...
14:07 < reiffert> Bushmills: 10 minutes before I was using them to handle a bunch of dry chilis for making chili powder...
14:07 < reiffert> Bushmills: yam yam
14:07 < Bushmills> try to stick it in your nose :)
14:08 < sunga> ok tried again openvpn is nog installed
14:08 < Bushmills> greek chilies?
14:08 < sunga> lets continue with reading the howto
14:08 < reiffert> Bushmills: I now _know_ what your father meant by "dont open the powder-maker inside a room"
14:09 < Bushmills> hehe
14:09 < reiffert> Bushmills: My nose already is free now
14:09 < reiffert> yeah, the greek chilies from croatia
14:09 < Bushmills> how do they compare in terms of spicyness to the powdered ones you had before?
14:10 < reiffert> the bigger ones all were containing mold, the smaller ones have been ok
14:10 < reiffert> Very spicy I guess from licking my fingers, but I didnt try them yet..
14:11 < Bushmills> try to dry the bigger ones in a dehydrator next time
14:11 < reiffert> Mildew
14:11 < reiffert> yeah, window-bar or something .. next time
14:12 < Bushmills> in two years there'll probably be weapons-grade ground chili
14:13 < reiffert> :)
14:13 < reiffert> Might be effective on close distance combats, like streets and houses
14:14 < Bushmills> when the postpones dorset naga came through
14:14 < Bushmills> postponed
14:14 < Bushmills> and i know who has such a dehydrator... the same folks there the spice grinder came from.
14:14 < Bushmills> where ..
14:15 < reiffert> dorset naga?
14:15 < sunga> ok after install I think the first thing that I should do is setting up the PKI?
14:15 < sunga> as in, generating certificates
14:15 < reiffert> ah
14:15 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: xor|, krzee, pa, huslu_, damentz, Solver, worch, stephenh
14:15 < reiffert> sunga: when the howto says so .. yes
14:15 < Bushmills> rumoured to be originally developed by thai army
14:15 < reiffert> if not, then continue whatever the howto proposes
14:16 -!- Netsplit over, joins: krzee, huslu_, Solver, damentz, stephenh, xor|, pa, worch
14:16 < reiffert> http://reallycoolseeds.co.uk/shop/catalog/product_info.php?products_id=29&osCsid=a956dd2abb165611a090d1bf18dbd660
14:16 < vpnHelper> Title: Really Cool Seeds (at reallycoolseeds.co.uk)
14:16 < reiffert> Approx number of seed per pack: 20
14:16 < reiffert> 6 Pound
14:17 < reiffert> ritish
14:17 < sunga> ok reiffert
14:17 < Bushmills> seen them for about 4 quid (around 5 E)
14:20 < Bushmills> i suppose the advice then will not be "don't open grinder in room" but "don't open it in the same town" :D
14:22 < reiffert> hehe
14:22 < reiffert> wear a mask
14:25 < reiffert> 21:24 [freenode] freenode-connect [freenode@freenode/bot/connect] requested CTCP VERSION from reiffert:
14:25 < reiffert> ?
14:25 < reiffert> did I say FBI triggerable words?
14:25 < reiffert> Like C4, Bomb, Clinton?
14:29 -!- afonso|away is now known as afonso
14:30 < reiffert> What do you think about the german big mobile phone provider's thought of preventing VOIP and Skype for Mobile Internet Connections?
14:30 < reiffert> T-Online that is
14:30 < sunga> sucks
14:30 < sunga> but makes sense for them
14:30 < sunga> its all about the profits
14:32 < reiffert> It's preventing technical progress I think.
14:35 < Bushmills> try one of these: http://forthfreak.net/echelon
14:35 < Bushmills> though it might need some updating
14:36 < Bushmills> doesn't even mention "Osama"
14:37 < reiffert> I'd add M4.
14:37 < reiffert> the M16 is somewhat old
14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:44 -!- znh [n=hans@unaffiliated/znh] has joined ##openvpn
14:44 < znh> Good day!
14:45 < znh> I successfully managed to get an OpenVPN server up and running. I however accidentally lost the client's key. how does one generate a client certificate and private key?
14:56 < sunga> should be in the howto
14:56 < sunga> !howto
14:56 < vpnHelper> sunga: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:58 < znh> Yes but this howto assumes to follow all steps
14:58 < znh> I copied the keys to different directories.. so the howto doesn't match no more
15:00 < mjt> so correct the howto to match your config
15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
15:13 < ecrist> bitches ain't shit but hos and tricks, so lick on these nuts and suck a dick. get the fuck out after you're done...
15:14 < reiffert> "hos and tricks"?
15:15 -!- afonso is now known as afonso|away
15:17 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
15:22 < Bushmills> znh, what did you learn from that experience?
15:23 < znh> The hos and tricks experience? Well.. It was awesome
15:23 < Bushmills> the "accidentally losing things" experience
15:23 < znh> It sucked. Why?
15:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:24 < Bushmills> znh, some learn that it may be beneficial to take steps which help to prevent those accidents
15:24 < znh> that's a nice way of putting that
15:26 < znh> Actually I took measurements to avoid that situation. They however, failed.
15:26 < Bushmills> well, nobody is perfect.
15:26 < znh> I disagree.
15:26 < Bushmills> here's your chance to try again
15:27 < znh> Certainly.
15:36 -!- afonso|away is now known as afonso
16:04 -!- znh [n=hans@unaffiliated/znh] has quit [Remote closed the connection]
16:13 < ecrist> reiffert: http://www.azlyrics.com/lyrics/drdre/bitchesaintshit.html
16:13 < vpnHelper> Title: DR DRE LYRICS - Bitches Ain't Shit (at www.azlyrics.com)
17:03 < Bushmills> mask
17:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
17:44 < ecrist> what?
19:11 -!- afonso is now known as afonso|away
19:30 -!- afonso|away is now known as afonso
20:02 < krzie> bleh
20:03 < krzie> my laptop socks app musta crashed
20:11 -!- belZe [i=noone@p5091CCF4.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
20:11 -!- belZe [i=noone@p5091CC0A.dip.t-dialin.net] has joined ##openvpn
20:46 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
20:48 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
21:15 -!- afonso [n=afonso@bl7-96-151.dsl.telepac.pt] has quit []
21:21 < onats1> howdy
21:21 * onats1 is still dizzy
21:25 < krzie> wassup
21:25 < krzie> why dizzy?
21:35 < onats1> too much to drink:|
21:36 < krzie> haha
21:46 < dan__t> Hi.
21:46 < krzie> doesnt anyone need help? im bored
21:46 < dan__t> I do.
21:46 < dan__t> You familiar with openssl.cnf?
21:46 < krzie> lol that was easy
21:46 < krzie> not overly, but somewhat
21:47 < krzie> whats your question?
21:47 < dan__t> As I understand, you need to reference it when using the openssl utility, right?
21:47 < krzie> if its not where expected...
21:47 < dan__t> so I set values in openssl.conf, yet I'm prompted for those values when using the openssl utility.
21:47 < dan__t> I'm expecting to see like a "provided" keyword or something.
21:48 < krzie> when prompted are they the default (shown to you when prompted)?
21:48 < onats1> krzie, me, i need help
21:49 < dan__t> Yes, they are the values which I have defined through env vars.
21:49 < onats1> do you have a sample file for ifconfig-pool-persist
21:49 < onats1> ?
21:49 < krzie> onats1, openvpn makes that file itself
21:49 < krzie> !ipp
21:49 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
21:49 < krzie> dan__t thats what should be
21:50 < dan__t> I don't want to be prompted for it.
21:50 < krzie> dan__t, is something not working as expected?
21:50 < krzie> oh you building an automated tool?
21:50 < dan__t> Its working as expected. I simply don't want to be prompted for these values, when the defaults are clearly correct and present.
21:50 < dan__t> Well, thinking about it.
21:51 < onats1> !iporder
21:51 < vpnHelper> onats1: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
21:51 < onats1> !static
21:51 < vpnHelper> onats1: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
21:51 < krzie> dan__t, im not sure how to turn that off
21:52 < dan__t> Ok, so, when you asked if I had a question, that was it.
21:53 < krzie> i just looked in openssl manpage and it doesnt have like --silent or anything
21:53 < dan__t> Yeah, I didn't see that either.
21:57 < krzie> but that manpage doesnt even contain the string config
21:57 < krzie> so theres gotta be better docs
21:57 < dan__t> prompt = no
21:57 < dan__t> per openssl.cnf
21:57 < dan__t> I believe...
21:57 < dan__t> The manpage is pretty shitty.
21:57 < dan__t> it references all the sub-commands as individual man pages.
21:59 < krzie> ya prompt=no
21:59 < krzie> http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html
21:59 < vpnHelper> Title: Re: Automating Openssl commands (at www.mail-archive.com)
22:00 < dan__t> its part of 'man req'
22:00 < krzie> weak
22:00 < krzie> should be a single, but large, comprehensive manpage
22:00 < krzie> imho
22:00 < dan__t> indeed.
22:04 < dan__t> 4691:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
22:04 < dan__t> Bullshit.
22:04 < dan__t> KEY_COUNTRY is two characters long.
22:05 < krzie> aye
22:06 < krzie> everytime i tried to use USA i was reminded of that
22:06 < dan__t> I'm using "US"
22:06 < krzie> btw you ever check out ssl-admin?
22:06 < krzie> its pretty lazy
22:06 < krzie> and will package up your client stuff into a zip for ya
22:06 < dan__t> no, i'll check it out
22:07 < krzie> (assuming you gave it a sample openvpn config)
22:07 < krzie> !ssl-admin
22:07 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
22:07 < krzie> coded by ecrist =]
22:08 < krzie> !learn static as also see !ccd
22:08 < vpnHelper> krzie: Joo got it.
22:09 < dan__t> haha god damnit
22:09 < dan__t> then why the f am i wasting my time on this.
22:09 < dan__t> that's exactly what i was looking for like two weeks ago.
22:09 < krzie> !learn quietopenssl as see http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html and read 'man req' to see how to make openssl not prompt you
22:09 < vpnHelper> krzie: Joo got it.
22:10 < krzie> !learn quietopenssl as also see !ssl-admin for a sweet tool for managing your certs
22:10 < vpnHelper> krzie: Joo got it.
22:10 < krzie> hehe glad to help =]
22:11 < onats1> hey what's this?!?!
22:11 < onats1> certificate management?
22:13 < krzie> yup
22:13 < krzie> !ssl-admin
22:13 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
22:19 < dan__t> thank yo
22:19 < dan__t> you
22:19 < dan__t> so the CRL URI/URL, i can just serve that up unprotected, right
22:19 < krzie> yup
22:19 < krzie> doesnt matter who sees it in my opinion
22:20 < krzie> all they could know is which certs cant connect
22:20 < dan__t> yeah.
22:24 < dan__t> Man what a bad-ass utility.
22:24 < dan__t> That's perfect.
22:24 < krzie> i agree
22:24 < krzie> hey does it build dh keys good for you?
22:24 < dan__t> hmmm
22:25 < dan__t> yeah there's an option
22:25 < dan__t> I don't quite understand the significance of the DH params
22:25 < krzie> right, use it pls
22:25 < dan__t> Can you elaborate?
22:25 < krzie> !dh
22:25 < vpnHelper> krzie: Error: "dh" is not a valid command.
22:25 < krzie> hrms
22:25 < krzie> basically its a random seed
22:25 < krzie> !security
22:25 < vpnHelper> krzie: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
22:25 < dan__t> yeah
22:25 < krzie> 1sec
22:25 < dan__t> sure.
22:26 < krzie> oh hey does ssl-admin offer to build a TLS static key?
22:27 < dan__t> not that far yet.
22:27 < krzie> i wanna find a simple explanation
22:27 < krzie> for my bot
22:39 < krzie> !learn dh as build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
22:39 < vpnHelper> krzie: Joo got it.
22:48 < krzie> there ya go
22:48 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has quit [Remote closed the connection]
22:51 < krzie> that simple but effective as an answer?
22:54 < krzie> damn now i see why so many people think they want bridging
22:54 < krzie> all walkthroughs seem to have briding
22:54 < krzie> bridging
22:56 < krzie> welp, ill bbl =]
22:56 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
22:56 < lolipop> !route
22:56 < vpnHelper> lolipop: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:00 < dan__t> hrm, wondering if there's a way to throw command-line arguments at ssl-admin
23:00 < dan__t> ecrist, thank you, bw.
23:00 < dan__t> btw, too.
23:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
23:59 -!- Skered [n=dereks@c-71-60-49-148.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Tue Mar 31 2009
00:19 < dan__t> Hi.
00:47 -!- onats1 is now known as onats
00:47 < onats> Hi
00:48 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
01:10 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
01:31 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
01:42 -!- Skered [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has joined ##openvpn
02:37 < kraut> moin
02:51 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has joined ##openvpn
02:52 -!- Skered [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
02:52 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has quit [SendQ exceeded]
02:52 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has joined ##openvpn
02:52 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has quit [Remote closed the connection]
03:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:12 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:43 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
03:51 -!- nemysis [n=nemysis@226-12.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
03:52 -!- nemysis [n=nemysis@61-28.107-92.cust.bluewin.ch] has joined ##openvpn
04:37 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn
04:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:41 < Georgio> Hello all. Could someone please help me. I have an internal server that has all our work files, etc. we are running a samba server, as all the other office machines run off windows (i know, boo). I want to get openvpn to tunnel from our public ip 41.240.0.0 to our internal server ip 192.168.1.1. How do i do this?
04:43 < dazo> Georgio: have a look at !route
04:43 < dazo> !route
04:43 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:44 < reiffert> did anyone play with http://labs.mozilla.com/projects/ubiquity/ yet?
04:44 < vpnHelper> Title: Mozilla Labs Ubiquity (at labs.mozilla.com)
04:46 < Georgio> anyone :-)
04:48 < Georgio> in the config file?
04:52 < dazo> reiffert: that looks neat!
05:00 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
05:14 < onats> what is this? in a nutshell?
05:16 -!- dli__ [n=dli@adsl-75-22-17-129.dsl.chcgil.sbcglobal.net] has left ##openvpn ["Leaving"]
05:18 < Georgio> dazo i'm so lost with that document
05:18 < dazo> Georgio: hmmm .... where do you get lost?
05:20 < Georgio> the server on the lan has an ip of 192.168.1.1. The public ip is 41.240.0.0
05:22 < dazo> Georgio: how is your knowledge about basic network routing?
05:26 < dazo> Georgio: I'm headed out for lunch now .... but if you do not know too much about network routing ... this link gives an introduction to that: http://www.scribd.com/doc/10245818/Networking-Tutorial-TCPIP-Over-Ethernet
05:26 < vpnHelper> Title: Networking Tutorial - TCPIP Over Ethernet - Internet & Technology, Research, and networking tcp ip ethernet router mac address cidr (at www.scribd.com)
05:26 < dazo> Georgio: and in your network setup .... you need to play with the route parameter
05:27 < Georgio> wow where to start
05:28 < Georgio> okay thanks
05:43 -!- Sinky_ [n=stancho@78.90.99.168] has joined ##openvpn
05:43 < Sinky_> Hi guys
05:43 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
05:44 < Sinky_> Are there any statistics about the maximum users that can connect with openvpn to server (1 ghz, 256 DDR2) ? About the PC overload and so on ?
05:52 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
06:14 < _jack--> vpnHelper: i have some trouble in routing...I have installed openvpn server in my linux machine..this machine is also web server...all things are working. i can access other computers in openvpn server network from client....But the problem is that i can't access the web server..
06:14 < vpnHelper> _jack--: Error: "i" is not a valid command.
06:15 < _jack--> vpnHelper: i have some trouble in routing...I have installed openvpn server in my linux machine..this machine is also web server...all things are working. other computers in openvpn server network from client are accessible....But the problem is that can't access the web server..
06:15 < vpnHelper> _jack--: Error: "i" is not a valid command.
06:15 < _jack--> vpnHelper: have some trouble in routing...we have installed openvpn server in my linux machine..this machine is also web server...all things are working. other computers in openvpn server network from client are accessible....But the problem is that can't access the web server..
06:15 < vpnHelper> _jack--: Error: "have" is not a valid command.
06:20 -!- Georgio_ [n=IceChat7@41.4.171.182] has joined ##openvpn
06:25 -!- Georgio_ [n=IceChat7@41.4.171.182] has quit [Read error: 104 (Connection reset by peer)]
06:25 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn
06:37 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit [Read error: 113 (No route to host)]
07:01 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:02 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:03 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:12 -!- _jack-- [n=kaushal@202.79.41.215] has left ##openvpn ["Leaving"]
07:12 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
07:17 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:17 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:23 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 54 (Connection reset by peer)]
07:24 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:29 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:33 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
07:33 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
07:35 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
07:47 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:48 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
07:48 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 131 (Connection reset by peer)]
07:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:52 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:53 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:55 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 54 (Connection reset by peer)]
08:03 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:05 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
08:25 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
08:44 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has left ##openvpn []
08:53 < onats_> WASSUPER!
08:53 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.]
08:53 -!- onats_ is now known as onats
08:54 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
08:55 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
08:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:05 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:21 -!- onats1 [n=15172@221.121.120.254] has quit ["Leaving."]
09:24 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn
09:25 < vlt> Hello. Any idea how to examine the certificate of a remote OpenVPN server?
09:29 < dazo> vlt: have a look at --tls-verify ... works for sure on server, but should work on client as well
09:31 < dazo> vlt: or if you want to do the validation in C ... the info is also available when writing a plug-in and using the --plugin option
09:34 < vlt> dazo: Is "--tls-verify" an openssl or ovpn option?
09:34 < dazo> vlt: openvpn
09:35 < dazo> vlt: it will provide you with some info from the certificate which you then can use for controls .... unfortunately certificate digest is not one of the parameters .... but I have a patch for openvpn which provides that as well
09:36 < vlt> dazo: hmmm ... I'll try to explain. There's a remote ovpn server listening on 1194 but I don't know anything about it. I want it to tell me the SSL cert data. Can I use --tls-verify then?
09:36 < dazo> vlt: yes, but you need to write a script which do the verification based on the info you receive
09:39 < vlt> dazo: Something like `openvpn --tls-verify ` doesn't work. It expects a whole bunch of further options like --dev ...
09:39 < vlt> dazo: Can I find a docu somewhere?
09:40 < reiffert> 5su
09:40 < dazo> vlt: you'll need to dig up some docs on the plug-in interface .... I'm in a meeting now, but I'll have a look when it's over
09:45 < ecrist> morning, bitches
09:54 < onats> morning slut
09:54 -!- NaomiCruz [n=chatzill@user-0ccejib.cable.mindspring.com] has joined ##openvpn
09:55 -!- NaomiCruz [n=chatzill@user-0ccejib.cable.mindspring.com] has left ##openvpn []
10:33 -!- mRCUTEO [n=IRCLUNAT@124.13.93.105] has joined ##openvpn
10:39 -!- mRCUTEO [n=IRCLUNAT@124.13.93.105] has quit []
11:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:59 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 113 (No route to host)]
12:08 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
12:18 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:56 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
12:56 < Optic> hello... I have a system with a broken RTC. Is it possible to get openvpn to ignore the dates on the SSL/TLS certificate files?
12:57 < Optic> system always boots up in 1999 and the keys aren't valid yet :(
12:58 < dazo> Optic: why not run ntpdate on boot ... and the ntpd? ... then your clocks should be fine .... it's not that difficult to setup, and then you have solved your real issue
12:59 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
12:59 < Optic> dazo: yes, i'm going to be trying that. Will openvpn magically pick up the new date and connect, or do I have to restart it when the clock gets set?
13:00 < Optic> ah, openvpn handles it fine once the clock is set
13:00 < dazo> Optic: openvpn uses gettimeofday() or something similar to catch the clock .... so openvpn uses whatever system time you have present at that point
13:00 < dazo> (gettimeofday() == system call / os call)
13:01 * dazo need to run
13:01 < Optic> thanks!
13:40 -!- j3g [n=andrer@200.130.18.1] has quit ["Thanks folks!"]
13:55 < ikla> whats the default mtu setting for openvpn server?
14:05 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
14:06 < tsunami> is it possible to link the gui to the server. i.e. when you shut the gui down you stop the service
14:06 < tsunami> !howto
14:06 < vpnHelper> tsunami: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:06 < tsunami> !configs
14:06 < vpnHelper> tsunami: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:09 < ecrist> tsunami: not that I'm aware
14:10 < tsunami> our challenge here is allowing our users (who are users on the system) to enable and disable the vpn connection
14:10 < ecrist> just run it as a service, sans GUI
14:11 < ecrist> open up the services window and start/stop the service
14:12 < tsunami> we're worried about the service being left on for prolonged periods of time
14:12 < tsunami> in the background
14:16 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
14:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
14:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:26 < ecrist> tsunami: so what if it is?
14:29 < tsunami> security
14:31 < ecrist> heh, not really.
14:35 < krzie> lol 14:36 < krzie> just dont bridge and theres no added security risk 14:36 < krzie> and use a tls static key for HMAC 14:36 < krzie> !hmac 14:36 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 14:36 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:40 < krzie> the server could kill itself when the client disconnects, but you have no way of restarting it when another client wants to reconnect 14:40 < tsunami> in the config file how do you add directories with spaces in them? 14:40 < krzie> my guess would be with "'s 14:41 < krzie> but im 99% sure the example in the howto (aka the sample config has an example with a windows dir with spaces) 14:41 < krzie> err, (aka the sample config) 14:41 < krzie> !howto 14:41 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:42 -!- c64zotte1 [n=hans@p5B17B098.dip0.t-ipconnect.de] has joined ##openvpn 14:42 < krzie> # "C:\\Program Files\\OpenVPN\\config\\foo.key" # 14:43 -!- c64zotte1 [n=hans@p5B17B098.dip0.t-ipconnect.de] has quit [Client Quit] 15:57 -!- tsunami [n=tsunami@64.119.141.126] has quit [] 15:59 < ikla> krzie, switching to udp on the tunnel fixed that issue I had with packets coming up short 16:00 < krzie> =] 16:02 < ikla> can I set it up for udp and tcp in the config? 16:02 < krzie> no, but you can run 2 servers 16:02 < ikla> same machine just different config file 16:03 < krzie> yup 16:04 < ikla> with udp I was having packet loss issues with large file transfers 16:05 < krzie> you tried mtu-test? 
16:05 < ikla> no 16:08 < ikla> figures out the largest packet size in both directions? 16:09 < krzie> right 16:09 < krzie> finds best mtu for the connection 16:13 < ikla> you seen that help with packet loss? 16:13 < ikla> on a udp tun 16:22 -!- Borf [n=Borf@5ED293EA.cable.ziggo.nl] has joined ##openvpn 16:23 < Borf> !logs 16:23 < vpnHelper> Borf: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:23 < krzie> whats up 16:25 < Borf> I'm having some problems setting up openvpn xD 16:25 < krzie> i might need more detail 16:26 < Borf> I've got a dedicated server in a datacenter, and I want to use it to create a virtual network, in a same way hamachi sets up one 16:26 < krzie> i dont use hamachi, whats your goal 16:26 < Borf> things work ok when I connect, things work ok when someone else connects, things don't work when we both connect at the same time 16:26 < krzie> !configs 16:26 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:27 < Borf> my goal is to make a 10.7.0.x network routed through that dedicated server 16:28 < Borf> server (linux) http://test.exnw.com/game.txt , client (win32) http://dump.borf.info/game.txt 16:28 < Borf> as soon as that other person connects, my connection gets kicked out 16:29 < krzie> !ipp 16:29 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 16:30 < krzie> switch to dev tun 16:30 < Borf> that's all ? 
16:31 < krzie> you dont need tls-client, but should uncomment tls-auth 16:31 < krzie> the 1 tells the client it is the client and 0 tells server its the server 16:31 < krzie> (for tls) 16:31 < krzie> now... 16:31 < krzie> im gunna guess your other client is using the same cert 16:32 < krzie> and thats prolly the cause of the problem you are having 16:32 < krzie> the other stuff is just things i caught that you should fix 16:32 < Borf> nope he isn't 16:32 < krzie> also, you could add a little security by using dh 16:32 < krzie> !dh 16:32 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 16:33 < krzie> so the client has a different common-name than your client? 16:33 < krzie> lemme rephrase, 16:33 < krzie> NO 2 machines have the same common-name in their certs...? 16:34 < Borf> nope 16:34 < krzie> !logs 16:34 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:34 < krzie> also, after the first client is done connecting, connect the second 16:34 < krzie> then send me all 3 16:34 < Borf> hmm I have to go for a couple of minutes, be right back 16:36 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn 16:42 < Borf> ok back 16:42 * Borf starts configuring 16:44 < krzie> you read !ipp right? 16:47 * ecrist needs to find a graphics person 16:47 < krzie> for business or fun? 
16:47 < krzie> i know a guy locally with mad skills, im sure he'd be cheap if its for biz (aka willing to pay) 16:47 < krzie> plus we could just make it cancel colo costs and i pay him locally when you're happy with it 16:48 < js_> ditto 16:58 < ecrist> krzie: it's for my bbthe.me website 16:59 < krzie> ahh 16:59 < ecrist> I'm alright at the backend coding, but the graphical gooeyness is not my thing 16:59 < ecrist> not a business venture. 16:59 < ecrist> speaking of your server, when are you wanting that turned back on? 16:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:59 < krzie> well my guy is a straight up artist, but hes so busy with school i couldnt bring him something unless i offered him something in return 16:59 < krzie> but im sure someone will come through here 17:00 < krzie> toss it on topic maybe someone will bite 17:00 < ecrist> ah, no worries. I'll find someone to help on crackberry 17:00 < krzie> ahh good point 17:00 < krzie> should be real soon 17:00 < krzie> its been 1 hassle after another 17:00 < krzie> im sending back 3 seagate 1.5TB drives for RMA right now 17:01 < krzie> my inet got cut off cause i never got a bill in like 7 months 17:01 < krzie> so i got a huuuge bill the other day, 27th 17:01 < krzie> sent in a few hundred USD, told them ild pay the rest today 17:01 < krzie> they cut it off yesterday 17:01 < krzie> fuckers 17:01 < krzie> i guess they expect me to guess what the bill is and send it in or something 17:02 < ecrist> lol 17:02 < ecrist> I hate that. 17:02 < krzie> no kidding 17:03 < krzie> so i changed banks when i was in usa 17:03 < krzie> BofA was charging me monthly 17:03 < krzie> wamu doesnt 17:03 < krzie> well after that i renewed my skype account 17:03 < krzie> got shut off for fraud cause paypal tried to use my bank 17:03 < krzie> (totally forgot) 17:04 < krzie> so now im verifying my bank with paypal, then gunna get skype back on 17:04 < krzie> lol 17:04 < krzie> fun stuff man! 
17:04 < ecrist> sounds like it 17:04 < krzie> (paypal also had my cc on file, coulda just used that) 17:05 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["Always try to be modest, and be proud about it!"] 17:19 < Borf> krzie: I think I found the problem..I had the wrong certificate / key in the server.... 17:19 < Borf> can't test it properly right now, but I think it's working properly now :) 17:19 < Borf> anyway, another day tomorrow...g'night 17:19 < krzie> nite 17:47 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection timed out] 17:48 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:58 -!- gebi_ [n=gebi@84-119-43-219.dynamic.xdsl-line.inode.at] has joined ##openvpn 18:08 -!- gebi_ [n=gebi@84-119-43-219.dynamic.xdsl-line.inode.at] has quit [Read error: 145 (Connection timed out)] 18:08 < ikla> krzie, does mtu-test set the mtu or do I need mtu-disc also? 18:09 < krzie> !mtu 18:09 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 18:09 < krzie> see the manual for detailed explanation 18:09 < krzie> !man 18:09 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:09 -!- gebi [n=gebi@84-119-57-55.dynamic.xdsl-line.inode.at] has quit [Read error: 110 (Connection timed out)] 18:10 -!- gebi [n=gebi@84-119-57-210.dynamic.xdsl-line.inode.at] has joined ##openvpn 18:11 * ecrist revels in his sed wonderfulness. 
18:12 < ikla> si 18:12 < krzie> <3 sed 18:15 < ecrist> sed -i '' -e 's%^MIDlet-Description:.*%MIDlet-Description: Hosted at http://bbthe.me for free!%' \ 18:15 < ecrist> -e "s%^MIDlet-Vendor:.*%MIDlet-Vendor: $2%" \ 18:15 < ecrist> -e "s%^RIM-COD-Module-Name:.*%RIM-COD-Module-Name: $3%" -e "s%^MIDlet-Name:.*%MIDlet-Name: $3%" \ 18:15 < ecrist> -e "/RIM-COD-URL/s% com_% /$DIR/com_%g" $TMPFILE 18:15 < vpnHelper> Title: BBThe.me: Home (at bbthe.me) 18:16 < ecrist> pretty simple, really, but allows me to edit a JAD for deployment with one command and a few options. ;) 18:16 < ecrist> I hope PHP can do all that. 18:16 < ecrist> http://www.secure-computing.net/wiki/index.php/Sed 18:16 < vpnHelper> Title: Sed - Secure Computing Wiki (at www.secure-computing.net) 18:59 < ecrist> muahahah 18:59 < ecrist> I've gotta brush up on some perl, but I think I've figured out how to extract some images from RIMs COD binary. 19:15 < krzie> extortion? 19:15 < krzie> "get out of that binary or ill whack ya over the head with a large trout!" 19:17 < ecrist> is there a good byte editor for freebsd? 19:17 < ecrist> ah, bed 19:49 < ikla> if you don't specify an mtu setting in the config what does it default to? 20:09 < dan__t> hi 20:09 * dan__t stabs krzie 20:15 * ecrist stabs dan__t 20:20 < krzie> ikla 20:20 < krzie> !man 20:20 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:23 -!- belZe [i=noone@p5091CC0A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:23 -!- belZe [i=noone@p5091C908.dip.t-dialin.net] has joined ##openvpn 20:23 < dan__t> :/ 20:49 * ecrist begins writing a perl script to extract PNGs from binaries 20:56 < ecrist> woot, that was fast 21:01 < dan__t> ecrist, you rock. 21:02 < dan__t> ssl-admin is my new best friend. 21:04 < dan__t> any chance it's going to go to a single command-line style? 
21:04 < dan__t> ssl-admin --create-ca var1 var2 var3 etc etc 21:05 * krzie is willing to guess no 21:22 < ecrist> dan__t: I've got a few issues. 21:23 < ecrist> 1) ssl-admin needs a lot of work. it should be using the ssl perl libraries, but it's not, because I was lazy when I wrote it. 21:23 < ecrist> I'm probably not going to do anything till i get off my ass and do that. 21:23 < ecrist> 2) I've got a new pet project that's more fun right now. ;) 21:23 < ecrist> but, I would really like batch-mode and command line arguments for ssl-admin, for sure. 21:24 < ecrist> now, if someone were donating money to me to develop the application, I'd probably put more time into it. 21:24 < ecrist> the problem is, it works right now, and so it's a 'If it isn't broken, don't fix it,' thing. 21:25 < ecrist> well krzie, I can extract the PNGs out of the binary files now. ;) 21:26 < ecrist> theme developers are having mixed feelings. one side, AWESOME!, the other, hey, you shouldn't be able to get that out of the file. SADFACE 21:26 < ecrist> so, with some perl foo, a bit o' grep, and some ImageMagick fun, I can automagically figure out which file is the thumbnail. :D 21:26 < ecrist> sorry, I ramble on. 21:28 < krzie> hahaha sweet man 21:28 < krzie> time for me to detach for the night (unless the phone co actually turned my inet back on) 21:28 < krzie> which i highly doubt, nothing happens fast here... 21:29 < krzie> they didnt even send me a bill for like 7 months 21:32 < ecrist> krzie: quick story 21:33 < ecrist> after we talked about that earlier, I had the same thing happen. My business partner's EVDO card was turned off. I logged in to the site, our business account had reached its 'spending limit' because we hadn't paid a bill. Talked to customer service, haven't gotten a bill since December. 
21:33 -!- Optic [n=dfraser@miso.capybara.org] has left ##openvpn [] 21:34 < ecrist> I was told that when we signed up for online account access, we were automatically signed up for e-billing. Their invoices have been going to SPAM for three months. 21:34 < ecrist> grr 22:27 -!- vladi [n=vladi@cpe-75-80-161-192.san.res.rr.com] has joined ##openvpn 22:28 < vladi> hi, how can i specify the dev to use in the server conf? "dev vpn0" gives me an error "server-bridge directive only makes sense with --dev tap" 22:37 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 22:37 < onats1> !/30 22:37 < vpnHelper> onats1: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 22:37 < onats1> !topology 22:37 < vpnHelper> onats1: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 22:41 < dan__t> ecrist, I don't ask that in a "why doesn't application abc have feature xyz" manner. I completely understand what's involved, and certainly understand your viewpoint. 22:41 < dan__t> I know how it works, I promise :) --- Day changed Wed Apr 01 2009 00:15 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 00:26 -!- nemysis [n=nemysis@61-28.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 00:27 -!- nemysis [n=nemysis@245-199.3-85.cust.bluewin.ch] has joined ##openvpn 01:20 -!- _jack-- [n=kaushal@202.79.41.215] has quit [Read error: 113 (No route to host)] 01:26 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn 01:45 -!- qwaza [n=dexter@gateway.geodesic.com] has joined ##openvpn 01:47 < qwaza> hi all, has anybody faced around 50% packet losses at random intervals with openvpn 2.1 ? 01:47 < dan__t> krzie, you up? 
01:47 < qwaza> or any clues as to how to deal with it? 01:48 < dan__t> tried testing with mtr? 01:48 < qwaza> nope 01:49 < qwaza> mtr is a tool right 01:49 < qwaza> i tried mssfix 1300, but that didn't fix it. can't use fragment size 01:51 < qwaza> dan__t, mtr is a graphical tool. can't use it on a firewall. alternatives? 01:51 < dan__t> No, its not. 01:51 < dan__t> Well, that one may be. 01:52 < qwaza> well, apt-get says it needs all sorts of libx libs 01:53 < qwaza> ok i'll get back with my config files pastebined 02:13 < reiffert> mtr got a curses frontend as well 02:14 < reiffert> However, !configs 02:14 < reiffert> !configs 02:14 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:26 < kraut> morning 02:31 < reiffert> morning 02:33 < qwaza> http://pastebin.com/d615c49dc Please have a look 02:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 02:33 < qwaza> i repeat, there is a steady 50% packet loss 02:34 < qwaza> mssfix of 1300 didn't help 02:41 < qwaza> any ideas? anyone? what can i do to resolve this? 02:55 < reiffert> remove from server.conf: line 10, 17,18,19,21,22 02:55 < reiffert> 25 02:55 < reiffert> from client conf: line 46 02:55 < reiffert> update both to 2.1rc15 02:57 < reiffert> How do you measure "packet loss"? 03:01 < qwaza> the packet loss was reported from ping 03:02 < reiffert> What are you planning to send over the tunnel, mostly tcp or udp data? 03:02 < qwaza> both 03:03 < qwaza> it is already functional and working 03:03 < qwaza> i'm basically troubleshooting the packet loss 03:03 < reiffert> icmp is a stateless protocol, so is the tunnel protocol udp. 03:03 < qwaza> yes 03:03 < qwaza> but why should i lose 50% of my icmp pings? 
03:03 < reiffert> When you send 100MB of tcp payload over the udp tunnel, you won't lose a single byte. 03:04 < qwaza> dns queries timeout 03:04 < qwaza> over the vpn 03:04 < reiffert> change the tunnel protocol to tcp then. 03:04 < qwaza> i see 03:04 < reiffert> oh and btw 03:04 < reiffert> !factoids search mtu 03:04 < vpnHelper> reiffert: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 03:05 < qwaza> ok i'll try that. unfortunately, this is a corporate vpn and the client configs are all not in my hands 03:05 < qwaza> so i can't really work with mtu, only mss which didn't work out 03:05 < qwaza> so, the only recourse is to switch to tcp? 03:06 < reiffert> 10:05 < qwaza> so i can't really work with mtu, only mss which didn't workout 03:06 < reiffert> why is that? 03:06 < qwaza> then i have to change the mtu of the client too, according to the man page 03:07 < reiffert> when you switch to tcp, you have to do that as well. 03:07 < qwaza> yes :( 03:08 < qwaza> just wondering, how do the vast majority of vpns function over udp? 03:08 < qwaza> do they face packet loss too? doesn't the openvpn protocol handle the losses? 03:08 < reiffert> How many of those vast majority do you know personally? 03:09 < qwaza> three. doesn't openvpn usually run over udp? 03:09 < qwaza> i'm not complaining, just wonmdering 03:10 < qwaza> *wondering 03:10 < reiffert> start running the mtu test. results? 03:10 < qwaza> will get back with those 03:18 -!- qwaza [n=dexter@gateway.geodesic.com] has quit ["Leaving"] 03:22 -!- boojit [n=boojit@gw.carter.to] has quit [Read error: 60 (Operation timed out)] 03:24 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn 03:31 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 04:57 < _jack--> how do I enable web access on a linux machine with openvpn installed? 
04:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:01 < kaii> openvpn? web access? 05:07 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has joined ##openvpn 05:08 < _jack--> yeah.... 05:09 < _jack--> kaii: actually openvpn is installed on a linux machine and is working.. it can also access other servers in that network... 05:10 < _jack--> but the problem is that the openvpn server is also a web server.. and I can't access the web from the client 05:10 < lukask> Hi! I have a problem where I'm somewhat lost ... a vpn host-to-host, where on one side we have a dsl-line with a router and a vpn-host, on the other side is a "secure computing Sidewinder 5.2.x" router and firewall and behind that a vpn-host. The vpn worked nicely, but for a few days now packets >17000bytes just get dropped :/ 05:23 < lukask> Grmbl ... reducing the link-mtu to 1300 helped. darn borken internet. 06:01 -!- lukas__ [n=l@212.100.49.238.fixip.bitel.net] has joined ##openvpn 06:08 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, rdz, vlt, isox, ikla, Borf, l2trace99, onats1, krzie, kraut, (+50 more, use /NETSPLIT to show all of them) 06:08 -!- Netsplit over, joins: Flumdahl, lukas__, lukask, cpm, _jack--, boojit, floyd_n_milan, SuperEvilDeath14, nemysis, onats1 (+50 more) 06:13 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 06:16 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has quit [Read error: 110 (Connection timed out)] 06:47 -!- achilles [n=achilles@82.205.120.165] has joined ##openvpn 06:49 < achilles> hello, I'm using openvpn for site-to-site connectivity, it's good, but what if the internet disconnects for a few minutes, is there a way to reconnect automatically ? 07:08 < ecrist> achilles: it's covered in the man page. iirc, it's --retry-infinite 07:16 -!- rdz [i=roman@195.176.254.176] has quit [Read error: 104 (Connection reset by peer)] 07:16 < achilles> ecrist, oh I looked at the man page .. 
I didn't notice. thank you very much, I started to write my own cron-ed job to check connectivity. I found this http://www.linuxquestions.org/questions/linux-networking-3/openvpn-does-not-reconnect-621097/ 07:16 < vpnHelper> Title: OpenVPN does not reconnect - LinuxQuestions.org (at www.linuxquestions.org) 07:17 < achilles> hehe .. that one! 07:33 < belZe> hello everyone 07:35 < belZe> @ecrist: finally some time to get back to my the-bridge-doesnt-want-to-learn-arp-coming-from-ovpn-client problem :) 07:46 < belZe> hey mjt, you remember my scenario? arp-replies arent propagated to tap0 somehow, i can see both - request and reply - on eth0 and br0 07:47 -!- lukas__ [n=l@212.100.49.238.fixip.bitel.net] has quit ["Ex-Chat"] 07:51 -!- arshavin [n=asd@host213-123-233-96.in-addr.btopenworld.com] has joined ##openvpn 07:52 < arshavin> Hey, does anyone know of a decent open vpn front end interface allowing for easy administration 07:52 < arshavin> like adding/removing users(certificates) etc... 07:52 < ecrist> arshavin: yes 07:52 < ecrist> !ssl-admin 07:52 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 07:59 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"] 07:59 < kala> ecrist: btw, I think I can update the client A and PTR records on the Windows DNS server. I still have to integrate the script into the actual OpenVPN server, but I hope it's not too difficult 08:03 < arshavin> ecrist : thanks for that but I don't suppose there is a product commercial or otherwise that is a bit friendlier? I don't want to give that script (which looks fairly powerful) to a layuser 08:03 < arshavin> ecrist : especially if they have to ssh into a box first and run it 08:07 < ecrist> arshavin: no, there's nothing out there for 'layusers.' 
08:07 < ecrist> If they can't handle running a menu-driven script over ssh, they probably shouldn't be administering your OpenVPN system. 08:08 < ecrist> now, OpenVPN folks are coming out with a commercial application soon to do what you're looking for, but it's not available yet, and I'm not certain on pricing. 08:08 < arshavin> Administration yes but the simple adding/removing of users for example 08:08 < ecrist> arshavin: that *is* administration 08:09 < ecrist> once the server is configured, adding/removing users is all that's left. 08:09 < ecrist> check out beta.openvpn.net 08:09 < ecrist> information on the app I mention 08:09 < arshavin> Yes but it doesn't take a genius to click new user and fill out a form :) so I'd love to find something like that 08:09 < arshavin> thanks 08:09 < ecrist> arshavin: did you try ssl-admin? 08:09 < ecrist> it's almost that easy 08:09 < ecrist> ssh 08:09 < ecrist> ./ssl-admin 08:10 < arshavin> I'm going to set that up on the current VPN box now as it will help me alot 08:10 < ecrist> user's given a menu. option '4' is one-step request/sign, fill out form, press 'z' to zip the package for a user. 08:10 < arshavin> but I'm the only IT guy in the company. even though we are mainly technically minded developers. 08:11 < ecrist> if you allow people to arbitrarily create certificates for themselves, your VPN is not secure. 08:11 < arshavin> "people" would be limited to some of the dev team managers 08:12 < arshavin> still it's about ease of use so yeah something pointy and clicky is where I'd like to be just to remove the burden from me :) 08:12 < arshavin> but I'll give ssl-admin a go now for myself 08:13 < ecrist> check out the site above, it's probably what you're looking for, when it's released. 
08:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:19 -!- achilles [n=achilles@82.205.120.165] has quit [Read error: 60 (Operation timed out)] 08:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:41 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"] 08:46 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn 08:49 -!- arshavin [n=asd@host213-123-233-96.in-addr.btopenworld.com] has quit [] 08:53 -!- achilles [n=achilles@mail.masrouji.com] has joined ##openvpn 09:12 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 09:19 -!- achilles [n=achilles@mail.masrouji.com] has quit [Read error: 113 (No route to host)] 09:20 -!- ecrist changed the topic of ##openvpn to: Canadian Mountie back-door discovered in OpenVPN versions going back to 0.83. 09:38 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has joined ##openvpn 09:38 -!- mode/##openvpn [+o SlashLife] by ChanServ 09:38 <@SlashLife> Uhh ... 
Oo 09:38 -!- mode/##openvpn [-o SlashLife] by SlashLife 09:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:49 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 09:49 -!- mode/##openvpn [+o ThoMe] by ChanServ 09:49 <@ThoMe> hi 09:49 <@ThoMe> hello 09:49 < ecrist> hi 09:50 <@ThoMe> have an error on my server when i connect with my openvpn client (installed on my snom sip telefon) 09:50 <@ThoMe> "~" 09:50 <@ThoMe> telefon ) telephone 09:50 < ecrist> ok 09:50 < ecrist> !configs 09:50 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:51 < ecrist> !logs 09:51 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:51 <@ThoMe> "tls_process: killed expiring key" 09:56 -!- mode/##openvpn [+o ecrist] by ThoMe 09:56 -!- mode/##openvpn [-o ecrist] by ThoMe 09:58 <@ThoMe> ecrist: this is my config from my pc, works good: 09:58 <@ThoMe> http://paste.keks.be/430/txt 09:58 <@ThoMe> this is my config from my phone: http://paste.keks.be/429/txt with the error (killed expiring key) 10:02 < ecrist> ok, and logs? 10:02 <@ThoMe> ecrist: moment. sorry pls 10:03 <@ThoMe> ecrist: http://paste.keks.be/431/txt 10:03 <@ThoMe> ecrist: oh, now i see, my pc also has the problem 10:05 -!- mode/##openvpn [-o ThoMe] by ThoMe 10:05 < ThoMe> ecrist: can you help me? 10:08 < SlashLife> Mhh ... would it be possible to "chain" OpenVPN connections? 10:08 < ecrist> SlashLife: what do you mean? 10:08 < SlashLife> e.g. I'd first need to get into my university's VPN to be able to connect to the internet ... and then I'd need to go through this VPN to my home VPN. 
10:08 < ecrist> ThoMe: hang on 10:09 < ThoMe> *hang* 10:09 < ecrist> SlashLife: the more you tunnel, the more fragmented packets get 10:09 < ecrist> you should be able to, but you may see performance problems. 10:10 < ecrist> ThoMe: 'killed expiring key' isn't an error, it's normal 10:11 < SlashLife> ecrist: Performance is not the issue. :) Could I lessen the severity of this effect by lowering my home VPN's MTU? 10:11 < ecrist> you could. use --test-mtu 10:11 < ecrist> !mtu 10:11 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 10:11 < SlashLife> Ah, thanks. 10:11 < ThoMe> ecrist: hm. when i call for over 11 minutes then i have a break of ~5 seconds. 10:11 < ThoMe> ecrist: hm. 10:12 < ThoMe> but only when i use openvpn. 10:12 < ThoMe> without it i have no breaks. 10:12 < ecrist> ThoMe: read this for reference: http://openvpn.net/archive/openvpn-users/2007-07/msg00104.html 10:12 < vpnHelper> Title: Re: [Openvpn-users] TLS: tls_process, killed expiring key - What does this mean? (at openvpn.net) 10:12 < ThoMe> ecrist: and the breaks? do you have an idea for this? 10:13 < ecrist> ThoMe: I can only guess about that. 10:14 < ecrist> my guess is low bandwidth or cpu power on the device 10:14 < ThoMe> mh ok 10:16 < ThoMe> ecrist: must i use "dev tap" on server AND client side? 10:16 < ThoMe> or can i use dev tap on my server and dev tun on my client? 
10:17 < ecrist> they must match on both sides 10:17 < ecrist> if (server.config == tap); then (client.config == tap); fi 10:22 -!- fixxxermet [n=kjohnson@66.92.156.2] has joined ##openvpn 10:22 -!- mode/##openvpn [+o fixxxermet] by ChanServ 10:22 <@fixxxermet> hmm 10:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:23 -!- mode/##openvpn [+o rubydiamond] by ChanServ 10:25 <@fixxxermet> I've setup an openvpn server and a client along with the client-to-client option and the various push route options yet I am still unable to fully access each other's lan. I can ping one or two machines on each lan from the other side, but that is it. 10:26 < ecrist> fixxxermet: did you setup iroutes? 10:26 <@fixxxermet> Yes, with the ccd 10:26 <@fixxxermet> pasting everything now 10:26 < ecrist> what about firewalls? 10:27 <@fixxxermet> Port 1194 udp is forwarded to both the server and the client 10:27 <@fixxxermet> http://pastebin.com/d58e0af5b be my info 10:28 < ecrist> right, but what about non-1194 traffic? 10:28 < ecrist> my guess is you're running into a firewall issue 10:29 <@fixxxermet> that would make sense 11:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:01 -!- mode/##openvpn [+o polaru] by ChanServ 11:03 -!- elventear [n=elventea@208.42.115.81] has joined ##openvpn 11:03 -!- mode/##openvpn [+o elventear] by ChanServ 11:03 -!- elventear [n=elventea@208.42.115.81] has left ##openvpn [] 11:28 < ThoMe> ecrist: emm 11:29 < ThoMe> ecrist: my client said: http://paste.keks.be/432/txt 11:29 < ThoMe> ecrist: client config: http://paste.keks.be/433/txt 11:30 < ThoMe> ecrist: server config: http://paste.keks.be/434 11:30 < ThoMe> ecrist: server log: http://paste.keks.be/435/txt 11:31 < ThoMe> can you help me? 11:42 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has quit [Read error: 110 (Connection timed out)] 11:43 < ThoMe> ecrist: huhu? 
11:55 -!- sm01 [n=sepe@ti300720a080-0064.bb.online.no] has joined ##openvpn 11:55 -!- mode/##openvpn [+o sm01] by ChanServ 11:56 <@sm01> I'm hosting an openvpn server on my linux server and I'm going to be using windows clients but I can't seem to understand if I should use tun or tap. What is your opinion? 12:06 < ecrist> sm01: tun, unless you have a specific reason to use tap 12:06 < ecrist> ThoMe: what's your issue? 12:07 < ecrist> I don't see anything in your logs, a few lines of regular stuff. 12:09 < ikla> anyone ever have issues with ssh sessions freezing through a udp tun? 12:09 <@sm01> ecrist: What would be a reason to choose tap then? 12:12 <@sm01> well I guess it is routing that is my need so I'll stick with tun then? 12:21 -!- sm01 [n=sepe@ti300720a080-0064.bb.online.no] has quit ["leaving"] 12:23 < ecrist> ikla: no 12:23 < ecrist> unless there's a shoddy connection 12:40 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 13:08 -!- kyrix [n=ashley@91-115-26-112.adsl.highway.telekom.at] has joined ##openvpn 13:08 -!- mode/##openvpn [+o kyrix] by ChanServ 13:11 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 13:11 -!- mode/##openvpn [+o plaerzen] by ChanServ 13:11 <@plaerzen> hello irc :) long time. 13:22 < ecrist> hey plaerzen 13:23 <@plaerzen> We moved offices about a month ago so I've been supremely busy 13:35 < ecrist> moving offices can be fun. a break in the dullness of day-to-day 13:40 < Dougy[Office]> ecrist: i know 13:41 <@fixxxermet> If my server is on 192.168.0.47 and my client on 192.168.8.10, and I want every computer on each lan to have access to every other on the other lan (which client-to-client is for?), how does the "server" option relate to my setup? 
13:46 -!- nemysis [n=nemysis@245-199.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
13:48 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has joined ##openvpn
13:48 -!- mode/##openvpn [+o JediMaster] by ChanServ
13:48 <@JediMaster> hey guys, I'm fairly new to openvpn, I've used tunneldigger to generate the openvpn config for both server and clients
13:49 * JediMaster wonders how he's got the @
13:51 -!- achilles [n=achilles@62.90.14.185] has joined ##openvpn
13:51 -!- mode/##openvpn [+o achilles] by ChanServ
13:51 <@JediMaster> ok, I can see when openvpn is running, on the client port 5000 is open
13:52 <@JediMaster> achilles: is everyone opped in this channel?
13:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:57 -!- reiffert [n=thomas@mail.webersheim.de] has left ##openvpn []
13:57 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
13:57 -!- mode/##openvpn [+o reiffert] by ChanServ
13:58 -!- mode/##openvpn [-ooo achilles fixxxermet JediMaster] by reiffert
13:58 -!- mode/##openvpn [-oo kyrix plaerzen] by reiffert
13:58 < plaerzen> awe
13:58 <@reiffert> ecrist: something's going wrong here ...
13:58 <@reiffert> krzie: any idea?
14:02 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has left ##openvpn []
14:02 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has joined ##openvpn
14:02 -!- mode/##openvpn [+o JediMaster] by ChanServ
14:02 <@JediMaster> heh reiffert: what's with chanserv?
14:03 -!- mode/##openvpn [-o JediMaster] by JediMaster
14:04 <@reiffert> I have no idea.
14:04 < JediMaster> after several pages of debug, I'm getting: http://pastebin.com/d4a910687
14:04 < JediMaster> in my syslog
14:05 -!- mode/##openvpn [-o reiffert] by reiffert
14:06 -!- SlashLife [n=slashlif@port-92-195-163-82.dynamic.qsc.de] has joined ##openvpn
14:06 -!- mode/##openvpn [+o SlashLife] by ChanServ
14:06 < JediMaster> anyone got any idea why it's not connecting?
14:07 -!- mode/##openvpn [-o SlashLife] by SlashLife
14:11 -!- reiffert [n=thomas@mail.webersheim.de] has left ##openvpn []
14:11 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
14:11 -!- mode/##openvpn [+o reiffert] by ChanServ
14:11 -!- ecrist was kicked from ##openvpn by reiffert [nice joke on april the 1st, eh?]
--- Log closed Wed Apr 01 14:11:38 2009
--- Log opened Wed Apr 01 14:35:19 2009
14:35 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:35 -!- Irssi: ##openvpn: Total of 64 nicks [3 ops, 0 halfops, 0 voices, 61 normal]
14:35 -!- mode/##openvpn [+o ecrist] by ChanServ
14:35 -!- Irssi: Join to ##openvpn was synced in 1 secs
14:35 <@ecrist> heh
14:36 -!- mode/##openvpn [-o ecrist] by ecrist
14:37 < ecrist> reiffert: happy April Fool's Day!
15:04 -!- kyrix [n=ashley@91-115-26-112.adsl.highway.telekom.at] has quit ["Leaving"]
15:28 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
15:28 -!- mode/##openvpn [+o tsunami] by ChanServ
15:35 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Connection timed out]
15:40 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
15:40 -!- mode/##openvpn [+o disco-] by ChanServ
16:03 -!- fixxxermet [n=kjohnson@66.92.156.2] has left ##openvpn []
16:19 -!- ecrist changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
16:19 -!- Irssi: ##openvpn: Total of 63 nicks [5 ops, 0 halfops, 0 voices, 58 normal]
16:20 -!- mode/##openvpn [+o ecrist] by ChanServ
16:20 -!- mode/##openvpn [-oooo disco- nemysis plaerzen reiffert] by ecrist
16:20 -!- mode/##openvpn [-oo tsunami ecrist] by ecrist
16:20 -!- Irssi: ##openvpn: Total of 63 nicks [0 ops, 0 halfops, 0 voices, 63 normal]
16:25 < SlashLife> "the following test will take about two minutes..."
16:25 < SlashLife> I sure would like to know what it's testing. :<
16:39 -!- tsunami [n=tsunami@64.119.141.126] has quit []
16:40 -!- ThoMe [i=tm@tm.muc.de] has quit [Remote closed the connection]
16:40 < Kreg-Work_> when signing keys, what is the use of the email address field? the email address of the admin making the keys, or the email address of the user getting the key?
16:50 -!- gebi_ [n=gebi@84.119.81.115] has joined ##openvpn
16:51 < krzie> Kreg-Work_ doesnt really matter, makes more sense to use the user's i guess
16:51 < krzie> i just make stuff up
16:51 < krzie> your@mom
16:51 < krzie> hehe
16:53 -!- gebi [n=gebi@84-119-57-210.dynamic.xdsl-line.inode.at] has quit [Read error: 145 (Connection timed out)]
16:54 < Kreg-Work_> lol
16:54 < Kreg-Work_> well you have to answer similar questions when signing ssl certs for things like web servers. but never really sure what the main purpose was
16:55 < krzie> for that it would be admin
16:55 < krzie> when accepting the cert it can be seen by the end user
16:58 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
16:58 < SgtPepperKSU> !/30
16:58 < vpnHelper> SgtPepperKSU: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
16:59 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
17:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:17 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has quit [Connection timed out]
18:06 -!- Dougy[Office] [i=doug@64-18-144-2.ip.bergenhosting.com] has quit ["Lost terminal"]
18:14 -!- mode/##openvpn [+o krzie] by ChanServ
18:15 -!- krzie changed the topic of ##openvpn to: Sorry, the openvpn project has been cancelled due to a lawsuit by microsoft. Any further use of the program will get you sent to prison
18:15 -!- mode/##openvpn [-o krzie] by krzie
18:15 * krzie snickers
18:37 -!- DvlDog [n=DvlDog@c-76-111-238-130.hsd1.fl.comcast.net] has joined ##openvpn
18:58 -!- JediMaster [n=JediMast@84.9.122.189] has joined ##openvpn
18:58 < JediMaster> awww, not auto-op'ed this time =(
19:01 < JediMaster> is there a nice quick way to get openvpn set up? I've always found it way too time consuming to get going
19:01 < JediMaster> tried using "tunneldigger" and I couldn't get it working
19:05 -!- DvlDog [n=DvlDog@c-76-111-238-130.hsd1.fl.comcast.net] has quit [Read error: 110 (Connection timed out)]
19:06 < krzie> I'd say by reading the docs...
19:06 < krzie> but
19:06 * krzie points at the topic
19:08 < krzie> still here?
19:11 < ecrist> sup guys?
19:11 * krzie points at the topic and the calendar
19:11 < ecrist> krzie: you missed it
19:12 < ecrist> I had chanserv auto-opping everyone all day today
19:12 < krzie> aww, what'd i miss?
19:12 < krzie> hahahahah
19:12 < krzie> nice man
19:12 < ecrist> /msg chanserv access ##openvpn set *!*@* +O
19:13 < ecrist> slashdot has been a fail all day, though
19:14 < ecrist> too many lame attempts at false news.
19:14 < ecrist> like the just-posted 'Microsoft Asks Fed for Bailout'
19:14 < krzie> sounds like the other 364 days
19:14 < krzie> lol
19:15 < krzie> i just had the head of security tell a guy that he needed to go out and check his car cause his rims and tires had been stolen
19:15 < ecrist> heh
19:17 < krzie> everyone was cracking up when he walked out
19:17 < krzie> haha
19:18 < ecrist> I posted, without permission, a theme a guy named Dylan Macleod wrote. He sent me an email asking me to take it down because I was cutting into his ad revenue.
19:18 < ecrist> I told him his thoughts on the matter didn't matter.
19:18 < ecrist> He asked why.
19:19 < ecrist> I said it was because he was from Canada.
19:19 < krzie> lol
19:19 < ecrist> his response, and I quote, 'What is wrong with you?'
19:19 < krzie> hahahah
19:24 < krzie> that was april fools tho right?
19:24 < ecrist> not at all
19:24 < krzie> like, you'll take it down?
19:24 < ecrist> oh, I took it down
19:24 < ecrist> still think he's a pile of shit because he's from canada
19:24 < krzie> lol
19:24 < krzie> why's it matter where he's from
19:25 < ecrist> because it's CANADA
19:25 < ecrist> krzie, when the Canada military takes its break, the MN national guard is going to invade. we're going to build more cabins up there.
19:25 < ecrist> s/Canada/Canadian/
19:26 < krzie> hah
19:26 < krzie> invade washington instead and tell them to allow states to run their own states
19:26 < JediMaster> sorry to break up the fun and get all on-topic ;-) (mind you considering the current topic...)
19:26 < krzie> aka reinstate the 10th amendment
19:26 < JediMaster> If I want to set up two VPNs that will go via two different interfaces to a remote server, can I use the same key for the client?
19:27 < ecrist> sure
19:27 < krzie> you can
19:27 < JediMaster> kk, ta
19:32 < ecrist> http://www.youtube.com/watch?v=Xtc1MG9bDrg&eurl=http%3A%2F%2Fwww%2Edivinecaroline%2Ecom%2Farticle%2F22117%2F71004%2Dseven%2Dhoaxes%2Dapril%2Dfirst&feature=player_embedded
19:32 < vpnHelper> Title: YouTube - Camp Okutta - An Adventure Camp for Kids (at www.youtube.com)
19:39 < ecrist> ROFLMAO
19:40 < ecrist> if you look in that URL, you can find the word, 'Farticle'
19:40 * ecrist goes and has another.
19:41 < krzie> hahah
19:45 < JediMaster> do I need the dh1024.pem file on the client?
19:45 < ecrist> no
19:45 < krzie> not only do you not need it
19:45 < krzie> it cant do anything there
19:45 < JediMaster> kk
19:46 < JediMaster> so I just need client.* and ca.crt?
19:46 < ecrist> and client.crt and client.key
19:46 < ecrist> oh, yeah
19:46 < krzie> !factoids search cert
19:46 < vpnHelper> krzie: 'servercert', 'certs', and 'nocert'
19:46 < ecrist> and client.config
19:46 < JediMaster> hence the * =)
19:46 < krzie> !certs
19:46 < vpnHelper> krzie: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
19:46 < krzie> err thats not it
19:47 < ecrist> JediMaster: don't instult me when I'm drinking!
19:47 < JediMaster> lol
19:47 < ecrist> or insult.
19:47 < krzie> !factoids search where
19:47 < vpnHelper> krzie: No keys matched that query.
19:47 < krzie> !factoids search file
19:47 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
19:47 < krzie> bleh
19:47 < krzie> i thought i had something there for that one
19:47 < krzie> in the howto it has a table of what files go where
19:47 < krzie> !howto
19:47 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:49 * JediMaster followed the instructions and they actually worked
19:49 < JediMaster> !
19:49 < JediMaster> =)
19:50 < krzie> haha
19:50 * JediMaster is a programmer, so he doesn't RTFM unless he REALLY has to
19:50 < JediMaster> now to do the next stupid part
19:50 < krzie> hrm i would think a programmer would understand how important the manual is in a complicated program
19:50 < krzie> rather than ask for help
19:51 < ecrist> indeed
19:51 < ecrist> I'm a pseudo-programmer and I RTFM all the time.
19:51 < JediMaster> krzie: maybe when I was a sysadmin, but I'm more of a programmer than sysadmin, so I just want it to work now =)
19:51 < ecrist> ooh, I hate programmers like that. I'm a sysadmin in a partial devel environment.
19:51 < ecrist> all the programmers are the same way
19:52 < JediMaster> now I've got to get it to run on two different ports so I can use iptables on the client to put one through one interface and the other through the other interface
19:52 < krzie> welp
19:52 < JediMaster> as I've got 2 ADSL lines (25Mbps combined)
19:52 < ecrist> 'Hey Eric. I want to use perl module X in my program. will you install it for me?' 'Rot in Hell' I say.
19:52 < krzie> you need 2 instances of the program running
19:52 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has joined ##openvpn
19:53 < SatanClaus> hiho
19:53 < krzie> hohoho
19:53 < ecrist> I was going to kickban you on principle, then noticed the n was at the *end* rather than before the t
19:53 < SatanClaus> ;)
19:53 < SatanClaus> just a short question... is there any way to get around the need for loading the kernel module tun?
19:54 < ecrist> no
19:54 < krzie> yes
19:54 < JediMaster> maybe
19:54 < ecrist> unless you'd rather load kernel module for tap
19:54 < JediMaster> =D
19:54 < SatanClaus> i want to set up an openvpn server but only own a vserver where I don't have control over the kernel
19:54 < krzie> by statically building it into the kernel
19:54 < krzie> or by not using openvpn
19:55 < krzie> if you want a vps for it, i can speak for a company that is cheap, responsive, and works fine with openvpn
19:55 < krzie> www.nerios.net #nerios on efnet
19:55 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
19:55 < SgtPepperKSU1> !/30
19:55 < vpnHelper> SgtPepperKSU1: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
19:57 * ecrist goes and drinks more.
20:02 < JediMaster> heh, nice, 20ms ping to my colo machine with the openvpn server running
20:03 < JediMaster> through the vpn
20:04 < JediMaster> ok, next silly part to this project, connecting the two vpns together using link aggregation
20:04 < JediMaster> if it's even possible
20:04 < krzie> neg
20:05 < krzie> but you can use a routing protocol over them
20:06 < JediMaster> routing's not going to work
20:06 < JediMaster> need to double up the bandwidth
20:07 < krzie> I'd say if it can be done on normal links it can be done on the vpn links
20:07 < JediMaster> what's the best way of running openvpn in the background? nohup and & ?
20:07 < krzie> READ THE FUCKING MANUAL
20:07 < JediMaster> pfft, it's 2am, eyes are blurry
20:07 < JediMaster> been doing this for 5+ hours
20:07 < krzie> --daemon, and thats the last plainly spelt out in manual freebie
20:08 < JediMaster> ta
20:08 < krzie> yw
20:11 * JediMaster goes off to RTFM as it doesn't actually do anything at all
20:11 < krzie> !man
20:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:11 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has joined ##openvpn
20:11 < JediMaster> thanks again
20:12 < krzie> np
20:14 < SatanClaus> may i ask why the vpn-server needs a kernel module to be loaded at all?
20:15 < krzie> because it uses a tun or tap device
20:15 < krzie> which unless compiled into the kernel requires a module
20:15 < krzie> if compiled into the kernel, you need no module
20:15 < SatanClaus> ok, so why does it need such a device?
20:15 < krzie> cause thats how it works!
20:16 < krzie> if you wanna go figure out how to code it differently, feel free, the code is open source
20:16 < SatanClaus> ;) but why? i mean it's just a server... listening on one port, answering with some packets
20:16 < krzie> umm no
20:16 < krzie> its NOT just a server listening on a port
20:16 < SatanClaus> not?
20:17 < krzie> its a server listening on a port that creates a tunneled connection
20:18 < JediMaster> ok, I've actually looked and RTFM'ed and I've got: openvpn --daemon openvpn1 --cd /etc/openvpn --dev tun0 server.conf
20:18 < JediMaster> but tun0 isn't showing up in ifconfig
20:19 < JediMaster> the config works fine when running in the foreground with just openvpn server.conf
20:19 < krzie> you can put daemon in the config
20:19 < krzie> and cd
20:19 < krzie> and dev
20:19 < krzie> without the --'s
20:19 < JediMaster> handy to know
20:19 < krzie> basically all options can go in config
20:19 * krzie swears the manual says that
20:20 < krzie> OPTIONS
20:20 < krzie> OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
20:21 < JediMaster> it doesn't start up if I put daemon in the config
20:21 < krzie> as in, you dont see it in ps auxw|grep openvpn?
20:21 < krzie> or you dont see output to the screen
20:22 < JediMaster> nm, got it working now
20:22 < krzie> heh
20:22 < JediMaster> getting blurry-eyed
20:22 -!- belZe [i=noone@p5091C908.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:22 -!- belZe [i=server3@p5091CA0B.dip.t-dialin.net] has joined ##openvpn
20:22 < krzie> then go to sleep
20:23 < krzie> it'll be there tomorrow
20:23 < JediMaster> I have 4 ssh terminals open and I had already had the same config started on the same port on the same server heh
20:23 < JediMaster> still not why the --daemon didn't work though
20:25 < JediMaster> hmmm should two instances use different ip ranges?
20:25 < krzie> they MUST
20:25 < JediMaster> they've both started up as 10.0.0.1 on tun0 and tun1
20:26 < JediMaster> ok, ta
20:28 < JediMaster> sweet, I can ping both
20:29 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has quit [Remote closed the connection]
20:31 < JediMaster> yup, you're right, ifenslave doesn't like tun devices
20:31 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has joined ##openvpn
20:32 * JediMaster cries
20:32 * JediMaster wants uuuuuuber fast single connection
20:32 < SatanClaus> re
20:32 < JediMaster> wb
20:32 < SatanClaus> sorry, had a timeout...
20:33 * Bushmills wants a pile of chocolate, the size of a planet system
20:35 < JediMaster> shame it'd have its own gravity and all the components would separate out and be pretty yucky
20:36 < JediMaster> this is what I get if I try to aggregate the two tun's together: Master 'bond0': Error: set hw address failed....Master 'bond0', Slave 'tun0': Error: Enslave failed
20:36 < SatanClaus> ok, what i want to do is to set up a vpn or proxy for my girlfriend who's currently in Helsinki and needs to watch a german tv show via internet for her work (sounds strange but that's how it is). the show is provided on the tv station's website with some kind of flash that doesn't work on my computer and I didn't succeed saving an episode for her... somehow the only thing i have is a vserver, where I'm root but can't load kernel modules or modify the kernel. so what would you do if I may ask
20:36 < krzie> SatanClaus try a socks proxy
20:36 < krzie> or a normal web proxy
20:36 < SatanClaus> squid?
20:36 < krzie> difference being socks allows encryption
20:37 < krzie> yup squid is a normal web proxy
20:43 < krzie> OR you can get a cheap VPS from nerios, i know they'll get you going with openvpn
20:43 < krzie> if you wanna use openvpn as your solution
20:44 < SatanClaus> yupp, i'm currently reading up on socks vs. proxy ;)
20:44 < krzie> difference = encryption
20:44 < krzie> socks5 basically uses ssh's encryption
20:45 < krzie> whereas a normal proxy doesnt use encryption
20:45 < krzie> which seems unimportant for what you're talking about
20:45 < SatanClaus> it also sounds as if socks supports more than just http... and I'm afraid that the flash stuff loads the video payload via udp
20:45 < krzie> yup i socksify udp
20:45 < krzie> so good point
20:45 < krzie> i use dante for my socks daemon
20:46 < SatanClaus> thanks, will have a look then
20:46 < krzie> np
20:46 < SatanClaus> (if you can understand that I'm not too willing to invest into a second vps)
20:50 < JediMaster> SatanClaus: most of the flash video is just over standard http
20:50 < JediMaster> there could always be an exception though
20:54 < JediMaster> krzie: thanks for the help, must go now, it's 3am and work in the morning =(
20:54 < krzie> yw
20:54 < SatanClaus> awww, why can't openvpn run in userspace :-/
20:55 < krzie> dude
20:55 < krzie> its been explained
20:56 < krzie> it runs in userspace, but requires tuntap because you use it to TUNNEL
20:56 < krzie> besides, a socks is easier to setup
20:57 < SatanClaus> yupp, but in my usecase it would work perfectly without the /dev/tun|tap
20:57 < SatanClaus> :p
20:57 < krzie> no
20:57 < krzie> it would be 100% useless
20:57 < SatanClaus> why not, just because of iptables?
20:57 < krzie> IT WOULDNT DO ANYTHING
20:57 < krzie> lol
20:58 < krzie> the WHOLE point of openvpn is to tunnel
20:58 < krzie> thats what openvpn does
20:58 < krzie> it uses tun to tunnel ip traffic, or tap to tunnel ethernet traffic
20:58 < krzie> but no matter what, take out the fact that it tunnels and it becomes NOTHING
20:58 < SatanClaus> yupp, so on the one side it wraps it up, on the other it unwraps, right?
20:59 < krzie> umm
20:59 < krzie> on both sides it tunnels
20:59 < SatanClaus> and fakes a network interface which is then in the desired network
20:59 < krzie> the server client thing is just for who hands out the settings
21:01 < krzie> regardless, if you cant load anything into the kernel, or get the person who can to do it, then you wont be using openvpn
21:02 -!- JediMaster [n=JediMast@84.9.122.189] has quit ["fnarble"]
21:03 < SatanClaus> yupp, that's what I got from your first message :-/
21:07 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has quit []
21:10 < SatanClaus> my question was just why it needs to be a kernel module... and what i now got for me is that it is because it provides a lot of flexibility if you have /dev/tun on both sides connected with each other, as you can then use other tools, e.g. iptables, route, etc. on both sides to configure what to be done with packets... just as if another mysterious nic was plugged into your computer and provides a "hey, i can beam your packets from here to there" ;)
21:10 < krzie> no
21:10 < krzie> not how it works
21:10 < SatanClaus> so just say yes and you're done ;)
21:10 < krzie> but feel free to code it and prove me wrong if you think you can do it
21:12 < SatanClaus> ok, what's wrong about what I just said?
21:13 < krzie> until you code it and prove me wrong, thats not how it works
21:13 < krzie> stop wasting your time arguing about it and go set up what you need
21:13 < SatanClaus> I'm doing that ;)
21:13 < SatanClaus> right now
21:14 < krzie> werd
21:14 < SatanClaus> but nevertheless i want to understand what i didn't understand regarding openvpn
21:14 < SatanClaus> as i'm using that each day when connecting to the university network
21:14 < krzie> the fact that tunneling doesnt happen in iptables
21:14 < SatanClaus> when did i say that?
21:15 < krzie> each other, as you can then use other tools, e.g. iptables,
21:15 < krzie> route, etc. on both sides to configure what to be done with
21:15 < krzie> packets... just as if another mysterious nic was plugged into
21:15 < SatanClaus> and?
21:15 < krzie> openvpn uses tun because it TUNNELS
21:15 < krzie> you wont reproduce that with iptables + route
21:16 < SatanClaus> that's not what I said...
21:16 < krzie> *shrug* im leaving
21:16 < krzie> adios
21:16 < SatanClaus> but you can then "after beamin"...
21:16 < SatanClaus> bye
21:16 < SatanClaus> and sorry and thanks again
21:17 < krzie> damn i forgot to do 1 thing before i detached
21:17 < SatanClaus> the topic?
21:17 < krzie> ya
21:19 -!- mode/##openvpn [+o krzie] by ChanServ
21:20 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
21:20 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
21:20 -!- mode/##openvpn [-o krzie] by krzie
21:20 < krzie> *detached*
21:48 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
22:10 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: stephenh, jameswhite, sigius
22:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: mjt, eliasp, vlt, Flumdahl, CybDev, kraut, simplechat, Typone
22:57 -!- Netsplit over, joins: vlt, Flumdahl, mjt, eliasp, kraut, CybDev, simplechat, Typone, sigius, stephenh (+1 more)
23:07 < SatanClaus> ssh user@server.com -D 1080
23:07 < SatanClaus> ouch
23:07 < SatanClaus> could've been so easy ;)
23:07 < SatanClaus> good night
23:08 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has quit ["bye"]
23:15 -!- datruth [i=scott@gotpot.org] has joined ##openvpn
23:17 < datruth> I'm on ubuntu 8.10, i can connect to my open vpn but i can't seem to use the vpn for web traffic?
23:31 -!- backtracker [n=backtrac@200.106.102.187] has joined ##openvpn
23:31 < backtracker> hi
23:31 < backtracker> I have my .conf, .crt, .key and ca.crt
23:31 < backtracker> Now what should I do to connect to the VPN?
23:32 < backtracker> openvpn some_parameters
23:32 < backtracker> first time with this
23:46 < reiffert> !howto
23:46 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:49 < SlashLife> "Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server." - is this necessary if I am bridging it with the LAN anyway?
23:50 < reiffert> If in doubt, try it out.
23:51 < SlashLife> That'll be hard without a second client for the beginning. :|
23:51 < SlashLife> And since I tend to forget about such options, I'd prefer to configure it now instead of "on demand"
23:52 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection]
--- Day changed Thu Apr 02 2009
00:08 -!- backtracker [n=backtrac@200.106.102.187] has quit ["leaving"]
00:23 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
01:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:12 -!- ghfu [n=unknown@gateway.geodesic.com] has joined ##openvpn
01:13 < ghfu> hi, any disadvantages in using tcp as the proto for site-to-site vpn instead of udp?
01:16 < reiffert> !factoids search tcp
01:16 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
01:16 < ghfu> thanks
01:21 < ghfu> thats an excellent explanation!
01:26 < ghfu> !factoids search udp
01:26 < vpnHelper> ghfu: No keys matched that query.
01:26 < ghfu> :0
01:27 -!- ghfu [n=unknown@gateway.geodesic.com] has left ##openvpn ["Leaving"]
01:27 < reiffert> !factoids search forward
01:27 < vpnHelper> reiffert: 'winipforward' and 'linipforward'
01:28 < reiffert> !winipforward
01:28 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
02:25 -!- nemysis [n=nemysis@209-90.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
02:30 < kraut> moin
03:11 -!- ekenix [n=eken@58.35.164.249] has joined ##openvpn
03:18 -!- ekenix [n=eken@58.35.164.249] has left ##openvpn []
03:44 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:46 < datruth> I'm on ubuntu 8.10, i can connect to my open vpn but i can't seem to use the vpn for web traffic?
04:11 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has quit [Connection timed out]
04:19 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has joined ##openvpn
04:20 < SlashLife> !/30
04:20 < vpnHelper> SlashLife: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
04:20 < SlashLife> !topology
04:20 < vpnHelper> SlashLife: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:22 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn
04:24 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit [No route to host]
05:02 < reiffert> moin kraut
05:12 < reiffert> SlashLife: without any details it sounds like you are using a web proxy.
05:12 < reiffert> afk
05:12 < SlashLife> reiffert: I take it you are the channel troll here?
05:14 < kraut> hi reiffert
05:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:03 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn
06:06 < mazzachre> Hi... I have a problem.. I am setting up a bridged vpn to our server park... The servers have net addresses on 172.16.0.0/16 and I have set aside 172.16.250.0/24 for the bridged clients... When I connect the vpn my client gets 172.16.250.1 so that works... The server's internal address is 172.16.0.1 (on eth1), however I can't reach the internal net from the client...
06:07 < mazzachre> I have a push route to 172.16.0.0/16 from the server, and route on the client says: "172.16.0.0 172.16.0.1 255.255.0.0 UG 0 0 0 tap0 172.16.0.0 * 255.255.0.0 U 0 0 0 tap0"
06:07 -!- onats1 [n=15172@221.121.120.254] has left ##openvpn []
06:08 < mazzachre> I am allowing forwarding and have set up the rules found in the howto...
06:08 < mazzachre> Can someone help me?
06:10 < mazzachre> I have network access from the server... I can ssh into its external address (on eth0) and I have full access to the lan on eth1 as well.
06:10 < mazzachre> please?
06:12 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
06:12 < mazzachre> If I try to ping 172.16.250.1 from the openvpn server, I get destination host unreachable
06:13 < mazzachre> What am I doing wrong here?
06:15 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has joined ##openvpn
06:15 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has left ##openvpn ["I'm leaving"]
06:15 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has joined ##openvpn
06:16 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has left ##openvpn ["I'm leaving"]
06:49 -!- gebi_ is now known as gebi
07:02 < ecrist> morning, fuckers
07:09 < mazzachre> morning!
07:19 < ecrist> mazzachre: why are you using bridged?
07:32 < mazzachre> well.. possibly because of excess fail... I will try to set it up differently now... but I lost connection...
07:32 < mazzachre> I set it up that way because I am not good with networks and routing has failed me before...
07:32 < ecrist> ok. probably 90% of vpns can be set up with tun. very few people need to use tap vpns.
07:39 < dazo> mazzachre: if you need a quick and not too advanced guide to basic network routing, have a look here: http://www.scribd.com/doc/10245818/Networking-Tutorial-TCPIP-Over-Ethernet
07:39 < vpnHelper> Title: Networking Tutorial - TCPIP Over Ethernet - Internet & Technology, Research, and networking tcp ip ethernet router mac address cidr (at www.scribd.com)
07:42 < mazzachre> dazo: Thx... I know that from back in uni... learned basic networking there... the osi stack and tcp and low level... I am not very proficient though... Especially when it comes to routing...
07:42 < dazo> mazzachre: you don't have to think much about OSI stack ... and that intro does not even mention it ... well it mentions it saying it won't mention it again
07:43 < mazzachre> ya :)
07:43 < dazo> mazzachre: and that guide, if you read it ... it should be able to get you up to some basic understanding .... and routing is a lot easier than bridging
07:44 < dazo> OSI layers are for geeks who already understand everything about networking and want to be super-geeks :-P
07:44 < mazzachre> Well.. my immediate problem right now is that I have fucked up the connection to the server... so I am beyond repair at the moment...
07:44 < dazo> ouch
07:48 < mazzachre> And the admin is on holiday... and I leave on holiday saturday...
07:48 * mazzachre should know better than to fiddle with these things up to a holiday...
07:48 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !confi+1gs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology 07:48 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology 07:48 < dazo> whoops ... wrong window 07:49 < mazzachre> !route 07:49 < vpnHelper> mazzachre: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:54 -!- boojit [n=boojit@gw.carter.to] has quit [Read error: 60 (Operation timed out)] 07:58 < mazzachre> Ahh.. got connection back... phew... 07:59 -!- ozirus [n=Furkan@88.242.78.196] has joined ##openvpn 08:00 < mazzachre> reboot worked... 08:02 < datruth> I really need help with bridging my openvpn with my wireless can anyone help me with this? 08:07 < datruth> Can someone please help me with this? 08:11 -!- datruth [i=scott@gotpot.org] has quit ["leaving"] 08:18 < ecrist> dazo: !route 08:19 < dazo> ecrist: yeah, I know that one ... but when people do not understand the contents here ... I send them further to the other link, so that they get the basic knowledge ... 08:27 < mazzachre> Hmm... Now it seems to find its way into the firewall again... 08:29 < mazzachre> Can someone help me with firewalling here? ecrist and dazo? (Now that I have set up routing... I can connect and that seems to work. When I ping something on the LAN of the VPN it is put in the tun device...) 08:30 < dazo> mazzachre: Linux + iptables? 
08:31 < mazzachre> http://www.pastebin.ca/1379956 yep 08:31 < mazzachre> dazo: Yep, linux +iptables 08:31 * dazo looks 08:31 < mazzachre> That is how it looks right now (Not really my firewall) 08:32 -!- mooseman447 [n=mooseman@pool2-iu-conf.nat.cliu.org] has joined ##openvpn 08:32 < mooseman447> hey 08:32 < mooseman447> if i want to route all ip traffic on a client through the vpn all i need to do is add redirect-gateway def1 in the client's config right? 08:32 < dazo> mazzachre: seems to be reasonable starting point 08:33 < mazzachre> dazo: I would think so... it is our sysadm that has set it up... he is quite knowledgeable... he is however also on vacation :/ 08:33 < dazo> mazzachre: is you VPN server the default gateway for you clients on LAN? 08:33 < dazo> is your* 08:35 < mooseman447> i ask because i added that line and reconnected to the openvpn server and i cant load or ping anything on the client 08:35 < mazzachre> dazo: Uhm... unknown? I want a "road warrior" setup :) So I can connect my workstation from anywhere (mostly at home or the office) to the network where the vpn server is setup... The vpn server is one of the servers on the server hosting site... 08:36 < dazo> mazzachre: oki ... is the default gateway on your LAN clients this OpenVPN server? (twisting the question around) 08:37 < mazzachre> uhm... not understood... 08:37 < mazzachre> No... it is not supposed to be default gw... 08:38 < dazo> mazzachre: that might be why you have problems 08:38 < dazo> mazzachre: on your default gateway you then need to add a route for your VPN network through your OpenVPN server 08:39 < mazzachre> :( I don't have access to do anything on the default gateway the LAN here... 08:40 < mazzachre> (I am developer, not corporate sysadm...) our sysadm doesn't even have that access... Only on the production server setup :( 08:40 < mazzachre> I am pushing our routes to the network for the clients... 
08:41 < mazzachre> 172.16.0.0 192.168.90.5 255.255.0.0 UG 0 0 0 tun0 08:42 < dazo> mazzachre: which clients ... LAN clients? 08:45 < mazzachre> Uhm.... the setup is supposed to be like this: "Servers have ips 172.16.0.0/16, with openvpn server having internal address 172.16.0.1 and an external ip address, other servers exist on the 172.16 net... clients (like my workstation) are sitting around the world, vpn connecting to the openvpn server to ssh (and other connections) to the servers on the 172.16 network... 08:47 < mazzachre> My workstation has that route setup, 172.16.0.0 through 192.168.90.5 which is its tun0 device (in the openvpn-status.log I have "192.168.90.6,mra.client.vpn.wifact.com,194.152.38.14:2863,Thu Apr 2 15:44:39 2009") 08:47 < mazzachre> and in tun0 in ifconfig it says inet addr:192.168.90.6 P-t-P:192.168.90.5 Mask:255.255.255.255 08:48 < mazzachre> tcpdumping packages on tun0 lists the packages when I try to ping something (172.16.1.1 which exists) but no return packages... 08:50 < mazzachre> Apr 2 15:50:01 openvpn ovpn-server[2933]: mra.client.vpn.wifact.com/194.152.38.14:2272 Authenticate/Decrypt packet error: cipher final failed 08:50 < mazzachre> what is this? 08:51 -!- mooseman447 [n=mooseman@pool2-iu-conf.nat.cliu.org] has quit ["Leaving"] 08:54 < mazzachre> Ah... found out... 08:56 < mazzachre> dazo? 08:57 -!- ozirus [n=Furkan@88.242.78.196] has left ##openvpn ["Kopete 0.12.7 : http://kopete.kde.org"] 09:09 < mazzachre> dazo: Are you here? 09:10 < dazo> mazzachre: sorry, yeah ... I'm at work and it needed my attention .... will be back again soon 09:14 < mazzachre> ok ;) 09:28 -!- Guest35431 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn 09:39 -!- ozirus [n=Furkan@88.242.78.196] has joined ##openvpn 09:43 < ozirus> while trying to create client-to-net vpn connection with http://dpaste.com/22612/ configurations i can't connect clients to server. i always get http://dpaste.com/22613/ error from client-side. 
any idea? 09:44 -!- Rochdi [n=abid@196.203.51.17] has joined ##openvpn 09:45 < Rochdi> hello 09:45 < Rochdi> I'm use'in OpenVPN on a pfSense Gateway 09:46 < Rochdi> I'm using OpenVPN on a pfSense Gateway 09:46 < Rochdi> I can connect to pfSense, but I can't reach lan network 09:46 < Rochdi> can you help me ? 09:47 < Rochdi> can you help me ? 09:48 < Rochdi> I used this : http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN 09:48 < vpnHelper> Title: VPN Capability OpenVPN - PFSenseDocs (at doc.pfsense.org) 09:48 < Rochdi> vpnHelper: I used it 09:48 < vpnHelper> Rochdi: Error: "I" is not a valid command. 09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:49 < Rochdi> vpnHelper: sorry, i can't understand you 09:49 < vpnHelper> Rochdi: Error: "sorry," is not a valid command. 09:49 < ecrist> Rochdi: what problems are you having? 09:50 < Rochdi> I'm using OpenVPN on a pfSense Gateway 09:50 < Rochdi> I used this : http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN 09:50 < vpnHelper> Title: VPN Capability OpenVPN - PFSenseDocs (at doc.pfsense.org) 09:50 < Rochdi> I can connect to pfSense, but I can't reach lan network 09:50 < ecrist> I hate to say it, but you need to talk to the pfsense folks on that 09:51 < Rochdi> ecrist: can you help me please 09:51 < ecrist> they do funky things with configs and system layout 09:51 < mazzachre> When connecting my client to the server, should I not be able to ping the clients new ip address? (It has gotten 192.168.90.5/6 ptp) and should the client not be able to ping some addresses also on that network? 09:53 < ecrist> mazzachre: your VPN client should be able to ping the server VPN address, probably 192.168.90.1 09:53 < ozirus> anybody knows a simple guide about how to setup openvpn with auth-user-pass-verify authentication only (not included certs)? with a script and simple configuration files... 09:54 < mazzachre> ecrist: it is not... firewall? 09:54 < ecrist> ozirus: google should be able to help you with that. 
there are some basic scripts included with openvpn. if you want encryption, you should still be using certificates, though. 09:55 < ecrist> mazzachre: from the client, can you ping the VPN server address? 09:56 < mazzachre> ecrist: the external address or the 192.168.90.1 address? 09:56 < ecrist> the VPN address 09:57 < ecrist> if I'm going to help you, at least read what I write. 09:57 < mazzachre> ecrist: I just didn't understand... No, I can't ping the VPN address 09:58 < ecrist> then you have a firewall issue 10:05 < mazzachre> apparently I have more than a simple firewall issue... I have no idea how that stinking firewall system (ipmasq) works... Or why it is installed :( It seems to block everything and anything... Or something else is wrong :( 10:12 < mazzachre> ecrist: When I ping from the client to the server VPN address, I don't get any return, on the vpn server, there is no output from tcpdump -i tun0 10:13 < ecrist> mazzachre: disable your firewall 10:17 < mazzachre> ecrist: no difference... 10:18 < mazzachre> When I kill all iptables rules and set policy to ACCEPT for channels, I still cannot ping the server VPN address from a connected client... 
10:19 < ecrist> mazzachre: post your logs and configs, please 10:20 < mazzachre> ecrist: http://www.pastebin.ca/1380034 server config 10:21 < ecrist> !configs 10:21 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:21 < ecrist> comments are a pain to read around 10:21 < ecrist> see the grep 10:24 < mazzachre> http://www.pastebin.ca/1380036 10:24 < mazzachre> sry 10:24 < ecrist> *much* better :) 10:25 < mazzachre> Server side: OpenVPN 2.0.9 x86_64-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 22 2007 10:26 < mazzachre> Client side: OpenVPN 2.0.7 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 24 2008 10:27 -!- kezhi [i=moneybag@in-t-er.n-e-t.name] has joined ##openvpn 10:27 < ecrist> !logs 10:27 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 10:27 < mazzachre> ecrist: which log files would that be? 10:28 < mazzachre> o.O 10:28 < mazzachre> They are HUGE! 10:28 < ecrist> mazzachre: all we need is a new 'connection' 10:28 < ecrist> up until traffic starts flowing 10:29 < mazzachre> http://www.pastebin.ca/1380047 10:29 < mazzachre> Server side... 10:29 < mazzachre> Have grepped on openvpn... 10:30 < ecrist> in your logs, note line 13 - you've got multiple clients using the same certificate 10:31 < ecrist> occurs again on line 41 10:32 < mazzachre> Hmm.... how can that happen? The certificate is only on this workstation, no others are using the vpn yet (until I have gotten it to work) 10:32 < ecrist> line 50 indicates a firewall blockage 10:32 < ecrist> don't know, mazzachre, not my network. 10:32 < mazzachre> From client http://www.pastebin.ca/1380051 10:33 < ecrist> I would say, start with figuring out your competing clients, and make sure your firewall is really open. 10:33 < ecrist> on both ends. 
10:33 -!- kezhi is now known as prozacwizard 10:34 < mazzachre> How to figure out the competing clients? I only have one machine and this is the only place I have the certificates... 10:34 < SlashLife> Mhh ... I'm a bit puzzled by the server-bridge configuration entry ... The IP range at the end - how does it affect me if I want to assign IPs to VPN users through the DHCP? Is that even possible? 10:34 < ecrist> SlashLife: the end range is so you can assign ips through openvpn within the same range as the local lan. 10:35 < ecrist> omit those if you want a local DHCP server to handle assignments 10:35 < SlashLife> Ah, ok. The comment for did didn't say anything about omitting it, thanks. 10:36 < SlashLife> *for it 10:37 < ecrist> mazzachre: your client server certificates don't match 10:37 < ecrist> rebuild your certificates 10:37 < ecrist> you're using two different cipher lengths 10:37 < ecrist> see here for more information: http://forum.openwrt.org/viewtopic.php?id=474 10:37 < vpnHelper> Title: OpenWrt / OpenVPN (at forum.openwrt.org) 10:38 < mazzachre> DOOOOOOH!!!!! 10:38 < mazzachre> Ya... I just found that out.. 10:39 < mazzachre> Now I have set the certificate and key length correct and everything works... 10:39 < SlashLife> Hey mazzachre btw. :) 10:39 < mazzachre> thx ecrist 10:39 < mazzachre> hi 10:39 < mazzachre> lol 10:42 < SlashLife> The other question I had earlier today (unfortunately with just one client atm, I am not able to test it): Uncomment this directive (client-to-client) to allow different clients to be able to "see" each other. -- does this even affect me when bridging? 10:42 < ecrist> SlashLife: I haven't tried, but probably. 10:45 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection] 10:47 -!- fixxxermet [n=kjohnson@69.85.26.2] has joined ##openvpn 10:48 < fixxxermet> For a setup where both lans (client and server) can fully access each other, does it matter if I use a tun or a tap setup? 
10:48 < ecrist> fixxxermet: use tun 10:48 < ecrist> !route 10:48 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:48 < ecrist> read that page, your setup is covered 10:50 < SlashLife> Mhh ... thanks for your input. Unfortunately: Options error: Unrecognized option or missing parameter(s) in openvpn/openvpn.conf:95: server-bridge (2.0.6) - seems it wants the range after all. 10:50 < ecrist> SlashLife: read the man page, it's all discussed there. 10:52 < SlashLife> Oops. There's a man page. *finds a stone and hides* 10:53 < SlashLife> I'll do that. Thanks and sorry. :/ 10:53 < ecrist> !man 10:53 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 10:55 -!- Rochdi [n=abid@196.203.51.17] has quit [Remote closed the connection] 10:55 < SlashLife> I have the howto open, the ethernet bridging manual, the FAQ and the whole FreeBSD section on Bridging, DHCP etc and last but not least the annotated sample config ... but I honestly forgot to check whether there was a man page. :( 10:56 < ecrist> SlashLife: why are you using bridging? 10:56 < ecrist> oh, have you read this 10:56 < ecrist> !freebsd 10:56 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 10:56 < ecrist> it's a tun setup, but much will apply to you. 10:58 < SlashLife> Oh, no, I didn't. Thanks. 10:59 < SlashLife> I have tap and the bridge up and running already, so that shouldn't matter. :) It's just lots of new information for me. 11:00 < SlashLife> Regarding bridging: If everything works out as planned, I'd have three equivalent methods of connecting to my home network: Directly to the wired LAN, VPN over WLAN (got a few scriptkiddies around here) or VPN through WAN. 
11:00 < SlashLife> Regardless which way I choose, I'd like to have the same IP in every case. 11:07 -!- Rochdi [n=abid@196.203.51.17] has joined ##openvpn 11:10 -!- Rochdi1 [n=abid@196.203.51.17] has joined ##openvpn 11:12 -!- ozirus [n=Furkan@88.242.78.196] has quit [Remote closed the connection] 11:13 -!- Rochdi1 [n=abid@196.203.51.17] has quit [Remote closed the connection] 11:14 -!- Rochdi1 [n=abid@196.203.51.17] has joined ##openvpn 11:14 -!- Rochdi1 [n=abid@196.203.51.17] has quit [Remote closed the connection] 11:28 -!- Rochdi [n=abid@196.203.51.17] has quit [Read error: 110 (Connection timed out)] 11:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out] 11:30 -!- prozacwizard [i=moneybag@in-t-er.n-e-t.name] has quit [Remote closed the connection] 11:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:33 -!- ikla [n=lbz@fw1.aspsys.com] has quit [Remote closed the connection] 11:45 -!- DeRoSvOs [n=jacob@bas8-ottawa23-1177761899.dsl.bell.ca] has joined ##openvpn 11:45 < DeRoSvOs> !howto 11:45 < vpnHelper> DeRoSvOs: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:29 -!- Guest35431 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn [] 12:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:50 -!- DeRoSvOs [n=jacob@bas8-ottawa23-1177761899.dsl.bell.ca] has left ##openvpn [] 13:22 -!- achilles [n=achilles@62.90.14.185] has quit ["Leaving"] 13:45 -!- l4p32 [n=sepe@ti300720a080-0064.bb.online.no] has joined ##openvpn 13:47 < l4p32> I connect to my openvpn server all the time from outside my home-network. But when I'm in the same network I'm able to connect and obtain an ip but I'm disconnected after a while and when I'm connected I'm not able to ping any of the server ips. I only changed the external ip in the config file to the local, but it doesn't seem to work. Anyone have a clue why it won't work? 13:50 < l4p32> anyone? 
13:55 < l4p32> I want to connect to openvpn with a local client.. 13:59 -!- l4p32 [n=sepe@ti300720a080-0064.bb.online.no] has quit ["leaving"] 14:04 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 113 (No route to host)] 14:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:28 -!- pgrace [n=pgrace@2001:470:8a93:2:20c:29ff:fee9:9689] has joined ##openvpn 15:28 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 15:30 < pgrace> I have a really odd situation. I'm using openvpn between a linux server and a windows client. The vpn is up and running, I can ping, everything's great. Until I do something like a ps aux or bring up irc in screen, in which case the terminal screen begins to draw and then.. stops. 15:30 < pgrace> this is with ipv6, by the way. 15:30 < pgrace> Has anyone heard of this before? Is it an mtu issue or something? 15:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:54 -!- fixxxermet [n=kjohnson@69.85.26.2] has left ##openvpn [] 16:11 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 16:11 < ThoMe> hiho 16:12 < ThoMe> have a openvpn client on my snom phone. when the server can't connect with my openvpn server I would like reconnect in X seconds 16:12 < ThoMe> how can i set it? 16:12 < ThoMe> client side or server? 16:12 < ThoMe> client: http://paste.keks.be/441/txt 16:12 < ThoMe> can anybody help me? 16:12 < ThoMe> thank you! 
16:13 < ThoMe> my last log-line in my server: Thu Apr 2 23:07:04 2009 SNOM_370_HERR_WINDELS/77.47.52.27:64260 SIGTERM[soft,delayed-exit] received, client-instance exiting 16:13 < ThoMe> and now, dont reconnect :-( 16:16 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 110 (Connection timed out)] 16:16 < krzie> !man 16:16 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:16 < krzie> theres all sorts of reconnect otions 16:16 < krzie> options 16:17 < krzie> but it should try automatically, show me this: 16:17 < ThoMe> krzie: hello. i have read this. but i can't find this. 16:17 < krzie> !configs 16:17 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:17 < ThoMe> krzie: my config http://paste.keks.be/441/tx 16:17 -!- gebi_ [n=gebi@84.119.81.184] has joined ##openvpn 16:17 < ThoMe> krzie: my config http://paste.keks.be/441/txt 16:18 < krzie> and server... 16:19 < ThoMe> krzie: http://paste.keks.be/442 16:20 < krzie> !logs 16:20 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:22 < ThoMe> krzie: have only logs from server http://paste.keks.be/443 16:22 < krzie> i want the whole log from start to finish at verb 6 16:22 < ThoMe> krzie: grr. moment 16:28 -!- gebi [n=gebi@84.119.81.115] has quit [Read error: 113 (No route to host)] 16:36 < ecrist> howdy 16:37 < krzie> yeeeehaw 16:37 < krzie> ;] 16:43 < sunga> does anyone here tunnel tightvnc over a vpn? I cant find the option or way to change the listening port to the ip address my virtual adaptor is using 16:44 < krzie> dunno anything about tightvnc 16:44 < krzie> any openvpn questions? 
16:45 < sunga> well how can you verify you got a working, secure connection over the vnc port? 16:45 < sunga> I tunneled sabnzbd over port 80 to 8081 on the server machine 16:45 < sunga> I want to verify traffic to it is going over port 80 and secured 16:45 < sunga> wireshark? 16:48 < krzie> using redirect-gateway or without? 16:48 < krzie> openvpn runs on the same machine that runs the vnc? 16:49 < sunga> yes 16:49 < krzie> connect to the vpn ip 16:49 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 16:50 < krzie> vpn ip:port for the vnc connection 16:50 < krzie> know what i mean> 16:50 < krzie> ? 16:51 < sunga> yes but that doesnt work because tightvnc isn't listening on the vpn ip and I cant force it 16:51 < krzie> start it after the vpn is established 16:52 < krzie> unless it has a place to enter what ip it listens on, it should be binding to * 16:52 < krzie> easy to check with netstat 16:55 < sunga> im on vnc right now will be hard to restart tightvnc I guess 16:55 < sunga> if i close it I lose connection, duh 16:56 < krzie> *shrug* check netstat 16:56 < krzie> if it needs to be started after vpn is up, thats easy enough 16:56 < krzie> just script up something to start it and use it in a hook in openvpn 16:57 < krzie> so connection to vpn is made, then the script starts up the vnc app 16:58 < sunga> ye too bad I cant script =) 16:59 < krzie> should be completely simple 16:59 < krzie> just a matter of opening it in dos 16:59 < krzie> once you have that command, you put the command in a text file with extension .bat 16:59 < krzie> then its an executable batch script 17:00 < krzie> then you figure out how to kill it, and put that command in a .bat for disconnect (if thats even needed) 17:00 < krzie> the way to test that: 17:00 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 17:00 < krzie> try to connect now, if that doesnt work, open vnc app after vpn is established, if that works you know it needs to be opened 
after 17:01 < krzie> then disconnect vpn, reconnect it and try to connect to vnc 17:01 < krzie> if it can still be contacted over the vpn, you dont need to worry bout shutting it down 17:01 < krzie> OR 17:01 < krzie> i know windows remote desktop just works 17:02 < krzie> cause ive implemented it for someone before 17:02 < krzie> and since it should ONLY be accessible over the vpn, security of the app is less important 17:03 < krzie> you follow? 17:03 < sunga> yes 17:03 < sunga> prefer vnc though more options and feels faster 17:05 < krzie> cool, since it has more options, what ip it listens on should be one 17:05 < krzie> since remote desktop has that 17:06 < krzie> either way, i can only help you with openvpn 17:06 < krzie> and... 17:06 < krzie> !notovpn 17:06 < vpnHelper> krzie: Error: "notovpn" is not a valid command. 17:06 < krzie> !factoids search not 17:06 < vpnHelper> krzie: 'notopenvpn' and 'notcompat' 17:06 < krzie> !notopenvpn 17:06 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 17:07 < krzie> i guess theres another way to handle it tho, one that works via openvpn 17:07 < krzie> if you move the vpn to another machine on the same lan 17:07 < krzie> then you use 17:07 < krzie> !route 17:07 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:07 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 17:07 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit] 17:07 < krzie> you can connect to the machine over the vpn by LAN ip 17:07 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 17:08 < krzie> that will guarantee the traffic passes over the vpn, without needing to change the vnc's settings 
17:08 < krzie> =] 17:08 < krzie> wassup ropetin 17:23 -!- icmp [n=icmp@unaffiliated/icmp] has joined ##openvpn 17:23 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 17:24 < icmp> Hi, I have a question. I'm doing a static PSK setup on my vpn. I was wondering what is the purpose of the "ifconfig" statement on the server and clients sides? I've seen examples that say to use 2 un-used address on the server side and simply reverse them on the client. But this doesn't seem to make sense. 17:24 < icmp> Can someone clarify the use of ifconfig for me in a TUN environment? 17:24 < krzie> well 17:24 < krzie> you only want 2 machines connected to each other? 17:24 < krzie> or a hub/spoke setup 17:24 < icmp> No, more than two. 17:24 < krzie> ok so you dont want to use ifconfig at all 17:24 < krzie> you want the server statement 17:25 < icmp> Hub/spoke. But not remote-access. Simply all connected users hitting the central server. 17:25 < krzie> like this: 17:25 < krzie> !sample 17:25 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 17:25 < icmp> If I use server though I cannot use a static key. 17:25 < icmp> It says I have to go PKI. 17:25 < krzie> you dont want a static key, you want certs 17:25 < icmp> I know the difference, and I know what I want. 17:25 < krzie> you use bsd or linux? 17:25 < icmp> I want a simply PSK. Is that possible? 17:25 < icmp> Linux. 17:25 < icmp> s/simply/simple/ 17:25 < krzie> a static key is much less secure than certs 17:25 < icmp> I realize that. 17:25 < krzie> !ssl-admin 17:25 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 17:25 < icmp> No, no. 17:25 < icmp> Is it possible? 17:25 < krzie> makes it extremely simple to manage your certs 17:26 < icmp> I suppose I'll go PKI, thank you. 
17:26 < icmp> Btw, ircpimps 4 life. 17:26 < krzie> i believe it is if you make your own auth system using a script 17:26 < icmp> Yeah I wrote a django interface for new users. 17:26 < krzie> heheh you know of us? =] 17:26 < icmp> < node, syrrus's frient 17:26 < icmp> friend 17:26 < krzie> ahhh right on bro 17:27 < krzie> if you REALLY want only static keys, you also wanna auth with passwords 17:27 < krzie> that way you can use the username as your common-name 17:27 < krzie> !nopass 17:27 < vpnHelper> krzie: Error: "nopass" is not a valid command. 17:27 < krzie> err 17:27 < krzie> !nocert 17:27 < vpnHelper> krzie: "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required, or (#2) to know more, read about those config options in the manual (!man) 17:27 < krzie> then you can also use a static key 17:27 < krzie> note, i DO NOT recommend this method 17:28 < krzie> much better off to use the full security offered to you 17:28 < krzie> and with ssl-admin managing the certs and even a CRL is VERY simple 17:28 < krzie> like on the verge of fun :-p 17:29 < krzie> but if you choose to go that route, you may want the passwords saved in a file so no human interaction (also do NOT recommend it) 17:29 < krzie> !pwfile 17:29 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h 17:29 < krzie> i think thats everything you could wanna know on that subject =] 17:30 < krzie> but if you care about security like i know you do seeing as you're oldschool 0x41, take my advice and use certs 17:31 < krzie> also when you're done, feel free to show me your configs (type !configs to see how i want them) and ill tell you if anything can be improved for security 17:34 < sunga> its working now 17:34 < sunga> it is listening on all 
available ips 17:34 < sunga> had to restart openvnc and tightvnc 17:35 < sunga> gonna try tomorrow on a external location if I can login over vpn too 17:35 < sunga> lets hope it works 17:35 < sunga> im off to bed now nn thanks so much for the help 17:35 < krzie> np man 17:44 < krzie> icmp, wanna know bout anything else? 17:45 < icmp> No I got it working now. 17:46 < krzie> cool, you go the pki route or implemented l/p + --username-as-common-name 17:46 < icmp> I went with PKI. 17:46 < krzie> nice 17:47 < krzie> want me to take a glance and see if i can see anything to beef it up? 17:47 < krzie> ie: checking for MITM, dh seed, etc 17:47 < krzie> i dont mind, im bored, plus a friend of sy is a friend of mine 17:47 < icmp> I'm only pushing a route to the server itself (172.16.1.1). So there's no need to worry about that. And my diffie-hellman params are at 2048. All perms are nobody and it's running with a confined selinux policy. 17:48 < icmp> I think I'm good. 17:48 < krzie> using cert type server checking on clients? 17:48 < krzie> tls static key for HMAC sigs? 17:49 < icmp> From what I read in the docs, openvpn does bidirectional authentication by default. The client should be verifying the server and vice versa by default. 17:49 < krzie> is the route that you're pushing to the server a lan behind a client? 17:49 < krzie> somewhat 17:49 < icmp> And I'm not worried about HMAC sigs, since openvpn implements a type of PFS. 17:49 < krzie> but 2 certs signed by a CA can still auth even tho both are clients 17:49 < icmp> Meaning the seed is changing dynamically anyway. 
17:49 < krzie> !mitm 17:49 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 17:49 < krzie> hmac sigs: 17:49 < krzie> !hmac 17:49 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 17:49 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 17:49 < icmp> brb 17:49 < krzie> ok 17:56 < reiffert> SlashLife: regarding scriptkiddies around your place: be sure that they cant use your WLAN by ip over dns. 17:57 < krzie> <3 IPoDNS 17:57 < reiffert> SlashLife: I was mixing up your nick with that guy who was asking a question right before you. Thanks for the flowers. 17:58 < reiffert> Moin krzie 17:58 < krzie> moin! 17:58 < krzie> http://www.doeshosting.com/code/NStun.sh 17:59 < krzie> my script for starting iodine and correctly setting up and destroying routes for it 17:59 < krzie> iodine being a IPoDNS tool 18:00 < reiffert> I thought about setting this up for so many times ... 18:00 < reiffert> the day will come for sure .. 
18:00 < krzie> welp, you'll enjoy that script when the time comes 18:00 < krzie> its nice and lazy 18:01 < krzie> and tested in linux/bsd/osx 18:01 < reiffert> and the other way around, I'd like to prevent using IPoDNS at the public places I care about the WLAN 18:01 < reiffert> but let's think about a solution when it's time for that 18:02 < reiffert> when time has come ... 18:02 < krzie> well the solution is public 18:02 < reiffert> I definitely have to improve my english. Sigh. But how? 18:02 < krzie> and starbucks has implemented it 18:03 < reiffert> I have to improve my english, definitely. 18:03 < krzie> odd, ive never seen you have a problem communicating in english 18:04 < krzie> let me find the way to block it for you 18:05 < reiffert> My vague idea is limiting the DNS queries per minute to 10/m for the unauthenticated clients. 18:05 -!- dli_ [n=dli@adsl-75-22-21-245.dsl.chcgil.sbcglobal.net] has joined ##openvpn 18:06 < krzie> i'd think changing the mtu would be easier 18:06 < krzie> seeing as the oversized packets of a tunnel are overkill for legit dns 18:07 < krzie> also a nice way to allow recursive dns without being a ddos relay/amplifier 18:07 < reiffert> The WLAN concept as follows: unencrypted public access, dhcp. Client begins surfing and gets redirected to the authentication page. 18:08 < reiffert> after authentication the mac address makes it into the whitelist/firewall. 18:08 < krzie> right but you need a much larger MTU to actually tunnel over dns than you need for real dns 18:09 < krzie> the thing is with that, they allow dns and do the redirection after 18:09 < reiffert> Ah. 18:09 < krzie> you can still resolve stuff 18:09 < krzie> but its usually forced through their nameserver 18:09 < reiffert> Will have to remember that. 
18:09 < krzie> so their nameserver relays to your fake one after being told to by your real one for a subdomain you made and forwarded dns 18:09 < krzie> if they dont allow dns, they do allow icmp 18:10 < krzie> and theres an app to tunnel over icmp 18:10 < krzie> although ive never seen the one that allows icmp in real life 18:10 < krzie> i just know its been seen by others, which is why the tool exists 18:10 < reiffert> well, I always thought the IPoDNS works as: client asks local DNS (same machine that plays the dhcp server) for a name, e.g. foo.bar.com and the DNS hands the question to the authorized DNS from bar.com, now? 18:11 < krzie> ok 18:11 < krzie> then bar.com says for foo, ask this other NS 18:11 < reiffert> s,now,no, 18:11 < krzie> but the other NS isnt a real ns 18:11 < krzie> foo.bar.com is actually a fake NS setup for tunneling 18:11 < krzie> if using iodine, it auths, then sets up a tunnel 18:11 < reiffert> bar.com just answer with 127.0.0.2 or a very long name e.g. for the MX 18:12 < reiffert> and that very long name can be taken for data 18:12 < krzie> then my routing script makes the default route go over the tunnel that was just setup 18:12 < krzie> actually iirc it works on dns null requests 18:12 < krzie> which i think is how they block 18:13 < reiffert> like I said, on one day I have to look through all the possible solutions. 18:13 < reiffert> Hm, reading english books might improve my english ... 18:14 < krzie> ya i plan on reading some books in spanish for that same reason 18:14 < reiffert> any recent scifi on books? 18:14 < krzie> no idea, i dont really read anymore 18:14 < reiffert> common estas? 18:14 < krzie> too much computer work to be done 18:14 < krzie> estoy muy bien, gracias 18:15 < krzie> (como estas?) 
18:15 < reiffert> de nada, muchas gracias, bonna noche 18:16 < krzie> bonna is italian (bonna note), buenas noches = spansih =] 18:16 < reiffert> My girl has got some people in her workgroup that come from mexico, portugal, spain and italy. It's quite a fun talking to these peoples :) 18:16 < krzie> hehehe right on 18:17 < krzie> mexico and spain... they prolly need to talk a 3rd language to communicate 18:17 < krzie> err 2nd 18:17 < reiffert> Funny thing is I can understand them in whatever language they are talking to eachother, cause I've had some years of french in school, years ago 18:18 < reiffert> Personally I really like to speak in german to them, so can try to learn the language of that country they stay in :) 18:18 < krzie> agreed 18:19 < krzie> thats why i learn spanish, if im going to live here i need to speak the native language 18:19 < reiffert> Most of them do understand me, just like the same for me in italian/portuguese/spanish 18:19 < krzie> i felt that way about people who move to usa, and i feel that way about myself now that i live in a spanish speaking country 18:20 < reiffert> It's a matter of practising .. 18:21 < krzie> yup 18:22 < krzie> since i stopped finding american girls and switched to local girls my spanish has GREATLY improved 18:22 < krzie> took me a good 8 months to have good enough spanish to get locals 18:22 < reiffert> :) 18:22 < krzie> before that i was finding damn near every american girl on the island, lol 18:22 < reiffert> :) 18:22 < krzie> now i dont care about them, i like the local girls more 18:23 < krzie> let the locals have them while i go for their girls 18:23 < krzie> ;] 18:23 < reiffert> :) 18:26 -!- dli_ [n=dli@adsl-75-22-21-245.dsl.chcgil.sbcglobal.net] has left ##openvpn ["Leaving"] 18:31 -!- Sinky_ [n=stancho@78.90.99.168] has quit [Connection timed out] 19:04 < ecrist> Boats and Hos 19:05 < krzie> hos on boats! 
19:10 -!- pgrace [n=pgrace@2001:470:8a93:2:20c:29ff:fee9:9689] has quit [Read error: 113 (No route to host)]
19:12 < ecrist> If I knew C, and had nothing better to do, I'd fork OpenVPN
19:12 < krzie> what would the fork accomplish?
19:12 < ecrist> decent support, code clean-up
19:14 < krzie> only thing i can think of is tunneling over ipv6 and support for a 3rd location for 2 parties to bypass NAT
19:15 < ecrist> the biggest feature I'd add is configuration push, similar to 'commercial' vpn packages like cisco
19:15 < ecrist> and the ability to push new certificates/keys to clients
19:15 < krzie> ahh ya that would be cool
19:16 < ecrist> oh, and support for proper load balancing without connection dropping
19:16 < krzie> currently scriptable, but could be built in
19:16 < ecrist> i.e. two vpn servers, one can seamlessly take over for the other as problems occur
19:16 < ecrist> without dropping the vpn
19:16 < krzie> i believe thats the job of a routing protocol outside ovpn
19:17 < ecrist> krzie: negative. if you switch servers, your key gets out of sync, even if the servers currently use the same server certificate
19:17 < krzie> ahh right
19:17 < ecrist> pfsync is the idea I'm thinking of, synchronization of state tables.
19:18 < ecrist> basic idea.
19:19 < krzie> gotchya
19:24 < icmp> I have a question. Does openvpn actually match the CN in a client certificate against their ip address? Or can the CN be any value?
19:24 < ecrist> CN can be any value
19:24 < ecrist> CN identifies unique users
19:24 < icmp> I remember cisco being a little picky about it, that's all.
19:24 < ecrist> and is used for client-specific configs.
19:26 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
19:32 < krzie> for client specific settings:
19:33 < krzie> !ccd
19:33 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
19:33 < krzie> if you're looking to make a client stay on the same vpn ip, see this
19:33 < krzie> !iporder
19:33 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
19:49 -!- icmp [n=icmp@unaffiliated/icmp] has quit ["Leaving"]
20:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
20:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:26 -!- belZe [i=server3@p5091CA0B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:26 -!- belZe [i=server3@p5091CA11.dip.t-dialin.net] has joined ##openvpn
20:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
21:10 * ecrist considers taking 'C' classes at comm college
21:10 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
21:11 < ecrist> sup sh
21:11 < ecrist> sup zheng even.
21:12 < zheng> hi, all
21:12 < zheng> how can I forbid clients to change their virtual ip address?
21:13 < ecrist> zheng: how are they changing it?
21:14 < zheng> I mean, when I assign 10.8.0.2 to a client, then the tunnel is set up and works, but I don't want the client to change his IP to 10.8.0.3,
21:14 < ecrist> shoot them
21:14 < ecrist> they won't change it again
21:14 < zheng> how?
21:15 < zheng> I mean assign fixed IPs to clients.
21:15 < ecrist> no, actually shoot them.
21:15 < ecrist> it's how we do it in Taliban.
21:16 < zheng> where?
21:16 < zheng> where r u from?
21:16 < ecrist> zheng: they shouldn't be changing it. it's going to break their VPN. if it breaks, it won't work.
21:16 < ecrist> they'll figure it out and not do it again
21:26 < zheng> ecrist, I tested it, when I change the IP, the vpn tunnel goes on working
21:26 < zheng> sometimes it works, sometimes it doesn't.
21:27 < zheng> a minute, I'll re-test it now
21:27 < ecrist> zheng: why do you care?
21:28 < zheng> I want to group all clients into multiple groups,
21:28 < ecrist> have you read the howto?
21:28 < ecrist> !howto
21:28 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:28 < ecrist> this is covered
21:29 < ecrist> coupled with an --up-script, you can easily punch the correct holes in the firewall
21:32 < zheng> It's unrelated to the firewall
21:33 < ecrist> zheng: do you know what you're doing?
21:34 < zheng> ecrist, when I use username/password auth mode, I find the ccd/client-config-dir client-specific file is not in use
21:34 < zheng> and the ccd files were overridden.
21:34 < zheng> :(
21:34 < zheng> I'm reading the whole HOWTO
21:35 < ecrist> zheng: ccd is coupled with ssl certs. no ssl, no ccd
21:41 < zheng> what? say it
21:46 < ecrist> what? you say it
21:47 < zheng> ah? really? why?
21:48 < zheng> certs and user/pass are different auth modes.
21:48 < zheng> what are their other differences?
21:51 < zheng> I just tested it again, the clients can change their virtual ip and the tunnel will go on.
21:52 < ecrist> zheng: ccds are assigned based on CN of ssl certificate
21:55 < zheng> I know it. but I config the username-as-common-name. When I use ccd + user/pass, It can recognize the ccd/clients files, why It can treat the clients files as the clients when using SSL certs?
21:55 < zheng> I know it. but I config the username-as-common-name. When I use ccd + user/pass, It can recognize the ccd/clients files, why It can NOT treat the clients files as the clients when using SSL certs?
21:56 < ecrist> it does, when using ssl, not with user/pass
21:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:32 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
22:32 -!- RexMundi_ [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
22:49 -!- huslu_ is now known as huslu
23:23 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
23:39 -!- zheng_ [n=zheng@222.66.224.110] has joined ##openvpn
23:41 -!- zheng [n=zheng@222.66.224.110] has quit [Success]
--- Day changed Fri Apr 03 2009
00:04 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has joined ##openvpn
00:05 < ploo> whats the best GUI for linux?
00:05 < damentz> ploo, i don't know your tastes
00:05 < damentz> start off with gnome, kde, and xfce first
00:06 < ploo> gopenvpn ?
00:06 < ploo> vpn gui :p
00:06 < damentz> oh lol
00:06 < damentz> idk, never used one
00:07 < damentz> setting it up in text was really easy
00:07 < damentz> ploo, once you get it working correctly the first time
00:07 < damentz> the configuration begins to make sense
00:07 < ploo> thats not the problem just easy launch from X
00:07 < ploo> :p
00:34 < zheng_> ecrist, r u there?
00:35 < zheng_> ecrist, when a packet goes from a client to a client, how is it routed internally?
00:35 < zheng_> by TAP mac address?
00:56 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:59 -!- Sinky [n=stancho@78.90.99.168] has joined ##openvpn
02:08 < dan__t> hrm...
02:10 < dan__t> When using --client-config-dir, do I need to specify any kind of extension to said file(s)?
02:10 < dan__t> What kind of information CAN I put in a ccd file? Anything, really - it just takes precedence over the server?
02:12 < dan__t> hm, "same name as the client's X509 common name..."
02:12 < dan__t> I'm making up random common names. Big fat md5 strings.
02:14 -!- ]sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn
02:14 < ]sintax[> !howto
02:14 < vpnHelper> ]sintax[: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:14 < dan__t> the "x509 common name", is that what the client ends up sending TO openvpn?
02:14 < ]sintax[> !route
02:14 < vpnHelper> ]sintax[: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:15 < dan__t> in regards to --client-config-dir
02:40 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:55 < ]sintax[> how come i'm missing init-config on a fresh install?
02:59 < zheng_> when a packet goes from client a to client b, will the packet be decrypted in the server and then re-encrypted?
03:07 < kraut> moin [hi]
03:08 < dan__t> moin
03:08 * dan__t stabs.
03:09 < dan__t> So, using ccd is nice and all. But according to the man page: "of a just-authenticated client...". What if I want to specify TLS credentials, which are required by the user to authenticate, inside the cc file?
03:10 < dan__t> chicken before egg etc etc.
03:10 < dan__t> heh
03:11 < dan__t> "just authenticated client" implies that they were already tls verified
03:51 < Flumdahl> I am trying to set up bridge utils but every time i type "brctl addbr br0" i get the error message "add bridge failed: Package not installed" yet checking with apt-get tells me that bridge-utils is installed and is the latest version. i am running debian 4.0 etch with a custom kernel
03:52 < Flumdahl> its a kernel problem
04:09 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
04:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:42 -!- kippix [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has joined ##openvpn
04:43 < kippix> J osa
04:56 -!- BiNaRyCoDE [n=BiNaRyCo@host-72-174-87-108.gdj-co.client.bresnan.net] has joined ##openvpn
04:58 < BiNaRyCoDE> Hi! When I first installed openVpn, it installed everything i needed even the config files!!! I didn't have to configure anything! I could connect immediately but now it doesn't automatically configure my config files. Does anyone know how to automatically get openvpn to generate config files?
05:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:09 < BiNaRyCoDE> ?
05:14 -!- BiNaRyCoDE [n=BiNaRyCo@host-72-174-87-108.gdj-co.client.bresnan.net] has quit []
05:15 -!- zheng_ [n=zheng@222.66.224.110] has quit [Remote closed the connection]
05:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:18 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
05:51 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
05:55 -!- gebi_ is now known as gebi
06:04 -!- irc [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
06:04 -!- irc is now known as Guest53023
06:05 -!- Guest53023 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn []
06:05 -!- ir1 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
06:05 -!- ir1 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Client Quit]
06:06 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
06:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:12 -!- nRocha [n=nRocha@unaffiliated/nrocha] has joined ##openvpn
07:18 < nRocha> hello... Is it possible to balance traffic during the openvpn connection? Or is it possible only at startup?
07:19 < nRocha> hello... Is traffic balancing possible during the openvpn connection? Or is it possible only at startup?
07:22 < nRocha> someone?
07:28 < nRocha> Any idea?
07:37 < ecrist> nRocha: what do you mean?
07:39 < nRocha> I need to balance openvpn's traffic between 2 links.
07:40 < ecrist> OpenVPN itself doesn't do that. You'd have to use another protocol, over OpenVPN, to do that.
07:43 < nRocha> Some example of how to do it?
07:43 < ecrist> not an openvpn question. it's basic networking
07:43 < ecrist> CARP or DNS round-robin would handle it.
07:44 < nRocha> ok, thank you.
07:56 < mjt> or linux advanced routing thing. but those are complicated for a beginner.
07:59 * ecrist wonders what the point of that comment was
08:04 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)]
08:05 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
08:09 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
08:17 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn
08:18 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)]
08:20 < ecrist> LOL: http://www.centos.org/modules/newbb/viewtopic.php?topic_id=19246&forum=40
08:20 < vpnHelper> Title: www.centos.org - Forums - CentOS 5 - Networking Support - please help to configure openvpn and routing (at www.centos.org)
08:20 < ecrist> someone found my Durrrr post.
08:40 < tsunami> if you install openvpn from an admin account there aren't any problems with running it through the gui that I have seen in my testing
08:40 < tsunami> is this correct?
08:41 < ecrist> sure
08:41 < tsunami> the only reason i ask is there is documentation as to how to run the software as a user
08:41 < tsunami> but it seems I don't need to go that far
09:46 -!- tsunami [n=tsunami@64.119.141.126] has quit []
10:04 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
10:10 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
10:11 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
10:26 -!- Irssi: ##openvpn: Total of 64 nicks [0 ops, 0 halfops, 0 voices, 64 normal]
10:44 -!- kami- [n=user@unaffiliated/kami-] has joined ##openvpn
10:44 < kami-> hello
10:45 < kami-> I have a problem: TLS Error: TLS key negotiation failed to occur within 60 seconds
10:46 < kami-> it occurs when the client is in _some_ network which is not under my control
10:46 < kami-> this time, it's an ADSL connection
10:47 < kami-> the connection attempt is logged on the client *and* on the server, but the key negotiation fails, though
10:48 < kami-> both sides say: Initial packet from ...
10:49 < kami-> I have no firewall in place at the client
10:51 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Client Quit]
10:57 -!- kami- [n=user@unaffiliated/kami-] has quit [Remote closed the connection]
11:14 < dan__t> hi
11:14 < dan__t> hi
11:21 < ecrist> howdy
11:21 < ecrist> howdy
11:23 < tsunami> hello
11:23 < tsunami> hello
11:23 < tsunami> I don't know why I say goodbye, I say hello!
11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:33 < dan__t> heh
11:34 < dan__t> Today I'm doing some testing, since some things in the manpage aren't entirely clear.
11:34 < dan__t> I'll report back and let you know.
11:34 < dan__t> from earlier: So, using ccd is nice and all. But according to the man page: "of a just-authenticated client...". What if I want to specify TLS credentials, which are required by the user to authenticate, inside the cc file?
11:34 < dan__t> "just authenticated client" implies that they were already tls verified
11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:37 < ecrist> I don't understand your question
11:38 < mjt> openvpn (in tls-server mode) supports only one type of credentials: namely, any credentials signed by the given CA.
11:38 < dan__t> What part of it needs explanation?
11:38 < ecrist> mjt: you're incorrect
11:38 < dan__t> So it can be any key so long as its signed by the CA?
11:39 < ecrist> dan__t: yes
11:39 < mjt> translation: any key signed.
11:39 < mjt> heh
11:39 < ecrist> so, you can send the same client certificate out for all your clients
11:39 < ecrist> make sure you've got 'duplicate-cn' in your config, though
11:39 < dan__t> Sorry, OpenVPN not being a strong point, nor TLS for that matter... thinking about this.
11:39 < mjt> ecrist: (granted, also username/pw thing, but that's not tls, right?)
11:39 < dan__t> Yep, familiar with that one.
11:40 < ecrist> mjt, TLS is the encryption, and has a basic authentication (signed by X ca or not).
11:40 < mjt> yup
11:41 < dan__t> Ok, I got ya now.
11:41 < ecrist> please don't spew information as fact, when you don't know.
11:41 < ecrist> you seem to do that a lot...
11:41 < dan__t> fact
11:41 < mjt> ghrm. In this case, please tell me what exactly did I say wrong?
11:41 < dan__t> No, just kidding.
11:42 < ecrist> 11:38 < mjt> openvpn (in tls-server mode) supports only one type of credentials
11:42 < mjt> what's wrong with that?
11:42 < ecrist> it's wrong
11:42 < ]sintax[> how come i'm missing init-config on a fresh install?
11:43 < mjt> oh well.
11:43 < ecrist> ]sintax[: is that a shell script?
11:43 < mjt> ecrist: you called me a troll a while back. But now YOU are behaving like a troll.
11:43 < ]sintax[> http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd
11:43 < ]sintax[> its listed on there
11:43 < vpnHelper> Title: BlogFish: OpenVPN 2.0 on OpenBSD (at blog.innerewut.de)
11:43 -!- mode/##openvpn [+o ecrist] by ChanServ
11:43 -!- mode/##openvpn [+b *!*n=mjt@*.corpit.ru] by ecrist
11:43 -!- mjt was kicked from ##openvpn by ecrist [ecrist]
11:43 -!- mode/##openvpn [-o ecrist] by ecrist
11:45 < ecrist> ]sintax[: are you sure you're in the correct directory?
11:45 < ]sintax[> i tried searching my entire disk for that file, it doesn't exist
11:45 < dan__t> What a tool.
11:46 < ecrist> it might be an openbsd-specific thing
11:46 < ecrist> skipping that line, you should be fine
11:46 < ecrist> . ./vars is what really initializes the environment.
11:47 < ]sintax[> i tried skipping that and when i type ./vars or source vars, i get a huge spam of command not found errors from openssl.cnf, did i miss something? i tried following the tutorial on openvpn's site
11:48 < ecrist> can you pastebin the entire error somewhere?
11:48 < ]sintax[> sure, 1 sec
11:48 < ]sintax[> http://pastebin.ca/1381033
11:49 < ecrist> ah, you need to use bash for those scripts
11:49 < ecrist> then . ./vars will initialize correctly
11:50 < ]sintax[> what do you mean use bash?
11:50 < ecrist> bash is a shell
11:50 < ]sintax[> i know what bash is but i'm using it
11:50 < ]sintax[> thought you might have meant something else
11:50 < ]sintax[> that's just how my PS1 is setup
11:51 < ]sintax[> http://pastebin.ca/1381036
11:52 < ecrist> odd, those errors are usually from people not using bash as the shell.
11:52 < ecrist> I don't know, I guess.
11:52 < ]sintax[> same errors with ksh
11:52 < ]sintax[> is there a cert im supposed to generate, is that what its looking for ?
11:54 < ]sintax[> looks like ive got more reading to do lol
11:54 < ecrist> yeah, OpenVPN uses SSL certificates for encryption and base authentication
11:54 < ]sintax[> i wasnt sure whether or not to use IPSec or OpenVPN for a VPN server ;-p
11:54 < ecrist> OpenVPN is generally easier for vpns with lots of clients.
11:55 < ecrist> IPSec is a pain, unless you've got a static lan-lan setup
11:55 < ]sintax[> yeah it seemed like a pain with the giant config file structure
11:55 < ]sintax[> this OpenVPN - Building And Integrating Virtual Private Networks (2006) should still work fine right?
11:57 < ecrist> should, although you're on OpenBSD, try reading this:
11:57 < ecrist> !freebsd
11:57 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
11:58 -!- filePeter [n=filePete@95.88.146.254] has joined ##openvpn
11:59 < ]sintax[> maybe if I figure it out i should write a tutorial since there seems to be a lack of them
12:00 < filePeter> Hi, I'm using CF-CBC as encryption. But on my linksys Openwrt this is not very good for my performance. Can i reduce the bitrate for that? How "insecure" is that? Thanks.
12:02 < ecrist> filePeter: you can change the encryption, but security goes down with lower-bit keys.
12:03 < ecrist> anything >128 should be good enough, as things are rekeyed every 60 minutes by default.
12:06 < filePeter> ecrist: Rekeyed? Cool! How to set it?
12:07 < ecrist> filePeter: it's automatic
12:07 < ecrist> setting key length and such is done in the ssl certificates.
13:05 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn []
13:12 -!- filePeter [n=filePete@95.88.146.254] has quit ["leaving"]
13:36 -!- kippix [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has quit [Remote closed the connection]
13:48 < Flumdahl> !config
13:48 < vpnHelper> Flumdahl: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
13:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:57 -!- ]sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
13:57 -!- sintax [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn
13:58 -!- sintax is now known as ]SintaX[
14:03 -!- nRocha [n=nRocha@unaffiliated/nrocha] has quit [Read error: 145 (Connection timed out)]
14:04 < ecrist> Flumdahl: !configs
14:04 < Flumdahl> !configs
14:04 < vpnHelper> Flumdahl: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:25 -!- mweichert [n=mweicher@216.13.154.21] has joined ##openvpn
14:25 < mweichert> hello!
14:25 < mweichert> I'm just new to OpenVPN - but wow, it's an amazing piece of software
14:25 < mweichert> seems easy to get started with
14:26 < ]SintaX[> i'm new as well, mind if i ask what OS you're using it on ?
14:26 < mweichert> Win and Linux
14:26 < ]SintaX[> ah ok
14:26 < mweichert> Win64 and BusyBox
14:27 < mweichert> I'm reading the OpenVPN book by PacktPub
14:27 * ]SintaX[ wishes it covered openbsd better
14:27 < mweichert> finished the chapter "The First Tunnel" ... I got a working tunnel using tap.
14:28 < mweichert> SintaX, having troubles installing tap/tun ?
14:28 < ]SintaX[> no i'm just having trouble getting it to configure initially on openbsd :-\
14:28 < mweichert> are there no binaries available in ports?
14:29 < ]SintaX[> i've installed it from ports, i'm just getting weird errors when i run vars
14:29 < ]SintaX[> but i figure im missing something somewhere else
14:29 < mweichert> can someone help me understand how to get openvpn to play nice with firewalls? From what I get out of it, I can have it tunnel through port 443?
14:32 < mweichert> also too, can someone confirm for me that what I've done is peer-to-peer networking? 14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:33 < mweichert> ]SintaX[, what do you mean by 'run vars'? Sorry - maybe I'm not well enough into openvpn, but I'd like to help if I could 14:33 < ]SintaX[> you know the 'vars' file you're supposed to run in the easy-rsa dir? 14:34 < mweichert> ]SintaX[, ah, I'm not there yet. I'm just using Static Key tunnels right now 14:34 < ]SintaX[> hmm i thought this step was required to get it to even work haha 14:35 < ]SintaX[> i've taken too long a break from BSD and networking in general so im really rusty with both 14:35 < mweichert> no - there are two approaches to getting openvpn working, AFAIK: static key and PKI (public key infrastructure) 14:35 < mweichert> easy-rsa is related to PKI 14:36 < ]SintaX[> ah i didn't know that. the tutorials for the OS i've found suck or im just too stupid to follow them with my setup heh 14:39 < Flumdahl> what is it need to write in the server/client conf so openvpn automaticly makes the routes so all traffic from clients goes over the vpn tunnel ? 14:40 < mweichert> ]SintaX[, what client os are you using to connect to openbsd? 14:40 < ]SintaX[> i'm trying to vpn two openbsd machines 14:41 < ecrist> ]SintaX[: try my perl script 14:41 < ecrist> !ssl-admin 14:41 < ]SintaX[> i wonder if i could follow the same approach you used with static key 14:41 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 14:41 < ecrist> easy-rsa sucks balls 14:41 < ]SintaX[> thats nice to know, that did seem a bit of a pita 14:41 < mweichert> ]SintaX[, I think you can do this in four steps 14:42 < mweichert> 1) Generate a private key on one of the servers. 14:42 < mweichert> 2) Copy the private key, rrrr... 
static key to your other server 14:43 < mweichert> 3) Configure your conf file with: 14:43 < mweichert> dev tap 14:43 < mweichert> secret key.txt 14:43 < mweichert> ping 10 14:43 < mweichert> comp-lzo 14:44 < mweichert> ifconfig 10.3.0.5 255.255.255.0 # the ip you want to listen on 14:44 < mweichert> remote 10.30.0.1 # the ip you want to connect to 14:44 < ]SintaX[> i dont need two interfaces on each machine do i? some tutorials have said that but i dont think my network setup is the same 14:44 < ecrist> ]SintaX[: no, you don't. 14:44 < ]SintaX[> i'm just experimenting with two VM's inside of vmware right now with one interface each 14:45 < mweichert> you need one physical interface 14:45 < mweichert> on each machine 14:45 < mweichert> and one virtual interface (tap or tun) 14:45 < ]SintaX[> ok 14:45 < ecrist> and, unless you're using ethernet protocols, such as IPX, you should probably use tun rather than tap 14:45 < ]SintaX[> let me boot these machines up and try 14:45 < mweichert> that's fine 14:45 < mweichert> same here 14:45 < ]SintaX[> im going to try them on the same subnet 192.168.1.X 14:47 < mweichert> ]SintaX[, I believe you tunnel needs to be established on a different subnet (I very-much could be wrong about that) 14:48 < mweichert> is there anything wrong with setting up several (like 50) static key VPNs? 14:50 < ]SintaX[> ecrist i can vpn two machines on the same subnet right? wouldnt that encrypt all traffic between the two 14:52 < mweichert> yes, I know you can encrypt two machines on the same subnet... but I don't know if your tunnel should be routed on the same subnet 14:52 < ]SintaX[> ah 14:52 < mweichert> for example... 14:52 < mweichert> you can tunnel between 192.168.0.1 and 192.168.0.2 14:53 < ]SintaX[> thats on the same subnet isnt it? 
14:53 < mweichert> but your tunnel should be created on 10.3.0.1 and 10.3.0.2 14:53 < ]SintaX[> cant believe how rusty i am with networking :-( 14:53 < mweichert> yes, that's on the same subnet - the hosts with you want to encrypt traffic between 14:53 < mweichert> but the tunnel is established on a different subnet 14:53 < krzie> i take it you are trying to secure wireless or something? 14:54 < krzie> so you will be default routing over the encryption 14:54 < krzie> right? 14:54 < ]SintaX[> eventually i'm going to work on that, i'm just trying to learn how to setup a vpn on the two machines 14:54 < krzie> !local 14:54 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 14:54 < krzie> other than that, its the same as always 14:54 < krzie> !sample 14:54 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 14:55 < ecrist> ]SintaX[: yes, you can 14:56 < ecrist> but mweichert is on the right track. you need non-conflicting ip spaces. 14:56 < ]SintaX[> so i use the perl script ecrist made to make the crt/pem/key files? 14:56 < ecrist> yes. it requires a bit of initial config, I recomend taking the one out of SVN rather than any static versions you find out there. 14:57 < ]SintaX[> ok 14:57 < ecrist> if you were using freebsd, it's in the ports tree 14:57 < ecrist> haven't tested/submitted to net/open bsd 15:00 -!- mtoledo [n=user@c906c009.virtua.com.br] has joined ##openvpn 15:00 -!- mtoledo [n=user@c906c009.virtua.com.br] has quit [Remote closed the connection] 15:04 < mweichert> ecrist, can you help me understand the advantages of using PKI over static key? 15:06 < ecrist> mweichert: you can only have one client, iirc, with static key 15:06 < ecrist> static key is ok for simple 1-1 connections 15:06 < ecrist> PKI comes in when you need multiple clients on the same system. 
15:10 < mweichert> ecrist, but why not just define multiple static key connections? 15:11 < mweichert> I guess that would require a lot of manual configuration and many ports? 15:20 < krzie> lol ya, and it would take more resources and generally be an administration PITA 15:20 < krzie> kinda like how you dont need DNS 15:20 < krzie> you could just edit your hosts file for everything you ever wanna connect to 15:20 < krzie> but common, which sounds easier 15:21 < mweichert> ok, fair enough. :) 15:21 < mweichert> krzie - can I squeeze in one more question... after I create a static key tunnel between two clients, do I configure any routing to over over the tunnel, or will that just happen automagically? :) 15:23 < mweichert> btw - are static key tunnels simliar to how ipsec tunnels work? 15:29 < krzie> it wont default route over that unless you tell it to 15:29 < krzie> do you plan on more than 2 connections? 15:29 < krzie> more than 2 endpoints 15:30 < krzie> because server mode is far easier thanpoint to point for that, better to do it right than try to manage multiple point to point modes solely so you dont need to learn how to manage the certs 15:46 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 15:48 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:10 < mweichert> I agree krzie. Thanks. 16:12 < krzie> np 16:23 -!- mweichert [n=mweicher@216.13.154.21] has quit ["Leaving"] 16:24 -!- tsunami [n=tsunami@64.119.141.126] has quit [] 16:28 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 16:52 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn 16:56 -!- sjzzalx [n=jeff@70.102.50.18] has joined ##openvpn 16:57 < sjzzalx> What is a DNS suffix and why do I need one to resolve internal hostnames from a logged-in client? I'm already pushing the DNS server's address. 
16:57 < sjzzalx> !howto 16:57 < vpnHelper> sjzzalx: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 17:05 < krzie> !pushdns 17:05 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit 17:11 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [] 17:12 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn 17:13 < sjzzalx> krzie: Thanks. Should my DNS IP be the VPN gateway or the real subnet's DNS server? It doesn't seem to work with either for me. 17:14 < krzie> the dns server you wanna use is inside the lan behind the vpn machine? 17:14 < sjzzalx> krzie: It's on the same machine as the VPN, this is all on a pfsense box 17:15 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["Ik ga weg"] 17:15 < krzie> test by requesting dns specifying dns server 17:15 < krzie> also check that the firewall isnt blocking cause now you're showing up as coming from vpn ip 17:16 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [Client Quit] 17:16 < krzie> racism is so 80's 17:16 < krzie> oops wrong chan 17:17 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn 17:18 < krzie> ie: host ircpimps.org ns.doeshosting.com 17:18 < krzie> will use ns.doeshosting.com to check dns for ircpimps.org 17:18 < krzie> test if dns works manually like that 17:19 < sjzzalx> krzie: it does work manually like that 17:19 < sjzzalx> through either the VPN gateway or the internal DNS server 17:19 < sjzzalx> but it doesn't work if I try to ping, etc. 
17:20 < sjzzalx> with both ips added to resolv.conf 17:20 < krzie> show me resolv.conf 17:21 < sjzzalx> http://pastebin.com/m164e8858 17:23 < krzie> ok so which ips worked in manual test 17:23 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [] 17:23 < sjzzalx> the last two, 10.x 17:23 < krzie> remove the first one, and keep the one that uses vpn ip 17:23 < krzie> remove the other 17:23 < krzie> so only 1 entry 17:24 < sjzzalx> krzie, that works, thanks. But, I would like to be able to resolve the other hostnames on my home network, too 17:24 < sjzzalx> via 192.168.1.1 17:25 < krzie> try putting the home one under the vpn one 17:25 < krzie> see if that works 17:25 < krzie> (we seem to have ventured outside of vpn troubleshooting, but i dont mind helping since i might be able to help and you've clearly read docs and know what you're doing) 17:26 < krzie> OR, you could make one of them slave for the other over the vpn 17:26 < krzie> even slave for each other 17:27 < krzie> that way you can resolve both networks from each dns server 17:28 < sjzzalx> krzie: Interesting, I'm not aware of DNS slaves. I'll have to look into it. This seems to work now, though, so thanks very much. I can't test my home network resolver since I think only localhost is up right now there. :) 17:28 < krzie> =] np 17:28 < krzie> you use bind i assume? 17:29 < krzie> allow-transfer { ip_address; }; 17:30 < sjzzalx> I'm just using resolv.conf right now, I don't really want to deal with bind, so I'll just change the order in resolv.conf. Thank you very much though, for the help and your willingness to provide it.
17:30 < krzie> then for example: 17:30 < krzie> zone "thekeelecentre.com" { type slave; masters { 217.206.238.155;}; file "slave/thekeelecentre.com.db"; notify no; }; 17:30 < krzie> umm, you said you are running nameservers in each lan 17:30 < krzie> this is done by nameserver software 17:31 < krzie> since you mention resolv.conf, i see you use a unix-like os 17:31 < krzie> and bind is the most common 17:32 < krzie> but ya, you're welcome =] 17:32 < sjzzalx> Indeed, that's all on pfSense's side right now and it's handled by it; I'm fairly sure they use bind, but I don't want to set up anything locally to override, or to mess with pfSense's things elsewise when I can just reorder resolv.conf and have it all nice and functional. I appreciate the reference though and will remember it when/if I need to do something else to make the fix less hackish. :) 17:39 < krzie> np 17:39 < krzie> btw im sure pfsense supports slaves in the dns stuff 17:39 < krzie> but i dont mess with guis 17:39 < krzie> i just edit the files 17:50 < dan__t> Hi. 17:50 < dan__t> So, have a question re: tls 17:53 < krzie> go for it... 17:54 < krzie> tls as used in openvpn: 17:54 < krzie> !hmac 17:54 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 17:54 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 18:16 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 18:20 < krzie> dan__t, didnt you have a question? 18:22 < dan__t> I was working on it. 18:22 < dan__t> Sorry, distracted with work :/ 18:24 < krzie> ya i know how that is 18:24 < dan__t> Ok, so. 
18:32 < dan__t> heh 18:32 < dan__t> lame. 18:32 < dan__t> So with tls, any client key that is signed by my CA can connect. 18:33 < dan__t> What enables me to stop them from connecting, even if a key is signed by my CA? 18:33 < dan__t> I can publish a CRL, but how can/do I enforce that the client *must* reference that 18:33 < krzie> tls only has to do with HMAC sigs 18:33 < dan__t> Or does OpenVPN reference the CRL? 18:33 < krzie> clients dont reference crl 18:33 < krzie> server does 18:33 < krzie> CRL is a list of clients that can no longer connect 18:34 < dan__t> I understand that. 18:34 < dan__t> How do I get OpenVPN to use that though? 18:35 < krzie> !man 18:35 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:35 < krzie> 1sec 18:37 < dan__t> Sure. Thanks. 18:45 < krzie> --crl-verify crl 18:45 < krzie> Check peer certificate against the file crl in PEM format. 18:45 < krzie> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. 18:45 < krzie> Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI. 18:45 < krzie> The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. 18:46 < krzie> !crl 18:46 < vpnHelper> krzie: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. 
The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) 18:46 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you 18:51 < krzie> but you said you had a tls question 18:51 < krzie> CRL has nothing to do with tls 18:52 < krzie> tls inside openvpn is just for building a static key that packets get signed with, if the packets arent signed with it then the server ignores 18:52 < krzie> and doesnt even process 18:54 < krzie> those signatures are known in openvpn as HMAC signatures 18:55 < krzie> everything you need to know about tls in openvpn is in !hmac and everything you need to know about CRL in openvpn is in !crl 18:55 < krzie> =] 18:55 < krzie> i think instead of tls you meant ssl 18:56 < krzie> but also, if you use tls, a client with a ssl cert signed by your CA cant connect unless he also has the tls static key 20:10 < dan__t> Not my day man, I'm trying to participate, I appreciate the time. 20:10 < krzie> all good =] 20:14 < krzie> im at work anyways, not going anywhere for now 20:18 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 20:25 -!- belZe [i=server3@p5091CA11.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:25 -!- belZe [i=noone@p5091CE96.dip.t-dialin.net] has joined ##openvpn 20:39 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 21:30 < onats> morning people 21:31 < krzie> mornin 21:32 < krzie> although its night here 21:32 < krzie> hehe 21:32 < onats> whats new? 21:37 < krzie> not much really 21:37 < krzie> rebuilt the NFS again yesterday 21:37 < krzie> since 3 drives proved to be bad 21:38 < krzie> so now the other 3 are in there for ZFS, and i tossed in an old 80gb IDE for the OS 21:38 < onats> what os is that running on? 21:38 < onats> solaris? 
21:38 < krzie> freebsd 8-current 21:38 < krzie> although its not all that current, february snapshot 21:39 < krzie> ill catch it up soon tho 21:39 < krzie> then when the 3 drives i RMA'ed come back ill toss in the 4th and add it to the zfs pool 21:39 < onats> nice 21:39 < krzie> zfs is nice about that 21:39 < onats> what do you put in it anyway? 21:40 < krzie> my NFS 21:40 < krzie> movies and apps and stuff 21:40 < onats> lol 21:40 < krzie> really anything i dont need on the laptop 24/7 21:40 < onats> i thought something mission critical 21:40 < krzie> hahah nope 21:40 < krzie> nothing mission critical would possible go on an experimental FS on a dev OS 21:40 < krzie> possibly 21:41 < krzie> also just tossed a 500gb seagate in the macbook pro 21:41 < krzie> so thats pretty cool 21:42 < krzie> next mission, build the quad core intel box i have waiting in parts and setup osX86 on it 21:42 < krzie> that'll be dopeness 21:48 < krzie> how bout you? 21:49 < krzie> anything cool or new? 21:51 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has joined ##openvpn 21:52 < onats> figuring out how to move installation of opkg packages to another partition... 21:52 < onats> i have this 1 GB CF card with openwrt on it, on the 64MB. I just opened up the rest of the partition and want the packages to go in there so it won't use up the primary partition 21:53 < onats> i'm playing with this alix board i got two weeks ago 21:53 < onats> pretty sweet piece of HW 21:53 < onats> hehe 21:53 < krzie> ahh right on 21:54 < krzie> i remember looking at it 21:55 < onats> what's your primary machine? 21:55 < onats> laptop?
21:55 < krzie> currently 21:55 < krzie> til i get that osx86 box up 21:55 < krzie> well then i need to wait til i get my bigscreen over here 21:55 < krzie> but the goal is to make that my primary machine and let the lappy rest 21:55 < krzie> poor thing is overworked 21:56 < onats> hehe 21:56 < onats> im running a quad core here too 21:56 < onats> for my primary 21:58 < krzie> sweet 21:58 < krzie> i overpowered the shit outta my new NFS 21:58 < onats> what proc are you planning to get? 21:58 < krzie> dual core amd64 with 8gb ram 21:58 < krzie> for the intel i got a q9400 21:58 < onats> i thought you said quad core? 21:58 < onats> ahh 21:58 < krzie> the quad core is for osx86 21:58 < krzie> the dual core amd64 is for the nfs 21:58 < onats> wow, thats a lot of powerful HW! 21:59 < timttwtdi> I'm missing a piece in my openvpn configuration and I'm wondering if someone can tell me what step I may have missed. 21:59 < krzie> the nfs will have 4x 1.5TB drives 21:59 < krzie> i say will cause i had to RMA 3 of them 21:59 < onats> isn't a dual core amd64 a bit overpowered for a storage server? 21:59 < krzie> timttwtdi, sure 21:59 < krzie> !configs 21:59 < timttwtdi> openvpn set up on client and server with keys. client and server can connect and ping one another. 21:59 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:59 < krzie> oh ok 21:59 < krzie> then whats your goal? 21:59 < timttwtdi> verified by tcpdump -i tun0 on vpn server 21:59 < krzie> onats yes, it is 21:59 < krzie> lol 22:00 < krzie> but i wanted amd64 for ZFS 22:00 < onats> and for your osx86, are you gonna do video editing? 22:00 < krzie> ZFS likes amd64 22:00 < timttwtdi> cannot ping any hosts on vpn server network.
22:00 < krzie> nope, but i may crack encryptions and stuff like that when im bored enough 22:00 < krzie> timttwtdi, i made a writeup just for that 22:00 < krzie> timttwtdi, you use tun right? 22:00 < timttwtdi> wow. strange. just started working. 22:01 < krzie> !route 22:01 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 22:01 < timttwtdi> I've got tcpdump running across the room and all of a sudden show ICMP echo requests. 22:01 < krzie> they should get the requests no matter what 22:01 < krzie> but unless routes are right, no responses 22:02 < krzie> read my writeup 22:02 < timttwtdi> after initial setup I tried contacting hosts on the subnet, couldn't, and then read through the FAQ 22:03 < krzie> read my writeup 22:03 < krzie> its everything you need to know about connecting lans behind openvpn 22:04 < krzie> onats, and since i was going amd64, it wasnt much more $ to go dual core 22:04 < krzie> and ram isnt that expensive, may as well shove 8gb its way 22:04 < onats> hehe yes 22:04 < krzie> the main $ was spent on the harddrives 22:04 < onats> i have 8 gigs here too. never been able to fully max it out yet 22:04 < krzie> i bought 6 1.5TB seagates 22:04 < onats> how much is a 1.5TB in USD there? 22:04 < krzie> i picked them up for $120 each 22:05 < krzie> but i was in san jose california 22:05 < krzie> on vacation 22:05 < onats> roughly the same here 22:05 < krzie> brought a whole suitcase of parts back 22:05 < krzie> (i no longer live in usa, was on vaca) 22:05 < onats> isn't the carribean close to the east coast? jamaica? 22:06 < krzie> ya its not far from florida 22:06 < krzie> and jamaica is in the caribbean 22:14 < onats> are you high all the time there? 
22:14 < onats> heheh 22:14 < krzie> nah but i was when i lived in california 22:15 < krzie> the weed out here SUCKS compared to cali 22:16 < krzie> http://www.ircpimps.org/pics/krzee_vaca/SDC10038.JPG 22:16 < krzie> theres what i was smoking about a month ago when i visited california 22:17 < timttwtdi> krzie, it's a good read. 22:18 < krzie> thanx, learn anything useful? 22:19 < timttwtdi> I identified the problem. whenever I stopped ipmasq on the openvpn machine it would essentially echo "0" > /proc/sys/net/ipv4/ip_forward 22:19 < timttwtdi> er. one of the problems. 22:19 < krzie> ahh, sucks 22:19 < timttwtdi> I am not joining networks of clients connecting to the openvpn server, so iroute is not for me. 22:20 < krzie> right, just a simple push route 22:20 < krzie> is openvpn server on the router for its LAN? 22:20 < timttwtdi> I believe now that I figured out why packets were not going when I thought they should be going i just need to determine the proper way to add static routes for machines on the vpn server network. 22:20 < timttwtdi> yes. 22:21 < timttwtdi> oh- I had the push route working. that 22:21 < krzie> so openvpn is running on the default gateway for its LAN...? 22:21 < timttwtdi> 's why tcpdump -i tun0 on the server displayed incoming packets. 22:21 < krzie> (server) 22:21 < timttwtdi> yes. 22:21 < krzie> then you should be done, no static routes needed 22:21 < timttwtdi> and I am using a region of that subnet address space for vpn address ;-P 22:21 < krzie> bad! 22:22 < krzie> vpn network should be totally different 22:22 < krzie> you arent bridging 22:22 < krzie> give it like 10.8.0.x or something 22:22 < timttwtdi> not right now. I may try bridging sometime. 22:22 < krzie> bridging < tunneling 22:22 < krzie> only used when really needed 22:23 < krzie> for tunneling layer2 protocols that are NOT samba 22:23 < krzie> i say not samba cause in that case you should use wins 22:24 < timttwtdi> yes sir/ma'am! will change vpn addresses pronto!
22:24 < krzie> so ya... you're doing it right 22:24 < krzie> also, no clients can have same LAN addresses as the server 22:25 < krzie> and if you start adding lans behind clients, that goes for their lan's addresses too 22:25 < krzie> (im a guy =] ) 22:26 < timttwtdi> I would never want to offend a female comrade (better safe than a greater ratio) 22:27 < krzie> heheh right on 22:27 < timttwtdi> thanks for the info. I'll pass it on to the next neophyte. 22:28 < krzie> howd it work for ya? 22:29 < timttwtdi> I'm checking to see if a route can give me a round-trip message before I reconfigure the network addresses. 22:30 < krzie> it can without changing a thing after you reconfigure it 22:30 < krzie> also if you like you can post your configs and i can tell you if anything can be improved 22:30 < krzie> (im bored for the next few minutes, then i leave) 22:31 < timttwtdi> it'll probably be more than a few minutes. 22:31 < timttwtdi> I want to get things working 'the wrong way as an exercise 22:32 < krzie> sounds good 22:32 < krzie> hehe 22:32 < krzie> in the meantime i can still look over your configs if you want 22:32 < krzie> little things like !hmac and !mitm and !dh it would still work, but not as good as it could 22:33 < krzie> but of course thats totally up to you 22:35 < timttwtdi> http://pastebin.com/f6b987e4e 22:35 < krzie> !configs 22:35 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 22:36 < krzie> pls use that to strip comments 22:36 < timttwtdi> did you know that there are command-line utilities for interacting with pastebin? 22:36 < krzie> yes, i know freebsd has one in ports 22:39 < timttwtdi> http://pastebin.com/f63f8e721 22:39 < timttwtdi> I guess I could have stripped blank lines too. 
22:39 < krzie> ya i been meaning to change that regex 22:39 < krzie> haha 22:40 < timttwtdi> insert a sed to only strip double empties or something. 22:41 < krzie> the same grep can do it 22:42 < krzie> just another | 22:42 < krzie> |^$ 22:42 < timttwtdi> I didn't think grep expressions could span lines. 22:42 < krzie> if the first char is the last char 22:43 < timttwtdi> oh. I just meant that grep can't strip pairs of empty lines as far as I know. 22:44 < krzie> grep -vE '^#|^;|^$' 22:44 < krzie> care to try that and see how it looks for the hell of it? 22:44 < krzie> i see you're pushing dns 22:44 < krzie> you will find this post interesting (first link) 22:44 < krzie> !pushdns 22:44 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit 22:45 < krzie> and other than that, i'd say its a perfect config (minus the vpn subnet thing i said earlier) 22:46 < krzie> actually, i take back the "other than that" 22:46 < krzie> its a perfect config 22:46 < timttwtdi> :-D 22:46 < krzie> (minus the vpn subnet thing i said earlier) ;] 22:47 < timttwtdi> it was my first! 22:47 * timttwtdi blushes 22:47 < krzie> hehe 22:47 < krzie> comes with reading the docs =] 22:47 < krzie> if only more took the time you did 22:48 < onats> jedi master, you are. 22:48 < krzie> !configs 22:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 22:48 < timttwtdi> Jedi Master? No. I'm a Debian User.
22:48 < krzie> lemme fix that now since we touched on the subject 22:48 < krzie> hahah 22:48 < krzie> !forget configs 22:48 < vpnHelper> krzie: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them. 22:48 < krzie> !forget configs * 22:48 < vpnHelper> krzie: Joo got it. 22:49 < krzie> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$'client.conf`), also include which OS and version of openvpn. 22:49 < vpnHelper> krzie: Joo got it. 22:49 < krzie> !learn configs as dont forget to include any ccd entries 22:49 < vpnHelper> krzie: Joo got it. 22:49 < krzie> !configs 22:49 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$'client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 22:50 < krzie> and yes i know i could simplify that regex, but my bot wouldnt like it cause [] is for embedding commands for my bot 22:51 < krzie> grep -vE '^[#;$]' would be cooler 22:51 < timttwtdi> are any of you guys openvpn devs? 22:51 < krzie> negative 22:52 < timttwtdi> well thanks anyways ^_^ 22:52 < krzie> np man 22:52 < krzie> i think reiffert has submitted bits of code 22:52 < krzie> but theres really like 2 main devs afaik 22:52 < krzie> (or 1 maybe) 22:52 < krzie> ahh damn i typo'ed 22:53 < krzie> !forget configs * 22:53 < vpnHelper> krzie: Joo got it. 22:53 < krzie> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn. 22:53 < vpnHelper> krzie: Joo got it. 22:53 < krzie> !learn configs as dont forget to include any ccd entries 22:53 < vpnHelper> krzie: Joo got it. 22:57 < timttwtdi> I did something interesting tonight when troubleshooting. 
22:58 < timttwtdi> have you ever called tcpdump on the interface you are ssh'd into a machine on without limiting the scope of tcpdump? 22:59 < timttwtdi> esp. if you've got gigabit. 22:59 < krzie> lol yes 22:59 < krzie> bbl 22:59 < krzie> gnite 22:59 < timttwtdi> 'night. thx. 23:11 -!- p_quarles [n=lee@unaffiliated/pquarles] has joined ##openvpn 23:12 < ecrist> night, fuck heads. 23:13 < p_quarles> so, I'm a bit puzzled: I successfully set up a tunnel, and can ping the tun device on the server from the client; but all traffic is still going through the LAN-connected device by default 23:14 < p_quarles> there's nothing in the "how-to" at openvpn.net, but I'm guessing there's some other step that will be obvious in retrospect 23:15 < ecrist> sure there is. you need to route interesting traffic over the vpn 23:15 < ecrist> see --redirect-gateway 23:16 < p_quarles> ecrist: okay, damn, now I see it in the docs; guess I didn't know what I was looking for; thanks 23:16 < ecrist> np 23:29 -!- p_quarles [n=lee@unaffiliated/pquarles] has left ##openvpn ["thanks!"] --- Day changed Sat Apr 04 2009 00:08 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 00:51 < Flumdahl> http://pastebin.com/m1a1ed3e2 00:51 < Flumdahl> anyone that can help ? 00:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:57 -!- vadi01 [n=vadi01@217.118.93.23] has joined ##openvpn 00:58 < Flumdahl> krzee: hey there. 01:03 < Flumdahl> !howto 01:03 < vpnHelper> Flumdahl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 01:04 < Flumdahl> !/30 01:04 < vpnHelper> Flumdahl: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 01:16 -!- vadi01 [n=vadi01@217.118.93.23] has quit [Read error: 110 (Connection timed out)] 01:17 -!- vadi01 [n=vadi01@217.118.93.122] has joined ##openvpn 01:30 < reiffert> moin 01:39 < Flumdahl> :D 01:40 < Flumdahl> hmm, how do i write in server conf so a client can only use one specific ip ? 01:43 < reiffert> !factoids search static 01:43 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd 01:44 < Flumdahl> !ccd 01:44 < vpnHelper> Flumdahl: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 01:46 < Flumdahl> hmm 01:47 < Flumdahl> Options error: option 'ifconfig-push' cannot be used in this context 01:47 < Flumdahl> ifconfig-push ipaddress netmask ? 01:48 < reiffert> !man 01:48 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 01:55 -!- vadi01 [n=vadi01@217.118.93.122] has quit [Read error: 110 (Connection timed out)] 02:28 < Flumdahl> hmm, do i need to use ca cert key dh for ccd ? 02:32 < reiffert> you need a common name for ccd. common names sound like certificates. CN 02:32 < reiffert> afk, sorry 02:35 < Flumdahl> is there no other way to lock a specific ip to a client?
02:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 03:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:30 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has joined ##openvpn 03:32 < jnnewton> if anyone is here, i could use some setup clarification. the docs say /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (it's best to copy this directory to another location such as /etc/openvpn". 03:33 < jnnewton> first of all, the directory structure i got from apt is different, everything they refer to is in /usr/share/doc/openvpn/examples/easy-rsa/2.0, which is not referenced. 03:34 < jnnewton> then for the copy part, which dir to copy to /etc/openvpn ? the whole thing, or just the 2.0 folder? 03:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 03:57 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has quit ["So this is it. Were going to die."] 04:34 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn 04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 05:05 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has joined ##openvpn 05:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:38 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has quit ["You may get an opportunity for advancement today. 
Watch it!"] 06:46 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 07:07 -!- sloburnie [n=sloburni@p579889AB.dip.t-dialin.net] has joined ##openvpn 07:08 -!- sloburnie [n=sloburni@p579889AB.dip.t-dialin.net] has left ##openvpn ["Verlassend"] 07:26 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 60 (Operation timed out)] 07:26 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 07:30 -!- eliasp_ is now known as eliasp 08:04 -!- hkais [n=xenoadmi@p50815F50.dip.t-dialin.net] has joined ##openvpn 08:04 < hkais> hello 08:05 < hkais> i have trouble configuring my connection to run in pointopoint mode 08:05 < hkais> previously it was working in bridge mode, which I want to quit due to the scaling problems 08:06 < hkais> i get the error on the client http://pastebin.com/m160785e3 08:29 < ecrist> looking 08:29 < ecrist> hkais: the error is pretty clear... 08:30 < ecrist> !configs 08:30 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:31 < hkais> ecrist: I got my error. It was the problem, that I set the server with tap interface instead of tun... 08:31 < hkais> now it is running 08:48 < hkais> ecrist: not properly 08:48 < hkais> i have a 10.11.12.0 LAN. my VPN goes to 10.11.22.0. 08:48 < hkais> I cannot ping any device on the 10.11.12.0 lan from the VPN-network. 08:49 < hkais> the pings (ICMP) aren't reaching the device in the lan 08:53 < ecrist> hkais: see here 08:53 < ecrist> !route 08:53 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:53 < ecrist> also, what OS are you using?
08:53 < hkais> ubuntu/linux 08:53 < hkais> for the server and currently also ubuntu client 08:53 < hkais> but it will be a windows later 08:54 < ecrist> you need to set ip_forwarding in proc, I believe 08:54 < ecrist> only for the server, though. 08:56 -!- onats [n=onats@unaffiliated/onats] has quit [Connection timed out] 08:57 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 09:04 < hkais> ecrist: thx! I forgot the forward in the kernel! 09:06 < ecrist> np 09:15 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 09:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:15 -!- hkais [n=xenoadmi@p50815F50.dip.t-dialin.net] has left ##openvpn ["Leaving."] 11:09 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn 11:10 < archvile> hi, i'm getting an error when trying to connect to a vpn about not being able to load a CA cert 11:10 < archvile> Cannot load CA certificate file ca.crt (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib 11:10 < archvile> am i missing a package?
11:10 < archvile> or is it not being pointed to the correct location 11:24 -!- archvile_ [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn 11:32 -!- archvile1 [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn 11:32 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 11:33 -!- archvile1 [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit [Client Quit] 11:34 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn 11:44 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit ["leaving"] 11:46 -!- archvile_ [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 11:52 < onats> anyone alive? 12:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:11 < dan__t> Nope. 12:11 < dan__t> krzee 12:11 < dan__t> krzie 12:11 < dan__t> R*(@##@*@$R@#*(% 12:20 -!- bsdbandi1 [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 12:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:56 < onats> boom! 12:59 -!- bsdbandi1 [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 13:05 -!- Exilant [i=goelzera@berlin.ethz.ch] has joined ##openvpn 13:10 < Exilant> !route 13:10 < vpnHelper> Exilant: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:12 < dan__t> krzie, RE: crl, OpenVPN references this file and based on its contents will either allow or disallow the client? 13:15 < dan__t> http://madboa.com/geek/openssl/ 13:15 < vpnHelper> Title: OpenSSL Command-Line HOWTO (at madboa.com) 13:15 < dan__t> Ahhh, long lost resource. 
13:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:24 < Flumdahl> anyone here who knows how to lock a client to only one ip address without use cert and key? i only use a secret key
13:25 < Flumdahl> i have googled a lot today but can not find any solution to it
13:25 < Flumdahl> i find that static ip with ccd but i dont want to use all those crt etc etc
13:29 < dan__t> I'd use a --client-connect script
13:29 < dan__t> wait, to one IP address
13:30 < dan__t> Nevermind. I'm not sure on that one, actually.
13:30 < Flumdahl> dan__t: yes for just one ip. or more
13:31 < Flumdahl> prq have only secret key file and if they dont insert the ip somewhere i can not use it
13:31 < dan__t> http://openvpn.net/index.php/documentation/howto.html#policy
13:31 < vpnHelper> Title: HOWTO (at openvpn.net)
13:31 < dan__t> I think you're stuck using ccd
13:31 < Flumdahl> hmm
13:31 < Flumdahl> must be another way
14:00 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
14:05 < dan__t> I'm not sure.
14:06 -!- c64zottel [n=hans@p5B1780E0.dip0.t-ipconnect.de] has joined ##openvpn
14:06 -!- c64zottel [n=hans@p5B1780E0.dip0.t-ipconnect.de] has left ##openvpn []
14:21 < Flumdahl> crl-verify is that needed to get ccd to work ?
14:26 -!- gallatin [n=gallatin@dslb-092-072-077-251.pools.arcor-ip.net] has joined ##OpenVPN
14:29 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has joined ##openvpn
14:30 < dan__t> I'm not sure.....
14:30 < dan__t> What does the manual page say?
14:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
14:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:50 < krzie> no
14:50 < krzie> !ccd
14:50 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name
14:51 < krzie> i didnt scroll up so if you have unanswered stuff feel free to ask again
14:52 < dan__t> haha ok
14:52 < dan__t> np
14:52 < dan__t> Just hacking on some openssl arguments so I can further automate pki
14:53 < dan__t> writing my own little wrapper to maintain the CRL, as well.
14:59 < krzie> ahh cool
14:59 < krzie> if you know perl you could make it commandline stuff for ssl-admin
14:59 < krzie> would be cool
15:02 < dan__t> Yea I was looking at it. I'm not such a great programmer :(
15:03 < Flumdahl> the ccd filename shall be the same i name the key/cert file for the client??
15:06 < Exilant> !howto
15:06 < vpnHelper> Exilant: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:06 < dan__t> The CCD should be of the same name as the "common name"
15:06 < krzie> when you make the cert theres a common-name field
15:07 < krzie> thats what ccd// must be
15:08 < Flumdahl> aha
15:08 < Flumdahl> thanks
15:09 < dan__t> er, trailing slash?
15:09 < dan__t> its a directory? Its a file, right?
15:09 < krzie> oops
15:09 < krzie> ya my mistake
15:09 < dan__t> oh ok
15:09 < dan__t> don't confuse me
15:09 < dan__t> haha
15:09 < krzie> hehe
15:10 < krzie> time for me to finally dive into nagios
15:11 < dan__t> That sucks man.
15:12 < krzie> why?
15:13 < dan__t> Nagios is the bastard child of everything unholy.
15:13 < krzie> lol
15:14 < dan__t> Ever use Zabbix?
15:14 < Exilant> i'm trying to setup an openvpn network in bridged mode. i got it working to the point where it somehow connects, yet i cannot even ping into the private net. both client and server run linux, and a route is set up on the client. Can someone please hint me in the right direction, how to find out where the error is?
15:15 < krzie> Exilant can you ping the vpn ips?
15:15 < Exilant> no
15:15 < krzie> why are you using bridged mode?
15:16 < Exilant> From 192.168.178.201 icmp_seq=1 Destination Host Unreachable
15:16 < krzie> dan__t, never heard of it
15:16 < Exilant> because routed mode didn't work
15:16 < krzie> Exilant, bridged mode is only the right choice in very few situations, what is yours in this case?
15:16 < dan__t> Go check it out.
15:16 < krzie> thats no reason, it just means you didnt do it right in routed
15:17 < Flumdahl> hmm
15:17 < Exilant> that samba is easier to access was my main reason
15:17 < Flumdahl> i'm only missing one thing... crl-verify .pem file. how do i create that one ?
15:17 < krzie> no its not
15:17 < krzie> !wins
15:17 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:17 < krzie> !crl
15:17 < vpnHelper> krzie: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
15:17 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you
15:17 < krzie> Exilant, you want wins in routed mode for your samba
15:18 < krzie> Flumdahl, see above #2
15:18 < Exilant> ok
15:18 < Exilant> i'll try that
15:18 < krzie> heres a few steps in right direction:
15:19 < dan__t> Man I'm still fucked up from last night.
15:19 < dan__t> Pretty bad.
15:20 < dan__t> I thought sake wasn't supposed to give you hangovers.
15:20 < Flumdahl> krzie: thanks
15:22 < krzie> np
15:22 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:28 < dan__t> Ok, got SSL done.
15:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:44 < krzie> http://www.freebsd.org/ports/portaudit/03140526-1250-11de-a964-0030843d3802.html
15:44 < vpnHelper> Title: portaudit: zabbix -- php frontend multiple vulnerabilities (at www.freebsd.org)
15:44 < krzie> ill pass
15:56 < krzie> actually, maybe ill use zabbix: http://www.nagios.org/faqs/viewfaq.php?faq_id=39&expand=false&showdesc=false
15:56 < vpnHelper> Title: Nagios: FAQs : Can I monitor a host without defining any services for it? (at www.nagios.org)
15:56 < krzie> ill just protect it from public entrance
15:56 < dan__t> hh
15:57 < dan__t> heh
15:57 < krzie> basically i only wanna monitor 2 networks, 1 has a webserver and 1 only can be reached with ping
15:57 < dan__t> 1.6.4 is the current release.
15:58 < krzie> ahh so its the port thats out of date
15:58 < krzie> *grabs source*
16:01 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
16:11 < Flumdahl> when i run the ccd part in openvpn... that ccd file for my server. can i setup for example 3 ips to one person there instead of only one ip ?
16:11 < krzie> huh?
16:11 < Flumdahl> yah ... in ccd/commonname
16:12 < Flumdahl> i write push "ip netmask"
16:12 < krzie> !static
16:12 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd
16:12 < krzie> ifconfig-push you meant
16:12 < Flumdahl> ah, i have push "ifconfig ip netmask"
16:13 < Flumdahl> krzie: but yes, that one. can i allow more ips there?
16:13 < krzie> i dont believe so
16:13 < krzie> this is vpn software
16:13 < krzie> that has no purpose in a vpn
16:13 < Flumdahl> uhm?
16:13 < krzie> why would you need to give more private vpn ips to a client?
16:14 < Flumdahl> its not private ip ...
its public internet ips
16:14 < krzie> possibly that can be done with a bridge, or with tun using NAT
16:15 < krzie> but i wont be the one helping with it
16:15 < Flumdahl> i have it bridged already
16:15 < krzie> umm dude
16:15 < Flumdahl> i will just setup a linuxserver and i will try it
16:15 < krzie> then why are you bothering with pushing ip
16:16 < krzie> just take the ips, you're on the same lan
16:16 < Flumdahl> krzie: that is what i dont want to be allowed
16:16 < krzie> thats bridged
16:16 < Flumdahl> i dont want the client to be able to just "take" ips
16:16 < krzie> when you bridge you're on the same lan
16:16 < krzie> too bad, you are using a bridge
16:16 < Flumdahl> i wanna have some control so client1 dont steal client2's ips
16:17 < krzie> then dont use a bridge
16:17 < Flumdahl> i need bridge to use the public ips ?
16:17 < krzie> but you also cant use topology subnet i believe
16:17 < krzie> which means you need to waste 4 ips per client
16:17 < krzie> no, i said you can do it with a NAT
16:17 < krzie> but youd still need to waste 4 ips per client
16:17 < krzie> using net30 topology
16:17 < krzie> otherwise a client can just ifconfig to another ip
16:18 < Flumdahl> i will test if it works with more ips in ccd file
16:18 < krzie> err wait tho
16:18 < krzie> youd be wasting 4 internal VPN ips with tun, not public
16:18 < Flumdahl> just going to install the server first that i will try as client
16:18 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
16:19 < krzie> then you can use bidirectional NAT (ipf called this binat) to nat the ip both ways (in and out)
16:19 < krzie> BUT, you wont be able to give multiple over the same link
16:19 < krzie> because net30 uses a /30
16:19 < krzie> the other ips would need their own /30
16:33 < Flumdahl> works perfect :D
16:33 < krzie> what does?
16:33 < Flumdahl> bridge and put in more ips in ccd/file
16:33 < krzie> cool
16:34 < Flumdahl> if i dont have ips there it wont work at all
16:34 < krzie> now connect a second client
16:34 < krzie> and manually ifconfig to an ip taken by first
16:34 < krzie> or even better, disconnect first client, connect second
16:34 < krzie> second gets its ips
16:34 < krzie> then manually ifconfig to first clients ip and watch it get jacked
16:35 < krzie> then connect a third while the first 2 are connected xfering traffic
16:35 < Flumdahl> i dont have more than 1 user on the server conf
16:35 < krzie> then arp poison client 1 and 2 and sniff all their traffic (and your lans traffic) over the bridge
16:35 < dan__t> 4325:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 42
16:35 < dan__t> what the fuck.
16:36 < krzie> i wanna have some control so client1 dont steal client2's ips
16:36 < krzie> im telling you right now, he easily can
16:36 < krzie> not only that, but he can sniff the traffic over the bridge
16:36 < krzie> not just from other clients, but from the whole lan, anyone on the same switch as server
16:37 < krzie> thats not openvpn's fault, its how layer2 works
16:37 < Flumdahl> krzie: i cant steal ips now.
16:37 < Flumdahl> i tried to steal my workstations ip over the vpn
16:37 < krzie> sure you can
16:38 < Flumdahl> no ip conflicts or nothing
16:38 < krzie> i could :-p
16:39 < dan__t> me too, me toO!
16:40 < krzie> a bridged in client can do anything he could if he was attached to the same switch
16:40 < krzie> because HE IS attached to the same switch
16:40 < krzie> via a bridge
16:41 < Flumdahl> krzie: this vpn solution i am working with is not for some secure network ...
its for swedish people to go away from the swedish laws
16:41 < krzie> i easily tunnel my traffic outside of my area using a tun
16:42 < krzie> but i dont need public ips for people to reach me from
16:42 < krzie> if i did ild use ssh port forwarding
16:49 < dan__t> So just by LOOKING at a client certificate I can't tell that it has been revoked, right
16:49 < dan__t> I'd need to look at the crl
16:49 < krzie> right
16:49 < dan__t> Because... naturally, I can't modify the client cert.
16:49 < dan__t> Ok. Alright. I get it now.
16:49 < krzie> how could you change the cert thats been stolen
16:50 < dan__t> PKI, you silly fuck.
16:50 < dan__t> You're my bitch now.
16:50 < krzie> lol
16:54 < Exilant> ok, i switched back to tun, and it is working better than ever before, i can ping the vpn server, and access the https server on the same machine. but if i try other computers in the private network, i get "Destination Port Unreachable". I'm trying to figure that out, but thanks for the hints so far :)
16:54 < krzie> !route
16:54 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:54 < krzie> there is my writeup for exactly what you want
16:55 < krzie> my writeup assumes 1 server and 2 clients, all with lans behind them to connect to
16:55 < krzie> so its likely a little more complicated than your setup, but provides all info you need
16:56 < dan__t> What is the 'serial' file used for, when using OpenSSL?
16:56 < krzie> making your CRL
16:56 < dan__t> Its just an incremental number.
16:56 < krzie> i believe
16:56 < dan__t> openssl updates it etc etc
16:58 < dan__t> real 0m16.479s
16:58 < dan__t> Just batch made 100 keys, csr's, and crt's
16:58 < dan__t> not bad
16:58 < dan__t> and signed them
16:58 < dan__t> well, duh, implying .crt
16:58 < krzie> ya a crt is a signed csr
16:58 < krzie> hehe
16:59 < Exilant> krzie: are you sure?
i thought that implies it gets routed correctly, but gets stuck in some firewall?
17:01 < dan__t> route != firewall
17:01 < dan__t> route = clue of how to get somewhere
17:03 < krzie> Exilant
17:03 < krzie> !route
17:03 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:03 < krzie> read it
17:07 < dan__t> hrm
17:07 < dan__t> Just made a script to pull some routes from MySQL, to be stuffed in a ccd
17:07 < dan__t> there's a client-connect option I think
17:07 < dan__t> Which passes the CN of the key as an argument in an env var
17:07 < dan__t> So I'm taking that, then building a dynamic CCD file based on that.
17:07 < dan__t> Then, client-disconnect will remove it.
17:08 < dan__t> I really hope this works. I'm going to test this out with a bunch of doctors
17:08 < dan__t> They'll be using the OpenVPN client from XP and Vista
17:11 < krzie> no dont build dynamic ccd option
17:11 < krzie> !iporder
17:11 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
17:11 < krzie> just give static ip from client-connect
17:12 < krzie> thats what its for!
17:12 < dan__t> no..... i need routes
17:12 < dan__t> I want to push a shitton of specific routes to clients, on a per-client basis.
17:12 < krzie> oh bleh right
17:12 < dan__t> The only mangling I'm going to do with IPs are to use iptables' SNAT
17:12 < krzie> cant push routes directly from the script?
17:12 < dan__t> But that comes way after openvpn, so its a non-issue
17:12 < dan__t> no, because each client could/may be different.
17:12 < krzie> oh no that would be from a diff script
17:12 < krzie> an --up script
17:13 < dan__t> Yeah
17:13 < krzie> which would run on client
17:13 < dan__t> No
17:13 < krzie> so i guess you're doing it right, interesting setup
17:13 < dan__t> I'd push routes from the server
17:13 < dan__t> yeah
17:13 < krzie> right i gotchya
17:13 < dan__t> using 'push' from that ccd
17:13 < dan__t> ccd file
17:13 < krzie> im interested to hear how that does
17:13 < dan__t> Yeah dude this could be bad-ass.
17:13 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
17:13 < dan__t> I'm going to POC this and if it works, I'll be interested in learning more about licensing
17:14 < krzie> if its shell script either make it nice and give it to james for inclusion, or ild be happy to help clean it up for ya
17:14 < krzie> my personal fav license is the BSD license
17:14 < krzie> it basically says: you can use this ANY way you want, just dont claim you wrote it, give me my props
17:15 < dan__t> wlrd
17:15 < dan__t> word
17:15 < krzie> which is why you see so much BSD code in the major OS's
17:15 < dan__t> there's a commercial agenda behind all of this but I'll contribute what I am able to.
17:15 < dan__t> The least I can do is give some back.
17:15 < dan__t> I'll definitely give out the scripts for pulling ccd data from mysql like I'm doing
17:16 < krzie> werd
17:16 < krzie> im not much of a coder but definitely know scripting
17:16 < krzie> so happy to help any way you need etc
17:16 < krzie> but i have no mysql so no testing from me, lol
17:17 < dan__t> the sad part is
17:17 < dan__t> most of it is going to be php
17:17 < dan__t> heh
17:22 < krzie> ahh
17:25 < dan__t> Man
17:25 < dan__t> I still hurt.
17:25 < krzie> next time tell him you wanna be on top
17:25 < krzie> OOOOOOOOOO
17:25 < krzie> lol
17:25 < dan__t> heh
17:26 < dan__t> Mmmm, no
17:26 < dan__t> You wish that were the case, eh
17:26 < krzie> haha
17:28 < dan__t> http://l7-filter.sourceforge.net/
17:28 < vpnHelper> Title: Application Layer Packet Classifier for Linux (at l7-filter.sourceforge.net)
17:28 < dan__t> seen that before
17:28 < dan__t> ?
17:28 < dan__t> trying to block p2p voa openvpn
17:28 < dan__t> via, rather
17:28 < dan__t> p2p and torrents
17:33 -!- ]SintaX[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has quit [Read error: 110 (Connection timed out)]
17:57 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
18:01 < Exilant> yay, got it working
18:01 < Exilant> thanks all
18:10 -!- gallatin [n=gallatin@dslb-092-072-077-251.pools.arcor-ip.net] has quit ["Client exiting"]
18:23 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has quit []
18:28 < krzie> yw
18:36 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
18:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
19:10 < dan__t> Cool, my gf is buying me smokes.
19:10 < dan__t> $90.00 in sushi last night and she goddam better do whatever I tell her to.
19:10 < krzie> lol
19:10 < krzie> oh hey reiffert ya here?
19:40 -!- Exilant [i=goelzera@berlin.ethz.ch] has quit ["e^P-P = 20.
For large values of P or small values of 20."]
20:24 -!- belZe [i=noone@p5091CE96.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:24 -!- belZe [i=noone@p5091D590.dip.t-dialin.net] has joined ##openvpn
20:36 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
21:17 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
21:17 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
21:42 < dan__t> Hmm, another night of hacking.
21:50 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has quit ["Leaving"]
21:52 < onats> $90 dollar sushi? what's included in it?
21:53 < onats> a Chirashi-Don here costs $10. with uni/unagi
22:01 < dan__t> We ate a shitton.
22:01 < dan__t> And the sake didn't help.
22:01 < dan__t> Anyone have a definition on the format of OpenSSL's crl list?
22:09 < onats> what's a shitton?
22:09 < onats> "shit" on?
22:09 < onats> lol
22:10 < dan__t> like five sake bomber rounds worth
22:10 < dan__t> like a 10oz thing of sake and a tall Kirin
22:10 < dan__t> That's good for 2-3 good ones
22:11 < dan__t> No wonder everyone hates OpenSSL.
22:11 < onats> why?
22:11 < dan__t> Half of the stuff you actually want details on is not documented.
22:12 < onats> guess that's how the originators got paid...
22:13 < dan__t> And continue to get paid.
22:24 < dan__t> http://www.unrest.ca/Unix-and-Administration/working-with-ssl-certificates
22:24 < vpnHelper> Title: Working with SSL Certificates | Knowledge Base (at www.unrest.ca)
22:24 < dan__t> Jackpot.
23:05 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn
23:08 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
23:12 < mf_417> Hi, I have configured an OpenVPN server and provided an ipp.txt file with the hope that my assigned IPs will be from this pool, but unfortunately clients did not get the IPs I assigned :(( any Idea?
23:14 < mf_417> ping
23:58 -!- miguelcma [n=miguelcm@87-196-111-144.net.novis.pt] has joined ##openvpn
23:58 < miguelcma> hi. i'm trying to apply rules like "route " (usually on server.conf)
23:59 < miguelcma> but i want them applied only when a specific client connects
23:59 < miguelcma> how can I do it?
--- Day changed Sun Apr 05 2009
00:36 -!- miguelcma [n=miguelcm@87-196-111-144.net.novis.pt] has quit ["Leaving"]
00:52 < onats> miguelcma, you should create CCD entries for each client
00:52 < onats> !ccd
00:52 < vpnHelper> onats: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
00:52 < onats> woops
02:10 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn []
02:16 < dan__t> wat
03:11 -!- dirkD [n=dirk@dirkdokter.nl] has joined ##openvpn
03:12 < dirkD> !logs
03:12 < vpnHelper> dirkD: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
03:26 < dirkD> i have set up a bridged vpn, with a separate DHCP server, and there is traffic going over it :)
03:26 < dirkD> But.... just non-ip traffic. DHCP works, but i can't ping from the client to the server and vice versa.
03:26 < dirkD> Ping from server to client: nothing.
03:26 < dirkD> Ping from client to server: i see requests coming in on the server, but the server doesn't respond.
03:26 < dirkD> - iptables: http://pastebin.com/m3b01a263 and http://pastebin.com/mb04d88
03:26 < dirkD> - openvpn configs: http://pastebin.com/m16a8648a and http://pastebin.com/mc1e3f5a
03:26 < dirkD> - routing tables: http://pastebin.com/m514e29b4 and http://pastebin.com/m1681e690
03:26 < dirkD> - interfaces: http://pastebin.com/m7b522092 and http://pastebin.com/m779a7278
03:26 < dirkD> XCENTOS is the openvpn server, SERVER1 is the openvpn client
03:26 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
03:33 < reiffert> dirkD: ping from server to client: On which interface do you see the icmp packets while running tcpdump?
03:35 < reiffert> and please show us a brctl show br0
03:36 < dirkD> that's the problem: i don't see any icmp traffic when pinging from the server to the client
03:36 < dirkD> but i do see this:
03:36 < dirkD> 12:28:31.928011 arp reply 192.168.45.66 is-at 8a:c9:64:d8:ec:e8 (oui Unknown)
03:36 < dirkD> 12:28:32.870331 arp who-has 192.168.45.66 tell xcentos
03:36 < dirkD> 12:28:32.927902 arp reply 192.168.45.66 is-at 8a:c9:64:d8:ec:e8 (oui Unknown)
03:36 < dirkD> 12:28:33.870354 arp who-has 192.168.45.66 tell xcentos
03:36 < reiffert> And what exactly is tap1 used for on server?
03:36 < dirkD> it's not used
03:36 < dirkD> should i remove it?
03:37 < dirkD> http://pastebin.com/m2bd1e26c
03:37 < dirkD> aha
03:37 < dirkD> it's in the bridge
03:38 < reiffert> why do you get arp request for 45.66? Should be within the same range as the br0 Interface
03:39 < reiffert> which is 192.168.1.0/24
03:40 < dirkD> uhm, my vpn subnet is 192.168.45.0/24
03:40 < reiffert> 10:26 < dirkD> - interfaces: http://pastebin.com/m7b522092 and http://pastebin.com/m779a7278
03:40 < reiffert> which one is that from the server?
03:42 < reiffert> You dont have a vpn subnet when using bridging.
You create your bridge like this:
03:42 < dirkD> xcentos is the server
03:42 < dirkD> but isn't it possible to use a separate subnet for it?
03:42 < dirkD> or do i need a virtual interface on eth0 then?
03:42 < reiffert> look:
03:43 < reiffert> tap0 and eth0 both must not have an ip address assigned to them
03:43 < reiffert> they both are bound on br0
03:43 < reiffert> which carries one IP address.
03:43 < dirkD> aha
03:44 < reiffert> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
03:44 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
03:44 < dirkD> yes, but it worked some time ago
03:45 < reiffert> for the beginning, you can let the openvpn server play the dhcp server for the openvpn clients.
03:45 < reiffert> thats done by server_bridge directive, see the manpage for an example
03:45 < reiffert> sorry, server-bridge that is
03:45 < dirkD> yes, but is it possible to use dynamic dns updates then?
03:45 < reiffert> yes.
03:47 < reiffert> ah well, it is not, but I'd recommend using the server-bridge directive at the beginning to get things working
03:48 < reiffert> so again, tap0[1,2,3], eth0 no IP address (0.0.0.0 promisc up)
03:48 < reiffert> br0 one ip address
03:48 < reiffert> clients get an ip address within that subnet.
03:51 < dirkD> ok, but the lan subnet is the same on the client and the server
03:51 < reiffert> hm?
03:51 < dirkD> oh, wait, i could make a virtual interface on the bridge i think
03:51 < reiffert> ??
03:52 < dirkD> the client and server are both in 192.168.1.0/24
03:52 < reiffert> you dont need .45.0
03:53 < dirkD> but.... won't i get conflicts when i use 192.168.1.0/24 for both the VPN and the LAN on both sides?
03:53 < reiffert> so tell me, what do you know about ethernet bridging and why do you want to use it?
03:54 < dirkD> brb in 20 minutes
03:54 < dirkD> then i'll draw it
04:11 -!- Flumdahl [i=n30@shell.auth.se] has quit ["reboot && upgrade world."]
04:12 < dirkD> reiffert: http://webmeeting.dimdim.com/portal/JoinForm.action?meetingRoomName=dirkd
04:12 < vpnHelper> Title: Welcome to Dimdim. (at webmeeting.dimdim.com)
04:14 < dan__t> !30
04:14 < vpnHelper> dan__t: Error: "30" is not a valid command.
04:14 < dan__t> !/30
04:14 < vpnHelper> dan__t: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
04:14 < dan__t> bitch
04:14 < dan__t> !topology
04:14 < vpnHelper> dan__t: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:18 < dirkD> reiffert: so that's the idea
04:19 < dirkD> reiffert: like this, machines on the xcentos end don't need the openvpn client
04:20 < dirkD> and like this it's easy to add a machine to the 'vpn'
04:20 < dirkD> just by adding a virtual nic with a 192.168.45.x ip-address
04:28 < dirkD> reiffert: never mind, i understand it now :)
04:29 < dirkD> thanks for your help
04:33 < dan__t> Maximum length of --push buffer (1024) has been exceeded
04:33 < dan__t> Come on.
04:33 < dan__t> Seriously?
04:34 < reiffert> !factoids search push buffer
04:34 < vpnHelper> reiffert: No keys matched that query.
04:34 < reiffert> !factoids search push
04:34 < vpnHelper> reiffert: 'push', 'push-reset', 'pushlimit', and 'pushdns'
04:34 < reiffert> !pushlimit
04:34 < vpnHelper> reiffert: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
04:34 < dan__t> I see it.. I'm going to make common.h my bitch.
04:34 < reiffert> !factoids search push block
04:34 < vpnHelper> reiffert: No keys matched that query.
04:35 < reiffert> dan__t: good luck
04:35 < dan__t> I'll let ya know.
04:35 < reiffert> dirkD: welcome
04:36 < dirkD> oops, now i have another problem of course
04:36 < dirkD> i un-bridged tap0
04:36 < dirkD> and gave it a 192.168.45.x ip
04:37 < dirkD> but how to let the computers on the xcentos side connect to that ip now?
04:41 < dirkD> nvm, fixed with a virtual interface on the bridge
04:42 < dan__t> 131072
04:42 < dan__t> We'll see how well that works.
04:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
05:27 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
06:01 < dan__t> Hah. It worked.
06:08 < dan__t> Apr 5 04:08:17 centos5 openvpn[19193]: OpenVPN ROUTE: cannot add more than 100 routes
06:08 < dan__t> God damnit.
06:09 < reiffert> dan__t: wtf?
06:11 < dan__t> Yeah.
06:11 < dan__t> Rebuilding with MAX_ROUTES 16384
06:19 < dan__t> [root@centos5-test1 SOURCES]# route -n|wc -l
06:19 < dan__t> 191
06:19 < dan__t> Apr 5 04:19:32 centos5 openvpn[28387]: ERROR: Linux route add command failed: external program exited with error status: 2
06:19 < dan__t> Coincidence? I think not.
06:21 < dan__t> Oh, maybe that's correct.
06:47 < dan__t> FWIW, OpenVPN blows up between 514 and 550 routes
06:47 < dan__t> Wigs out with: Apr 5 04:46:01 centos5 openvpn[5527]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
06:48 < dan__t> ...which is a lie.
06:58 < dan__t> beh. can't run client-connect inside ccd files eh
07:06 < reiffert> dan__t: why should you?
07:07 < dan__t> Guess it doesn't matter so long as I have $1
07:09 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
08:09 < ecrist> dan__t: why do you have so many routes?
08:25 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
08:34 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
08:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
08:55 < timttwtdi> !pastebin
08:55 < vpnHelper> timttwtdi: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
09:00 < timttwtdi> I wonder if someone could help me.
09:01 < timttwtdi> I believe there is something wrong with my openvpn server configuration because the routes and forwarding of the settings once running act predictably, but don't actually facilitate two-way operation of the vpn.
09:02 < timttwtdi> here are my server and client configs along with the output of route: http://pastebin.com/f6021bff8
09:02 < sunga> does anyone know a good windows firewall where I can choose the interface on which it should work (separate rules for separate interfaces) and that is able to allow ip ranges and single ips to a certain interface?
09:06 < timttwtdi> ping requests from a vpn endpoint are received by the server and forwarded to the subnet for which the vpn server is also a gateway (192.168.2.0/24) and the vpn server receives a reply, but does not forward that reply back to the vpn endpoint.
09:12 < timttwtdi> there are no rules in iptables and /proc/sys/net/ipv4/ip_forward is obviously '1'
09:14 < ecrist> sunga: checkpoint
09:15 < ecrist> timttwtdi: see here
09:15 < ecrist> !route
09:15 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:15 < timttwtdi> I should amend what I said earlier ^^^^ that the route rules act predictably but don't facilitate operation. The 'once-removed' method of routing via an undefined intermediate ip does work (as I see on the client) but doesn't seem to be working for the server.
09:16 < timttwtdi> ecrist, I have read that. iroute does not apply in my case.
09:17 < timttwtdi> and the routes to return the reply to the vpn endpoint do seem to exist.
09:18 < ecrist> what, specifically, isn't working? give me an example
09:19 < timttwtdi> ping requests from a vpn endpoint are received by the server and forwarded to the subnet for which the vpn server is also a gateway (192.168.2.0/24) and the vpn server receives a reply, but does not forward that reply back to the vpn endpoint.
09:19 < timttwtdi> tcpdump verifies this exact behavior
09:19 < ecrist> what version of openvpn?
09:19 < timttwtdi> 2.1~rc11-1
09:21 < timttwtdi> I am pinging from 192.168.3.6 (a vpn endpoint) to 192.168.2.10 (hostname 'water') on the subnet behind the openvpn server and receive replies
09:21 < timttwtdi> tcpdump -i eth0 on the vpn server:
09:21 < timttwtdi> 09:19:33.957359 IP water.local > 192.168.3.6: ICMP echo reply, id 3136, seq 716, length 64
09:21 < ecrist> timttwtdi: sounds like a firewall issue
09:22 < timttwtdi> tcpdump -i tun0 only displays the requests on the server; no replies.
09:22 < timttwtdi> iptables -L shows no entries.
09:22 < ecrist> so, you're not seeing the reply hit the OpenVPN server at all? you're only showing the reply leaving the client machine?
09:23 < reiffert> ecrist: no, he's watching the replies entering the LAN NIC on the VPN Server.
09:23 < timttwtdi> sorry, that was incorrect
09:23 < reiffert> timttwtdi: hint: use -n on tcpdump.
09:23 < ecrist> oh, didn't see the line above the tcpdump output, my mistake
09:24 < reiffert> timttwtdi: paste the routing table: route -n
09:25 < timttwtdi> duh!
09:26 < timttwtdi> sorry; what I meant earlier was that I had cleared rules from my firewall.
09:26 < timttwtdi> someone just pointed out to me that I had only added 3 of the necessary 4 rules to iptables
09:27 < ecrist> grr
09:27 < reiffert> spark
09:28 < timttwtdi> I had added the accept forward rule on the physical interface, but not the accept input rule
09:28 < ecrist> it's ok, everyone blows me off when I tell them their issue is their firewall.
09:28 < timttwtdi> it's frustrating because I knew that I needed all four and didn't notice that it was missing.
09:28 * ecrist points at channel topic
09:29 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has left ##openvpn ["Leaving"]
09:29 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has joined ##openvpn
09:29 < ecrist> fucker
09:29 < timttwtdi> ?
09:30 < ecrist> :P thought you left without a 'thank you'
09:30 < ecrist> well, I'm out. going to watch some tv before work.
09:30 < timttwtdi> leaving was the only way I knew how to see the topic (I've been on the channel for two days)
09:31 < timttwtdi> ecrist, thank you very much.
09:48 < ecrist> timttwtdi: /topic usually works. :)
10:38 < timttwtdi> oh. thank you.
10:50 -!- mode/##openvpn [+o ecrist] by ChanServ
10:50 -!- mode/##openvpn [-b *!*n=mjt@*.corpit.ru] by ecrist
10:50 -!- mode/##openvpn [-o ecrist] by ecrist
11:19 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
11:24 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
11:29 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
11:29 < thedoc> !howto
11:29 < vpnHelper> thedoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:29 < thedoc> Is that a trigger? ;p
11:32 < thedoc> Well well, I got it ;)
11:32 < thedoc> Thanks guys!
11:32 -!- thedoc [n=andelyx@unaffiliated/thedoc] has left ##openvpn []
11:56 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has quit ["Leaving"]
12:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
12:12 < theDoc> Hello all, can someone please point me to some resource? I have my vpn tunnel up however, it seems to be assigning me a x.x.x.6 with a /30 subnet mask and ipconfig is showing the gateway as empty.
12:12 < theDoc> Is there something else I'm missing to route all traffic over the vpn when it's up?
12:13 < theDoc> 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.97.58.1,topology net30,ping 10,ping-restart 120,ifconfig 10.97.58.6 10.97.58.5' (status=1) -- I'm seeing this in the logs but the client machine isn't making changes to its routing table.
12:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:17 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
12:18 < theDoc> No one at all? :o
12:21 < krzee> ?
12:24 < theDoc> krzee: I'm wondering why my vpn tunnel comes up but the gateway is left blank and all the traffic is still being routed over my normal wlan0 interface.
12:24 < theDoc> krzee: I'm not sure what I'm missing. However, the logs are showing, ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=29]
12:24 < theDoc> and this, Mon Apr 06 01:19:10 2009 route ADD 10.97.58.1 MASK 255.255.255.255 10.97.58.9
12:25 < theDoc> I'm not sure why it's not tunneling the traffic through. Windows 7 over here, for the client machine
12:25 < krzee> windows?
12:25 < krzee> !win7
12:25 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
12:25 < krzee> !winroute
12:25 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
12:25 < theDoc> Oh, ok.
12:25 < theDoc> Thanks!
12:25 < krzee> np =]
12:26 < theDoc> I'll give it a go, just got openvpn running for the first time.
12:26 < krzee> also you mentioned gateway stuff
12:26 < krzee> you using redirect-gateway?
12:28 < reiffert> he is
12:29 < reiffert> 19:13 < theDoc> 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.97.58.1,topology net30,ping 10,ping-restart 120,ifconfig 10.97.58.6 10.97.58.5' (status=1) --
12:29 < krzee> looks like you're pushing dns
12:29 < krzee> !pushdns
12:29 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit
12:29 < krzee> see link 1
12:30 < krzee> aka factoid #2
12:30 < reiffert> he is missing the gateway.
12:30 < krzee> show us the redirect-gateway line
12:30 < reiffert> not sure about that "bypass-dhcp"
12:30 < krzee> are you tunneling over ppp btw?
12:31 < krzee> !dhcp
12:31 < vpnHelper> krzee: "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
12:32 < krzee> theDoc, is this a dialup link?
12:33 < krzee> oh reiffert
12:33 < krzee> i made my #1 on the island my girlfriend
12:35 -!- doc`hmm [n=andelyx@bb116-15-11-145.singnet.com.sg] has joined ##openvpn
12:36 < doc`hmm> krzee: It works :)
12:36 < doc`hmm> Thanks!
12:36 < doc`hmm> Just wondering why, it's a one way traffic now ;p
12:36 < krzee> huh?
12:37 < doc`hmm> krzee: Well, the tunnel is up and I can ping the vpn server, no traffic goes out of it though.
12:37 < krzee> !linnat
12:37 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:37 < doc`hmm> Doh, it's coming to 2am. I should get sleep and work on it tomorrow.
12:37 < krzee> !linipforward
12:37 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
12:37 < krzee> your vpn server must be running nat and have ip forwarding enabled
12:38 < doc`hmm> krzee: That vpn server has a routable ip on the public internet
12:38 < krzee> and the vpn hands out a non-routable ip
12:38 < krzee> which must be NAT'ed if you want internet over the vpn
12:39 < doc`hmm> krzee: home box --> public internet --> vpn server --> internet
12:39 < doc`hmm> That's the current setup I have at the moment
12:39 < ecrist> unless you push 'real' ips from your vpn, which is *very* rare. ;)
12:40 < doc`hmm> ecrist: Nope, that's not what I want to do (I think I read you right there), I want to tunnel all traffic into the vpn server and push it out from there.
12:41 < doc`hmm> Oh yes, I do need NAT.
12:41 < doc`hmm> wtf.
12:41 < doc`hmm> >_>
12:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
12:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)]
12:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:48 < krzee> no shit doc`hmm
12:48 < krzee> thats why i told you you do
12:48 < krzee> 10.97.58.6 is client1's ip
12:48 < krzee> which means you used server 10.97.58.0 255.255.255.0 or something similar
12:48 < krzee> which is NOT routable on the internet
12:49 < doc`hmm> Oh, yes.
12:49 < doc`hmm> That's right.
12:49 < doc`hmm> It's 2am. I need to go slap myself
12:49 < doc`hmm> >_>
12:49 < doc`hmm> krzee: sorry, wasn't thinking ;)
12:52 < doc`hmm> Ok, time for bed.
12:52 < doc`hmm> I'll work on it tml ;p
12:52 < doc`hmm> krzee: Thanks for the help :)
12:54 < krzee> yw =]
13:16 -!- doc`hmm [n=andelyx@bb116-15-11-145.singnet.com.sg] has quit [Read error: 113 (No route to host)]
13:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:01 < krzie> damn i was a dick earlier
14:01 < krzie> thats what a nice whiskey hangover will do
14:03 * Bushmills recalls krzie claiming that he's not prone to hangovers
14:03 < krzie> doesnt happen often
14:03 < krzie> but i also never drink whiskey
14:05 < Bushmills> hehe. i never got a hangover from a substance I didn't drink
14:05 < krzie> no choice last night, they had no rum or beer
14:05 < krzie> i was like fuckit bring me whiskey (since there isnt a place on the island that doesnt have whiskey)
14:07 < Bushmills> time for moonshining
14:08 * Bushmills watches the yeast bubbling merrily
14:09 < Bushmills> one earlier batch: http://forthfreak.net/ginger/img_1354.jpg
14:14 < krzie> haha sweet
14:14 < krzie> reminds me of being in jail
14:15 < krzie> making the pruno and the banana rama
14:15 < Bushmills> sounds good
14:15 < krzie> the pruno didnt taste too good, but it did the job
14:16 < Bushmills> reiffert had some of that stuff, so I can refer to second opinion
14:16 < krzie> oh you're local to reif?
14:18 < Bushmills> yes
14:18 < krzie> awesome man
14:20 < Bushmills> well, not always, in the past. distance was as far between 500 and 1500 km, and 15 km now.
14:21 < krzie> ahh so you guys have known each other a long time
14:21 < Bushmills> shortest, a few years back, was about 1 km
14:21 < Bushmills> several years, yes
14:41 < Bushmills> a few days ago i made my most economic alcoholic drink as far, which was a kind of lemon wine
14:42 < Bushmills> came down to about 20 c per liter
14:43 < Bushmills> right now, apples are bubbling
14:52 < krzee> awesome!
14:56 < Bushmills> stuff in the bottles is gingerbeer. alcoholic. caribbean variation.
14:57 < krzee> <-- lives in the caribbean
14:57 < Bushmills> that's why i mention it :D
14:57 < krzee> =]
15:00 < Bushmills> but i tend to make that stuff much stronger than literature suggests.
15:01 < Bushmills> 4 times as much or even more ginger
15:01 < dan__t> Hi.
15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
15:03 < dan__t> hey krzee
15:03 < dan__t> http://pastebin.ca/1382964
15:04 < krzee> hehe werd
15:06 < dan__t> At least I can manage and record all the data now.
15:14 < krzee> !factoids search win
15:14 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', and 'win7'
15:14 < krzee> !win_noadmin
15:14 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
15:15 < krzee> !learn win_noadmin as and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:15 < vpnHelper> krzee: Joo got it.
15:15 < krzee> !win_noadmin
15:15 < vpnHelper> krzee: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:15 -!- wuffi600 [n=keck0f@g224200215.adsl.alicedsl.de] has joined ##openvpn
15:16 < wuffi600> hi.
15:16 < krzee> dan__t, sounds like you're partially on your way to a badass gui
15:16 < krzee> dan__t, maybe you should play with management interface too
15:16 < dan__t> Just some interesting PHP
15:16 < dan__t> Yeah that's next.
15:16 < krzee> you could end up with something really really nice
15:16 < krzee> hey wuffi600
15:18 < wuffi600> Can openvpn act as a pptp-client to connect to a microsoft-vpn-Server using mschapv2?
15:19 < krzee> !notcompat
15:19 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
15:19 < wuffi600> krzee, thanx for that quick and good answer..
15:19 < krzee> np
15:20 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
15:21 < wuffi600> krzee, could you recommend another tool apart from "linux-pptp" that could do the job? maybe stunnel?
15:22 < krzee> nope, i cant
15:22 < krzee> ive never used pptp and likely never will
15:22 < wuffi600> krzee. thank you
15:22 < krzee> np
15:22 < wuffi600> krzee, have a nice day.
15:22 < krzee> you too =]
15:22 -!- wuffi600 [n=keck0f@g224200215.adsl.alicedsl.de] has left ##openvpn []
15:22 < krzee> hey dan
15:22 < krzee> whyd the little girl walk around with a fish in her pocket?
15:23 < krzee> so she could smell like the big girl!
15:26 < dan__t> heh
15:34 < dan__t> Speaking of women.. mine will be here soon, we're going to go apt shopping
15:34 < dan__t> Which means I need a shower. bbl.
15:35 < krzee> adios
15:43 -!- sunga [n=naft@77.109.122.179] has quit ["pieuw pieuw"]
15:49 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
15:50 -!- M08w is now known as M06w
15:59 < krzee> !man
15:59 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:33 -!- Borf [n=Borf@5ED293EA.cable.ziggo.nl] has quit [Read error: 104 (Connection reset by peer)]
16:38 -!- mepholic [n=what@67.202.101.69] has joined ##openvpn
16:38 < mepholic> hi guys
16:38 < mepholic> do diffie-hellman parameters need to be generated for every vpn server on a vpn?
16:38 < mepholic> or only once for the first?
16:39 < krzee> theres multiple servers?
16:39 < mepholic> yeah
16:40 < krzee> how so...
16:40 < mepholic> well, this vpn is basically
16:40 < mepholic> a bunch of servers at different datacenters
16:40 < mepholic> hooked up to a vpn
16:41 < mepholic> i want to have multiple vpn servers hooked up to the vpn as failsafes
16:41 < krzee> but as far as the vpn is concerned
16:41 < krzee> theres only 1 server
16:41 < krzee> the rest are clients
16:41 < mepholic> no
16:41 < mepholic> i want there to be 2 or 3 servers
16:41 < mepholic> with the rest being clients
16:41 < krzee> umm sure
16:41 < krzee> yes, every server gets dh params
16:41 < mepholic> ok
16:41 < krzee> same or not, no biggie
16:42 < mepholic> thanks
17:12 < dan__t> hi.
17:19 < dan__t> Anyone familiar with building tunnelblock from a svn co?
17:20 < Flumdahl> is there any way to bandwidth limit a vpn server in the server.conf ?
17:21 < dan__t> Use --shaper
17:22 < dan__t> (on both client and server)
17:22 < Flumdahl> but if the client changes it?
17:24 < dan__t> Read the man page that discusses that.
18:12 -!- sjzzalx [n=jeff@70.102.50.18] has quit ["Leaving."]
18:44 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
19:14 -!- mepholic [n=what@67.202.101.69] has quit [Remote closed the connection]
19:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
19:31 -!- doc`hmm [n=andelyx@bb116-15-5-251.singnet.com.sg] has joined ##openvpn
19:42 -!- carpe_ is now known as plaerzen
19:46 -!- doc`hmm [n=andelyx@bb116-15-5-251.singnet.com.sg] has quit [Read error: 113 (No route to host)]
19:47 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Operation timed out]
19:47 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
19:55 < dan__t> krzie
19:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:05 -!- doc`hmm [n=andelyx@119.73.165.162] has joined ##openvpn
20:05 -!- doc`hmm is now known as theDoc
20:35 -!- belZe [i=noone@p5091D590.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:35 -!- belZe [i=server3@p5091CAF6.dip.t-dialin.net] has joined ##openvpn
20:39 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn
20:44 -!- blahdeblah [n=paulgear@124-171-161-177.dyn.iinet.net.au] has joined ##openvpn
20:44 < blahdeblah> !howto
20:44 < vpnHelper> blahdeblah: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:44 < blahdeblah> !route
20:44 < vpnHelper> blahdeblah: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:47 * dan__t stabs krzee
20:47 < blahdeblah> Hi. I've already read the howto, and it doesn't seem to indicate whether it's possible to reload the openvpn multi-client server without disconnecting the clients
20:47 < blahdeblah> I'm working for a company that has about 25 remote sites to connect via openvpn, and they want to be able to change options (esp. routes) and restart individual clients without affecting everyone. Is this possible?
20:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
20:55 < dan__t> Hmm, good question.
20:58 < blahdeblah> Good questions are cool; good answers are better! ;-)
21:00 < blahdeblah> As an alternative to no-disconnect restarts, is there a way that we can either aggregate all client LAN routes in one server route directive, or specify the route directive in the CCD?
21:02 < blahdeblah> e.g. if i have up to 254 clients, each using a 192.168.x.0/24 remote subnet, can i specify "route 192.168.0.0 255.255.0.0" to tell OpenVPN that all of those subnets should be routed through the tun interface?
21:03 < dan__t> Why couldn't you?
21:03 < dan__t> You could use a netmask or CIDR notation
21:04 < blahdeblah> I tried it and it didn't seem to work - i wondered whether i was missing something.
21:05 < dan__t> Give me an example of that route push
21:05 < dan__t> I take that back, I don't know if you can use CIDR
21:05 < blahdeblah> There's no push
21:05 < blahdeblah> I mean the server side
21:05 < dan__t> ooh.
21:05 < dan__t> Well sure I don't see why not.
21:05 < dan__t> route add -net 192.168.x.0/24 -dev tunXYZ ?
21:06 < blahdeblah> I'm talking about the route directive in openvpn's server.conf
21:07 < dan__t> each connection creates a tun interface
21:07 < dan__t> each separate connection, rather
21:07 < blahdeblah> Not in the server configuration
21:07 < blahdeblah> There's only tun0 on the server
21:07 < dan__t> Maybe I'm mistaken.
21:07 < dan__t> The clients *are* on the tun interface
21:07 < blahdeblah> Yep
21:07 < dan__t> What is your goal?
21:08 < blahdeblah> Hang on - writing an example
21:08 < dan__t> word
21:08 < dan__t> I'll brb, going to go burn one.
21:12 < blahdeblah> Let's say the head office server is 192.168.0.1/24 and it has incoming client connections from 192.168.1.1/24, 192.168.2.1/24, and 192.168.3.1/24 (LANs on remote office sites).
21:12 < blahdeblah> To get everything talking to everything, it seems you need these directives on the server: client-to-client, push "route 192.168.0.0 255.255.252.0" (to get the RO routing to HO), route 192.168.x.0 255.255.255.0 (for appropriate routing of each RO LAN), and iroute 192.168.x.0 255.255.255.0 (in the CCD file for each client).
21:13 < blahdeblah> This means that to add a new RO, you have to add its config to the HO server and restart, which causes VPN downtime for all ROs. I want to avoid this if possible.
21:31 < ecrist> sup, bitches?
21:31 < ecrist> I'm off to please my lady. Have fun with your keyboards. :P
21:32 < ecrist> blahdeblah: yes, you can reload the config on the server without booting clients
21:32 < ecrist> you need to use the management interface to do so, however, a SIGINT will disconnect all the clients.
21:32 < blahdeblah> ecrist: How? I've tried a number of combinations and none seem to work for me
21:33 * blahdeblah scratches his head - what management interface?
21:33 < ecrist> go http://openvpn.net/index.php/documentation/manuals/openvpn-21.html and search the page for 'management interface'
21:33 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
21:33 < blahdeblah> What about 2.0?
21:34 < ecrist> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
21:34 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
21:34 < ecrist> search the page for 'management interface'
21:34 * blahdeblah searches
21:34 < ecrist> right in the man page. ;)
21:35 < ecrist> here's another gem
21:35 < ecrist> http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
21:35 < vpnHelper> Title: Management Interface (at openvpn.net)
21:35 < ecrist> !mgmt
21:35 < vpnHelper> ecrist: Error: "mgmt" is not a valid command.
21:35 < ecrist> !learn mgmt as http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
21:35 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
21:36 < ecrist> !learn mgmt as http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
21:36 < vpnHelper> ecrist: Joo got it.
21:37 * blahdeblah turns on the management interface in his openvpn server
21:37 < blahdeblah> Thanks for the tip ecrist - that is well buried on the site. This is the first i've heard of it.
21:43 < blahdeblah> ecrist: So where is the restart option? Doesn't seem to be there in my 2.0.9 server
21:43 < blahdeblah> Reload config, i mean
21:47 < blahdeblah> http://linuxman.wikispaces.com/OpenVPN+remote+office+setup explains what i'm trying to achieve here. ecrist, dan__t: any suggestions greatly appreciated
21:47 < vpnHelper> Title: linuxman OpenVPN remote office setup (at linuxman.wikispaces.com)
21:47 * blahdeblah heads off for lunch
21:47 < dan__t> Oh shit.
21:47 < dan__t> I totally forgot.
21:51 < dan__t> reboot, brb.
22:01 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
22:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:05 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Client Quit]
22:08 -!- theDoc- [n=andelyx@119.73.165.162] has joined ##openvpn
22:09 -!- theDoc- [n=andelyx@119.73.165.162] has quit [Read error: 54 (Connection reset by peer)]
22:09 -!- theDoc- [n=andelyx@119.73.165.162] has joined ##openvpn
22:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Success]
23:56 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
--- Day changed Mon Apr 06 2009
00:36 -!- theDoc- is now known as theDoc
00:49 < dan__t> Any way to prevent a client from trying to change the IP address? They couldn't do that anyway right
00:49 < theDoc> dan__t: I believe you can set inside your server.conf file if you want to assign the same ip to the client
00:49 < dan__t> Well that's not so much it, but I don't want the client to be able to change IPs during a connection
00:50 < theDoc> dan__t: I'm new to this but I don't think your client can just change IP's during connection, since your server.conf file has specified the parameters for the connecting client
00:51 < dan__t> That's the answer I was hoping to hear
00:51 < theDoc> dan__t: I *don't* think they can do that, I'm not an expert on openvpn by any measure, still learning
00:52 < dan__t> Understood.
00:52 < dan__t> Also trying to find the difference between --client-connect, --up, --route-up etc etc. I think they all perform the same thing, just at different times.
00:56 < theDoc> ergh.
00:57 < theDoc> I hate stupid customers who insist that they're right.
00:57 < theDoc> Well fuck, if you're right, you wouldn't be coming to me with that problem now would you?!
00:58 < dan__t> haha
00:58 < dan__t> Nice.
00:58 < dan__t> So why does $common_name passed to a client-connect script contain a trailing underscore
00:58 < dan__t> common_name=dc60f2348413978b9e49f5be6685a949_
01:16 < krzee> dan__t, yes there is a way
01:16 < krzee> [01:49] Any way to prevent a client from trying to change the IP address? They couldn't do that anyway right
01:16 < krzee> use tunnel mode, with topology net30 (default)
01:17 < krzee> then force them into a static ip using a ccd entry or client-connect script
01:17 < krzee> this gives them their own /30
01:17 < krzee> so any attempt to change their address will result in no route
01:17 < krzee> because any other ip will be outside their /30
01:18 < krzee> !/30
01:18 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
01:18 < krzee> using bridge or topology subnet, they can change it
01:18 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Remote closed the connection]
01:18 < krzee> (i swear i broke that down to you before, but maybe it was someone else)
01:19 < krzee> [01:52] Also trying to find the difference between --client-connect, --up, --route-up etc etc. I think they all perform the same thing, just at different times.
01:19 < dan__t> word.
01:19 < krzee> they all are hooks to run an external script
01:19 < dan__t> just at different stages right
01:19 < krzee> but because they occur at different times, they have different uses
01:19 < dan__t> yeah
01:19 < dan__t> got it.
01:19 < dan__t> just clarifying.
01:23 < dan__t> rad, thank you.
01:27 < krzee> np =]
01:43 < theDoc> Oh brilliant.
01:43 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
01:43 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
01:44 < theDoc> I got my vpn tunnel working
01:44 < theDoc> !
01:44 < dan__t> Hrm. Can I use multiple client-connect script definitions?
01:44 < dan__t> word
01:46 < reiffert> multiple as in #!/bin/bash script1 script2 script3?
01:46 < krzee> i dont get the question
01:46 < dan__t> uh, sorry - directives.
01:46 < dan__t> No, as in multiple:
01:46 < krzee> oh if thats it, no... but a script can call another script
01:46 < dan__t> client-connect /somescript
01:46 < dan__t> client-connect /otherscript
01:46 < dan__t> yeah
01:46 < reiffert> dan__t: I was pasting somescript.
01:46 < dan__t> ok.
01:47 < dan__t> wait, what?
01:47 * reiffert waits.
01:47 < krzee> lol
01:47 < dan__t> unWait();
01:47 < dan__t> what?
01:48 < reiffert> I was about to say the same thing as krzee but in a different way.
01:48 < dan__t> oh ok.
01:49 < krzee> somescript can call otherscript
01:49 < krzee> but i rather doubt both can be called from client-connect directive
01:49 < krzee> either first or last will likely be run, with the other forgotten
01:49 < krzee> mind you, im guessing here
01:50 < krzee> you can tell me if im wrong, but its an educated guess
01:50 < krzee> woop
01:50 < dan__t> Understood.
01:50 < krzee> debian almost done installing on my VM
01:50 < dan__t> That's unfortunate.
01:51 < krzee> agreed, which is why its only going on a VM
01:51 < dan__t> ./whois dan__t
01:51 < dan__t> heh
01:51 < krzee> zabbix hated my fbsd
01:51 < krzee> [02:51] * [dan__t] (n=dant@ns1.hitb.net): dant
01:51 < krzee> [02:51] * [dan__t] ##openvpn
01:51 < krzee> ??
01:53 < krzee> so im gunna see if zabbix is that much easier to get working on debian, if it is i will switch my completely unused VPS to debian and give it an actualy purpose
01:53 < krzee> actual
01:53 < krzee> since i wont be using the vps for anything other than monitoring 2 machines using zabbix, i believe it really doesnt matter what i run
01:55 < krzee> and while i far prefer gentoo to debian, im lazy and just want it to come with stuff ready
01:55 < blahdeblah> !topology
01:55 < vpnHelper> blahdeblah: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
01:59 < blahdeblah> Anyone else have a suggestion on http://linuxman.wikispaces.com/OpenVPN+remote+office+setup which i posted earlier?
01:59 < vpnHelper> Title: linuxman OpenVPN remote office setup (at linuxman.wikispaces.com)
01:59 < krzee> dan__t, was i supposed to learn something from the whois?
02:00 < krzee> blahdeblah, what was your question? i have no desire to read another walkthrough
02:00 < blahdeblah> It's not a walkthrough
02:00 < krzee> ok going
02:00 < blahdeblah> krzee: Basically, i'd like to be able to reconfigure remote offices without needing to disconnect all other remote offices
02:02 < krzee> you dont need to restart openvpn for that
02:02 < blahdeblah> You seem to on 2.0.9
02:02 < krzee> why do you believe you do?
02:02 < blahdeblah> Because i've tried signalling the running daemon, and it disconnected the other clients
02:02 < krzee> you dont need to signal either
02:03 < blahdeblah> So how do you add new client routes? It doesn't just automatically sense changes in the server startup config, does it?
02:03 < krzee> nope, you add the route
02:03 < krzee> all route command does is add a system route to the routing table
02:03 < blahdeblah> The documentation says that the route directive does something more than that
02:03 < krzee> do it manually after editing the config
02:03 < krzee> umm, no
02:03 < krzee> !man
02:03 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:03 < krzee> lemme read again
02:04 < krzee> Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
02:04 < krzee> This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.
02:04 < blahdeblah> I'll try to find the spot
02:04 < krzee> note the second sentence
02:05 < krzee> the ccd entry does more
02:05 < blahdeblah> yeah - but there was something else that indicated otherwise.
02:05 < krzee> !iroute
02:05 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
02:05 < krzee> but ccd entries are read upon client connection, and therefore you dont need to signal
02:05 < krzee> btw, nice lil writeup
02:05 < krzee> feel free to steal anything you want from my similar writeup...
02:05 < krzee> !iroute
02:05 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
02:05 < krzee> errrr i mean
02:05 < krzee> !route
02:05 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:06 < krzee> thats my writeup
02:08 -!- _dan__t [n=dant@vpn.withparity.net] has joined ##openvpn
02:08 < blahdeblah> Yeah - read it already
02:09 < krzee> oh cool
02:09 -!- dan__t [n=dant@ns1.hitb.net] has quit [Read error: 104 (Connection reset by peer)]
02:09 < _dan__t> hmmmm
02:09 -!- _dan__t is now known as dan__t
02:09 < krzee> seems you read it correctly, your setup is good =]
02:09 < krzee> so ya, forget about signaling the process
02:10 < krzee> just add the route and let the client connect
02:10 < krzee> it'll be fine =]
02:10 < blahdeblah> Bah - can't find it
02:10 < krzee> you cant find it cause it doesnt exist
02:10 < krzee> --route explains what it does
02:10 < blahdeblah> My memory's not *that* bad. ;-)
02:10 < krzee> --route network/IP [netmask] [gateway] [metric]
02:10 < krzee> Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
02:10 < krzee> This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.
02:10 < krzee> that is very clean
02:10 < krzee> err
02:10 < krzee> that is very clear
02:11 < blahdeblah> But basically what you're saying is that if i want to i can just route add 172.20.0.0/16 to tun0 and that should work.
02:11 < krzee> correct, just make it identical to the routes openvpn added
02:11 < krzee> thats all --route does
02:11 < blahdeblah> Identical, or equivalent?
02:11 < krzee> identical
02:12 < krzee> as explained by the 2 sentences i pasted from the manual 2x
02:12 < krzee> now if you were PUSHING the route, we'd have a problem
02:12 < blahdeblah> In my example i had 3 routes: route 172.20.11.0 255.255.255.0 / route 172.20.12.0 255.255.255.0 / route 172.20.13.0 255.255.255.0
02:12 < blahdeblah> I would much rather aggregate them into one
02:12 < blahdeblah> Is that feasible?
02:12 < krzee> cause then youd hafta manually add it to all clients' routing table to do what you want
02:12 < krzee> no
02:13 < krzee> lemme paste why from my writeup
02:13 < krzee> !route
02:13 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:13 < blahdeblah> I've read it already! :-)
02:13 < krzee> that was for me
02:13 < krzee> needed the link
02:13 < krzee> here:
02:13 < krzee> You may realize that client1 should not route 192.168.1.0 traffic over the vpn, and that client2 should not route 192.168.3.0 traffic over the vpn (because those networks are local to each client). Because of the iroute entries you will see below, openvpn knows this too and skips the push for the client.
02:13 < krzee> oh actually for local its fine
02:13 < krzee> thats for pushing
02:14 < blahdeblah> It doesn't matter anyway, because there's already a specific matching route via the local eth0
02:14 < blahdeblah> I just push 172.20.0.0/16 and it works fine - that is as it should be
02:14 < krzee> so sure, i guess you might be able to get away with making it 255.255.0.0
02:14 < blahdeblah> It's the server side that i just find a little clunky
02:15 < krzee> oh ya you do push a /16
02:15 < krzee> interesting
02:15 < krzee> oh well i guess it has a more specific route for its own already
02:15 < krzee> good call
02:15 < krzee> sure, you can do the same locally
02:16 < blahdeblah> I find that aggregating routes like that makes things a lot cleaner, and eliminates the need for dynamic routing in a lot of cases.
02:16 < krzee> then you never even need to add routes locally manually when adding a new client-lan
02:16 < blahdeblah> Now you're understanding me!
02:16 < krzee> just make the ccd entry and booya
02:16 < blahdeblah> That's it
02:16 < krzee> either way no signaling needed
02:16 < blahdeblah> I just want to know whether i should expect that to "just work"
02:17 < krzee> well i expect it to
02:17 < krzee> while i haven't done it, all my experience says it will
02:17 < blahdeblah> OK - i'll have another try
02:21 < krzee> basically, if it works for those 3, it'll work for the next ones you add
02:21 < blahdeblah> yeah
02:21 < blahdeblah> Trying now
02:21 < krzee> since you'll only be changing ccd configs from there on out
02:21 < blahdeblah> thanks for your help krzee
02:22 < theDoc> Say guys, if I wanted to migrate the existing vpn config files to another server of a different hardware, do I need to resign anything?
02:22 < krzee> ya man np, love helping someone who took time to read the docs and follow them
02:22 < theDoc> or generate new keys or any odd stuff like that?
02:22 < krzee> theDoc, nope
02:22 < krzee> all is well
02:22 < theDoc> krzee: Thanks, ;) It's all working now :)
02:22 < krzee> can be any supported OS as well
02:22 < krzee> although if its from windows to unix or vice versa theres some gotchas
02:22 < blahdeblah> theDoc: Just don't try to use it on the old hardware... ;-)
02:23 < theDoc> Oh yes.
02:23 < blahdeblah> (At the same time, i mean...)
02:23 < theDoc> It's running on a p4 at the moment
02:23 < theDoc> I might migrate it if there are more users
02:23 < krzee> like how you specify dirs and whatnot
02:23 < krzee> so the configs may need lil editing for things like that
02:23 < krzee> but certs are perfect
02:23 < theDoc> I'm only worried about the ca.crt, server.crt/key stuff
02:23 < theDoc> Cert and key stuff.
02:24 < theDoc> I can deal with the config files :)
02:24 < krzee> then you have no worries
02:24 < theDoc> Aye, thanks.
02:24 < krzee> np
02:29 < krzee> theDoc, you should be able to get quite a few users connected before you have HW issues
02:29 < krzee> how many are you thinking?
02:29 < theDoc> krzee: I'm not sure at the moment, I'm having a /30 for each user here on a /24 subnet
02:30 < theDoc> I might end up with something like, 64 users or so
02:30 < theDoc> before I run out of addresses
02:30 < krzee> ahh doing it for biz
02:30 < theDoc> ahh, yes
02:30 < krzee> ya some nice strong hw will be good in the future
02:31 < krzee> and when that time comes maybe you can switch to a /16 with /30's
02:31 < theDoc> krzee: It's for a mockup at the moment
02:31 < krzee> you need /30's?
02:31 < krzee> so they cant change ips for example
02:31 < theDoc> I don't expect a gazillion users tomorrow, we're just starting out with beta.
02:31 < krzee> sure i follow ya
02:31 < theDoc> krzee: /30's work fine for now, because each user should stick to their own tunnel and not touch another user
02:32 < krzee> without --client-to-client they cant anyways
02:32 < krzee> check out !topology for the way to use 1 ip / client
02:32 < theDoc> !topology
02:32 < vpnHelper> theDoc: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
02:32 < krzee> without --client-to-client clients cant communicate
02:32 < krzee> even if in same subnet
02:32 < theDoc> Yep, I don't have that enabled in my server.conf
02:32 < theDoc> No clients should be able to communicate anyway. ;p You're supposed to be "isolated"
02:33 < krzee> the server will smack down attempts
02:33 < krzee> right
02:33 < krzee> so you should be able to get away with that assuming you dont need to make sure to lock users into their own vpn IP
02:33 < krzee> if you do need to lock them into never being able to change VPN ips, then thats different
02:34 < krzee> in that case you wanna keep net30
02:34 < krzee> but otherwise, topology subnet in 2.1 is for you
02:35 < theDoc> krzee: There's no need for me to lock them into the vpn IP.
02:35 < krzee> then you can use 2.1 with topology subnet
02:35 < theDoc> krzee: Since this is really for mobile warriors to encrypt their data before sending it out to the public internet
02:35 < krzee> and then its 1 ip per client
02:41 < theDoc> krzee: Yep, that too.
02:41 < theDoc> Does openvpn support split-tunneling?
02:41 < theDoc> I don't suppose it does but it'll be interesting to see if it can perform like the Cisco ASA
02:42 < krzee> split tunneling??
02:42 < krzee> care to define that?
02:43 < theDoc> krzee: Like say, traffic destined for ip address_x doesn't get tunneled into the vpn, while the rest does.
02:43 < krzee> sure its a matter of what you route
02:43 < krzee> you control any routes you want, as does the user
02:44 < krzee> they will have their existing default route
02:44 < theDoc> Hmm.
02:44 < theDoc> Yep.
02:44 < krzee> but then they get 2 new default routes
02:44 < krzee> because you used def1
02:45 < krzee> which works because it adds slightly more specific routes, and therefore gets used instead of the existing one
02:45 < theDoc> ahh.
02:45 < krzee> you can add another more specific route to bypass that
02:45 < krzee> and another more specific route to bypass that
02:45 < krzee> etc until you are routing a single ip
02:45 < krzee> hehe
02:45 < theDoc> Windows is confusing the fuck out of me.
02:45 < theDoc> Stupid piece of shit.
02:45 < krzee> heh
02:51 < theDoc> Regardless, I'm extremely glad that my vpn tunnel is now working.
02:51 < theDoc> However, I'm wondering how the fuck can someone not know tcp/udp shit and become the head of network ops.
02:51 < krzee> lol
02:51 < krzee> all too common i believe
02:52 < theDoc> krzee: and that said person sent an email today asking me to stfu because .. I suggested something that everyone else agrees would work.
02:52 < theDoc> krzee: I build networks, I got told to stfu and stop spouting rubbish by someone who doesn't know tcp/udp :(
02:52 < krzee> i worked in a NOC for a couple months when i had a court case pending and couldnt use self employment to try to get an ankle bracelet if it came to that
02:52 < krzee> while at the NOC i couldnt believe the incompetence of my bosses
02:53 < theDoc> krzee: It's fucking ridiculous as to how these people can get a job.
02:53 < krzee> the guy who hired me wanted to backup his website which he couldnt access via ftp
02:53 < krzee> so i told him to use wget
02:53 < theDoc> Oh yes, wget works as well.
02:53 < krzee> but he had no clue what it was or how to do it
02:53 < theDoc> ..
02:53 < krzee> i told him to read the man page
02:53 < krzee> which he also couldnt figure out
02:53 < theDoc> doh!
02:54 < krzee> finally i just typed it in for him
02:54 < krzee> lol
02:54 < theDoc> I can understand if it's something cryptic like vpn configs.
02:54 < theDoc> But wget??! Hello??!
02:54 < krzee> im sure he couldnt figure out how to ssh in either
02:54 < theDoc> That's like saying, where is my f1 key!?
02:54 < theDoc> ...
02:54 < krzee> seriously
02:54 -!- fad_xxx [n=fad@pppoe-88-147-239-215.san.ru] has joined ##openvpn
02:54 < krzee> thats how bad it was
02:54 < theDoc> krzee: I've had people come and tell me how good they are at this whole "nix" thing and can't figure out scp
02:54 < theDoc> ;)
02:54 < krzee> lol
02:55 < krzee> i have a 830G scp going on right now
02:55 < theDoc> Oh nice.
02:55 < theDoc> What are you transferring?
02:55 < krzee> my old ZFS NFS xferring * to my new ZFS NFS
02:55 < krzee> [root@nfs /nfs]# du -h -d 1 .
02:55 < krzee> 369K ./work
02:55 < krzee> 76K ./torrents
02:55 < krzee> 28G ./win_bak
02:55 < krzee> 4.3G ./ron_paul
02:55 < theDoc> Ahh.
02:55 < krzee> 30G ./mac_apps
02:55 < krzee> 20G ./books
02:55 < krzee> 42G ./games
02:55 < krzee> 28G ./apple_bak
02:55 < krzee> 42G ./music
02:55 < krzee> 2.3G ./images
02:55 < krzee> 4.0K ./.TemporaryItems
02:55 < krzee> 61G ./win_apps
02:55 < krzee> 570G ./movies
02:55 < krzee> 828G .
02:56 < krzee> but the old one is only 100mbit nic
02:56 < theDoc> krzee: What is the -d flag? I don't seem to have that -d option on my redhat box
02:56 < theDoc> ;o
02:56 < krzee> so its slowwwww
02:56 < krzee> depth
02:56 < krzee> so it doesnt go past 1 dir deep
02:57 < krzee> <-- bsd
02:57 < theDoc> Oh, bsd.
02:57 < theDoc> Figures.
02:57 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
02:57 < krzee> FreeBSD 8.0-CURRENT-200902
02:58 < krzee> FreeBSD 7.0-STABLE
02:58 < krzee> also HUGE difference in the hardware
02:58 < dan__t> ok.
02:59 < dan__t> iptables wrapper works.
02:59 < dan__t> creates routes based off of SQL data
02:59 < dan__t> pushes those routes via ccd
02:59 < dan__t> lays down the law with iptables
02:59 < krzee> haha your setup is pretty nice
02:59 < dan__t> so clients can't try pushing their own routes
02:59 < krzee> umm
02:59 < theDoc> For some reason..
02:59 < krzee> pushing their own?
02:59 < dan__t> yeah.
03:00 < krzee> clients dont push anything
03:00 < dan__t> er.
03:00 < dan__t> adding a route to their table to go through the vpn
03:00 < krzee> ahh
03:00 < dan__t> That's what I meant by pushing, sorry.
03:00 < dan__t> So there's a very VERY restrictive ruleset of routes.
03:02 < dan__t> krzee, you do iptables?
03:02 < krzee> nah i use bsd
03:02 < krzee> this is my 3rd linux install
03:03 < dan__t> iptables -N INPUT-d8e8fca2dc0f896fd7cb4cb0
03:03 < dan__t> iptables -A INPUT -s 10.8.0.1 -m comment --comment "d8e8fca2dc0f896fd7cb4cb0031ba249 | re-assign to custom chain | gcj2" -j INPUT-d8e8fca2dc0f896fd7cb4cb0
03:03 < dan__t> iptables -A INPUT-d8e8fca2dc0f896fd7cb4cb0 -s 10.8.0.1 -d 4.2.2.2/32 -m comment --comment "d8e8fca2dc0f896fd7cb4cb0031ba249 | accept destination | gcj2" -j ACCEPT
03:03 < krzee> ive used gentoo before, had ubuntu on dualboot on my macbook pro (to get aircrack working without usb dongle), and now im tossing debian on a VM for testing stuffs
03:03 < dan__t> So, create a new table with a semi-random name that corresponds to the common name of the client cert
03:04 < dan__t> and send traffic through it
03:05 < theDoc> I wonder who's the lucky guy to be having a server with the ip address of 133.7.133.7
03:05 < dan__t> heh
03:05 < krzee> lol
03:05 < krzee> 13.37.13.37 too, right?
03:06 < theDoc> Oh, that too.
03:06 < krzee> :-p
03:07 < theDoc> https://ws.arin.net/whois
03:07 < vpnHelper> Title: ARIN: WHOIS Database Search (at ws.arin.net)
03:07 < theDoc> Japan-Internet
03:08 < krzee> umm
03:08 < theDoc> NetRange: 133.0.0.0 - 133.255.255.255
03:08 < theDoc> CIDR: 133.0.0.0/8
03:08 < theDoc> NetName: JAPAN-INET
03:08 < theDoc> NetHandle: NET-133-0-0-0-1
03:08 < theDoc> ;D
03:08 < krzee> [root@nfs2 /storage/nfs]# whois
03:08 < krzee> heh
03:08 < theDoc> Oh right, that too
03:08 < theDoc> wtf
03:08 -!- fad_xxx [n=fad@pppoe-88-147-239-215.san.ru] has quit [Read error: 54 (Connection reset by peer)]
03:08 < krzee> be lazier!
03:08 < krzee> ;]
03:08 < theDoc> Be lazy!
03:09 < theDoc> respectively owned by japan and xerox
03:10 < krzee> neither responds to ping
03:11 < theDoc> Yep.
03:11 < theDoc> I got a destination host unreachable for the xerox one
03:18 -!- bandini [n=bandini@host234-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
03:21 -!- onats_ [n=onats@unaffiliated/onats] has quit [Connection timed out]
03:22 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
04:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:02 < blahdeblah> krzee: Thanks for the help - i've updated my wiki page to reflect
04:02 < blahdeblah> Works well now
04:02 < krzee> np =]
04:04 < krzee> where you mention topology subnet you may want to make mention that its like ifconfig-pool-linear but compatible with windows
04:05 < krzee> thanx for linking in my writeup and the shoutout =]
04:05 < blahdeblah> good point
04:06 < krzee> also, openvpn2.1 is available in centos
04:07 < krzee> the source will compile painlessly ;]
04:10 < dan__t> why does $common_name passed to a client-connect script contain a trailing underscore
04:11 < krzee> dunno
04:11 < dan__t> wtf
04:11 < krzee> you're the first ive actively seen use a client-connect
04:12 < dan__t> wtf
04:12 < dan__t> seriously?
04:12 < krzee> ive recommended it before to some
04:12 < krzee> but they say oh cool thanx and i never hear from them again
04:12 < krzee> hehe
04:12 < dan__t> heh
04:16 < theDoc> lmao, http://digg.com/d1o084
04:16 < vpnHelper> Title: Raccoon bites off man's penis after attempted rape (at digg.com)
04:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:36 < dan__t> Welp, I need to pass out.
04:37 < dan__t> Have a good one, thanks again for the help, krzee.
04:43 < krzee> yw
04:58 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
04:58 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
04:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
05:13 -!- dazo|h [n=David@r9dm48.net.upc.cz] has joined ##openvpn
05:22 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:19 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
06:22 < lataffe> !howto
06:22 < vpnHelper> lataffe: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:22 < lataffe> !route
06:22 < vpnHelper> lataffe: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:27 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit []
06:56 < onats_> hey guys
06:56 -!- onats_ is now known as onats
07:00 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
07:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:52 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
08:27 -!- rhousand [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has joined ##openvpn
08:28 < rhousand> whats the best way to remove an ex-employee from openvpn?
08:31 < plaerzen> remove his server-side keys?
08:32 < ecrist> you need to revoke his certificate
08:33 < rhousand> thanks!
08:39 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 104 (Connection reset by peer)]
08:40 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
08:45 -!- dazo|h [n=David@r9dm48.net.upc.cz] has quit ["Leaving"]
08:51 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
08:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
08:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
09:00 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
09:08 -!- belZe [i=server3@p5091CAF6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
09:10 -!- m31k0r [n=m31k0r@142.Red-81-33-47.dynamicIP.rima-tde.net] has joined ##openvpn
09:10 < m31k0r> hi
09:10 < m31k0r> does anybody know if it's possible to use windows key repository in openvpn configuration?
09:13 < rhousand> I think that I am using the same key for every client? http://pastie.org/438408
09:17 < rhousand> can i still kill only one user?
09:21 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 104 (Connection reset by peer)]
09:22 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
09:27 -!- m31k0r [n=m31k0r@142.Red-81-33-47.dynamicIP.rima-tde.net] has quit ["Saliendo"]
09:27 < karlpinc> I'm having problems trying to build a win32 openvpn 2.1 rc15 installer on Debian etch. First, the domake-win and related scripts are not executable. After working around that I get 'configure: error: OpenSSL Crypto library not found.' which I believe is due to pointing ./configure --with-ssl-lib=$H/$OPENSSL_DIR/out, which has Windows executables so no wonder the test fails. What should I do to build a Windows installer?
09:42 -!- tsunami [n=tsunami@64.119.141.126] has quit []
09:43 < dazo> karlpinc: just a dumb question, since I don't know .... but is OpenVPN supposed to support win32 building on Linux at all?
09:43 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
09:45 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection]
09:45 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
10:01 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
10:05 -!- tsunami [n=tsunami@64.119.141.126] has quit [Read error: 113 (No route to host)]
10:07 < karlpinc> dazo : I thought so.
10:07 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
10:08 < dazo> dazo: which cross compiler are you using?
10:08 < dazo> karlpinc: ^^
10:08 < kala> karlpinc: See INSTALL-win32.txt for more info
10:09 < karlpinc> dazo : The domake-win says to install MinGW
10:10 < dazo> karlpinc: Yeah, Fedora Project has put some effort into building win32 apps on Linux .... might be you need to have a look how to do that, including the OpenSSL part .... might be you need to build the OpenSSL with MinGW first
10:10 < karlpinc> kala : That's for installing pre-built binaries on Windows.
10:10 < karlpinc> dazo : Supposedly openvpn has a tarball with pre-built binaries already.
10:10 < kala> hmm
10:11 < dazo> karlpinc: it should all be available from http://www.openvpn.net/ ... but might be that only source is as tar ball ....
10:11 < vpnHelper> Title: Welcome to OpenVPN (at www.openvpn.net)
10:11 < karlpinc> dazo: I've installed it. The problems come later.
10:12 < dazo> I see
10:12 < karlpinc> Maybe I should ask the openvpn-users mailing list, or the devel list?
10:12 < theDoc> Anyone has a documentation on how to setup openvpn to use user/pass for clients?
10:13 < theDoc> I can't seem to find anything substantial. Is this even supported?
10:13 < karlpinc> theDoc : Yes. I've done it. Used the manual and the HOWTO. The server side is linux though.
10:13 < dazo> karlpinc: try the -devel list
10:13 < karlpinc> dazo: Will do.
10:14 < kala> karlpinc: http://openvpn.net/index.php/documentation/install.html?start=1 and scroll down to "Notes -- Building from source"
10:14 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
10:14 < theDoc> karlpinc: Yes, I have a nix server. I would prefer to do user/pass authentication as opposed to using certs as I do now.
10:14 < dazo> theDoc: how do you want to authenticate users? against a separate user database (virtual users) or against PAM?
10:14 < theDoc> dazo: I'd say user database.
10:15 < karlpinc> dazo : (Pam will do virtual users too.)
10:15 < dazo> theDoc: have a look at http://www.eurephia.net/
10:15 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:15 -!- MarcWeber [n=marc@88.80.200.63] has joined ##openvpn
10:15 < MarcWeber> Mon Apr 6 17:14:11 2009 write to TUN/TAP : Invalid argument (code=22)
10:15 < MarcWeber> Is this a serious error?
10:15 < theDoc> dazo: Thanks.
10:15 < dazo> karlpinc: Wasn't aware of that ... but I'm going to dig more upon PAM auth later on :)
10:16 < dazo> theDoc: You might actually want to take the latest version from git at the moment ... worst case, I can pull it down and do a quick tar ball for you, but git is preferred right now
10:17 < ecrist> you're best off getting PAM auth working, most authentication schemes out there have PAM modules
10:17 < theDoc> Ohh, dazo. You're the developer for it? :o
10:17 < dazo> theDoc: I am
10:17 < dazo> theDoc: it's a work in progress ... but I have it running in production on one site already, so it works very well in that setup
10:18 < theDoc> ahh.
10:18 < theDoc> dazo: I'll give it a go. Will donate money to help development process
10:18 < dazo> theDoc: well, I'm working 100% with Open Source already .... so it won't help too much right now .... but I'll consider it
10:19 < theDoc> ahh, ok.
10:19 < dazo> theDoc: but my employer allows me to spend some time on eurephia in work hours as well
10:19 < theDoc> dazo: How far in are you into the dev?
10:19 < theDoc> Oh, that's nice.
10:19 -!- mikey| [n=Mikey@93-96-140-104.zone4.bethere.co.uk] has joined ##openvpn
10:19 < dazo> theDoc: I'm putting together the last details for the admin utility, a few more features which must go in ... and then 0.9.4_beta release will come
10:19 < karlpinc> kala : Looks like there you're expected to be running Windows....
10:20 < dazo> theDoc: and if that is stable ... it's only some nice docs missing to make it a 1.0 release
10:20 * dazo has already spent some time putting together the docs as well
10:20 < mikey|> hi, i set up vpn on my remote linux server and I install the client on my windows laptop. Everything loads fine but no traffic is routed through the vpn interface. Any ideas why?
10:20 < dazo> mikey|: have you setup routes?
10:21 < theDoc> dazo: Ah, ok. I'm going to require this module for a production machine, should I be going with your stable or developers release?
10:21 < mikey|> dazo: no, I didnt know I had to add routes, I followed a guide from a blog
10:22 < dazo> theDoc: if you pull the git tree ... you'll get what's ready for the 0.9.4 beta release basically .... it's just admin utility tweaks ... the auth module for openvpn has been stable for quite some time
10:22 < theDoc> Oh, ok.
10:22 < dazo> mikey|: have a look at !route
10:22 < dazo> !route
10:22 < MarcWeber> Where is the right place to add extra routing commands which should be executed when openvpn starts up?
10:22 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:22 < mikey|> thanks
10:23 < theDoc> dazo: I'll give it a roll and see how it goes, thanks! :)
10:23 < dazo> theDoc: What's missing in admin utility is features for add/delete/list blacklisted usernames, certificates and IP addresses ... and the same for resetting attempt counts ... except for that, it's ready
10:24 < dazo> theDoc: cool! Don't hesitate to contact me if you stumble upon something
10:24 < MarcWeber> Can I switch off encryption? I only need a tunnel. Will this gain much performance? (700kbits/s)
10:24 < dazo> theDoc: I'm willing to do quick fixes if you find something critical
10:25 < karlpinc> MarcWeber : Yes and yes.
10:25 < karlpinc> MarcWeber : Or save cpu cycles anyway.
10:26 < theDoc> dazo: I seem to have a cmake issue, well, I think it's on my end anyway ;p
10:26 < dazo> theDoc: which cmake version do you have?
10:27 < dazo> theDoc: I'm wondering how well it works with the 2.4 version .... I know 2.6 should work pretty okay
10:27 < karlpinc> kala, dazo : It's all starting to make sense. I think I'm supposed to be building on MS Windows. :-P
10:27 < theDoc> cmake is 2.6
10:27 < theDoc> However, I'm getting this error.
10:27 < dazo> karlpinc: good to know :)
10:28 < theDoc> dazo: http://pastebin.com/m37a59323
10:28 < dazo> theDoc: you need libxml and libxslt probably too
10:29 < dazo> theDoc: CMAKE_C_COMPILER not set ... that's an odd one ...
10:29 < theDoc> dazo: Yep, I have those already.
10:29 < theDoc> and yes, that's odd.
10:29 < karlpinc> dazo : I'm suffering a quick change of plans. ;-) All I really want is a custom installer, so I'm switching to using the NSIS installer maker on linux and I'll just get the windows binaries directly from openvpn.
10:29 < theDoc> dazo: Would you have any idea on that cmake_c_compiler issue?
10:30 < dazo> theDoc: which distro are you using?
10:30 < dazo> theDoc: I've tried to build this on SuSE, Fedora, Gentoo, of different versions .... and never seen the CMAKE_C_COMPILER error ....
10:30 < theDoc> That's odd.
10:31 < kala> karlpinc: thats what we were suspecting as well
10:31 < dazo> theDoc: --openvpn-src .... this one needs a path to the openvpn source code
10:31 < theDoc> dazo: I installed openvpn via an rpm.
10:31 < dazo> karlpinc: NSIS for Linux? Can you pin-point me to somewhere? .... I'm into such a project myself to setup my own Win installer
10:32 < theDoc> So in this case, where exactly do I point it? :o
10:32 < dazo> theDoc: yeah ... but eurephia needs a patch into the openvpn source as well
10:32 < theDoc> Ohh.
10:32 < theDoc> Hmm.
10:32 < dazo> theDoc: please have a look at the wiki pages ... I believe they should be pretty much straightforward ... at least I hope
10:32 < karlpinc> If I download the 2.1 rc15 zip version am I getting MS Windows binaries?
10:33 -!- Swiatecki [n=ns@0x5739be9e.arcnqu1.dynamic.dsl.tele.dk] has joined ##openvpn
10:33 < karlpinc> dazo : Debian has a NSIS package. (Natch. ;-)
10:33 < karlpinc> dazo : Otherwise, I dunno. Get it from the product website?
10:33 < theDoc> dazo: Let me go mess around with it, I'll give it a go
10:34 < dazo> theDoc: the issue is that eurephia does authentication against the certificate SHA1 digest, which is sent from openvpn to the plug-ins ... so I've added a patch to only add that, and it's not upstream yet ... I hope it will be some day :)
10:34 < ecrist> debian just released support for the FreeBSD kernel. muahaha!
10:34 < ecrist> freebsd is getting closer to world domination.
10:34 < MarcWeber> When I don't use secret static.key
10:34 < theDoc> ahh, ok
10:34 < dazo> sounds like debian wants to be DebianBSD ....
10:35 < MarcWeber> will this switch off encryption?
10:35 < ecrist> http://lists.debian.org/debian-devel-announce/2009/04/msg00001.html
10:35 < vpnHelper> Title: New architectures (at lists.debian.org)
10:36 -!- benedictus [n=chatzill@152.70-243-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn
10:37 < MarcWeber> karlpinc Do you just know how to switch off encryption?
10:40 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
10:40 < theDoc-> fuck.
10:40 < theDoc-> Stupid wireless shit
10:41 -!- mikey| [n=Mikey@93-96-140-104.zone4.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
10:41 < MarcWeber> What does this push exactly mean? Does this mean that these routes are set up at the client?
10:44 < dazo> MarcWeber: push means that the option you push will be "setup" on the client .... the server pushes an option to the connected clients config
10:45 < MarcWeber> dazo So I got that right. How can I run commands such as iptables -A POSTROUTING -s ... -j MASQUERADE automatically on server startup?
10:45 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
10:45 < MarcWeber> and remove them on tear down?
10:46 < karlpinc> MarcWeber : It means that you can change the client's config dynamically by changing the server's config, so you don't have to mess with the client config if the stuff you push changes.
10:46 < dazo> MarcWeber: you'll probably need to tweak the startup scripts
10:46 < karlpinc> MarcWeber : I forget how to turn off encryption. I think it's the --crypt arg.
10:47 < MarcWeber> karlpinc Removing the static key made it faster. So probably this turned it off as well
10:47 < MarcWeber> I feel I finally can setup traffic shaping today :))
11:00 -!- tsunami [n=tsunami@64.119.141.126] has left ##openvpn []
11:02 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:04 < MarcWeber> So manually editing /etc/init.d/openvpn is the way to add iptables commands? I'll try
11:09 < karlpinc> Humm... How can I get all the stuff that comes in the pre-compiled Windows version, without the installer so I can make my own installer?
11:09 < MarcWeber> When adding additional networking setup, which is the recommended way of waiting till openvpn has setup the tun devices?
11:10 < MarcWeber> Using a while ! ifconfig | grep .. ; loop ?
11:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:17 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
11:27 -!- Swiatecki [n=ns@0x5739be9e.arcnqu1.dynamic.dsl.tele.dk] has quit ["Ex-Chat"]
11:29 -!- olger901 [n=olger901@cable-159-18.zeelandnet.nl] has joined ##openvpn
11:29 < olger901> !configs
11:30 < vpnHelper> olger901: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:30 < olger901> !route
11:30 < vpnHelper> olger901: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:31 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
11:36 < olger901> How can I access local clients behind the VPN server (the local clients are inside the same local subnet as the vpn server) network using routing mode?
11:36 < olger901> Because both the clients behind the openvpn server and the clients connecting to the openvpn server would need to know the route...
11:38 < dazo> olger901: you need to setup routes .... and it is pretty well explained in !route
11:39 < reiffert> dazo: In this very moment I was about to point him to the topic :)
11:40 < olger901> I just read that part indeed
11:40 < olger901> But users only need to be able to access the network behind the VPN server, they shouldn't be able to access each other's network ;)
11:40 < dazo> olger901: if running Linux ... you may also check that /proc/sys/net/ipv4/ip_forward is set to 1 ... (cat and echo) ... and also check your firewall settings, to make sure you allow traffic to be forwarded between tun/tap and your internal network
11:41 < dazo> olger901: then you can just skip the "iroute" part of that guide ... it's the same principles
11:41 < reiffert> dazo: he is still missing a static route on his lan gateway.
11:41 < dazo> reiffert: oh true!!
11:41 < reiffert> pointing to his ovpn server
11:41 < dazo> thx!
11:41 < dazo> olger901: ^^^
11:42 < olger901> Yeah, thats the part I'm missing
11:42 < olger901> Or which I don't fully understand... :$
11:43 < olger901> but from what I think, all I would need to do is add an iroute in the server config file, for the server config right?
11:44 < dazo> olger901: on that router (your default gateway) you'll need to add a route explicitly ... so if your VPN network is 10.8.0.0/24 ... and your OpenVPN is 192.168.1.130 ... you need on the default gw to add a route like this: route add -net 10.8.0.0/24 gw 192.168.1.130 ... that's all, basically ... but it needs to be tweaked to match your setup and OSes
11:44 < dazo> olger901: no, iroute is only for accessing network behind openvpn clients
11:45 < olger901> on the router, which the openvpn server is behind right?
11:45 < dazo> on your default gateway, you must add this extra route
11:46 < olger901> dazo: What do you mean with your default gateway; the gateway of the openvpn server, or the gateway of the home clients?
11:46 < dazo> from how things were described here ... I have understood that you have an openvpn server on the inside of your default gateway/internet router
11:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
11:47 < dazo> olger901: let's try to make a quick "drawing"
11:47 < dazo> olger901: ------{internet}----------
11:48 < dazo> and the other clients on your "LAN" are behind (to the right of) "your Internet router"
11:48 < dazo> right?
11:48 < olger901> OpenVPN client 192.168.3.x ---- internet ------ Router (LAN: 192.168.0.254) (WAN: 82.176.xx.xx) ---------- OpenVPN Server (192.168.0.1) 11:49 < olger901> so at work, there's a router iwth 1 WAN IP, behind the router there are various clients and one server 11:49 < dazo> good! your default gateway is 192.168.0.254 for computers on the LAN 11:49 < olger901> the server has linux with openvpn installed 11:50 < olger901> the clients at home usually 192.168.1.x need to be able to connect to the openvpn server take over their own computers using rdp 11:50 < dazo> olger901: so at this router (192.168.0.254) you need to add a route explicit, which says that route VPN network via gateway 11:50 < olger901> and then all clients would be accessible as well? 11:50 < dazo> olger901: this is setup you're working on here, is pretty much straight forward 11:51 < dazo> olger901: no, because you don't use iroute ... but this is the tricky thing about routing 11:51 < reiffert> dazo: what kind of gateway are you using within your LAN? 11:51 < dazo> olger901: you VPN client sends a request to reach 192.168.0.94 (f.ex) ... the OpenVPN client will route this through the VPN to the server, and the server to the client 11:52 < olger901> yeah 11:52 < olger901> Client -> Router at work -> Server at work -> Remote Computer 11:52 < dazo> olger901: then when 192.168.0.94 replies to that package, it do not know the route back, so it goes to the default gateway - your 192.168.0.254 11:52 < olger901> correct 11:53 < olger901> so I would need to add a route like: route add -net 192.168.100.0/24 gw 192.168.0.254 (100 is the VPN subnet) 11:53 < dazo> olger901: and then your default gateway must have a route which then understands that your VPN network needs to go through you OpenVPN server ... or else it will send the traffic straight out on WAN 11:53 < reiffert> olger901: sounds good. 
11:53 < dazo> olger901: that is correct 11:54 < reiffert> olger901: what is the openvpn server, 0.254? 11:54 < dazo> olger901: just remember, it must be on your default gw 11:54 < olger901> the server (all in one small sbs server) is 0.1, the router is .0.254 11:54 < dazo> (192.168.0.254 box) 11:54 < reiffert> dazo: 0.254 is his default gw, and not the openvpn server 11:54 < olger901> you mean it must be ont he same subnet right? 11:54 < reiffert> on the default router do: route add -net 192.168.100.0/24 gw 192.168.0.1 11:55 < reiffert> where default router is 0.254 and openvpn server is 0.1 11:55 < dazo> olger901: ^^ that is a good explanation 11:56 < olger901> uhm, sorry for all the confusion, but why route it through 0.1, cause it's the OpenVPN server? 11:56 < olger901> and OpenVPN will automatically know howto route it back to the client? 11:57 < dazo> olger901: yes, traffic coming from the VPN via the OpenVPN server needs to go back to the OpenVPN server when the clients responds 11:57 < olger901> ok, then everything is clear to me, thanks a lot for clearing that up :) 11:57 < dazo> olger901: np! :) 11:58 < reiffert> lets wait until it works. 11:59 < dazo> reiffert: pessimistic? :-P 11:59 -!- innnit [n=andre@79-73-46-223.dynamic.dsl.as9105.com] has joined ##openvpn 11:59 < olger901> I won't know until tomorrow, when I can try to connect remotely :P 12:01 < reiffert> olger901: A PC, lets call it 192.168.0.123 wants to send a packet to 192.168.100.25 12:02 < reiffert> olger901: as 100.25 is not on the same subnet as 0.123, that packet will travel to the default router. 
12:02 < reiffert> the default router will answer "Oh, a packet to 100.25, send it to the openvpn server, 192.168.0.1" 12:02 < olger901> Yeah, the default router does know what to do with it, because of the static route, forwards it to 0.1 like stated in the router and 0.1 forwards it back to the client 12:03 < reiffert> actually the packet will get resend and 0.123 will remember the alternative path for some time. 12:04 < karlpinc> Looks like p7zip can be used to extract the files from the Windows nsis installer. 12:04 < reiffert> 0.1 will hand the packet to 100.25, who should know about the 0.0/24 net because of push "route 192.168.0.0 255.255.255.0" 12:05 < olger901> Isn't there a way to make this easier / automatic, like OSPF or something? 12:05 < dazo> olger901: it is easy already, you just need to learn it :-P 12:06 < dazo> "Science should explain things as simply as possible but no simpler" (Albert Einstein) 12:07 < olger901> Well, this isn't exactly science, this is called System- and Networkadministration :P 12:08 < dazo> for me ... network = computer science ;-) 12:08 < reiffert> olger901: allright, read the fucking manual. 12:08 < dazo> heh 12:09 < olger901> lol :P 12:09 < olger901> Manuals don't tell everything either, experience is one of the most important things in this business IMHO 12:10 < dazo> +1 12:10 * reiffert sees many dollars. 12:10 < reiffert> gimme all you have and I let you share my experience :) 12:11 < olger901> I can share mine too in return for exp, but my knowledge is mostly windows SBS based networking unfortunately :P 12:13 < reiffert> This explains why you think that manuals dont tell everything. 12:14 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 12:15 < olger901> lol, I know they mostly do in Linux, and if the manual doesn't, google oftenly does, but I'm no linux dummy either :P 12:17 < olger901> btw, would I need both the push route and the regular route directives in my server configuration file? 
:P 12:22 < MarcWeber> olger901: Depends on what you want to do. If the ip of your connection line is on a different subnet than your vpn on the server side you have to use a route 12:23 < karlpinc> olger901 : Read the networking admin guide at tldp.org. It's old but the principls continue to apply. 12:27 < olger901> Ok, found it, don't really think I need it 12:27 < olger901> bb in 30 12:38 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn [] 12:39 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 12:44 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Connection timed out] 13:03 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 13:30 -!- benedictus [n=chatzill@152.70-243-81.adsl-dyn.isp.belgacom.be] has quit [Client Quit] 13:30 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 13:36 < ecrist> !dns 13:36 < vpnHelper> ecrist: Error: "dns" is not a valid command. 13:36 < dan__t> HI. 13:38 < ecrist> !learn dns as Level3 open recursive DNS server at 4.2.2.1 13:38 < vpnHelper> ecrist: Joo got it. 13:38 < ecrist> howdy, dan__t 13:39 < dan__t> How's it goin man 13:39 < ecrist> working for the man, atm 13:39 < dan__t> don't forget 4.2.2.2, 4.2.2.3, 4.4.4.4 iirc 13:39 < dan__t> Ah hah. Today's my day off... today is hardcore hack on projects day. 13:39 < ecrist> !forget dns 13:39 < vpnHelper> ecrist: Joo got it. 13:40 < dan__t> So now that I know that iptables can handle > 20k chains..... 13:40 < dan__t> I can proceed with my POC. 13:40 < ecrist> !learn dns as Level3 open recursive DNS server at 4.2.2.1 13:40 < vpnHelper> ecrist: Joo got it. 13:40 < ecrist> dan__t: those other addresses you gave aren't recursive 13:40 < dan__t> Uh, I thought they were 13:40 < dan__t> That's why I said "IIRC" :) 13:41 < dan__t> I knew 4.2.2.1 for sure. 13:41 < ecrist> 4.4.4.4 doesn't respond and the other two forward to root zones 13:41 < dan__t> Yeah they do. 
13:41 < dan__t> I'm up to .20 13:42 < dan__t> Are you hizzigh? 13:43 < ecrist> what? 13:45 < dan__t> what 13:45 < dan__t> they are recursive 13:45 < dan__t> uh unless they use 4.2.2.1 as a forwarder 13:49 < ecrist> actually, level 3 uses anycast addressing, which means all those you're using are actually talking to the same server. 13:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:51 < dan__t> Got it. 14:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 14:24 < karlpinc> I was wrong, p7zip won't get me the content of the openvpn nsis installer. I'll probably end up finding a Windows box to compile it on. It's too bad it won't cross compile. :-P 14:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:41 -!- dirkD [n=dirk@dirkdokter.nl] has quit [Remote closed the connection] 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:41 -!- AnAnt [n=anant@217.139.224.193] has joined ##openvpn 15:44 < AnAnt> Hello, I configured the openvpn server such that it pushes to reach the subnet behind the server 15:44 < AnAnt> yet on the client, I find that the default gateway route has been replaced 15:44 < krzie> server and clients have different LAN subnets? 15:44 < AnAnt> yup 15:45 < AnAnt> server: 192.168.1.x 15:45 < AnAnt> client: 192.168.99.x 15:45 < krzie> redirect-gateway being used? 15:45 < AnAnt> nope 15:45 < krzie> what is the vpn subnet? 
15:46 < AnAnt> vpn subnet is 10.8.0.x 15:46 < krzie> !configs 15:46 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:46 -!- nemysis [n=nemysis@41-21.107-92.cust.bluewin.ch] has joined ##openvpn 15:50 < AnAnt> krzie: http://pastebin.com/maf9c89f 15:51 < krzie> not saying this is the problem, but rc11 has known problems 15:51 < krzie> moving up to rc15 would be a good idea 15:53 < krzie> still waiting for client config 15:53 < krzie> why are you using dev tap? 15:53 -!- innnit [n=andre@79-73-46-223.dynamic.dsl.as9105.com] has quit [Read error: 60 (Operation timed out)] 15:54 < AnAnt> krzie: how would the client access the subnet without tap ? 15:54 < krzie> tun 15:54 < krzie> you're using routed config over tap anyways 15:54 < AnAnt> krzie: will I be able to do ssh, and so over tun ? 15:54 < krzie> tun is layer3 (aka ip layer) 15:55 < krzie> tap is layer2, but you're using it to do routed over 15:55 < krzie> which means you're wasting the overhead for no reason 15:55 < krzie> !tunortap 15:55 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 15:55 < AnAnt> I see 15:55 < krzie> the client can access the subnet because of the push route 15:56 < krzie> has nothing to do with tap 15:56 < krzie> still waiting on client config 15:56 < AnAnt> krzie: I use network manager at client 15:56 < krzie> !ubuntu 15:56 < vpnHelper> krzie: "ubuntu" is dont use network manager! 15:56 -!- mtoledo [n=user@c906c009.virtua.com.br] has joined ##openvpn 15:56 < krzie> find the config, it exists... 15:57 < MarcWeber> http://mawercer.de/~marc/net.svg That's the basic setup what I'd like to setup. 
However I'd like to use openvpn instead of socat 15:57 < krzie> also i see you're using ipp.txt 15:57 < krzie> !ipp 15:57 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 15:57 < MarcWeber> Is there some documentation telling me how to route all traffic but the opevpn connection through the vpn tunnel ? 15:58 -!- mtoledo [n=user@c906c009.virtua.com.br] has left ##openvpn ["ERC Version 5.0 $Revision: 1.743 $ (IRC client for Emacs)"] 15:58 < krzie> MarcWeber, you need redirect-gateway, NAT, and ipforwarding 15:58 < krzie> what os is the server on MarcWeber ? 15:58 < MarcWeber> krzie linux 15:58 < krzie> !def1 15:58 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 15:58 < krzie> !linnat 15:58 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 15:58 < krzie> !linipforward 15:58 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 15:58 < krzie> there ya go 15:58 < krzie> oh and: 15:58 < krzie> !sample 15:58 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:00 < MarcWeber> krzie: ;-) Don't flood. The MASQUERADING option does already work. I was still looking for the SNAT line though. My problem is the client side. 16:01 < MarcWeber> When setting the default route to route through the tunnel nothing seems to work anymore. 16:01 < MarcWeber> The strange thing is that even tcpdump -i tun0 does no longer show any packages.. 16:02 < MarcWeber> krzie Am I right that I have to use two different routing tables: One for the openvpn connection and one for everything else ? 16:02 < krzie> marc, using routed tun, right? 16:03 < AnAnt> krzie: if I use tun, should I still do: push "route 192.168.1.0 255.255.255.0" at the server ? 16:03 < krzie> AnAnt, honestly, only if you use tun, as theres almost no reason to ever use tap with server command 16:03 < krzie> so yes 16:04 < MarcWeber> krzie: I'm not sure what routed tun refers to. Let me look it up 16:04 < krzie> you using dev tun? 
16:04 < krzie> and server as opposed to server-bridge 16:06 < MarcWeber> krzie: http://rafb.net/p/1fbUR680.html 16:07 < vpnHelper> Title: Nopaste - No description (at rafb.net) 16:07 -!- innnit [n=andre@92.40.202.113.sub.mbb.three.co.uk] has joined ##openvpn 16:07 < MarcWeber> THat's my setup which does alread work when only routing all connections from a specific user id. 16:08 < MarcWeber> Propabbly this is called routed tun (?) 16:10 < AnAnt> krzie: thanks, solved ! 16:11 < AnAnt> krzie: 1) used tun, 2) found an option in NetworkManager to disabled using VPN as default route 16:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:12 < krzie> np AnAnt 16:13 < krzie> MarcWeber, yes thats a ptp tun 16:14 < MarcWeber> krzie Have you seen my picture? 16:14 < krzie> i have 16:14 < MarcWeber> So is a ptp tun the right tool ? 16:14 < krzie> your NAT is wrong 16:15 -!- AnAnt_ [n=anant@41.237.147.119] has joined ##openvpn 16:15 < AnAnt_> krzie: thanks, solved ! 16:15 < AnAnt_> krzie: 1) used tun, 2) found an option in NetworkManager to disabled using VPN as default route 16:15 < krzie> yup, good job =] 16:15 < krzie> MarcWeber your NAT is wrong 16:16 < krzie> why would packets coming from the vpn have a src address of 192.168.2.0/24 when the vpn uses 10.8.0.2 10.8.0.1 16:16 < MarcWeber> krzie Because I routed them into the tunnel this way? 16:16 < krzie> wrong! 
16:16 < krzie> !linnat 16:16 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 16:16 < MarcWeber> http://rafb.net/p/3DhW1I15.html @ krzie line 24 16:16 < vpnHelper> Title: Nopaste - No description (at rafb.net) 16:16 < krzie> you want the command EXACTLY as i have it in #1 16:17 < AnAnt_> krzie: now I got a question, the subnet @ server side is 192.168.1.x, what if the subnet @ client side is also 192.168.1.x , will I be able to access both internet websites & vpn sites at the same time ? 16:17 < krzie> anayou will break routing in that situation 16:17 < krzie> err 16:17 < AnAnt_> krzie: ok, I thought so 16:18 < krzie> which is why its nice to make sure to use some wierd lan number for lans where you connect the whole lan to ovpn 16:18 < krzie> like your client's lan is(assuming a road-warrior setup) 16:18 < krzie> if people wont be logging in from unknown locations, it dont matter much 16:19 < AnAnt_> ok 16:19 < krzie> anant_, if you wil be adding more lans, you may find my routing writeup handy 16:19 < krzie> !route 16:19 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:19 < krzie> or if you just wanna learn more about openvpn routing 16:20 < MarcWeber> krzie First of all it worked. You'r setup (#1) says -s 10.8.0.0/24, but my local LAN is 192.168.2.*. I can't do nat on the client because I need the 192.168.2.x ips on the vserver to do traffic shaping. 
16:21 < krzie> YOU ARENT NATing YOUR LOCAL LAN 16:21 < krzie> you need to nat your vpn lan 16:22 < krzie> the vpn subnet rather 16:22 < krzie> and for traffic shaping 16:22 < krzie> see --shaper in the manpage 16:22 < krzie> !man 16:22 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:23 < AnAnt_> krzie: thanks for the help 16:23 < AnAnt_> bye 16:23 -!- AnAnt_ [n=anant@41.237.147.119] has quit ["leaving"] 16:26 < MarcWeber> krzie That's new option I didn't knew about. I thought I had to use tc commands (which can be created by tcng) 16:26 < MarcWeber> I'll read more vpn documentation first to understand what you've said 16:28 < krzie> sounds good 16:28 < krzie> remember, you're contacting the cliuent over the tunnel 16:28 < krzie> which has a 10.8.0.x ip 16:28 < krzie> so your packets will come with that source address 16:29 < krzie> and THAT will be the ip that needs to be NATed 16:29 < krzie> anything else will be lulz 16:29 -!- AnAnt [n=anant@217.139.224.193] has quit [Read error: 110 (Connection timed out)] 16:42 < MarcWeber> You say I can't sent a package originating from 192.168.x.x through a 10.8.0.1 <----> 10.8.0.2 virtual cable ? 16:42 < krzie> im telling you that you need to nat 10.8.0.x 16:42 < krzie> i dont care if you choose to believe me or not, you came here for help and i gave you the answer 16:43 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 16:44 < krzie> thats all i can do 16:44 < MarcWeber> krzie: At which point will the nat (network adress translation) take place exactly? Must this be done on the client (before entering the tunnel) or at the end of the tunnel? 
16:44 < krzie> the side that is being routed through 16:45 < krzie> packets go from A to B to inet, B needs to NAT the vpn network 17:12 < dan__t> hmm 17:16 -!- blahdeblah [n=paulgear@124-171-161-177.dyn.iinet.net.au] has quit ["Leaving."] 17:16 -!- mtoledo [n=user@189.102.205.95] has joined ##openvpn 17:44 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn 17:44 < hagna> so what do you do to avoid conflicts between two clients on the same subnet? 17:44 < krzie> change one 17:45 < hagna> on the client side or sever side? 17:45 < krzie> same subnet different network, and not sharing the LAN behind it = no problem 17:46 < krzie> same subnet different network, sharing both LANs = change a lan subnet 17:46 < krzie> same subnet same network = only connect 1 and route to the rest through that 17:46 < hagna> I thin kit's one 17:47 < krzie> its one what 17:47 < hagna> the server is connected to both lans but both lans don't need to connect to each other 17:47 < hagna> the first one 17:47 < krzie> so you're using iroutes fort exampke... 17:47 < krzie> for example 17:47 < hagna> um what's that? 17:48 < krzie> the way you access a lan behind a client... 17:48 < krzie> oh #1 was not sharing the lan behind the client 17:48 < krzie> ok there should be no problem then 17:48 < krzie> are you having a problem? 17:48 < hagna> oh yeah right they are setup to route properly to the server machine (it's just one machine and not a network) 17:48 < hagna> I haven't done it yet I'm just trying to understand 17:49 < hagna> the problem I see is 17:50 < hagna> what is the server wants to ping machine 7 in lan 1 but there is also a machine 7 in lan 2 17:50 < hagna> /is/if 17:51 < hagna> I guess I need NAT on the server 17:51 < hagna> krzie: am I making sense? 
17:52 < krzie> no 17:52 < krzie> you shouldnt be accessing ANYTHING in the lan 17:52 < krzie> just the vpn ip 17:53 < krzie> unless you're sharing the lan, in which case you are using #2 not #1 17:53 < hagna> ahh ok #2 then 17:53 < krzie> then you must change a lan and read !route 17:53 < krzie> !route 17:53 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:53 < hagna> but lans don't need to route to each other 17:54 < krzie> then dont use client-to-client and dont push their routes 17:54 < hagna> so what do you do on the server to avoid collisions? 17:55 < krzie> the point of my writeup is for you to understand what ever command does, so you can change it to fit your needs 17:55 < krzie> not to just give you every command to use 17:55 < krzie> YOU CHANGE A NETWORK! 17:55 < dan__t> heh 17:55 < hagna> not sure what that means yet :), but I'm reading your writeup 17:55 < krzie> dude 17:56 < krzie> your problem will be they are on the same subnet 17:56 < dan__t> So would client-to-client be used if I wanted to basically turn OpenVPN in to a bridge? 17:56 < krzie> SO YOU CHANGE ONE 17:56 < dan__t> Well, not a real "bridge" in the L2 sense... 17:56 < krzie> a bridge would be for layer2 17:56 < dan__t> But connecting two networks, where one side might provide all services such as DHCP and DNS and such? 17:56 < krzie> client-to-client allows packets to pass from 1 client to another 17:56 < krzie> dhcp is layer2 17:56 < dan__t> Right, so what if I simply wanted to extend an existing network 17:56 < dan__t> Then I want OpenVPN to relay DHCP. 17:57 < krzie> then you use a bridge, which is a terrible reason to use a bridge 17:57 < krzie> screw dhcp 17:57 < dan__t> heh 17:57 < krzie> just make it so the lans can talk 17:57 < krzie> like in !route example 17:57 < dan__t> That's all I want. 
17:58 < dan__t> I want OpenVPN's client IP pool to come from network A's space 17:58 < krzie> *shrug* upto you 17:58 < krzie> why? 17:58 < dan__t> Well yeah, I'm just wondering the best way to achieve that overall goal. 17:59 < dan__t> I want office A and office B to be in the same IP space 17:59 < dan__t> Same subnet, even. 17:59 < krzie> if one is 10.1.0.x and other is 10.1.1.x, other is 10.1.2.x, but all can communicate with no problem, whats the problem? 17:59 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)] 17:59 < krzie> but why? 17:59 < krzie> is there an actual point? 17:59 < krzie> in large businesses they break up subnets in the same building 17:59 < dan__t> Being that office A might only have a /24 17:59 < krzie> you're trying to do the opposite, makes no sense to me 17:59 < dan__t> I understand how subnetting works. 18:00 < dan__t> I guarantee you. 18:00 < dan__t> I promise :) 18:00 < krzie> ok 18:00 < krzie> well ya you can do it with a bridge 18:00 < krzie> a layer2 bridge 18:00 < krzie> i wouldnt, but you know what you're doing... 18:00 < dan__t> Yeah, I used "bridge" in a general sense, not a true networking sense. 18:00 < krzie> but you want it in a true networking sense 18:00 < dan__t> I also guarantee you unequivably beyond a shadow of a doubt that I actually know what I'm talking about. 18:01 < dan__t> I just don't know how to achieve this in OpenVPN. 18:01 < krzie> now you do, a bridge 18:02 < hagna> so network B has 10.1.1.x and you want it to access a machine in network A 10.1.0.x? 18:02 < krzie> tap, and --server-bridge 18:03 < krzie> hagna, no he wants all clients to recieve ips from the server's dhcp pool 18:03 < krzie> so network A has 10.0.0.x lets say, he wants b and c to get ips from 10.0.0.x as well 18:03 < dan__t> Notice I said *POOL*, not *SERVER*. 
18:03 < krzie> i said pool as well 18:03 < dan__t> So I can simply assign that designated POOL to OpenVPN to give to clients on office B 18:04 < krzie> right 18:04 < krzie> you tell your lan dhcp server to not touch a certain part of the pool 18:04 < krzie> then you tell openvpn to feel free to hand them out 18:04 < krzie> OR you tell openvpn to let the clients grab from dhcp 18:04 < krzie> read --server-bridge 18:04 < krzie> !bridge 18:04 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 18:04 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses. 18:04 < krzie> !forget bridge 4 18:04 < vpnHelper> krzie: Joo got it. 18:04 < dan__t> Got it. 18:05 < krzie> !learn bridge as useful for anything where the protocol uses MAC addresses instead of IP addresses. (but not samba, see !wins) 18:05 < vpnHelper> krzie: Joo got it. 18:06 < dan__t> word. 18:07 < dan__t> thanks. 18:07 < krzie> yw 18:08 < hagna> um so when you said CHANGE ONE earlier did you mean the ip of the conflicting machine on the other lan or the client openvpn configuration on the lan or the server configuration? 18:08 < krzie> change the ip space of the lan 18:09 < hagna> and if that's not an option couldn't I use NAT on the server? 
18:09 < krzie> i guess 18:09 < krzie> have fun with that 18:09 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has quit [Connection timed out] 18:09 < krzie> ugly hack 18:09 < hagna> heh 18:09 < krzie> better to just do it right 18:10 < hagna> I don't have control over the ip space of the lan 18:10 < krzie> you have someone there who is admin enough to get ovpn installed for you 18:10 < krzie> tell him to login to the router and change that shit 18:10 < hagna> heh I'm the admin 18:10 < hagna> that's how I know 18:10 < krzie> then do it yourself, lol 18:11 < krzie> i havnt heard of a router or other dhcp server in the world that wont let you change the lan ip space 18:11 < hagna> yeah I agree 18:12 < hagna> I'm just talking about what to do when you get collisions between two lans 18:12 < krzie> change one's lan ip space! 18:12 < krzie> (for like the 4th time) 18:12 < hagna> that's not the question really 18:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:12 < hagna> it's more how do you detect a collision 18:12 < krzie> by knowing that you have 2 lans you're routing to that are = 18:13 < krzie> i guess grep iroute ccd/* would make that easy enough 18:13 < hagna> that's good for manually 18:13 < krzie> you only add them manually 18:13 < krzie> if you dont add the iroute in ccd entry, you arent routing to their lan 18:13 < krzie> so theres no issue 18:14 < hagna> ok well it's been fun 18:14 < krzie> same 18:14 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"] 18:14 < krzie> lulz 18:16 < MarcWeber> krzie: I've found my problem: I did forget a RETURN so the first mark was overriden by a second one. Everything seems to be working fine now. Thank you for your support. 18:16 < dan__t> haha 18:16 < krzie> you saying you didnt need to nat vpn_subnet? 18:17 < MarcWeber> krzie: Let me paste the whole setup to rafb.net. 
Give some seconds to prepare 18:17 < krzie> sure 18:17 < krzie> im just curious from what you said if you didnt nat 10.8.0.x 18:18 < krzie> its working so dont bother wasting the time to paste 18:58 < MarcWeber> http://rafb.net/p/otoTuo86.html @ krzie 18:58 < vpnHelper> Title: Nopaste - No description (at rafb.net) 19:01 -!- innnit [n=andre@92.40.202.113.sub.mbb.three.co.uk] has quit ["Leaving."] 19:02 < MarcWeber> krzie: Does this answer all your questions? 19:07 < krzie> cool, enjoy 19:35 < MarcWeber> One last question :-) Having a subnet A ==== B ==== C == D where A,B,C,B are connected by a network hub and D is the router connected to the ISP. Can I make B route its packages via A without VPN and without having the router send the package as well (the router is on the same wire and will forward all packages adressed to the internet, correct?) 19:36 < MarcWeber> The TCP/IP protocol doesn't contain a "router" field or such, only destination and source, right? 19:40 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 19:43 < krzie> sure 19:43 < krzie> as shown in !route under the picture 19:43 < krzie> you can choose between 2 options 19:44 < krzie> 1) adding the route on the router, benefit is you only add it on 1 machine and all work 19:44 < krzie> or 2) add the route on the local machine (B in your example), benefit is only B has the route and you dont need to touch the router 19:45 < MarcWeber> Wired. I've tried route add default gw A and the packages didn't show up on its eth0.. 19:46 < krzie> packets should be going over the vpn at the vpn address, and therefor the route should be for that address 19:46 < krzie> as oposed to the lan address 19:46 < krzie> you say your nat was on the lan address on and vpn address, i dont believe that should work, but if you're happy thats as far as i care 19:47 < MarcWeber> It does. But only for the client beeing connected to the vpn server.. 
19:47 < MarcWeber> So does a TCP/IP package contain a "route to " IP shadowing the real destination (such as www.google.de) ? 19:48 < MarcWeber> It would have been easiest to not setup VPN on all the pcs on the LAN. Anyway I'm really tired now. I have to go to bed. 19:55 -!- olger901 [n=olger901@cable-159-18.zeelandnet.nl] has quit [] 20:08 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:08 -!- theDoc [n=andelyx@119.73.165.162] has quit [Remote closed the connection] 20:08 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:12 < krzie> no 20:12 < krzie> each packet gets routed according to the routing table on the machine passing it to the next place 20:13 < krzie> theres a src and a dst 20:13 < krzie> the most specific matching route matching dst will be the path the packet takes 20:13 < krzie> then dst will reply back to src when the time comes 20:14 < krzie> NAT is a matter of rewriting the src 20:14 < krzie> and then rewriting the dst as the packet comes back 20:35 -!- miguelcma [n=miguelcm@87.196.144.39] has joined ##openvpn 20:36 < miguelcma> hi all :) 20:36 < krzie> hey 20:37 < miguelcma> i'm trying to do a redudant openvpn network, with 3 servers connected each other, with ospf discovering the best route on the network 20:37 < miguelcma> it is working very good 20:38 < miguelcma> except one thing... when i disconnect a link, some routes doesn't work. and i discovered the problem is with "iroute" rules 20:38 < krzie> so you have clients with lans behind them? 20:38 < miguelcma> yes 20:38 < miguelcma> is there any way to remove that "iroutes" and use only "route"? 20:39 < krzie> no 20:39 < krzie> !iroute 20:39 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. 
Also see !route and !ccd 20:39 < miguelcma> the sittuation is very difficult to explain here, but the problem is with "iroutes" 20:39 < krzie> but if you have the same ccd entries on every server ild think it would work fine 20:39 < krzie> oh except that then every machine needs to know to route through that server 20:39 < krzie> i see what your prob is 20:39 < krzie> no clue how you'd fix it tho 20:39 < miguelcma> yes, that is the problem :\ 20:40 < krzie> ild think instead of 100% redundant like that you could just have 3 servers that arent all used at same time 20:40 < krzie> and use stuff to choose what to connect to 20:40 < krzie> so when server1 dies, they all connect to server2 20:40 < krzie> when that dies, they all connect to server3 20:41 < krzie> i believe you can have them connect back to server1 when its up 20:41 < krzie> read all about stuff in 2.1 manual 20:41 < krzie> !man 20:41 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:41 < miguelcma> yes, that's what I'm trying to do 20:41 < miguelcma> but, how can I have all them onnected to the other server? 
20:41 < krzie> you are trying to have all 3 servers connected at same time
20:41 < krzie> im saying thats the problem
20:42 < miguelcma> no, because i have ospf between them
20:42 < krzie> sounds like because you need iroute stuff, you gotta only use 1 server at a time
20:42 < miguelcma> ospf finds the best route
20:42 < krzie> like failover instead of redundant
20:42 < miguelcma> the problem is that i don't know to which server each client is connected
20:43 < krzie> ya it sounds like a tough spot to be in
20:43 < krzie> not sure how you're gunna fix that one, maybe someone else has an idea, i suggest the mail list
20:43 < krzie> !mail
20:43 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives
20:44 < krzie> !forget mail 3
20:44 < vpnHelper> krzie: Joo got it.
20:45 < miguelcma> http://miguel.martinsalmeida.com/stuff/network.pdf
20:45 < miguelcma> this is my situation
20:45 < krzie> i see where the problems come from
20:45 < krzie> its just the solutions im not sure of
20:45 < miguelcma> sede can ping everyone, but not 10.88.1.1, nor 10.88.1.1
20:45 < miguelcma> i really don't know what to do
20:46 < miguelcma> ospf is giving me the best route.. its working very well.. the problem is only with openvpn :\
20:46 < krzie> but not 10.88.1.1, nor 10.88.1.1
20:47 < miguelcma> 10.88.1.9, nor 10.88.1.1
20:47 < krzie> ahh
20:47 < krzie> without ospf you can ping it?
20:47 < miguelcma> no
20:48 < krzie> VPS is a server?
20:48 < miguelcma> i don't have any "route" rules configured on openvpn
20:48 < krzie> or a client?
20:48 < miguelcma> yes, all the three are servers
20:48 < krzie> how are they connected to each other?
20:48 < miguelcma> each one connected to the other
20:48 < krzie> servers dont make outbound connections
20:48 < miguelcma> server-client
20:48 < krzie> !configs
20:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:48 -!- afonso [n=afonso@bl11-12-251.dsl.telepac.pt] has joined ##openvpn
20:49 < krzie> so each machine runs a client and a server?
20:49 < miguelcma> oh, i'm using "topology subnet"
20:49 < miguelcma> yes
20:49 < krzie> and you have iroute stuff in ccd entries?
20:49 < miguelcma> i'll pastebin
20:50 < krzie> also read !route
20:50 < krzie> a lot wont apply to you, but it will very much help to be familiar with the standard way to set this stuff up without all the complication you are adding
20:50 < krzie> to understand every command as it relates in openvpn
20:51 < krzie> like iroute and its relationship to route
20:51 < krzie> !route
20:51 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:51 < miguelcma> http://pastebin.com/m300f1080
20:51 < krzie> #
20:51 < krzie> root@VPS # cat /etc/openvpn/ccd/sede
20:51 < krzie> #
20:51 < krzie> onfig-push 10.88.1.254 255.255.255.0
20:52 < krzie> i take it that some got cut off, right?
20:52 < miguelcma> oh, sry, it was the copy/paste.. it is ok on the server
20:52 < ecrist> GOOD EVENING, FUCKERS
20:52 < krzie> ok
20:52 < krzie> ecrist, ready for some mental rubix cube of a setup?
20:52 < krzie> check out what miguelcma is doing
20:52 < krzie> haha
20:53 < miguelcma> eheh
20:53 * ecrist reads up
20:54 < krzie> miguelcma, and does castrodaire have a route back to every vpn network that may access it through VPS's lan ip?
20:54 < miguelcma> the router or the lan?
20:54 < krzie> router
20:54 < miguelcma> yes
20:55 < miguelcma> the first three routes
20:55 < krzie> tcpdump shows that the ping gets to castrodaire?
20:55 < miguelcma> tcpdump -i tun0 icmp ?
20:55 < ecrist> I'm skipping lots, but why not run tap, allowing all the servers to simply be transport? do routing higher up the OSI, where it belongs.
20:55 < ecrist> routed isn't the right technology to use for your setup
20:55 < krzie> hrm, nice point
20:56 < krzie> this is a job for tap
20:56 < krzie> ecrist with the win
20:56 < miguelcma> hum, really?
20:56 < ecrist> yep
20:56 < krzie> im so used to saying "DONT USE TAP" that i didnt think of that
20:56 < miguelcma> i don't know very well how tap works
20:56 < miguelcma> lol
20:56 < krzie> it connects at layer2
20:57 < krzie> basically bridging all of them
20:57 < krzie> well optionally bridging them all
20:57 < krzie> but for you, bridging them all =]
20:57 < miguelcma> i can use the same multiple lans and multiple servers for redundancy?
20:58 < afonso> the 3 servers are not directly connected. i don't think you can use layer2
20:58 * karlpinc lusts after a supported cross-compile from Linux to Windows
20:58 < krzie> yes, but without worrying about iroute and whatnot
20:58 < afonso> it's just a simulation
20:58 < krzie> afonso, thats what tap is for
20:58 < krzie> connecting them at layer2 when NOT directly connected
20:59 < krzie> if they were plugged into each other he could use a bridge without vpn
20:59 < afonso> humm, sorry then
20:59 < krzie> unless i misunderstood you
20:59 < karlpinc> I don't suppose there's any way to get Windows binaries etc without the installer? (Aside from building my own that is.)
21:00 < miguelcma> with a bridge connecting all of them, i will need a centralized dhcp server?
21:00 < krzie> openvpn can act as one, or you can have one
21:00 < krzie> your choice
21:00 < krzie> see --server-bridge
21:02 < miguelcma> hum... i think i have a lot to read tonight :p
21:02 < afonso> krzie: it makes sense... i've been helping miguelcma with this project for so many hours now, i couldn't see another solution.
21:03 < krzie> shiet ild have a lot to read for a couple days doing your setup
21:03 < krzie> and ive been here helping people for like a yr or 2
21:04 < miguelcma> lol
21:04 < afonso> krzie: since OSPF is working so well, don't you think there may be a way to do the iroutes right?
21:05 < afonso> krzie: it's a little hard at this point to drop everything already done.
21:06 < krzie> the iroutes are right
21:06 < krzie> *shrug*
21:06 < afonso> the routing table in the kernel works perfectly
21:06 < krzie> ecrist was right
21:06 < krzie> this should be a shitton easier connecting them all at layer2 and letting your ospf layer3 stuff handle routing
21:07 < afonso> do we really need OSPF if we connect everything layer2?
21:13 < krzie> let me go back to my original suggestion
21:13 < krzie> mail list
21:13 < krzie> theres some experts in exactly this on the list
21:13 < krzie> it wouldnt be the first thread of this nature
21:14 < krzie> and would be nice to have a nice archive on it for my bot to link to
21:14 < krzie> !mail
21:14 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
21:18 -!- prxtien [n=pro@teamaustralia.net.au] has quit [Read error: 110 (Connection timed out)]
21:18 < afonso> !iroute
21:18 < vpnHelper> afonso: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
21:25 < ecrist> ospf would still be used
21:26 < ecrist> s/would/could/
21:27 < ecrist> though not really needed
21:27 < ecrist> the remote network routing address would keep the same static IP
21:30 < ecrist> so, with bridging, they're all on the same network, ARP would figure out how to get to the router, not OSPF
21:30 < ecrist> OSPF could be used if you're worried about link cost and multi-homing your connections 'properly'
21:30 < ecrist> but, i'm done talking to myself.
21:33 < afonso> i'm listening...
21:33 < miguelcma> ecrist: yes, the best path is important in this setup
21:43 < afonso> is there any way to add iroutes only when a client connects? and remove them when it disconnects?
21:44 < krzie> thats the only time they are active
21:44 < krzie> bbl
21:45 < afonso> the problem is that some iroute should be inactive when certain clients connect
21:47 < afonso> for instance, iroute 10.88.1.0 255.255.255.0 should be present iff it could not connect to server 10.88.1.1
21:48 < afonso> i can't find a way to do this
21:50 < ecrist> iroutes are only in effect when that client is connected.
21:56 < afonso> i don't understand why adding too many iroute rules can make a connection stop working then
21:57 < ecrist> are they being added to ccd, or to main config?
21:58 < afonso> ccd
22:01 < ecrist> you shouldn't have too many problems, unless you've got more than 100 routes
22:03 < afonso> are iroutes taken into account before kernel routes?
22:03 < ecrist> depends
22:03 < afonso> because the problem seems to be there...
22:05 < ecrist> well, openvpn has its own internal routing mechanism for vpn routes. that's processed first for traffic to/from tun/tap devices, kernel second
22:05 < afonso> kernel routing table says to go through tun1 to reach 10.88.2.0 and iroutes state i can reach 10.88.2.0 in tun0
22:05 < ecrist> I'm telling you, use tap.
22:05 < afonso> ok, you're probably right
22:05 < afonso> i give up! :(
22:06 < ecrist> you can still use OSPF. but you're trying to route over a fairly rigid structure. bridging opens the flexibility back up.
22:07 * ecrist goes to bed.
22:08 < afonso> ok, ty ecrist
22:08 < afonso> sleep tight
22:08 < miguelcma> thanks too
22:13 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn
22:17 -!- afonso [n=afonso@bl11-12-251.dsl.telepac.pt] has quit []
22:18 -!- miguelcma [n=miguelcm@87.196.144.39] has quit ["Leaving"]
23:57 -!- sartan [n=JP@S0106000f66a59cb0.cg.shawcable.net] has joined ##openvpn
23:58 < sartan> Conceptually, is there any functionality directly within openvpn for policy routing? Checking executable names in userspace, checking tcp/ip ports in networkland, etc? If criteria matches, use openvpn; otherwise, use default system routing
--- Day changed Tue Apr 07 2009
00:00 < sartan> I suppose it counts that i'll look at openvpn on windows.. on linux i'd just bust out iptables for this sort of thing.
00:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:26 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
00:27 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
00:28 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
00:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
00:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
00:48 < theDoc> Say guys, has anyone managed to get a WindowsXP/Vista box to set up the vpn tunnel using its own "create new network" option?
00:48 < theDoc> I can get it to work with the open-vpn gui client, no dice with Windows' default.
01:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:06 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
01:12 < zheng> HI, all, In openvpn internal VIRTUAL Route Table, tap mode uses virtual MAC address, but tun mode uses virtual IP
01:12 < zheng> address?
01:12 < zheng> why?
01:12 < zheng> In TAP mode, can it use Virtual IP Address?
01:29 < reiffert> moin
01:30 < reiffert> zheng: tap handles ethernet frames
01:30 < reiffert> zheng: tun cares about IP packets.
01:31 < zheng> reiffert, yes, tap handles ether frames, but why can't it route by virtual IP? like normal IP packets?
01:34 < zheng> I think it is probably possible to route Virtual IP packets by Virtual IP Address.
01:34 < zheng> now I'm reading the source.
01:41 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
01:42 -!- sartan [n=JP@S0106000f66a59cb0.cg.shawcable.net] has left ##openvpn ["no"]
01:45 < dazo> theDoc: The "Create new network" option does not support OpenVPN, afaik ... it's only for PPTP VPNs afaik ... might be that other commercial ones use an API to integrate into this GUI, but that's just guessing from my side
01:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:49 < theDoc> dazo: Ahh, I see.
01:50 < theDoc> No wonder I couldn't get it to work.
01:50 < theDoc> heh
01:50 < dazo> heh
01:52 < dazo> That's both the advantage and disadvantage of OpenVPN ... it's not integrated into any OS at all, just a tiny separate piece of software ... you won't be able to use such integrated APIs, but it's darn flexible when you begin to configure it
01:53 < theDoc> dazo: Yes, however it'll be even better if OSes started supporting openvpn using their integrated APIs.
01:53 < theDoc> I can see how a lot of people can capitalize on that.
01:54 < dazo> theDoc: Not sure MS is too much interested in that .... as they have their own PPTP ... other vendors most probably pay MS money to get the API ....
01:54 < dazo> it would benefit a lot of companies with this API more open .... but not MS
01:55 < theDoc> dazo: MS probably doesn't bother.
01:55 < theDoc> However, it'll be good for SMEs.
01:55 < dazo> theDoc: when it comes to Open Source ... they bother ... to ignore it as much as possible :-P
01:56 < theDoc> dazo: Oh right, while the rest of us proceed on with OS stuff, microsoft continues to hide in the corner playing with himself.
01:58 < dazo> exactly ... even though, it must be said ... they do _seem_ to improve, beginning to participate in Open Source communities ... but nobody knows if that's just another attempt of their EEE strategy ...
01:59 < theDoc> I'm guessing it's another attempt.
01:59 < theDoc> Windows 7 was a step in the right direction though
01:59 < theDoc> I'd like to see openvpn being integrated into many different OSes.
01:59 < theDoc> Support for clients I mean
02:01 < dazo> true enough
02:02 < theDoc> Right now, since I'm starting my vpn service, I'd be forcing all my clients to be installing a copy of openvpn-gui ;p
02:02 < theDoc> gack!
02:10 < dazo> mm ... many people try to create their own installer somehow for windows, which contains a minimalistic config file, which relies on the server pushing whatever can be pushed from server to clients
02:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:16 < theDoc> dazo: Yeah, I'll do that
02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
04:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:40 -!- detys [n=admin@ks31179.kimsufi.com] has joined ##openvpn
04:40 < detys> Hi
04:40 < detys> I'm trying to give my clients a fixed IP
04:41 < detys> I've got this in my server config
04:41 < detys> route 10.9.0.0 255.255.255.252
04:41 < detys> and I've got this in my iptables
04:41 < detys> MASQUERADE all -- 10.9.0.0/30 anywhere
04:41 < detys> Now it works for client1 with
04:41 < detys> ifconfig-push 10.9.0.2 10.9.0.1
04:42 < detys> but for client2 with ifconfig-push 10.9.0.10 10.9.0.9
04:42 < detys> openvpn connects OK
04:42 < detys> but webtraffic doesn't work
04:42 < detys> I haven't tested other sorts of traffic
04:42 < detys> but it works fine for client1
04:43 < detys> can someone help me out please?
04:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:55 < reiffert> see what --server expands to, it might be that you are missing a push "route ..."
05:06 -!- coChosh9 [i=coChosh9@gateway/tor/x-91204993eac4b3af] has joined ##openvpn
05:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:32 -!- detys [n=admin@ks31179.kimsufi.com] has quit ["Leaving"]
05:32 -!- detys [n=admin@ks31179.kimsufi.com] has joined ##openvpn
05:32 < detys> hey thanks i fixed it
05:32 < detys> turns out my iptables wasn't up to date
05:33 < detys> i just had to run iptables-restore -c < /etc/iptables.rules
05:33 < detys> One thing though
05:33 < detys> I have revoked client5
05:33 < detys> but now I can't generate a new client5
05:33 < detys> if I do ./build-key client5. The client5.key and client5.crt have the same checksum as the old one
05:34 < detys> so I can't use that common name anymore?
05:34 < detys> How can I generate a new client5 that isn't blacklisted
05:38 -!- coChosh9 [i=coChosh9@gateway/tor/x-91204993eac4b3af] has quit [Remote closed the connection]
05:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
06:04 -!- coChosh9 [i=coChosh9@gateway/tor/x-81848008e69e8d21] has joined ##openvpn
06:07 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
06:10 -!- coChosh9 [i=coChosh9@gateway/tor/x-81848008e69e8d21] has quit [Remote closed the connection]
06:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:29 < MarcWeber> (LAN: A - B - C - D ) and ( B - slow internet connection - vserver )
06:29 < MarcWeber> Now I'd like to route the traffic from A - B - C ( D is the router ) through the VPN tunnel B - vserver.
06:30 < MarcWeber> Is the best way to do this to create a VPN with B being the server on the LAN and then make B route traffic to v-server (the routing to the vserver does already work)
06:38 -!- coChosh9 [i=coChosh9@gateway/tor/x-dbde9b43a7be8a1a] has joined ##openvpn
06:40 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
06:59 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)]
07:03 -!- detys [n=admin@ks31179.kimsufi.com] has quit [Remote closed the connection]
07:22 < MarcWeber> What is the relation between command line options and configuration file options? I've seen that some command line options such as --server network mask can expand to multiple configuration file options, right?
07:22 < MarcWeber> Can I put all command line options into the config file equally well?
07:26 < dazo> MarcWeber: yes you can ... all options (except --config, I presume) can be put into a config file, by removing the '--'
07:27 < dazo> MarcWeber: for multiple config files, that's doable with client specific configs ... --client-config-dir
07:41 < MarcWeber> --mktun and --rmtun are just wrappers for os specific commands, right?
07:48 < onats> guys, a little bit of OT here.. anyone know how to pair a nokia phone using hcitools/rfcomm?
07:52 < MarcWeber> onats: Maybe also try ##networking. I've no idea.
07:53 < dazo> onats: have you looked into /etc/rfcomm.conf (or wherever that config is located)
07:54 < onats> dazo, yes... have been looking...
07:54 < dazo> onats: I believe you mainly had to setup the HW "mac" address of the phone here ... start rfcommd and then do a connect with the rfcomm cli
07:54 < dazo> it's ages since I used that now
07:55 * dazo converted to Sony Ericsson ... which gives you bnep0 interface instead, which is a pure network card
07:58 -!- mtoledo [n=user@189.102.205.95] has quit [Read error: 110 (Connection timed out)]
08:04 < onats> i only have nokia phones available here... :(
08:04 < onats> maybe you have your old config files lying around there?
08:05 < dazo> onats: sorry .... I've had Sony Ericsson for 4 years and have changed laptop twice in between ....
08:05 < dazo> onats: I'll have a quick look if I still have a bookmark somewhere
08:06 < dazo> onats: http://www.spiration.co.uk/post/1307/Ubuntu%20Linux%20-%20Bluetooth%20and%20GPRS%20dialup%20connection ... have you seen this? it's pretty close to what I setup
08:06 < vpnHelper> Title: Ubuntu Linux - Bluetooth and GPRS dialup connection (at www.spiration.co.uk)
08:07 < dazo> onats: http://users.tkk.fi/u/kehannin/bluetooth/bluetooth.html ... this might also be interesting
08:07 < vpnHelper> Title: Linux USB Bluetooth <-> Nokia 6310i (at users.tkk.fi)
08:08 < onats> o
08:08 < onats> i've seen the 2nd link, which i followed earlier
08:08 < onats> the first one has tools specific to ubuntu (no package on openwrt)...
08:08 < onats> anyway, my problem is the PIN from the x86 machine seems to not be being presented to the phone...
08:09 < dazo> onats: well, it's not specific tools for ubuntu ... it's standard bluez utilities
08:10 < onats> the bluez-pin?
08:10 -!- mtoledo [n=user@201-93-152-83.dsl.telesp.net.br] has joined ##openvpn
08:11 < dazo> onats: bluez-pin is a default "hack" to use a fixed pin code when pairing phones and Linux
08:12 < dazo> onats: what you basically need is the kernel modules (rfcomm, l2cap, etc) ... hcitool and rfcomm
08:12 < onats> dazo, already there..
08:13 < onats> how do i force the PC side to present the PIN?
08:13 < onats> a static pin even
08:14 < dazo> onats: then start rfcomm with rfcomm bind rfcomm0 ... then you should have /dev/rfcomm0
08:14 < dazo> aha
08:14 < dazo> hmm
08:14 * dazo things
08:14 * dazo thinks
08:14 < onats> i already have rfcomm0...
08:14 < onats> and 1 for the other phone
08:15 < ecrist> morning, folks
08:15 < onats> morning ecrist
08:16 < dazo> onats: http://www.summet.com/blog/2007/01/09/pairing-devices-with-linux-bluez/ ... could this help you out?
08:16 < vpnHelper> Title: Jays Technical Talk Forced pairing of devices with Linux BlueZ (at www.summet.com)
08:16 < dazo> ecrist: morning
08:16 < dazo> onats: /etc/bluetooth/hcid.conf .. this is where you set which pin-code program to use
08:17 * dazo begins to refresh old knowledge
08:17 < onats> dazo, pin_helper?
08:18 < dazo> onats: in some bluez version, I believe the behaviour changed ... so after a certain version, you could even set the static key in this config file directly
08:18 < onats> lemme paste my hcid.conf
08:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:19 < dazo> man hcid.conf
08:20 < onats> http://pastebin.ca/1384871
08:21 < onats> yup
08:21 < dazo> onats: security none|auto|user
08:21 < dazo> none means the security manager is disabled. auto uses local PIN, by default from pin_code, for
08:21 < dazo> incoming connections. user always asks the user for a PIN.
08:21 < onats> i set it to 1234, and auto
08:21 < dazo> yepp
08:35 < onats> oh boy
08:44 * ecrist finally gets around to prioritizing packets for the office voip
08:47 < onats> dazo, any other ideas?
08:47 < dazo> onats: hmmm ... not right now ....
08:48 < onats> ok thanks for your help
08:48 < onats> hope to get it up in a few hours time
08:48 < dazo> onats: np! Sorry I'm out of ideas by now
08:50 -!- mtoledo [n=user@201-93-152-83.dsl.telesp.net.br] has quit [Read error: 60 (Operation timed out)]
09:05 -!- dcestari [n=dcestari@190.199.164.160] has joined ##openvpn
09:05 < dcestari> hello everybody
09:06 < ecrist> hi
09:10 -!- SpinaL [n=administ@12.177.178.136] has joined ##openvpn
09:10 < dcestari> I believe I'm having trouble with mtu
09:10 < dcestari> but I'm not sure how to solve it
09:11 < ecrist> !mtu
09:11 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
09:12 < dcestari> I think it's that because in the manual, under --tun-mtu it said "MTU problems often manifest themselves as connections which hang during periods of active usage."
09:12 < dcestari> and that's exactly my issue
09:12 < dcestari> thanks
09:12 < dcestari> I'll check that
09:12 < ecrist> tcp or udp?
09:14 < dcestari> udp
09:15 < dcestari> tcp had troubles
09:15 < dcestari> I had to reconnect all the time
09:15 -!- rhousand [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has quit [Remote closed the connection]
09:16 < SpinaL> Can openvpn use passworded x.509 certs? If so how do you put that in the conf file on the client? I googled for this but was unable to find anything. I have an existing PKI for openswan x.509 certs and would like to continue using it for openvpn certs.
09:18 < ecrist> SpinaL: yes, but you can't put them directly in the config
09:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
09:19 < ecrist> 1) why would you use password-protected certificates, and then store the password in the config?
09:19 < ecrist> 2) you can do this, with compile options for openvpn
09:20 < SpinaL> ecrist so openvpn will prompt for the password?
09:20 < ecrist> yes
09:20 < plaerzen> ecrist, Why do you know so much??
09:21 < ecrist> plaerzen: I don't. I just guess well. ;)
09:22 < plaerzen> ecrist, I myself have the same problem.
09:22 < plaerzen> ecrist, Helps with the paycheck too.
09:23 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
09:24 < SpinaL> ecrist so if all certs are passworded, you would need to be at the console when the server boots to type in the password for its cert?
09:27 < ecrist> yes
09:29 < dazo> SpinaL: why not use password-less certificates ... if you are willing to have the password in a config, what's the point of having password protected certs?
09:29 < dazo> SpinaL: it's also easy enough to remove passwords from certs as well, if you want that too
09:41 -!- coChosh9 [i=coChosh9@gateway/tor/x-dbde9b43a7be8a1a] has quit [Remote closed the connection]
09:50 < dcestari> how do I run a ping mtu test from linux?
09:53 < dcestari> !mtu
09:53 < vpnHelper> dcestari: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
09:55 < dcestari> I ran --mtu-test and it gave me this "NOTE: This connection is unable to accomodate a UDP packet size of 1541. Consider using --fragment or --mssfix options as a workaround."
09:55 -!- coChosh9 [i=coChosh9@gateway/tor/x-7d52f1a163f83292] has joined ##openvpn
09:56 < dcestari> anyone?
10:02 < dcestari> !howto
10:02 < vpnHelper> dcestari: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:07 < dcestari> could anyone help with an mtu problem?
10:11 < ecrist> http://www.engadget.com/2009/04/07/data-robotics-goes-large-with-8-bay-drobopro/?
10:11 < vpnHelper> Title: Data Robotics goes large with 8-bay DroboPro (at www.engadget.com)
10:11 < ecrist> grr
10:11 < ecrist> dcestari: did you see !mtu?
10:11 < dcestari> I did
10:11 -!- mtoledo [n=user@c906c009.virtua.com.br] has joined ##openvpn
10:11 < ecrist> !mtu
10:11 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
10:11 < dcestari> I got an output I could not interpret
10:12 < dcestari> Tue Apr 7 10:19:23 2009 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
10:12 < dcestari> Tue Apr 7 10:22:32 2009 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,541] remote->local=[1541,1437]
10:12 < dcestari> Tue Apr 7 10:22:32 2009 NOTE: This connection is unable to accomodate a UDP packet size of 1541. Consider using --fragment or --mssfix options as a workaround.
10:13 < ecrist> ok, did you look in the man page for --mssfix or --fragment?
10:14 < ecrist> try --link-mtu 541 on the client side
10:15 < dcestari> I did, but I don't know what value to put there
10:15 < dcestari> ok, I'll try that.
10:15 < ecrist> your message tells you
10:15 < ecrist> read it
10:15 < dcestari> I know, you must be used to reading this, but it's not as easy for me.
10:16 < dcestari> I really don't understand the output
10:18 < dcestari> that did it, the link-mtu
10:18 < dcestari> I wonder why.
10:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
10:21 < theDoc> Question guys, is it possible to disable the client from requiring ca.crt to bring the vpn tunnel up?
10:21 < theDoc> That would mean that the server doesn't use its self-signed certs as well.
10:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
10:22 < ecrist> theDoc: so you want to disable encryption?
10:23 < ecrist> !plain
10:23 < vpnHelper> ecrist: Error: "plain" is not a valid command.
10:23 -!- mtoledo` [n=user@189.80.89.234] has joined ##openvpn
10:23 < theDoc> ecrist: Is it possible to still maintain encryption without using the ca.crt?
10:23 < ecrist> how would that work?
10:24 < ecrist> encryption is two ways. you need a private/public key on both ends.
10:24 < theDoc> Ahh, right.
10:24 < ecrist> you could use static keys
10:24 < theDoc> ecrist: Sorry, need to get spanked ;p I got confused for a moment.
10:24 < dazo> asymmetric encryption uses private/public key, the trad. SSL style .... symmetric encryption uses static keys on both sides
10:25 < theDoc> Correct me if I'm wrong but wouldn't asymmetric keys be harder to break in this case?
10:25 < ecrist> theDoc: what do you mean?
10:26 < dazo> theDoc: The asymmetric encryption is mainly used on the control channel... between client and server, so they can use symmetric encryption on the data channel
10:26 < theDoc> I think I should go and redo my PKI lesson ;(
10:26 < dazo> theDoc: A 128 bit symmetric key can be much stronger and harder to crack than a 1024 bit asymmetric key pair
10:27 < kala> dazo: are you sure?
10:27 < dazo> theDoc: and asymmetric encryption is much slower than symmetric ... thus the use of symmetric key on data channel and asymmetric on control channel
10:28 < dazo> kala: yes, because with asymmetric encryption you have at least some known data which can be used to reverse the encryption ... with symmetric you basically have no clue what the encryption key could be
10:28 < kala> theDoc: back to your original question, it should be possible. But then you cannot verify that you are talking to the correct server
10:28 < theDoc> kala: Yes.
10:29 < theDoc> kala: That's what I'm trying to get around, the whole verification of the correct server.
10:29 * dazo read about key strength and differences many years ago ... can try to find resources if interested
10:29 < kala> dazo: why is that?
10:29 -!- dcestari [n=dcestari@190.199.164.160] has quit []
10:29 < kala> dazo: I mean, how come that when asymmetrically encrypting, you have some known data and when symmetrically encrypting, you don't have any known data?
10:29 < dazo> kala: the key point in PKI is to have a unique enough prime number .... the longer key, the bigger prime number
10:30 < dazo> kala: so when you have the public key, it is claimed that it is possible to figure out the prime number through some brute forcing and a lot of calculation time ... when you get a match, you have the decryption key
10:30 < kala> you have the private keyu
10:30 < kala> key
10:31 < kala> not the decryption key
10:31 < dazo> kala: public key is the encryption key ... and through that you can get the prime number needed, to take it one step further to begin cracking the decryption key
10:32 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn
10:33 < dazo> kala: and this is why you need key sizes bigger than >1024 to really have it more safe on PKI ... compared to symmetric encryption where 128 bit gives a very hard and difficult to crack, since you have no clue at all what the encryption key could be
10:33 < kala> anyway, yes you are right, that you could crack the public key and get the private key out of it. Compared to symmetric encryption, you would need to have some chosen cleartext to work with. But I still doubt that it's easier to break 1024 bit RSA than 128 bit Blowfish
10:33 < ecrist> she's a brick and I'm drowning slowly...
10:34 -!- mtoledo [n=user@c906c009.virtua.com.br] has quit [Connection timed out]
10:35 < dazo> kala: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
10:35 < dazo> page 7
10:35 < dazo> page 5, I mean
10:36 < theDoc> Man, this whole security thing takes it all another step ;)
10:36 * theDoc dances around with a Cisco router
10:37 < theDoc> Personally, I thought asymmetric was the more secure one.
10:38 < theDoc> Because 2 keys were required instead of 1 key.
10:38 < kala> dazo: hmm. I must stand corrected :)
10:38 < kala> dazo: "As of 2003[update] RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys." from wikipedia article
10:39 -!- ben1597 [n=ben1597@cs-wlc-136.cs.umn.edu] has joined ##openvpn
10:40 < dazo> theDoc: that's exactly why it is weaker ... because you have a known part of the encryption key ... while in symmetric an attacker will not have any known factors to work out from, which makes it more difficult to crack it
10:40 < dazo> theDoc: the PDF I sent a link to even claims that you need an RSA key with at least a 15K bit key to compare security with AES-256 symmetric
10:41 < dazo> theDoc: so OpenVPN uses a hybrid system ... where the symmetric keys are changed regularly, and exchanged over an asymmetric channel
10:42 < ecrist> !encryption
10:42 < vpnHelper> ecrist: Error: "encryption" is not a valid command.
10:42 < onats> almost done!!!:D
10:42 < ecrist> !learn encryption as Why symetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
10:42 < vpnHelper> ecrist: Joo got it.
10:42 < ben1597> If I can ping through a VPN server to hosts on the subnet of the VPN server (not the VPN subnet), but not be able to SSH into those hosts, what does that tell you?
10:43 < ecrist> you have a firewall issue
10:43 < dazo> ben1597: that it's not working?
10:43 < theDoc> ben1597: sshd is not running
10:43 < ben1597> :-D
10:43 < ecrist> like the topic suggests
10:44 < ben1597> Normally I use a more complex firewall, but for testing purposes I've added rules manually to an empty table.
10:44 < theDoc> !topology
10:44 < vpnHelper> theDoc: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
10:45 < ecrist> ben1597: 99.999% of the time, we're told that the firewall has been reset/cleared/killed/shot in the mouth/etc and the user is mistaken.
10:45 < theDoc> dazo: I could have sworn that many years ago back in school, we were taught that asymmetrical > symmetrical
10:46 -!- mtoledo` [n=user@189.80.89.234] has quit [Read error: 104 (Connection reset by peer)]
10:47 < dazo> theDoc: if you haven't read the cryptology papers on this subject, it's easy to think so ... because the key size is much bigger :) ... but the fact is that it needs to be so big to have at least some security
10:47 < ben1597> I have 4 rules right now (http://pastebin.com/f624a8f3c). Maybe I'm in that .001% ?
10:47 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn
10:48 < ecrist> ben1597: you can ping, which means the VPN works.
10:48 < ecrist> that's all it does.
10:48 < ben1597> yes. and nslookup works too.
10:48 < ecrist> great, then fix your firewall
10:49 < theDoc> dazo: Yes, I was under that impression. Well, thank you for correcting me on that
10:49 < theDoc> ;)
10:49 < dazo> no worries :)
10:50 < ecrist> OpenVPN doesn't allow or block anything, it simply sets up routes or bridges. run a traceroute from the vpn client to the host you're trying to ssh into. if it looks good, the traffic is being blocked somewhere.
10:50 < theDoc> That's more proof that school doesn't always teach the right thing ;p
10:50 < theDoc> ecrist: Well, you forgot the part about encrypting the data ;)
10:50 < dazo> theDoc: unfortunately, there are enough teachers who do not care about staying updated ...
10:50 < ecrist> theDoc: that's an optional feature, enabled by default.
10:51 < theDoc> ecrist: ahh, I see.
10:54 < ben1597> ecrist: Yep; that works.
10:55 < ben1597> I'll take your word for it that OpenVPN isn't to blame.
10:56 < dazo> ben1597: remember also to check the other tables in iptables as well .... as nat, mangle, etc
10:56 < dazo> ben1597: if you have a blocking rule here too, it will stop ... even though the filter table looks nice
10:56 < ben1597> iptables -L lists everything- doesn't it?
10:56 < dazo> ben1597: only filter table
10:56 < ben1597> Oh!
10:56 < dazo> ben1597: use iptables-save .... that will show everything ....
10:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:57 < ben1597> So there is a man behind the curtain.
10:57 < ben1597> Holy crap that's a lot
10:58 < dazo> ben1597: that's one of the "annoying" things with iptables .... people forget that there are other tables as well .... I wish that it didn't list the filter table by default when -t is missing .... that would have sharpened the mind of iptables users
10:58 < ben1597> I am enlightened; thank you.
10:58 < dazo> ben1597: you're welcome :)
10:59 < ecrist> !iptables
10:59 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
10:59 < ecrist> dazo: does that look right?
10:59 < dazo> ecrist: it only manipulates the filter table here too
10:59 < dazo> ecrist: just a sec, and I'll prepare a more comprehensive version
11:00 < ecrist> thanks
11:05 < dazo> ecrist: http://pastebin.com/m583a31ef ... there you have it
11:05 < dazo> ecrist: probably more suitable for a wiki
11:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:08 < ben1597> Could either of you recommend a guide with a good treatment of iptables?
11:09 < dazo> ecrist: it does not touch the raw table ... but people playing with that one usually know how to turn off iptables ... the same for ebtables as well (kind of "layer2" firewalling)
11:09 < theDoc> !iptables
11:09 < vpnHelper> theDoc: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
11:09 < dazo> ben1597: not quite sure what you really want ... as it is a very broad topic ...
11:10 < ben1597> Hopefully something that applies to a setup where the VPN server is the gateway to a NAT'd network.
11:15 < dazo> ben1597: this is a little outdated iptables tutorial ... but the basics are still valid, and should work pretty well still ... http://www.faqs.org/docs/iptables/index.html
11:15 < vpnHelper> Title: Iptables Tutorial 1.1.19 - Firewall (at www.faqs.org)
11:15 < dazo> ben1597: a little bit more updated version: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
11:15 < vpnHelper> Title: Iptables Tutorial 1.2.2 (at iptables-tutorial.frozentux.net)
11:16 < krzee> !mail
11:16 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
11:16 < krzee> (for me)
11:16 < ben1597> Thanks; I'll get reading (openvpn-users too).
11:17 < dazo> ben1597: on the last link (tutorial 1.2.2) ... you can probably start with chapter 3, if you don't want to go really deep into the differences between the different TCP/IP protocols
11:19 < onats> whee! dazo, got it to work!:D
11:19 < dazo> onats: cool!
11:19 < dazo> onats: what was the key?
11:20 < onats> paired from the phone, and commented out part of the 3g.sh script that wants to assign a pin
11:20 < onats> that ate one day of my life
11:20 < onats> actually 2
11:21 < onats> we're going up a mountain resort tomorrow but there's no wifi there
11:21 < onats> i mean no net connection
11:28 < ecrist> !firewall
11:28 < vpnHelper> ecrist: "firewall" is please see http://openvpn.net/man#lbBD for more info
11:28 < ecrist> !learn firewall as see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
11:28 < vpnHelper> ecrist: Joo got it.
11:28 < ecrist> !firewall
11:28 < vpnHelper> ecrist: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
11:29 < ecrist> !learn iptables as see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
11:29 < vpnHelper> ecrist: Joo got it.
11:33 -!- innni2 [n=andre@79-74-126-105.dynamic.dsl.as9105.com] has joined ##openvpn
11:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:44 -!- nemysis [n=nemysis@41-21.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
11:47 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn
11:50 < onats> anyone here have freetime?
11:50 < onats> :D
11:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:56 < ecrist> I'm here. I'm at work, so I have freetime. ;)
11:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:57 < onats> hehehe
11:57 < onats> but its non-vpn related
11:59 < onats> ok to ask?
11:59 < onats> networks related still
12:09 < ecrist> sure
12:14 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 60 (Operation timed out)]
12:17 < onats> ok. am trying to assign dhcp only to wireless interface
12:17 < onats> the wireless clients are able to connect already, but i still can't get ip's from the dhcp
12:18 < onats> is that supposed to come from dnsmasq? or is there a service that has to be running in order to throw out IPs?
12:18 -!- Guest24440 [n=Barry_Tr@64.123.245.253] has joined ##openvpn
12:19 < ecrist> onats: I don't know dnsmasq
12:19 < onats> alright
12:19 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
12:19 < Guest24440> anyone know how to get openvpn to drop routes that are not active
12:19 < ecrist> Guest24440: what do you mean?
12:20 < Guest24440> and use it with a dynamic route daemon like zebra to have failover/ load balancing for fix IP range
12:20 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:20 < Guest24440> i want client to keep the same ip but I want it to connect to either server
12:20 < Guest24440> which is easy from the client side
12:21 < Guest24440> but from the server side you have to know which server has the active route to that network
12:22 < Guest24440> someone has to have done this before
12:23 < Guest24440> i believe zebra would advertise the route , but openvpn does not remove it from the route table when not connected .. thus not letting the change flow upstream thru OSPF
12:24 -!- innni2 [n=andre@79-74-126-105.dynamic.dsl.as9105.com] has quit ["Leaving."]
12:26 < ecrist> oh, you again
12:26 < ecrist> didn't I tell you to use tap yesterday?
12:26 * karlpinc thinks that openvpn would be more portable if install-win32/settings.in !define MAKE_JOBS was 1 instead of 2
12:30 < Guest24440> no
12:31 < Guest24440> r u telling me tap will drop routes and tun does not?
12:32 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit ["Coyote finally caught me"]
12:32 < krzie> tap doesnt work on routes
12:32 < krzie> its layer2
12:32 -!- mtoledo` [n=user@c934af3b.virtua.com.br] has joined ##openvpn
12:32 < krzie> works with arp
12:32 < Guest24440> I need layer 3
12:33 < krzie> i believe anything added in a ccd entry is dropped when the client disconnects
12:34 < Guest24440> i have routes for hosts with dedicated ips
12:34 < Guest24440> those routes seem to stay even when the client is not connected
12:35 < Guest24440> http://www.linuxjournal.com/article/9915
12:35 < vpnHelper> Title: Building a Multisourced Infrastructure Using OpenVPN (at www.linuxjournal.com)
12:35 < Guest24440> just found this
12:36 < Guest24440> u too looks like
12:36 < Guest24440> hard to believe that is the only way
12:36 < Guest24440> be nice if openvpn server would just add/remove routes as connects were made
12:36 < Guest24440> sure make this easy
12:36 < krzie> lol
12:37 < Guest24440> or am i off base
12:37 < krzie> would be nice if it would give me a blowjob in the morning too
12:37 < Guest24440> need to make feature request
12:37 < krzie> but in the end its just vpn software
12:37 -!- SpinaL [n=administ@12.177.178.136] has quit ["DMDirc exiting"]
12:37 < Guest24440> not really
12:37 < karlpinc> I'm trying to compile 2.1 rc15 on Windows XP using MinGW 5.1.4 and I get the error "cryptoapi.c:55: error: 'CryptAcquireCertificatePrivateKey' redeclared as a different kind of symbol". It says the previous declaration was at c:/mingw/include/wincrypt.h. Should I be using a different version of mingw or what should I do to resolve this?
12:37 < Guest24440> if it creates routes and knows when clients are connected
12:38 < Guest24440> it seems quite simple and to be the right place to add/remove the routes
12:38 < ecrist> Guest24440: openvpn has some very simplistic routing mechanisms.
12:38 < krzie> i said it should drop stuff it was given via ccd entries on client disconnect
12:40 < krzie> and openvpn's route command is just a hook into the system route command, no more no less, it exists for your convenience only, is very simplistic and , halfway only exists for the fact that diff OS have diff exact commands to add routes
12:40 < krzie> s/ and ,/, and/
12:40 < Guest24440> [root@vpnp1wi1 xxxx ]# cat /etc/openvpn/openvpn-*status.log | grep '172.18.64'
12:40 < Guest24440> [root@vpnp1wi1 xxxx ]# route -n | grep '64'
12:40 < Guest24440> 172.18.64.0 172.18.253.2 255.255.255.0 UG 0 0 0 tun1
12:41 < Guest24440> nope
12:41 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Remote closed the connection]
12:41 * krzie wonders what thats supposed to mean to us =/
12:42 < Guest24440> well still think would be nice
12:42 < krzie> then code it
12:42 < krzie> its open source and welcomes contributions
12:42 < Guest24440> u got a point
12:42 < Guest24440> been a while since wrote anything but good excuse to try
12:42 < krzie> i guarantee nobody would be mad at you for making the patch to do what you want
12:43 < krzie> and theyd even likely say thanx after you mail'ed it to the list
12:43 < Guest24440> downloading code now
12:43 < Guest24440> thanks for the help
12:43 < krzie> right on =]
12:44 < krzie> i look forward to seeing it, if you dont feel like signing up to the list or whatever ild be happy to send it out to public for ya, maybe someone else will like it too
12:44 < krzie> ild say you should make it a ./configure option to enable or not
12:44 < Guest24440> true
12:45 < krzie> since it will change a basic functionality of how ovpn works (using route is very common)
12:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
12:51 -!- Guest24440 [n=Barry_Tr@64.123.245.253] has left ##openvpn []
12:52 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:53 < onats> i just want to share something
12:54 < onats> i now have a mobile router!:D openwrt based alix board, with a bluetooth dongle, connecting to a nokia phone, dialing 3g. now serving internet!:D
12:55 < karlpinc> The problem seems to be that openvpn is declaring the function to work around that MinGW 3.1 is missing the declaration, but now there are 2 different declarations: "static BOOL WINAPI (*CryptAcquireCertificatePrivateKey) (..." in openvpn and "BOOL WINAPI CryptAcquireCertificatePrivateKey(..." in MinGW. What's the best way to resolve this issue? (Frankly, maybe the problem is that gcc shouldn't be complaining at all?) Any suggestions?
12:56 < karlpinc> I'm not sharp in C but don't those declarations mean the same thing?
12:57 < karlpinc> Should I be reporting this to someone who cares?
13:00 < krzie> your problem is you're trying to compile for windows in linux?
13:00 < karlpinc> No. I'm compiling for windows in windows. Following the directions as given in the 2.1 rc15 domake-win32 fle.
13:01 < karlpinc> (file)
13:01 < krzie> ahh
13:01 < krzie> trying to change a config option to save pw's in file?
13:01 < krzie> for pw auth...?
13:01 < karlpinc> krzie (I wish I was compiling for windows in linux.)
13:01 < krzie> you mentioned gcc
13:01 < krzie> i didnt know that existed in win
13:02 < krzie> (ive never compiled source in win)
13:02 < karlpinc> krzie : No. I want my own nsis installer, and I can't get the windows binaries from anywhere. So, I'm compiling.
13:02 < krzie> gotchya
13:02 < krzie> ild help if i could
13:02 < krzie> <-- stopped messing with win a few yrs back
13:02 < karlpinc> krzie : MinGW is a fork of Cygwin, so it can be more windows like.
13:03 < krzie> ahh
13:03 < karlpinc> krzie : I stopped messing with Windows Years ago.
13:04 < krzie> yet here you are ;]
13:04 < karlpinc> krzie : It seems Windows won't go away. :-P
13:05 < krzie> lol yup
13:06 < karlpinc> krzie : Seriously, there's some problem between the 2.1 rc15 and the latest production MinGW and the gcc it ships with. Somebody should care. I think the problem is that OpenVPN no longer needs the duplicate declaration because it's in MinGW already. Easy enough to patch, except I'm on Windows.
13:06 -!- mtoledo` [n=user@c934af3b.virtua.com.br] has quit [Read error: 113 (No route to host)]
13:07 < karlpinc> For the moment I'm going to comment out the duplicate declaration in OpenVPN. But somebody upstream of me should know there's a problem....
13:08 < krzie> i dont think its that nobody cares
13:08 < krzie> i think you need to talk to devs or something maybe
13:08 < krzie> !dev
13:08 < vpnHelper> krzie: Error: "dev" is not a valid command.
13:08 < krzie> hrm
13:08 < krzie> !factoids search dev
13:08 < vpnHelper> krzie: No keys matched that query.
13:08 < krzie> =/
13:08 < krzie> theres a dev maillist
13:08 < krzie> !mail
13:08 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
13:10 < krzie> first link
13:10 < krzie> !learn dev as https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
13:10 < vpnHelper> krzie: Joo got it.
13:11 < karlpinc> I don't suppose I can send them an email without subscribing?
13:11 < krzie> not sure, i know you can to -users
13:11 < krzie> devel is low volume anyways tho
13:11 < karlpinc> krzie: I'll give it a go.
13:24 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
13:25 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
13:33 -!- PacoBell [n=PacoBell@adsl-75-15-133-14.dsl.snlo01.sbcglobal.net] has joined ##openvpn
13:34 < PacoBell> !howto
13:34 < vpnHelper> PacoBell: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:34 < PacoBell> !route
13:34 < vpnHelper> PacoBell: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:35 < PacoBell> !man
13:35 < vpnHelper> PacoBell: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:35 < PacoBell> !/30
13:35 < vpnHelper> PacoBell: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:36 < karlpinc> Alright, now gcc is bitching because the code's assigning a value to something that's not a pointer. Shouldn't openvpn be using a different name for CryptoAcquireCertPrivateKey, so it does not conflict with the win api?
13:39 < krzie> im not sure if anyone here is familiar with compiling from source in windows
13:39 < krzie> but i wont say dont ask, cause ya never know
13:39 < krzie> just saying if you dont get an answer, its not from a lack of people caring
13:42 < karlpinc> I'm thinking it's more of a C question....
13:43 < krzie> i promise it compiles fine on freebsd
13:43 < krzie> 6 7 and 8
13:43 -!- ben1597 [n=ben1597@cs-wlc-136.cs.umn.edu] has quit [Read error: 60 (Operation timed out)]
13:44 < karlpinc> krzie : It's in an #ifdef for windows :P
13:45 < krzie> ahh right, back to the fact that you're compiling from source in windows =]
13:46 < krzie> but it is a very on-topic question of course
13:46 < krzie> so this would be the right place to ask (along with dev mail list i believe)
13:47 < karlpinc> Uh, how do I do a search and replace over a lot of lines in vi?
13:47 < krzie> not sure, i prefer nano, can only do basic stuffs in vi
13:48 < krzie> but i think /string is search
13:48 < krzie> so its prolly /string
13:48 < karlpinc> krzie : I'm an emacs sorta guy.
13:48 < krzie> could possibly just be a regex there
13:48 < krzie> like s/something/replace/
13:49 < PacoBell> :s/search_string/replacement_string/g
13:49 < krzie> ahh werd
13:49 < krzie> i was close =]
13:49 < krzie> missing the :
13:49 < PacoBell> g for global
13:49 < krzie> well ya
13:49 < PacoBell> Be vewwy careful with that one.
13:49 < karlpinc> PacoBell : I thought I tried that and it told me not found. Maybe I mis-typed.
13:49 < PacoBell> Mebee.
13:49 < karlpinc> PacoBell : That will do lots of lines?
13:50 < krzie> a prior grep could help be sure its fine
13:50 < krzie> with the trailing g it will do the whole file
13:50 < karlpinc> PacoBell : I know :q! really well.
13:50 < PacoBell> Supposedly, I just googled the answer. LOL!
13:50 < krzie> and matches
13:50 < krzie> lol PacoBell =]
13:50 < PacoBell> karlpinc: *snicker*
13:50 < krzie> my educated guess was good =]
13:51 < karlpinc> I think it wants a range, whatever the hell that is.
13:51 * karlpinc going to find my vi cheat sheet
13:52 * PacoBell needs his vi cheat sheet burned into his retinas
13:52 < krzie> not i
13:53 < krzie> i only need vi on rare occasions
13:53 < ecrist> vi < vim
13:53 < PacoBell> There are some places that won't let me install anything =(
13:53 < krzie> so knowing d/dd/:w/:q!/:x/o/i/esc is good enough for me
13:54 < PacoBell> Ah, yes, /esc is my happy green place...
13:54 < karlpinc> krzie : No, you also need to know a.
13:55 < krzie> ahh forgot bout a
13:55 < krzie> i have been just using i and moving 1 forward
13:55 < krzie> lol
13:55 < ecrist> krzie: don't forget :%!xxd and :%!xxd -r
13:56 < karlpinc> krzie: Then you can't put anything on the end of a line.
13:56 < krzie> hah i never knew those
13:56 < krzie> karlpinc, sure you can
13:56 < krzie> go to the end, i arrow to the right, type
13:57 < krzie> i is insert, a is append, same shit diff cursor location
13:57 < karlpinc> krzie : Ah, the arrows.
13:57 < krzie> arrows will work once in typing mode
13:57 < karlpinc> krzie : Newfangled stuff.
13:57 < ecrist> krzie: for that, use A instead of a
13:57 < krzie> without taking you out of typing mode
13:57 < krzie> *shrug* how bout i stick to nano ;]
13:58 < ecrist> /mode -o krzie
13:58 < ecrist> nano is for lusers
13:58 < plaerzen> real programmers use ed
13:59 < krzie> im not a programmer
13:59 < krzie> explains that!
13:59 < PacoBell> Oh dear... http://xkcd.com/378/
13:59 < vpnHelper> Title: xkcd - A Webcomic - Real Programmers (at xkcd.com)
13:59 < plaerzen> http://xkcd.com/378/
13:59 < PacoBell> HAH!
13:59 < plaerzen> DAMN
13:59 < plaerzen> too late
13:59 < krzie> LOL
13:59 < krzie> nice
14:00 * PacoBell waves to all the xkcd fans in the room
14:00 * plaerzen waves back.
14:01 < krzie> <3 xkcd
14:01 < PacoBell> "Good ol' C-x M-c M-butterfly"
14:01 < plaerzen> haha
14:02 < plaerzen> I love that strip
14:02 < ecrist> one of my favorites is http://xkcd.com/303/
14:02 < vpnHelper> Title: xkcd - A Webcomic - Compiling (at xkcd.com)
14:03 < ecrist> or 'Bobby Tables'
14:03 < PacoBell> hyuk hyuk!
14:03 < krzie> ya bobby tables is my favorite one!
14:03 < plaerzen> "Did you actually name your son "Bobby drop table students;--" ?
14:04 < krzie> I hope you're happy!
14:04 < plaerzen> "Someone should learn to sanitize their database inputs"
14:04 < PacoBell> Huh, classic.
14:04 < krzie> I hope you learned to properly sanitize db inputs!
14:04 < krzie> or of course the mother hacker who is cooking and rewriting packets on the fly while blocking the vpn etc
14:05 < ecrist> that's a good one, too.
14:05 < plaerzen> yeah, that's a good one too
14:05 < plaerzen> using oven mitts
14:05 < plaerzen> "How do you type in oven mitts?"
14:05 < ecrist> http://xkcd.com/528/
14:05 < vpnHelper> Title: xkcd - A Webcomic - Windows 7 (at xkcd.com)
14:05 < krzie> oooo newer
14:05 < krzie> i need to catchup
14:06 < plaerzen> xkcd and ctrl alt del are the only 2 webcomics I read
14:06 < PacoBell> Ditto. *there goes my productivity for the day*
14:06 < ecrist> questionablecontent.com is a good one.
14:06 < PacoBell> I'm kinda a fan of Real Life Comics, too.
14:06 < ecrist> though Jeph is a bit crazy
14:06 < PacoBell> ecrist: ^5!
14:08 < PacoBell> Wow, I so felt like doing this the other day... http://xkcd.com/562/
14:08 < vpnHelper> Title: xkcd - A Webcomic - Parking (at xkcd.com)
14:08 < ecrist> krzie: you know xkcd comes out three times a week, right?
14:09 < krzie> nah never bothered checking that, i just catchup on huge chunks occasionally
14:09 < krzie> its more fun that way
14:09 < ecrist> ah, I have a bookmark group with XKCD, Cyanide & Happiness and Questionable Content
14:10 < ecrist> xkcd is updated MWF, the other two M-F
14:11 < plaerzen> I thought CH was updated every day ?
14:12 < ecrist> it is.
14:12 < ecrist> well, monday through friday, I think
14:12 < plaerzen> oh right
14:12 < plaerzen> m-f
14:13 < plaerzen> m-f >< mf
14:14 < plaerzen> alright, time to get some food. bbiab
14:18 < ecrist> http://xkcd.com/492/
14:18 < vpnHelper> Title: xkcd - A Webcomic - Scrabble (at xkcd.com)
14:26 < krzie> http://xkcd.com/487/
14:26 < vpnHelper> Title: xkcd - A Webcomic - Numerical Sex Positions (at xkcd.com)
14:26 < krzie> hahahah
14:26 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
14:27 < mmcgrath> When I try to connect to an openvpn service on an aliased interface (eth0:0) I get connection errors.
14:27 < mmcgrath> I'm not quite sure what to do about it
14:28 < mmcgrath> Anyone have any ideas? The specific error I get is...
14:28 < krzie> !configs
14:28 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:29 < mmcgrath> Apr 7 18:14:09 bastion2 openvpn[12117]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
14:29 < mmcgrath> Apr 7 18:14:10 bastion2 openvpn[12117]: read UDPv4 [ECONNREFUSED|EHOSTUNREACH]: No route to host (code=113)
14:29 < mmcgrath> but if I connect to eth0 directly it works fine
14:30 < kraut> mmcgrath: could you please try tcp instead of udp?
14:30 < kraut> (on both sides!)
14:31 < krzie> or check firewall rules
14:31 < mmcgrath> kraut: sure, one sec getting configs in order as well.
14:31 < krzie> udp > tcp whenever possible
14:31 < mmcgrath> http://pastebin.ca/1385187
14:32 < mmcgrath> I'm assuming this is packets coming in eth0:0's IP via udp and out via eth0's IP via udp causing the confusion
14:32 < krzie> ahh right
14:32 < krzie> sure could be
14:32 < kraut> erm no!
14:33 < kraut> there is a special error message for that situation!
14:33 < krzie> oh right
14:33 < kraut> "no route to host" is another problem i think
14:33 < krzie> get a MULTI error when its that
14:34 * mmcgrath verifies iptables isn't the problem first
14:34 < krzie> hey mmcgrath is 192.168.0.0 already a lan subnet on either client or server?
14:35 < krzie> oh god using /16
14:35 * ecrist guesses it is
14:35 < krzie> LOL
14:35 < mmcgrath> kraut: nope, just for the vpn we have, and it's a non-routed vpn for what that's worth.
14:35 < krzie> dude, dont do that!
14:35 < ecrist> !1918
14:35 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
14:35 < krzie> you cant have a single client in 192.168.x.x with this config
14:35 < ecrist> pick another from our bucket o' IPs!
14:35 < krzie> (or the server)
14:35 < krzie> thats the worst server statement i ever seen
14:36 < mmcgrath> kraut: it was for better organization of the IP's we have so we can separate them out later. We're still at step one of a multi step process :)
14:36 < krzie> pls do change it =]
14:36 < ecrist> your kids will hate you
14:36 < krzie> yes, butterflies are furiously flapping their wings at you over this
14:36 < kraut> what is he doing?
14:36 < kraut> missed the point
14:36 < krzie> #
14:36 < krzie> server 192.168.0.0 255.255.0.0
14:36 < kraut> ah, /16 rape
14:36 < mmcgrath> naw, this vpn setup is for a group of servers geographically spread around. not for end users.
14:37 < krzie> mmcgrath can you guarantee that neither server nor ANY clients will be on a 192.168.x.x?
14:37 < krzie> and will you really have so many clients that you need a /16?
14:37 < mmcgrath> yeah, we can. otherwise I wouldn't have used it :)
14:37 < mmcgrath> no but like I said, step one of a multi step process.
14:37 < ecrist> mmcgrath: do you have 16,382 vpn clients?
14:38 < krzie> with !topology you get 254 ips per /24
14:38 < mmcgrath> right now all servers need access to all other servers, we're working to be in a setup where that's not the case.
14:38 < krzie> !route
14:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:38 < krzie> thats how you give all lans access to eachother
14:38 < krzie> also, you really dont want that server statement
14:38 < krzie> it makes babies cry
14:38 < kraut> mmcgrath: erm, a /16 won't work!
14:38 < mmcgrath> I really do understand what having a /16 does, I really do know why I picked it. Thanks for the warning though.
14:39 < krzie> you dont wanna make babies cry do you?
14:39 < mmcgrath> kraut: uhh, and yet it does.
14:39 < kraut> and it's totally stupid to use such a huge net!
14:39 < krzie> mmcgrath, oh wasnt aware you werent having any problems, ignore us then
14:39 < kraut> mmcgrath: ever thought about broadcasts?
14:39 < ecrist> LOUD NOISES!
14:39 < mmcgrath> kraut: yes, so lets say I sent a broadcast to the /16.
14:39 < mmcgrath> and only 100 nodes are on the network.
14:39 < krzie> I DONT KNOW WHY WE'RE YELLING
14:39 < krzie> lol
14:39 < kraut> lemmy in your net, i'll storm your broadcast and you'll have fun
14:39 < mmcgrath> tell me, at the network layer, how that's different.
14:39 < mmcgrath> seriously.
14:40 < mmcgrath> keep in mind that earlier I mentioned it's a non-routed net.
14:40 < kraut> uhmm
14:40 < mmcgrath> how many more bits get broadcast?
14:40 < mmcgrath> 0
14:40 < ecrist> 'do you want to come to my pants party?
14:40 < krzie> before you get past a /24 with topology subnet you will need another server to handle the additional connections anyways more than likely
14:40 < ecrist> mmcgrath: check your firewall for issues, otherwise it's probably a kernel routing bug
14:43 < krzie> also you're aware that you only need 1 machine at each location connecting to the server, right?
14:43 < krzie> i mean shit, you have over 254 locations, and arent using cisco?
14:44 < mmcgrath> ecrist: bummer not the firewall.
14:44 < mmcgrath> this is RHEL5.3 BTW, not sure I mentioned that.
14:45 < mmcgrath> it is quite strange though, I switch back to eth0 and it all works just fine, switch it to eth0:0 and get nothing but failures.
14:45 < ecrist> mmcgrath: what version of OpenVPN, and why such an old version of linux?
14:45 < ecrist> why are you running it on an alias?
14:46 < mmcgrath> ecrist: when you say kernel routing bug, in theory would I not be seeing that from machines on a LAN?
14:46 < mmcgrath> ecrist: RHEL5.3 came out about 4 months ago.
14:46 < mmcgrath> I'm running on an alias to try to use a heartbeat aliased IP.
14:47 < mmcgrath> This is the first UDP service I've done that with. I'm going to test tcp in a bit.
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:49 < ecrist> I'm confusing RHEL with Fedora
14:50 < mmcgrath> it's openvpn-2.1
14:50 < ecrist> rc?
14:50 < ecrist> or are you the first with the release? ;)
14:50 < krzie> if so i missed an announcement
14:50 < krzie> and need to do a series of upgrades
14:51 < mmcgrath> The full tag is 2.1-0.29.rc15.el5
14:51 * mmcgrath isn't the packager. just grabbed it from EPEL.
14:51 < krzie> ahh good rc15 is latest
14:51 < krzie> not sure what 1-0.29 refers to
14:51 < krzie> but 2.1-rc15 is latest
14:52 -!- SpaceBas1 [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn
14:52 < SpaceBas1> hey folks
14:52 < ecrist> hey SpaceBas1.
14:52 < SpaceBas1> I can establish my tunnel but DNS seems to only resolve for internal addresses - ie I can ping machine1.local but not google.com
14:53 < krzie> i take it you're using redirect-gateway
14:54 < krzie> is it only dns, or can you not ping by ip either?
14:54 * ecrist goes home.
14:54 < krzie> are you pushing dns?
14:54 < krzie> basically, give us more info
14:55 < SpaceBas1> trying IP now
14:55 < SpaceBas1> yes, doing a redirect-gateway
14:55 < SpaceBas1> ok, fixed one issue - DNS server was not set to respond to the openvpn subnet
14:55 < SpaceBas1> so now its returning the query, but the ping fails outside of the local network
14:56 < krzie> using NAT?
14:56 < krzie> what OS?
14:57 < SpaceBas1> krzie: client is OSX, server is BSD (PFsense) - there is NAT on the PFsense box
14:57 < SpaceBas1> and now that you say that, let me check for outbound nat
14:58 < SpaceBas1> bingo!
14:58 < SpaceBas1> glad you said that, thanks!
14:58 < krzie> you must nat the vpn ips
14:58 < krzie> np
14:58 < SpaceBas1> been doing dev tap with a bridge so this hasn't been an issue - recent PFsense upgrade left me without tap option :(
14:59 < krzie> welp, better for you!
14:59 < krzie> !tunortap
14:59 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
15:00 < SpaceBas1> but I love me some layer 2 goodness
15:00 < SpaceBas1> like kerberos auth and mDNS
15:07 < mmcgrath> ecrist: FWIW, it works fine with proto tcp, breaks with proto udp.
15:07 < SpaceBas1> I was doing tap with udp - was working great
15:07 < krzie> interesting... howd you know kraut?
15:08 < kraut> wth?
15:08 < krzie> ecrist: FWIW, it works fine with proto tcp, breaks with proto udp.
15:08 < kraut> krzie: i had exactly the same issue a few days ago
15:08 < krzie> that was your suggestion
15:08 < krzie> ahh
15:08 < kraut> krzee: thought it was an issue with avm dsld
15:08 < krzie> !tcp
15:08 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:09 < krzie> heres something to know before sticking with tcp
15:09 < kraut> didn't have time to investigate that
15:09 < krzie> or at least to know when you run into tcp issues
15:09 < mmcgrath> yeah I don't want to use tcp, but udp is failing for me.
15:09 < kraut> udp would be better, cause you don't have any flow problems
15:20 < mmcgrath> Ah, seems I just needed to add "local aliasedip" to the openvpn config.
15:20 < mmcgrath> working great now on udp too.
15:21 < krzie> hrm no shit
15:21 < krzie> !man
15:21 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:21 * krzie looks
15:21 < krzie> --local host
15:21 < krzie> Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
15:22 < krzie> hrm aliasedip doesnt appear anywhere in the manual
15:22 < krzie> you find that in the source?
15:22 < mmcgrath> well for me it was:
15:22 < mmcgrath> local 10.8.34.50
15:22 < krzie> ohhhh, lol
15:22 < mmcgrath> :)
15:23 < krzie> gotchya, interesting it only worked when binding specifically to that ip, will remember that for the next guy
16:14 -!- rfxr [n=rfxr@adsl-67-126-192-10.dsl.chic01.pacbell.net] has joined ##openvpn
16:16 < rfxr> Help please? :-) Do I need to use bridge mode in order to route from server to client LAN? I can ping from client LAN to server LAN but cannot ping from server to client LAN.
16:16 < krzie> no
16:16 < krzie> you need to read and understand this:
16:16 < krzie> !route
16:16 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:17 < rfxr> thank you
16:17 < krzie> yw
16:17 < rfxr> was looking for that :-)
16:18 < krzie> =]
16:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:28 -!- SpaceBas1 [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Lost terminal"]
16:33 < rfxr> kraut, SUCCESS! Thank you very very much ;)
16:33 < rfxr> oops
16:33 < rfxr> krzie, SUCCESS! Thank you very very much ;)
16:33 < krzie> glad it helped =]
16:33 < rfxr> :-)
16:33 < rfxr> been fighting with routes for an hour ;)
16:33 < krzie> very commonly requested info, spent some good time on that writeup
16:34 < krzie> but it saves me tons more time on helping people =]
16:34 < rfxr> if they will read it anyway ;)
16:34 -!- mtoledo` [n=user@189.102.205.95] has joined ##openvpn
16:34 < krzie> lol ya
16:35 < kraut> rfxr: any thanks to me are welcome ;)
16:35 < rfxr> kraut, ok :-)
16:36 < krzie> lol
16:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:19 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn
17:19 < SpaceBass> hey folks - back at it, trying to get a site-to-site tunnel working
17:19 < SpaceBass> keep getting this on the server: TLS Error: Unroutable control packet received from
17:33 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has left ##openvpn []
17:39 -!- rfxr [n=rfxr@adsl-67-126-192-10.dsl.chic01.pacbell.net] has left ##openvpn ["Leaving"]
17:39 < SpaceBass> now getting this error: (si=3 op=P_ACK_V1)
17:39 < krzie> !configs
17:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:39 < krzie> !logs
17:39 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
17:40 < SpaceBass> server log - http://pastebin.ca/1385427
17:41 < SpaceBass> client log - http://pastebin.ca/1385428
17:41 < krzie> those arent verb 6
17:42 < SpaceBass> unfortunately they are all I have access to with these endpoints
17:42 < krzie> you dont control the machines?
17:43 < SpaceBass> I do - and I'm sure at some point on this PFsense box I could get below their xml logging layer to the raw logs, but its going to take some forum posting to get at it
17:44 < krzie> well can you at least egt the raw configs?
17:44 < krzie> get
17:44 < krzie> cause if not theres no helping you
17:44 < SpaceBass> again, not easily - but I'll try
17:44 < SpaceBass> the concern there is that I cannot edit them even if I do find them
17:44 < SpaceBass> the web gui will overwrite them
17:44 < krzie> sucks for you i guess
17:45 -!- PacoBell [n=PacoBell@adsl-75-15-133-14.dsl.snlo01.sbcglobal.net] has left ##openvpn []
17:45 < SpaceBass> clearly
17:45 < krzie> i dont use any of those web gui's, cant help ya with that
17:45 < krzie> i do use openvpn, and will happily try to help with that
17:45 < SpaceBass> thats the challenge with these things - as soon as you apply any kind of interface things start to break down
17:46 < krzie> well
17:47 < krzie> ild say when the interface overwrites manual changes its lame
17:47 < krzie> there should at least be a sync command where the interface learns the new edits
17:47 < krzie> a web ui is one thing, enforcing that it MUST be used is another
17:48 < SpaceBass> I'd agree with that
17:48 < krzie> i see nothing wrong with a nice web ui, i personally choose not to use them, but to each their own... but it should be optional when used
17:54 < karlpinc> I'm _still_ trying to compile 2.1 rc15 on windows. Something is really borked (and it's windows). Bad things happen at random. I get segfaults, I get messages telling me that m4 1.4 or later is needed but m4 --version says version 1.4 is installed, and so forth. What should I try?
17:55 < krzie> karl, posting to the dev mail list =]
17:55 * krzie swears hes said that
17:55 < SpaceBass> progress...
17:55 < SpaceBass> client conf - http://pastebin.ca/1385436
17:56 < SpaceBass> server conf - http://pastebin.ca/1385438
17:56 < krzie> neither of those are a client or server
17:56 < krzie> its ptp mode
17:57 < SpaceBass> isn't that what I want for a site-to-site tunnel?
17:57 < krzie> sure
17:57 < krzie> but theres still no client or server
17:57 < krzie> ;]
17:58 < krzie> post /etc/rc.filter_configure
17:58 < krzie> comment #
17:59 < krzie> tls-server
18:00 < krzie> from what you called the server
18:00 < SpaceBass> trying to follow ...
18:00 < krzie> pastebin /etc/rc.filter_configure
18:00 < krzie> and comment tls-server
18:00 < SpaceBass> no such file - not sure if thats a BSD thing or a PFsense thing
18:00 < krzie> from server2.conf
18:00 < krzie> #
18:00 < krzie> up /etc/rc.filter_configure
18:00 < krzie> #
18:00 < krzie> down /etc/rc.filter_configure
18:00 < krzie> its your openvpn config thing
18:01 < krzie> (this is why gui's shouldnt setup configs)
18:01 < karlpinc> !devs
18:01 < vpnHelper> karlpinc: Error: "devs" is not a valid command.
18:01 < krzie> !dev
18:01 < vpnHelper> krzie: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
18:01 < karlpinc> krzie : Actually, I was hoping for the archives.
18:02 < SpaceBass> ok... I see what you are saying
18:02 < krzie> karlpinc
18:02 < krzie> !mail
18:02 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
18:02 < SpaceBass> comment out the up; down; tls-server lines ?
18:02 < krzie> thats user archives, im sure you can find dev archive there too
18:03 < krzie> SpaceBass if the up script doesnt exist, go ahead and comment it
18:03 < krzie> but your log doesnt complain that it doesnt exist
18:03 < krzie> making me think its gotta be there
18:03 < SpaceBass> it is, I was mistaken
18:03 < krzie> oh actually it might be complaining
18:03 < krzie> well then pastebin it!
18:04 < krzie> also your version of openvpn is very old
18:04 < SpaceBass> http://pastebin.ca/1385442
18:04 < krzie> 2.0.6 is quite a few yrs back
18:04 < krzie> 2.0.9 is latest stable and is like 4 yrs old i think
18:04 < krzie> we all use 2.1rc15 now-a-days
18:05 < SpaceBass> i'll submit a request on that one - not sure why they are using something so old
18:06 < krzie> so just comment tls-server and give it a try
18:06 < onats> morning!:D
18:07 < krzie> also comment the push route
18:07 < krzie> as it cant be used
18:07 < SpaceBass> krzie, thanks for the help, its been an education for me :D
18:08 < SpaceBass> indeed the web gui is overwriting it, but at least now I have the education to submit a bug report
18:08 < krzie> not in a ptp setup without pull, besides you have the route added at the bottom of the other side anyways
18:08 < krzie> just start it from commandline
18:08 < krzie> yanno, the normal way
18:09 < krzie> do your testing and see if you can get it up
18:09 < krzie> then worry bout your gui knowing what you need to change
18:09 < SpaceBass> good idea
18:09 < SpaceBass> openvpn[13104]: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
18:10 < krzie> lol i didnt see that part
18:10 < krzie> you have 1 side setup for ptp mode
18:10 < krzie> other side setup for client/server mode (half way)
18:10 < SpaceBass> and the other for remote access?
18:10 < krzie> must remove ca cert and dh
18:10 < SpaceBass> interesting...
18:10 < krzie> and other side needs the exact same key
18:10 < krzie> key file
18:11 < krzie> and a reference to it in the config
18:12 < krzie> if they're gunna give you something as complicated as openvpn to setup in web gui, they should give you the chance to edit the file raw from the gui
18:12 < krzie> thats what your ticket should tell them
18:12 < krzie> openvpn has sooooo many config options
18:12 < SpaceBass> it sure does :d
18:12 < krzie> no web gui could handle it all and make any sense
18:13 < SpaceBass> and I've configured it by hand on the client site before in a road warrior setup and would agree that it might actually be easier to do that way
18:13 < krzie> might?
18:13 < krzie> shiiiet
18:13 < krzie> its the only way
18:13 < SpaceBass> baby steps for me - admitting I have a problem is the first step
18:13 < SpaceBass> (and right now the gui is my problem)
18:13 < krzie> lol
18:14 < krzie> #
18:14 < krzie> ca /var/etc/openvpn/server2.ca
18:14 < krzie> #
18:14 < krzie> cert /var/etc/openvpn/server2.cert
18:14 < krzie> #
18:14 < krzie> key /var/etc/openvpn/server2.key
18:14 < krzie> #
18:14 < krzie> dh /etc/dh-parameters.1024
18:14 < krzie> only keep the key entry
18:14 < krzie> the rest go byebye
18:14 < krzie> then you copy that keyfile to the other box
18:14 < krzie> and make an entry for it there too
18:14 < krzie> although i think it gets a diff option now, lemme check
18:14 < krzie> !man
18:14 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:15 < krzie> ya, use secret
18:16 < krzie> make sure to copy the file using a secure connection like sftp
18:16 < krzie> as its your only security on this setup
18:16 < krzie> the better way is to make a client/server setup
18:16 < krzie> better as far as security at least
18:16 < SpaceBass> connected via ssh tunnel currently
18:17 < krzie> but shit you're almost there anyways
18:17 < krzie> and actually
18:17 < krzie> forget about that key file
18:17 < krzie> generate the secret like this
18:17 < krzie> openvpn [ --genkey ] [ --secret file ]
18:17 < SpaceBass> actually, got the key files in place
18:17 < krzie> openvpn --genkey --secret
18:17 < krzie> ya but thats a keyfile for a cert
18:18 < krzie> might be better to make a keyfile that was meant to be a pre-shared key
18:18 < krzie> it'll work like this, but could possibly be less secure
18:18 < krzie> (im not sure, so lets do what the docs say)
18:18 < SpaceBass> is that why I get this: openvpn[45701]: Options error: Parameter priv_key_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
18:18 < krzie> you still have it in as key
18:19 < krzie> needs to be secret
18:19 < krzie> the entry key is for server/client
18:19 < SpaceBass> gotcha
18:19 < krzie> the entry secret is for ptp preshared-key
18:19 < krzie> regenerate it with the command i gave you
18:19 < krzie> copy it over
18:19 < krzie> and use secret
18:20 < krzie> on both sides
18:20 < SpaceBass> got it
18:20 < SpaceBass> copying now
18:23 < SpaceBass> ok...progress
18:24 < SpaceBass> ran openvpn ../../../server2.conf on Box A and got:
18:24 < SpaceBass> route: writing to routing socket: File exists
18:24 < SpaceBass> add net 10.1.1.0: gateway 10.250.1.2: route already in table
18:25 < krzie> repaste your configs
18:25 < krzie> and also
18:25 < krzie> !interface
18:25 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
18:25 < SpaceBass> one sec
18:25 < SpaceBass> btw - I really appreciate your help. Know your time is valuable but its been a real education for me
18:26 < krzie> yw
18:26 < krzie> its only slightly slowing down my first install of zabbix =]
18:27 < SpaceBass> remote conf - http://pastebin.ca/1385455
18:27 < SpaceBass> local conf - http://pastebin.ca/1385456
18:27 < SpaceBass> secrets are the same
18:28 < krzie> yup you woulda never gotten to route otherwise
18:28 < SpaceBass> local ifconfig - http://pastebin.ca/1385457
18:28 < SpaceBass> remote ifconfig - http://pastebin.ca/1385458
18:28 < krzie> you didnt comment the push route
18:29 < krzie> from local
18:29 < krzie> you cant push in your setup
18:29 < SpaceBass> drat - doing it now
18:29 < krzie> in fact you have a push to comment in both
18:30 < SpaceBass> done
18:30 < krzie> local has 2 openvpn's running, you're aware of that?
18:30 < SpaceBass> yes
18:30 < SpaceBass> the other is for road warriors and its working
18:30 < krzie> here do this for me
18:31 < krzie> i want 1 pastebin for local and 1 for remote
18:31 < krzie> with config, ifconfig, and routing table
18:31 < SpaceBass> k
18:31 < krzie> otherwise you're gunna have me with 6 pastebins
18:31 < krzie> comment the push's first
18:31 < krzie> and let me know it still has the error
18:31 < krzie> (after restarting both)
18:32 < SpaceBass> remote - http://pastebin.ca/1385463
18:32 < krzie> and which side gets the error?
18:33 < SpaceBass> local http://pastebin.ca/1385465
18:33 < SpaceBass> just executed openvpn again on both sides - neither errored
18:33 < SpaceBass> checking logs now
18:33 < SpaceBass> remote - openvpn[10091]: MANAGEMENT: Cannot bind TCP socket on 127.0.0.1:1194: Address already in use (errno=48)
18:34 < SpaceBass> same on the local
18:34 < krzie> prolly same address/port as your first install
18:34 < SpaceBass> the ports are unique
18:34 < SpaceBass> road warrior setup uses 4405
18:35 < krzie> then its already running
18:35 < krzie> ps auxw|grep openvpn
18:35 -!- cmb [n=cmb@pfsense/coreteam/cmb] has joined ##openvpn
18:35 < SpaceBass> here's a kink - which I totally forgot about... the remote box is behind another router, so its WAN IP is a bogon (the other router doesnt block anything and it has a static public IP)
18:36 < krzie> also i see you're trying to route 10.1.1.0/24 over the vpn
18:36 < krzie> but it seems you already have that route locally on both sides
18:37 < SpaceBass> ok, killed the orphaned processes on both sides
18:37 < SpaceBass> suspect thats why the route was present
18:37 < SpaceBass> relaunch openvpn on both sides
18:38 < SpaceBass> remote: # openvpn ./server2.conf
18:38 < SpaceBass> route: writing to routing socket: File exists
18:38 < SpaceBass> add net 10.1.1.0: gateway 10.250.1.2: route already in table
18:38 < krzie> ya no kidding
18:38 < krzie> theres already a 10.1.1.0 network local to it
18:39 < SpaceBass> see that now
18:39 < krzie> hrm wait no maybe not
18:39 < krzie> redo that pastebin
18:39 < krzie> i want routing table BEFORE AND AFTER starting openvpn
18:40 < krzie> so kill openvpn, paste routing table, start it, paste routing table after full connection made
18:40 < SpaceBass> going to bounce that remote box
18:40 < krzie> make sure the only openvpn process running is the road warrior one that should not conflict with that at all
18:40 < krzie> bounce?
18:40 < SpaceBass> reboot
18:40 < krzie> ok
18:41 < SpaceBass> meanwhile on the local box:
18:41 < SpaceBass> # openvpn ./server1.conf
18:41 < SpaceBass> add net 10.1.5.0: gateway 10.250.1.2
18:41 < SpaceBass> #
18:43 < SpaceBass> when I see that add net line, is that info only "?
18:43 < krzie> right
18:43 < krzie> no error should mean it added the route
18:44 < SpaceBass> cool
18:44 < SpaceBass> also, here is local conf again, where is the line that tells it the IP of the remote machine? http://pastebin.ca/1385474
18:45 < krzie> there isnt one, the other machine connects to this one
18:45 < krzie> although either or both can have remote entries
18:45 < SpaceBass> gotcha
18:46 < krzie> err wait
18:46 < SpaceBass> something's wrong on that end - gotta make a call
18:46 < krzie> either im blind or NEITHER have remote entries
18:46 < SpaceBass> thats what I was getting at
18:46 < krzie> as in neither is connecting to anything
18:46 < krzie> lol
18:46 < krzie> thats just remote
18:47 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn
18:47 < HardDisk_WP> heya all
18:48 < HardDisk_WP> I have a small server sitting at home, and a laptop I use often with public WLANs
18:48 < krzie> whoa, a wikipedia spoof
18:48 < krzie> cool
18:48 < HardDisk_WP> I now want to use the small server at home (Debian Testing, NAT port forwarding is possible) to act as an internet gateway
18:49 < HardDisk_WP> so that no one can spoof data I send
18:49 < krzie> then you need:
18:49 < krzie> !def1
18:49 < HardDisk_WP> but, as a friend of mine has an iPod touch and also wants to use it
18:49 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:49 < krzie> !linnat
18:49 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:49 < krzie> !linipforward
18:49 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
18:49 < HardDisk_WP> can I make the VPN password-based?
18:49 < krzie> ipod doesnt have tuntap drivers, he cant use it
18:49 < HardDisk_WP> ah, ok.
18:49 < krzie> no matter what you do, until it has tuntap drivers hes SOL
18:50 < krzie> in fact i make a plea to the world in a script i wrote to make tuntap drivers
18:50 < krzie> !google krzee iodine
18:50 < vpnHelper> krzie: TipsAndTricks - iodine: ; #!/bin/sh ...: ; IP-over-DNS - Mac Forums:
18:50 < HardDisk_WP> i thought the ipods have some VPN capab, or is it another VPN technology they can?
18:50 < krzie> link #2 i make my plea
18:50 < krzie> they support pptp and ipsec
18:50 < krzie> !notcompat
18:50 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
18:51 < HardDisk_WP> Ah.
18:51 < HardDisk_WP> krzie, is this script what I think it is??
18:51 < HardDisk_WP> DNS tunneling using OpenVPN?
18:51 < krzie> lol, likely
18:51 < krzie> no
18:51 < krzie> using iodine
18:51 < krzie> its for automating the setup of routes for iodine
18:52 < krzie> since its a PITA to do manually every time
18:52 < HardDisk_WP> "iodine lets you tunnel IPv4 data through a DNS server"
18:52 < HardDisk_WP> WOW.
18:52 < krzie> correct =]
18:52 < krzie> not good for fastness, but nice for those spots you can get dns but no inet
18:52 < HardDisk_WP> like our McDonald's. :D
18:52 < HardDisk_WP> Sounds cool, indeed.
18:53 < krzie> aye
18:54 < krzie> and you'll enjoy my script if you use it (i hope)
18:54 < HardDisk_WP> they kicked me out of #linux in efnet two months ago as I asked for help with setting up some other dnstunnel solution, lol
18:54 < krzie> and if someone gets tuntap working on iphone, please make me aware, im always here
18:54 < krzie> nstx?
18:55 < HardDisk_WP> no idea who it was... apparently they do not like anything POSSIBLY related to hacking over there^^
18:55 < krzie> thats efnet
18:55 < krzie> (i been there since 94)
18:59 < krzie> i once got banned from #freebsdhelp for not talking for too long
18:59 < krzie> lol
18:59 < krzie> (efnet)
18:59 < krzie> all i could even say was "really?"
19:00 < HardDisk_WP> lol
19:00 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
19:00 < HardDisk_WP> krzie, query please? i dont want to reveal the pastebin with my network details that public
19:00 < krzie> and tunneling over dns is NOT hacking
19:01 < krzie> they allow a service, you use it as you feel suits you
19:01 < HardDisk_WP> I mentioned the fucking McDonald's hotspot, maybe because of this...
19:01 < krzie> you dont break any security, dont crack anything, etc
19:01 < HardDisk_WP> exactly
19:01 < krzie> sure you can msg the pastebin if youd rather take the chance that others cant help you
19:01 < HardDisk_WP> mh ok^^
19:01 < HardDisk_WP> http://pastebin.com/d18f989ac
19:01 < krzie> (theres often others here that find a solution when i dont)
19:02 < HardDisk_WP> contains some quick schema of everything I got available
19:02 < krzie> oh we're talking bout the dns tunnel now?
19:02 < krzie> you dont want openvpn over the dns tunnel
19:02 < HardDisk_WP> btw, does openvpn support IPv6? It'd be really cool to access IPv6 stuff also... 192.168.1.9 is acting as a SIXXS relay also
19:02 < HardDisk_WP> both
19:02 < krzie> dns tunnel is a terrible connection already, to tunnel over that tunnel you will have a SHITTY experience
19:03 < HardDisk_WP> i wanna have both OpenVPN and dnstunnel, if possible. the first for public WiFis, the dnstunnel for mcdonalds
19:03 < krzie> you'll be tunneling tcp over udp + encryption over udp dns
19:03 < krzie> the iodine docs will easily get you going with iodine
19:03 < krzie> lets separate those 2 setups
19:03 < HardDisk_WP> yep, thats what I thought.
19:04 < krzie> ill help with openvpn, use iodine docs for iodine, its simple
19:04 < HardDisk_WP> OpenVPN via DNStunnel, I think this is overkill =)
19:04 < HardDisk_WP> kk, so let's start w/ openvpn :)
19:04 < krzie> not only overkill, it will be a terrible connection
19:04 < krzie> ok
19:04 < HardDisk_WP> package is installed already
19:04 < krzie> !sample
19:04 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
19:04 < krzie> !linnat
19:04 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:04 < krzie> !linipforward
19:05 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
19:05 < krzie> !def1
19:05 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:05 < krzie> thats everything you need to know
19:05 < krzie> heres a sweet tool for managing your ssl certs
19:05 < krzie> !ssl-admin
19:05 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
19:05 < HardDisk_WP> ok. what about the keys?
19:06 < krzie> openvpn docs will walk you through easy-rsa if you want, personally i dont like easy-rsa
19:06 < krzie> neither does ecrist, so he made ssl-admin
19:06 < krzie> which i must say rocks
19:06 < HardDisk_WP> it's not in debian, I fear? ;)
19:06 < krzie> svn
19:06 < krzie> subversion
19:06 < HardDisk_WP> kk
19:07 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
19:07 < HardDisk_WP> what's the checkout URL? https://www.secure-computing.net/svn/trunk/ssl-admin/
19:07 < vpnHelper> Title: svn - Revision 43: /trunk/ssl-admin (at www.secure-computing.net)
19:07 < HardDisk_WP> ?
19:07 < krzie> !ssl-admin
19:07 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
19:07 < krzie> #2
19:07 < krzie> ya prolly better one you psated
19:07 < krzie> pasted
19:07 < HardDisk_WP> kk thanks
19:07 < krzie> np
19:08 < krzie> so what do you do with wikipedia?
19:08 < krzie> <3 the wikipedia
19:09 < HardDisk_WP> I operate a popular IRC bot (shoulda be in >30 channels, I dunno exactly) for lots of wikipedia channels, and have over 13k edits in something like 4 years
19:09 < krzie> btw for dns tunnel you need 2 machines on the inet, 1 running a real NS and 1 running a fake one (iodined)
19:09 < krzie> ahh sweet
19:09 < krzie> like my bot in here?
19:10 < krzie> or hooked into wikipedia
19:10 < HardDisk_WP> vpnHelper is yours?
19:10 < vpnHelper> HardDisk_WP: Error: "is" is not a valid command.
19:10 < krzie> ya
19:10 < HardDisk_WP> nice :)
19:10 < krzie> | vpnHelper (i=vpn@unaffiliated/krzee/bot/vpnhelper) (unknown)
19:10 < HardDisk_WP> krzee, the IRC bot is only wikipedia-related, similar to your one. I did run a "real" wikipedia bot, though.
19:10 < krzie> coolness
19:11 < HardDisk_WP> .oO( and every one of these bots is entirely php-written... I musta be insane. )
19:12 < krzie> you wrote them?
19:12 < krzie> mine just uses supybot (python)
19:14 < HardDisk_WP> I didn't write the IRC backend itself, I used the SmartIRC framework. But all the module code is from me... check it out : /msg unilinky help
19:15 < krzie> ahh werd
19:24 < HardDisk_WP> LXMUKS01:/static/ssl-admin# ./ssl-admin
19:24 < HardDisk_WP> Syntax error in ~~~ETCDIR~~~/ssl-admin/ssl-admin.conf
19:25 < krzie> grr
19:25 < krzie> did you ./configure?
19:26 < HardDisk_WP> yep...
19:27 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn
19:27 < qknight> hi
19:27 < HardDisk_WP> Ah.
19:27 < HardDisk_WP> I didn't make install :p
19:28 < qknight> i would like to connect two networks behind nat (the linux servers i want to use to connect both networks are not the routers)
19:28 < qknight> how would i do that?
19:28 < HardDisk_WP> krzie, do you have write access to the repo? the makefile assumes it runs on mac os x and so the "wheel" group is present
19:31 < HardDisk_WP> and what is the $ENV{'KEY_CN'} = "";
19:31 < HardDisk_WP> for?
19:32 < SpaceBass> krzie, minor crisis averted - had a huge routing problem when I rebooted the remote box
19:34 < krzie> prolly common-name
19:34 < krzie> i do have write access
19:34 < krzie> if you wanna fix the makefile it would be cool =]
19:34 < krzie> i made configure and edited the makefile to make it work on linux best i could
19:34 < krzie> but im no coder
19:34 < krzie> just a scripter
19:35 < krzie> doesnt linux have wheel group...?
19:37 < HardDisk_WP> apparently not, it fucked up here. maybe it's debian specific
19:38 < krzie> odd, i tested it in ubuntu
19:38 < krzie> which is based on debian i believe
19:39 < HardDisk_WP> ubuntu is based on debian, nothing more^^
19:40 < qknight> s/based/derived/
19:41 < HardDisk_WP> krzie, http://pastebin.com/m758b0b8a line 43 :X
19:42 < krzie> gotchya
19:43 < krzie> hrm, prog
19:44 < krzie> odd, is the prog dir there?
19:44 < HardDisk_WP> yes
19:44 < krzie> are you root?
19:44 < krzie> if not, do you have perms to write there?
19:45 < krzie> index.txt should be a file you would be making
19:45 < HardDisk_WP> i am root
19:49 < krzie> hrm
19:49 < krzie> i wonder why you cant make the file then
19:49 < krzie> any file exist there?
19:52 < HardDisk_WP> mnslu:/etc/ssl-admin# ls prog/
19:52 < HardDisk_WP> crl.pem index.txt index.txt.attr install serial
19:57 < krzie> ls -la that dir
19:59 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
19:59 < HardDisk_WP> krzie, http://pastebin.com/m6d3d32b7
20:00 < karlpinc> krzie: Agonized screaming email sent to dev list. Well, agonized anyway.
20:00 < SpaceBass> progress krzie
20:00 < SpaceBass> remote - http://pastebin.ca/1385540
20:01 < krzie> HardDisk_WP, and /etc/ssl-admin has o+rx?
20:01 < krzie> err 7xx rather
20:02 < HardDisk_WP> drwxr-xr-x 7 root root 4.0K Apr 8 02:40 .
20:02 < HardDisk_WP> (run in /etc/ssl-admin)
20:05 < krzie> hrmz
20:05 < krzie> whoami
20:06 < krzie> (i know you said you're root, and smart enough that i shouldnt even need that)
20:06 < krzie> but i have no clue what else would stop that from being written
20:07 < HardDisk_WP> mnslu:/etc/ssl-admin# whoami
20:07 < HardDisk_WP> root
20:07 < HardDisk_WP> mnslu:/etc/ssl-admin# id -a
20:07 < HardDisk_WP> uid=0(root) gid=0(root) groups=0(root)
20:10 < HardDisk_WP> krzie, manually editing the file works
20:10 < HardDisk_WP> oh, of course
20:10 < HardDisk_WP> #
20:10 < HardDisk_WP> #
20:10 < HardDisk_WP> 1986:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/ssl-admin/prog/index.txt','r')
20:10 < HardDisk_WP> it's opened for *read*, not write.
20:10 < HardDisk_WP> maybe ssl-admin creates it automatically, when closing
20:10 < HardDisk_WP> which would explain its existence after quitting ssl-admin
20:11 < krzie> ecrist would know best
20:12 < HardDisk_WP> do you know when he's online?
20:12 < ecrist> I know nothing
20:12 < ecrist> what?
20:13 < krzie> ssl-admin woes 20:13 < krzie> debian 20:14 < ecrist> ack, use a real OS, like freebsd. :) 20:14 < krzie> lol 20:14 < ecrist> HardDisk_WP: what version of ssl-admin? from SVN? 20:14 < HardDisk_WP> Yep 20:15 < ecrist> ok, lemme pull a copy and 'start from scratch' with you 20:15 < HardDisk_WP> 'kay, I'll delete the /etc directory and make install again 20:16 < ecrist> is there a linux installer? oh yeah, krzie did it. 20:16 < krzie> he said he has no wheel group in debian 20:17 < HardDisk_WP> fixed that problem in the makefile, actually 20:17 < HardDisk_WP> simply changed the -g parameter in install 20:17 < ecrist> ah, that would cause a problem. 20:17 < ecrist> hrm, thought it was 0:0 rather than root:wheel. 20:17 < krzie> and i admit while my linux changes were ugly, they worked when testing on debian, redhat and gentoo 20:18 < HardDisk_WP> ah. maybe the wheel group gets created in the desktop versions ^^ 20:18 < HardDisk_WP> this install is a really bare one, i hand-selected every package. 20:18 < krzie> gentoo ;] 20:18 < krzie> but ya 20:19 < krzie> err 20:19 < krzie> i said debian 20:19 < krzie> i meant tested on ubuntu redhat and gentoo 20:19 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:19 < krzie> no deb 20:19 < krzie> although i did just install deb on a vm at home 20:20 -!- theDoc [n=andelyx@119.73.165.162] has quit [Client Quit] 20:21 < ecrist> HardDisk_WP: all the install/configure things do is setup correct pathing. 20:22 < krzie> aye 20:22 < HardDisk_WP> yep, that's what I could see from their code 20:22 < ecrist> 'their' is me and krzie, btw 20:22 < ecrist> I wrote ssl-admin, krzie's fixed a couple bugs for me. 
;) 20:23 < krzie> although im to blame for the ugly stuff :p 20:23 < ecrist> krzie: ssl-admin doesn't seem to work on mac os x 20:23 < ecrist> :( 20:23 < krzie> umm, ive used it 20:23 < krzie> osx is my primary desktop 20:23 < ecrist> oh, durrr 20:24 < krzie> i can test again when i get home tho 20:24 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 20:24 < krzie> HardDisk_WP the paths right from configure for debian? 20:25 < HardDisk_WP> yes 20:25 < krzie> sweet 20:25 < ecrist> Syntax error in ~/Library/ssl-admin/ssl-admin.conf 20:25 < ecrist> grr 20:26 < krzie> latest svn? i dont see how that would happen in osx and not bsd 20:27 < ecrist> yeah, latest svn. here's why: 20:27 < ecrist> my $result = do $config_file; 20:27 < ecrist> die "Syntax error in $config_file\n\n" unless ($result); 20:27 < ecrist> I think. 20:28 < ecrist> blast, I'm to 'blame' 20:29 < krzie> ? 20:30 < ecrist> I don't know, something's not being executed correctly. 20:30 < krzie> trace it? 20:30 < HardDisk_WP> can I help you, or is this mac os specific? 20:31 < krzie> seems osx but dont see how since its perl 20:31 < ecrist> not sure. been a while since I've looked at this code. got another pet project currently. 20:31 < krzie> maybe diff perl vs what i use... 20:31 < krzie> i have bunches of stuff from macports... could have updated perl 20:34 < ecrist> I think ~ isn't being expanded correctly. 20:35 < krzie> oh does perl no likee? 20:35 < krzie> if thats it just use /Library 20:35 < krzie> put it global instead of user 20:36 < ecrist> ok, it's the ~ that's not being expanded in perl 20:38 < ecrist> committed 20:39 < krzie> i like user better tho 20:39 < krzie> because of filevault 20:39 < krzie> encrypts homedir only 20:39 < ecrist> yeah, me too. 20:39 < ecrist> could be a work around of some kind. 
would have to be some glob of shell for current user 20:40 < krzie> easy one 20:40 < ecrist> however, doing this removes the ability of separate admins running the program 20:40 < krzie> just /Users/`whoami`/Library 20:40 < krzie> true 20:40 < ecrist> could be a configure option, ala windows. 20:40 < ecrist> 'Install for just this user, or all users?' 20:41 < krzie> also true 20:41 < krzie> and only for osx 20:41 < krzie> easily done 20:41 < krzie> i can do that later if ya like 20:41 < krzie> when im home 20:41 < ecrist> at this point, why not write a cocoa front-end, too? 20:41 < krzie> lol 20:41 < ecrist> sure, have at it. :) 20:42 < ecrist> ok, fixing the paths fixes the error 20:42 < ecrist> there's a missing check, though, which I'm going to fix now. 20:43 < krzie> did you see what his error was? 20:43 < krzie> http://pastebin.com/m758b0b8a 20:43 < krzie> line 43 20:43 < ecrist> he got quiet, so I assumed he left. 20:44 < krzie> nah he just couldnt help with the osx specific stuffs 20:44 < ecrist> will look into this when i fix the latest bug 20:44 -!- ben1597 [n=ben1597@c-24-245-3-7.hsd1.mn.comcast.net] has joined ##openvpn 20:44 < HardDisk_WP> no i am still here ecrist / krzie 20:44 < HardDisk_WP> don't worry =) 20:44 < ecrist> HardDisk_WP: lemme fix this minor issue I discovered and I'll look at your problem. 20:45 < HardDisk_WP> just goin to grab something to eat, it's 03:45 here :p 20:48 < ecrist> w00t! my fixes work, make the program a little more usable on initial run, and fixed an OS X install issue. 20:49 < ecrist> I really should work more on this program. 20:49 < ecrist> packaging it for freebsd is *such* a PITA, though. 20:50 < HardDisk_WP> but easier than debian, probably 20:50 < ecrist> never looked into it, really. 20:50 < krzie> and since we dont use linux someone else would need to step in there 20:50 < ecrist> afaik, with linux, I just have to build a package and done. FreeBSD ports tree is a little involved. 
20:51 < krzie> a redhat guy was here talkin bout putting in their system, but i dunno if that ever happened 20:51 < ecrist> doh! I'm missing something, I think, krzie 20:51 < krzie> i talked to gentoo guys but they laughed at my weak hack of a configure/makefile and i dont think it was approved / taken on by one of their guys 20:52 < ecrist> Error Loading extension section v3_ca 20:52 < ecrist> 744:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:319: 20:52 < ecrist> 744:error:2206B069:X509 V3 routines:X509V3_EXT_conf:invalid extension string:v3_conf.c:138:name=crlDistributionPoints,section= 20:52 < ecrist> 744:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=crlDistributionPoints, value= 20:52 < ecrist> OpenSSL exited with errors. Please read above and address the problems indicated. at /usr/local/bin/ssl-admin line 194, <> line 3. 20:52 < karlpinc> Seems to be a problem with 2.1 rc15 and nsis 2.44. SF_SELECTED winds up defined so install-win32/openvpn.nsi generates an error. I can't figure out what's setting it though, and don't know enough about nsis to know what to do about it. (An ifdef comes to mind...) 20:52 < krzie> doh! 20:53 < krzie> oh and that weird problem i had with dh keys being made is gone now, on a new install of the same exact snapshot of fbsd8-current 20:53 < ecrist> krzie: didn't you add something to the ssl config? I might be missing that. 20:54 < ecrist> v3_ca or something? 20:54 < krzie> i added the server stuffs 20:54 < krzie> to openssl.conf 20:54 < krzie> and added S option 20:54 < ecrist> I'm thinking we've been telling people to use svn when it's not been tested. 
20:54 < ecrist> :\ 20:55 < krzie> i tested it on osx/and 3 linux's before my commits 20:55 < krzie> and directly after 20:56 < ecrist> I need to give this script some attention, anyways 21:04 < ecrist> ok, the fresh install on my osx system gets the same error HardDisk_WP was getting 21:04 * ecrist puts on his 'TS' hat 21:05 < ecrist> the problem is with my logic in CRL generation 21:05 < HardDisk_WP> debugging time :) 21:06 < ecrist> ah, easy fix, I think. 21:13 < HardDisk_WP> ecrist / krzie: what timezone are you? 21:13 < ecrist> CST 21:13 < ecrist> for me 21:13 < krzie> im in AST 21:13 < krzie> which is = to EST right now 21:13 < ecrist> HardDisk_WP: I have the update placed in SVN. testing it now 21:15 < ecrist> grr 21:15 < ecrist> didn't quite fix it 21:28 < HardDisk_WP> ecrist / krzie i'm off to bed... i should be back in 5 hours or so 21:28 < ecrist> HardDisk_WP: ok 21:28 < ecrist> the main error is fixed 21:28 < ecrist> committed to svn 21:29 < HardDisk_WP> i can't test any more now... the nslu crashed and i'm too tired to run a full fsck on this slow USB disk^^ i'll test when I wake up 21:30 < HardDisk_WP> gn8 21:30 < ecrist> l8r 21:32 < krzie> nite 21:33 < krzie> hey HardDisk_WP 21:33 < krzie> http://xkcd.com/545/ 21:33 < vpnHelper> Title: xkcd - A Webcomic - Neutrality Schmeutrality (at xkcd.com) 21:33 < krzie> lol 21:33 < HardDisk_WP> rofl :D 21:41 < ecrist> ok, appears as though ssl-admin has the major bugs fixed. 21:41 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 21:46 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 21:53 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 21:58 < ecrist> krzie: you still around? 21:58 < ecrist> nm 21:59 < krzie> yup 21:59 < krzie> in and out for now 21:59 < ecrist> working on a freebsd ports-tree wrap for ssl-admin 21:59 < ecrist> my head is spinning 21:59 < krzie> in shell? 21:59 < ecrist> ? 22:00 < krzie> shell script? 
22:00 < ecrist> oh, already have that. trying to figure out what the fuck it was doing. 22:00 < ecrist> think it was written before you did your linux stuff 22:01 < krzie> ahh 22:13 < ecrist> grr 22:13 < ecrist> I just spent an hour undoing what shouldn't have been undone. 22:14 < ecrist> *BANG* 22:14 < dan__t> WHAT 22:14 < dan__t> WHAT 22:14 < dan__t> WHAT 22:14 < dan__t> I'll make an RPM for it. 22:14 < ecrist> that would be great! 22:14 < dan__t> rpm is my bitch++ 22:21 < krzie> what what 22:21 < krzie> in the butt 22:28 < ecrist> ok, patch built, and tested. submitting pr 22:39 < ecrist> sent. I'm off to bed. 22:39 < ecrist> l8r 22:39 < ecrist> dan__t: let me know if you need anything from me to build the RPM 22:39 < ecrist> the entire SVN tree is world-readable 22:40 < dan__t> werd 22:40 < dan__t> thanks. 22:40 < ecrist> Collaborative Fusion, inc claimed they were going to help develop it back in February, but that was the last I ever heard. 22:41 < ecrist> oh well. g'night. 22:45 < dan__t> I can't develop. 22:45 < dan__t> But I can roll krzie's cheating wife in to an RPM. 22:47 < dan__t> ;) 22:47 < krzie> wife? hahaha you really dont know me 22:49 < dan__t> hahaha 22:49 < dan__t> I was going to say "dead wife" but I thought you might get mad. 22:50 -!- ben1597 [n=ben1597@c-24-245-3-7.hsd1.mn.comcast.net] has quit ["Leaving"] 22:58 < karlpinc> fyi, OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 are out 22:58 < dan__t> nice. 22:59 < karlpinc> I finally got a working build on Windows. *blech* 22:59 < dan__t> What do you mean finally? 22:59 < dan__t> What was wrong with it? 22:59 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 23:00 < karlpinc> dan__t : It took 14 hours. Mostly being on Windows was wrong with it. 23:00 < dan__t> Noted. 23:00 < dan__t> Why'd it take so long? 
23:00 < karlpinc> There's 2 bugs in 2.1 rc15 with MinGW 5.1.4 23:00 < theDoc> Hi all :) 23:01 < karlpinc> The first is that openvpn cryptoapi.c assumes mingw does not know about the full win crypto api, but now it does so the code breaks. 23:01 < dan__t> I see. 23:02 < dan__t> Which, OpenVPN itself, or OpenVPN GUI? 23:02 < karlpinc> The second is that with nsis 2.44 SF_SELECTED is set but install-win32/openvpn.nsi sets it anyway so there's an error when the installer is built. 23:03 < karlpinc> dan__t : OpenVPN itself. 23:03 < karlpinc> dan__t : It depends on what version of mingw you're using as to whether you need the #ifdef(s). 23:03 < dan__t> Ah. 23:03 < dan__t> Understood. 23:03 < dan__t> Is OpenVPN GUI going to be around for a while you suppose? 23:03 < karlpinc> dan__t : It's now packaged with openvpn. I hope so. ! 23:04 < karlpinc> dan__t : I'm relying on it. 23:04 < dan__t> I didn't know it was. 23:04 < dan__t> But that's bad-ass. 23:04 < dan__t> What are you doing with it? 23:05 < karlpinc> Uh, starting and stopping vpn tunnels. :-) 23:05 < dan__t> heh 23:05 < karlpinc> I'm deploying it. 23:06 < dan__t> rad 23:07 < karlpinc> dan__t : But what really took so long is that about 6 months ago I tried to get a Logitech quickcam working. It left cruft on the XP box, even though uninstalled, that runs and interferes with cygwin/msys in truly random and bizarre ways. That took a good 5 hours. Just another day in MS Windows land. 23:07 < dan__t> haha. 23:08 < karlpinc> dan__t : Made even more special by the fact that the camera never did work. 23:08 < dan__t> haha 23:08 < dan__t> Well. Right now I'm waiting on WHMCS 23:08 < dan__t> It's not working as I expected it to, for sure. 23:08 < karlpinc> dan__t : ? 23:08 < dan__t> Suspend and Unsuspend action hooks are not working as expected. 23:08 < karlpinc> dan__t : WHMCS? 23:09 < dan__t> Billing system. 23:10 < karlpinc> dan__t : Any good? 23:11 < dan__t> I've been through them all. 
23:11 < dan__t> And this is the one that I've found that works the best. 23:11 < dan__t> I've done ModernBill, Ubersmith, HSPC, ClientExec, and many others 23:12 < karlpinc> dan__t : If it's not FOSS I tend to stay away. Spent too much brain on stuff that's long gone. Sometimes you need what you need though. 23:13 < dan__t> Believe me, I've searched through and through for some FOSS application that does 1/2 of what any of these commercial systems do. 23:14 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 60 (Operation timed out)] 23:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 23:23 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 23:27 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)] 23:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)] 23:38 < dan__t> so, karlpinc the GUI is now packaged with OpenVPN? 23:38 < dan__t> Can I still build it with NSIS and stuff? 23:39 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN --- Day changed Wed Apr 08 2009 00:07 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:09 -!- rodpod [n=rod@hick.org] has joined ##openvpn 00:18 -!- WormFood [n=wormfood@58.60.118.151] has joined ##openvpn 00:22 < WormFood> can openvpn, in server mode, support both udp and tcp? 00:25 < dan__t> I do not believe it can support both. 00:25 < dan__t> I gave up on trying to use UDP because so many bullshit routers make it suck. 00:30 < MarcWeber> Is there a way to make openvpn connect to a server A if it's reachable and B if A is down? 00:30 < dan__t> Just list different 'remote' lines. 00:37 < WormFood> MarcWeber, you can script that 00:37 < MarcWeber> WormFood What do you mean? while true; do if ping -c1 $server1; use_server_1 else use_server_2; fi; done? 00:40 < dan__t> Use two 'remote' lines. 00:40 < dan__t> As many as you wish. 00:40 < dan__t> That's what they're there for. 
00:46 < WormFood> something like that 00:48 < WormFood> "On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server." <-- straight from the openvpn man page 00:48 < WormFood> did you try that? 00:48 < dan__t> And didn't Marc Weber retire? 00:49 < WormFood> The OpenVPN client will try to connect to a server at host:port in the order specified by the list of --remote options. The client will move on to the next host in the list, in the event of connection failure. 01:00 < MarcWeber> dan__t: retire ? :-) That wasn't me then. I'll try multiple remote settings. Thank you! 01:00 < dan__t> F1 driver... 01:00 < dan__t> nevermind heh 01:06 < reiffert> moin 01:06 < reiffert> WormFood: udp+tcp: no. 01:07 < reiffert> dan__t: Webber with double b. 01:08 < dan__t> heheh 01:11 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 01:23 < theDoc> Anyone might have an idea what could be throwing this error up? write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065) 01:23 < theDoc> Oh wait, might be a user error 01:27 < theDoc> Stupid user. Disconnecting from his own wifi network and wondering why he can't connect to the vpn. 01:27 < theDoc> >:o 01:27 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 01:32 < ftp3> hey.. i am trying to automagically generate an openssh installer with the keys to email to my "people" :). I know that untangle does this, but i cannot find any tutorial or instructions.. anyone have any ideas for me? 01:35 < dan__t> For which part exactly? 01:40 < ftp3> well, i want to do this automagically on my linux box 01:41 < ftp3> so, if i need to create a new openvpn account key, etc for someone, i just want to run a script like "buildkey fred@home.com" and it will email fred his windows installer with his keys already in it 01:42 < ftp3> does that make sense? 
01:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:47 < kraut> moin 01:47 < krzee> moin 01:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 03:04 < MarcWeber> push "x"; What is x to set the ip address of a client ? I'd like to assign them using client-config-dir 03:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:07 < MarcWeber> Can I push an "ifconfig" command? 03:08 < MarcWeber> It's not listed in the list of --push 03:18 < krzee> !static 03:18 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd 03:18 < krzee> =] 03:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:35 -!- ]Sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn 03:36 < ]Sintax[> what's the deal with init-config ? i've seen a cpl tutorials online now that mention it and i can't find it on my system 03:37 < krzee> init-config? 
03:37 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 03:37 < ]Sintax[> yes 03:37 < ]Sintax[> http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd like here for example 03:37 < vpnHelper> Title: BlogFish: OpenVPN 2.0 on OpenBSD (at blog.innerewut.de) 03:38 < krzee> oh part of the easy-rsa script 03:38 < krzee> better to just use ssl-admin anyways 03:38 < krzee> !ssl-admin 03:38 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 03:38 < krzee> find / -name easy-rsa 03:38 < krzee> its there somewhere 03:39 < ]Sintax[> ok thank you ill check into that 03:39 < krzee> but ssl-admin will make making your certs easy and damn near fun 03:39 < krzee> at least it was that way for me 03:39 < krzee> was/is 03:40 < ]Sintax[> ill just be excited if i can get openvpn working in the first place with what im trying to do haha 03:40 < krzee> whats that 03:41 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 03:41 < ]Sintax[> well theres no reason for what im doing other than to get some more experience but i've got an OpenBSD 4.4 machine here and just installed OVPN on it and am going to try a site-site setup to connect to a 4.4 OBSD VMware machine i've setup inside my friends network across the inet 03:42 < ]Sintax[> if i figure it out i might write a HOWTO since there seems to be a lack of them 03:42 < krzee> ok well a) 03:42 < krzee> init-config is part of easy-rsa 03:42 < krzee> which is for certs 03:42 < krzee> which is for server/client 03:42 < krzee> site-site is ptp 03:42 < krzee> non server/client 03:43 < krzee> b) if you want experience maybe you want server/client instead of site-site 03:43 < krzee> in which case heres what you want: 03:43 < ]Sintax[> that might be easier to start with eh? 
server/client 03:43 < krzee> !ssl-admin 03:43 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 03:43 < krzee> for making the certs 03:43 < krzee> !sample 03:43 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 03:43 < krzee> a basic generic config 03:43 < krzee> (mine) 03:43 < krzee> !route 03:43 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:43 < ]Sintax[> init-config doesnt exist on my box 03:43 < krzee> my walkthrough on routing to lans 03:44 < krzee> well i guess whatever package manager you installed from didnt give you it 03:44 < ]Sintax[> i used ports 03:44 < krzee> (obviously you used one since its in the source) 03:44 < ]Sintax[> on openbsd 03:44 < krzee> dunno its in freebsd ports 03:44 < krzee> but i dont use obsd 03:44 < ]Sintax[> weird.. 03:44 < ]Sintax[> i wonder if a package would have had it 03:44 < krzee> i guess it follows their slogan tho 03:44 < krzee> "unusable by default" 03:44 < krzee> ;] 03:44 < ]Sintax[> will your setup here work for single interface machines? most tutorials ive found are for dual-nic machines 03:45 < ]Sintax[> Haha 03:45 < krzee> openvpn NEVER needs dual nic 03:45 < krzee> which is why reading the manual > reading google's howtos 03:45 < krzee> but you must have tuntap in the kernel or the kernel mod 03:46 < krzee> err tun i mean for obsd 03:46 < krzee> since theres no true tap for obsd 03:46 < ]Sintax[> well i think those scenarios are for machines running as NAT/Router devices you know? 
internal and external interfaces 03:46 < krzee> whatever 03:46 < krzee> you never need 2 devices for openvpn 03:46 < ]Sintax[> good to know 03:47 < krzee> now since you're just doing this to play 03:47 < krzee> after you get that working... 03:48 < krzee> then move on to connecting your own client in from mobile laptop 03:48 < krzee> to encrypt your connection through the vpn in hostile lans 03:48 < krzee> for that you'll need: 03:48 < krzee> !def1 03:48 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 03:48 < ]Sintax[> that sounds like fun 03:48 < krzee> and on the server you will need: 03:48 < krzee> ip forwarding turned on 03:48 < krzee> NAT enabled for the vpn network 03:49 < krzee> and for every command you see in my config and in your final configs 03:49 < krzee> !man 03:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:49 < krzee> read what they do! 03:49 < krzee> *back to securing the webserver for me* 03:50 < krzee> if you come across ?'s feel free to ask 03:50 < ]Sintax[> thanks a bunch ! 
03:50 < krzee> yw 03:50 < ]Sintax[> appreciate it 03:51 < krzee> make sure to read !route carefully 03:51 < krzee> it has a ton of info packed into a lil writeup 03:51 < ]Sintax[> okay 04:10 < ]Sintax[> i dont think im going to have much luck getting ssl-admin running on openbsd 04:10 < krzee> just grab from svn 04:10 < krzee> all it requires is perl and openssl 04:10 < krzee> and zip for 1 feature if you use it 04:11 < ]Sintax[> im not sure why SVN for OBSD wants to install a bunch of apache deps and such 04:11 < krzee> lame 04:11 < ]Sintax[> im downloading all the files 1 by 1 04:11 < krzee> subversion shouldnt need apache 04:11 < krzee> lol obsd 04:11 < krzee> wget for the win? 04:11 < ]Sintax[> yep! 04:11 < ]Sintax[> ftw 04:12 < krzee> note i never tested the lil configure stuff i added for linux on obsd 04:12 < krzee> it was written by ecrist for fbsd 04:12 < ]Sintax[> ah 04:12 < krzee> (which i also use) 04:12 < krzee> and im no coder by any definition, but i script a bit 04:13 < krzee> so i added a configure script to rewrite the makefile to let it install to right places in linux 04:13 < krzee> if that doesnt work right on obsd just mod the makefile manually 04:13 < ]Sintax[> maybe with a little tweaking i can get it to work 04:13 < krzee> easy to see what it wants 04:13 < krzee> it would be very slight tweaking 04:13 < krzee> and obvious what it wants 04:14 < krzee> but likely = to fbsd 04:14 < ]Sintax[> ok i've got the whole dir downloaded 04:14 < ]Sintax[> typical ./configure ? 04:14 < ]Sintax[> or perl ssl-admin ? 
04:16 < krzee> configure 04:16 < krzee> then make install 04:16 < krzee> then ssl-admin 04:16 < ]Sintax[> configure failed horribly 04:16 < krzee> although you must edit a config file first 04:16 < krzee> then mod it 04:16 < krzee> i warned ya 04:16 < ]Sintax[> ah 04:16 < krzee> just mod the makefile 04:16 < ]Sintax[> lol im no coder either ;-p 04:16 < krzee> read the configure and makefile 04:16 < krzee> its simple shell script 04:17 < ]Sintax[> i need to edit ETCDIR?=VARETC and the other two correct ? 04:17 < krzee> i dont have the files in front of me 04:18 < krzee> but i have a sed expression editing it 04:18 < krzee> for each 04:18 < krzee> just do my sed manually for what it should be on your OS 04:19 < ]Sintax[> hmm 04:19 < ]Sintax[> feeling like an idiot for not knowing what to do here lol, although it is overly complicated for being on OpenBSD ya know 04:20 < ]Sintax[> well sed -i isnt valid on here so i dont know what -i does on your system 04:20 * ]Sintax[ smashes openbsd 04:20 < krzee> s/oldstring/newstring/ 04:20 < krzee> edits files in place 04:20 < krzee> (-i) 04:21 < ]Sintax[> mine only has -a -e -f -n -u lol 04:21 < krzee> which is what you'll be doing manually 04:21 < ]Sintax[> http://pastebin.ca/1385811 04:21 < krzee> since without that or redirection it would print to stdout 04:22 < krzee> just pastebin the configure and Makefile 04:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 04:22 < ]Sintax[> http://pastebin.ca/1385812 configure 04:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:23 < ]Sintax[> http://pastebin.ca/1385812 configure and makefile is http://pastebin.ca/1385813 04:26 < krzee> oh i see 04:26 < krzee> i did check out openbsd's filestructure 04:27 < krzee> i just didnt check their sed 04:27 < krzee> weaksauce no in-line sed for obsd 04:27 < ]Sintax[> isnt that weird lol 04:27 < ]Sintax[> sed is different from free/openbsd 04:28 < krzee> ok so check this out 04:28 < krzee> 
s+VARETC+/etc+g 04:28 < krzee> that is a switch regular expression 04:28 < krzee> means 04:28 < krzee> take VARETC and change it with /etc globally 04:28 < krzee> so for every instance of VARETC in the Makefile, replace it with /etc 04:28 < krzee> go do that 04:29 < krzee> then do the same for the other 2 04:29 < ]Sintax[> so i dont need to bother with the configure do i? 04:29 < krzee> nope 04:29 < krzee> just do what it does manually 04:29 < krzee> but then theres 1 more thing when you're done 04:29 < krzee> cause the last 1 04:29 < krzee> has its own sed -i 04:29 < ]Sintax[> cant i just edit ETCDIR?=VARETC and put /etc ? 04:30 < krzee> you just remove VARETC and make it /etc 04:30 < krzee> ETCDIR?=/etc 04:30 < ]Sintax[> hmmm see if i can remember what VARMAN should be 04:30 < krzee> you should prolly be using an easier OS if you dunno regular expressions 04:31 < ]Sintax[> no i mean.. which man it wants 04:31 < krzee> here comes the bitch 04:31 < ]Sintax[> bin/man or local/man or share/man ;-p 04:32 < krzee> you will need to edit ssl-admin itself 04:32 < krzee> and remove a line from the Makefile 04:32 < ]Sintax[> hah 04:32 < krzee> shit i'm gunna hafta redo that Makefile cause of this 04:32 < krzee> gay ass obsd sed 04:33 < krzee> it doesnt matter which man dir 04:33 < krzee> as long as it is in your MANPATH it works 04:33 < ]Sintax[> ok i got those 3 variables changed 04:33 < krzee> ok 04:33 < krzee> ignore the 4th 04:34 < krzee> now remove line 18 from Makefile 04:34 < krzee> SEDCMD "s+~~~ETCDIR~~~+${ETCDIR}+g" ssl-admin 04:34 < krzee> then go into ssl-admin 04:34 < krzee> manually 04:34 < ]Sintax[> ok 04:35 < krzee> search and replace ~~~ETCDIR~~~ with your etc dir 04:35 < ]Sintax[> which is just /etc right 04:35 < krzee> ya 04:36 < krzee> (in freebsd we prefer /usr/local/etc/ for 3rd party software as to not confuse from base software) 04:36 < krzee> but you can read about that in man hier someday on fbsd ;] 04:36 < krzee> after that (no more instances of 
~~~ETCDIR~~~ exist in ssl-admin), make install 04:37 < ]Sintax[> i used to use freebsd alot but now im playing with openbsd for a bit 04:38 < ]Sintax[> hmmm did something wrong 04:38 < krzee> btw theres nothing you have seen yet that isnt a standard command in the commandline 04:39 < ]Sintax[> http://pastebin.ca/1385828 04:39 < ]Sintax[> im not sure if its printing those sed lines as if they worked or didnt 04:39 < krzee> hah 04:39 < krzee> install doesnt have -v in obsd 04:39 < ]Sintax[> figures 04:40 < krzee> shit i think i should be writing notes on this 04:40 < krzee> just remove the -v's 04:40 < ]Sintax[> i can log the channel and you can go back through it 04:40 < krzee> its just for verbosity 04:40 < krzee> oh right, we have it logged 04:40 < ]Sintax[> wow you'd think it would have that 04:40 < krzee> !irclogs 04:40 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 04:41 < krzee> err wait 04:41 < krzee> oh nm its good 04:41 < ]Sintax[> http://pastebin.ca/1385829 hows that ;-p 04:41 < krzee> just remove those -v's 04:42 < krzee> i assume its good 04:42 < krzee> we'll see 04:42 < ]Sintax[> well apparently some of it didnt work 04:42 < ]Sintax[> err wait 04:42 < krzee> whats the new error... 04:43 < ]Sintax[> its a user error :-D 04:43 < ]Sintax[> ok now just run ssl-admin right? 04:43 < krzee> aye 04:43 < ]Sintax[> after i edit* 04:45 < ]Sintax[> nice script 04:45 < krzee> thanx but from there on i cant take credit 04:45 < krzee> my work was what didnt work for you, lol 04:45 < ]Sintax[> one more for ya http://pastebin.ca/1385831 04:46 < krzee> did you edit your sample config? 
04:46 < krzee> (like it told you you had to) 04:46 < ]Sintax[> $ENV{'KEY_CRL_LOC'} = "URI:https://www.secure-computing.net/crl.pem"; 04:46 < ]Sintax[> do i need to do one of those 04:46 < ]Sintax[> i left that line alone 04:46 < krzee> thats fine 04:46 < krzee> you arent at the point where you could possibly need a CRL 04:46 < krzee> you're just playing 04:46 < krzee> !crl 04:46 < vpnHelper> krzee: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) 04:46 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you 04:46 < ]Sintax[> let me fix up the other conf file ;-p 04:47 < krzee> ok im gone 04:47 < krzee> gl to you 04:47 < ]Sintax[> http://www.ircpimps.org/openvpn.configs should be my server.conf ? 04:47 < ]Sintax[> thanks ! i'll get there! i might sleep first before i finish it heh 04:54 -!- Gumbler is now known as Gumbler|NotHere 04:54 -!- Gumbler|NotHere is now known as Gumbler 04:58 < MarcWeber> Which is the option to set the permanent tun device name to be used? 04:58 < dazo> MarcWeber: --dev tun0 ? 04:59 < MarcWeber> --dev tun0 --dev-type tun :-) 05:03 < dazo> MarcWeber: yeah, to be explicit ... --dev-type is normally only needed when you use another prefix than tun or tap on --dev ... 
but might be OS and ovpn version dependent
05:03 -!- WormFood [n=wormfood@58.60.118.151] has left ##openvpn ["Leaving"]
05:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
05:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:37 < HardDisk_WP> ping krzee
05:37 < HardDisk_WP> ping ecrist
05:38 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
05:53 -!- theDoc [n=andelyx@bb116-15-19-68.singnet.com.sg] has joined ##openvpn
05:59 -!- theDoc [n=andelyx@bb116-15-19-68.singnet.com.sg] has quit []
05:59 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
05:59 -!- theDoc [n=andelyx@208.99.194.194] has quit [Remote closed the connection]
06:05 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:14 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has joined ##openvpn
06:15 < hans67521> is openvpn access server free?
06:15 < hans67521> or free "as in beer"
06:17 < MarcWeber> hans67521: GPLv2
06:23 < hans67521> but why does it then need a license to install
06:24 < hans67521> which vpn setup the faster one, routing or bridging?
06:26 < theDoc> They both do different things.
06:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:33 < reiffert> free as in you send beer, I send openvpn
06:33 < reiffert> hans67521: routing
06:33 < reiffert> (faster setup)
06:56 < hans67521> i mean in terms of speed?
07:04 < reiffert> 1 setup per 10 minutes vs 1 setup per 20 minutes
07:05 < ecrist> ping pong!
07:12 < dazo> hans67521: nope ... Access Server is closed ....
but seems to be only a management package around standard OpenVPN
07:15 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn
07:15 * ecrist reads http://www.openbsd.org/ports.html#Create
07:15 < vpnHelper> Title: OpenBSD Ports and Packages (at www.openbsd.org)
07:20 < illio> Having a bit of trouble with setting openvpn up on a OpenWRT router.. Here's the server conf: http://pastebin.ca/1385933 .. and here's the client conf: http://pastebin.ca/1385937 .. Now when I try to connect to the server (which is running of course), I get this: http://pastebin.ca/1385939 .. So I immediately think "It's probably IPTables".. so I checked the /etc/firewall.user file on OpenWRT, but the OpenVPN stuff is there and should be work
07:20 < illio> ing: http://pastebin.ca/1385934
07:22 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has quit []
07:22 < ecrist> illio: something is killing the process on your router
07:23 < illio> Hehe.. nevermind!
07:23 < illio> OpenVPN had crashed on the router for some unspecified reason.. so it actually wasn't running :-P.. oops
07:23 < illio> ecrist, that's obviously a possibility yes.. I'll have to keep an eye on it and see if it does it again.. I haven't noticed it before
07:23 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit ["Leaving"]
07:29 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn
07:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
07:40 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:48 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 104 (Connection reset by peer)]
07:54 -!- FuraX [n=cp@umb-sls99-003.u-strasbg.fr] has quit [Remote closed the connection]
08:00 < HardDisk_WP> ecrist, did you manage to fix that script?
08:02 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn
08:03 < illio> I'm a bit unsure if I got disconnected before sending my messages before.. so I'm just gonna repost them..
sorry if anyone gets a duplicate
08:03 -!- mtoledo` [n=user@189.102.205.95] has quit [Read error: 110 (Connection timed out)]
08:03 < illio> I'm actually having one issue .. when I do get a connection to the vpn, my client says the following: http://pastebin.ca/1385964 .. and I can't access the internet, even though my server config here: http://pastebin.ca/1385933 .. should allow it...
08:03 < illio> according to the errors, it seems to be the route command
08:03 < illio> The local network with access to the internet at the vpn location is 192.168.1.x
08:03 < illio> and the actual device the vpn server is running on is 192.168.1.2 .. and the gateway is therefore 192.168.1.1
08:07 < ecrist> HardDisk_WP: yes, it was fixed right before you left.
08:07 < ecrist> updates are in svn
08:08 < HardDisk_WP> ok
08:08 < HardDisk_WP> lemme pull
08:09 < ecrist> illio: what's the IP address of the client machine, BEFORE connecting to the VPN?
08:11 < illio> ecrist, 192.168.1.114
08:11 < ecrist> that's your problem
08:12 < ecrist> you can't use 192.168.0/23 for VPNs, at the very least. you've got conflicting routes.
08:15 < illio> ecrist, so what could I use instead?
08:15 < illio> ecrist, how about something like 10.8.1.0?
08:16 < ecrist> illio: you need to setup your VPN lan to be something other than 192.168.x, and build from there.
08:16 < illio> ecrist, okay..
I'll try that
08:16 < ecrist> too many home routers use that address range, so you'll almost always have conflict
08:16 < ecrist> !1918
08:16 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
08:16 < ecrist> any of those will work, even 192.168.8.0/24 would be fine
08:17 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
08:18 < illio> ecrist, okay thanks man
08:18 < ecrist> np
08:21 < HardDisk_WP> ecrist, this is current ssl-admin.conf http://pastebin.com/m14f829fd
08:21 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 104 (Connection reset by peer)]
08:22 < ecrist> ok, still throwing errors?
08:22 < HardDisk_WP> no, I'm gonna run it now
08:22 < HardDisk_WP> or did I fuck sth. up in the conffile?
08:22 < ecrist> nope, config looks ok
08:23 < HardDisk_WP> kk
08:23 < HardDisk_WP> ===> Moving certficate and key to appropriate directory.
08:23 < HardDisk_WP> Creating initial CRL...Using configuration from /etc/ssl-admin/openssl.conf
08:23 < HardDisk_WP> FAILssl-admin installed Wed Apr 8 15:23:26 CEST 2009
08:23 < HardDisk_WP> I can't find your OpenVPN client config. Please copy your config to
08:23 < HardDisk_WP> /etc/ssl-admin/packages/client.ovpn
08:23 < HardDisk_WP> this comes before the menu screen
08:24 < ecrist> yeah, that FAIL is a misnomer, it actually works. haven't figured out how to get rid of the error.
08:24 < ecrist> the CRL does get created, though
08:24 < HardDisk_WP> ah ok
08:25 < ecrist> really, I need to start using the perl ssl module, rather than the commandline openssl
08:25 < HardDisk_WP> ecrist, ok, so what do I have to do now to get openvpn server running on the NSLU? In the end, it should be so that the laptop would behave exactly as if it would be attached directly to the router where the NSLU also is
08:27 < ecrist> HardDisk_WP: what types of network traffic do you need passed?
(what programs/protocols?)
08:31 < HardDisk_WP> if possible, everything - it 'd be that cool to be able to access this streaming stuff from my NAS also from outside
08:31 < HardDisk_WP> i think what i need is called bridging, correct me if i'm wrong
08:31 < ecrist> tun is probably all you need.
08:31 < ecrist> !freebsd
08:31 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
08:32 < HardDisk_WP> ok
08:32 < ecrist> some of that link is installation on freebsd, but the majority of it should apply
08:32 < MarcWeber> ifconfig-push 10.9.0.10 10.9.0.9
08:32 < MarcWeber> Why are there two ips ?
08:33 < ecrist> one is remote endpoint, one is local endpoint
08:33 < ecrist> !/30
08:33 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:33 < HardDisk_WP> ecrist, uh, there's no KEY_DIR in my version of ssl-admin.conf
08:34 < ecrist> can you paste the error?
08:35 < ecrist> KEY_DIR is a variable that should have been set by ./configure
08:36 < HardDisk_WP> Lastly, your KEY_DIR directory must already exist, or the script will error out. In our test installation here, we need to create this directory:
08:36 < HardDisk_WP> mkdir /usr/local/etc/openvpn/ssl
08:36 < HardDisk_WP> ah okay
08:36 < ecrist> oh, that page needs to be updates
08:36 < ecrist> updated*
08:36 < HardDisk_WP> ah, ok^^
08:36 < ecrist> ssl-admin used to be a much simpler perl script, which would auto-install itself.
08:36 < ecrist> that's not the case anymore.
08:37 < ecrist> you've already done all the setup for ssl-admin, ignore those parts of that wiki page
08:37 < HardDisk_WP> kk
08:38 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn
08:42 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 54 (Connection reset by peer)]
08:43 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
08:45 < HardDisk_WP> ecrist, do I have to run openssl dhparam -out KEY_DIR/active/dh1024.pem 1024 ?
08:47 < reiffert> HardDisk_WP: no, just read the howto.
08:48 < reiffert> ah, ssl-admin, sorry, /me shuts up
08:49 < MarcWeber> What makes a ptp link that special that it has to be emulated for win32 TUN/TAP driver emulations?
08:49 < HardDisk_WP> ecrist, uh... your server config example... it makes clients have their own network
08:51 < ecrist> what do you mean?
08:51 < MarcWeber> ecrist: I just don't understand that part yet.
08:51 < HardDisk_WP> server - The IP address and subnet the virtual interface should have. Your clients will get addresses on this network.
08:51 < ecrist> HardDisk_WP: yes, that's correct
08:52 < ecrist> MarcWeber: windows sucks, that's all
08:52 < ecrist> it's been fixed in 2.1, iirc
08:52 < ecrist> !topology
08:52 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:52 < MarcWeber> When using --server 10.8.0.0 255.255.255.0 this expands to "... ifconfig 10.8.0.1 10.8.0.2
08:52 < MarcWeber> ..."
08:56 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn
08:56 < ecrist> MarcWeber: yes, we're aware.
08:58 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Leaving"]
08:59 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Connection timed out]
09:00 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn
09:00 < HardDisk_WP> ecrist, http://pastebin.com/m48030c38 this is the network setup
09:01 < HardDisk_WP> using your server.conf would give my laptop some 172.30.x.x address, right?
09:04 < MarcWeber> What kind of data comes out of the application side of a tun/tap device? kind of stdin/stdout binary stream representing packages?
09:04 < ecrist> HardDisk_WP: yes, it would.
09:04 < ecrist> MarcWeber: tun/tap is a standard pseudo network interface.
09:06 < ecrist> HardDisk_WP: since you would probably be putting the openvpn server on your DHCP server machine/router, you wouldn't really need any additional config, other than in the server config to add a push statement for your LAN subnet.
09:06 < ecrist> as I was talking to illio above, you can't reliably use 192.168.0/23 across a VPN - too many conflicts.
09:07 < ecrist> so, you'd need to renumber your home LAN
09:07 < MarcWeber> http://rafb.net/p/r8Rj1D59.html I got this from the docs. But i still don't see what the "Network address" and "Broadcast address" are used for in /30
09:07 < vpnHelper> Title: Nopaste - No description (at rafb.net)
09:07 < HardDisk_WP> ecrist, that's doable, actually
09:07 < ecrist> and, on your dad's router, do a portforward rule to your server for udp port 1194
09:07 < HardDisk_WP> ecrist, my router is DMZ, so that's no prob
09:07 < ecrist> MarcWeber: read up on networking and how subnetting works.
09:07 < ecrist> then come back
09:08 < ecrist> ah, then that part is set.
09:08 < HardDisk_WP> ecrist, the DHCP server is my router, btw.
the OpenVPN gate will be the NSLU
09:08 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 104 (Connection reset by peer)]
09:09 < ecrist> oh, then you'll need to add a static route on the LAN gateway for your VPN ips space
09:10 < ecrist> alternatively, you could run a bridged VPN, to avoid all the routing, but you still need to renumber your LAN
09:10 < HardDisk_WP> yep, then I'll go the bridged way. it isn't that hard to renumber three machines ^^
09:12 < ecrist> @1918
09:12 < ecrist> !1918
09:12 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
09:13 < HardDisk_WP> i think i'll go with the 172.16 netmask, then. i have never seen this one in any hotspot or company LAN
09:13 < ecrist> generally, anything in 172.16/12 is OK. it seems common practice to use 192.168.0/23 for home routers, 10.0/16 for businesses, and 172.16/12 for VPNs
09:14 < HardDisk_WP> brb, mighta take me 10mins till every device on my net is renumbered properly
09:15 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn
09:16 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Client Quit]
09:20 -!- BBishop [i=dexter@unaffiliated/blackbishop] has joined ##openvpn
09:22 -!- BBishop [i=dexter@unaffiliated/blackbishop] has quit [Client Quit]
09:24 < HardDisk_WP> re
09:25 < HardDisk_WP> ecrist, okay, laptop, nslu and router are renumbered and work properly
09:33 < HardDisk_WP> ecrist, what now?
09:36 < ecrist> did you setup a bridged vpn?
09:37 < MarcWeber> 16:10 < HardDisk_WP> yep, then I'll go the bridged way
09:42 -!- Flumdahl [i=n30@shell.auth.se] has quit ["reboot"]
09:52 < HardDisk_WP> ecrist, yep... http://pastebin.com/m7d233bb is the server.conf
09:53 < HardDisk_WP> but there's no server.key/server.pem in the /etc/ssl-admin/active
09:53 < ecrist> HardDisk_WP: did you create them?
09:54 < ecrist> ssl-admin isn't 100% openvpn-specific, you need to create those certs.
09:54 < ecrist> there's an 'S' option in the menu
09:55 < ecrist> I'm actually setting up a bridged vpn for the first time, as we speak.
09:56 < HardDisk_WP> kk now there is mnslu. key/pem/crt files in active folder
09:56 < HardDisk_WP> set the crt and key file instead of server.key/crt
10:02 < ecrist> HardDisk_WP: I'm not going to walk you through every step.. there are tons of documents out there that do so already
10:03 < HardDisk_WP> kk
10:03 < HardDisk_WP> actually, the server started... let me see if it works as expected
10:14 < MarcWeber> ecrist Ok. I got that the network address is the lower bound of the "masked" ip range and that the broadcast is the upper bound of the ip range masked by the subnet mask.
10:15 < MarcWeber> I still don't know when the network address is used. I neither know when the broadcast is used within the p2p link.
10:18 < ecrist> MarcWeber: what's the purpose of your questions?
10:19 < ecrist> this isn't #OSI_101
10:19 < MarcWeber> Basically I just want to know how to configure openvpn. Still reading the man page..
10:23 < ecrist> you're best off ignoring the small details.
10:33 < HardDisk_WP> ecrist: the vpn connection works from outside :)
10:34 < HardDisk_WP> now only one problem remains: i cant ping anything else from 172.16.1.x than my own 172.16.1.50 ip address. okay, this is likely due to I forgot bridging, but why can't I ping at least the VPN gate itself?
10:37 < HardDisk_WP> ecrist: in server.conf I stated server-bridge 172.16.1.4 255.255.255.0 172.16.1.50 172.16.1.100
10:37 < HardDisk_WP> but why can't I ping at least .1.4, then?
10:37 < HardDisk_WP> this shoulda be pingable even without bridging, right?
10:37 < HardDisk_WP> client-to-client and push "redirect-gateway def1 bypass-dhcp" are enabled
10:39 < ecrist> HardDisk_WP: firewall?
11:19 < HardDisk_WP> ecrist, none that I know of
11:23 < HardDisk_WP> ecrist, actually there is no tun or tap device shown in ifconfig...
11:23 -!- lough [i=nn@ip68-97-0-203.ok.ok.cox.net] has joined ##openvpn
11:23 < lough> !logs
11:23 < vpnHelper> lough: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
11:23 < lough> !howto
11:23 < vpnHelper> lough: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:26 < lough> alright heres the error i get when using openvpn-gui
11:26 < lough> http://pastebin.com/m16024141
11:26 < lough> im assuming port 443 is in use by something on my computer but i dont see anything in netstat -a
11:27 < lough> it used to work but then it stopped working probably two weeks back. i cant think of what ive changed
11:30 < lough> !interface
11:30 < vpnHelper> lough: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
11:31 < HardDisk_WP> lough, 443 is HTTPS
11:31 < HardDisk_WP> do you have Azureus or Skype running??
11:31 < HardDisk_WP> these two tend to use 443 sometimes
11:32 < lough> skype
11:32 < HardDisk_WP> ah yes. shut it down and then retry
11:33 < lough> ok perfect that did it
11:33 < ecrist> ping krzee
11:33 < krzee> werd
11:33 < ecrist> or krzie
11:34 < krzee> pong
11:34 < ecrist> hey, you had any problems with tunnelblick setting up two vpn connections on os x to two separate places?
11:34 < krzee> i only tried it 1x
11:34 < krzee> 2 years ago
11:34 < krzee> it crashed every time i started it, without fail
11:34 < ecrist> I'm getting an invalid password error, think it's for the mgmt interface
11:34 < krzee> so ive never actually used tunnelblick
11:34 < ecrist> yeah, that's what's happening to me.
11:35 < lough> thank you HardDisk_WP
11:35 < krzee> i dont get why people use it at all
11:35 < HardDisk_WP> no problem :)
11:35 < krzee> i mean shit
11:35 < krzee> heres how i start openvpn
11:35 < ecrist> nm, might be a misconfig with my cert.
11:35 < ecrist> krzee: Tunnelblick is the sexy, Viscosity is even better.
11:36 < ecrist> but it's $9 or some shit
11:36 < MarcWeber> Any experiences whether compression should be enabled (700kbit/s) ?
11:36 < krzee> bigboy-2:~ Jeff$ cat /Applications/scripts/routed.command
11:36 < krzee> open "/Applications/Proxifier.app"
11:36 < krzee> sudo /usr/local/sbin/openvpn /Users/Jeff/vpn/routed.conf
11:36 < krzee> bigboy-2:~ Jeff$
11:36 < krzee> so that is double-clickable
11:36 < krzee> then i tossed a shortcut to it in stacks
11:36 < krzee> and gave it a cool icon, www.ircpimps.org/pimpin.jpg
11:37 < krzee> screw a gui for something thats handled in 1 line of shell script
11:37 < krzee> (2 for me cause i proxify over it)
11:37 < ecrist> ah, that doesn't work so well for my end users, though.
11:37 < krzee> they dunno how to click?
11:38 < krzee> shit its easier than tunnelblick
11:38 < krzee> tunnelblick they have to click, then click to start
11:38 < krzee> mine you just click
11:38 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
11:38 < krzee> oh and type password (but same in tunnelblick too)
11:39 < krzee> and the password tunnelblick wants is to raise privs
11:39 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
11:39 < krzee> cause yanno, needs root to start
11:39 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has joined ##openvpn
11:40 < ecrist> RAWR
11:40 < krzee> MarcWeber, you can keep compression adaptive if you like
11:40 < krzee> MarcWeber, by samples of the data it'll decide how much to encrypt it
11:43 < ecrist> hrm.
11:44 < ecrist> my openvpn is looking for a passphrase.
wtf
11:44 < HardDisk_WP> Crap, I can't bridge-start
11:44 < HardDisk_WP> Wed Apr 8 18:43:33 2009 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
11:45 < krzee> ecrist, not your osx pw for raising privs?
11:45 < ecrist> no, something else
11:45 < ecrist> gotta figure it out
11:45 < krzee> odd
11:45 < krzee> !configs
11:45 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:45 < krzee> if you want
11:46 < krzee> another pair of eyes could help
11:47 < ecrist> sure, I think it's ssl-related, though
11:47 < krzee> ohh
11:47 < krzee> built cert wanting pw?
11:47 < krzee> start it manually
11:47 < krzee> take tunelgay outta the loop
11:49 < ecrist> did that, get error
11:49 < ecrist> http://pastebin.ca/1386170
11:49 < ecrist> http://pastebin.ca/index.php
11:50 < MarcWeber> krzee: Thanks. That's even the default.
11:50 < krzee> aye =]
11:50 * krzee holds himself back from the bridge questions cause he knows who hes talking to
11:50 < krzee> LOL
11:51 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
11:51 < ecrist> http://pastebin.ca/1386172
11:51 < ecrist> that's the error log, krzee
11:51 < krzee> verb 6 help?
11:52 < ecrist> wait one..
11:53 < krzee> also
11:53 < krzee> client-connect /usr/local/etc/openvpn/client-connect.sh
11:53 < krzee> could that not be getting the right auth?
11:54 < krzee> also, could you not be giving it the right script-security?
11:54 < ecrist> http://pastebin.ca/1386179
11:54 < ecrist> krzee: no scripts it's pulling up.
11:56 < krzee> its pulling up client-connect
11:57 < krzee> Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected.
11:57 < ecrist> I'm concerned with line 337 in the last log.
11:57 < ftp3> hey..
i am trying to automagically generate an openssh installer with the keys to email to my "people" :). I know that untangle does this, but i cannot find any tutorial or instructions.. anyone have any ideas for me?
11:57 < ftp3> so, if i need to create a new openvpn account key, etc for someone, i just want to run a script like "buildkey fred@home.com" and it will email fred his windows installer with his keys already in it
11:57 < krzee> right, but im saying that could be why
11:57 < krzee> comment the client-connect
11:58 < krzee> see if it helps a 1time test
11:58 < krzee> ssl-admin will zip up their keys and openvpn config
11:58 < krzee> !ssl-admin
11:58 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
11:58 < ecrist> krzee: added script-security 3 to config, get same auth_failed control message
11:58 < krzee> but its not a windows thing
11:59 < krzee> try commenting client-connect
11:59 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has left ##openvpn []
11:59 < MarcWeber> What happens with files in /etc/openvpn? I tried putting the files up down there (scripts setting up and removing nat)
11:59 < HardDisk_WP> argh
11:59 < MarcWeber> I got syntax error near "done" (part of my for loop)
11:59 < HardDisk_WP> since the bridge is up, openvpn cant connect anymore -.-
11:59 < ecrist> krzee: I was looking at the wrong thing. you're right
11:59 < ecrist> another set of eyes
11:59 < HardDisk_WP> Wed Apr 08 18:59:14 2009 Local Options hash (VER=V4): 'd79ca330'
12:00 < HardDisk_WP> Wed Apr 08 18:59:14 2009 Expected Remote Options hash (VER=V4): 'f7df56b8'
12:00 < HardDisk_WP> Wed Apr 08 18:59:14 2009 UDPv4 link local: [undef]
12:00 < HardDisk_WP> Wed Apr 08 18:59:14 2009 UDPv4 link remote: 93.104.114.155:1194
12:00 < ecrist> was looking at client side, not server side.
12:00 < HardDisk_WP> and then it hangs
12:00 < krzee> ahh
12:00 < ecrist> removed those lines, starts up fine.
12:01 < krzee> werd
12:01 < ecrist> btw, freebsd openvpn bridging is SUPER easy
12:01 < MarcWeber> :-) It has been my init script..
12:01 < HardDisk_WP> brb
12:01 < krzee> good im forwarding all bridge questions to you!
12:01 < krzee> lol
12:01 < ecrist> note the 'freebsd' qualifier in there.
12:01 < krzee> :-p
12:01 < ecrist> I'm going to be doing a write-up on the wiki this afternoon
12:02 < krzee> ahh nice
12:04 < ecrist> can't ping my server ip, but I'll work on it after lunch. bbiab
12:07 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:14 -!- taner [n=taner@f048039067.adsl.alicedsl.de] has joined ##openvpn
12:14 < taner> hi
12:16 < taner> how do i disconnect a vpn tunnel ? (command)
12:17 < ftp3> anyone have any thoughts on my question?
12:17 < krzee> kill
12:17 < krzee> (@ taner)
12:18 < krzee> you stop the application, it kills the vpn
12:18 < krzee> yes ftp3, i gave you my thoughts
12:18 < ftp3> ohhh, that was directed at me?
12:18 < ftp3> !ssl-admin
12:18 < vpnHelper> ftp3: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
12:18 < ftp3> right?
12:18 < krzee> [12:57] so, if i need to create a new openvpn account key, etc for someone, i just want to run a script like "buildkey fred@home.com" and it will email fred his windows installer with his keys already in it
12:18 < krzee> [12:57] right, but im saying that could be why
12:18 < krzee> [12:57] comment the client-connect
12:18 < krzee> [12:58] see if it helps a 1time test
12:18 < krzee> [12:58] ssl-admin will zip up their keys and openvpn config
12:18 < krzee> [12:58] !ssl-admin
12:18 < taner> krzee: thank you
12:18 < krzee> right
12:18 < krzee> np taner
12:19 < ftp3> krzee, ok, i will check that out. Thanks
12:19 < krzee> np
12:19 < krzee> oh wait
12:19 < krzee> [13:18] [12:58] ssl-admin will zip up their keys and openvpn config
12:19 < krzee> [13:18] [12:58] !ssl-admin
12:19 < krzee> only that was at you
12:20 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:20 < ftp3> checking it
12:20 < krzee> what os will you use to make certs?
12:23 < ftp3> centos or debian
12:23 < krzee> cool
12:23 < krzee> use it from svn then
12:23 < krzee> ecrist and HardDisk_WP found/fixed debian bugs last night
12:25 < taner> how do i connect with different certs, so it runs in background ? "openvpn /../user.conf &" but then i will not be asked for the password
12:25 < taner> linux
12:25 < krzee> you only get asked for a password under 2 conditions
12:26 < krzee> 1) you made it that way in the config by using pw auth
12:26 < krzee> 2) you made it that way when making the certs by password protecting them
12:26 < krzee> 3) you arent starting it as root and must elevate your privileges
12:26 < krzee> so make that 3
12:26 < ftp3> krzee: are there any docs for ssl-admin?
I cant find anything
12:26 < krzee> runs in background is --daemon or add the word daemon to the config
12:26 < krzee> !ssl-admin
12:26 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:27 < krzee> link 1 is the most on web, man ssl-admin works too tho
12:28 < ftp3> krzee: i see, so that makes keys. .but that does not send a openvpn installer like I was talking about. correct?
12:28 < krzee> correct
12:28 < krzee> as i said
12:28 < krzee> ssl-admin will zip up their keys and openvpn config
12:29 < krzee> it will make them, sign them, and bundle it with their openvpn config
12:29 < krzee> thats the most i can help ya with
12:29 < krzee> but should be stupid simple to setup from there, could even make a batch file very simply to handle it from there
12:30 < taner> condition 2
12:30 < krzee> well taner
12:30 < ftp3> krzee :-) thanks
12:31 < krzee> either live with typing in the password, or dont make them that way
12:31 < krzee> of course you can strip the pw as well, it would be an openssl command
12:31 < taner> krzee: i have the certs with password
12:31 < krzee> ftp3, np
12:32 < krzee> was there some reason you thought you wouldnt need to interactively type in the password when you made your certs require passwords?
12:34 < krzee> if you want to strip the password, try reading and understanding this page:
12:34 < krzee> http://www.informit.com/articles/article.aspx?p=30115&seqNum=4
12:34 < vpnHelper> Title: InformIT: Setting Up a Secure Apache 2 Server > Managing Certificates (at www.informit.com)
12:34 < krzee> same basic idea as far as removing the passphrase goes
12:34 < taner> thank you
12:34 < krzee> (or you could regen)
12:34 < krzee> np
12:36 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
12:37 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn
12:40 < HardDisk_WP> anyone of you really fit in debugging network problems?
12:40 < HardDisk_WP> NSLU w/ TCP openVPN is 172.16.1.9 @ port 1194
12:41 < HardDisk_WP> laptop in same LAN as NSLU can successfully telnet 172.16.1.9:1194
12:41 < krzee> !tcp
12:41 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:41 < HardDisk_WP> krzee, it's same prob with udp, only that I can test tcp connectivity with telnet
12:41 < HardDisk_WP> now, portforwarding for 1194 is correctly set to 172.16.1.9 on router 172.16.1.1
12:41 < krzee> and udp connectivity with nc
12:42 < HardDisk_WP> krzee, laptop is windows
12:42 < krzee> eww
12:42 < HardDisk_WP> but when I now connect laptop to outer router and then try to telnet 192.168.0.9:1149 it doesnt work
12:42 < krzee> go on
12:42 < HardDisk_WP> it can't connect from outside.
12:42 < krzee> firewall
12:43 < HardDisk_WP> it worked before, I changed nothing except some iptables stuff on 172.16.1.9
12:43 < krzee> ding ding ding
12:43 < HardDisk_WP> my router wasnt changed at all
12:43 < krzee> show HardDisk_WP what hes won!
12:43 < krzee> a neeeeeeew firewall ruleset!
12:43 < HardDisk_WP> krzee, to make stuff even better: iptables doesnt show any "forbidden"...
http://pastebin.com/m56a26646
12:44 < krzee> im no linux guy
12:44 < HardDisk_WP> and especially, the NSLU only has one ethernet port. so why the hell can I connect from *inside* my router, but not via portforward??
12:44 < krzee> but its either a firewall or NAT
12:44 < HardDisk_WP> mine is a NAT router, but has portforward for TCP and UDP 1149 set
12:45 < krzee> you say NAT is fine... so we know its firewall
12:45 < HardDisk_WP> but how could iptables on the NSLU affect this in any way? o_O
12:45 < HardDisk_WP> mh... lemme try something#
12:46 < krzee> dunno bro, you're the linux guy here
12:47 < krzee> !linfw
12:47 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
12:48 < krzee> or somethin
12:48 < krzee> (ive never used iptables in my life)
12:48 < krzee> ive used ipfw, ipf, pf
12:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:54 < ]Sintax[> pf ftw
13:01 < HardDisk_WP> ah, ic.
13:01 < HardDisk_WP> apparently something went wrong with bridging
13:03 < HardDisk_WP> i fucking hate bridging networks.
13:05 < ]Sintax[> hey krzee
13:13 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has joined ##openvpn
13:18 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has quit [Client Quit]
13:18 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has joined ##openvpn
13:20 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 104 (Connection reset by peer)]
13:20 -!- tharvey [n=tharvey@adsl-76-205-222-173.dsl.snlo01.sbcglobal.net] has joined ##openvpn
13:21 -!- taner [n=taner@f048039067.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
13:21 < tharvey> is it true to say that openvpn is fips-197?
13:22 < tharvey> if I understand correctly fips-197 is the publication that specifies AES and simply requires AES-128, AES-192, and AES-256 - which OpenVPN support 13:26 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn 13:30 < krzee> the real question isnt about openvpn 13:30 < krzee> its about openssl 13:31 < krzee> openvpn doesnt handle its own encryption 13:31 < krzee> openssl handles it 13:33 -!- ystla [n=chatzill@97.66.75.162] has joined ##openvpn 13:34 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 13:40 < MarcWeber> I've a strange problem using openvpn: when scp file user@internet_server: scp stops at 100%. 13:44 < ystla> !howto 13:44 < vpnHelper> ystla: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:13 < ecrist> holy spooky http://www.collegehumor.com/video:1906578 14:13 < vpnHelper> Title: Disney Templates - CollegeHumor Video (at www.collegehumor.com) 14:16 < ]Sintax[> wow ecrist thats crazy hah 14:24 < HardDisk_WP> anyone here who is experienced in linux network interface bridging? 14:24 < ecrist> HardDisk_WP: there are how-to's on the openvpn site for those things. 14:25 < HardDisk_WP> ecrist, I followed the howto, that is the problem :D 14:25 < HardDisk_WP> as soon as I use this bridge-start script, the services on the machine become unusable by anything outside the NSLU's network 14:28 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 14:31 < SpaceBass> hey folks 14:31 < SpaceBass> after a few days, I've managed to get a site to site tunnel working, but seem to be having problems with the routing 14:32 < SpaceBass> I cannot ping either side of the tunnel network 14:35 < ecrist> the vpn client cannot ping the vpn server address? 
14:38 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."] 14:42 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 14:43 -!- eliasp [n=quassel@78.43.213.203] has quit [Client Quit] 14:44 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 14:49 < SpaceBass> ecrist: its a ptp setup, neither side can ping the other 14:49 < ecrist> firewall 14:50 < SpaceBass> could be - thats part of what Im trying to determine 14:50 < SpaceBass> both of the endpoints are also the firewalls for the respective networks 14:50 < SpaceBass> seems to be a routing issue actually 14:53 < SpaceBass> here's what I dont get, when I try and ping the local side of the tunnel It errors out pinging an address up stream http://pastebin.ca/1386382 14:57 < ecrist> ROFLMFAO 14:57 < ecrist> SpaceBass: right in your log, it says 'Communication prohibited by filter' 14:57 < ecrist> what do you think that means? 14:58 < ecrist> I'll give you a hint, firewalls are considered packet filters, there's one, pf, which stands for packet filter. 14:58 < ecrist> so, reading that, my guess that you've a firewall issue still stands. :) 14:58 * ecrist goes away 14:59 -!- tharvey [n=tharvey@adsl-76-205-222-173.dsl.snlo01.sbcglobal.net] has left ##openvpn ["Leaving"] 14:59 < SpaceBass> ecrist: I got that, thanks... but still not sure its the issue 14:59 < ecrist> ok, disable all packet filtering, and try your ping 14:59 < SpaceBass> if that is the case, then rules engine of the firewall is broken 15:00 < ecrist> more often, it's the admin that's broken. 15:00 < SpaceBass> its setup as an any/any now - no filtering 15:00 < ecrist> must not be. those packets are being blocked by the firewall 15:00 < ecrist> the system is even telling you so 15:00 < ecrist> really have to leave now. 
l8r 15:02 < SpaceBass> not sure why I'm getting filter and TTL issues on a bogon address that is not part of my network 15:03 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 145 (Connection timed out)] 15:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 15:11 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 15:19 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Lost terminal"] 15:35 -!- hans67521 [n=jcputter@41.24.190.116] has joined ##openvpn 15:36 < hans67521> can someone please have a look at my openvpn config i have added a push route to the client but cant ping the lan 15:36 < hans67521> http://pastebin.com/m4362717f 15:38 < hans67521> here is my client config 15:38 < hans67521> http://pastebin.com/m475211f5 15:40 < hans67521> cant ping internal ip of server as well 15:42 -!- hans67521 [n=jcputter@41.24.190.116] has quit [Read error: 104 (Connection reset by peer)] 15:43 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has joined ##openvpn 15:43 < hans67521> hello 15:44 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 113 (No route to host)] 15:57 -!- felixthecat12 [n=jcputter@mail.centreweb.co.za] has joined ##openvpn 15:57 < felixthecat12> hello 15:57 < felixthecat12> what is the recommended mtu to use for openvpn server and client on tun device? 15:58 < krzie> !mtutest 15:58 < vpnHelper> krzie: Error: "mtutest" is not a valid command. 15:58 < krzie> !mtu-test 15:58 < vpnHelper> krzie: Error: "mtu-test" is not a valid command. 
15:58 < krzie> bleh 15:58 < krzie> !mtu 15:58 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 15:58 < krzie> !learn mtu-test as you can just use --mtu-test on the client to see what the best mtu for your connection is 15:58 < vpnHelper> krzie: Joo got it. 16:10 -!- lough [i=nn@ip68-97-0-203.ok.ok.cox.net] has quit [Read error: 110 (Connection timed out)] 16:10 -!- lough [n=nn@ip-129-15-127-224.fennfwsm.ou.edu] has joined ##openvpn 16:12 -!- felixthecat12 [n=jcputter@mail.centreweb.co.za] has quit [Read error: 60 (Operation timed out)] 16:15 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has quit [Read error: 113 (No route to host)] 16:21 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 113 (No route to host)] 16:22 -!- ystla [n=chatzill@97.66.75.162] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 16:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:44 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 16:48 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has left ##openvpn [] 16:49 < HardDisk_WP> krzie, fixed the connectivity problem :) 16:49 < HardDisk_WP> problem was 16:49 < HardDisk_WP> the bridge-start script DID NOT SET A FUCKING GATEWAY! 16:49 < HardDisk_WP> so the tcp connection init packets arrived at the NSLU 16:49 < HardDisk_WP> but could not be sent back! 16:51 < HardDisk_WP> so no connection coulda ever be established. 16:51 < HardDisk_WP> brb 16:56 < krzie> ohhh right 16:56 < krzie> i forgot about that 16:56 < krzie> i havnt bridged in a couple years 16:59 < HardDisk_WP> re 17:00 < HardDisk_WP> krzie, do you have write access to the OpenVPN docs? 
17:00 < krzie> neg 17:00 < krzie> nobody here does 17:00 * krzie points to the double # 17:00 < HardDisk_WP> Crap =) 17:00 < krzie> but, the dev maillist is the place for that 17:00 < krzie> !dev 17:00 < vpnHelper> krzie: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list 17:04 -!- lough [n=nn@ip-129-15-127-224.fennfwsm.ou.edu] has quit [] 17:10 -!- mtoledo` [n=user@189.102.205.95] has joined ##openvpn 17:41 < HardDisk_WP> krzie, one problem still remains, though: push "redirect-gateway def1 bypass-dhcp" doesnt work - a traceroute shows the packets still go through the primary ethernet port of the laptop, but not through the VPN 17:49 < krzie> you're not using a routed setup 17:49 < krzie> its on the same network, just change the routes manuallt 17:49 < krzie> maually 17:50 < krzie> read how that works and you'll likely see why its not for bridged (i believe its not) 18:11 < HardDisk_WP> ah okay 18:47 -!- gebi_ [n=gebi@84-119-54-65.dynamic.xdsl-line.inode.at] has joined ##openvpn 19:00 -!- gebi [n=gebi@84.119.81.184] has quit [Read error: 110 (Connection timed out)] 19:32 < ]Sintax[> krzie and krzee = same person? 19:33 < krzie> aye 19:33 < krzie> i his him and he is me 19:33 < krzie> err 19:34 < krzie> i is him and he is me 19:34 < ]Sintax[> i'm almost done with setting these two boxes up so far 19:34 < ]Sintax[> finally 19:35 < ]Sintax[> on the wiki for openvpn_server, it mentions in the openvpn config file, "push route x.x.x.x x.x.x.x", is this needed or not? because in the other file it links to "openvpn.configs" its missing that 19:36 -!- gebi_ is now known as gebi 19:41 < krzie> my sample configs were not for default routing through the tunnel 19:41 < ]Sintax[> ah 19:42 < ]Sintax[> do i basically want to have the same files on both machines? all the keys i generated on one machine and the configs? 
19:42 < ]Sintax[> thats about all i have left to do 19:42 < krzie> look at the howto 19:42 < krzie> it tells you what cert files go where 19:43 < krzie> !howto 19:43 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 19:45 < ]Sintax[> hmmm quite a bit different than the other tutorial i was reading 20:01 < krzie> most tutorials i see seem to think everyone should be on a bridge too 20:01 < krzie> which is very very wrong 20:05 < ]Sintax[> what is ipp.txt for? 20:05 < ]Sintax[> i see it in your config file 20:07 < krzie> !ipp 20:07 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 20:07 < ]Sintax[> i think i've made a big mess now 20:07 < krzie> you know the manual tells you everything too, right? 20:08 < ]Sintax[> well the manual doesnt seem to work very well with OpenBSD nor does the other guide :-\ 20:09 < krzie> you could always try an OS that is compatible with actually running programs 20:10 < ]Sintax[> yeah might have to do that until i at least get the hang of setting up openvpn normally 20:23 -!- Randune [n=Miranda@CPE002129686737-CM001bd7a862f2.cpe.net.cable.rogers.com] has joined ##openvpn 20:23 < Randune> hi all 20:24 < Randune> !howto 20:24 < vpnHelper> Randune: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 20:24 < Randune> !route 20:24 < vpnHelper> Randune: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:30 < Randune> I have a question about openvpn that I can't seem to find in the howto 20:31 < Randune> I wish to use my remote OpenVPN server as a defaut gateway when I am connected to it remotely 20:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:31 < Randune> I've added the necessary iptables rules I think 20:31 < Randune> but I cannot connect. 20:31 < Randune> iptables -i tun0 -j ACCEPT 20:32 < Randune> iptables -A -i tun0 -j ACCEPT 20:32 < Randune> iptables -A INPUT -i tun0 -j ACCEPT 20:32 < Randune> that's it..the last one:) 20:32 < Randune> iptables -A OUTPUT -o tun0 -j ACCEPT 20:32 < Randune> I can connect to the VPN..but I cannot access the ssh server on the openvpn box 20:33 < Randune> anyone have any ideas? 20:34 < krzie> make sure ssh is running on the vpn ip as well 20:34 < krzie> ie: *:22 20:34 < krzie> then connect to it via vpn ip 20:35 < Randune> right..sshd is listening on all interfaces 20:35 < Randune> but I still cannot connect to it 20:36 < Randune> if I allow all the traffic through tun0 it should connect should it not? 20:37 < Randune> I have established a route on the remote windows box 20:37 < Randune> so it knows how to get to my LAN remotely 20:37 < Randune> maybe iptraf would show something..I'll try it 20:38 < krzie> i dont use iptables 20:38 < krzie> but i can tell you this... 
20:38 < krzie> !linfw 20:38 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 20:40 < Randune> k..I will try that..thanks. 20:40 -!- Randune [n=Miranda@CPE002129686737-CM001bd7a862f2.cpe.net.cable.rogers.com] has left ##openvpn [] 22:12 -!- cmb [n=cmb@pfsense/coreteam/cmb] has quit [] 22:22 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection] 22:28 < theDoc> Is it possible to be sniffing a users traffic on the vpn server itself or does it stay encrypted? 22:32 < krzie> !irclogs 22:32 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 22:35 < krzie> !factoids search nat 22:35 < vpnHelper> krzie: 'bsdnat', 'nat', and 'linnat' 22:36 < krzie> !factoids search bsd 22:36 < vpnHelper> krzie: 'bsdnat', 'freebsd', 'fbsdbridge', 'fbsdjail', and 'obsdtap' 22:37 < krzie> !learn bsdipforward as set gateway_enable="YES" 22:37 < vpnHelper> krzie: Joo got it. 22:37 < krzie> !forget bsdipforward 22:37 < vpnHelper> krzie: Joo got it. 22:37 -!- TheDox [n=jcase@voip.sysadmins.com] has joined ##openvpn 22:37 < krzie> !learn bsdipforward as set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 22:37 < vpnHelper> krzie: Joo got it. 22:37 < TheDox> ok krze 22:37 < TheDox> ok here 22:37 < krzie> sup dox 22:37 < krzie> here you go... 
22:37 < krzie> !sample 22:37 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 22:37 < krzie> thats a basic config 22:37 < krzie> to redirect over the vpn you want: 22:37 < krzie> !def1 22:37 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 22:38 < krzie> but then you need: 22:38 < krzie> !linnat 22:38 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 22:38 < krzie> !bsdnat 22:38 < vpnHelper> krzie: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html 22:38 < krzie> (depending on os) 22:38 < krzie> and also: 22:38 < krzie> !linipforward 22:38 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 22:38 < krzie> !bsdipforward 22:38 < vpnHelper> krzie: "bsdipforward" is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 22:38 < krzie> (depending on os) 22:39 < krzie> so basically, you use redirect-gateway def1 to redirect your gateway over the VPN 22:39 < TheDox> ah ok 22:39 < krzie> then the vpn server must have ip forwarding enabled, and NAT your VPN network 22:39 < krzie> and thats that 22:39 < krzie> for managing your certs, i highly recommend this: 22:40 < krzie> !ssl-admin 22:40 < vpnHelper> krzie: "ssl-admin" is (#1) 
http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 22:40 < krzie> its far better than easy-rsa which is the scripts ovpn comes with 22:40 < TheDox> ever use it with ubuntu? we run freeBSD no, but im planning on grabbing another box just for the vpn 22:40 < TheDox> and ubuntu i know better 22:40 < krzie> sure 22:41 < krzie> tons of people use ovpn with ubuntu 22:41 < krzie> me and the guy who made ssl-admin use freebsd 22:41 < krzie> but he (ecrist) is very active in here so if theres a problem we'ld prolly wanna figure it out to fix it 22:42 < TheDox> k 22:42 < krzie> speaking of which, openbsd has a gay version of sed so i need to re-mod the configure/makefile sometime soon when i get a chance =/ 22:43 < TheDox> yes openbsd appears to be gay 22:43 < TheDox> i hate nick registry services 22:43 < krzie> hah we used to only allow people in here when they're registered 22:43 < TheDox> o 22:44 < krzie> but we loosened that up a couple months ago 22:44 < TheDox> why 22:44 < krzie> *shrug* kept trolls out 22:44 < TheDox> o 22:44 < krzie> and overly lames 22:44 < krzie> if you cant figure out nickserv you shouldnt be running an openvpn ;] 22:47 -!- cmb [n=cmb@pfsense/coreteam/cmb] has joined ##openvpn 22:47 < krzie> but i must say 22:47 < krzie> openvpn is FAR less complicated than zabbix 22:48 < TheDox> i can figure it out ez 22:48 < TheDox> i jsut dont like nickserv 22:48 < krzie> oh for sure i know 22:48 < krzie> i wasnt talking bout you 22:48 < krzie> was a blanket statement 22:48 < krzie> oh and also 22:48 < krzie> if you decide you want access to your lan over the vpn 22:48 < krzie> !route 22:48 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 22:49 < krzie> theres the writeup i made on that 22:54 < 
krzie> *detached* 22:54 < theDoc> Is it possible to be sniffing a users traffic on the vpn server itself or does it stay encrypted? 22:55 < TheDox> sniff the outgoing and incoming 22:56 < TheDox> has to decrypt before going out heh 23:10 < krzee> umm 23:10 < krzee> what do you mean 23:10 < krzee> like if the server was owned could they sniff? 23:10 < krzee> or could someone MITM you 23:25 < krzee> theDoc 23:26 -!- Sinky_ [n=stancho@78.90.99.168] has joined ##openvpn 23:26 < krzee> pls refine the question for me to answer it right 23:36 -!- Sinky [n=stancho@78.90.99.168] has quit [Read error: 104 (Connection reset by peer)] --- Day changed Thu Apr 09 2009 00:00 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 01:18 < krzee> hahahah 01:18 < krzee> heres an email from the freeswitch maillist 01:18 < krzee> Hi Guys, 01:18 < krzee> 01:18 < krzee> I'm no Linux guru, but today I inadvertently had 1000+ call attempts going through FS, load according to TOP was 16.5. Calls were still absolutely perfect. Can I throw out the rule book on load ? CPU was ~45% on each core. (dual) 01:18 < krzee> 01:18 < krzee> Regards, 01:18 < krzee> 01:18 < krzee> i'd like to see asterisk do THAT 01:18 < krzee> you will NEVER see that message in an asterisk place 02:19 < dazo> theDoc: if you sniff the traffic on the tun/tap device, and the traffic going inside the tunnel is unencrypted, then yes, you would see the traffic in clear text ... 
and that's often why you want the VPN tunnel to do the encryption initially 02:20 < krzee> yup 02:21 < krzee> and if someone is bridged into your network, they can sniff over your switch with arp poisoning just like if they were plugged in 02:21 < krzee> and if they are on the same lan as you, they cant sniff your connection 02:21 < krzee> as long as you followed: 02:21 < krzee> !mitm 02:21 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 02:22 < krzee> same with if they are anywhere else in the middle 02:22 < krzee> wassup dazo 02:23 < dazo> krzee: back at work .... :-P 02:23 < dazo> krzee: u? 02:23 < krzee> smokin some hash playing with zabbix 02:23 < krzee> someone here recommended it when i was bout to checkout narios, glad they did 02:23 < krzee> err 02:24 < krzee> nagios 02:24 < krzee> turns out nagios couldnt just test with a ping, which is what i needed... zabbix does 02:24 < krzee> bout to whip up shell scripts to fire off when conditions are met 02:25 < dazo> aha ... I know nagios gets a lot of attention, but I haven't tested it myself .... I probably should setup something like this on one of my sites 02:25 < dazo> nice 02:25 < dazo> zabbix is OSS? 02:25 < krzee> ya GPL 02:26 * dazo decided to look at that one as well now 02:30 < kraut> moin 02:30 < krzee> moin 02:32 * dazo should probably not do any sysadmin work yet when he begins to look for package files under /var/log .... 02:33 < krzee> haha 02:36 -!- Sinky [n=stancho@78.90.99.168] has joined ##openvpn 02:40 < dazo> just skimmed the Zabbix doc .... _that_ looks interesting .... 02:42 < theDoc> I'm testing out zabbix ;p 02:42 < krzee> hehe werd 02:42 < krzee> thedoc, was that you who mentioned it? 
02:43 < theDoc> No ;) 02:43 < krzee> haha werd 02:53 < dan__t> %#@%@!#%#^!@#$ 02:53 < dan__t> dazo, did you look under ~/ ? 02:54 < dazo> heh ... I knew I needed to look under /usr/portage .... and I type /var/log ..... so, it's just too early in the morning for me :-P 02:54 < reiffert> coffee++ 02:54 * dazo don't like coffee ..... 02:55 -!- Sinky_ [n=stancho@78.90.99.168] has quit [Connection timed out] 02:55 < theDoc> I spy a gentoo user. 02:55 < reiffert> amphetamine++ 02:55 < dazo> theDoc: that's correct ;-) 02:55 < theDoc> dazo: Very good distro for learning, horrible for production. 02:55 < theDoc> Since most of us in production don't have ridiculous amounts of time for compiling ;) 02:56 < dazo> reiffert: I live now in a country where even white caffeine is considered to be a bad drug .... not sure I can manage the amphetamine then :-P 02:57 < dazo> theDoc: I've been using Gentoo in production environments since 2005 ... yeah, upgrades takes longer time ... but I really have 100% control over everything ... and I don't get a bunch of "default installed packages" which I would never use in production ... I know exactly what's installed and why 02:58 < theDoc> dazo: Yes, I can see that coming from a sysadmin, I'm a net engineer by nature ;p 02:58 < theDoc> I don't have that load of time to be figuring out cryptic look stuff from the lines of code ;) 02:59 < krzee> thedoc, compiling doesnt take long 02:59 < krzee> in the big picture 02:59 < reiffert> dazo: where is that country and what its name? 02:59 < krzee> setup a server right and you dont need to compile stuff much once its how it should be 02:59 < dazo> reiffert: so you didn't figure it out with your CTCP TIME requests? :-P .... 
I'm in Czech 03:00 < krzee> gentoo is the linux with the most bsd feel 03:00 < krzee> at least thats what i thought when i used it 03:00 < reiffert> dazo: I couldnt, not even after identifying mysqlf to the nickservices :) 03:01 < dazo> krzee: I think even the crux distro might be even closer .... as it even has /usr/ports and the ports command ;-) 03:01 < dazo> mysqlf .... oh dear ..... reiffert is a geek :-P 03:02 < krzee> nvr seen crux 03:02 < reiffert> hehe mysqlf 03:02 < reiffert> rotfl 03:03 < reiffert> time for getting some coffee 03:03 < dazo> krzee: I'm not sure I would recommend it for production .... when I tried it some years ago, it was nice and easy to install, but maintenance is a hassle and not too well up-to-date on packages 03:04 < krzee> doesnt sound much like fbsd 03:06 < dazo> krzee: crux is just another distro to the already overfilled distro pool .... while *bsd is not that many and therefore you have more users who put a bigger demand to it being updated 03:06 < krzee> yup 03:07 < krzee> and its easy to admin/has great features/ and easy maintenance 03:07 < dazo> mm 03:08 < dazo> Unfortunately, Gentoo is also losing the pace it once had .... so I'm wondering what to do on the next server needing an install .... 03:08 < dazo> *BSD has crossed my mind 03:10 < krzee> if gentoo is your fav linux you may find yourself really liking fbsd 03:10 < krzee> s/iptables/pf/ 03:10 < krzee> +CARP 03:10 < dazo> Yeah ... But I can write iptables rules asleep without doing any mistakes .... 03:10 < dazo> CARP? 
03:11 < krzee> =] 03:11 < krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/carp.html 03:11 < vpnHelper> Title: Common Access Redundancy Protocol (CARP) (at www.freebsd.org) 03:13 < krzee> oh and MAC 03:13 < krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html#MAC-SYNOPSIS 03:13 < vpnHelper> Title: Mandatory Access Control (at www.freebsd.org) 03:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:14 < dazo> krzee: MAC sounds like SELinux, though 03:14 < dazo> CARP looks neat 03:14 < krzee> portaudit stays pretty up to date and stops you from installing ports with known security vulns 03:14 < krzee> and adds a portion to your nightly emails telling you any installed ports with known issues 03:15 < krzee> jails 03:15 < dazo> hmmmm .... I need to give it a shot on a test box at least ... 03:15 < krzee> (put your webserver on its own read-only filesystem with its own separate memory if you like) 03:18 < krzee> ZFS rocks my home NFS, and will be BADASS when its done being experimental 03:20 < dazo> ZFS sounds promising .... but I don't like CDDL license it uses :( 03:20 < krzee> ya 03:20 * dazo is picky about licences ... but not as badly as Mr. Stallman :-P 03:20 < krzee> i thought it was gunna be re-made to be BSD 03:20 < dan__t> hi. 03:20 < dan__t> a/s/l 03:20 < krzee> h/a/s/h 03:21 < dazo> j/e/r/k 03:21 < dan__t> HEH! 03:24 < krzee> dan__t, ever fully finish your setup? 03:26 < dan__t> i was spending some good time on it 03:27 < dan__t> a friend of mine called me up, said she got pulled over, the cop found out she had a glass of wine earlier. she blew a .08 03:27 < dan__t> So I had to go get a friend and pick her and her car up blah blah blah. I just got back. 03:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)] 03:30 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 03:32 < krzee> umm 03:32 < krzee> the cop 'found out'? 
03:32 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn 03:32 < krzee> and 03:32 < krzee> .08 > a glass of wine 03:33 < krzee> ESPECIALLY earlier 03:33 < krzee> but werd 03:34 < reiffert> it's a she. 03:37 < krzee> even if its a 90lb she 03:39 < reiffert> "I said to him: just one glass of wine" 03:39 < reiffert> And I forgot to mention the other 3 glasses 03:39 < dan__t> she's about 90lbs. 03:40 < dan__t> Bet the cop was just trying to get her number. 03:40 < dan__t> Shit, I would have. 03:46 < krzee> exactly reiffert 03:46 < krzee> i figured if i told him i drank 1 he would trust me and not do his job versus me keeping my mouth shut and hoping he went away 03:46 < krzee> is what that sentence meant to me 03:47 < krzee> hehe 03:49 -!- theDoc [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)] 03:57 < Bushmills> wine? 03:57 * Bushmills raises an ear 03:59 < theDoc-> ergh. 03:59 < theDoc-> Anyone up for helping me take a look at fedora's setup of cacti? 04:00 < theDoc-> I have it running on gentoo but for some reason, I see to be missing something in fedora 04:00 < theDoc-> ;( 04:00 < dan__t> Been a while since I've used Cacti.... 04:00 < dan__t> What part is broken? 04:00 < theDoc-> dan__t: I can't seem to get to my index.php to start configuring cacti on the web browser. 
04:00 < theDoc-> Keeps throwing up the no permission ;( 04:01 < theDoc-> [thedoc@antares include]$ ls -lah | grep config.php 04:01 < theDoc-> lrwxrwxrwx 1 root root 17 2009-04-08 23:54 config.php -> /etc/cacti/db.php 04:01 < dan__t> Like a 403 or what 04:01 < krzee> ls -l /etc/cacti/db.php 04:01 < theDoc-> [thedoc@antares include]$ ls -lah /etc/cacti/db.php 04:01 < theDoc-> -rw-r--r-- 1 cacti apache 1.9K 2009-04-09 00:50 /etc/cacti/db.php 04:01 < dan__t> cat /etc/httpd/conf.d/cacti.conf 04:01 < dan__t> Allow From, Deny From etc etc 04:01 < krzee> ls -l /etc/|grep cacti 04:02 < theDoc-> Oh wtf, I don't have a /etc/httpd/conf.d/cacti.conf 04:02 < theDoc-> ;o 04:02 < theDoc-> [thedoc@antares include]$ ls -l /etc/cacti 04:02 < theDoc-> total 4 04:02 < theDoc-> -rw-r--r-- 1 cacti apache 1929 2009-04-09 00:50 db.php 04:02 < krzee> umm 04:03 < krzee> not what i asked for, seen that already 04:03 < krzee> ls -l /etc/|grep cacti 04:03 < theDoc-> [thedoc@antares conf.d]$ ls -l /etc/|grep cacti 04:03 < theDoc-> drwxr-xr-x 2 root root 4096 2009-04-08 23:54 cacti 04:03 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has joined ##openvpn 04:03 < theDoc-> Oh heh, I found out where. 04:03 < krzee> ok i was thinking maybe you had taken x from the dir 04:04 < theDoc-> DENY from all 04:04 < theDoc-> >_> 04:04 < theDoc-> Sorry ;p 04:04 < Gruelius> Hi, can i ask about routes here? or strictly openvpn questions 04:04 < krzee> is it openvpn related routes? 
04:04 < Gruelius> yes 04:04 < krzee> or like "how do i use ospf" 04:04 < Gruelius> the routes to access subnets behind the client and openvpn server 04:04 < krzee> !route 04:04 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:04 < krzee> i made a writeup for ya 04:04 < Gruelius> cheers 04:05 < krzee> =] 04:05 < Gruelius> i think ive got the right routes set but cant ping anything so i guess back to the books 04:05 < krzee> you'll know after that 04:05 * krzee bets he knows what part it'll click for you at 04:07 < Gruelius> yeah i think i need to add the routing to the pc's behind the openvpn server 04:07 < krzee> their default gateway (router) 04:08 < krzee> its explained right under the picture 04:08 < krzee> in detail 04:08 < krzee> including the explanation of exactly whats going on in your situation 04:08 < theDoc-> Hm, this is odd. 04:09 < theDoc-> my /cacti directory via http is blank! 04:09 < Gruelius> krzee: push "route 10.1.1.0 255.255.255.0" that gives all clients the route for the 10.1.1.0./24 subnet 04:10 < krzee> theDoc-, directoryindex in http.conf have index.php? 04:10 < Gruelius> the vpn clients get assigned ip's 10.0.0.x 04:10 < krzee> so? 04:10 < Gruelius> would the pc's in the 10.1.1.x subnet need a route for the 10.0.0.x ip's? 04:11 < theDoc-> krzee: Not sure, checking. 
04:11 < krzee> Gruelius, its explained right under the picture 04:11 < krzee> easiest is to add the route back to their router 04:12 < Gruelius> kk 04:12 < krzee> if you CANT, you must add one to every machine behind the vpn-endpoint which should be able to communicate to/from vpn 04:12 < krzee> but they already default route to that router 04:12 < Gruelius> kk 04:12 < krzee> so just add it there 04:12 < krzee> as it explains in detail 04:12 < Gruelius> ahh add the route in the router 04:12 < Gruelius> gotcha 04:13 < krzee> READ IT DONT SKIM IT 04:13 < krzee> you'll understand 04:13 < Gruelius> yeah im reading 04:19 < theDoc-> krzee: No dice, I've checked httpd.conf 04:20 < krzee> turn on indexes 04:21 < theDoc-> krzee: I just tested, if I throw the entire cacti bunch of files into /var/www/html, I'm just getting a blank page. 04:21 < theDoc-> It's probably httpd.conf fucking up somewhere. 04:22 < theDoc-> Do I have to compile php support for that like gentoo? 04:22 < krzee> if php is compiled, you need to tell httpd about it 04:22 < theDoc-> ahh. 04:22 < krzee> ports should toss in the module for you 04:22 < krzee> but thats all 04:22 < krzee> its not the OS, its the software 04:23 < krzee> apache and php 04:23 < theDoc-> Sorry, new to this fedora core 04:23 < krzee> ive never used it 04:23 < krzee> had to do a thing or 2 to help a close friend once, so glad i dont use it 04:24 < theDoc-> ahh. No probs 04:24 < theDoc-> I'll tinker with this a little more 04:53 -!- theDoc- is now known as theDoc 04:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:02 < Gruelius> krzee: ive added the routes but i still cant get it to work, im also a bit confused about the virtual device 05:02 < krzee> why confused? 
05:03 < Gruelius> its got an inet addr and a P-t-P addr, which one do i use for the routing (on the server itself) 05:03 < krzee> show me 05:03 < Gruelius> http://www.pastebin.ca/1386961 <- routing table on the openvpn server 05:04 < krzee> ifconfig 05:04 < Gruelius> ifconfig http://www.pastebin.ca/1386962 05:04 < krzee> ok and which do you put where? 05:04 < Gruelius> one vpn client has been given the address 10.2.1.6 05:04 < krzee> right 05:04 < Gruelius> so with those routes (created by openvpn) 05:04 < krzee> !/30 05:04 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 05:05 < krzee> the client with .6 is routing to .5 which is actually internal to openvpn 05:05 < krzee> it was their workaround 05:05 < krzee> you can read why in !topology 05:05 < krzee> ok and which IP do you put where? 05:06 < Gruelius> i tried making routes without success, but shouldnt i be able to ping that addr from the server itself? 05:06 < Gruelius> the client 05:07 < krzee> what routes 05:07 < krzee> where 05:07 < krzee> if you arent specific i cant help you 05:07 < Gruelius> http://www.pastebin.ca/1386961 05:07 < Gruelius> thats the routing table on the server 05:07 < krzee> i saw that 05:07 < Gruelius> the client connected to the server getting an IP of 10.2.1.6 05:07 < krzee> wasnt my question 05:07 < krzee> so!? 05:07 < Gruelius> but i cant ping it from the server itself 05:08 < Gruelius> but i thought those routes were the right ones 05:08 < krzee> what routes did you try to mess with?
05:08 < krzee> with NO routes added pinging that will work 05:08 < krzee> openvpn knows what basic routes to add 05:08 < krzee> you only need to add routes for extra stuffs 05:08 < Gruelius> well i tried adding 10.2.1.0 10.2.1.1 255.255.255.0 and that didnt work 05:08 < krzee> !configs 05:08 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:08 < krzee> why would you do that? 05:09 < krzee> openvpn knows what its doing 05:09 < krzee> you're just gunna break it 05:09 < Gruelius> yeah 05:09 < Gruelius> cause pinging it doesnt work 05:09 < Gruelius> with no routes added 05:09 < Gruelius> like with that table i posted before i cant ping it 05:10 < krzee> [05:10] the vpn clients get assigned ip's 10.0.0.x 05:10 < krzee> now 10.2.1.x ...? 05:10 < Gruelius> i changed it 05:10 < krzee> !configs 05:10 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:10 < Gruelius> to see if the routing table would change 05:10 < Gruelius> 1 sec 05:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:12 < Gruelius> http://pastebin.com/m6d157d6c 05:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Success] 05:27 < reiffert> krzee: any idea how I tell OS X: whatever I type in a terminal.app window, treat it as iso-8859-15 and *NOT* as utf-8? 05:28 < krzee> only term?
05:29 < reiffert> hm, global setting might do as well 05:34 < krzee> system prefs 05:34 < krzee> international 05:34 < krzee> something in lang or input menu maybe 05:35 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has quit [Read error: 104 (Connection reset by peer)] 05:35 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has joined ##openvpn 05:46 < reiffert> German is Unicode only there 05:46 < reiffert> When I switch to american roman style I dont have the Umlauts 05:46 < reiffert> which I need 05:46 < reiffert> Which is what I need 05:46 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has left ##openvpn ["Leaving"] 05:48 < reiffert> hm, lets try with .inputrc magic 05:48 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 05:48 < reiffert> convert meta stuff 05:48 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn 05:50 < krzee> you just need 1 char? 05:50 < krzee> and wont be using it often? 05:51 < krzee> if so, make a lil script to printf it, and make it named u or something, then you can `u`se it like that 05:51 < krzee> lol 05:51 < krzee> ugly but functional 05:52 < reiffert> I need all german umlauts in iso-8859-15 05:52 < reiffert> For quite some time now. Have to write some texts 05:53 < reiffert> difference between unicode and 8859-15 is: two bytes vs. one byte 05:53 < krzee> werd 05:53 < krzee> i have no idea what an umlaut is 05:53 < krzee> haha 05:53 < reiffert> uaoUOA with two dots above them 05:53 < krzee> ahh 05:53 < krzee> ? 05:53 < krzee> like that? 05:53 < krzee> alt+u u 05:54 < reiffert> I cant see them here, irssi on screen sucks ass with special chars 05:54 < reiffert> "u 05:54 < krzee> yup 05:54 < krzee> ? 
05:54 < krzee> alt+u a 05:54 < reiffert> but in principle alt+u u gives me a two byte unicode 05:54 < krzee> etc etc =] 05:54 < reiffert> 0x303 0x274 05:54 < krzee> i dunno anything bout that 05:54 < reiffert> sorry, \303\274 05:54 < reiffert> octal 05:54 < krzee> i just know i made that char 05:54 < krzee> hehe 05:55 < krzee> ? 05:55 < krzee> ? 05:55 < krzee> it works for all of them for my display 05:55 < reiffert> 196 on http://en.wikipedia.org/wiki/ISO/IEC_8859-15 05:55 < vpnHelper> Title: ISO/IEC 8859-15 - Wikipedia, the free encyclopedia (at en.wikipedia.org) 05:55 < reiffert> 214 05:55 < reiffert> 220 05:55 < reiffert> and so on. One Byte chars. 05:56 < reiffert> -15 also knows as latin9 05:56 < krzee> ? 05:56 < krzee> thats the image from 196 for me 05:56 < krzee> thats all i know, how to make the char you said 05:57 < krzee> if its the wrong bytes internally, i dunno 05:57 < krzee> but you said a char, i made it on my display =] 05:57 < krzee> 214 - ? 05:57 < reiffert> how can I see all available localezucker:~ ute$ locale -a |grep -i de 05:57 < reiffert> zucker:~ ute$ locale -a |grep -i de 05:58 < reiffert> de_DE 05:58 < reiffert> de_DE.ISO8859-1 05:58 < reiffert> de_DE.ISO8859-15 05:58 < reiffert> de_DE.UTF-8 05:58 < krzee> 220 - ? 05:58 < reiffert> zucker:~ ute$ export LC_CTYPE de_DE.ISO8859-15 05:58 < reiffert> -bash: export: `de_DE.ISO8859-15': not a valid identifier 05:58 < reiffert> wtf? 05:58 < krzee> ild man locale 06:15 < reiffert> 13:13 <@rorx> reiffert: the inspector.. 
Command-i 06:15 < reiffert> display 06:15 < reiffert> character set encoding 06:16 < reiffert> sigh sigh sigh 06:16 < reiffert> #macosx 06:17 < krzee> cool 06:17 < krzee> i can rename the title from there tooo 06:19 < reiffert> jup 07:09 -!- mtoledo` [n=user@189.102.205.95] has quit [Read error: 110 (Connection timed out)] 07:11 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: vlt, ]Sintax[, kraut, Typone 07:12 -!- Netsplit over, joins: vlt, ]Sintax[, kraut, Typone 07:29 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has left ##openvpn ["Leaving"] 07:29 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has joined ##openvpn 07:47 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 08:07 < SpaceBass> morning folks 08:07 < ecrist> howdy 08:07 < SpaceBass> I have established a tunnel b/t two gateways. On each gateway I can ping the remote site of the tunnel, but not the local 08:07 < ecrist> fix your firewall? 08:07 < SpaceBass> ecrist: I'm making progress :D 08:08 < SpaceBass> ecrist: thats my goal, just not sure how to troubleshoot 08:08 < ecrist> !iptables 08:08 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 08:09 < SpaceBass> ecrist: this box is using PF ... and configuring it manually is a challenge (not impossible though) 08:09 < ecrist> ah, pf is great. 08:09 < SpaceBass> I'm running the PFsense router/firewall/nat distro ... its nice indeed 08:10 < ecrist> so, you can ping the VPN ip of the server, but you can't ping your own VPN ip?
08:10 < SpaceBass> and I'd like to think I have a basic understanding, but far from an expert 08:10 < SpaceBass> yeah so if the tunnel is 192.168.123.1 --> 192.168.123.2 I can ping 192.168.123.2 08:11 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn 08:11 < ecrist> the other is virtual, SpaceBass 08:11 < ecrist> it doesn't *really* exist 08:11 < ecrist> so, in short, quit trying to ping it 08:11 < SpaceBass> ah! well that helps :D 08:12 < SpaceBass> Still, Network A can ping resources on Network B but not vice versa 08:12 < SpaceBass> checking the routes now 08:13 < ecrist> well, that still sounds like firewall 08:13 < ecrist> is pf doing nat for you? 08:13 < SpaceBass> which appears to be the problem... Gateway B has networkA/24 using its own upstream gateway, not the VPN 08:13 < SpaceBass> ecrist: yes, doing nat with PF 08:15 < SpaceBass> ok - manually added the route: route add 10.1.1.0/24 192.168.123.1 08:15 < ecrist> the problem with running something like pfsense, is you don't *really* know everything that's going on under the hood. 08:15 < SpaceBass> that fixed it ! 08:15 < ecrist> normally, I'd tell you to disable the firewall and test 08:15 < SpaceBass> ecrist: you nailed it... PF is hard for a novice like me to troubleshoot b/c you can't really dig in 08:15 < ecrist> you're not pushing that route? 08:15 < SpaceBass> ecrist: ok, help me understand pushing and pulling routes - I'm reading the docs too...so I want to add a push line on the client? 08:16 < ecrist> read this: 08:16 < ecrist> !route 08:16 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:16 < ecrist> sounds like you need an iroute on the server 08:17 < SpaceBass> thanks for the help the past two days...
let me read that and keep playing 08:17 < SpaceBass> excited to at least have the tunnel up 08:18 < SpaceBass> final question - if I no longer want PFsense to be my Ovpn end points, I assume I could use dedicated machines on each network and then just setup the routing on the PFsense box? 08:19 < ecrist> yep 08:19 < ecrist> your firewall is a good place to put a vpn server, though. 08:19 < SpaceBass> I can see why that would be the case 08:21 < SpaceBass> looks like the gateways can ping resources on each other's networks, but not the clients 08:22 < ecrist> do you have client-to-client? 08:22 < SpaceBass> to your point - its checked in the webgui but now that I look, its not in the conf file 08:23 < SpaceBass> thats why I wanted to use a dedicated box for oVPN, I think PFsense has some kinks 08:24 < ecrist> yeah. pfsense is really just a freebsd system 08:24 < ecrist> rather than doing it in the gui, set it up from the command line 08:24 < SpaceBass> yeah 08:24 < SpaceBass> thats what I'm doing - but I have to keep the webgui from overwriting my changes 08:24 < SpaceBass> it doesnt sync - which I think is a poor design 08:25 < ecrist> !freebsd 08:25 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 08:25 < ecrist> follow those instructions, should get you going 08:25 < SpaceBass> thanks again 08:25 < ecrist> disable openvpn in the webgui 08:25 < SpaceBass> ahhh good idea, and just execute from the CLI 08:27 < ecrist> yep 08:30 -!- infinity_ [i=brendon@saleen.netcal.com] has quit [Read error: 104 (Connection reset by peer)] 08:30 -!- infinity_ [i=brendon@saleen.netcal.com] has joined ##openvpn 08:34 < SpaceBass> added client-to-client and mode server and a push route line ...seems to have botched things 08:36 < ecrist> did you read the route link above? 08:36 < SpaceBass> yeah 08:37 < SpaceBass> re-reading now :D 08:38 < ecrist> does that network exist on the client end, or the server end?
08:41 < SpaceBass> on the server I have push route lines for both the local network and remote 08:41 < SpaceBass> and a route line for the remote 08:42 < ecrist> that's a problem, though 08:42 < ecrist> read the route link. you need ccds and iroute statements 08:43 < ecrist> your setup is covered on that page 08:44 < SpaceBass> I thought thats what I was covering - I added the iroute on the client and got an error "cannot be used in this context" 08:45 < SpaceBass> ahhh the ccd - didn't know what that was referring to...got it now 09:02 < SpaceBass> ok... back to where I was... one way routing at the gateway level only 09:03 < ecrist> can you draw a diagram of your network and post it somewhere? 09:03 < SpaceBass> working on the routes now 09:03 -!- TheDox [n=jcase@voip.sysadmins.com] has quit ["TheDox has no reason"] 09:03 < SpaceBass> ecrist: I'll try 09:16 -!- WastePotato [n=WastePot@unaffiliated/wastepotato] has joined ##openvpn 09:16 -!- WastePotato [n=WastePot@unaffiliated/wastepotato] has left ##openvpn [] 09:18 -!- teddy__ [n=teddy@208.92.235.227] has joined ##openvpn 09:20 < teddy__> How should I lock out 2 of my OpenVPN users? Deleting their unix account? Are there better ways? 09:22 < ecrist> since you're in an openvpn channel, I assume you're using openvpn? 09:23 < ecrist> you can simply revoke their client SSL certificates 09:33 < teddy__> Each user was not generated their own certificate...Can you still revoke an ssl certificate per user? 09:47 < SpaceBass> ecrist: got a network diagram coming right up - had to track down a copy of Visio :( 09:48 < SpaceBass> http://www.flickr.com/photos/nickdawson/3426787662/ 09:48 < vpnHelper> Title: network on Flickr - Photo Sharing! (at www.flickr.com) 09:50 < ecrist> SpaceBass: looking now. coulda just used paint, or ascii chars, too 09:51 < SpaceBass> ecrist I'm OCD like that 09:52 < ecrist> SpaceBass: your setup is covered, start to finish, on the routing page I linked you.
09:52 < ecrist> paste your configs 09:52 < ecrist> !configs 09:52 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:52 < SpaceBass> yeah - I've been following that and know I'm very close 09:56 < SpaceBass> http://pastebin.ca/1387140http://pastebin.ca/1387140 09:56 < SpaceBass> oops 09:56 < SpaceBass> http://pastebin.ca/1387140 09:57 < ecrist> SpaceBass: your configs are wrong 09:57 < ecrist> oh, wait, hang on, misread something 09:58 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 10:01 < ecrist> SpaceBass: is the CN on the certificate client1 is using 'lynchburgclient'? 10:01 < ecrist> !logs 10:01 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 10:02 < SpaceBass> ecrist: yes, the CN is lynchburgclient 10:04 < SpaceBass> logs 01 < ecrist> SpaceBass: is the CN on the certificate client1 is using 10:04 < SpaceBass> oops 10:05 < SpaceBass> http://pastebin.ca/1387148 10:06 < SpaceBass> still not getting a routing table entry on the client side 10:09 < ecrist> still reading 10:09 < SpaceBass> take your time - and hope you'll tell me how I can repay the favor 10:09 < SpaceBass> appreciate your help 10:09 < ecrist> your ifconfig-push is wrong 10:11 < ecrist> try 'ifconfig-push 192.168.123.5 192.168.123.6' 10:11 < ecrist> and remove the ifconfig line from your client config 10:12 < SpaceBass> ok 10:14 < SpaceBass> and the ifconfig-push goes in the ccd, correct? 
10:14 < ecrist> yes 10:16 < SpaceBass> ok - logs on both sides say its up...cannot ping in either direction 10:17 * ecrist grumbles 10:17 < SpaceBass> :) 10:17 < ecrist> firewall issue 10:18 < SpaceBass> let me keep at it for a few, work with the firewall and see what I can come up with 10:18 < SpaceBass> back in a few 10:18 < ecrist> ok 10:21 < theDoc> That's odd. 10:22 < theDoc> in my openvpn-server.log, I have an UNDEF 10:22 < theDoc> .. 10:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 11:23 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:36 -!- huslu_ [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has joined ##openvpn 11:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:49 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Read error: 113 (No route to host)] 11:59 -!- mooncup [n=a@unaffiliated/mooncup] has quit [No route to host] 12:02 < SpaceBass> ok...think I've narrowed it down... ecrist I dont think my setup is reading/using the ccd 12:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:12 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has joined ##openvpn 12:15 < SpaceBass> the client is not getting the push-ifconfig 12:20 -!- rodpod [n=rod@hick.org] has quit [Read error: 104 (Connection reset by peer)] 12:23 -!- mweichert [n=mweicher@216.13.154.21] has joined ##openvpn 12:23 < mweichert> does anyone know how to make an OpenVPN connection with the iPhone? Maybe there is an indirect way to achieve this?
12:25 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: ftp4, SpaceBass 12:29 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 12:44 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 12:44 < SpaceBass> ugly netsplit 12:45 < ecrist> bah, you and ftp4 were the only ones in this channel affected. 12:45 < SpaceBass> really? 12:46 < ecrist> 12:25 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: ftp4, SpaceBass 12:46 < SpaceBass> ha 12:46 < SpaceBass> took a few steps forward and a few back 12:49 < SpaceBass> http://pastebin.ca/1387268 12:49 < ecrist> you're interrupting my porn viewing now. ;P 12:50 < SpaceBass> why do you think I need the VPN working? can't very well look at pron on my network can I? 12:51 < ecrist> error, again, in your ifconfig-push ccd 12:51 < ecrist> second address should be .6, not both .5 12:51 < SpaceBass> F me! 12:51 < SpaceBass> been looking at this way too long 12:55 < SpaceBass> still not sure my ccd is being read 12:55 < SpaceBass> the client isn't getting the ifconfig 12:56 < ecrist> ok, you fixed the line, restarted openvpn (just to be safe) and restarted client? 12:56 < ecrist> !logs 12:56 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 13:00 < SpaceBass> http://pastebin.ca/1387278 13:01 < SpaceBass> i see an extra backslash in the path for the ccd, but I also see it using the options via the server log 13:02 < ecrist> ok, looks like things are working. 13:03 < SpaceBass> why doesnt it setup the tunnel IPs on the client?
13:03 < SpaceBass> ovpnc1: flags=8010 metric 0 mtu 1500 Opened by PID 24071 13:03 < ecrist> you gave me server log, lemme see client log 13:04 < SpaceBass> it was in there too, but here it is on its own http://pastebin.ca/1387281 13:05 < ecrist> that's not showing me startup 13:08 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 113 (No route to host)] 13:09 < SpaceBass> http://pastebin.ca/1387285 13:09 < SpaceBass> I dont see it referencing the cn name lynchburgclient anywhere 13:10 < ecrist> your logs are backwards. 13:10 < ecrist> like this. 13:10 < ecrist> to read things 13:10 < SpaceBass> in reverse order? yeah 13:10 < ecrist> I find it difficult 13:10 < SpaceBass> leme see if I can fix that 13:12 < SpaceBass> client log - normal order http://pastebin.ca/1387289 13:12 < ecrist> lemme see your configs again, current ones 13:14 < SpaceBass> current configs http://pastebin.ca/1387292 13:17 -!- mweichert [n=mweicher@216.13.154.21] has quit ["Leaving"] 13:18 < ecrist> ok, here's the issue 13:18 < SpaceBass> lay it on me 13:18 < ecrist> from server config, remove ifconfig line, add server 192.168.123.0 255.255.255.0 13:19 < ecrist> restart, dance, show me !logs again, if it doesn't work. 13:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:22 < SpaceBass> server log 13:22 < SpaceBass> http://pastebin.ca/1387304 13:23 < SpaceBass> client log 13:23 < SpaceBass> 14:12 < SpaceBass> client log - normal order http://pastebin.ca/13872 13:23 < SpaceBass> drat paste error... 
13:23 < SpaceBass> client log http://pastebin.ca/1387305 13:24 < SpaceBass> still no IP on the tunnel adaptor for the client 13:28 < SpaceBass> btw: Subject: C=US, ST=Virginia, L=Lynchburg, O=NSnet/emailAddress=npdweb@nickdawson.net, CN=lynchburgclient 13:29 < SpaceBass> thats from the client - wanted to verify that it was the right cn name 13:29 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 13:33 < ecrist> current configs, again, please? 13:34 < SpaceBass> http://pastebin.ca/1387292 13:35 < ecrist> um, I said current configs 13:35 < SpaceBass> leme get a fresh cat 13:37 < SpaceBass> http://pastebin.ca/1387309. 13:38 < karlpinc> I'm curious whether there's any demand for this patch: http://article.gmane.org/gmane.network.openvpn.devel/2581 13:38 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org) 13:38 < SpaceBass> brb - going to get power adaptor for laptop 13:42 < karlpinc> The idea is to allow customization of the OpenVPN MS Windows installer without having to compile. 13:46 < ecrist> karlpinc: did you have any feedback from the mailing list? 13:51 < karlpinc> ecrist : A couple of people suggested installing the windows version and then snarfing the files from there. Sounded dicey to me. 13:54 < ecrist> if I knew C, and had time, I'd fork OpenVPN 13:56 < karlpinc> ecrist : Why? 13:56 -!- Sinky [n=stancho@78.90.99.168] has quit [Read error: 110 (Connection timed out)] 13:58 < ecrist> karlpinc: a few reasons, really. 1) more consistent releases and transparency, 2) better enterprise support 14:01 < reiffert> 14:02 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn 14:02 < Flumdahl> WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 91.210.104.0 255.255.254.0' <-- do i get as error, i have never used any ifconfig lines in server.conf 14:03 < ecrist> are you using them in client config?
14:04 < Flumdahl> yes 14:04 < Flumdahl> http://pastebin.com/m745f55c3 <-- there is my server conf and version 14:04 < ecrist> then you're wrong 14:04 < ecrist> karlpinc and reiffert: http://pastebin.ca/1387326 14:05 < reiffert> ? 14:06 < ecrist> ? 14:06 < Flumdahl> http://pastebin.com/m1dc7ad97 there is both client and server config. 14:06 < reiffert> ecrist: ah, so you are about to fork openvpn. 14:07 < karlpinc> ecrist : ok. 14:07 < ecrist> reiffert: I wish I could, but I'm a talentless ass-clown. 14:07 < ecrist> all I do is idle in IRC 14:08 < karlpinc> ecrist : What does "transparency" mean? Do they respond on the devel list? 14:08 < Flumdahl> shall i use the ifconfig in server conf? 14:08 < Flumdahl> push "ifconfig 91.210.104.95 255.255.254.0" 14:08 < Flumdahl> ? 14:08 < reiffert> ecrist: soo .. and why are you pasting such useless sentences to a pasteservice then? 14:09 < ecrist> Flumdahl: properly configured, you either have ifconfig lines on both server and client, or you have them in neither place, with a server line in the server config 14:09 < Flumdahl> so in server config i write server serverip servermask ? 14:10 < ecrist> reiffert: karlpinc was asking why I'd fork, if I had the tools. couldn't remember all the reasons i'd come up with, so pasted that. your initial '?' comment made me believe you were curious as well. 14:10 < ecrist> apparently I was mistaken 14:10 < ecrist> Flumdahl: yes. and remove ifconfig from client config 14:11 < reiffert> ecrist: oh, that was an accidentally typed german umlaut 14:11 < ecrist> ah 14:11 < Flumdahl> ecrist: but, if i setup ifconfig line in server conf with my server's ip... will that not be an ip conflict then because i have that ip on my br0 ? 14:16 < HardDisk_WP> ecrist, do you have /charset utf-8? 14:17 < HardDisk_WP> I can see an ö from reiffert so I guess you're ISO-8859 or some other obscure charset 14:19 < ecrist> HardDisk_WP: nope 14:19 < ecrist> I'd hardly call it obscure... 14:21 < HardDisk_WP> what charset do you use?
14:22 < ecrist> send me that character again, reiffert 14:22 < HardDisk_WP> ö 14:22 < ecrist> HardDisk_WP: whatever default is for irssi 14:22 < HardDisk_WP> here you go 14:22 < ecrist> that character shows up now. had to set it to utf-8 in irssi 14:24 < ecrist> I don't know the irssi default charset 14:31 -!- grandee [n=tinkle@80-254-74-45.dynamic.swissvpn.net] has joined ##openvpn 14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:53 -!- grandee [n=tinkle@80-254-74-45.dynamic.swissvpn.net] has quit ["bbl"] 15:05 < SpaceBass> ecrist: I feel like I keep taking one step forward two back :D 15:09 < SpaceBass> I'm still not sure the client is getting the CCD http://pastebin.ca/1387309 15:15 -!- rodpod [n=rod@hick.org] has joined ##openvpn 15:15 -!- mtoledo` [n=user@189.102.205.95] has joined ##openvpn 15:22 < ecrist> SpaceBass: does the VPN come up on the client, and does the client have the .5 ip address? 15:23 < SpaceBass> ecrist: logs suggest its up, but no the client never gets the .5 15:26 < ecrist> SpaceBass: at this point, I'm going to say it's a pfsense thing. 15:26 < ecrist> try on other hosts, as you'd mentioned this morning. 15:27 < SpaceBass> ecrist: thanks - I'll give that a go 15:29 < SpaceBass> before I totally give up - rather than pushing the ifconfig to the client, could I add it to the client's config? 15:29 < ecrist> you can try, I've never done a config like that, though 15:31 < SpaceBass> strange thing was that I had it working b/t gateways earlier - wish I had saved "snapshot" configs 15:42 < HardDisk_WP> krzie, ping 15:49 < krzie> hey man 15:51 < krzie> good timing, i just re-attached 15:52 < HardDisk_WP> :) 15:52 < HardDisk_WP> krzie, I got OpenVPN up and running :) 15:52 < HardDisk_WP> now, the iodine stuff 15:53 < krzie> thats where i dont help, i just point you to the right place 15:53 < krzie> (which i did) 15:53 < HardDisk_WP> I just need some help with that domain stuff. 
because the only server usable for running the DNS server is on a dialup connection 15:54 < krzie> lol 15:54 < krzie> then you dont get to run iodine 15:54 < krzie> it requires you to have 2 servers 15:54 < krzie> one for real DNS, 1 for fake DNS 15:54 < krzie> the real points to the fake for dns authority for a subdomain 15:55 < HardDisk_WP> hmm wait, I got another vserver (problem is: it isnt reliable^^) 15:56 < HardDisk_WP> krzie, does the server running iodine require a tun/tap device? 15:56 < krzie> yes 15:56 < HardDisk_WP> and it needs a static IP= 15:56 < HardDisk_WP> ? 15:56 < krzie> its a dns TUNNEL 15:56 < krzie> no, dyndns is enough for that 15:57 < HardDisk_WP> :) 15:57 < krzie> but dialup wont work 15:57 < HardDisk_WP> Why not? 15:57 < krzie> mtu is shitty enough when using a 100mbit 15:57 < krzie> do it over dialup and you're better off using smoke signals 15:57 < HardDisk_WP> Oh. 15:58 < HardDisk_WP> But I can try it out, I guess? :D 15:58 < krzie> do whatever you want 15:58 < krzie> heh 15:58 < krzie> it wont hurt me any 15:58 < HardDisk_WP> ^^ 16:01 < SpaceBass> ecrist: I got it! 16:01 < ecrist> gratz 16:01 < SpaceBass> ecrist: one very simple little word... "client" missing from the client.conf 16:01 < ecrist> oh, I thought I checked for that. 16:01 < ecrist> mea culpa 16:01 * SpaceBass would dance if I wasn't recovering from a knee reconstruction 16:01 < SpaceBass> ecrist: not on your shoulders at all - I should have known that as a basic 16:02 < HardDisk_WP> krzie, so http://pastebin.com/m6d72874 would be basically correct? 16:03 < SpaceBass> ecrist: still no routing b/t clients, but know that has to be pfsense 16:03 < ecrist> SpaceBass: do you have an openvpn-status file?
16:03 < ecrist> look in there, contains openvpn's internal routing table 16:04 < ecrist> if it's not listed there, your problem is with openvpn, otherwise it's firewall 16:04 < SpaceBass> ecrist: not sure about the status file - I'll investigate 16:04 < SpaceBass> but at least I can ping remote resources from the respective gateways 16:05 < Flumdahl> hmm, why wont my shaper work on server? directly when i insert shaper 131072 in server conf it wont setup the route on my client at all. if i erase the shaper line and restart the server and connect it works fine again 16:12 * SpaceBass is so close he can taste it 16:20 < krzie> HardDisk_WP: thats where i dont help, i just point you to the right place 16:20 < krzie> (which i did) 16:20 < krzie> i dont do iodine support 16:20 < HardDisk_WP> kk 16:20 < krzie> its one of those things where if you get it working its cause you figured it out 16:21 < krzie> unlike openvpn where im willing to help walk someone through it 16:21 < krzie> but for now, time for me to work on a side-job 16:21 < krzie> a guy wants me to setup an automated way to lie to a shitton of nameservers about his reverse dns based on a whitelist 16:21 < SpaceBass> if my routes on the gateways allow traffic, then I'd think the clients would work 16:21 < krzie> im like "umm, bind made that for us, but finding the nameservers to lie to from the whitelist of domains will need some custom work, and could get pricey" 16:22 < krzie> booya, gunna make a lil script and get paid++ 16:22 < krzie> (the job isnt for my buddy, its for a guy using him as a proxy) 16:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 16:34 -!- grandee [n=tinkle@80-254-66-61.dynamic.swissvpn.net] has joined ##openvpn 16:48 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Lost terminal"] 16:48 -!- bandini [n=bandini@host234-109-dynamic.41-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 16:49 -!- sigius
[n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:04 < MarcWeber> I've some trouble routing udp through the vpn network. Are there any known pitfalls? Using iperf -cu $vpn_server works whatsoever.. 17:19 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 18:06 < krzie> is it voip by chance? being routed over the vpn which NATs it? 18:06 < krzie> if so, you'll need STUN 18:29 -!- afonso [n=afonso@bl6-119-108.dsl.telepac.pt] has joined ##openvpn 18:29 < afonso> hi guys 18:32 < afonso> i have a client with a lan connected to an openvpn server. something similar to what's explained on the howto 'Including multiple machines on the client side when using a routed VPN' on the official website 18:34 < afonso> the thing is: if i ping the client's tun0 IP from the server, i get around 2ms of latency. BUT if i ping the first lan ip (which is on the same router as the tun0), i get around 20ms. 18:34 < afonso> is there an explanation for this? 18:34 < afonso> 18ms just to jump from tun0 to eth0? 18:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 19:06 < dan__t> Well. 19:06 < dan__t> All that good shit I talked about WHMCS can pretty much go down the drain now. 19:16 -!- cirdan [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has joined ##openvpn 19:16 < cirdan> !howto 19:16 < vpnHelper> cirdan: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 19:16 < cirdan> eh 19:26 -!- grandee [n=tinkle@80-254-66-61.dynamic.swissvpn.net] has quit ["bbl"] 19:34 < afonso> can anyone answer my question? 19:42 < dan__t> njo 19:42 < dan__t> no 19:55 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 19:55 < SpaceBass> evening 20:05 < dan__t> howdy. 20:14 < krzie> nope, i have no answer for you afonso 20:14 < afonso> :( 20:14 < afonso> am i doing something wrong or is this normal? 20:14 < ecrist> everyone who doesn't understand OpenVPN are bitches.
20:14 < krzie> it would go from vpn ip out through lan if to the router to the client, back to router, back to vpn endpoint then back over the vpn 20:15 < krzie> but that shouldnt add 18ms 20:15 < krzie> since all added stuff is on-lan 20:15 < afonso> i agree 20:15 < afonso> that's why i'm asking 20:15 < krzie> maybe some latency from firewalls in the middle or a slow router or something 20:16 < krzie> the packet could be going through many more firewall rules than it would if it were on-lan 20:16 < krzie> dunno 20:16 < afonso> it a router with 500Mhz and 256MB ram 20:16 < afonso> not really slow... 20:16 < krzie> but its not openvpn related as the vpn connection has the good ping 20:16 < krzie> the added latency happens outside the vpn 20:17 < afonso> but lan connections also have good pings 20:17 < krzie> should 20:17 < krzie> but they also dont come with the source ip of your vpn network 20:17 < krzie> which seems to be the only time its high latency im guessing 20:18 < ecrist> bitches, I say 20:18 < dan__t> Bitches. 20:18 < krzie> lol eric 20:18 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has left ##openvpn [] 20:19 < afonso> i though it could be something with the iroutes and openvpn 20:19 < krzie> not if you get ANY ping reply 20:19 < afonso> i don't see another explanation 20:20 < krzie> !route 20:20 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:20 < krzie> !iroute 20:20 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. 
Also see !route and !ccd 20:20 < krzie> i don't see another explanation 20:20 < krzie> its not even a POSSIBLE solution 20:21 < afonso> why? you assume that openvpn can't be slow? 20:21 < afonso> in any circunstance... 20:22 < krzie> dude 20:22 < krzie> you told me ping tun tun endpoint was 2ms 20:23 < krzie> thats all thats happening over the vpn 20:23 < krzie> the rest is on your lan 20:23 < krzie> you didnt figure that out on your own? 20:24 < afonso> yeah but the ip on the lan is on the same router... 20:24 < afonso> i don't see the kernel taking 18ms to jump between interfaces 20:24 < krzie> welp, the only place openvpn is in the picture is between tun endpoints 20:25 < krzie> the rest is outside of openvpn 20:25 < krzie> period 20:26 < afonso> ok 20:27 < afonso> but it's still weird that this only happens with tun0... and not any other interface 20:27 < afonso> *between 20:27 < krzie> i told you whats different 20:27 < krzie> different source ip 20:27 < krzie> what firewall is on your router? 20:27 < afonso> iptables 20:28 < krzie> i dont use linux, but if it were pf on bsd, i would make a pass rule on the top of the list, and ild make it quick so it was immediately passed and hit NO more rules 20:28 -!- gebi [n=gebi@84-119-54-65.dynamic.xdsl-line.inode.at] has left ##openvpn [] 20:28 < krzie> to rule that out 20:30 < afonso> i already ruled that out 20:31 < krzie> ok well 20:31 < krzie> !notovpn 20:31 < vpnHelper> krzie: Error: "notovpn" is not a valid command. 20:31 < afonso> i'm accepting everything, no more rules 20:31 < krzie> !notopenvpn 20:31 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 20:31 < krzie> what channel that would be, i dont know 20:31 < afonso> ok ok 20:31 < krzie> but the fact that the tun stuff is fast, dunno man 20:31 < krzie> you could try a traceroute? 
20:31 < afonso> i did 20:31 < krzie> see where the latency increases 20:32 < krzie> also, how the hell are you 2ms from your endpoint? 20:32 < krzie> lol 20:32 < afonso> root@Sede:/etc/openvpn-core# traceroute 192.168.231.1 20:32 < afonso> traceroute to 192.168.231.1 (192.168.231.1), 30 hops max, 38 byte packets 20:32 < afonso> 1 192.168.231.1 (192.168.231.1) 19.637 ms 19.116 ms 19.082 ms 20:33 < afonso> i don't even see the jump 20:33 < krzie> well that dont help any 20:34 < krzie> this is a tcp or udp vpn? 20:35 < afonso> udp 20:35 < krzie> good 20:35 < krzie> tried mtu-test? 20:35 < krzie> !mtu-test 20:35 < vpnHelper> krzie: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 20:36 < krzie> although its likely the default, wont hurt to test 20:37 < afonso> sorry krzie. i'll have to give it a try tomorrow 20:37 < afonso> thank for your help! 20:39 -!- afonso [n=afonso@bl6-119-108.dsl.telepac.pt] has quit [] 20:41 < krzie> hehe 20:41 < krzie> hi im running openvpn on my webserver, and now my mailserver is running slow, can someone help me? 20:43 < dan__t> whmcs 20:43 < dan__t> what a bunch of fags. 20:44 < krzie> wtf is whmcs 20:44 < dan__t> Their support responses are terse, they're ill-informed. If I ask a very technical question they reply with "yes", or "no", without any elaboration. 20:44 < dan__t> Billing system. 20:44 < dan__t> We talked about this the other day. 20:44 * dan__t kicks krzie in the vagina. 20:44 < krzie> my vagina is out of town for a couple days 20:44 < krzie> she'll be back sunday 20:45 < dan__t> awesome 20:46 < dan__t> You familiar with any billing systems, krzie? 
20:46 < krzie> neg 20:53 < krzie> my billiong system was always "hey man, you owe me $x" 20:54 < dan__t> yea 20:54 < dan__t> im sick of that 20:54 < dan__t> too many clients for that any more 20:54 < dan__t> i still do billing in ms office accounting :/ 20:54 < krzie> werd 20:55 < krzie> thats when ild get someone to my my accounting for me 20:55 < krzie> thats how much i like to deal with billing 20:55 < dan__t> heh 20:55 < krzie> although of course a billing system is better 20:55 < krzie> but im a fan of delegation 20:57 < dan__t> i'm a fan of keeping my money. 20:58 < krzie> ya and im actually a bigger fan of automation than delegation 20:58 < krzie> so you win on both 21:05 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has left ##openvpn ["Leaving"] 21:20 -!- grandee [n=tinkle@80-254-75-26.dynamic.swissvpn.net] has joined ##openvpn 21:26 < grandee> Hi guys, could somebody recommend a good commercial VPN service provider that uses openvpn? 21:27 < krzee> i believe dan was making a system to be done 21:27 < krzee> err to be one 21:28 < grandee> krzee, do you mean dan__t? 21:29 < krzee> yup 21:30 < grandee> what sort of price was he thinking of asking? 21:30 < krzee> no clue 21:30 < krzee> i only talked tech stuff 21:30 < grandee> maybe i'll ask him personally 21:31 < grandee> sure thanks krzee 21:31 < krzee> np =] 21:31 < grandee> i'm using pptp at the moment with swissvpn 21:32 < krzee> ya i understand why youd wanna switch 21:33 < grandee> openvpn has a reputation as being the best 21:37 < dan__t> That, and swissvpn has a reputation of sucking. 21:38 < grandee> hi dan__t you are going to offer vpn service? how much are you thinking of charging? 21:39 < grandee> dan__t: the biggest problem with swissvpn is that they use pptp 21:39 < dan__t> It really wasn't a general purpose VPN. I was toying with the idea tonight, and began to work on some code to allow it for general use. 21:39 < dan__t> How long have you been using SwissVPN? 
21:40 < grandee> one week approx 21:40 < dan__t> Where are you located? 21:40 < grandee> Canada 21:41 < dan__t> To be perfectly honest, my pricing is quite a bit more than what SwissVPN advertises. 21:42 < grandee> what are your privacy policy 21:42 < grandee> $15 US? 21:42 < dan__t> I was thinking around $20/mo for basic, if I offer it. I have a pretty unique setup that I can't elaborate on which I'll be charging $35/mo for 21:43 < dan__t> Privacy policy is that anyone asking me for information regarding a client can go kick rocks. 21:43 < dan__t> I do need to log just about every connection for statistics, load averaging, forecasting etc etc. 21:43 < dan__t> And enough to bill a credit card. 21:44 < dan__t> What a God awful ugly site. 21:44 < grandee> are you a openvpn developer? 21:45 < dan__t> I am not. I'm a Linux systems administrator by trade. 21:45 < dan__t> Emphasis on load balancing, distribution, clustering, storage etc etc. 21:46 < grandee> 20 dollar is a little expensive for me, but i'm sure your service would blow the doors off anybody elses 21:47 < dan__t> And a formidable degrader of krzie's better half. 21:47 < dan__t> Yeah, its not for everyone. 21:47 < dan__t> There are a few things involved that will make it hands down better than anything I've seen in the past 21:47 < dan__t> I have this habit of starting a project that 289342323 other people do. 21:47 < dan__t> This time i did the research, and the niche that I'm shooting for is not saturated. 21:48 < grandee> sounds interesting 21:50 < grandee> anyway thanks for your time, hope to use openvpn in the future 21:51 < dan__t> I'm a few weeks away from going "live" 21:51 < dan__t> I figure I'll still be hanging out around here. If you see me, feel free to say hello. 
21:52 < grandee> sure thats cool thanks dan__t :) 21:56 -!- rodpod [n=rod@hick.org] has quit [Read error: 104 (Connection reset by peer)] 22:01 -!- grandee [n=tinkle@80-254-75-26.dynamic.swissvpn.net] has quit ["goodnight"] --- Day changed Fri Apr 10 2009 00:17 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 00:19 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn 00:23 -!- theDoc [n=andelyx@bb121-6-127-231.singnet.com.sg] has joined ##openvpn 00:23 -!- theDoc [n=andelyx@bb121-6-127-231.singnet.com.sg] has quit [Client Quit] 00:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 01:15 < reiffert> moin 01:21 < dazo> moin 01:22 < krzee> moin 01:26 < dan__t> moin 01:40 < dan__t> Free PowerEdge 2600, 2x32G Ultra320 10k's, 512M RAM, Xeon 2.8 01:40 < dan__t> Shipping from CA to AZ worth it? heh 02:19 -!- prozacwizard [i=moneybag@you.can.do.it.cx] has joined ##openvpn 02:24 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 02:29 -!- prozacwizard [i=moneybag@you.can.do.it.cx] has quit [Remote closed the connection] 02:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:41 < dazo> dan__t: yeah, I would say so .... you can prep it up to 2GB RAM pretty cheap nowadays ... and you have a pretty good server 02:41 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn 02:41 < dazo> dan__t: depending on how old the disks are ... you might consider new disks 02:42 < dan__t> yea 02:42 < dan__t> ultra320's 02:42 < dan__t> that's hardcore++ 02:42 < dan__t> don't know what I would ever use them for 02:42 < dan__t> I just need a big-ass VM server 02:42 < tjz> long long long long time never come check this channel 02:42 < tjz> :( 02:42 < dazo> dan__t: well, it's not state of the art any more .... but it rocks, that's for sure :) 02:42 < dan__t> U320 is backwards compat with u160 last I recall. 
I could just fill it with big-ass u160's 02:42 < tjz> hi to all my new friends 02:42 < dan__t> tjz, what the f are you talking about 02:43 < tjz> hi dan 02:43 < tjz> = 02:43 < tjz> =) 02:43 < dazo> dan__t: true you can use U160 disks in U320, but not the other way, iirc 02:43 < dan__t> Correct. 02:43 < dan__t> Hello, tjz. 02:44 < dazo> dan__t: it might not be powerful enough for serving a lot of VM's .... as the CPU would benefit having Virt support ... but it sounds good enough for other things .... would probably do well as a mid-range database server or dedicated high-end webserver 02:44 < dan__t> whatever 02:44 < dan__t> vmware does me well 02:45 < dan__t> i just need something for developing with 02:45 < dan__t> this VPN thing is the first side project I've done in a month 02:45 < dan__t> I gave up side projects to study for a shitton of certs I should already have. 02:45 < dazo> heh 02:46 < krzee> [02:40] Free PowerEdge 2600, 2x32G Ultra320 10k's, 512M RAM, Xeon 2.8 02:46 < krzee> [02:40] Shipping from CA to AZ worth it? heh 02:46 < dan__t> So with that... I need a lab 02:46 < krzee> absolutely 02:47 < dan__t> And I can run a lab on a beefed up 2600 02:47 < krzee> ild pay shipping to the caribbean if i found that 02:47 < dan__t> I'll just ebay another xeon because its a dual socket board 02:47 < dan__t> and beef it up to 8G RAM 02:47 < dan__t> at least 02:47 < dan__t> 750w power supply 02:47 < dan__t> goddam 02:47 < dan__t> two of them, even 02:47 < krzee> damn nice 02:47 < krzee> rackmount? 
02:47 < dan__t> no, tower 02:47 < dan__t> soho 02:47 < krzee> ahh 02:47 < dan__t> funny how this came back to me 02:48 < krzee> still, free 02:48 < dan__t> I did some contract work for some retard in California 02:48 < dan__t> They ran out of business befure they paid me 02:48 < krzee> if you find more freeness please let me know if you dont take it 02:48 < dan__t> my friend worked there, he made off pretty well 02:48 < dan__t> the retard gave a few servers to my friend 02:48 < dan__t> he's giving them to me because he felt bad I didn't get paid 02:48 < krzee> nice 02:49 < dan__t> i'm still fighting whmcs 02:49 < dan__t> haven't hacked on openvpn in a day and a half 02:49 < dan__t> there's one problem I'm still trying to get over. 02:50 < dan__t> http://forum.whmcs.com/showthread.php?t=19364 02:51 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 02:53 < krzee> You are not logged in or you do not have permission to access this page. This could be due to one of several reasons: 02:54 < dan__t> gay. 02:54 < krzee> http://www.zabbix.com/forum/showthread.php?p=44784#post44784 02:56 < dan__t> 2) I would like to be able to view multiple graphs at the same time. 02:56 < dan__t> make a screen, throw graphs in that screen 02:56 < dan__t> 3) When viewing those graphs I would like to have the percentages and numbers displayed there as well. 02:56 < dan__t> edit those in the graph display properties 02:56 < dan__t> 4) I would like the filter to apply to the graphs I view. 02:56 < dan__t> which filter? 02:57 < dan__t> oh 02:57 < dan__t> the filter pretty much sucks. 02:57 < krzee> time and date filter 02:57 < dan__t> right 02:57 < dan__t> you're fucked 02:57 < krzee> to only view a certain date range 02:58 < krzee> nah this rocs 02:58 < dan__t> that filter sucks completely. 02:58 < krzee> rocks 02:58 < dan__t> the rest of it does sure 02:58 < krzee> just small things need fixing 02:58 < dan__t> check out the dashboard yet? 
02:58 < krzee> yup 02:58 < krzee> ya doesnt do much for my lil setup 02:58 < dan__t> The dashboard looks great on a 60" plasma with like 600 hosts. 02:58 < krzee> but availability reports and monitoring - events does all i want 02:58 < krzee> in fact when they fix availability reports, its all ill need 02:59 < krzee> so the username to view will only get reports 02:59 < krzee> ild like finer grained user rights 02:59 < dan__t> yeah 02:59 < krzee> they only give menus 02:59 < dan__t> they're kinda tricky. 02:59 < dan__t> use host groups. 02:59 < krzee> il like submenus 02:59 < krzee> ild 02:59 < dan__t> yeah 02:59 < dan__t> use hostgroups for perms 02:59 < krzee> so i could clean out what i dont want 02:59 < krzee> i do 02:59 < dan__t> give permis to hostgroup ABC etc etc 02:59 < krzee> but only allows access to entire menus 03:00 < krzee> like monitoring 03:00 < krzee> i dont need all 11 submenus 03:00 < krzee> only 1 of them 03:00 < krzee> and reports availabilty report 03:01 < krzee> so now for 1 submenus i must enable 12 i dont want 03:01 < krzee> err 03:01 < krzee> so now for 2 submenus i must enable 12 i dont want 03:01 < krzee> and in reports - status the user can see exactly how much is being monitored 03:02 < krzee> i think he should only see what he has rights to, even if it is just a # 03:02 < dan__t> hehe 03:02 < dan__t> overall not bad though huh 03:02 < krzee> very much so 03:02 < krzee> im nitpicking there 03:02 < dan__t> has its quirks 03:02 < dan__t> its young 03:02 < krzee> ya 03:02 < dan__t> polling 70k items and 600 hosts gets crazy 03:02 < dan__t> need some hardcore++++ sql machines for that 03:03 < krzee> understandably so 03:03 < dan__t> talking like 2-2500 queries/sec 03:03 < krzee> it allows you to do so much, if you enable a shitton it will need the resources 03:03 < dan__t> haha 03:03 < dan__t> yeah 03:04 < tjz> hi jeff!! 
03:04 < tjz> =) 03:04 < tjz> lol 03:04 < tjz> in the wee hour 03:04 < krzee> hey 03:04 < tjz> happy good friday 03:04 < tjz> :P 03:04 < dan__t> pbbbttht. 03:04 < krzee> Required server performance, new values per second 0.0667 03:04 < tjz> lol 03:04 < krzee> every friday is good 03:04 < dan__t> Just another occasion to party myself stupid. 03:04 < krzee> its those mondays that need help 03:05 < tjz> hahahaha 03:05 < tjz> can't agree more 03:05 < tjz> lol 03:06 < krzee> hey dan, any ideas here? 03:06 < krzee> http://www.zabbix.com/forum/showthread.php?t=12225 03:07 < dan__t> take a few values and average them 03:07 < dan__t> that's what I do with icmpping 03:08 < krzee> im doing that 03:08 < dan__t> average 3 rounds, and if their sum > 2 then its probably a not false positive 03:08 < dan__t> do this 03:08 < dan__t> use templates. 03:08 < dan__t> make "service" templates. 03:08 < krzee> read the whole thing 03:08 < dan__t> I'd have, like, Generic Linux Template 03:08 < dan__t> Generic windows template 03:08 < dan__t> etc etc 03:08 < dan__t> then all hosts that are of that type get that template 03:09 < krzee> im preventing trigger fire if zabbix network goes down 03:09 < dan__t> i'd have items and graphs associated with that template 03:09 < dan__t> i'd make graphs and triggers and items associated with another template called "Disk Device sda" 03:09 < krzee> so if last 3 pings avg to 0 for hemp, and last ping to joogot was good, FIRE 03:09 < dan__t> and just apply them to the host, make them overlap 03:09 < dan__t> yeah 03:09 < dan__t> I don't know about that one 03:09 < krzee> i think i found it, bout to test 03:10 < krzee> 9 & Logical AND 03:10 < dan__t> jea 03:10 < krzee> sweet this could even detect jitter 03:10 < dan__t> brb smokes and cokes 03:10 < krzee> great for a voip company 03:10 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Remote closed the connection] 03:19 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 03:20 
< dan__t> k 03:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 03:20 < dan__t> god damn you whmcs 03:21 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 03:22 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn 03:25 < krzee> {hemp:icmppingsec.avg(#3)}=0&{joogot:icmppingsec.avg(#2)}#0 03:27 < dan__t> don't use icmppingsec 03:27 < krzee> and why not 03:27 < krzee> it works! 03:27 < dan__t> what if the ping is 0.0000ms 03:28 < krzee> i like seeing the latest graph 03:28 < krzee> umm, thats 0 03:28 < krzee> means its down 03:28 < krzee> exactly what im testing for 03:28 < dan__t> uh 03:28 < dan__t> eyes 03:28 < dan__t> sorry 03:29 < krzee> if the avg of the last 3 pings to hemp is 0 and the avg of last 2 pings to joogot is NOT 0, alarm!!! 03:30 < dan__t> yes 03:31 -!- _lataffe_ [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 03:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:44 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:44 < tjz> i don't think there is a fool proof solution.. 03:44 < tjz> i tend to get some false alarm! 
03:44 < tjz> too 03:48 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)] 03:49 < krzee> umm mines pretty foolproof against when the zabbix machine loses connection 03:50 < tjz> ok 03:53 -!- js_ [n=js@193.0.253.161] has quit [Remote closed the connection] 04:03 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 04:04 < lepine> !/30 04:04 < vpnHelper> lepine: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 04:04 < lepine> !topology 04:04 < vpnHelper> lepine: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 04:05 < lepine> !route 04:05 < vpnHelper> lepine: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:06 < lepine> I'm trying to set myself up with a tunnel that i can use safely at conferences and public wifi 04:07 < lepine> i got it working 04:07 < lepine> i'm currently being masqueraded from my colo'ed server. 04:08 < lepine> thing is, whenever i connect to to the vpn, i have to delete the default gateway on my machine, and add the openvpn server as default gw 04:08 < lepine> is there a way i can have the server push that config? it can push new routes (add) ... but can it push deletions? 04:08 < dan__t> redirect-gateway 04:08 < lepine> i've done that 04:08 < lepine> not working 04:08 < lepine> not properly anyway 04:09 < dan__t> hm 04:09 < dan__t> what do both client and server logs tell you? 04:09 < dan__t> beh i gotta pass out 04:09 < dan__t> krzie will be around in a few. 
04:09 < lepine> so should i actually 04:18 -!- lepine1 [n=leprecha@206-248-132-81.dsl.teksavvy.com] has joined ##openvpn 04:27 < krzee> [05:08] thing is, whenever i connect to to the vpn, i have to delete the default gateway on my machine, and add the openvpn server as default gw 04:27 < krzee> redirect-gateway def1 04:27 < krzee> !def1 04:27 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 04:27 < krzee> if you say its not working, post logs 04:30 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 04:34 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn 04:37 < djc> so I have a problem; I have a topology subnet-based setup 04:38 < djc> but I can't ssh to one of the clients 04:38 < djc> my co-worker is logged in on the local subnet that machine is in, so the sshd is apparently not the problem 04:38 < djc> and I can still ping the machine from one of my other clients, so at least there is some VPN connection 04:38 < djc> but when I try to ssh in over VPN, I get connection refused 04:39 < djc> any clues as to how to troubleshoot this would be appreciate 04:39 < djc> d 04:42 < djc> no one? 
:| 04:51 < kraut> moin 04:51 < djc> !logs 04:52 < vpnHelper> djc: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 04:52 < djc> !configs 04:52 < vpnHelper> djc: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:52 < djc> !interface 04:52 < vpnHelper> djc: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 04:54 < djc> kraut: moin; would you be able to help me troubleshooting 04:55 < kraut> i'm just on the jump 05:11 < djc> probably no one from openvpn.net is awake at this time? 05:44 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 06:07 < reiffert> djc: use tcpdump on every single machine involved and inbetween. 06:08 < reiffert> djc: check if the packets get to that machine. If so, check if the answers get back to you. 06:16 < krzee> djc 06:16 < krzee> did you check sshd is listening on the vpn ip? 06:16 < krzee> like *:22 06:17 < reiffert> connection refused sounds like it, yes. 
06:18 < krzee> aye 06:18 < reiffert> "like it" = "like it is involved" 06:18 < krzee> refused means the packets got there 06:18 < krzee> but it said "no way" 06:18 < krzee> so round trip packets 06:18 < krzee> as opposed to connection timed out 06:22 < krzee> oh and nobody from openvpn.net is around here even if they are awake 06:22 < krzee> ssh: connect to host 127.0.0.1 port 22: Connection refused 06:23 < krzee> host was contacted just fine but no daemon listening 06:23 < krzee> ssh: connect to host 10.0.0.69 port 22: Operation timed out 06:23 < krzee> host cant be contacted 06:24 < krzee> unless you play with blackhole settings and make the first just timeout too or course... 06:24 < krzee> but either way, thats what your problem is djc 06:38 < djc> hmm 06:38 < djc> (sorry, was away for a bit 06:38 < djc> ) 06:38 < djc> but isn't it pretty weird that ping works when http/ssh don't? 06:39 < djc> plus, this vpn just worked before 06:41 < djc> and yeah, I had the idea about sshd not listening on the VPN if, too, but my sshd_config has ListenAddress 0.0.0.0, which I'm pretty sure means it should listen on every iface 06:43 < djc> OMFG 06:45 < reiffert> krzee: alternative idea: firewall says: R 06:45 < ecrist> morning, fuckers 06:46 < ecrist> refused can also mean the firewall is blocking 06:46 < djc> okay, so it turned out that because there was a different login order, the server was not at the IP I specified, so I was trying to ssh into the local box, which most definitely doesn't have either ssh or http running 06:47 < reiffert> djc: firewalls can confuse things and people. yes. 06:47 < djc> okay, so I should obviously make sure my server always gets a fixed IP 06:48 < krzee> !static 06:48 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd 06:48 < krzee> !forget static 2 06:48 < vpnHelper> krzee: Joo got it. 
06:48 < krzee> !learn static as also see !ccd and !iporder 06:48 < vpnHelper> krzee: Joo got it. 06:48 < djc> !iporder 06:48 < vpnHelper> djc: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp 06:49 < krzee> bleh i wanna change that one too 06:49 < djc> so can I just assign one IP and have the rest auto-assigned? 06:49 < krzee> sure 06:49 * ecrist uses a /23 on his vpn, the first /24 is for dynamic IPs, the second is for static ips 06:51 < krzee> !change iporder 2 s/(next choice)./(next choice). see !ccd/ 06:51 < vpnHelper> krzee: Joo got it. 06:51 < krzee> !iporder 06:51 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP ((next choice). see !ccd., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp 06:52 < krzee> !change iporder 2 s/((/(/ 06:52 < vpnHelper> krzee: Error: 's/((/(/' is not a valid regular expression. 06:52 < ecrist> you need to escape the parens 06:52 < krzee> !change iporder 2 s/\(\(/\(/ 06:52 < vpnHelper> krzee: Joo got it. 06:52 < krzee> !iporder 06:53 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP \(next choice). 
see !ccd., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp 06:53 < krzee> heh 06:53 < djc> lol 06:53 < krzee> !change iporder 2 s/\\// 06:53 < vpnHelper> krzee: Error: 's/\\\\//' is not a valid regular expression. 06:53 < krzee> !change iporder 2 s/\// 06:53 < vpnHelper> krzee: Error: 's/\\//' is not a valid regular expression. 06:53 < krzee> cute 06:53 < krzee> !forget iporder 2 06:53 < vpnHelper> krzee: Joo got it. 06:53 < krzee> !forget iporder 2 06:53 < krzee> !forget iporder 2 06:53 < vpnHelper> krzee: Joo got it. 06:53 < vpnHelper> krzee: Joo got it. 06:54 < djc> !ipp 06:54 < vpnHelper> djc: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 06:54 < djc> !clientconnect 06:54 < vpnHelper> djc: Error: "clientconnect" is not a valid command. 06:54 < krzee> !learn iporder as Use --client-config-dir file for static IP (next choice) !ccd for more info 06:54 < vpnHelper> krzee: Joo got it. 06:55 < krzee> !learn iporder as Use --ifconfig-pool allocation for dynamic IP (last choice) 06:55 < vpnHelper> krzee: Joo got it. 06:55 < krzee> !learn iporder as if you use --ifconfig-pool-persist see !ipp 06:55 < vpnHelper> krzee: Joo got it. 
06:55 < krzee> !iporder 06:55 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !ccd for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 06:58 < djc> !ccd 06:58 < vpnHelper> djc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 06:59 -!- mode/##openvpn [+o krzee] by ChanServ 06:59 <@krzee> Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder 06:59 <@krzee> err 06:59 -!- krzee changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder 06:59 -!- mode/##openvpn [-o krzee] by krzee 06:59 -!- dazo is now known as dazo_gone 07:00 < djc> so in the sample config file it says to put "ifconfig-push 10.9.0.1 10.9.0.2" in the ccd/Thelonious file 07:00 < djc> but what are those ip addresses for? 07:00 < djc> I'm assuming one is the address you want to assign to that client 07:00 < djc> but what is the other? 
07:00 < krzee> thats only for ptp setup 07:01 < krzee> where this is no client and server, only 2 endpoints 07:01 < djc> sorry, you lost me 07:02 < krzee> theres 2 ways to have openvpn as far as that goes 07:02 < krzee> server - clients 07:02 < krzee> or point-to-point 07:02 < krzee> ptp can only handle 2 endpoints 07:02 < djc> ok 07:02 < krzee> it was the mode for openvpn version 1 07:03 < krzee> !sample 07:03 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 07:03 -!- mode/##openvpn [+o krzee] by ChanServ 07:03 -!- krzee changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder !sample 07:03 -!- mode/##openvpn [-o krzee] by krzee 07:04 < krzee> aww shit 07:04 < krzee> i messed up on iporder 07:04 < krzee> !forget iporder 2 07:04 < krzee> !forget iporder 2 07:04 < vpnHelper> krzee: Joo got it. 07:04 < krzee> !forget iporder 2 07:04 < vpnHelper> krzee: Joo got it. 07:04 < vpnHelper> krzee: Joo got it. 07:04 < ecrist> krzee: don't need to be op to change topic 07:04 -!- ecrist changed the topic of ##openvpn to: Eric rocks! 07:05 < krzee> !learn iporder as Use --client-config-dir file for static IP (next choice) !static for more info 07:05 < vpnHelper> krzee: Joo got it. 07:05 < krzee> !learn iporder as Use --ifconfig-pool allocation for dynamic IP (last choice) 07:05 < vpnHelper> krzee: Joo got it. 
07:05 < djc> !static 07:05 < vpnHelper> djc: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd and !iporder 07:05 -!- ecrist changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder !sample 07:05 < krzee> !learn iporder as if you use --ifconfig-pool-persist see !ipp 07:05 < vpnHelper> krzee: Joo got it. 07:05 < krzee> ecrist loves to be the one who sets the topic 07:05 < krzee> lol 07:05 < ecrist> naw 07:06 < ecrist> was just demonstrating. :) 07:06 < krzee> you do it with /topic deoped? 07:06 < krzee> or through chanserv 07:06 < ecrist> yep 07:06 < krzee> ahh cool 07:07 < ecrist> surprisingly, nobody's abusing it. 07:07 < ecrist> reiffert's suggestion 07:07 < krzee> oh i figured only we could 07:07 < krzee> *shrug* that works 07:07 < krzee> we can always lose the abusers ;] 07:07 < ecrist> exactly 07:08 < krzee> welcome to ##openvpn, we have given you enough rope to hang yourself with, tie it wisely 07:08 < krzee> haha 07:09 < djc> krzee: so can I see the ccd/ipp.txt that go along with your sampleconfigs, too? 
07:09 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: isox, dazo_gone, Bushmills, djc, karlpinc, kaii 07:09 -!- ThoMe is now known as thomas 07:09 < krzee> pretend it doesnt exist 07:09 < krzee> openvpn makes it itself 07:09 < krzee> and i will remove it anyways 07:09 < krzee> cause ipp is kinda useless 07:10 -!- Netsplit over, joins: djc, dazo_gone, karlpinc, kaii, isox, Bushmills 07:10 -!- thomas [i=tm@tm.muc.de] has quit [Killed by ballard.freenode.net (Nick collision)] 07:10 -!- ThoMe [n=tm@tm.muc.de] has joined ##openvpn 07:10 < krzee> there, removed 07:11 < krzee> !ipp 07:11 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 07:11 < krzee> see #2 07:11 < djc> !static 07:11 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Connection timed out] 07:11 < vpnHelper> djc: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd and !iporder 07:12 < reiffert> ecrist: sorry? 07:12 < reiffert> ah, -t 07:13 < krzee> djc, is it that complicated? 07:13 < krzee> i thought my bot spelt it out pretty simply 07:13 < djc> krzee: yes, sorry, I'm not that well-versed in all of this 07:14 < krzee> ok 07:14 < djc> and it's a while ago that I set this up 07:14 < krzee> !static 07:14 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd and !iporder 07:14 < krzee> !ccd 07:14 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 07:14 < djc> one of the attractions of subnet topology is that it makes it work just like a normal DHCP-run subnet 07:14 < krzee> all it does is get around this: 07:14 < krzee> !net30 07:14 < vpnHelper> krzee: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 07:14 < krzee> and heres how: 07:14 < krzee> !topology 07:14 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 07:15 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has joined ##openvpn 07:15 < krzee> but that doesnt make ifconfig-push any different 07:15 < krzee> !man 07:15 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 07:15 < djc> yeah, reading the manual now 07:16 < krzee> example: ifconfig-push 10.8.0.0 255.255.255.0 07:17 < djc> right 07:17 < krzee> err 07:17 < krzee> example: ifconfig-push 10.8.0.4 255.255.255.0 07:17 < krzee> my bad 0.0 wouldnt be cool 07:17 < djc> yeah 07:19 < krzee> !forget static 2 07:19 < vpnHelper> krzee: Joo got it. 07:19 < krzee> !learn static as example: ifconfig-push 10.8.0.6 255.255.255.0 07:19 < vpnHelper> krzee: Joo got it. 07:20 < krzee> !learn static as also see !ccd and !iporder 07:20 < vpnHelper> krzee: Joo got it. 07:22 < reiffert> time for opening the grill season 07:22 < reiffert> time to open the grilling season? 
07:22 < ecrist> hell yeah 07:29 < djc> ARGH 07:29 < djc> wtf 07:32 < djc> guys, I love openvpn when it works, but configuration is just a fucking pain 07:32 < djc> I'll just work with connect-order IPs for now 07:32 < krzee> lol 07:32 < krzee> you had it spoon fed to you 07:33 < krzee> my bot did everything but add it to your config for you 07:33 < djc> I know you think so, but apparently I'm just not too bright or not as into openvpn that what your bot did felt as spoonfeeding 07:33 < djc> I tried to specify --route and it just kept complaining about not having a gateway 07:34 < krzee> it gave you the commands to paste in your config 07:34 < krzee> wasnt it a static ip you wanted to add...? 07:34 < krzee> not having a gateway... you on dialup? 07:34 < djc> yes, but to use ccd I apparently need to add route? 07:34 < krzee> no... 07:34 < krzee> !ccd 07:34 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 07:34 < krzee> does it say something about route there? 
07:35 < djc> the text from the example config did say something about that 07:35 < krzee> i said my bot spoonfed you, not some example config somewhere 07:35 < djc> this is from the official one 07:35 < krzee> *shrug* 07:36 < djc> but ok, let me try again 07:36 < krzee> you misunderstood it, and my bot DID tell you exactly what to do 07:36 < krzee> what it probably said is that iroute MUST go in a ccd entry if it is going to be used 07:36 < krzee> but a better explanation of that stuff is in my routing writeup (!route) 07:36 < krzee> but it has nothing to do with static ips 07:37 < qknight> afonso: /j #kde 07:37 < djc> !iporder 07:37 < vpnHelper> djc: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 07:37 < krzee> afonso isnt even in here qknight 07:37 < djc> !static 07:37 < vpnHelper> djc: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 07:38 < djc> !ccd 07:38 < vpnHelper> djc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 07:39 < krzee> goodnight 07:39 < tjz> niteee 07:39 < djc> well, I have client-configdir /etc/openvpn/ccd in my config, then /etc/openvpn/cdd/client1 contains ifconfig-push 10.8.0.2 255.255.255.0 07:40 < djc> but 10.8.0.2 is still given out to client2 if I connect it first 07:40 < djc> but thanks for your patience 07:43 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit ["bbl"] 07:45 < djc> to be fair, the ccd for client1 seems to work, but that apparently doesn't mean that other clients can get that IP address 07:45 < djc> which is .. well, stupid 07:46 -!- djc [n=djc@xavamedia.nl] has left ##openvpn [] 07:48 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)] 07:49 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 08:03 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection] 08:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:58 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has joined ##openvpn 08:59 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has quit [Client Quit] 09:00 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has joined ##openvpn 09:25 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has quit ["Leaving."] 09:34 -!- teddy__ [n=teddy@208.92.235.227] has quit [SendQ exceeded] 09:36 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 09:37 -!- lepine1 [n=leprecha@206-248-132-81.dsl.teksavvy.com] has quit [Read error: 110 (Connection timed out)] 09:42 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 09:47 < ecrist> krzee: when you want that server turned up? 10:02 < lepine> this might not be an openvpn specific question, but that's the scope i'm wondering about anyway ... is there a way to have the server push dns servers ... 
but have the client use it's pre-existing dns for local domains? eg, i want to tunnel out of work, and i want to use my own DNS whenever possible ... except that any queries to our local windows domain will fail ... what can i do? except a last hosts file 10:03 < lepine> *except a long hosts file 10:04 < lepine> or offering recursion on my own dns and host copies of the zones (i dont want to) 10:04 < ecrist> lepine: that doesn't really work in *any* network scenario 10:05 < lepine> so i 10:05 < lepine> have to use a large hosts file? 10:06 < ecrist> yes, if you've got a bunch of private dns stuff on two separate networks. 10:07 < lepine> bleh, using work's DNS would make the vpn more or less pointless 10:09 < lepine> The day they start logging DNS queries, i'll start getting worried ... i can live with that for now ... 10:10 < lepine> is there a way i can set that behaviour in the client ... keep the push dns ... so other clients use the supplied DNS ... but this one client for me at work doesnt? 10:22 < ecrist> hrm, I don't know that there's a why to *not* push an option 10:22 < ecrist> lemme look 10:22 < ecrist> what version openvpn? 10:24 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has quit ["Leaving."] 10:36 < ecrist> nm 10:36 -!- codev [n=avinash@static-71-172-94-115.nwrknj.fios.verizon.net] has joined ##openvpn 10:37 < codev> I'm trying to get openVPN set up correctly, and I can't ping across the tunnel 10:37 * ecrist points to the channel topic 10:38 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 10:38 < codev> I've checked that, and I have accept as my default policy (flushed) and also ip.forward is on 10:38 < codev> It's basically stopped at PREROUTING .. 10:41 < HardDisk_WP> codev, do you use bridged tunnel? 
10:43 < codev> HardDisk_WP: routed 10:43 < HardDisk_WP> ah ok 10:44 < HardDisk_WP> check your gateway settings, nevertheless 10:44 < HardDisk_WP> look if you got crap in the routing tables 10:44 < codev> 10.14.16.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 10:45 < codev> That's basically my ptp tun 10:46 < codev> I've got some other routes as well, none overlapping .. like 192.168.122.X that routes to some VMs.. and I can't ping them either 10:46 < codev> so at that point 192.168.122.4 would come over tun0 and would get hung in prerout 10:46 < HardDisk_WP> ok... no idea, sorry 10:46 < HardDisk_WP> eh wait 10:46 < HardDisk_WP> you route everything over tun0... 10:46 < HardDisk_WP> circle routing. 10:47 < HardDisk_WP> of course. 10:47 < HardDisk_WP> route everything to the openvpn server via eth0 or whatever your inet connection is 10:48 < codev> I have a subnet 192.168.122.X I want to be accessible from the client 10:48 < codev> 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 br0 10:49 < codev> as far as I know..I'd just push that route to the clients.. 10:49 < codev> that's not the whole table, let me pastebin 10:51 < codev> http://www.pastebin.ca/1388064 11:25 < ecrist> codev: are you *sure* it's not your firewall? 11:26 < ecrist> generally, 'I cant ping the vpn address' mean your firewall is FUBAR 11:28 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:45 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 11:53 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 12:00 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn 12:31 -!- huslu_ is now known as huslu 12:42 < dan__t> hi. 12:45 < codev> ecrist: there are NO rules :-/ and def. policy is accept 12:53 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 13:06 < HardDisk_WP> codev, do you have another firewall installed? 13:06 < HardDisk_WP> an IDS maybe? 
13:08 -!- adac [n=nutella@host99-45-static.61-88-b.business.telecomitalia.it] has joined ##openvpn 13:10 < adac> Is there a log file on client side that is more verbose than the /var/log/daemon.log ? I get this error at the moment while trying to connect to the vpn server: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 13:14 -!- mepholic [n=what@67.202.101.69] has joined ##openvpn 13:15 < mepholic> Hey guys 13:15 < codev> adac, can you keep in foreground and crank up debugging? 13:15 < codev> HardDisk_WP: doubt it man, base gentoo install lol 13:15 < mepholic> I'm having problems getting non computer uh... clients onto my vpn 13:16 < codev> mepholic: what? lol 13:16 < mepholic> I mean like.. wifi access points and stuff 13:16 < mepholic> ok, my setup: 13:16 < mepholic> i have an openvpn server running on a dedicated server at a nearby datacenter 13:16 < mepholic> clients from all over the country can connect to it 13:16 < HardDisk_WP> mepholic, DD-WRT is capable of being an VPN hotspo 13:17 < HardDisk_WP> üt 13:17 < HardDisk_WP> +t 13:17 < mepholic> this is a tab based vpn 13:17 < mepholic> uh 13:17 < mepholic> tap* 13:17 < mepholic> HardDisk_WP, not my question, hold on just a minute :) 13:17 < adac> codev, sorry I don't understand? 
13:18 < mepholic> anyways, i'm running a DHCP server so i can have multiple vpn servers on the same subnet 13:18 < HardDisk_WP> ah k 13:18 < mepholic> now what I am doing at my house, is i have 2 ethernet adapters in my computer 13:18 < mepholic> connected to the vpn 13:18 < mepholic> then i bridged the vpn interface and one of the ethernet adaptors 13:18 < mepholic> that is then plugged into a vlan on my switch 13:19 < mepholic> so i have a vlan on my switch that I can plug computers into and be "directly" on the vpn 13:19 < mepholic> it works with my laptop just fine 13:19 < mepholic> now i tried to plug a WAP11 Linksys Wireless access point into it 13:19 < mepholic> i configured it beforehand 13:20 < mepholic> then plugged it into the vpn 13:20 < mepholic> and it doesnt work 13:20 < mepholic> i can't get ping responses, clients on the access point can't get to the vpn, etc 13:20 < mepholic> same thing with a Cisco ATA 186 i have 13:21 < mepholic> no pings, can't access the web interface 13:21 < mepholic> that is an analog to ip telephone convertor 13:21 < codev> :-/ 13:21 < mepholic> does anybody know why I can get computers to work, but not other network devices? 13:22 < mepholic> the one thing that i thought about was the weird subnet 13:22 < mepholic> 14.28.0.0/14 13:22 < mepholic> I even tried to statically configure the access point 13:23 < mepholic> put it on 14.28.3.10 with 14.28.1.1 as the gateway, 255.252.0.0 as the netmask, etc 13:23 < mepholic> no luck 13:24 < mepholic> by the way, this is a linux bridge 13:27 < mepholic> anyways, I'm baffled 13:29 < codev> i have the same problem, but it's just..that i can ping my vpn lol 13:30 < mepholic> from a bridge? 
13:30 < codev> im trying to get the client's ping to get through a bridge on the VPN server 13:30 < codev> i've got a ton of VMs and they're sitting on a bridge 13:30 < codev> route looks good 13:30 < codev> i just have no idea 13:30 < mepholic> lololol 13:30 < mepholic> god i love vm's 13:30 < mepholic> openvz? 13:31 < codev> qemu/kvm actually 13:31 < mepholic> ew 13:31 < mepholic> i got it working perfectly with openvz 13:31 < codev> how is openvz? 13:31 < mepholic> awesome 13:32 < mepholic> other then the need to replace your kernel 13:32 < mepholic> but you can cram toms of vps's onto a box 13:32 < codev> ah, do that anyway cause this KVM env is ONLY to test a live Xen env 13:32 < mepholic> they are really fast too 13:32 < mepholic> ah 13:32 < codev> my routing was working fine until i added openvpn 13:32 < codev> then i fucked it all up 13:32 < codev> now i cn't even ping vpn lol 13:32 < mepholic> well, if you are going to be running openvpn off of a vps, use xen 13:33 < mepholic> if you are using tap that is 13:33 < mepholic> it works fine with tun on openvz 13:33 < mepholic> but tap won't work 13:34 < mepholic> so what i did, is i have a hardware node running a tap based openvpn server 13:34 < codev> it must be something im doing that's wrong cause the examples work fine 13:34 < mepholic> with the tap interface and a few vps's in a bridgwe 13:34 < codev> what do you have rnning on openvz?? 
13:34 < mepholic> well 13:34 < mepholic> a dns server, a ntp server, a dhcp server 13:35 < mepholic> ntp and dhcp are on the same box 13:35 < mepholic> well 13:35 < mepholic> vm 13:35 < mepholic> dns is on a seperate vm 13:35 < mepholic> then i have an other hardware node on the other side of the country with a few more vm's 13:35 < mepholic> another dns server 13:35 < codev> gotcha 13:35 < mepholic> some other stuff 13:35 < mepholic> main server is in chicago 13:36 < mepholic> the secondary dns is in vancouver 13:36 < mepholic> then i have another box in toronto doing things like ldap and such 13:37 < mepholic> this has been an ongoing project since early december 13:47 -!- codev [n=avinash@static-71-172-94-115.nwrknj.fios.verizon.net] has quit ["Lost terminal"] 14:22 < krzee> why do you want bridge instead of routed tunnel? 14:23 < krzee> also 14:23 < krzee> Fixed.... Turns out it was a VMWare issue with it not allowing the interfaces 14:23 < krzee> to be promisc. Once I turned it on, things worked great!!!! 14:23 < krzee> thats a recent message from the mail list 14:23 -!- ampsix [i=moneybag@has.no.info.tm] has joined ##openvpn 14:24 < krzee> (that was a bridge) 14:24 -!- cirdan_ [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has joined ##openvpn 14:25 -!- cirdan_ [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has quit [Client Quit] 14:26 -!- cirdan [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has quit [Nick collision from services.] 14:27 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 14:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:29 < mepholic> why do you want bridge instead of routed tunnel? 14:29 < mepholic> routed tunnels are useless 14:29 < krzee> ?? 14:29 < mepholic> first of all, i couldn't do dhcp 14:29 < krzee> why would you need dhcp? 
14:29 < mepholic> or anything else that the vpn is actually meant for 14:29 < mepholic> anything requireing broadcasts or multicasts 14:30 < krzee> broadcasts are ip packets sent to ethernet, a routed tap will do 14:30 < mepholic> i'm talking about like 14:30 < mepholic> samba, online games, etc 14:30 < mepholic> lan games 14:30 < krzee> same = wins 14:31 < krzee> lan games, if they use layer2 are a good reason tho 14:31 < krzee> but to say routed tuns are useless is very wrong 14:31 < mepholic> kraut, roujted tunnels are useless for me 14:31 < krzee> cause over 90% of the time thats what people who are trying to setup a bridge really need 14:31 < krzee> !tunortap 14:31 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 14:31 < mepholic> which i dop 14:32 < krzee> cool 14:32 < krzee> carry on 14:32 < mepholic> i just wanna figure out why this isn't working 14:32 < mepholic> i don't see why it wouldnt be 14:32 < krzee> i missed the question 14:32 < mepholic> well, there is no reason that it shouldn't be 14:32 < mepholic> read up 14:33 < mepholic> i explained everything up there 14:33 < mepholic> kind of a longish question 14:33 < krzee> i would but i need to leave in 3 minutes 14:33 < mepholic> now what I am doing at my house, is i have 2 ethernet adapters in my computer 14:33 < mepholic> connected to the vpn 14:33 < mepholic> then i bridged the vpn interface and one of the ethernet adaptors 14:33 < mepholic> that is then plugged into a vlan on my switch 14:33 < mepholic> so i have a vlan on my switch that I can plug computers into and be "directly" on the vpn 14:33 < mepholic> it works with my laptop just fine 14:33 < mepholic> now i tried to plug a WAP11 Linksys Wireless access point into it 14:33 < mepholic> i configured it beforehand 14:33 < mepholic> then plugged it into the vpn 14:33 < mepholic> and it 
doesnt work 14:33 < mepholic> i can't get ping responses, clients on the access point can't get to the vpn, etc 14:33 < mepholic> same thing with a Cisco ATA 186 i have 14:33 < mepholic> no pings, can't access the web interface 14:33 < mepholic> :3 14:34 < krzee> you know you dont need 2 nics for openvpn right? 14:34 < mepholic> for what i'm doing, I do 14:34 < mepholic> you see, my computer is a client 14:35 < mepholic> one is plugged into my lan, which goes out to the internet 14:35 < mepholic> the other is plugged into a 6 port vlan on my switch 14:35 < mepholic> tap0 is bridged with eth1 14:35 < mepholic> which is plugged into the switch 14:35 < krzee> ya man i have no clue 14:35 < krzee> i havnt setup a bridge in years 14:35 < mepholic> so i can plug devices into the switch on that vlan, and they'll be on the vpn 14:36 < krzee> if one of my servers gets owned im not gunna let my lan be vuln to layer2 attacks 14:36 < krzee> i stick to layer3 for the inet 14:36 < mepholic> it's not like this is a business 14:36 < krzee> me niether 14:36 < mepholic> its just a project i'm working on 14:36 < mepholic> but you can't get to my lan from the vpn 14:37 < mepholic> i just want to be able to for example, have a wifi access point that is on the vpn directly 14:37 < krzee> cool, i still dont know 14:37 < mepholic> mmk 14:37 < mepholic> thanks anyways 14:38 < krzee> np, woulda helped if it was a setup i had some experience with 14:38 < mepholic> well, you understand the problem though, right? 14:38 < mepholic> computers will work when they are plugged into the vlan, but other network devices won't 14:39 < krzee> ild call that a good thing personally 14:39 < krzee> *shrug* 14:40 < krzee> do you even get ARP? 
14:40 < krzee> shit its 3:40 i gotta go 14:40 < mepholic> yes i do 15:01 -!- cunderid [n=arne@p548EFDD5.dip.t-dialin.net] has joined ##openvpn 15:08 -!- cunderid [n=arne@p548EFDD5.dip.t-dialin.net] has left ##openvpn ["Ex-Chat"] 15:12 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 15:18 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 15:23 < krzie> werd back 15:51 < dan__t> werd 15:54 -!- ampsix [i=moneybag@has.no.info.tm] has quit [Remote closed the connection] 15:54 < krzie> zabbix is <3 15:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 16:01 < adac> can someone help me with this error: http://pastebin.com/m4fb7d7e1 ? 16:06 < troy-> if i run build-key client2 at a later time do i need to rerun ./build-dh? 16:07 < dan__t> no\ 16:07 < troy-> what does build-dh do? 16:07 < krzie> dh keys are only generated 1x, and only go on the server 16:07 < krzie> !dh 16:07 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 16:08 < troy-> ah, thank you 16:08 < krzie> np 16:08 < krzie> # 16:08 < krzie> Fri Apr 10 22:56:09 2009 us=5565 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 16:09 < krzie> are you sure you're connecting to the right port on the right ip with the right protocol? 16:09 < krzie> if so, are you sure the firewall on the remote machine has that port for that ip for that protocol open? 
16:09 < adac> krzie, yes I'm sure about the ip and port 16:09 < krzie> and if so, are you sure the service provider allows a connection to that port on that ip for that protocol to be connected to 16:10 < adac> problem is the vpn server is behind a NAT 16:10 < krzie> then setup the port forward 16:10 < adac> I did port forwarding on my linuxy server to the vpn server machine 16:10 < krzie> either you didnt open the port in the firewall or your port forward didnt work 16:11 < krzie> cause connection refused means 1 very specific thing 16:11 < krzie> it got a request, and actively refused it 16:11 < krzie> versus a timeout 16:11 < adac> krzie, port forwarding also should also be fine...i did that a hundred times on other apps. :( 16:11 < krzie> also 16:11 < krzie> consider moving from rc11 to rc15 16:11 < krzie> (even tho thats not your problem, it could be another) 16:12 < adac> krzie, I see 16:12 < krzie> then maybe you didnt open the port in firewasll 16:12 < krzie> but its something along those lines 16:12 < krzie> doublecheck its UDP and not TCP you forwarded/opened 16:12 < dan__t> Are you using UDP over a really, really shitty router? 16:12 < dan__t> Like, say, a Linksys WRT 16:12 < krzie> hey those arent that shitty! 16:13 < dan__t> They are for OpenVPN 16:13 < krzie> ive got some serious no-name routers that are much shittier! 16:13 < dan__t> and heavy UDP 16:13 < dan__t> heh 16:13 < krzie> heheh 16:13 < dan__t> Do they butcher UDP? No. 16:13 < dan__t> haha 16:13 < adac> krzie, dan__t uhh I see probaly udp makes the problem 16:13 < krzie> (i grabbed a few wifi routers to test diff WEP attacks on diff routers) 16:13 < krzie> it could be, but if you can get UDP working you want to 16:13 < krzie> !tcp 16:13 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 16:14 < dan__t> oh, whatever. 
16:14 < adac> krzie, dan__t: this is how i did forwarding on the server router to the server vpn: http://pastebin.com/m36fcc313 16:14 < dan__t> The margin of failure or error is so miniscule that on 10MBit I'm not going to give a flying fuck. 16:14 -!- guy191 [n=carbon@hosr3141-04.hh.se] has joined ##openvpn 16:14 < guy191> Hii room 16:14 < dan__t> Hii dude. 16:14 < krzie> hiiii 16:15 < guy191> which VPN Software work with by default WinXP VPN client ? 16:15 < krzie> !notcompat 16:15 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 16:15 < guy191> i meant open VPN dont work with XP clients 16:15 < krzie> sure it does, but not with default one 16:15 < krzie> you can install openvpn on windows... 16:15 < krzie> even comes with a lil gui for ya 16:15 < guy191> yes.. openvpn client ? 16:16 < krzie> and can be installed as a service 16:16 < krzie> openvpn doesnt have a client / server app 16:16 < krzie> the config decides how it works 16:16 < krzie> but yes 16:16 < adac> krzie, dan__t: with openvpn: do I have to port forward the port also on client side? 16:16 < krzie> adac 16:16 < krzie> no 16:16 < guy191> krzie: open vpn is not client/server app 16:16 < krzie> not if the client is connecting to the server 16:17 < krzie> guy191 openvpn can be setup to run client/server 16:17 < krzie> or point-to-point 16:17 < adac> krzie, ok I see! I read this somewhere in the internet (: 16:17 < dan__t> No, but if your firewall has no knowledge of a "related" or "established" port then you're fucked. 16:17 < krzie> but you use the exact same install no matter what 16:17 < guy191> i meant.. 
if i will install openvpn server on linux then clients will be XP installed client
16:17 < krzie> the config decides how it acts
16:17 < dan__t> However, if you can connect to the internet through it, chances are great that it does.
16:17 < guy191> oh i see
16:18 < guy191> which VPN router works very well with XP by default clients ?..
16:18 < guy191> Cisco routers ?
16:18 < krzie> adac, most routers will automatically map a way back through the nat when you make an outbound connection, thats how STUN works for voip
16:18 -!- mepholic [n=what@67.202.101.69] has quit [Remote closed the connection]
16:18 < adac> krzie, ok I see!
16:19 < krzie> guy191 dunno, this is a channel for openvpn only
16:19 < krzie> and openvpn works great for XP
16:19 < krzie> as well as linux, bsd
16:19 < guy191> hmm..
16:20 < krzie> if you use ssl-admin it will even zip up the client config with their certs, they just move those files into the right place after installing openvpn, and booya all done
16:23 < adac> krzie, so do i need to port forward udp and tcp on vpn server side?
16:24 < dan__t> Either OR
16:26 < adac> dan__t, well in my config there is udp uncommented so i guess it has to be the udp port that needs to be forwarded? ;)
16:26 < dan__t> One would assume so.
16:26 < adac> hehehe :)
16:28 < krzie> heheh
16:33 < adac> Ok I get another error now after forwarding with the correct udp protocol now :P http://pastebin.com/m4dc54877
16:34 < guy191> what are the benefits of DMZ.. where do we need to use it ?
16:36 < guy191> adac: its an error of open VPN with SSL ?
16:37 < dan__t> guy191, when one host in the organization should not be connected by any means to any other part of the organization?
16:39 < guy191> Dan__t: sorry didn't get .. what u said ?
16:42 < krzie> a DMZ is good for separating something that can be connected to from the world from the LAN which cannot
16:42 < krzie> so lets say your webserver gets owned
16:42 < krzie> its in a separate lan, and does not compromise the rest of your network if your firewall is setup correctly
16:43 < guy191> hmm..
16:43 < guy191> which Distro is best for Open VPN ?
16:43 < krzie> very common for corporate networks
16:44 < krzie> basically a DMZ is part of the network which is less trusted than the rest
16:44 < krzie> guy191, whichever distro you are most comfortable with
16:44 < adac> krzie, dan__t: what is the difference between server.crt and ca.crt? which of those two are needed on client side?
16:45 < krzie> openvpn runs fine on all BSD and linux distros, it comes down to how well you know the system for the rest of administration
16:45 < guy191> hmm.. Ubuntu / Centos
16:45 < krzie> adac, see !howto
16:45 < krzie> there is a table of which files go where
16:45 < krzie> the difference is plain when you understand how PKI works
16:45 < krzie> (so read about it)
16:45 < adac> krzie, ok!
16:46 < guy191> adac: read this one regarding keys.. looking nice
16:46 < guy191> http://openvpn.net/archive/openvpn-users/2004-09/msg00252.html
16:46 < vpnHelper> Title: [Openvpn-users] SSL/TLS Configuration (at openvpn.net)
16:46 < adac> guy191, thx!
16:48 < krzie> also for making keys, you may enjoy ssl-admin
16:48 < krzie> very good key management system
16:48 < krzie> !ssl-admin
16:48 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
16:48 < guy191> krzie: if we have all Unix systems on LAN with VPN Server.. so the client will connect to it and share network.. what extra things will be important on VPNServer to configure for sharing XP client with LINUX /Unix LAN services ?
16:48 < krzie> if you want to use the packaging ovpn.conf + ssl-keys feature you need to install zip as well
16:49 < krzie> guy191 what services will need to be shared?
16:49 < guy191> file sharing..
16:49 < krzie> and for LANs behind openvpn, see !route (as the topic says)
16:49 < krzie> file sharing using samba?
16:49 < reiffert> guy191: a firewall
16:49 < krzie> file sharing using NFS?
16:49 < reiffert> = important
16:49 < krzie> file sharing using ftp?
16:49 < guy191> krzie: samba/nfs..
16:49 < krzie> file sharing using your mom to hand them manually?
16:50 < krzie> there we go!
16:50 < krzie> for samba you will need WINS
16:50 < krzie> !wins
16:50 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:50 < reiffert> wins sucks.
16:50 < krzie> reiffert negative, its better than using a bridge for samba
16:50 < guy191> krzie: why wins ?
16:50 < reiffert> just use a broadcast relay
16:51 < krzie> *shrug* you could do that too, but windows was made to use wins anyways
16:51 < reiffert> or bridging setup (openvpn=
16:51 < krzie> either way, broadcast relay or wins
16:51 < guy191> krzie: if client is connected to network then samba services on those UNIX/LINUX servers is not enough through samba ?
16:51 < krzie> maybe you could write a doc on adding a broadcast relay reif
16:51 < reiffert> samba was designed to be used on LANs and not on VPN tunnels
16:51 < krzie> and for NFS support on windows, you're on your own, its a PITA and i never found a reliable free method
16:51 < guy191> hmm..
16:52 < reiffert> ah well, windows networking that is.
16:52 < krzie> reiffert sure it was, thats why they made wins
16:52 < reiffert> crap
16:52 < krzie> well was kinda, not too good of performance on it
16:52 < krzie> in fact rather poor
16:52 < krzie> but hell its a windows protocol, what do we expect
16:52 < reiffert> wins helps browsing but its not speeding up file transfer across vpn tunnels
16:52 < guy191> krzie: i noticed that VISTA in lan doesnt support SAMBA ?
16:53 < krzie> i wouldnt know, ive never used vista and never will
16:53 < krzie> i use osx and BSD
16:53 < guy191> haha oh yes !!
16:53 < reiffert> oh yes!!
16:53 < krzie> yes oh yes!
16:53 * krzie dry humps the desk
16:53 < reiffert> yeah yes yes oh yeah!!
16:54 < krzie> whoever pasted this: http://openvpn.net/archive/openvpn-users/2004-09/msg00252.html
16:54 < vpnHelper> Title: [Openvpn-users] SSL/TLS Configuration (at openvpn.net)
16:54 < guy191> haha what happened guyz
16:54 < krzie> they didnt make the server cert right
16:54 < krzie> !servercert
16:54 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
16:54 < krzie> -extensions server is important for !mitm
16:54 < guy191> i meant Ooh yes.. because I'm sitting in UNIX/LINUX world so why vista will be here
16:55 < reiffert> krzie: you could hand that in your openssl.cnf file
16:55 < adac> hmm it seems that I'm now connected to the vpn...but i still have the local ip address and not the remote one
16:55 < reiffert> guy191: oh YES!
16:55 < krzie> adac:
16:55 < krzie> !configs
16:55 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:55 < krzie> what do you mean the local ip and not remote
16:55 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn
16:56 < reiffert> adac: maybe because of IP addresses are made to be used locally ..
16:56 < krzie> you mean you expected it to automagically default route through the VPN?
16:56 < adac> krzie, aye :)
16:56 < unix3> Hello all
16:56 < krzie> heres what you need:
16:56 < krzie> !def1
16:56 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:56 < krzie> !linnat
16:56 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:56 < reiffert> I want to have the IP address of google.com, gimme YES YES YES!
16:56 < adac> krzie, It was like that when I connected to my other vpn
16:56 < krzie> !linipforward
16:56 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
16:56 < reiffert> !static
16:56 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:56 < reiffert> !ccd
16:56 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
16:56 < reiffert> !ipp
16:56 < vpnHelper> reiffert: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:56 * krzie dry humps reiffert's desk
16:56 < reiffert> :)
16:57 < guy191> krzie: network Manager tool also plays a vital role with open VPN on Linux .. ?
16:57 * reiffert takes a ride
16:57 < reiffert> bbl
16:57 < krzie> reiffert why the floop for static ips? did i miss someone asking bout that, lol
16:57 < krzie> !ubuntu
16:57 < vpnHelper> krzie: "ubuntu" is dont use network manager!
16:57 < adac> krzie, ok I did that ;)
16:57 < reiffert> krzie: wanna have some lard for the dry desk?
16:57 < guy191> !centos
16:57 < vpnHelper> guy191: Error: "centos" is not a valid command.
16:57 < krzie> bring on the lard!
16:57 < guy191> !fedora
16:57 < vpnHelper> guy191: Error: "fedora" is not a valid command.
16:58 < adac> No i just play around with the config files...I'm sure I find out how to make this work!
16:58 < reiffert> !YES
16:58 < vpnHelper> reiffert: Error: "YES" is not a valid command.
16:58 < reiffert> doh
16:58 < krzie> lol reiffert
16:58 < guy191> any wayz..Thanks Guys for discussion !!
16:58 < krzie> you're in a funny mood today ;]
16:58 < reiffert> !learn YES as i meant Ooh yes..
16:58 < guy191> !vpnhelper
16:58 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
16:58 < vpnHelper> guy191: Error: "vpnhelper" is not a valid command.
16:59 < guy191> !helper
16:59 < vpnHelper> guy191: Error: "helper" is not a valid command.
16:59 < guy191> ba bye !!
16:59 < krzie> !winnat
16:59 < vpnHelper> krzie: Error: "winnat" is not a valid command.
16:59 < guy191> !bye
16:59 < vpnHelper> guy191: Error: "bye" is not a valid command.
16:59 < krzie> bye guy
16:59 < reiffert> öäü
16:59 < reiffert> afk
16:59 -!- guy191 [n=carbon@hosr3141-04.hh.se] has left ##openvpn []
17:00 < unix3> hello guys.. I am a newbie in firewalls.. I have read docs.. and I have successfully established a VPN between two sites (client connecting to server) .. I am asking some orientation to configure this to actually do something for me... I am a little confused on the config that server.conf should have to allow my client to access an IP.
17:01 -!- Gumbler is now known as Gumbler|NotHere
17:01 < unix3> What i have in server.conf is # Address range for the tun(4) interfaces server 10.0.1.0 255.255.255.0 , # Add routes to the remote networks to the server's routing table route 192.168.0.0 255.255.255.0 ... based on that what do I do on the client to be able to ping _something_ in the server's network?
17:02 < krzie> !route
17:02 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:02 < unix3> am i supposed to be able to ping 10.0.1.1 from the client .. and it answering?
17:02 < krzie> only if you set it up correctly
17:02 < krzie> see the part of that doc below the picture
17:04 < unix3> hmm ok, I am reading it.. but.. I'd like to note that.. ultimately all I want to do is terminate all the traffic from my client to the internet gateway that the server uses.. thats all :P
17:04 < krzie> i thought you said you wanted to access the lan
17:05 < unix3> at first.. just to test.. because i havent been able to do anything with my VPN hehe.. but it would be better just to go ahead and do this internet termination over the vpn
17:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:06 < krzie> what os is server?
17:06 < unix3> most of the FAQs and docs I've read are just to link to LANs
17:06 < unix3> openbsd
17:06 < krzie> you need to setup NAT for the vpn ips to the inet on the server
17:06 < krzie> as well as IP forwarding
17:06 < krzie> and then:
17:06 < unix3> i know how to do that...
17:07 < krzie> !def1
17:07 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:07 < krzie> that can be used in the client.conf or pushed to it from server conf
17:08 < krzie> and if you'd report back on how to nat and ip forward in openbsd, i can add it to my bot
17:08 < krzie> !bsdnat
17:08 < vpnHelper> krzie: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
17:08 < krzie> !forget bsdnat
17:08 < vpnHelper> krzie: Joo got it.
17:09 < krzie> !learn fbsdnat as http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
17:09 < vpnHelper> krzie: Joo got it.
17:09 < unix3> okay I am kinda understanding now.. So in my client server.. I can NAT all traffic from eth0 to tun .. is that what I need as step 1?
17:09 < krzie> huh?
17:09 < krzie> no
17:10 < krzie> if you want to redirect all traffic from client to go to inet through server, you NAT the vpn network on the server
17:10 < unix3> what do I need to nat within my client server to where again?
17:10 < krzie> wtf is a clientserver
17:10 < unix3> please disregard client server, i meant client
17:11 < krzie> on the server
17:11 < krzie> in the firewall
17:11 < krzie> you nat vpn network to external
17:11 < unix3> understood
17:11 < krzie> just like if it were a LAN and your server were the router
17:11 < unix3> and what do i do on the client.. nothing?
17:12 < krzie> !def1
17:12 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:12 < krzie> you make it default route over the vpn
17:12 < unix3> understood
17:13 < krzie> ip forwarding must be enabled on the server machine as well
17:13 < unix3> both enabled. :)
17:13 < krzie> note, this does NOT help you with seeing the lan
17:13 < krzie> those are 2 very separate things
17:13 < unix3> its ok, i dont need that
17:13 < krzie> they can co-exist, but are done differently
17:13 < unix3> for now though
17:13 < krzie> when it comes time to have lans connectable, see !route
17:14 < unix3> ok step by step :)
17:14 < krzie> my writeup explaining everything you could need to know for that
17:14 < krzie> =]
17:15 < krzie> and if you wouldnt mind sharing how you enabled ip forwarding and nat rules on openbsd, i could update my bot for the next guy
17:15 < krzie> (i use freebsd)
17:15 < unix3> So back to the client.. I just change the default gateway . What is this about a def1 flag? where is that supposed to go?
17:15 < krzie> !def1
17:15 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:15 < krzie> READ THAT
17:15 < krzie> dont skim, my bot doesnt have fluff in those descriptions
17:15 < krzie> !man
17:15 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:16 < unix3> ok let me get this first to work and ill brb
17:16 < krzie> cool
17:18 < krzie> !factoids search forward
17:18 < vpnHelper> krzie: 'winipforward', 'linipforward', and 'bsdipforward'
17:19 < krzie> !learn ipforward as please choose between !linipforward !winipforward and !fbsdipforward
17:19 < vpnHelper> krzie: Joo got it.
17:19 < krzie> !bsdipforward
17:19 < vpnHelper> krzie: "bsdipforward" is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
17:19 < krzie> !forget bsdipforward
17:19 < vpnHelper> krzie: Joo got it.
17:19 < krzie> !learn fbsdipforward as is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
17:19 < vpnHelper> krzie: Joo got it.
17:19 < krzie> !factoids search nat
17:19 < vpnHelper> krzie: 'nat', 'linnat', and 'fbsdnat'
17:19 < krzie> !nat
17:19 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
17:19 < krzie> hrmz
17:20 < krzie> !learn nat as please choose between !linnat and !fbsdnat for specific howto
17:20 < vpnHelper> krzie: Joo got it.
17:21 < krzie> !learn redirect as in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push)
17:21 < vpnHelper> krzie: Joo got it.
17:22 < krzie> !learn redirect as you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and !ipforward)
17:22 < vpnHelper> krzie: Joo got it.
17:23 < krzie> !push
17:23 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
17:23 < krzie> there we go!
17:24 < unix3> so for now on the client.. all I do is something like: /usr/local/sbin/openvpn --config /etc/openvpn/client.conf --redirect-gateway def1
17:24 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder
17:25 < krzie> you can put redirect-gateway def1 in the config
17:25 < krzie> anything can be put in the config if you remove the --
17:25 < krzie> but ya that works too...
17:25 < unix3> nice
17:26 < unix3> ok lets try this out :)
17:26 < krzie> it can also be pushed to take away the option from the client (if it wasnt you)
17:26 < krzie> i like to push most stuff to clients so i can admin * from the server
17:26 < unix3> yeah through command line
17:26 < krzie> but thats not needed
17:27 < unix3> openvpn is absolutely incredible
17:27 < krzie> no i mean you put the option in server.conf but you push it
17:27 < unix3> ohh ok
17:27 < krzie> push "redirect-gateway def1"
17:27 < krzie> would make it appear in the client.conf magically on connect, but they wouldnt see it in the config
17:28 < krzie> its like an override on client.conf managed from the server
17:28 < krzie> and it can be done only for certain ones if you use ccd entries
17:28 < krzie> !ccd
17:28 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
17:32 < unix3> ok.. I am confused again. I understand there are several ways for me to give commands to openvpn... but why did you say I can push <> inside the config.. you mean I should literally put the words push and order within the config?
17:32 < krzie> you dont need to
17:33 < krzie> since you use openbsd i figure you're kinda advanced
17:33 < krzie> so i was telling you the diff ways an option can be given
17:33 < krzie> redirect-gateway def1 in client.conf is plenty
17:33 < krzie> another way is push "redirect-gateway def1" in server.conf
17:34 < krzie> another way is push "redirect-gateway def1" in a ccd entry on server side for only a certain client, and not all of them like option 2 was
17:34 < krzie> just use #1 if that confuses you
17:34 < krzie> #1 being: redirect-gateway def1 in client.conf is plenty
17:35 < unix3> oki :P
17:35 < krzie> and lemme rephrase that
17:36 < krzie> since you use openbsd and all your questions were specific to openvpn (ie: you understand your OS)
17:36 < krzie> if you were noobish using openbsd you would have had a few openbsd specific questions as well :-p
17:38 < unix3> ok it seems it worked, my default gateway is now 10.0.1.5 ...
17:38 < unix3> however ifconfig output for tun, says its doing 10.0.1.6 -> 10.0.1.5
17:39 < krzie> yup
17:39 < unix3> seems I am half way
17:39 < krzie> !net30
17:39 < vpnHelper> krzie: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
17:40 < unix3> hmm ok i think I am good at least for the client... now I configure the server.. right krzie ? :)
17:41 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has joined ##openvpn
17:41 < krzie> i thought you said you already had ipforwarding and nat on the server
17:41 < unix3> i do
17:41 < unix3> not nat
17:42 < unix3> let me do nat
17:42 < krzie> well nat the vpn network as if it were the lan
17:42 < krzie> and booya
17:43 < psomas> hello
17:43 < unix3> kraut, if i do that.. what happens if the vpn server also hosts apache for example.. that will continue to work.. right?
17:43 < krzie> sure why not
17:44 < krzie> but it wont go over vpn unless you specify the vpn ip and have apache listen on it
17:44 < unix3> its ok dont need that
17:44 < krzie> cause the only way to have a connection to the vpn is to have a direct route to it overriding your vpn default route
17:45 < psomas> is it possible to have multiple tls-remote statements (if u have multiple remote statements with remote-random)?
17:46 < troy-> i'm having an issue whereby two people are connected to the VPN and the server cant ping one of them
17:53 < unix3> nfe0 log on nfe0 from tun0:network to any -> nfe0 pf.conf NAT line
17:53 < unix3> that will redirect tun0 to nfe0
17:58 < krzie> thanx
17:59 < krzie> tested it?
17:59 < unix3> kraut, ok done.. but its not working.. I cannot ping google.com from the client
17:59 < unix3> please remember i did put some route stuff in the server.conf
17:59 < krzie> check logs on server
17:59 < unix3> that needs to be taken out right?
17:59 < krzie> any errors when adding the routes?
17:59 < krzie> possibly
17:59 < krzie> how bout this
17:59 < krzie> !configs
17:59 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:59 < krzie> !logs
17:59 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
17:59 < troy-> krzie, both clients can ping the server and the server cant ping them - *but* the clients cant ping each other
18:00 < troy-> any idea what might be wrong?
18:00 -!- adac [n=nutella@host99-45-static.61-88-b.business.telecomitalia.it] has quit ["Verlassend"]
18:00 < krzie> yes
18:00 < krzie> you need client-to-client in the server config
18:01 < unix3> interesting, when I ssh into the client.. it takes forever
18:02 < troy-> krzie, lol
18:03 < krzie> unix, you using tcp or udp?
18:05 < dan__t> So.... anyone want to school me on all the fields of a CRL? 18:05 < krzie> !crl 18:05 < vpnHelper> krzie: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) 18:05 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you 18:06 < dan__t> I know what the CRL is, I know its function. 18:06 < dan__t> but all the fields inside of it - I want to know all possible fields, what they're called, etc etc 18:06 < krzie> ahh, then i cant expand for ya =] 18:06 < krzie> ecrist might know 18:06 * dan__t stabs ecrist 18:07 < unix3> krzie, http://pastebin.com/m1e80bbf4 18:07 < krzie> gunna go with the interrogation method? 18:07 < krzie> haha 18:07 < dan__t> hah 18:09 < krzie> unix3 ill be a minute, busy for a few but i have the link open 18:09 < krzie> grab the logs while you wait for me 18:09 < krzie> !logs 18:09 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 18:10 < krzie> and you pasted server.conf 2x, no client.conf 18:10 < krzie> and no ccd entries 18:11 < unix3> krzie, iam sorry.. please disregard all of it.. one min 18:19 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has left ##openvpn [] 18:25 < unix3> krzie, http://pastebin.com/m5a047ca9 18:25 < unix3> there we go :P 18:26 < krzie> you might like to add this: 18:26 < krzie> !hmac 18:26 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 18:26 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 18:27 < unix3> understood.. 18:28 < unix3> btw... krzie when i do show route ... in the client.. it takes forever.. 18:28 < unix3> to show 18:28 < krzie> # 18:28 < krzie> push "route 172.16.0.0 255.255.255.0" 18:28 < krzie> # 18:28 < krzie> route 192.168.0.0 255.255.255.0 18:28 < krzie> # 18:28 < krzie> route 192.168.1.0 255.255.255.0 18:28 < krzie> this means the following: 18:28 < krzie> clients should all route 172.16.0.0 255.255.255.0 through the firewall 18:28 < krzie> the server should add 2 routes to its kernel's routing table 18:29 < krzie> 192.168.0.x and 192.168.1.x 18:29 < krzie> you say theres 1 ccd file 18:29 < krzie> so i assume both those lans are behind 1 client 18:29 < krzie> and that the name of that ccd file is EXACTLY the same as the common-name of the client 18:30 < unix3> no.. unfortunately i just got that from a default config.. 18:30 < unix3> i think i should delete them all 18:30 < unix3> it is exactly the same 18:30 < krzie> well thats what those do, decide if you need it or not and act occordingly 18:31 < krzie> but unless one of 172.16.0.x 192.168.0.x 192.168.1.x is the same as a lan you are using, they wont be doing anything 18:31 < unix3> what does it mean when you say that... clients should all route 172... ? 18:31 < krzie> if they are, and you have it backwards, it could screw something up 18:31 < krzie> push "route 172.16.0.0 255.255.255.0" 18:31 < krzie> this tells all clients to route that network through the vpn 18:32 < krzie> by adding a route in their kernel routing table 18:32 < unix3> there is a single LAN.. and that is.. 192.168.1.0 .. 
and its on the client 18:32 < unix3> the only LAN on the server is the internet itself 18:32 < krzie> and youd like it to work over the vpn? 18:32 < krzie> (the lan) 18:33 < krzie> and do you want it to work for other clients as well? or just for the server? 18:33 < unix3> krzie, i dont care about any lan actually.. 18:33 < krzie> then remove all 3 of those and the ccd file 18:33 < unix3> understood 18:33 < unix3> brb 18:33 < unix3> coffee 18:34 < krzie> No CCD file in client 18:34 < krzie> thats good, cause its not an option 18:34 < krzie> hehe 18:34 < krzie> and that wasnt what i wanted from your logs 18:34 < krzie> i want everything from start to finish of making the connection 18:35 < krzie> if i only wanted the portion of you pinging, i would have said so ;] 18:35 < krzie> i want it all! 18:35 < krzie> lol 18:35 < krzie> paha in spanish means jackoff 18:36 < krzie> spelt paja tho 18:37 < krzie> <-- lives in a spanish speaking country 18:39 < dan__t> America? 18:39 < dan__t> Or California? 18:39 < krzie> lol 18:39 < krzie> i moved out of california 2 yrs ago 18:39 < krzie> caribbean 18:40 < dan__t> wow, seriously? 18:40 < dan__t> what's it like living out there 18:40 < dan__t> never really thought of... living out there. 18:41 < krzie> its great 18:42 < krzie> cheap, beautiful, etc etc 18:44 < unix3> <--- also lives in a spanish speaking country 18:46 < dan__t> cheap? 18:46 < dan__t> like how cheap. 18:46 < dan__t> what do you do for work? 18:51 -!- unix3 is now known as epaphus 18:51 < dan__t> eh? wake up, bitch. 19:05 < epaphus> krzie, this is the log for the server http://pastebin.com/m2a30d0f8 19:06 < epaphus> this is the log for the client http://pastebin.com/d42a81ee 19:08 < epaphus> I think it is wise to note that the ifconfig output for the client shows for tun: inet 10.0.1.6 --> 10.0.1.5 netmask 0xffffffff , and the output on the server shows tun as.. inet 10.0.1.1 --> 10.0.1.2 netmask 0xffffffff 19:08 < epaphus> is that of any relevance? 
19:12 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has joined ##openvpn 19:14 < epaphus> krzie, ? 19:18 < epaphus> anybody? :) 19:33 < troy-> is there anything in the config that can be changed to optimize throughput? 19:33 < troy-> i can never seem to sustain more than 100KB/s 19:36 < krzie> ok im back 19:36 < epaphus> krzie, :) 19:36 < troy-> <3 krzie 19:36 < krzie> epaphus those ips are normal, type !/30 for more info 19:36 < krzie> troy: type !mtu-test 19:36 < troy-> !mtu-test 19:36 < vpnHelper> troy-: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 19:36 < krzie> (assuming you use udp) 19:38 < krzie> epaphus i dont see any problem, whats wrong? 19:38 < krzie> oh you're unix3 19:38 < krzie> check your NAT rules 19:39 < krzie> doublecheck ip forwarding is enabled 19:39 < troy-> krzie, how do i know what the dev id is? 19:39 < krzie> troy- why do you think you need it? 19:40 < krzie> you have multiple tun devices or renamed it? 19:40 < troy-> C:\Program Files\OpenVPN\bin>openvpn.exe --mtu-test 19:40 < troy-> Options error: You must define TUN/TAP device (--dev) 19:40 < krzie> LOL 19:40 < krzie> put it in the client config 19:40 < krzie> how would it POSSIBLY test mtu without knowing what server to connect to 19:40 < troy-> inside the ovpn file? 19:40 < psomas> ovpn on windows server 19:40 < psomas> ugly 19:41 < krzie> psomas mtu-test goes in the client 19:41 < psomas> :P 19:41 < troy-> psomas, its just a windows endpoint 19:41 < psomas> ah 19:41 < psomas> soz then :) 19:41 < krzie> soz? 19:41 < psomas> sorry 19:42 < krzie> ahh 19:43 < epaphus> krzie, i checked all that.. seems to be ok.. Iam almost sure that the problem is within the client server.. something to do with the way the traffic goes out of it.. it isnt normal that after I enabled the redirect option.. something was messed up in the rouring table.. 
because when i SSH into the server it takes about 2 monutes to give me a password and login prompt 19:43 < krzie> epaphus wtf is a client server 19:43 < epaphus> when i saw "client server" iam referringt o the client 19:43 < epaphus> to the client 19:43 < krzie> only use one of those words per machine 19:43 < troy-> krzie, i get an error saying it will only work with proto udp 19:43 < psomas> the client "daemon" prolly 19:44 < epaphus> krzie, when iam in the client.. and i type route show, it takes forever or doesnt show the tables 19:44 < krzie> troy, troy: type !mtu-test 19:44 < krzie> (assuming you use udp) 19:44 < troy-> !mtu-test 19:44 < vpnHelper> troy-: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 19:44 < krzie> since you dont 19:44 < krzie> !tcp 19:44 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:44 < krzie> you should expect low performance on a tcp vpn, that link explains why (i got that link from the man page) 19:45 < epaphus> i was thinking that ... why ifconfig said that tun is inet 10.0.1.6 --> 10.0.1.5 ... how did it invent those IPs? shouildnt it be inet 10.0.1.6 --> to.the.ip.of.the.tun.in.the.server? 19:45 < krzie> no epaphus, i told you 2x now to type !/30 to understand why 19:45 < epaphus> !/30 19:45 < vpnHelper> epaphus: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 19:45 < krzie> although if you use 2.1 you can make it that way by reading !topology 19:46 < epaphus> krzie, ok so anyways.. the logs appear to be ok? and they appear to initialize the connection with one another correctly.. right? 
19:47 < krzie> perfectly 19:47 < krzie> including routes 19:47 < krzie> your problem is either firewall, NAT, or ip forwarding 19:48 < krzie> all 3 would be on the server machine, and outside of openvpn 19:49 < krzie> you might need to specify the vpn ip range or something, i havnt played in obsd since 1999 19:49 < epaphus> firewall meaning you suspect the udp port is blocked.. right? 19:49 < krzie> no 19:49 < troy-> krzie, what should be in my ovpn file for mtu-test to work? 19:49 < krzie> it wouldnt connect if that was it 19:49 < epaphus> well my firewall only has 1 line, thats the NAT Line 19:49 < krzie> troy-, youd need to be in udp for that, but mtu isnt your problem, the fact you are on TCP is 19:49 < krzie> (as explained in !tcp ) 19:49 < troy-> krzie, i already changed that option 19:50 < krzie> epaphus i cant help you with openbsd specific stuff, but your problem is in 1 of those 3 places, and not in openvpn 19:50 < krzie> troy- so both sides are connected in udp now? 19:50 < troy-> oh, nope 19:50 < epaphus> krzie, oki.. 19:50 < krzie> then you didnt! 19:53 < epaphus> I think i see the problem now LOL... 20:02 < epaphus> This is the typical error message that the server is not reachable.. right ? Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS handshake failed Apr 10 13:07:23 UsbOcean openvpn[876]: TCP/UDP: Closing socket 20:03 < troy-> krzie, for some reason i can no longer ping my gateway when the connection is udp 20:04 < krzie> yes 20:04 < krzie> troy, did you look in logs for errors? 20:05 < epaphus> krzie, the yes was for me.. right? 20:05 < krzie> yes 20:10 < epaphus> krzie, and this is the typical last line when OpenVPN has been initialized successfully right.. Apr 10 20:06:51 vpn openvpn[25131]: Initialization Sequence Completed ? 
20:12 < krzie> yes, but that doesnt guarantee there wasnt an error above
20:13 < krzie> example, some windows clients will get routing errors but still succeed, i have !winroute for them
20:13 < krzie> but your logs looked fine
20:13 < krzie> and all routes were added right
20:13 < krzie> etc
20:13 < krzie> your problem is where i said it was
20:13 < epaphus> yeah its just that i did a little change on the nat now my client wont connect.. but it looks like the server did startup LOL
20:13 < epaphus> yup
20:14 < epaphus> its ok, this is the fun stuff.... ill deal by myself
20:14 < krzie> This is the typical error message that the server is not reachable..
20:14 < krzie> right ? Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS key
20:14 < krzie> negotiation failed to occur within 60 seconds (check your network
20:14 < krzie> connectivity) Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS
20:14 < krzie> handshake failed Apr 10 13:07:23 UsbOcean openvpn[876]: TCP/UDP:
20:14 < krzie> Closing socket
20:14 < krzie> that points to firewall issue
20:14 < krzie> open the udp port
20:14 < krzie> as i said before, all problems you get now til it works are firewall, nat, or ip forwarding
20:14 < epaphus> yup
20:14 < epaphus> checking all
20:15 < epaphus> thing is i broke something, so iam fixing
20:15 < krzie> when those are right, unless you modify your configs, it will work
20:15 < epaphus> :) super fun
20:15 < krzie> you're in the !notopenvpn territory now ;]
20:16 < epaphus> absolutely
20:16 * krzie loves his bot
20:22 < troy-> krzie, is there anything that limits the speed of individual connections?
20:22 < troy-> like i cant seem to get more than 1Mb/s
20:23 < troy-> per stream
20:23 < krzie> yes, --shaper if you choose to use it
20:23 < troy-> will it increase my per stream speed?
20:23 < krzie> are you still on tcp?
20:23 < troy-> udp
20:23 < krzie> no, it will lower it if you use it
20:23 < krzie> ok, did you test mtu now that you're on udp?
20:24 < troy-> hmm no, sec :P
20:25 < krzie> Uploading jefftest.zip to /usr/home/krzee/jefftest.zip
20:25 < krzie> jefftest.zip 100% 3964KB 3.9MB/s 00:01
20:25 < krzie> thats over a vpn connection (same lan, 2 colo'ed boxes at a datacenter)
20:25 < krzie> a 3.9M file in 1sec
20:31 < epaphus> krzie, the problem is my NAT line in server.... I honestly cannot get it correctly... do you have the line for freebsd?
20:33 < krzie> !fbsdnat
20:33 < vpnHelper> krzie: "fbsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
20:33 < krzie> thats what i have
20:33 < krzie> i havnt done nat in bsd since like yr 2000
20:33 < krzie> in fact i havnt done nat whatsoever since then
20:34 < krzie> except for lil linksys type routers
20:35 < krzie> !google openbsd nat
20:35 < vpnHelper> krzie: PF: Network Address Translation (NAT): ; OpenBSD as a Simple NAT Router - blog.scottlowe.org - The weblog ...: ; NAT with pf | O'Reilly Media:
20:38 < epaphus> yeah well.. the nat line is this one . nat on re0 from tun0:network to any -> re0
20:39 < epaphus> the thing is.. when I enable it.. then immediately my client loses the connection and cant connect
20:39 < epaphus> something must be wrong
20:39 < krzie> welp
20:39 < krzie> as i said
20:39 < krzie> i cant help you with your openbsd specific problem
20:39 < epaphus> i know :)
20:39 < epaphus> just saying for others to comment :P
20:39 < krzie> ahh werd
20:43 < krzie> pass in on $wlan_if inet proto udp from $wlan_if:network to ($wlan_if) port 1194 keep state
20:43 < krzie> try that, changing wlan_if with eth0
20:52 < troy-> krzie, when i use udp for some reason i cant ping the gateway
20:52 < troy-> everything connects fine but no traffic gets through
20:53 < krzie> troy- troy, did you look in logs for errors?
20:53 < krzie> !logs
20:53 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
20:53 < troy-> i did
20:53 < troy-> oh k
21:02 < troy-> krzie, nothing in log to indicate an issue
21:02 < troy-> just a ton of stuff
21:02 < krzie> ill be the judge of that
21:02 < krzie> verb 6
21:02 < troy-> hehe where to post?
21:02 < troy-> yep
21:03 < krzie> !pastebin
21:03 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
21:04 < troy-> krzie, http://pastebin.ca/1388535
21:06 < krzie> thats the client?
21:06 < troy-> yep
21:06 < krzie> and wheres the server log...
21:07 < troy-> good question
21:07 < troy-> gimme one min :P
21:07 < krzie> also when pushing dns to a windows client, you must read this
21:07 < krzie> !pushdns
21:07 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit
21:09 < epaphus> krzie, iam pretty sure I have the NAT correct... firewall is ok.. I can ping the server from the client though... I cant ping anything else... and... the weirdest thing of all is... if I do a traceroute from the client to the IP of the server it seems its taking the regular internet route i had before openvpn was setup
21:10 < krzie> of course it is
21:10 < krzie> if it didnt how would the vpn stay up?
21:10 < epaphus> oh :)
21:10 < krzie> and your problem is still in 1 of the 3 places i said it was
21:10 < epaphus> oki
21:10 < krzie> that answer WILL NOT BE CHANGING
21:10 < krzie> !forget pushdns 3
21:10 < vpnHelper> krzie: Joo got it.
21:11 < krzie> !learn pushdns as http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
21:11 < vpnHelper> krzie: Joo got it.
21:12 < troy-> krzie, http://pastebin.ca/1388538
21:13 < krzie> thats NOT a logfile
21:13 < troy-> krzie, i usually just do ipconfig /registerdns
21:13 < krzie> whatever works for you
21:13 < krzie> #3 is a permanent fix
21:14 < krzie> (known to work on XP and Vista):
21:14 < troy-> krzie, where does openvpn write the log file?
21:14 < troy-> for linux
21:14 < psomas> troy-: depends on the conf i think
21:14 < krzie> i dunno man, depends on your system
21:14 < krzie> check /var/log/messages maybe
21:14 < psomas> if u don't specify prolly u can see it at syslog
21:15 < troy-> yep its writing a ton of crap to messages
21:15 < krzie> i want it from start to end of connecting message
21:17 < epaphus> krzie, iam being told to ping the tunnels endpoint.. in my case what would that be?
21:17 < krzie> client is whatever.6
21:17 < krzie> server is whatever.1
21:17 < troy-> krzie, http://pastebin.ca/1388540
21:17 < troy-> updated with real log
21:19 < krzie> ok troy, remove ipp.txt and reconnect
21:19 < krzie> then ping 172.16.2.1 from the client after reconnecting
21:19 < epaphus> krzie, wow neat.. apparently it doesnt add any latency when it goes through the vpn??
21:20 < epaphus> double wow
21:20 < krzie> often does
21:20 < krzie> *shrug*
21:20 < krzie> should add a little ild say
21:20 < krzie> yanno, more overhead and sometimes even must split tcp packets to fit in a packet with the overhead
21:21 < krzie> but its hard to complain about it not adding any ;]
21:21 < krzie> troy, after you remove the ipp.txt restart the server
21:22 < krzie> or shut it down, remove it, restart it
21:22 < krzie> then connect the client
21:22 < krzie> then ping 172.16.2.1 from the client
21:22 < troy-> krzie, no good
21:22 < krzie> ild say lose the ipp command all together
21:22 < krzie> its kinda useless, can only mess some things up
21:22 < troy-> should i remove it from config and try again?
21:23 < krzie> troy, what ip is the client? 172.16.2.6?
21:23 < troy-> yes
21:23 < krzie> ping that from server
21:23 < troy-> okay
21:24 < troy-> krzie, btw with udp is nat an issue?
21:25 < krzie> nat isnt your problem
21:25 < krzie> firewall definitely could be
21:25 < krzie> in fact thats what i suspect
21:25 < troy-> yep i do have one of those
21:26 -!- troy_ [n=troy@72.37.245.28] has joined ##openvpn
21:26 < epaphus> krzie, iam sorry perhaps asking this question rephrased.. not my intention to annoy you... but route show on the client says my default gateway is 10.0.1.5 , but the endpoint you said is 10.0.1.1 .. is that ok?
21:26 < krzie> troy- make sure all firewalls allow 172.16.2.x through tun interface
21:27 < troy_> krzie: i only have a network firewall
21:28 < troy_> neither server nor endpoint has a firewall
21:28 < epaphus> if I ping from the client 10.0.1.1 I get a latency of 200ms , if I ping 10.0.1.6 I get a latency of 430ms ... i dont understand that :P
21:30 < troy_> krzie: i cant ping from the server either
21:31 < epaphus> btw krzie .. I cant ping my default gateway on my client (10.0.1.5)
21:31 < troy_> epaphus: seems we have the same problem
21:31 < krzie> epaphus you shouldnt be able to, did you read !/30 (the link in it)
21:32 < krzie> your gateway is .1
21:32 < krzie> .5 is internal ovpn shit to get around windows lameness
21:32 < krzie> they figured out a better way, so now 2.1 has topology subnet
21:32 < epaphus> but this is OBSD to OBSD
21:33 < epaphus> and iam in 2.1 :P
21:33 < krzie> they made topology net30 the default because of what i said
21:33 < epaphus> i c
21:33 < epaphus> ok ok
21:33 < krzie> and its still default for now, you can change it manually if you cant understand !/30
21:33 < troy-> krzie, any thoughts on why it wont work with UDP?
21:34 < krzie> firewall
21:34 < krzie> !linfw
21:34 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
21:35 < troy-> krzie, i dont have one on either machine
21:35 < troy-> but there is a firewall in front of the client
21:35 < epaphus> krzie, can you help me understand why is it that when I ping .1 i get 200ms, and .6 gets double?
21:36 < krzie> no
21:36 < krzie> troy-, sounds like a good place to look
21:36 < epaphus> ok, why so? krzie
21:36 < krzie> cause i dont know
21:36 < epaphus> oki
21:39 < troy_> krzie: will i see an improvement by upgrading to 2.1 from 2.0.9?
21:40 < krzie> could be, but i still say its a firewall
21:40 < troy_> will UDP be much better performance?
21:40 < krzie> !tcp
21:40 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
21:41 < epaphus> iam also going to test tcp
21:41 < epaphus> just in case its a udp thing
21:41 < troy_> tcp works flawlessly for me
21:41 < epaphus> troy_, whats your issue?
21:41 < troy_> cant ping gateway
21:41 < epaphus> from client, right?
21:41 < troy_> or server -> client
21:42 < epaphus> whats your ifconfig output for tun0 in the client.. and what is the ip of the gateway you're pinging?
21:42 < epaphus> also, according to the logs.. both sides establish a connection?
21:44 < troy_> according to logs both sides are established
21:44 < troy_> i'm pinging 172.16.2.1 as my gw
21:44 < krzie> epaphus's problem is it connects and pings fine, but he cant route inet traffic over his vpn
21:44 < krzie> because his nat, firewall, or ip forwarding is broken
21:44 < epaphus> troy-, paste ifconfig on pastebin for me
21:45 < epaphus> thats exactly my problem..
21:45 < epaphus> lol
21:45 < krzie> no, its not
21:45 < krzie> troy cant ping his tunnel endpoints
21:45 < krzie> you can
21:45 < krzie> so for him it is firewall
21:45 < krzie> for you its one of those 3
21:46 < epaphus> oh thats heavy
21:46 * krzie wonders why hes even still here
21:46 < troy-> epaphus, hmm its working now
21:46 < troy-> krzie, now its workin for some odd reason
21:46 < troy-> lalalalal
21:46 < troy-> <3 krzie
21:46 < epaphus> weird thing from troy_ is he can get it to work for tcp
21:46 < troy-> krzie, only thing i changed is adding SNAT for .1 and .2
21:46 < troy-> and it worked..
21:46 < epaphus> krzie, we all appreciate your help.. at the end you will see when i get it up it was worth it
21:46 < troy-> la la la :<
21:47 < epaphus> troy-, what is snat, what os is this?
21:47 < krzie> troy-, aka you added a rule to your firewall ;)
21:47 < krzie> snat = linuxism
21:47 < troy-> lol
21:47 < krzie> source nat
21:47 < troy-> krzie, but i cant ping the client from the server
21:48 < krzie> firewall
21:48 < krzie> lol
21:48 < troy-> no no no :(
21:49 * krzie makes his bot respond to ANYTHING troy says until it works with "firewall"
21:49 < troy-> krzie, speeds are about equal with UDP
21:49 < troy-> about 1Mb/s
21:49 < krzie> im just telling you whats in the manual, with tcp you can expect degradation of speeds as compared with udp
21:50 < troy-> maybe if you have a shoddy connection
21:50 < krzie> maybe if you need to resend any packets
21:50 < troy-> yah, exactly
21:51 < krzie> that happens more often than you may think
21:51 < krzie> watch a packet sniffer for a day
21:54 < epaphus> krzie, must the client originate the connection directly from a public ip assigned to it.. or can the client be under a nat?
21:55 < troy-> krzie, without the vpn i can download from the server at 500KB/s
21:55 < troy-> with the VPN i'm lucky to get 130KB/s
21:55 < krzie> client can be under a nat, no problem
21:55 < krzie> troy, sorry to hear that
21:55 < krzie> did you check mtu-test?
21:55 < epaphus> troy-, how is the latency difference?
21:55 < troy-> krzie, it errored
21:55 < troy-> wouldnt work
21:56 < krzie> lol
21:56 < krzie> upgrade
21:56 < krzie> you know 2.0.9 is like 4 yrs old right?
21:56 < troy-> yes
21:57 * troy- upgrades
21:58 < troy-> krzie, my config files can stay the same rite?
21:59 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has quit [Client Quit]
22:01 < krzie> yes
22:02 < epaphus> what is mtu test?
22:02 < krzie> !mtu-test
22:02 < vpnHelper> krzie: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
22:05 < epaphus> ohh nice
22:05 < troy_> how can i query openvpn for version#
22:05 < krzie> !man
22:05 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:05 < krzie> check the manual
22:07 < troy_> figured it out
22:07 < troy_> krzie: whats weird is it takes 4-5mins before openvpn can ping gw using udp
22:07 < troy_> but if you wait it out magically it happens
22:08 < krzie> also source nat isnt the real solution, allowing the tun ip is
22:08 < krzie> but whatev
22:09 < troy_> speeds are equal to the past ver
22:09 < krzie> mtu-test works?
22:09 < troy_> appears to
22:09 < krzie> you're using 2.1_rc15?
22:09 < troy_> yep
22:09 < krzie> well whats it say when you mtu-test
22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu = 1500
22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu_defined = ENABLED
22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 link_mtu = 1500
22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 link_mtu_defined = DISABLED
22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu_extra = 0
22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu_extra_defined = DISABLED
22:10 < krzie> !pastebin
22:10 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
22:10 < troy-> lol
22:10 < troy-> it was 6 :/
22:10 < krzie> thats not mtu-test results
22:10 < krzie> thats you grep'ing the logfile for 'mtu'
22:11 < krzie> comment the word daemon
22:11 < troy-> correct
22:11 < krzie> add the word mtu-test
22:11 < krzie> and connect
22:12 < troy_> connected
22:12 < krzie> both sides are now 2.1?
22:12 < troy_> i installed the windows ver but it still says openvpn gui v1.0.3
22:13 < troy_> C:\Program Files\OpenVPN\bin>openvpn --version
22:13 < troy_> OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
22:13 < troy_> so yep, both 2.1
22:13 < krzie> comment the word daemon
22:13 < krzie> add the word mtu-test
22:13 < krzie> and connect
22:13 < troy_> i did
22:14 < troy_> i'm connected..
22:14 < krzie> so it ran some tests in the foreground?
22:14 < troy_> its scrolling so quick its hard to tell
22:14 < troy_> what am i looking for?
22:14 < krzie> oh right
22:14 < krzie> turn verb back to 4
22:14 < krzie> lol
22:14 < troy_> hehe
22:15 -!- jimi [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has joined ##openvpn
22:15 < jimi> How can I solve this? Fri Apr 10 23:13:22 2009 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
22:15 < troy_> connected
22:15 < krzie> by changing the LAN's subnet on one of the sides
22:16 < troy_> Fri Apr 10 23:15:23 2009 us=234000 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
22:16 < jimi> shit, not an option :(
22:16 * troy_ twiddles thumbs
22:16 < krzie> jimi, you dont run EITHER side?
22:16 * troy_ turns clock forward 2 mins
22:16 * krzie puts a muzzle on troy
22:17 < troy_> @_@
22:17 < jimi> i run both sides... but, there are so many devices relying on 255.255.255.0 that it would be very difficult and time consuming to do this in a production environment
22:17 < krzie> no no
22:17 < krzie> dont change the netmask
22:17 < krzie> change the subnet!
22:17 < krzie> the part that is 192.168.1
22:17 < krzie> subnet + netmask = network
22:17 < krzie> basically
22:18 < krzie> err no im wrong there
22:18 < krzie> but whatev its been awhile since i went over vocab
22:18 < krzie> change the 192.168.1 on 1 side
22:19 < krzie> preferably the server if you can
22:19 < krzie> that way you wont have more clients with the same subnet connecting later
22:19 < troy_> Fri Apr 10 23:18:58 2009 us=343000 NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection).
22:19 < krzie> 192.168.1 is too common
22:19 < krzie> troy you restarted both sides with 2.1?
22:20 < krzie> ohhhhh wait
22:20 < krzie> you still cant ping both directions, right?
22:21 < troy_> krzie: correct
22:21 < troy_> both sides were restarted
22:21 < krzie> fix your firewall problem first then
22:21 < troy_> but it takes a few mins before i can even ping one way
22:21 < krzie> you still have one
22:21 < troy_> mmm
22:21 < krzie> in fact the 'fix' you did earlier wasnt a fix, just a hack
22:22 < krzie> to fix it for real you need to allow the vpn network instead of SNAT'ing
22:22 < troy_> how do i do that?
22:22 < krzie> by learning how your firewalls work
22:22 < krzie> im not your network admin
22:23 < krzie> your openvpn is setup correctly
22:23 < krzie> thats what we do here :-p
22:23 < troy_> damned
22:23 < troy_> hint?
22:24 < epaphus> back
22:24 < epaphus> ok so... back to work.. iam going to try tcp, and then iam going to try a different client
22:28 -!- jimi_ [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has joined ##openvpn
22:28 -!- jimi [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has quit [Read error: 113 (No route to host)]
22:28 < jimi_> changed my subnet to .2 and still getting the error
22:29 < krzie> show the error now pls
22:29 < krzie> troy, i dont use linux, and i gave you the hint
22:29 < krzie> !linfw
22:29 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
22:30 < jimi_> the error hasnt changed
22:30 < krzie> you changed it, killed both openvpns, started both, and got THAT EXACT error?
22:30 < jimi_> yes
22:30 < krzie> show me your server statement
22:30 < jimi_> potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
22:31 < jimi_> server 172.16.0.0 255.255.255.0
22:32 < jimi_> push "route 192.168.1.0 255.255.255.0"
22:32 < krzie> !configs
22:32 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:32 < krzie> 192.168.1.0 is the lan behind the server?
22:33 < jimi_> yes
22:34 < jimi_> http://pastie.org/443505
22:39 < krzie> why dev tap?
22:39 < krzie> why tcp?
22:39 < krzie> see !ipp if you have ipp.txt to try to have static ips
22:40 < jimi_> !ipp
22:40 < vpnHelper> jimi_: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
22:40 < jimi_> k
22:40 < krzie> !tunortap
22:40 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
22:40 < krzie> !tcp
22:40 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
22:40 < krzie> still waiting on client.conf
22:40 < jimi_> you didnt ask for it...
22:41 < krzie> !configs
22:41 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:41 < jimi_> server.conf
22:41 < krzie> (#1) please pastebin your client and server
22:41 < krzie> configs
22:41 < troy_> krzie: with TCP i'm seeing fairly high latency
22:42 < troy_> almost double what it should be
22:42 < jimi_> http://pastie.org/443508
22:43 < krzie> troy: i told you to read !tcp 3 times, it explains why
22:43 < krzie> then you told me only over a shoddy link
22:43 < krzie> what more do you want?
22:43 < krzie> jimi: why are you using dev tap, and tcp?
22:44 < krzie> also you might wanna change how your server cert is signed
22:44 < krzie> !mitm
22:44 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
22:44 < jimi_> k
22:44 < krzie> ok as for your real problem...
22:44 < krzie> !interface
22:44 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
22:44 < krzie> !logs
22:44 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
22:45 < jimi_> im not doing all that.
22:45 < jimi_> dev tap/tun... or tcp has nothing to do w/ why the routes are not working.
22:46 < jimi_> you would rather just have the bot spit out the same factoids over and over, instead of actually assisting.
22:46 -!- jimi_ [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has left ##openvpn ["Leaving"]
22:47 < krzie> LOL
22:47 < krzie> im sure thats my loss
22:48 -!- mode/##openvpn [+o krzie] by ChanServ
22:48 -!- mode/##openvpn [+b *!*jimi@*.rr.com] by krzie
22:48 -!- mode/##openvpn [-o krzie] by krzie
22:54 -!- troy_ [n=troy@72.37.245.28] has quit ["leaving"]
22:56 < epaphus> krzie, what would happen if two clients have the same cert ?
23:28 < epaphus> krzie, u there?
23:52 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
23:53 -!- nemysis [n=nemysis@194-1.3-85.cust.bluewin.ch] has joined ##openvpn
23:55 < epaphus> IT WORKED!!!!!!!!!!!!!!
23:55 < epaphus> FINALLY!!!!!!!!!!!!!!!!!!
23:55 < epaphus> THANK YOU SO MUCH krzie
23:56 < epaphus> my nat was incorrectly done on the server
--- Day changed Sat Apr 11 2009
00:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:05 < epaphus> krzie, ill see you tomorrow :)
00:07 < troy-> epaphus, did you fix the ping issue?
00:07 < epaphus> troy-, yes
00:07 < epaphus> troy-, i rebuilt my firewall from scratch
00:07 < epaphus> in the server
00:08 < epaphus> troy-, the only thing I have pending is.. that my client doesnt resolve DNS... it must be a simple dns line in the server.conf .. do you have such?
00:08 < troy-> i do sir
00:09 < epaphus> troy-, can you help me here?
00:09 < troy-> push "dhcp-option DNS 4.2.2.1"
00:09 < troy-> push "dhcp-option DNS 4.2.2.2"
00:12 < epaphus> troy-, thanks
00:12 < epaphus> how are you doing troy-
00:35 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
00:36 < troy-> epaphus, decent and yourself?
00:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:40 < rubydiamond> Hi guys
00:41 < rubydiamond> I freshly installed ubuntu on my laptop
00:41 < rubydiamond> now want to connect to office using openvpn client on ubuntu
00:48 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
01:04 < rubydiamond> anybody here
01:13 < theDoc> Yep, ok
01:30 < rubydiamond> theDoc, hey
01:30 < rubydiamond> I have connected to openvpn
01:30 < rubydiamond> but am not able to use vpn dns
01:30 < rubydiamond> how do I start openvpn with dns option set
01:30 < rubydiamond> theDoc, yt?
01:34 < rubydiamond> anybody in
01:34 < rubydiamond> need help
01:38 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn
01:39 < mf_417> Hi, is there any way to manually assign ip to clients of openvpn, when using tap ? ccd works fine but just for tun
01:40 < rubydiamond> guys..
01:40 < rubydiamond> how do I push dns using openvpn
01:40 < rubydiamond> mf_417, help
01:40 < rubydiamond> I am using openvpn client
01:40 < mf_417> rubydiamond: I have the same problem
01:42 < mf_417> ping
01:42 < mf_417> is there any way to manually assign ip to clients of openvpn, when using tap ? ccd works fine but just for tun
01:48 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn []
01:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
02:25 < reiffert> moin
02:27 < reiffert> push "dhcp-option DNS 123.34.32.21
02:27 < reiffert> "
02:27 -!- Administrat [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has joined ##openvpn
02:27 -!- Administrat [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has left ##openvpn []
02:28 < kraut> moin
02:28 < reiffert> moin moin kraut
02:28 < krzee> moin
02:29 < kraut> moin moin reiffert
02:29 < kraut> stiff breeze here ;)
02:29 < kraut> with a sharp "st" ;)
02:29 < kraut> INORMALLANGNOW
02:29 < krzee> lol
02:30 < reiffert> INO what?
02:30 < reiffert> aye aye my captain
02:30 < kraut> hrhr, arrrrrhoi salty seadog! ;)
02:35 < rubydiamond> kraut, hey
02:35 < kraut> hi rubydiamond
02:35 < rubydiamond> want to setup openvpn client with auto dns push
02:36 < rubydiamond> sudo openvpn anil.ovpn
02:36 < rubydiamond> I am able to connect my office sites with ip
02:36 < rubydiamond> but I also want to use dns server of my office
02:38 < kraut> rubydiamond: you could use "cmd" with a script that sets up your dns
02:38 < kraut> is that a solution?
02:38 < kraut> brb
02:40 < rubydiamond> kraut, hey
02:40 < rubydiamond> don't go.
02:40 < rubydiamond> hey could you give me a link related to it
02:40 < rubydiamond> kraut, yt?
02:43 < kraut> man openvpn -> --up cmd and --down cmd
02:43 < kraut> just a simple script, which backs up your resolv-file and after the tunnel is down, copies it back to the old state
02:43 < kraut> rubydiamond: imho there isn't any feature, that the server could push the dns
02:44 < kraut> rubydiamond: yt?
02:44 < rubydiamond> yes
02:45 < rubydiamond> hey.. was playing with dns
02:45 < rubydiamond> btw .. what cmd are you talking about
02:45 < kraut> just look into the man page, section --up cmd and --down cmd
02:45 < kraut> everything you need is described there
02:46 < rubydiamond> sudo openvpn anil.ovpn --up update-resolv-conf
02:46 < rubydiamond> [sudo] password for anil:
02:46 < rubydiamond> Options error: I'm trying to parse "anil.ovpn" as an --option parameter but I don't see a leading '--'
02:46 < rubydiamond> Use --help for more information.
02:46 < kraut> the options may be used in the client config as "up cmd $shellscript" and "down cmd $shellscript"
02:47 < kraut> yep, in the config you may not use "--", just use them without them
02:47 < kraut> the "--" is used, if you start openvpn from the cli directly
02:47 < kraut> like "openvpn --foobar conf"
02:47 < rubydiamond> trying
02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 /etc/openvpn/update-resolv-conf tun0 1500 1541 10.226.239.26 10.226.239.25 init
02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 openvpn_execve: external program may not be called due to setting of --script-security level
02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 script failed: external program fork failed
02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 Exiting
02:49 < rubydiamond> got this
02:49 < rubydiamond> I added two lines up and down in my conf
02:49 < kraut> GAH
02:50 < kraut> put "security-level 2" in your config
02:50 < kraut> sorry
02:50 < kraut> "script-security 2"
02:50 < kraut> that's the correct option
02:52 < rubydiamond> kraut, thanks a lot
02:52 < rubydiamond> it worked
02:52 < rubydiamond> it was awesome help
02:52 < kraut> :)
02:52 < kraut> no problem
02:52 < rubydiamond> I actually could not set it up properly a couple of times.. had spent lots of hours on it
02:53 < kraut> btw. it could be a security issue to allow script-security 2, just keep that in mind
02:57 < rubydiamond> btw, what could be
02:57 < rubydiamond> it ?
02:58 < rubydiamond> kraut, when i do /etc/init.d/openvpn start or stop.. it does not load my config
02:58 < rubydiamond> I always have to do openvpn anil.conf
02:58 < rubydiamond> need I rename anil.conf to something else
02:59 < kraut> is your config in /etc/openvpn/ ?
02:59 < kraut> everything in that directory with suffix .conf should be parsed
03:05 < rubydiamond> kraut, yes
03:05 < rubydiamond> okay
03:05 < rubydiamond> it was not .conf
03:05 < rubydiamond> it was .ovpn
03:05 < kraut> that's the suffix for windows
03:07 < rubydiamond> okay
03:07 < rubydiamond> kraut, yea, it worked
03:07 < rubydiamond> thanks a lot
03:07 < kraut> no problem
03:07 < kraut> bill is on the way ;)
03:14 < rubydiamond> :)
03:19 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
03:20 < kraut> need to go, batteries are low
03:20 < kraut> bye
03:34 < rubydiamond> okay bye
03:43 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
04:03 -!- e3032 [n=sepe@ti300720a080-0064.bb.online.no] has joined ##openvpn
04:03 < e3032> Is it possible to show a list of clients connected to my openvpn server?
04:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:08 < e3032> This should be possible ...
04:10 < e3032> ........
04:12 -!- e3032 [n=sepe@ti300720a080-0064.bb.online.no] has quit ["leaving"]
04:34 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn
04:36 -!- Gumbler|NotHere is now known as Gumbler
04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
05:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
05:20 -!- c64zottel [n=hans@p5B1794D6.dip0.t-ipconnect.de] has joined ##openvpn
05:31 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
06:32 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:12 < krzee> CPU: 36.0% user, 0.0% nice, 63.6% system, 0.4% interrupt, 0.0% idle
07:12 < krzee> i love seeing that during a buildworld
07:12 < krzee> 2 amd64 cores used 100%
07:23 -!- cmb [n=cmb@pfsense/coreteam/cmb] has quit [Read error: 110 (Connection timed out)]
07:50 < ecrist> dan__t: what is it you want to know about CRLs?
08:23 -!- c64zottel [n=hans@p5B1794D6.dip0.t-ipconnect.de] has quit ["Leaving."]
08:37 -!- Flumdahl [i=n30@shell.auth.se] has quit [Read error: 110 (Connection timed out)]
10:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
10:20 < epaphus> hello all
10:21 < epaphus> krzie, u there?
10:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:40 < epaphus> Well guys. my VPN works like a charm.. the problem is that the client which is an OpenBSD box doesnt resolve DNS. If I push a DNS option at the server.. It doesnt affect my client (probably because my client doesnt have any type of dhcp to get that value) .. so how do I go around this?
10:46 < Bushmills> epaphus, does the pushed DNS show up in /etc/resolv.conf?
10:46 < epaphus> Bushmills, in the client?
10:46 < Bushmills> yes
10:48 < epaphus> no it did not
10:49 < Bushmills> any other DNS there?
10:49 < epaphus> yes
10:50 < Bushmills> that's a working DNS?
10:51 < epaphus> yes, I have changed that and its working now 10:51 < epaphus> that was a working DNS before the VPN though 10:52 < epaphus> when I ping hostname does the resolving part take place in the client, or at the server Bushmills ? 10:52 < Bushmills> supposedly, pushing a DNS by vpn server should reflect in that file 10:52 < Bushmills> resolving takes place in client 10:53 < Bushmills> but client could use vpn server as dns, provided it is set up as dns 10:54 < Bushmills> but usually you would have one recursive DNS on your local net, which is used by the machines on the local net. 10:54 < epaphus> ohh, interesting... why do we suppose that after I Installed the VPN my DNS ips stoped working though? 10:54 < epaphus> yeah... 10:55 < Bushmills> maybe because of routing. could all your traffic (including dns requests) be routed to the vpn server? 10:57 < epaphus> ohhh DNS is being resolved within the client, but the client uses the VPN to contact the dns 10:57 < epaphus> got it 10:57 < epaphus> wellfor some reason those IPs didnt like a foreigner to contact them i guess 10:59 < Bushmills> having a short route, low propagation, to DNS is beneficial 10:59 < epaphus> yeah ill try to place a DNS within the vpn server then 11:07 < epaphus> I wonder, IAm using the VPN to access the internet on the client machine. Whats the point of having two default routes..? 11:07 < epaphus> default 10.0.1.5 UGS 0 18 - 48 tun0 11:07 < epaphus> default 192.168.1.1 UGS 1 1295 - 48 nfe0 11:10 < Bushmills> more likely that it is a misconfiguration than that there's a point to it 11:11 < epaphus> well, the redirect-gateway option automatically did part of this, iam sure:P 11:13 < Bushmills> it doesn't do that here 11:13 < epaphus> ohh 11:13 < epaphus> ill delete it :) what os are you using Bushmills ? 11:14 < Bushmills> Linux 11:14 < epaphus> iam in unix 11:14 < Bushmills> using redirect-gateway in client config, not pushed by server 11:14 < epaphus> me too. 11:16 < epaphus> so... unless clients key is compromised.. another client should not be able to login to the vpn server.. right? 11:16 < Bushmills> sounds about right 11:35 < epaphus> Quick question, If I use vpn with UDP ..does that mean that ICMP needs to be enabled? 11:41 < karlpinc> epaphus : No. 11:41 < Bushmills> it means that all tcp,udp and icmp traffic is tunneled through udp 11:42 < Bushmills> (all traffic routed through vpn interface) 11:45 < epaphus> hmm, for some reason I just switched the client/server to use UDP.. and I opened the UDP port in the firewall .. but it doesnt connect 11:46 < epaphus> maybe i didnt open it right 11:56 -!- simplechat [n=betabot@li20-55.members.linode.com] has quit [Remote closed the connection] 11:56 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn 12:00 -!- guy191 [n=carbon@hosr3141-04.hh.se] has joined ##openvpn 12:01 < guy191> Hii Room !! 12:01 < guy191> need to ask few things.. hope i wll take few nice answers with me from here :) 12:02 < Bushmills> !howto 12:02 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:02 < Bushmills> :D 12:02 < guy191> trying to establish VPN network in between my friend which is using laptop and my office network 192.168.0.0/24 12:03 < guy191> HI Bushmills.. 12:03 < guy191> i m not using openvpn.. but its relates to vpn so 12:04 < Bushmills> what vpn software are you trying to use? 12:04 < guy191> i m using hardware Zywall USG 100 device 12:05 < guy191> http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040908175941&CategoryGroupNo=4E8412D7-AF41-41EA-987C-ACA23F38108A 12:05 < vpnHelper> Title: ZYWALL USG 100 - Network Security in a Single Box for Offices of up to 25 People - ZyXEL Product & Solution (at www.zyxel.com) 12:06 < guy191> oh helper you know :).. 12:06 < guy191> !VpnHelper you are best 12:06 < vpnHelper> guy191: Error: "VpnHelper" is not a valid command.
12:06 < guy191> anywayz 12:07 < Bushmills> !botsnack 12:07 < vpnHelper> Bushmills: Error: "botsnack" is not a valid command. 12:07 < guy191> on other side .. only one guy.. not LAN 12:07 < Bushmills> hmm 12:07 < guy191> here is he saying in Policy Setting 12:08 < guy191> local policy.. our LAN network ip network/netmask 12:08 < guy191> remote policy.. otherside network and subnetmask 12:08 < guy191> no before that.. 12:09 < guy191> which ports should open on my LAN side for seeing network computers on my friends laptop? 12:09 < dan__t> hi 12:10 < Bushmills> !routing 12:10 < vpnHelper> Bushmills: Error: "routing" is not a valid command. 12:10 < guy191> oh hi dan__t 12:10 < dan__t> whatsup 12:10 < guy191> how are you ? 12:10 < Bushmills> !route 12:10 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:10 < dan__t> I'm ok. Trying to wake up. 12:10 < guy191> nutting jst trying to confiuge vpn.. 12:10 < dan__t> I'm eating Triscuits. 12:10 < dan__t> And drinking a diet coke. 12:11 < dan__t> Breakfast of champions. 12:11 < guy191> good.. dan__t you should take some vpn sandwiches with linux fresh juice :) 12:11 < dan__t> wtf 12:11 < guy191> haha 12:11 < dan__t> Are you hizzigh? 12:11 < guy191> sorry !! 12:11 < guy191> hizzigh.. whats dat 12:11 < dan__t> high 12:11 < guy191> no i m not hizzigh 12:12 < guy191> brb 12:14 < dan__t> k 12:18 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"] 12:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 12:27 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has joined ##openvpn 12:28 < [4-tea-2]> !route 12:28 < vpnHelper> [4-tea-2]: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:38 < [4-tea-2]> Howdy, I'm connecting from a machine with a dynamic ip to a openvpn server, so I've set a host route to the server via the DSL interface. 12:39 < [4-tea-2]> What's the proper way to tell local machines how to reach other services on the openvpn server? 13:08 < [4-tea-2]> Masquerading works, but that way I lose encryption for those connections. 13:16 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has quit [Read error: 113 (No route to host)] 13:16 < dan__t> You can't really directly tie a service in to OpenVPN. 13:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 13:17 < rubydiamond> hi guys 13:17 < dan__t> You can set routes. You can't set rules based on ports etc etc unless using some sort of packet filtering or inspection, such as iptables 13:17 < rubydiamond> I need help on pushing openvpn dns to my laptop 13:18 < rubydiamond> dan__t, I am not able to use dns of my work.. from my laptop .. though I can access sites using ip.. also I have added up and down lines in my config 13:18 < rubydiamond> which should push dns 13:18 < [4-tea-2]> dan__t: I'm comfortable with iptables, but I'm not sure what's the right way to go.
13:18 < rubydiamond> but it's not doing so 13:18 < dan__t> Give me an example, [4-tea-2] 13:19 < dan__t> rubydiamond, http://openvpn.net/index.php/documentation/howto.html#dhcp 13:19 < vpnHelper> Title: HOWTO (at openvpn.net) 13:20 < rubydiamond> dan__t, I am using client 13:21 < rubydiamond> I think openvpn server is pushing it 13:21 < dan__t> Using what? 13:21 < rubydiamond> but my client is not able to use dns 13:21 < [4-tea-2]> dan__t: openvpn from dynip.ispone aka server.mylocal.net to realip.isptwo, isp two routes mylocal.net to me, so I have static IP addresses for my machines at home. 13:21 < rubydiamond> dan__t, I am using openvpn command line client on ubuntu 13:21 < [4-tea-2]> dan__t: I want to access e.g. the webserver on realip.isptwo:80 from workstation.mylocal.net. 13:21 < dan__t> Then just edit /etc/resolv.conf, rubydiamond 13:22 < dan__t> Can you ping it, [4-tea-2] ? 13:22 < rubydiamond> dan__t, yeah.. but what should I add there 13:22 < dan__t> er, you'd add what you normally would put there 13:22 < dan__t> nameserver 1.2.3.4 13:23 < [4-tea-2]> dan__t: from server.mylocal.net, I can ping realip.isptwo which goes "around" the vpn, or I can ping the link-local ip to the openvpn endpoint (I've chosen an rfc1918 address there, 10.something) 13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 TUN/TAP device tun0 opened 13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 TUN/TAP TX queue length set to 100 13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /sbin/ifconfig tun0 10.226.239.26 pointopoint 10.226.239.25 mtu 1500 13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /etc/openvpn/update-resolv-conf tun0 1500 1541 10.226.239.26 10.226.239.25 init 13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /sbin/route add -net 192.168.8.0 netmask 255.255.248.0 gw 10.226.239.25 13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /sbin/route add -net 10.226.239.1 netmask 255.255.255.255 gw 10.226.239.25 13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 Initialization Sequence Completed 13:23 < rubydiamond> oh sorry.. 13:23 < rubydiamond> I pasted here 13:23 < dan__t> I'm sorry, its still fuzzy [4-tea-2] 13:24 < rubydiamond> but dan__t I don't know what are the name server ip at work 13:24 < rubydiamond> dan__t, do you see some above 13:25 < dan__t> Use 4.2.2.1? 13:25 < dan__t> I don't know. 13:26 < [4-tea-2]> dan__t: okay, let me try to rephrase my problem. When I establish the openvpn connection for my local network, I set a default route to openvpn's tun device and a host route to the physical device that I use to talk (via a DSL router) pointing to the openvpn's server real ip address (outside the openvpn tunnel). 13:28 < [4-tea-2]> dan__t: when all I needed from that server was the openvpn connection, that was perfectly fine. Now I'd like to reach other services (e.g. a webserver) on the very server that acts as my openvpn server. And preferably, I'd like those connections to benefit from openvpn's encryption. 13:28 < dan__t> Oh, right. 13:28 < dan__t> hmmm 13:35 < rubydiamond> dan__t, openvpn on linux machine suck 13:35 < rubydiamond> there is no good client 13:35 < rubydiamond> which can properly setup dns 13:35 < rubydiamond> after connecting to vpn 13:36 < rubydiamond> on mac and windoze it works awesome 13:41 < guy191> if one computer from outside want to connect with LAN through VPN 13:41 < guy191> all that LAN clients should also have installed that client software ? 13:41 < guy191> or only that guy which is trying to access it from outside ? 13:42 < guy191> any one ???? 13:42 < guy191> i meant about client software.. 13:43 < guy191> all the guys which want to be in a part of vpn .. even in lan or from outside will use vpn client ? 13:47 < dan__t> You just need a clue about doing it, rubydiamond 13:47 < dan__t> I told you what to do 13:47 < dan__t> I told yuou which options to use in OpenVPN. 13:48 < rubydiamond> dan__t, hmm 13:48 < rubydiamond> dan__t, used 13:48 < dan__t> No, guy191. A remote client "becomes" part of that LAN.
13:48 < dan__t> Kind of. 13:52 < dan__t> rubydiamond, all the OpenVPN clients work the same way. 13:52 < dan__t> They all have the same options, use the same communication, obey the same routes 13:52 < dan__t> They're all the same. 13:52 < dan__t> I'm sorry that it doesn't have a fuzzy cute GUI by default. 13:53 < dan__t> I'll.... bitch at the author or something. For shame, I know, right? 14:00 < rubydiamond> dan__t, both windows and mac have good gui clients 14:02 < dan__t> Great. 14:26 < dan__t> They all work the exact same way. 14:26 < dan__t> Your argument is invalid. 14:29 -!- _lataffe_ [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)] 14:36 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 14:42 < krzee> actually 14:43 < krzee> you can have certs or a PSK 14:43 < krzee> guy191, see !route 14:46 < guy191> my vpn client has connect with vpn server 14:46 < guy191> now how can i check that its working fine ? 14:47 < guy191> its not pinging to that network from command promt 14:47 < guy191> what the other ways to test connection ? 14:59 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 15:05 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 15:16 < guy191> Hii room !! 15:16 < guy191> any one ? 15:17 -!- guy191 [n=carbon@hosr3141-04.hh.se] has left ##openvpn [] 15:17 -!- guy191 [n=carbon@hosr3141-04.hh.se] has joined ##openvpn 15:18 < guy191> back !!1 15:18 < guy191> actualy today is my first day here.. 15:18 < guy191> or even in this vpn configuration .. 15:18 < guy191> i have setup vpn.. now need to test from my remote client pc.. 15:18 < guy191> which is connect to internet.. and vpn client also showing that its connected 15:19 < guy191> now i canot ping to lan.... why ? 15:19 < guy191> hav to configure some thing on client network connection ? 
15:27 < krzie> !route 15:27 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:29 < guy191> hi krzie.. how r u ? 15:30 < guy191> krzie: i have read this doc... 15:30 < guy191> my scenrio is little bit different 15:30 < guy191> only one computer from outside want to connect with my LAN .. 15:31 < guy191> his vpn client has connect with my vpn server.. actualy i m not using openVPN.. 15:31 < krzie> and the lan is behind the server or client 15:31 < krzie> !notcompat 15:31 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 15:31 < guy191> lan is behind that hardware gateway device 15:31 < guy191> i know compatiblity 15:32 < krzie> you said you arent using openvpn 15:32 < guy191> yes then ? 15:32 < krzie> so why are you here? 15:32 < guy191> ZYWALL USG 100 15:33 < guy191> jst for little bit info regarding vpn.. 15:33 < krzie> can only help you with openvpn 15:33 < guy191> yes i know.. suppose here its openvpn.. and client as connected with it.. 15:33 < krzie> pointless 15:33 < krzie> not gunna waste my time 15:33 < guy191> now he can't ping all other lan nodes 15:34 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 15:34 < guy191> only tell that .. how can we test on client side 15:34 < guy191> test the connectivity from that outsider ? 15:34 -!- mode/##openvpn [+o krzie] by ChanServ 15:34 <@krzie> seriously, this is a openvpn help channel 15:34 <@krzie> !notopenvpn 15:34 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 15:35 < guy191> ok .. Sorry .. Dont mind !!
15:35 -!- mode/##openvpn [-o krzie] by ChanServ 15:38 < krzie> werd 15:38 < krzie> however, if you switch to openvpn you can do that as well 15:39 < krzie> (likely with stronger encryption) 15:39 < guy191> Thanks.. !! yes i know that openvpn is best.. 15:39 < krzie> *shrug* best depends on needs 15:40 < guy191> some times we should also configure on another platform.. it also nice for our carreer 15:40 < krzie> some people dont like that we cant directly connect clients bypassing server 15:40 < krzie> and some people need a couple thousand connections, cisco might be better for them, comes with support and all that 15:40 < guy191> we shouldn't stuck on one apple.. 15:41 < guy191> yes..offcourse.. 15:41 < krzie> but i feel the strongest encryption is available here, because they dont try to do it and maintain it themselves 15:41 < krzie> very smart move to use openssl for all that 15:41 < krzie> and its very configurable 15:41 < krzie> very very flexible 15:42 < guy191> anywayz.. now my time is wasting.. time to go and work 15:42 < guy191> be happy n takecare !! 15:42 < guy191> ba bye !! 15:42 < krzie> you too =] 15:42 -!- guy191 [n=carbon@hosr3141-04.hh.se] has left ##openvpn [] 16:01 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has joined ##openvpn 16:02 < dupondje> !route 16:02 < vpnHelper> dupondje: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:13 < dupondje> mmm, I want to put a vpn server on my server (internet ip), so I can connect 2 networks together that are behind a router ... 16:13 < dupondje> any id where to start :) 16:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving"] 16:23 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 16:24 < quentusrex_> Is it possible to deny some clients access to certain parts of the subnet? even though they have the routes pushed?
16:24 < quentusrex_> such as through iptables, or something? 16:28 < karlpinc> krzie : People _could_ directly connect clients if they tried, using dyndns and such. 16:29 < karlpinc> quentusrex_ : Sounds like that's what iptables is for. (You might try looking at shorewall for an easier configuration.) 16:29 < dupondje> !howto 16:29 < vpnHelper> dupondje: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:44 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 16:51 < dan__t> hi 16:52 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 16:52 < epaphus> Hey guys, where can I read more about the access controls that openvpn has? 16:53 < dan__t> in the manpage 16:53 < dan__t> what specifically were you looking at? 16:53 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 16:53 < epaphus> an overview of what access control can do in the real life 16:59 < krzie> krzie : People _could_ directly connect clients if they tried, 16:59 < krzie> using dyndns and such. 16:59 < krzie> false 17:00 < krzie> when connecting from 1 client to another over openvpn, it will always flow through the server 17:07 < epaphus> krzee, thanks for the help yestreday 17:09 < krzie> you're welcome 17:09 < krzie> get your stuff sorted out? 17:11 < epaphus> btw.. redirect-gateway left two routes.. I need to delete one... not sure how to do it permanently.. because if I delete it with route delete.. it just comes back after a reboot 17:11 < epaphus> this bothers me a little.. default 10.0.1.5 UGS 0 0 - 48 tun0 17:11 < krzie> what route? 17:11 < epaphus> default 192.168.1.1 UGS 1 83 - 48 nfe0 17:11 < epaphus> the default being 192.168.1.1 17:12 < krzie> !interfaces 17:12 < vpnHelper> krzie: Error: "interfaces" is not a valid command. 17:12 < krzie> !interface 17:13 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:16 < epaphus> krzee, http://pastebin.com/d6500f389 ... see.. there is really no point to have a second default gateway as 192.168.1.1 if I already have the defualt gateway as the VPN 17:16 < krzie> thats what def1 was 17:16 < krzie> overrides without deleting 17:17 < krzie> so if you kill the vpn you have inet 17:17 < krzie> !def1 17:17 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:17 < epaphus> ohh understood 17:17 < epaphus> well, i dont want it that way.. if I kill the VPN .. its dead 17:17 < krzie> if you kill the vpn you still have a route to the internet 17:17 < epaphus> thats right, i dont want it that way 17:17 < krzie> but if you dont, you have a more specific route to the inet through the vpn, so that is all thats used 17:17 < epaphus> if I kill the VPN i want it to be dead 17:18 < krzie> fine, remove def1 from redirect-gateway 17:18 < epaphus> krzee, iam sorry.. i think i didint explain myself correctly.. 17:19 < epaphus> this machine is meant to always be connected to the VPN.. which is why i consider that that the default gateway being 10.0.... is cool... what i want to delete is the regular path to the internet which is 192.168.1.1 .... i understand if I delete the regular path and the VPN is down i wont have internet 17:19 < krzie> hey so howd you fix your nat / firewall issue? 17:19 < epaphus> but thats the way i want it 17:19 < krzie> THEN DONT ADD def1 17:19 < epaphus> krzee, i had to do a firewall from scratch.. its not as easy as 1 line.
17:19 < krzie> its only like that because you have def1 in redirect-gateway 17:19 < epaphus> ohh okie 17:19 < epaphus> sorry 17:19 < epaphus> thanks 17:19 < krzie> np yw 17:20 < krzie> if you wouldnt mind adding to our wiki with your firewall setup, it would be cool 17:20 < krzie> !wiki 17:20 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 17:20 < krzie> (under the openvpn section of course) 17:20 < krzie> thats the same wiki i made my routing setup walktrhough on 17:20 < epaphus> krzee, i can paste it for your in pasetbin.. is that ok? 17:21 < krzie> its about the same to add it to the wiki, it takes anonymous posts 17:21 < krzie> and i dont wanna butcher anything, since you understand it now and i dont 17:21 < epaphus> oki 17:30 < krzie> toss in how you set ip forwarding too pls! =] 17:31 < epaphus> oki 17:31 < krzie> you'll be helping tons of openvpn users with that info im sure! 17:32 * krzie notes thats how communities like this rock, we get free help from those who have done it if we need it, then we give the help back to those who need it after us ;] 17:45 < epaphus> krzee, if I push a dns server in the server.conf .. the client must configure tun0 with dhcp on.. right? 17:46 < krzie> no, you just need to use a script to update your resolv.conf 17:46 < epaphus> krzee, a script?? 17:46 < krzie> theres one included with openvpn, ive heard mixed opinions on it 17:46 < krzie> personally i would make my own if i ever used it 17:46 < epaphus> ohhh... okie 17:47 < krzie> BUT 17:47 < krzie> you said you ONLY want inet through the vpn 17:47 < krzie> so thats much easier 17:47 < krzie> since the vpn doesnt need dns to connect (just give an ip to the remote command) 17:47 < krzie> and set the dns manually, and dont have anything that would override it 17:48 < epaphus> yup 17:48 < epaphus> agreed 17:48 < krzie> but if you decide you need to push it, !pushdns is a good thread to read, although mostly talks about a windows problem with pushing dns i think they touch on doing it in unix too 17:49 < reiffert> YES OH YES!! 17:49 < krzie> you asked about auth controls, i have no clue what you were asking 17:49 < reiffert> !yes 17:49 < vpnHelper> reiffert: Error: "yes" is not a valid command. 17:49 < krzie> but if you refine your question, maybe mention a goal or something, maybe someone can answer it 17:49 < krzie> moin reif 17:49 * reiffert = someone 17:49 < reiffert> howdy 17:52 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 17:56 < reiffert> he doenst trust me, eh? 17:57 < krzie> he only truely trusts me 17:57 < krzie> cause i brought him into this world, and i can take him back out 17:57 < krzie> ;] 18:03 < reiffert> I can make him dig into it much deeper ... 18:29 -!- aluis_ [n=aluis@78.52.30.238] has joined ##openvpn 18:46 < krzie> ive read that line 10 times or so reif, still have no clue what you meant 18:46 < krzie> lol 18:58 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [] 19:37 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 19:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:46 < troy-> do i need to restart openvpn for it to pickup on new profiles? 19:46 < krzie> define profiles 19:46 < troy-> new keys 19:46 < krzie> do you need to restart the server when you setup new clients? 19:46 < krzie> (thats the question?)
19:46 < troy-> yep 19:46 < krzie> no 19:46 < troy-> kk 19:47 < krzie> they're signed by the same ca, they will work 19:47 < krzie> if you had meant prfiles in the server config, yes 19:47 < krzie> if you had meant ccd entries in the server, no 19:47 < krzie> thats why i had you clarify 19:47 < krzie> =] 19:53 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 19:55 < dan__t> man 19:55 < dan__t> i'm done working in like 5 mins 19:55 < dan__t> I'm going to get krunk. 19:55 < dan__t> I found a place that I can walk to that has Boddingtons on tap. 20:04 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:04 < troy-> krzie, how can i run openvpn as non-root? 20:04 < krzie> must START it as root 20:04 < krzie> but can drop privs immediately after 20:04 < troy-> how do i do that? 20:05 < krzie> --user --group and some persist options 20:05 < krzie> persist-key and persist-tun iirc 20:05 < krzie> lets see 20:05 < krzie> !sample 20:05 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 20:05 < krzie> user vpn 20:05 < krzie> group vpn 20:05 < krzie> persist-key 20:05 < krzie> persist-tun 20:05 < krzie> yup 20:06 < troy-> so in server.conf 20:06 < krzie> in whatever conf you want to run as non-root 20:06 < krzie> i do it on all 20:07 < krzie> (note, this isnt for windows) 20:07 < krzie> win is done differently 20:07 < troy-> server is on linux :) 20:08 < krzie> thats good for the server, i dont run it as root on any sides 20:08 < krzie> server or clients 20:08 < troy-> thanks krzie 20:08 < krzie> basically, i never run anything as root unless i have a reason to run it as root 20:08 < krzie> np 20:09 < troy-> krzie, i had to do it so ident would show up as that user 20:12 < krzie> ya, not a good nuff reason for me 20:12 < krzie> if i irc through my socks my ident is 'nobody' 20:12 < krzie> im ok with that 20:13 < krzie> more ok than giving up running it in a sandbox at least 20:13 < krzie> but thats a decision for each admin to make 20:13 < epaphus> krzee, if I want other people to use my client to connect through my vpn... the best way to do such thing would be to put in a second NIC and nat the traffic through tun0 ... and perhaps install a dhcpd also... right.... thats one way... ? 20:14 < krzie> why a second nic? 20:14 < krzie> werd 20:15 < epaphus> well.. thats how I usuallly share my internet.. 20:15 < epaphus> what other way can I let many users go out through the internet via my vpn? 20:16 < krzie> by giving them certs to connect to it 20:16 < krzie> its already setup 20:20 < epaphus> well yeah.. but that way its not transparent to them 20:20 < epaphus> if they use me as their gateway 20:20 < epaphus> then they dont have option 20:23 < krzie> im missing what you plan on having 20:23 < epaphus> I was planning on having the clients use my machine as their internet gateway 20:23 < krzie> you saying other people on your server's lan? 20:24 < epaphus> yes 20:24 < epaphus> so they are always connected to the LAN 20:24 < krzie> are they plugged in to the lan or you want them to be, but through the vpn 20:25 < epaphus> i want to make it so .. when they plugin to the LAN they are already connected to the VPN.. regardless of any config on their pc 20:26 < krzie> ok im still missing the point, you are basically answering yes to 2 totally different questions 20:26 < krzie> are they remote and you want them to access the lan over the vpn 20:26 < krzie> or are they local and you want them to access the inet over the vpn? 20:27 < epaphus> second choice 20:28 < krzie> ok grab another nic, make a new subnet for it 20:28 < epaphus> listening.. 20:29 < krzie> they are on the same lan as the client, right? 20:29 < epaphus> correct 20:29 < krzie> scratch the new nic 20:29 < epaphus> ok... 20:29 < krzie> put them on the same lan as the client 20:29 < epaphus> go on please..
20:29 < krzie> give that client an iroute entry in a ccd entry 20:29 < krzie> for its lan 20:30 < krzie> their default gateway should be your client 20:30 < epaphus> what do you mean when you say " give that client" you mean.. taje the IP of the PC and put it in the ccd 20:30 < krzie> and your server needs to NAT the client's lan ips as well 20:30 < krzie> !ccd 20:30 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 20:30 < krzie> !iroute 20:30 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 20:31 < krzie> in addition to that, the server will need a route entry for the client lan 20:31 < krzie> just like in !route 20:31 < krzie> its basically just !route plus a default gateway change and a nat entry 20:31 < krzie> (both of which are outside openvpn) 20:32 < epaphus> a nat to where from where.. 20:32 < krzie> just like you nat the vpn network 20:32 < krzie> except now you'll nat the client lan network 20:32 < krzie> (as well) 20:32 -!- aluis__ [n=aluis@g227114042.adsl.alicedsl.de] has joined ##openvpn 20:32 < epaphus> the nat i did was on the server.. the client has no nats right now 20:33 < krzie> and that will remain the same 20:33 < krzie> the packets will still have SRC address of client lan when they get to the server, and the server will nat that 20:33 < krzie> better than a double-nat 20:33 < krzie> what you were thinking would work as well, but be more complicated 20:33 < epaphus> so that means that the PC would have to have a new gateway which I need to give it. 
20:34 < krzie> unnecesarily more complicated 20:34 < krzie> what? 20:34 < krzie> "the pc"... we're talking about a minimum of 3 machines currently 20:34 < epaphus> yes. 20:34 < krzie> talk clearly pls 20:34 < epaphus> ok... 20:36 < epaphus> we have the PC that i want to connect through the client to the VPN. 20:36 < krzie> wow i wish you had started with that sentance 20:36 < krzie> ! 20:36 < krzie> much better =] 20:36 < epaphus> iam asking, in the PC.. the current gateway is 192.168.1.1 , which is currently a router with regular access to the internet 20:37 < epaphus> my client (the vpn client) has .5 20:37 < krzie> right, the PC will need the client as its gateway 20:37 < epaphus> got it 20:37 < epaphus> ok 20:37 < epaphus> one min to think hehe 20:37 < krzie> ;] 20:37 < krzie> thats the easy way 20:37 < krzie> other option is to get another nic, and setup a whole other network 20:38 < krzie> they'll both work, depends on your needs 20:38 < krzie> if you go with the other network the nic goes to a switch 20:38 < epaphus> that would be pointless though 20:38 < epaphus> this is so much fun :P 20:38 < krzie> and you run dhcpd on it 20:38 < epaphus> right 20:38 < krzie> to auto-assign the gateway, dns, ip 20:38 < krzie> with a totally new subnet 20:38 < krzie> (but pointless if only 1 machine) 20:38 < krzie> the point comes when you want 2 totally seperate lans 20:39 < krzie> or maybe if there were 10 machines on each, easier administration 20:40 < epaphus> i can still have 50 machines on the same NIC.. i can even run dhcpd based on the MAC to configure those... 20:40 < epaphus> or static 20:40 < krzie> guess so, although wouldnt the other dhcp server answer too? 20:40 < krzie> or do you have fine grained enough control on that one to make it ignore some 20:41 < epaphus> i think i can do that 20:41 < epaphus> iam sure i can 20:41 < epaphus> discriminate (sp?) 
20:41 < krzie> cool 20:42 < krzie> whatever makes you happy 20:42 < krzie> personally ild go with separate lans before setting up something like that 20:42 < krzie> the words admin nightmare come to mind 20:42 < epaphus> a little cleaner, right? 20:42 < krzie> totally 20:42 < epaphus> yeah... 20:42 < krzie> BUT 20:42 < krzie> like i said, if its only 1 or 2 machines 20:42 < krzie> just set their ip / gateway / dns manually 20:42 < epaphus> its 40 hehehehe 20:42 < krzie> get a nic and a switch 20:43 < krzie> thats like $20 20:43 < epaphus> ok ill do the clean way 20:43 < epaphus> i understand everything.. except the part of the nat.. what exactly am I natting? 20:45 < krzie> the subnet you create for the clients 20:45 < krzie> you will buy a nic, and make it like 192.168.50.1 20:45 < krzie> where 50.1 is NOT being used yet 20:45 < krzie> then its lan gets 50.x 20:45 < krzie> you will nat 50.x on the vpn server 20:46 < krzie> but ONLY after you setup !route 20:46 < krzie> !route 20:46 < epaphus> the vpn server is to tun, right? 20:46 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:46 -!- nemysis [n=nemysis@194-1.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 20:46 < krzie> pretend 192.168.1.0 in my example is 50.0 in our conversation 20:47 < krzie> the vpn server is to tun, right? 20:47 < krzie> huh 20:47 < krzie> ? 20:47 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has joined ##openvpn 20:47 < krzie> you must talk clearly for me to understand 20:47 < epaphus> I nat the new subnet to tun , or to the first NIC on my client? 
20:47 < krzie> on the server you currently have a nat setup 20:47 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has quit ["leaving"] 20:48 < krzie> do the EXACT same thing you did, but with the new subnet you create instead of the vpn subnet 20:48 < epaphus> oki 20:48 < epaphus> and route 20:48 * krzie thinks you dont fully understand what you were doing when you set it up, cause its the EXACT same thing 20:48 < epaphus> also ccd? or not in this case.. right? 20:48 < krzie> yes in this case, go read !route 20:48 < epaphus> i do, believe me.. i had to do the firewall from zero 20:48 < epaphus> oki 20:48 < epaphus> thanks 20:49 < krzie> and 20:49 < krzie> pretend 192.168.1.0 in my example is 50.0 in our conversation 20:49 < krzie> 50.0 being the subnet you are about to invent 20:49 < epaphus> understood 20:49 < krzie> you however can skip 1 thing in there 20:50 < krzie> push "route 192.168.1.0 255.255.255.0" 20:50 < krzie> you dont need that unless you have more clients connecting from elsewhere that need communications with your new lan 20:50 < epaphus> oki 20:50 -!- aluis_ [n=aluis@78.52.30.238] has quit [Read error: 110 (Connection timed out)] 20:53 < epaphus> for now iam going to save this conversation.. and try to learn how to connect my linux ubuntu into the obsd... i saw some differences in the client.conf defaults... 20:54 < krzie> screw the defaults 20:54 < krzie> it should just work 20:56 < epaphus> out of curiosity... how would the server react if two clients have the same cert? 
iam lazy to do a cert LOL 20:58 -!- Dougy[home] [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 20:58 < Dougy[home]> Hey all 20:58 < epaphus> hi 20:58 < Dougy[home]> sup 20:59 < krzie> sup doug 21:00 < krzie> ltns 21:00 < Dougy[home]> hey krzie 21:00 < Dougy[home]> i heard that 21:00 < Dougy[home]> how goes it 21:00 < krzie> good man, put together my new quad core last night 21:00 < Dougy[home]> awesome 21:00 < krzie> recompiled the kernel on my NFS overnight so i can burn the osx86 dvd 21:00 < Dougy[home]> I bought a server last night 21:00 < krzie> so when i get home ill play with that 21:01 < Dougy[home]> i got a hella deal 21:01 < krzie> after a lil hash of course 21:01 < krzie> lets hear it 21:01 < Dougy[home]> dual xeon 3.2, 1gb ram, 2x80gb hard drive 21:01 < Dougy[home]> in a SuperMicro 4 sata hotswap case 21:01 < Dougy[home]> with a 500 watt psu 21:01 < Dougy[home]> for $155 shipped 21:01 < krzie> WTF 21:01 < krzie> how do you always get these deals 21:01 < krzie> im jealous like half the time we talk 21:01 < krzie> lol 21:01 < Dougy[home]> ebay 21:02 < Dougy[home]> i got 21:02 < krzie> its a rackmount? 21:02 < Dougy[home]> yes 1u 21:02 < Dougy[home]> 2x hotswap, pentium 4 3.0, 2gb ram 21:02 < krzie> damn bro 21:02 < Dougy[home]> 2xhotswap 21:02 < krzie> savage 21:02 < Dougy[home]> for $105 21:02 < Dougy[home]> krzie: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&ssPageName=STRK:MEWNX:IT&item=230334825480 21:02 < vpnHelper> Title: Supermicro 1U Dual Xeon 3GHz 1GB DDR266 80GB Server - eBay (item 230334825480 end time Apr-08-09 15:34:10 PDT) (at cgi.ebay.com) 21:03 * krzie hacks dougy's ebay and changes the shipping address 21:03 < Dougy[home]> krzie: send me $25 21:03 < Dougy[home]> and you can have all the guts of it 21:03 < Dougy[home]> all i want is the case 21:03 < Dougy[home]> mobo, harddrive, memory, ipmi card 21:03 < Dougy[home]> all yours 21:03 < krzie> you're kidding me? 
21:03 < Dougy[home]> for 25 bux 21:03 < Dougy[home]> id rather say 50 bucks 21:03 < Dougy[home]> but 25 sure ill give you it 21:03 < Dougy[home]> i mean the case new is $400, so i got a heller deal on it 21:03 < krzie> shit if i can buy a case and send that to you to toss it in, ill take that for sure 21:03 < Dougy[home]> yea sure 21:03 < krzie> im in another country so shipping back and forth wouldnt work 21:04 < Dougy[home]> if you wanna do 50bux go for it 21:04 < Dougy[home]> i will see 21:04 < Dougy[home]> if i can klepto some more ram for it 21:04 < Dougy[home]> y'know.. like make it 4 gigs or some shit 21:04 < krzie> sickness 21:04 < Dougy[home]> but id def like to ask for 50 at that point 21:04 < krzie> for sure 21:04 < Dougy[home]> but yah, tis yours for that 21:04 < Dougy[home]> albeit you will need a decent little case for that 21:04 < Dougy[home]> it wont run on a 260 watt psu 21:04 < Dougy[home]> you'll def need 400 21:05 < krzie> dual cpu, for sure it dont do 250 21:05 < Dougy[home]> yea 21:05 < Dougy[home]> those old cpu's are power whores 21:05 < Dougy[home]> I ran a dual 3.2 with 4gb ram on 350 21:06 < krzie> i have a box sitting at ecrists house with no purpose, not rackmount tho 21:06 * Dougy[home] is trying to rent out vps's and servers and not doing too well 21:06 < krzie> maybe ill kick that into the deal for ya, im sure you'd find something to do with it 21:06 < Dougy[home]> id offer you colo too but i can only offer you it at the price i get it for 21:06 < krzie> ya thats a saturated market 21:06 < Dougy[home]> and probably too much for your blood 21:07 < krzie> very likely 21:07 < krzie> i get too good of deals 21:07 < Dougy[home]> i get offered stuff now and again 21:07 < Dougy[home]> so krzie 21:07 < krzie> ie: i have 2 100mbit boxes i pay $500/yr for 21:07 < Dougy[home]> im lead bidder right now on.. 
21:07 < krzie> (total, not each) 21:07 < Dougy[home]> Pentium 4 3.0 ghz 21:07 < Dougy[home]> 2gb ram ,2x36gb hd 21:07 < Dougy[home]> 2 hotswap case 21:07 < Dougy[home]> top bid is currently $0.99 :] 21:08 < krzie> damn, no minimum 21:08 < krzie> ? 21:08 < Dougy[home]> nope 21:08 < Dougy[home]> i won the other one for $35 21:08 < Dougy[home]> same spec 21:08 < krzie> i hope theres no snipers and you pay $1 21:08 < krzie> damn bro 21:08 < Dougy[home]> 2x supermicro hotswap, 250w psu 21:09 < dan__t> computars? 21:09 < dan__t> wher?!!!?// 21:10 < krzie> lol 21:10 < krzie> all your <$100 cpu belong to doug 21:11 < Dougy[home]> lol 21:13 < Dougy[home]> i have a bunch of socket 478 p4's on my desk 21:13 < Dougy[home]> and at work i have like 21:13 < Dougy[home]> 20 P4SGA+'s (478 p4's) 21:13 < dan__t> I'm waiting for the girl to get here so we can go get fucked up. 21:13 < krzie> dan__t dont forget to take nekkid pics of her and post them for us 21:14 < krzie> she wont care when shes all hammered 21:14 < krzie> :-p 21:14 < dan__t> word. 21:15 < Dougy[home]> lol 21:15 < Dougy[home]> man 21:15 < Dougy[home]> so does anyone need a vps? 21:15 < Dougy[home]> $5/mo ! 21:15 < Dougy[home]> sorry kids, no bsd yet 21:16 < krzie> no bsd == no krzee 21:16 < krzie> hehe 21:16 -!- _Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 21:16 < dan__t> centos? 21:16 < dan__t> can I use them for hardcore blackhat SEO? 21:16 < krzie> whats SEO? 21:16 < Dougy[home]> search engine optimziation 21:16 < Dougy[home]> optimization 21:16 < Dougy[home]> blackhat seo.. 
bastard 21:17 < dan__t> heh 21:17 < dan__t> whatever's clever 21:17 < dan__t> so that's a no eh 21:17 < Dougy[home]> i don't even know what it is 21:17 * Dougy[home] googles 21:17 < dan__t> don't worry 21:17 < dan__t> its cool 21:17 < Dougy[home]> oh 21:17 < Dougy[home]> never mind the googling 21:17 < Dougy[home]> i recognize the term now 21:17 < Dougy[home]> def not :p 21:17 < dan__t> why not 21:17 < Dougy[home]> that is dirty 21:18 < krzie> rigging search results? 21:18 < Dougy[home]> right 21:18 < krzie> gotchya 21:18 -!- huslu_ [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has joined ##openvpn 21:18 < krzie> can i use it to sell my viagra to people that didnt sign up for my emails? 21:18 < krzie> 21:18 < dan__t> Where in CO are you, huslu_? 21:18 < dan__t> heh 21:19 < dan__t> i finally un-fucked whmcs 21:19 < dan__t> Only took like... I don't know, three days. 21:19 < dan__t> :/ 21:19 < Dougy[home]> whmcs 21:19 < Dougy[home]> is ok 21:19 < dan__t> Its the shit. 21:19 < Dougy[home]> i use it, but id rather use something else 21:19 < dan__t> Everything else sucks. 21:19 < Dougy[home]> but there isnt much better 21:19 < dan__t> There you go. 21:19 < Dougy[home]> not for automated anything 21:19 < Dougy[home]> imo 21:20 < Dougy[home]> freshbooks is great for a third party one 21:20 < dan__t> automated billing, yes. 21:20 < Dougy[home]> i would use it, but too lazy to move 21:20 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: jameswhite, kraut, huslu, Dougy 21:20 -!- _Dougy is now known as Dougy 21:21 < dan__t> eh. 21:21 < dan__t> alright, i need to get in the shower. 21:21 < dan__t> later, kids. 
21:21 < krzie> adios 21:21 < Dougy[home]> get out of here 21:23 < Dougy[home]> krzie i got something for you 21:23 < Dougy[home]> hold 21:23 < Dougy[home]> here 21:23 < Dougy[home]> http://cgi.ebay.com/Silicon-Mechanics-2-x-AMD-Opteron-246-2-0-GHz-1U-Server_W0QQitemZ190290736825QQcmdZViewItemQQptZCOMP_EN_Servers?hash=item190290736825&_trksid=p3286.c0.m14&_trkparms=72%3A1234%7C66%3A2%7C65%3A12%7C39%3A1%7C240%3A1318%7C301%3A1%7C293%3A1%7C294%3A50 21:23 < vpnHelper> Title: Silicon Mechanics 2 x AMD Opteron 246 2.0 GHz 1U Server - eBay (item 190290736825 end time May-01-09 16:37:37 PDT) (at cgi.ebay.com) 21:23 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 21:24 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Killed by sagan.freenode.net (Nick collision)] 21:24 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has joined ##openvpn 21:24 -!- huslu [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has joined ##openvpn 21:24 -!- jameswhite [n=james@fapestniegd.jameswhite.org] has joined ##openvpn 21:25 < krzie> moin kraut 21:25 -!- kraut_ [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 21:25 < Dougy[home]> krzie: check that out 21:25 < krzie> my client im on can only click 1 line 21:25 < krzie> then i have to paste the rest 21:25 < krzie> that one is 5 lines deep 21:25 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has quit [SendQ exceeded] 21:25 < Dougy[home]> grrmbl 21:25 < Dougy[home]> go to ebay 21:25 -!- kraut_ is now known as kraut 21:25 < Dougy[home]> search silicon mechanics 21:25 < Dougy[home]> you will see some bad ass deals 21:27 < krzie> shit you just reminded me bout a couple things i need to get 21:27 < Dougy[home]> like? 
21:27 < krzie> i need like 2 dvd burners and i saw a deal too good to passup on a TV 21:27 < krzie> like $350 for a 32" hdtv 21:27 < Dougy[home]> ah 21:28 < krzie> which im sure would make a nice computer monitor ;] 21:28 < krzie> http://www.onsale.com/shop/detail~dpno~7773760~descr~Westinghouse-322+720p+LCD+HDTV+with+Built-In+ATSCfNTSCfClearQAM+Tuner+-+Refurbished.aspx 21:28 < vpnHelper> Title: Westinghouse SK32H540S-R 32 720p LCD HDTV with Built-In ATSC/NTSC/ClearQAM Tuner - Refurbished (at www.onsale.com) 21:29 < epaphus> hey guys, how can I learn more about load balancing on OPenVPn? and how it is determined to "balance " ? 21:30 < krzie> what do you mean by that? 21:30 < Dougy[home]> krzie: did you go to ebay 21:30 < epaphus> well, I see that in the client.conf you can input several servers... to balance between the servers 21:30 < krzie> yup, didnt see anything too special 21:31 < krzie> blocks you mean? 21:32 < epaphus> # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote my-server-1 1194 ;remote my-server-2 1194 21:32 -!- huslu [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has quit [Connection timed out] 21:32 < epaphus> according to the example config in ubuntu for openvpn 2.1 21:34 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: dazo_gone, vlt, isox, kraut, ftp3, mtoledo`, xor|, pa, carpe_, worch, (+18 more, use /NETSPLIT to show all of them) 21:34 -!- ThoMe is now known as thomas 21:34 < krzie> havnt read much on it but i believe it just tries them in order til one works, unless you use remote-random or something like that to randomize it 21:34 < epaphus> krzee, do you know where i can read more? 21:34 < krzie> you use openbsd, prolly would enjoy learning about CARP more 21:34 < krzie> yes i do! 
21:34 < krzie> !man 21:34 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:34 < krzie> the same place you can learn about everything else in openvpn, the manual! 21:35 -!- Netsplit over, joins: tarbo2, troy-, kraut, aluis__, carpe_, Bushmills, isox, kaii, karlpinc, dazo_gone (+18 more) 21:35 -!- thomas [n=tm@tm.muc.de] has quit [Killed by sagan.freenode.net (Nick collision)] 21:36 -!- ThoMe [n=tm@tm.muc.de] has joined ##openvpn 21:36 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: tarbo2, troy- 21:39 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 21:43 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 21:44 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [SendQ exceeded] 21:45 < epaphus> krzee, do you think CARP would apply to this? 21:45 < epaphus> i dont know carp 21:48 < krzie> CARP is for automated local failover 21:48 < krzie> its one of the great things to come from obsd 21:48 < krzie> fbsd has it now so :-p 21:54 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Solver, HardDisk_WP, infinity_ 21:55 -!- Netsplit over, joins: infinity_ 21:56 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn 21:56 -!- Solver [n=robert@99.229.28.193] has joined ##openvpn 22:02 < Dougy[home]> krzie 22:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 22:05 < krzie> dougy 22:05 < Dougy[home]> i am a dirt bag 22:08 < krzie> me too, its fun isnt it 22:09 < Dougy[home]> krzee 22:09 < Dougy[home]> look what im doing on my 45/mo colo 22:09 < Dougy[home]> http://www.upload3r.com/serve/110409/1239505080.png 22:09 < Dougy[home]> krzie * 22:13 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 22:17 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 22:21 -!- Dougy[home[ [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 22:22 < krzie> im krzee too, 
same thing 22:22 < krzie> damn, you're using that sucker 22:22 < epaphus> Iam reading through the options of the OpenVPN client.conf.. there is a part where you can specify if you want to connect through a http proxy... I cant imagine any logic in regards to that... i mean are they expecting to channel it through something like squid? 22:23 < krzie> epaphus some companies ONLY allow outbound connections through http proxy 22:23 < krzie> (like squid) 22:23 < Dougy[home[> lol 22:23 < Dougy[home[> krzie: i know 22:23 < Dougy[home[> im a dick tho 22:23 < Dougy[home[> lol 22:24 < krzie> i almost never use that much BW on my colos 22:24 < krzie> i certainly dont sustain it 22:24 < krzie> and they dont even check my usage 22:24 < Dougy[home[> well 22:24 < epaphus> this may be off topic but.. can squid actually support tcp traffic like the one for the VPN? hell i think squid cant even proxy SSL 22:24 < Dougy[home[> i sponsor a bunch of open source projects on it 22:25 < Dougy[home[> none of which im gonna share 22:25 < krzie> epaphus ive never tried, dunno... but i suspect some can or it wouldnt be there 22:25 < Dougy[home[> if anyone wants a VPS 22:25 < epaphus> ohh well :) 22:25 < krzie> open source + not share 22:25 < Dougy[home[> perfect for openvpn 22:25 < Dougy[home[> $5/month 22:25 < krzie> seems like a contradiction 22:26 < Dougy[home[> by not share 22:26 < Dougy[home[> i mean not sharing that i host them 22:26 * krzie pegs 400mbit on his vps from dougy 22:26 < Dougy[home[> they dont want people to know 22:26 < epaphus> btw off topic too... do you think there is really value to a quad core.. in comparison to the productivity versus the price..? or its just like a gift... 22:26 < Dougy[home[> krzie: you will get a bill for that 22:26 < Dougy[home[> at $20/Mbps 22:26 < krzie> come find me! 
22:27 < krzie> epaphus, depends on what is needed for the job of the server 22:27 < krzie> if you are video rendering, definitely 22:28 < krzie> if you are running openvpn, absolutely not 22:28 < epaphus> hmm, yeah iam pretty self centered sometimes.. you're right. i dont do any of that stuff 22:29 < epaphus> I remember the days when I hosted a website with thousands of visitors per hour on a pentium III and i never had a problem 22:29 < epaphus> :P 22:30 < krzie> i put together my new quad core last night 22:30 < krzie> with 8GB ram 22:30 < epaphus> i heard... 22:30 < epaphus> nice 22:30 < krzie> but that will be my primary desktop 22:30 < krzie> and i use my stuff =] 22:30 < troy-> krzie, nice. 22:30 < troy-> mine only has 4G ram but upgradable to 8G 22:31 < krzie> i believe i could use 16GB 22:31 < krzie> 4x4gb 22:31 < krzie> but seriously, why 22:31 < krzie> lol 22:32 < epaphus> ohh well, no further comments :P 22:37 < troy-> krzie, what kind of throughput do you get on your tunnels? 22:38 -!- Dougy[home] [i=doug@64-18-144-2.ip.bergenhosting.com] has quit [Remote closed the connection] 22:39 < krzie> *shrug* never been unhappy with it 22:39 < troy-> but sever hundred Kbps 22:39 < troy-> err several hundred KBps 22:39 < krzie> megabytes / sec 22:39 < troy-> krzie :P 22:40 < troy-> i cant figure out why mine is so low 22:40 < krzie> didnt you say yours was tcp? 22:40 < troy-> yes, but i've tried UDP as well with similar results 22:40 < krzie> dunno 22:41 < krzie> maybe someone in between does funny mtu stuff 22:41 < troy-> without the VPN between same hosts i get MB/s 22:42 < krzie> what do you use the vpn for? 22:42 < troy-> transferring backups 22:42 < krzie> maybe you would get better results with a ssh tunnel or socks server 22:42 < krzie> or scp even 22:46 < troy-> yeah, might be a good idea 22:48 < krzie> also, did you change the encryption method for the channel? 
22:48 < krzie> or is it using the default (blowfish) 22:49 < krzie> that could make a lil diff, i use blowfish 22:49 < krzie> but for offsite backups ild just use scp 22:50 < krzie> which uses ssh for encryption 22:50 < troy-> yep 22:50 < troy-> lemme check 22:50 -!- theDoc [n=andelyx@bb116-15-5-216.singnet.com.sg] has joined ##openvpn 22:51 < troy-> krzie, i dont see any reference to crypt in server.conf 22:51 < Dougy[home[> pastebin 22:51 -!- Dougy[home[ is now known as Dougy[home] 22:51 < krzie> k its prolly blowfish then 22:51 < troy-> ah its Dougy[home] :P 22:51 < Dougy[home]> WHERE 22:51 < krzie> if you didnt change it its blowfish 22:51 < krzie> anyways, test it with scp 22:51 < Dougy[home]> You are now logged in. (id Dougy, username i=doug, hostname 64-18-144-2.ip.bergenhosting.com) 22:51 < Dougy[home]> w00t 22:51 < troy-> makes sense 22:51 < krzie> the speed 22:53 < epaphus> --remote-random 22:53 < epaphus> When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure. ... "BASIC" .. it was too good to be true :P 22:53 < epaphus> but its a neat option 22:54 < krzie> i guess 22:54 < krzie> nothing i see myself ever using 22:55 < epaphus> its neat when you have 50 clients 22:55 < epaphus> or more.. 22:56 < epaphus> problem is.. if one of those servers acts up.. example it has a slow link.. its may be hard to diagnose which one it is because they will change so rapidly... 22:56 < epaphus> i can imagine random people saying .. my connection is slow, ohh now it isnt, now it is.. now it isnt 22:57 < krzie> i dont think you understand 22:57 < krzie> it doesnt change moment to moment 22:57 < krzie> it randomizes which server you connect to 22:57 < epaphus> ohhhhh it changes once per client 22:57 < epaphus> ohhh.. 
22:57 < Dougy[home]> fail 22:57 < krzie> LOL 22:57 * Dougy[home] high fives krzie 22:58 < epaphus> oh okie :) 22:58 < krzie> ^5 22:58 < Dougy[home]> i wanted to say 22:58 < Dougy[home]> pound it 22:58 < Dougy[home]> but that sounds so flamingly 22:58 < Dougy[home]> bad 22:58 < Dougy[home]> i didnt 22:58 < krzie> shamrock vs diaz fight is bout to start 22:58 < krzie> so ill be idle 22:58 < Dougy[home]> k 22:58 < Dougy[home]> bed time 22:58 < Dougy[home]> ciao childs 22:59 < krzie> childs, lol 22:59 < krzie> can you even drive yet!? 23:00 < Dougy[home]> yes 23:00 < krzie> legally 23:01 < krzie> ;] 23:01 < Dougy[home]> yes$ 23:01 < Dougy[home]> yes 23:01 < krzie> ;] 23:01 < krzie> lol 23:01 < krzie> im just fuckin with ya too, youre more mature than many on irc 23:01 < Dougy[home]> dont push it now 23:01 < Dougy[home]> lol 23:02 < krzie> ~lotta lolcats here 23:04 < epaphus> wow... traffic shaper is very neat... :) 23:14 < epaphus> anyways... could somebody provide me an example of how to send a SIGNAL to openvpn ... iam not quite sure.. ? 23:17 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has joined ##openvpn 23:17 < lepine> !topology 23:17 < vpnHelper> lepine: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 23:18 -!- mtoledo`` [n=user@189.102.205.95] has joined ##openvpn 23:20 -!- Dougy[home] [i=doug@64-18-144-2.ip.bergenhosting.com] has quit [] 23:23 < lepine> I've been playing around with tunnelling w/ openvpn these past few days ... 23:23 < lepine> is a 40% throughput hit normal? 23:23 < lepine> my server is my web server from which i can saturate my home connection 23:24 < lepine> but when doing speedtests, i'm getting 3mbps instead of 5 23:27 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 23:28 < epaphus> hey guys... 
now iam proceeding on setting up a client with OpenVPN 2.1 on Ubuntu. When i run the openvpn --config client.conf command... the prompt returns again to input and no process is generated. Also the /var/log/messages doesnt change... how could I troubleshoot this? 23:28 < lepine1> Sorry, there was an obvious error in my ways. I connected to my vpn (and timed out on irc ... i kept writing until i noticed) ... 23:29 < lepine1> I was using speedtest.net to test, instead of my usual server ... 23:29 -!- mtoledo` [n=user@189.102.205.95] has quit [Read error: 113 (No route to host)] 23:29 < lepine1> the throughput hit is approx. 15% ... is that normal? Could a better server make it better? 23:30 < lepine1> epaphus: there *is* a verbosity setting somewhere 23:30 < epaphus> verb is set to 6 23:30 < lepine1> oh, that's high enough for me 23:31 < epaphus> and for me :P 23:31 < lepine1> do excuse me ... i'm quite the noob 23:32 < lepine1> to either openvpn, openssl, pki, or even encryption! 23:34 < lepine1> could someone point me towards a decent document that will teach me how to generate a private key ... and csr? 23:35 < lepine1> and hopefully will get me up to speed on this whole encryption/pki thing? 23:38 < krzee> epaphus, are you starting it as root? 23:38 < epaphus> krzee, yes iam 23:38 < krzee> lepine: 23:38 < krzee> !ssl-admin 23:38 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 23:39 < krzee> for an alternate package for generating them that is SIMPLE 23:39 < krzee> or the howto for the easy-rsa way 23:39 < krzee> ssl-admin makes it easier, assuming you arent doing it on windows 23:43 < epaphus> no suggestions anybody ? 
:) 23:44 < krzee> nope, read your logs 23:44 < krzee> !route 23:44 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 23:44 < krzee> (that was for me) 23:44 < krzee> (mail list reply) 23:44 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has quit [Read error: 110 (Connection timed out)] 23:45 < epaphus> krzee, well... the logs /var/log/messages doesnt have anything when i startup openvpn 23:45 < epaphus> or try to 23:46 < lepine1> krzee: thanks, reading 23:47 -!- theDoc [n=andelyx@bb116-15-5-216.singnet.com.sg] has quit [] 23:47 < lepine1> can one generate keys on a machine other than the ones they will be used on? 23:47 < lepine1> there's a tool in gnome called tinyca 23:49 < krzee> yes, its the normal way 23:50 < krzee> i know nothing about tinyca, but more often than not keys are generated in a secure place away from the vpn 23:50 < krzee> at my house its done on a machine that gets no interaction with the inet 23:51 < krzee> ca.key is the cornerstone of secure certs 23:51 < lepine1> right 23:51 < lepine1> the one thing i'm still not sure about is how to revoke keys ... or how that works 23:51 < krzee> i use ssl-admin 23:51 < lepine1> in that page you linked ... 23:51 < krzee> it generates the crl for you when you need it 23:51 < lepine1> it mentions a URI for revoked crts ... 23:51 < krzee> and it keeps track of client certs 23:52 < krzee> honestly i have no clue what that does 23:52 < krzee> ive never revoked a cert 23:52 < krzee> never needed to, lol 23:52 < krzee> ecrist would know tho when hes in 23:52 < lepine1> does that mean a certificate will *always* be valid (minus the timeframe) ... but clients must check on that revoked cert list to check first? 
23:52 < krzee> since he coded ssl-admin 23:52 < krzee> clients dont check it 23:52 < krzee> server does 23:52 < krzee> to decide if the client is valid 23:52 < lepine1> right, i meant client as user of the pki 23:55 < lepine1> krzee: if you're generating *keys* on another machine, you still have to transmit it ( and store it ) on the machine for which it's destined ... what's the security advantage here? 23:59 < krzee> because the ca.key is safe 23:59 < krzee> which is what REALLY matters 23:59 < lepine1> yes, that i can see 23:59 < krzee> if i get your ca.key, your whole pki setup is screwed 23:59 < lepine1> but generating client keys ... --- Day changed Sun Apr 12 2009 00:00 < krzee> anything else you can fix 00:00 < lepine1> or did i misunderstand you 00:00 < krzee> pki's security rests upon a safe ca.key 00:00 < krzee> you can have clients make their own csr 00:00 < krzee> they send to you 00:00 < krzee> you take to CA server in secure location 00:00 < krzee> sign it 00:00 < krzee> send them their .crt over encrypted channel 00:00 < krzee> and its fine 00:01 < lepine1> ok cool, that makes sense 00:01 < krzee> csr can be sent any way 00:01 < krzee> crt should be kept safe 00:01 < krzee> ca.key should have an armed guard ;] 00:01 < lepine1> sneaker-net basically 00:08 < lepine1> can openvpn handle 4096 bit keys? 00:08 < lepine1> it's the default value in tinyca 00:11 < krzee> i use them 00:11 < lepine1> alrighties 00:12 < lepine1> do you make use of sub-ca's? 00:12 < krzee> one thing tho, not a whole lot of testing some of these algorithms at 4096 has gone on 00:12 < krzee> so for all we know we could be making them less secure by going to 4096 00:12 < lepine1> i assume that using them is a good idea ... since a sub ca being compromised doesn't compromise the whole PKI ... 
just what's under that sub-ca 00:13 * krzee thinks back to an XOR encryption that you just had to XOR the contents against itself to get the unencrypted text 00:13 < krzee> no i dont 00:13 < lepine1> lol 00:13 < krzee> and ive seen people with problems from using them 00:13 < lepine1> but is that the advantage, at least on paper? 00:15 < lepine1> sorry, i don't mean to monopolize your time ... it's just how i learn ... think out loud with people that are better than me, and question everything ... 00:18 < krzee> no 00:18 < krzee> thats not the point of a sub-ca 00:18 < krzee> its no more secure 00:18 < lepine1> oh 00:18 < lepine1> then what is the point? administrative convenience? 00:18 < krzee> yes 00:18 < krzee> im sure google will explain 00:19 < lepine1> added to the 'to google' queue 00:19 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 00:30 < krzee> !freebsd 00:30 < vpnHelper> krzee: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 00:35 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: vlt, ftp3, CybDev, ]Sintax[, kraut, reiffert, Typone 00:37 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [Client Quit] 00:38 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 00:38 -!- Typone [n=itsme@195.197.184.87] has joined ##openvpn 00:38 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 00:38 -!- ]Sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn 00:38 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 00:38 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 00:38 -!- CybDev [n=cybdev@unaffiliated/cybdev] has joined ##openvpn 00:49 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: vlt, ftp3, CybDev, ]Sintax[, kraut, reiffert, Typone 00:50 -!- Netsplit over, joins: kraut, Typone, vlt, ]Sintax[, ftp3, reiffert, CybDev 01:08 -!- lepine1 
[n=leprecha@ip-70-38-54-219.static.privatedns.com] has quit [Connection timed out] 01:12 -!- ]Sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has quit [] 01:13 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has joined ##openvpn 01:17 < lepine> what does this mean: Sun Apr 12 02:22:46 2009 us=717749 Cannot load certificate file /path/to/file.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib 01:23 < krzee> it means your crt isnt actually located at /path/to/file.crt 01:23 < krzee> you might wanna put a real location 01:23 -!- burak575 [n=burak575@88.244.246.59] has joined ##openvpn 01:24 < Bushmills> krzee, do ou 01:24 < Bushmills> you ever sleep? 01:24 -!- burak575 [n=burak575@88.244.246.59] has left ##openvpn [] 01:25 < krzee> i was thinking that earlier 01:25 < krzee> decided on not really 01:25 < Bushmills> then "yes, usually at the end of the month" might be a suitable answer 01:26 < krzee> lol 01:26 < lepine> krzee: nm, my bad ... the file was there ... but it was an exported certificate, and not a pem or other such file 01:31 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 01:32 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [Client Quit] 01:35 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 60 (Operation timed out)] 01:37 < lepine> openvpn rocks 01:39 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 01:39 < lepine1> I'm loving openvpn ... 
01:40 < lepine1> i should have made this small investment in time years ago 01:40 < lepine1> god knows how many cons i've been to and either being stuck on links through ssh, or browsing normally and crossing my fingers 01:52 < krzee> through ssh isnt that bad if you do it right 01:52 < krzee> it creates a connection a socks proxifier can use 01:53 < krzee> so you can actually send basically anything over it 01:53 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has quit [Connection timed out] 01:53 < krzee> he'll ive sent voip over a correctly configured socks server even 01:54 < krzee> (not sure if ssh tunnel will do udp 01:54 < krzee> (not sure if ssh tunnels will do that or not tho) 01:54 < lepine1> oh, i was ssh'ing to a box, and using command line tools! 01:54 < lepine1> not using tunnels :P 01:54 < krzee> oh 01:55 < lepine1> go mutt and lynx! 01:55 < krzee> hah 01:55 < krzee> if you had ssh you had a secure proxy to use your normal browser 01:55 < lepine1> lynx really didn't like the Exchange Web Access though :P 01:55 < krzee> haha 01:55 < krzee> links might have handled that better too 01:55 < krzee> links behaves better for some of that stuff 01:56 < lepine1> well ... i sincerely doubt either links or lynx has any support for active x whatsoever :P 01:56 < lepine1> (ms don't try using xmlhttprequest) 01:58 < lepine1> anyway ... the reason i'm up in arms about tunnelling is to do it at work. I recently got a scare by talking to an ex-employee who stayed as a consultant, and mentionned my boss said he had a way of monitoring me ... 01:58 < lepine1> knowing my boss, as much as he would want to ... he was most likely bluffing 01:58 < lepine1> however, i won't take any chances 01:59 < lepine1> other than tunnelling through my vpn 01:59 < lepine1> what else should i consider? 01:59 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 01:59 < lepine1> i've got ubuntu installed on my machine ... 
but can't get it setup right (i would look like an idiot if i cant get my quad monitor setup correctly) 02:04 < krzee> how would you look admitting you're having problems doing something in ubuntu? 02:04 < krzee> 02:04 < lepine1> lol 02:05 < lepine1> well, quad monitors is a different ballgame 02:05 < lepine1> and quite frankly, i can't justify the time investment to hacking that just yet 02:05 < krzee> im sure it isnt that much different in the config files 02:05 < krzee> ild be shocked to find out it was 02:06 < lepine1> there's a reason why the config tools only support two monitors 02:06 < krzee> because its the windows of the linux world? 02:06 < lepine1> well, it's probably not that complicted 02:06 < lepine1> lol 02:06 < lepine1> i've got an nvidia card, with the nvidia driver 02:07 < krzee> good thing you're in linux, those drivers suck for freebsd cause its closed source 02:07 < lepine1> dual works on 2 monitors 02:07 < lepine1> then i've got an ati card, which i haven't tried configuring 02:07 < lepine1> (it's pci, also) 02:07 < lepine1> nvidia is pci-e 02:08 < lepine1> so i figured using xinerama to make a virtual screen with the nvidia + the two ATI ... 02:08 < lepine1> i'm sure it's something along those lines 02:09 < lepine1> perhaps i can bypass the nvidia twinview, and use xinerama all the way, on 4 screens instead of 3 ... 02:10 < lepine1> but on to my original question 02:10 < lepine1> how safe would i be from scrutiny if tunnelling with a vpn? 02:10 < lepine1> what other snooping vectors can you think of? 02:11 < lepine1> physical key loggers ... but that's obvious, and implies someone will take time to check what i'm typing, which is impossible given everyone in the office already works too much and don't want extra tasks :P 02:12 < lepine1> while sticking to windows, i'm open to software keyloggers ... 
screen caps 02:12 < lepine1> and other such things 02:13 -!- uned [i=uned@gateway/tor/x-e84019702922f89e] has joined ##openvpn 02:14 < uned> my provider uses bandwidth limiting per connection, so how do i get openvpn to connect to its client(s) through 20 tunnels simultaneously? 02:16 < lepine1> hmmm, that'd be a nice hack 02:16 < krzee> !mitm 02:16 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 02:16 < krzee> !servercert 02:16 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 02:16 < uned> lepine1: but difficult too? 02:16 < lepine1> probably noy 02:16 < lepine1> maybe you can get a proof of concept going with iptables 02:17 < krzee> !irclogs 02:17 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 02:18 < lepine1> or perhaps there's the possibility to bond the links 02:18 < uned> lepine1: could you help me? 02:18 < uned> iirc there are some ways to fuse two network interfaces into one 02:18 < lepine1> i'd be glad to help ... cant garantee to be much use though 02:18 < uned> is this what i'd need? 
02:19 < lepine1> yes 02:19 < lepine1> that would likely be the best option, vs some iptables hack 02:19 < uned> i think such a how-to would be a nice addition to an openvpn wiki 02:20 < lepine1> perhaps not very useful for 99.9% of people ... but certainly a nice feat indeed 02:20 < uned> so do i simply run the server twenty times on different ports and then fuse the interfaces? 02:20 < lepine1> no, you would be running 20 clients to one server 02:21 < uned> all 21 on just one computer? 02:21 < lepine1> or, actually, that could depend on your ISP's traffic shaping 02:21 < lepine1> but i would try 20 clients to one server first (much simpler) 02:21 < uned> all 21 on just one computer? 02:22 < lepine1> well, 20 clients on the client, 1 server on the server 02:22 < uned> on each client. i see 02:23 < lepine1> there's a server directive that says it can accept many connections with one same certificate 02:23 < lepine1> duplicate-cn i believe 02:23 < uned> oh, and another question: i have server, client1, client2 and a lot of traffic between client1 and client2. does that traffic have to pass through the server? 02:24 < lepine1> client1 and client2 being two different machines, yes 02:24 < uned> lepine1: i'm ok with running twenty clients with twenty different config directories and keys, only, won't they be very resource-uneconomical? 02:24 < lepine1> the tool you're looking for is most likely ifenslave 02:25 < lepine1> i don't know if openvpn will let you run more than one connection with the same config file 02:25 < lepine1> it would be a hassle if not 02:25 < lepine1> but atleast you don't necessarily have to do the same on the server 02:26 < lepine1> and you *can* use the same keys 02:26 < lepine1> what have you tried as of now? 02:26 < lepine1> openvpn is by default udp ... 02:26 < krzee> !ipp.txt 02:26 < vpnHelper> krzee: Error: "ipp.txt" is not a valid command. 
02:26 < krzee> !ipp 02:26 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 02:26 < lepine1> the first step i think would be really understanding your ISP's traffic shaping 02:27 < lepine1> does it really understand a connection? 02:27 < krzee> !iporder 02:27 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 02:27 < lepine1> or does it just assume anything from the same ip:port to the same ip:port is a connection? 02:27 < lepine1> or does it inspect packets and actually check if it's a connection 02:27 < krzee> !hmac 02:27 < lepine1> if it does that ... udp might not even be shaped at all 02:27 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 02:27 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 02:28 < uned> how can i get rid of some server traffic by making client1 and client2 communicate to one another separately, with only some very-low-traffic server supervision? 02:30 < lepine1> client1 and client2 being 2 different computers? 02:30 < lepine1> or just 2 instances of vpn connections on the same machine? 02:30 < lepine1> the later makes no sense to me, so i will assume the first 02:30 < lepine1> and in that case, i don't think it's possible 02:31 < uned> two different computers that happen to have more bandwidth available than the server (ironically, i know) 02:31 < lepine1> imagine the VPN being an ethernet cable ... and the server being a switch 02:31 < lepine1> it has to go through the switch 02:31 < uned> much more bandwidth available! 02:31 < lepine1> eh, weird 02:31 < uned> right 02:31 < uned> i knew it 02:32 < lepine1> well, you could always run a vpn between the two 02:32 < uned> i was hoping i could somehow make my vpn more flexible 02:32 < lepine1> maybe there's a way to make a mesh out of vpn'ed machines 02:32 < lepine1> but that's probably out of the scope of openvpn 02:32 < lepine1> but that could be a cool project 02:33 < lepine1> that'd be really cool 02:33 < lepine1> not terribly elegant or useful, but cool nevertheless 02:33 < uned> so i was hoping there was some way to use the server only for doing some authentication stuff and let the clients communicate to each other for the real heavy traffic 02:35 < lepine1> do you want tcp/ip connections specifically? 02:36 < lepine1> or just a way to exchange files? 
02:36 < lepine1> google said this: http://www.synacklabs.net/projects/cutlass/ 02:36 < vpnHelper> Title: Cutlass - Encrypted Peer-to-Peer communications (at www.synacklabs.net) 02:36 < uned> i'd prefer connections. that's be the most transparent so then i won't have to care about some per-situation challenges 02:37 < lepine1> yeah, so would i 02:37 < uned> s/that's/that'd/ 02:38 < lepine1> particularly relevant: http://www.mesh-networks.org/ 02:38 < vpnHelper> Title: Mesh Networks Research Group (at www.mesh-networks.org) 02:38 < lepine1> and mentions openvpn on the first page 02:39 < lepine1> wait, that's wireless 02:40 < uned> lepine1: then should i try to run every participating machine as both client and server simultaneously and use the ifenslave interface instead of the tuns? 02:40 < uned> do you think this would be the most transparent? 02:41 < krzee> [03:28] how can i get rid of some server traffic by making client1 and client2 communicate to one another separately, with only some very-low-traffic server supervision? 02:41 < krzee> totally doesnt exist in openvpn 02:41 < lepine1> krzee: yeah, we're discussing how one could do such a thing 02:41 < uned> krzee: and no workaround? 02:41 < krzee> none that have been made 02:41 < krzee> feel free 02:41 < lepine1> end result ... how does one make a mesh network with vpn's instead of wireless AP's 02:42 < krzee> my idea was to have a client request to the server to start the process between clients 02:42 < lepine1> totally doable ... 
but outside of the scope of openvpn per se 02:42 < krzee> server checks with the client if its ok (config option) 02:42 < krzee> if so the client sends some info to the server 02:42 < krzee> to start the new negotiation process 02:42 < krzee> so they can exchange keys and info beforehand in an already encrypted channel 02:43 < krzee> they could even both connect out to eachother to bypass NAT 02:43 < krzee> but im no coder 02:43 < krzee> feel free, like i said 02:43 < krzee> openvpn is open source, you're free to contribute 02:43 < uned> krzee: but how can the server start the process between clients? 02:44 < krzee> client1 tells server it wants a direct connect with client2 02:44 < krzee> server tells client2 02:44 < lepine1> krzee: am i crazy to think that a mesh made of vpn nodes on the internet would be awesome, eventhough it would be quasi useless? 02:44 < uned> krzee: i would only contribute utilities, not main code 02:44 < krzee> client2 says yes or no 02:44 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 02:44 < krzee> lepine1, i dont see how that could be built in with openvpn 02:44 < lepine1> on top of 02:44 < lepine1> you can be a client easy, and run a server 02:45 < krzee> doesnt seem too special to me 02:45 < lepine1> lol 02:45 < lepine1> all there is to figure out is the routing 02:45 < lepine1> and ip addressing 02:45 < krzee> !route 02:45 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:45 < lepine1> there are mesh routing protocols available 02:45 < krzee> !iporder 02:45 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool 
allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 02:45 < uned> is running 20 clients on one machine very resource-intensive? 02:45 < krzee> there you go, routing and ip addressing 02:46 < krzee> uned, depends on bandwidth usage, i cant give exact answers 02:46 < krzee> more bandwidth means more encryption going on 02:46 < krzee> so more cpu 02:46 < krzee> also depends on type on encryption im sure 02:46 < krzee> (for the communication channel only, blowfish by default) 02:47 < lepine1> krzee: those route pushes would have to change during the lifetime of the server though 02:47 < krzee> how so? 02:47 < lepine1> one can't expect all nodes of the mesh to come online at the same time 02:48 < krzee> im not talking about mesh 02:48 < lepine1> i was 02:48 < krzee> i dont care about it, want it, or see why it is needed 02:48 < krzee> hehe 02:48 < lepine1> lol, i don't see the point either, frankly ... but i would find it really cool 02:48 < uned> krzee: your answer works for one instance of openvpn as well. i was talking only about the "running multiple openvpns" part. does it add a lot of weight? 02:48 < lepine1> well, i guess one could make large 'lans' through the internet 02:49 < lepine1> and have traffic move more efficiently at times 02:49 < krzee> ohhh i see, i thought you meant 1 server taking 20 clients 02:49 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 02:49 < krzee> no idea uned 02:49 < lepine1> there's most likely some overhead to having 20 connections instead of one, given the same throughput 02:50 < lepine1> ip wise, you will be sending more on the wire, for sure 02:50 < uned> lepine1: would that make it inadvisable? 02:50 < lepine1> no, i don't think so ... we're not talking a huge amount of overhead 02:50 < lepine1> but if you want to be told running 20 clients will add overhead ... 02:51 < lepine1> i'll say sure, because just that is overhead ... 
i'm no no position to quantify how much, either network bandwith, or cpu ressources it would add though 02:51 < lepine1> but sure thing is, that it adds some 02:52 < lepine1> krzee: perhaps this mesh thing could turn out being a useful TOR 02:52 < lepine1> same principle, but useful for TCP connections ... 02:52 < krzee> *shrug* i think its not openvpn's job and its for sure nothing im interested in 02:52 < uned> lepine1: what do you mean by "sending more on the wire", like twenty connections * 100 kbps > one 2000 kbps connection just because of the separate processing/encrypting? 02:53 < lepine1> oh wait ... the IP end points would never be the same 02:53 < lepine1> krzee: i never said this would be openvpn's job ... 02:53 < lepine1> actually i would be against implementing such a feature 02:53 < lepine1> uned: yes 02:54 < lepine1> every packet has to contain source and destination and other information 02:54 < uned> don't they have to include it when over just one connection anyway>? 02:54 < lepine1> yeah ... 02:55 < lepine1> well, to send X amount of information, you have to send N packets ... 02:55 < lepine1> perhaps i was wrong in assuming that because you're splitting them up in diff pipes, that you can send the same information, in the same number of packets 02:56 < lepine1> ok, lets assume that tcp/ip overhead won't be considerable 02:56 < uned> so is there any difference between sending that information over just one connection and sending it over multiple connections if the only consideration is bandwidth? 
02:56 < lepine1> processing 20 tcp/ip connections isn't much of a big deal for anuy computer nowadays 02:57 < lepine1> no, the overhead, if any, is rather inconsiderable 02:57 < uned> this is really good 02:57 < lepine1> here's another idea 02:57 < lepine1> 1 vpn client per computer, 1 server 02:57 < lepine1> but have iptables split the packets on a range of ports 02:57 < lepine1> that will give your ISP a harder time 02:58 < uned> how can iptables do something like this by itself? 02:58 < lepine1> tha mangle table, i think 02:58 < lepine1> *the 02:58 < lepine1> (the port modification part anyway) 02:58 < uned> i mean, won't openvpn enforce one, single, connection? 02:59 < lepine1> i don't know how you could do the round robin on the ports 02:59 < lepine1> true 02:59 < lepine1> but you have iptalbes on the client split the packets over N ports 02:59 < lepine1> then the server recombine them on the same port when the come in, before being handed to the server socket 02:59 < uned> do you actually mean iptables can simply split any connection into many? that's be beyond the scope of iptables, i think 03:00 < lepine1> it would be transparent to openvpn 03:00 < lepine1> uned: that might be 03:00 < lepine1> but, if you're using udp ... 03:00 < lepine1> there's no connection 03:00 < uned> s/that's/that'd/ 03:00 < uned> oh 03:00 < uned> right 03:00 < uned> and i am 03:00 < lepine1> the question is, can iptables do a round robin kind of thing for that 03:00 < krzee> yes 03:00 < krzee> [03:56] so is there any difference between sending that information over just one connection and sending it over multiple connections if the only consideration is bandwidth? 03:01 < krzee> yes to that i mean 03:01 < krzee> there is DEFINITELY more overhead 03:01 < lepine1> krzee: due to the encryption? 03:01 < krzee> especially depending on the size of packets being xmitted 03:01 < lepine1> or tcp/ip? 
03:01 < krzee> because new headers will need to be added to EACH packet 03:01 < lepine1> krzee: yes, but the way to look at this is ... 03:01 < krzee> so if each of the 20 is sending things with small packets (ie: voip) 03:02 < krzee> even tho inside its the same BW 03:02 < lepine1> would the number of packets used to send X amount of information be the same whether it was sent on one link, or more? 03:02 < krzee> outside, large amount more 03:02 < krzee> some people have reported 1/2 speeds due to stuff like that 03:02 < krzee> and with more connections comes more headers being added, and if each of those is sending stuff in small packets... 03:02 < lepine1> yeah, but that's a limitation of tcp/ip ... not openvpn 03:03 < krzee> then it gets huge 03:03 < krzee> its not a limitation of anything 03:03 < lepine1> if your app sends small packets ... 03:03 < krzee> its a byproduct of sending packets inside tunnels 03:03 < lepine1> that not something you can control 03:04 < lepine1> well, the point of all this, is that openvpn creates additional overhead 03:04 < lepine1> basically, a second set of tcp/ip headers inside a packet 03:04 < krzee> either way, 10mbit of data going from 1 client (before the tunnel) and 10mbit of data going from 20 will be different after the tunneling 03:05 < krzee> or so i figure 03:05 < lepine1> i don't think having one or more links (vpn) would add much overhead 03:05 < lepine1> bandwidth wise 03:06 < lepine1> if you're round robin'ing plain packets onto multiple vpn links 03:06 < lepine1> you're doing the same as round robin'ing them on multiple plain links 03:07 < uned> then the best solution is to design a vpn wherein each participant is both a server (to which everybody is always connected) and a client (to everybody else's server), right? 
03:07 < lepine1> the overhead comes from the encryption 03:07 < lepine1> that would be the simplest solution i think 03:07 < lepine1> but one client cannot talk to a server it's not connected to 03:08 < lepine1> unless you do some routing tricks to pass through the server 03:08 < lepine1> or have them on the same vpn, and allow cross talking 03:08 < lepine1> which amounts to having all the connections going through the sevrver anyway, so there's still the bw problem 03:08 < uned> lepine1: which is just what ifenslave does, isn't it? 03:09 < lepine1> i never used it ... but i think all it does is combine 1+ network connections (say ethernet) into one logical interface 03:10 < uned> lepine1: oh, you didn't get it: all the possible connections are always on all the time! 03:10 < lepine1> it doesnt care about routing or anything 03:10 < lepine1> ifenslave is not the tool for you here 03:10 < lepine1> that was when dealing with multiple vpn connections to one server 03:10 < lepine1> and those would likely habe to be tap devices 03:10 < uned> not even ifenslave plus good routing? 03:12 < lepine1> ifenslave is like talking on the phone with two phones at the same time 03:12 < lepine1> but only for one conversation 03:12 < krzee> [04:07] then the best solution is to design a vpn wherein each participant is both a server (to which everybody is always connected) and a client (to everybody else's server), right? 03:12 < uned> oh 03:12 < krzee> best solution for what? 03:13 < lepine1> krzee: some peer to peer ish thing 03:13 < krzee> oh the mesh thing? 
03:13 < lepine1> well, that's where i got the idea 03:13 < uned> krzee: for (or actually instead): "so i was hoping there was some way to use the server only for doing some authentication stuff and let the clients communicate to each other for the real heavy traffic" 03:13 < lepine1> but he wants more than 2 computers on the network 03:13 < krzee> i already gave you my idea for that 03:13 < krzee> more than 2 computers is no problem, my idea works for that 03:14 < lepine1> yeah, he doesn't want to code 03:14 < krzee> on demand they negotiate peer-to-peer using the server as a middle-man 03:14 < lepine1> he wants something that works soon :P 03:14 < krzee> lol good luck 03:14 < uned> krzee: could you please paste it again, i may have not connected your answer to my question 03:14 < krzee> my answer was how someone could code it 03:14 < krzee> my idea on how it would work 03:14 < lepine1> uned: his suggestion was implementing something hard to do in code 03:14 < lepine1> not a ready made solution 03:15 < krzee> ill bbl 03:15 < lepine1> krzee: nice talking to you, quite entertaining 03:15 -!- sofh [n=patanahi@119.153.59.236] has joined ##openvpn 03:15 < lepine1> i'll most likely be gone to sleep by the time you come back 03:15 < sofh> hi all 03:15 < lepine1> hi 03:16 < sofh> need your suggestion .. 03:16 < sofh> Regarding openvpn everything is orite..Thanks to its programmers to give us such a robust application 03:16 < krzee> lepine1, right on, have a good nite 03:16 < sofh> but i have one question... 03:17 < lepine1> sofh: i'm no expert, but i'll try to help 03:17 < sofh> suppose i have around 200 pcs in our organizations and i want all of them to connect to my openvpn SERVEr..then do i have to create keys/cert for all 200 clients and manually distribute them to 200 pcs ? 03:17 < lepine1> you *could* script it 03:17 < sofh> i could script to generate 100 or 1000 keys/cert for clients ..but how to distribute them ? 
03:17 < lepine1> script, send them via scp 03:18 < sofh> still its a big job to manually sit and send all files.. 03:18 < uned> so i still don't understand why "a vpn wherein each participant is both a server (to which everybody is always connected) and a client (to everybody else's server)" is not easy and feasible both as a workaround for eliminating the (otherwise very burdened) third-party server and instead my multiple connections workaround i mentioned in the beginning 03:18 < sofh> isn't they any alternative auth method we can do ? 03:18 < lepine1> password only type of thing? 03:18 < lepine1> i believe so 03:18 < sofh> i have seen a perl script in sample scripts folder 03:19 < sofh> what i want to keep the user/pass no my db 03:19 < sofh> and let openvpn authenticate on the base of that db 03:19 < uned> s/instead/instead of/ 03:19 < sofh> in this way i will just have to drop an email with user/pwd which could be automated via some script to get the user/pwd from the db and email to relavent person 03:19 < lepine1> i don't know what authentication mecanisms openvpn supports 03:19 < lepine1> but it does PAM for sure 03:20 < lepine1> you will still need to distribute you CA.crt to all the clients 03:20 < sofh> that doesn't matter 03:20 < sofh> i have recompiled the openvpn and included Ca.crt and my client.conf in it 03:20 < lepine1> uned: it's a viable solution 03:20 < lepine1> just more complicated on the long run 03:21 < sofh> only i need an alternative method to let the users authenticate themselves with server without having cert key files on their pc 03:21 < lepine1> openvpn does password only authentication 03:21 < uned> (except between everybody and the per-connection-limited server itself, of course) 03:22 < lepine1> it's a question of how openvpn can authenticate clients 03:22 < sofh> lepine1! could you please explain what do you mean by password only ? 
03:22 < lepine1> uned: right 03:22 < uned> lepine1: please give me some examples of long-run complications 03:22 < sofh> means no username ? 03:23 < lepine1> well, without a username, you are running a big security risk 03:23 < lepine1> anyone with the ca.crt can connect 03:23 < sofh> thts why i was thinking to use some sort DB :$ 03:24 -!- betabot is now known as simplechat 03:24 < lepine1> sofh: -plugin module-pathname [init-string] 03:24 < lepine1> on http://www.openvpn.net/index.php/documentation/manuals/openvpn-21.html 03:24 < vpnHelper> Title: OpenVPN 2.1 (at www.openvpn.net) 03:24 < lepine1> mentions running a function for authentication 03:25 < lepine1> then this: --auth-user-pass-verify script method 03:25 < sofh> lepine1: ok let me check it... 03:25 < krzee> [04:18] still its a big job to manually sit and send all files.. 03:25 < krzee> scp them to a https server 03:25 < krzee> tell clients where they can get theirs 03:25 < lepine1> true enough 03:28 < sofh> i will try to do in a way i want , if not possible then i will DO as its possible :) 03:28 < sofh> simple :) 03:33 -!- huslu_ is now known as huslu 03:44 -!- Wachert [n=wachert@p3EE2FCB1.dip.t-dialin.net] has joined ##openvpn 04:02 < lepine1> sofh: http://www.eurephia.net/ 04:02 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 04:02 < lepine1> support mysql/postgres 04:05 -!- Administrat [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has joined ##openvpn 04:06 -!- Administrat is now known as TAG 04:06 -!- TAG is now known as Administrat 04:07 -!- Administrat is now known as Tagger 04:07 -!- Tagger is now known as Intheblue 04:09 < Intheblue> who #Intheblue 04:11 -!- Intheblue [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has quit ["good night"] 04:33 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Connection reset by peer] 04:35 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 04:45 -!- Lilarcor 
[n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 05:06 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)] 05:07 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has joined ##openvpn 05:17 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn 05:18 < vadi01> can someone tell me how to install a vpn server in centos 5.3? 05:19 < lepine1> yum install openvpn ? 05:19 < lepine1> i'm on debian, so that was a wild guess 05:20 < vadi01> lepine1: ok but using openvpn, it is kind of complicated to connect users from windows... 05:20 < lepine1> there is openvpn gui 05:20 < vadi01> lepine1: is there any simple way like as it was using the pptpd server 05:20 < lepine1> still not completely idiot-proof, but much better than command line tools 05:32 -!- vadi01 [n=vadi01@81.18.134.61] has left ##openvpn ["Leaving"] 05:33 -!- sofh [n=patanahi@119.153.59.236] has quit [] 05:42 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has left ##openvpn [] 05:48 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn 05:49 < vadi01> lepine1: you still there? 05:49 < vadi01> how can i use openvpn to use only pap authentication? 05:50 < krzee> pap = ? 05:51 < vadi01> yea as in without encryption 05:51 < vadi01> i just want my clients connecting to the server...via dialup vpn 05:56 < krzee> you got it listening to a dialup device? 05:56 < krzee> no encryption is easy, dont put a secret statement or certs 05:56 < krzee> but it should only listen to a tun or tap device 06:00 < vadi01> ok. so in the client side no need for certificates yea? 06:00 < vadi01> all they need to do is just connect to the server via vpn dial up? 06:02 < uned> krzee: how can i create client keys client-side *without* transferring ca.key, but only ca.crt? 
06:02 < uned> krzee: from the server 06:05 < krzee> ca.key never leaves the CA machine 06:06 < krzee> and the client can only make a csr 06:06 < krzee> the CA machine signs it 06:06 < krzee> thats what turns it into a crt 06:06 < uned> krzee: what is the openvpn tool that i have to use in order to "turn" the csr into the crt? 06:07 < uned> krzee: i guess it's one of the tools in easy-crypt/, but i don't know which one 06:07 < uned> krzee: nor do i know the syntax 06:36 < uned> krzee: are you still there? 06:57 < uned> krzee: or not? 07:12 -!- uned [i=uned@gateway/tor/x-e84019702922f89e] has quit [Remote closed the connection] 07:15 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 07:26 -!- vadi01 [n=vadi01@81.18.134.61] has quit [Read error: 104 (Connection reset by peer)] 07:26 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn 07:33 -!- uned [i=uned@gateway/tor/x-149bb1d680ae5d5f] has joined ##openvpn 07:49 -!- Wachert [n=wachert@p3EE2FCB1.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"] 07:55 -!- uned [i=uned@gateway/tor/x-149bb1d680ae5d5f] has quit [Remote closed the connection] 07:59 -!- uned [i=uned@gateway/tor/x-bef2d113b0306aea] has joined ##openvpn 07:59 < uned> krzee: i was disconnected, did you answer in the meantime? 08:02 -!- zheng [n=zheng@114.92.139.29] has joined ##openvpn 08:03 -!- antii [n=unknown@unaffiliated/antii] has joined ##openvpn 08:04 < antii> hello 08:04 < antii> is it possible to set up a NAT on the computer that is connected to the VPN so i can connect threw it on another computer (lan)? 08:04 < antii> so like two computers share traffic 08:08 < zheng> it is possible. 08:08 < antii> but i havent found a guide for it :S 08:08 < zheng> the others pc gateway to it. 08:09 < uned> zheng: what openvpn easy-rsa/ tool should i use to turn a key request into a key? 08:09 < antii> zheng: you got experience of this? 
08:10 < zheng> uned, there are detail step by step in the HOWTO 08:11 < uned> zheng: that's precisely not true 08:11 < uned> zheng: that's the very missing thing 08:11 < antii> zheng: lets say i have my vpn on my server (running linux) and wanna connect through it from my workstation (windows) 08:11 < zheng> antii, no, I don't test it, but I know it is possible. 08:11 < antii> that is possible right? 08:11 < uned> zheng: frustratingly so 08:12 < antii> sec 08:12 < antii> zheng: but then i just set the gateway manually 08:12 < antii> must try this 08:13 < zheng> antii, you can set the route manually 08:13 < antii> zheng: but do i even need openvpn then? 08:13 < antii> on my workstation 08:14 < zheng> no, 08:15 < antii> nice 08:15 < antii> just use the cmd right 08:15 < zheng> the top like this: pc ---> gateway/openvpn ====/ssl/====> other vpn endpoint 08:15 < antii> yes 08:16 < antii> now i only have to set up nat on the server ;:p 08:21 < uned> zheng: what openvpn easy-rsa/ tool should i use to turn a key request into a key? 08:21 < zheng> a minute, 08:21 < uned> zheng: sorry, i just resent it, i didn't mean it only for you 08:22 < zheng> I'l check it for you. 08:24 < zheng> ./build-req mycert 08:24 < zheng> ./sign-req mycert 08:24 < zheng> ./build-key mycert 08:24 < zheng> the 3 steps can help you generate a mycert.cer/.key 08:28 < uned> zheng: thank you. however, i know these, it's just that they work only on the signing machine (i.e. the machine that has ca.key). 08:29 < uned> zheng: how do i get it signed client-side? 08:30 < zheng> ? 08:30 < zheng> The cert has been a signed key. 08:30 < uned> zheng: i would need your question to be a little more specific. :) 08:30 < zheng> for server, also for clients; 08:31 < uned> are you implying all i need to transfer from the server to the client is ca.crt? 08:33 < krzee> you can only sign it on the ca machine 08:33 < krzee> i said this like 3 times earlier 08:33 < krzee> you really dont get it? 
08:33 < krzee> [07:05] ca.key never leaves the CA machine 08:33 < krzee> [07:06] and the client can only make a csr 08:33 < krzee> [07:06] the CA machine signs it 08:33 < krzee> [07:06] thats what turns it into a crt 08:35 < uned> krzee: i would *love* to sign it on the ca machine, but i don't know how. could you please tell me how? 08:35 < krzee> by reading the howto 08:35 < krzee> !howto 08:35 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:35 < krzee> its plainly spelt out there 08:36 < krzee> zheng went to the howto and pasted the commands 08:36 < uned> zheng: that's precisely not true. and i've read the how-to THOROUGHLY. 08:36 < uned> krzee: those commands only work on the ca machine, don't you understand? 08:36 < krzee> THEN DO IT ON THE CA MACHINE! 08:36 < krzee> lol 08:36 < zheng> easy-rsa is a simple CA. 08:36 < krzee> and send the client what they need 08:36 < krzee> zheng, i agree, but prefer ssl-admin 08:36 < uned> krzee: i don't have the slightest intention to generate my client key on the ca machine just because the how-to is unrealistic! 08:36 < krzee> !ssl-admin 08:36 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 08:37 < krzee> the howto is very realistic, many use it without problem 08:37 < krzee> ive used the method in the howto MANY times 08:37 < zheng> yes, I agree with krzee 08:37 < uned> krzee: how can i use a server-created key on the client? 08:38 < krzee> !mitm 08:38 < uned> krzee: (without transferring it, that is!) 
08:38 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 08:38 < krzee> ohh 08:38 < krzee> without transfering it?> 08:38 < krzee> are you drunk? 08:38 < uned> krzee: oh! 08:38 < uned> krzee: now i get it! 08:39 < krzee> i misunderstood the question at first, ignore !mitm 08:39 < krzee> The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel. 08:39 < uned> krzee: so what you're implying is either ca.key or client.key has to be transferred no matter what, only it's more secure to transfer client.key. is that right? 08:39 < krzee> didnt you read that thoroughly? 08:40 < krzee> read the table above what i just posted 08:40 < krzee> READ THE HOWTO 08:40 < krzee> http://openvpn.net/howto.html#pki 08:41 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 08:41 < krzee> there i dug the direct link to the section out of the source for you 08:41 < uned> krzee: i read it thoroughly, but bathed in wishful thinking 08:41 < krzee> since you read it so thoroughly im sure you know all of that and are only asking what it plainly says for fun 08:41 < uned> krzee: so please answer my latest question. i know the table by heard, and then more accurately. i only need a confirmation that a .key would eventually have to be transferred, no matter what. 08:42 < krzee> you said "only a key" earlier 08:42 < krzee> pay attention to the table 08:42 < uned> krzee: i just need a confirmation that a .key has to be transferred no matter what. 08:42 < uned> krzee: which would be understandable 08:42 < krzee> whatever it says a client needs, needs to be transfered 08:42 < krzee> why must i repeat what the howto says? 
08:42 < uned> krzee: i know, but they promise i could generate everything on the client 08:42 < krzee> The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel. 08:42 < krzee> The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel. 08:42 < krzee> right below a table saying that the key must goto the client 08:43 < uned> krzee: i know, but they promise i could generate everything on the client 08:43 < krzee> no 08:43 < krzee> you can generate the client key and csr there 08:43 < krzee> but until you have a clue how these scripts work, dont 08:43 < krzee> learn, then use 08:44 < uned> are you advising me not to generate the client key client-side? 08:44 < krzee> not until you are capable of doing it 08:45 < krzee> for now, follow the howto 08:45 < uned> i am capable: all i need to do is copy ca.crt and ca.key. but i don't like it. i want to use some openvpn-maintained secure channel to send a signing request. 08:45 < krzee> maybe even figure out what the openssl commands in those scripts do 08:45 < krzee> how the hell will you send the signing request over openvpn? 08:45 < uned> krzee: figuring out what i need to do is exactly why i'm asking you a simple question for which i'm sure there's a simple answer 08:45 < krzee> if you have openvpn up you dont need the signing request sent 08:46 < uned> krzee: no 08:46 < uned> krzee: i was hoping the client would just try to connect and the server would ask me something to the effect of "should i accept to sign this client's key?" 08:46 < uned> krzee: i don't find it very sci-fi. do you? 08:47 < krzee> lol 08:47 < krzee> yes 08:47 < krzee> very 08:47 < krzee> do you happen to run windows? 
08:47 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 08:48 < uned> i don't see why, as long as i know what i'm doing and who's connecting. like this, mitm is always an issue. 08:48 < krzee> whatever 08:48 < krzee> *back to idle* 08:48 < uned> this would be a normal feature 08:48 < uned> and useful 08:49 < uned> why would openvpn depend on ssh? 08:49 < uned> it wouldn't be the first time in the history of cryptography that an application is self-sufficient. i know it's tricky, but ssh is tricky too. everything is tricky. i'm only talking about the feature itself, not about misusing it. 09:01 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit ["leaving"] 09:01 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 09:02 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 09:10 -!- vadi01 [n=vadi01@81.18.134.61] has quit [Read error: 110 (Connection timed out)] 09:15 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 09:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:56 -!- antii [n=unknown@unaffiliated/antii] has quit [Read error: 54 (Connection reset by peer)] 10:08 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn 10:10 -!- vadi01 [n=vadi01@81.18.134.61] has left ##openvpn ["Leaving"] 10:26 -!- solexious|netbk [n=solexiou@89.193.183.199] has joined ##openvpn 10:26 < solexious|netbk> !howto 10:26 < vpnHelper> solexious|netbk: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:29 < solexious|netbk> Hello, I'm reading through the how to but wonder if some one can point me in the right direction with what path of setup I need to follow? My server is on a 192.168.5.0/24 network and I want any connecting clients to be given an ip from 192.168.5.50-60 as if they were another physical box on the network. Would this be bridged or routed? 
11:05 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 11:13 < uned> krzee: i've thought it through and you're really making no sense. i guess you just have to find my idea ridiculous or else you're next. 11:16 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 11:19 < M06w> taking a computer running a single 2.7GHz processor with 512mb ram, an average integrated 10/100 network card, and windows server 03 as basis, how many separate vpns should I be able to run comfortably? 11:19 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 11:31 < krzee> or else im next what? 11:31 < krzee> M06w, no clue 11:31 < krzee> uned, "you just have to find my idea ridiculous or else you're next." 11:31 < uned> krzee: to claim the title :) 11:31 < krzee> im next what...? 11:31 -!- mode/##openvpn [+o krzee] by ChanServ 11:31 -!- mode/##openvpn [+b *!*i=uned@*gateway/tor/x-bef2d113b0306aea] by krzee 11:31 -!- uned was kicked from ##openvpn by krzee [krzee] 11:32 <@krzee> title that 11:32 -!- mode/##openvpn [-o krzee] by krzee 11:38 < solexious|netbk> nice 11:49 < solexious|netbk> !route 11:49 < vpnHelper> solexious|netbk: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:18 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection] 12:33 < reiffert> When kicking people on IRC I'd really like to see a valid kick reason ... 
12:36 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)] 12:36 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has joined ##openvpn 12:37 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)] 12:37 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has joined ##openvpn 12:40 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 12:42 < epaphus> hello all 12:42 < M06w> hellow epap 12:59 -!- azaghal [n=azaghal_@mail.netset.co.yu] has joined ##openvpn 12:59 < azaghal> !howto 12:59 < vpnHelper> azaghal: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:59 < azaghal> !topology 12:59 < vpnHelper> azaghal: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 13:00 < azaghal> !iporder 13:00 < vpnHelper> azaghal: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 13:01 < azaghal> Hello, can anyone point me to (or explain) the "update" event in case of --learn-address directive? 13:11 < solexious|netbk> Hello, I'm reading through the how to but wonder if some one can point me in the right direction with what path of setup I need to follow? My server is on a 192.168.5.0/24 network and I want any connecting clients to be given an ip from 192.168.5.50-60 as if they were another physical box on the network. Would this be bridged or routed? 13:12 < solexious|netbk> I believe its bridged? 
13:50 < azaghal> solexious|netbk: Either 13:51 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 13:51 < solexious|netbk> azaghal, oh 13:53 -!- azaghal [n=azaghal_@mail.netset.co.yu] has quit [Read error: 60 (Operation timed out)] 14:12 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)] 14:13 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has joined ##openvpn 14:16 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)] 14:18 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn 14:18 < Flumdahl> anyone here that has a working server.conf with shaper ? 14:18 -!- unix3_ [n=unix3@ip249-10.ct.co.cr] has joined ##openvpn 14:39 < reiffert> Flumdahl: shaper as in lartc.org? 14:39 < Flumdahl> reiffert: shaper as bandwidth limit some users 14:40 < Flumdahl> in the config files for openvpn 14:40 < Flumdahl> reiffert: i wanna bw limit some ips 14:43 < reiffert> Flumdahl: I could paste you some lines of the manpage, but I guess that's what you've seen already? 14:47 < Flumdahl> reiffert: yes, i dont get it to work as it should. if i have the shaper line in my server config it wont setup the routes :S 14:48 < Flumdahl> it wont work even if you write route commands manually in cmd in windows for example 14:51 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 14:54 -!- unix3_ [n=unix3@ip249-10.ct.co.cr] has quit [Client Quit] 15:02 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 15:03 < reiffert> Flumdahl: awful! 15:03 < reiffert> Flumdahl: 2.1rc15? 15:03 < reiffert> !shaper 15:03 < vpnHelper> reiffert: Error: "shaper" is not a valid command. 15:04 < reiffert> Flumdahl: what did you set the shaper value to? 15:05 < Flumdahl> to 1 mbit 15:05 < reiffert> like in "1 mbit" or more like "123456789"? 
15:07 < Flumdahl> shaper 131072 15:07 < Flumdahl> 131 072 byte is 1 megabit 15:07 < reiffert> right, bytes per sec. 15:08 < reiffert> did you try different settings? change mtu? 2.1rc15? 15:10 < Flumdahl> its openvpn 2.0.9 15:10 < reiffert> update && report back 15:12 < ecrist> good afternoon, fuckers 15:52 < reiffert> welcome back my sweet little pussy 15:55 < Bushmills> reeks of plenty of pheromones here 15:55 < reiffert> reeks sounds like netherlands 15:56 < Bushmills> that's "ruiken" 15:59 < reiffert> rieken in belgium 15:59 < Bushmills> in fact, there is a dutch word "reeks" but that has a different meaning: "sequence" 16:00 -!- solexious|netbk [n=solexiou@89.193.183.199] has quit [Remote closed the connection] 16:10 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 16:10 < reiffert> Flumdahl: works with 2.1rc15? 16:11 < reiffert> OpenVPN 2.0.9 -- released on 2006.10.01 (Change Log) 16:12 < Flumdahl> i solved it with a script . :d 16:12 < reiffert> ? 16:14 < reiffert> ?? 16:16 < reiffert> please give us more details on that 16:26 < troy-> krzie, around? 
16:52 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)] 16:52 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has joined ##openvpn 16:55 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 16:56 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has joined ##openvpn 17:01 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection] 17:01 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 17:12 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 17:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:48 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has joined ##openvpn 18:03 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"] 18:09 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 18:09 < epaphus> hello guys, I have now successfully installed my openVPN client on ubuntu... 18:10 < epaphus> but its not applying the push DNS :( .. any suggestions 18:10 < epaphus> the push dns parameter is recorded in the server.conf 18:13 < epaphus> is it maybe because I put the push DNS options at the last line of the server.conf ? 18:13 < epaphus> would it help to put it in the client.conf? 
18:15 < epaphus> brb 18:15 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Remote closed the connection] 18:27 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has joined ##openvpn 18:27 < boris_ag> !logs 18:27 < vpnHelper> boris_ag: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 18:27 < boris_ag> !configs 18:27 < vpnHelper> boris_ag: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:28 < boris_ag> !howto 18:28 < vpnHelper> boris_ag: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 18:28 < boris_ag> !iporder 18:28 < vpnHelper> boris_ag: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 18:28 -!- at1z0r [i=at1z0r@gateway/shell/rootnode.net/x-a4a853c981c6e79a] has joined ##openvpn 18:29 < at1z0r> hi guys 18:29 < at1z0r> http://dpaste.com/32496/ 18:30 < at1z0r> and can't ping anything 18:30 < at1z0r> simply doesn't work :) 18:30 < at1z0r> using arch linux 18:32 < boris_ag> hello - I'm having this problem that appears in openvpn FAQs: "I can ping through the tunnel, but any real work causes it to lock up. Is this an MTU problem?" 
18:32 * ecrist guesses firewall 18:32 < ecrist> boris_ag: usually 18:32 < ecrist> !mtu 18:32 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 18:32 < boris_ag> tried with different MTU but no success 18:33 < boris_ag> also. several other coworkers uses default 1500 and works fine for them, using the same server and the same openvpn client version 18:33 < at1z0r> !logs 18:33 < vpnHelper> at1z0r: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 18:33 < at1z0r> !configs 18:33 < vpnHelper> at1z0r: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:37 -!- solexious [n=solexiou@80-41-109-207.dynamic.dsl.as9105.com] has joined ##openvpn 18:39 < solexious> Hia, tried to setup my server using the official how to for bridging but doing this makes my eth lose connection, any idea how I can stop this? 18:39 < at1z0r> same here, but on client side ;p 18:41 < solexious> hehe, dam :) 18:42 < solexious> The how to seems great, just think I need a few bits to click in my head for me to follow it correctly 18:43 < at1z0r> :) 18:46 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has quit [] 18:47 < troy-> i have a bug complaint 19:17 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 19:32 -!- at1z0r [i=at1z0r@gateway/shell/rootnode.net/x-a4a853c981c6e79a] has left ##openvpn ["EKG2 bejbi! 
http://ekg2.org/"] 19:35 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 19:47 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has joined ##openvpn 19:48 < boris_ag> hi guys - having problems with MTU size and found 1500 is the optimal (1472+28), but getting this on vpn client side: "Data Channel MTU parms [ L:1544 D:1428 EF:44 EB:135 ET:72 EL:0 AF:3/1 ]".. is that 1544 correct ? 19:55 < boris_ag> !mtu 19:55 < vpnHelper> boris_ag: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 20:00 < boris_ag> if MTU needs to be changed, is just enough to change it with mssfix or do I have to modify the mtu size of the tap interface ? 20:00 < boris_ag> as well 20:24 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:26 < reiffert> the former 20:33 -!- aluis_ [n=aluis@g227126172.adsl.alicedsl.de] has joined ##openvpn 20:46 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has quit [Read error: 104 (Connection reset by peer)] 20:47 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has joined ##openvpn 20:51 -!- aluis__ [n=aluis@g227114042.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 21:07 -!- nubcake [n=gab@c-75-73-8-45.hsd1.mn.comcast.net] has joined ##openvpn 21:08 -!- eedk [n=eed@berlin.perfect-privacy.com] has joined ##openvpn 21:08 < nubcake> Im having a problem running build-dh command on both a vista 64bit machine, and on a winXP machine. it just borks out while its creating all the dots with error, unable to write 'random state' anyway to fix this ? 21:09 < eedk> could anyone tell me where i could find a listing of good openvpn services? google just isnt working for this one. 
21:14 < reiffert> nubcake: http://www.google.de/search?hl=de&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=6Kr&q=openvpn+unable+to+write+random+state&btnG=Suche&meta= 21:14 < vpnHelper> Title: openvpn unable to write random state - Google-Suche (at www.google.de) 21:14 < reiffert> eedk: services as in? 21:15 < eedk> as in providers 21:15 < reiffert> what shall they provide? 21:16 < reiffert> please place an example for me, it just beats me. 21:16 < eedk> a vpn 21:16 < eedk> an openvpn vpn 21:16 < nubcake> reiffert: i know how to use google, I wouldnt be here if I didnt. that gives no info on building keys within a windows environment. 21:16 < reiffert> hrmn. I've never heard about people offering openvpn servers for the use of 3rd party people. 21:17 < eedk> well then you obviously cant help me. thanks though. 21:17 < reiffert> nubcake: I'm sorry but I'm not a windows user. Try the openvpn mailinglist is all I can give you now. 21:17 < reiffert> eedk: same goes to you, openvpn mailinglist. 21:18 < eedk> oh 21:21 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has quit [Read error: 110 (Connection timed out)] 21:34 < krzee> [22:16] reiffert: i know how to use google, I wouldnt be here if I didnt. that gives no info on building keys within a windows environment. 21:34 < krzee> the howto does 21:35 < krzee> its the same easy-rsa package 21:39 < nubcake> krzee: yea I know but there is no help anywhere in regards to a windows box giving a unable to write 'random state' error when compiling keys. 21:42 < nubcake> its ok i used my debian box to build the keys, just kinda silly thats what i have to do 21:49 < troy-> krzee, how can i make openvpn output status without writing to a logfile? 
21:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 21:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:59 < krzee> \ 22:27 < troy-> sup krzee 22:43 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 22:45 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has quit [Client Quit] 23:18 < troy-> why isnt the latest openvpn version in the dag repo? 23:21 -!- nubcake [n=gab@c-75-73-8-45.hsd1.mn.comcast.net] has quit ["(I was using ) Version:(2.04) Wasted:(2 Hours 14 Minutes and 3 Seconds Online)"] 23:28 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 23:59 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn --- Day changed Mon Apr 13 2009 00:50 -!- eedk [n=eed@berlin.perfect-privacy.com] has quit [Read error: 110 (Connection timed out)] 01:11 -!- uned_back [i=uned@gateway/tor/x-ebe3403c5bd6a687] has joined ##openvpn 01:11 -!- uned_back [i=uned@gateway/tor/x-ebe3403c5bd6a687] has left ##openvpn ["Leaving"] 01:11 -!- uned_back [i=uned@gateway/tor/x-ebe3403c5bd6a687] has joined ##openvpn 01:12 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn 01:12 < uned_back> how do i generate the client key on the client instead of on the server machine? 01:12 < tjz> u have to generate on the server machine 01:12 < tjz> no way you can self-generate on client side 01:13 < uned_back> tjz: why is sending a request and receiving the key from the server more secure than simply receiving a server-generated key from the server? 01:14 < uned_back> tjz: don't they both involve transferring the key from the server? 01:24 < uned_back> tjz: from the how-to: "Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel? The answer is ostensibly yes. ...." 
01:25 < uned_back> tjz: this would make it necessary to only receive a certificate, no key 01:31 < uned_back> this "submit" word from "and then submit a Certificate Signing Request (CSR) to the key-signing machine" makes it look like there's some scripted way to do it, not like i have to send some request file manually and run the scripts manually on the server and then transfer the certificate file manually back to the client. so "submit" either is confusing or i still don't understand it. 01:47 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 110 (Connection timed out)] 01:47 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 01:50 < dan__t> Generate a csr, and sign it? 01:52 < uned_back> dan__t: you mean "send the csr file to the server, then have the server generate a signed certificate (file), then send the signed certificate file back to the client", right? 01:52 < dan__t> Not in those exact words, but yes. 01:52 < dan__t> Do you know how TLS, PKI etc etc work? 01:53 < uned_back> dan__t: for stylistic reasons, or are there any inaccurate terms? 01:54 < dan__t> what 01:54 < dan__t> No, that's accurate. 01:54 < uned_back> "not in those exact words" 01:54 < uned_back> oh, good 01:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:54 < dan__t> Generate the mofscking crt on the client, send it to the server, sign it, send it back to the client. 01:54 < dan__t> And go nuts. 01:55 < dan__t> Don't be a tool and quote me on everything I say. I'll tell you enough to get started and mop it up on your own. 01:55 < dan__t> http://openvpn.net/index.php/documentation/howto.html#pki 01:55 < vpnHelper> Title: HOWTO (at openvpn.net) 01:55 < dan__t> Look at the matrix towards the bottom of that section. 01:58 < uned_back> dan__t: you're saying i should send the .crt file to the server. but shouldn't i send the .csr one? 
02:03 -!- mode/##openvpn [+o krzee] by ChanServ 02:03 -!- mode/##openvpn [+b *!*uned@*tor*] by krzee 02:04 -!- uned_back was kicked from ##openvpn by krzee [didnt i ban you?] 02:04 < dan__t> What a fucking tool. 02:04 -!- mode/##openvpn [-b *!*i=uned@*gateway/tor/x-bef2d113b0306aea] by krzee 02:04 < dan__t> tjz, you can generate the csr on the client. 02:07 <@krzee> seriously dan 02:07 <@krzee> [12:31] uned, "you just have to find my idea ridiculous or else you're next." 02:07 <@krzee> [12:31] krzee: to claim the title :) 02:07 <@krzee> [12:31] im next what...? 02:07 <@krzee> [12:31] >chanserv< op ##openvpn 02:07 <@krzee> haha 02:07 <@krzee> besides 02:08 <@krzee> that guy has been asking the same fucking simple question (and been answered over 10 times) for over a day 02:08 < dan__t> heh 02:08 <@krzee> even without him mouthing off trying to threaten that should be enough for a ban, lol 02:08 < dan__t> kewl.... just made a function in PHP to maintain a CRL from MySQL... 02:08 -!- mode/##openvpn [-o krzee] by krzee 02:08 < dan__t> Man I need some new music. 02:08 < dan__t> Already wore out that new Prodigy album 02:09 < krzee> damn prodigy still makes new albums? 02:09 < dan__t> and that Cage The Elephant album 02:09 < dan__t> Yeah, just came out a few days ago I think. 02:09 < krzee> last i listened to was smack my bitch up 02:09 < dan__t> Fat of the Land... still a great one heh 02:09 < krzee> (which by the way is still the best video of all times) 02:09 < dan__t> Indeed. 02:09 < dan__t> Total mindfuck. 02:10 < dan__t> Let's see what TPB has... 02:10 < dan__t> Dude I'm going to go out and visit you. 02:10 < dan__t> For like a month. 02:10 < dan__t> ok? 02:10 < dan__t> And we're going to wreck some vacationing sluts. 02:10 < krzee> not sure if you wanna really 02:11 < krzee> i dont live near water and i work a lot 02:11 < dan__t> why not 02:11 < dan__t> why not, you live in the Bahamas and don't live near the water? 
02:11 < krzee> lol, well an hour away 02:11 < krzee> but not like on it 02:11 < dan__t> what do you do for work anyway 02:11 < dan__t> cabana boy? 02:11 < krzee> granted i cant live TOO far away from it 02:12 < krzee> nah im an international spy ;] 02:12 < dan__t> Ok, 006 02:12 < krzee> 0069 actually 02:13 < theDoc> Hello all :) 02:13 < theDoc> Seems like a good time to drop in. 02:13 < reiffert> moin 02:13 < krzee> whats up doc 02:13 < krzee> (pls use bugg bunny voice) 02:14 < dan__t> heh 02:14 < krzee> buggs 02:14 < dan__t> Bugs 02:14 < theDoc> hehe 02:14 < dan__t> I met Chuck Jones when I was like 5 02:14 < theDoc> How is everyone doing today? 02:15 < dan__t> My dad bought a few cells that he made right there on the spot and autographed them for me 02:15 < dan__t> They're pretty bad-ass 02:15 < krzee> good, cant wait for the computer store to open 02:15 < krzee> i need some sata dvd burners 02:15 < krzee> turns out i couldnt load osx86 cause of my IDE chipset 02:15 < theDoc> I need a few more clusters of servers around the globe to balance out vpn traffic. 02:15 * theDoc dances. 02:15 < dan__t> oh speaking of 02:16 < dan__t> krzee, can you make me a jail or something on that which I can use 02:16 < dan__t> I need an osx machine to fuck around with tunnelblick on 02:16 < krzee> i cant cause its local, but you can load osx86 =/ 02:17 < dan__t> wtf 02:17 < dan__t> i'll just vpn in 02:17 < dan__t> .. 02:17 < krzee> negative ghost rider 02:17 < dan__t> i'm going to murder you like Goose 02:17 < krzee> werd 02:17 < theDoc> Apparently, some of us are old enough to remember top gun ;) 02:17 < theDoc> Man, I feel old now. 02:18 < theDoc> When Val Kilmer was hot ;p 02:18 < krzee> lol 02:18 < krzee> dude 02:18 < theDoc> iceman was the shit. 
02:18 < krzee> i found out last night a guy i know from a hacking group was born when i was already on irc 02:18 < krzee> THAT made me feel old 02:18 < theDoc> lol 02:19 < dan__t> So, let me get this straight 02:19 < theDoc> krzee: By hacking, you mean stuff like hackintosh? 02:19 < dan__t> You're a bunch of old dudes? 02:19 < theDoc> or exploiting servers for a living? ;p 02:19 < krzee> dan, im 27 02:19 < krzee> theDoc, *shrug* 02:19 < krzee> lets just say the kid has skills 02:19 < krzee> and was born when i was already on efnet 02:20 < dan__t> Don't feel bad. 02:20 < dan__t> I'm 25. 02:20 < dan__t> heh 02:20 < krzee> nah i dont, it was just a lil mindfuck 02:20 < theDoc> In all honesty, I have no idea how do you guys get into exploiting systems. I could dance around and write firewall rules but besides that, I have nfi how to be breaking in ;p 02:21 < theDoc> and I take my hat off to those who can. 02:21 < dan__t> I literally tracked down some dude and kicked his ass for doing it. 02:21 < dan__t> Found out that he lived in Denver, too. 02:21 < theDoc> dan__t: >_>;; 02:22 < dan__t> Felt goooooooood 02:22 < dan__t> heh 02:22 < theDoc> dan__t: Care to share how you did it? 02:23 < dan__t> Got lucky. The dude actually used to work for a customer of ours. 02:23 < dan__t> I cheated. 02:23 < theDoc> Oh, figures. 02:23 < theDoc> dan__t: Backtracking, call a couple of people? ;p 02:23 < dan__t> Yep. 02:24 < krzee> http://ircpimps.org/prank/ 02:24 < vpnHelper> Title: Index of /prank (at ircpimps.org) 02:24 < theDoc> dan__t: Without cheating, is that possible? 02:24 < krzee> that was when bionic took over #RNS on efnet 02:24 < dan__t> I'm sure it is. 02:25 < krzee> i got ahold of his dox and started calling his family 02:25 < theDoc> krzee: How on earth do you guys do that is beyond me 02:25 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn 02:26 < mf_417> Hi 02:26 < mf_417> how can I change default "--script-security" of openvpn? 02:26 < krzee> hey! 
02:26 < mf_417> ping
02:26 < mf_417> how can I change default "--script-security" of openvpn?
02:26 < krzee> umm
02:26 < krzee> by using the command script-security
02:26 < krzee> followed by the level to set it to
02:27 < mf_417> and where is this command?
02:27 < krzee> where does it go or where is it documented?
02:27 < dan__t> man openvpn
02:27 < dan__t> Its right there
02:27 < krzee> aye it is
02:28 < krzee> !man
02:28 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:28 < dan__t> krzee, i start beta on Thursday
02:28 < krzee> beta what?
02:28 < dan__t> of my shit.
02:28 < krzee> oh cool
02:28 < dan__t> jeah.
02:28 < mf_417> tanx
02:29 < krzee> of your db based cert management system?
02:29 < krzee> you gunna allow it to also keep them in flat files?
02:29 < dan__t> No.
02:29 < dan__t> I'm tying it in to WHMCS right now
02:30 < krzee> ahh cool
02:31 < krzee> [03:24] that was when bionic took over #RNS on efnet
02:31 < krzee> btw that was 12 years ago
02:32 < dan__t> This song is bad-ass
02:32 < dan__t> Aquabats - Super Rad
02:32 < theDoc> 12 years ago :o
02:32 < krzee> just wanted to make it clear that it was when i was a youngster
02:33 < krzee> i wouldnt be harassing families over the takeover of an IRC channel anymore
02:33 < mf_417> krzee: Ok, it works fine
02:34 < mf_417> I must change /etc/init.d/openvpn ?
02:34 < krzee> cool, glad to hear
02:34 < krzee> no, why would you?
02:34 < mf_417> I must automate update-resolv-conf process on clients
02:34 < mf_417> I use a script for this purpose
02:34 < mf_417> and openvpn denies running external scripts by default
02:35 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit ["bbl"]
02:35 < krzee> ok, you just put that in the config without the --
02:35 < mf_417> I changed etc/init.d/openvpn and added --script-security 2 --dev tap0 and now it works fine
02:35 < krzee> and booya
02:35 < krzee> (kinda like all config options)
02:37 < mf_417> tanx alot, it works fine
02:39 < dan__t> krzee, how's your MySQL?
02:39 < krzee> only used it 1x
02:40 < dan__t> hm
02:44 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 110 (Connection timed out)]
02:45 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
02:45 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn []
02:48 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has joined ##openvpn
03:09 < dan__t> ok, codeine is kicking my ass... later.
03:17 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn
03:28 -!- azaghal [n=azaghal_@217.24.18.195] has joined ##openvpn
03:28 -!- azaghal is now known as Guest19001
03:35 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has quit ["Konversation terminated!"]
04:14 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
04:14 < onats> hello
05:04 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 60 (Operation timed out)]
05:06 -!- zheng_ [n=zheng@114.92.139.29] has joined ##openvpn
05:11 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
05:18 -!- mtoledo`` [n=user@189.102.205.95] has quit [Read error: 60 (Operation timed out)]
05:18 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
05:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:21 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
05:25 -!- zheng [n=zheng@114.92.139.29] has quit [Read error: 113 (No route to host)]
05:28 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
05:43 -!- theDoc [n=andelyx@bb220-255-184-252.singnet.com.sg] has joined ##openvpn
05:45 -!- theDoc [n=andelyx@bb220-255-184-252.singnet.com.sg] has quit [Client Quit]
05:45 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
05:57 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has quit ["Ex-Chat"]
07:09 -!- VeXocide [i=vexocide@snail.stack.nl] has joined ##openvpn
07:10 < VeXocide> hi, when i set up a tunnel to a friend the interface gets an ipv6 link and global address
07:11 < VeXocide> but then a default route is added via the link address for ipv6, instead of the global, might anyone have a clue as to why ?
07:11 < VeXocide> -e
07:19 -!- Guest19001 [n=azaghal_@217.24.18.195] has quit ["I'm leaving"]
07:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
08:05 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
08:06 -!- zheng [n=zheng@114.92.138.88] has joined ##openvpn
08:11 -!- Kevin` [n=kevin@etmalec.net] has joined ##openvpn
08:11 < Kevin`> hey
08:12 < Kevin`> should I specify a push route AND route for a subnet which is connected at one of the clients?
08:15 < reiffert> !route
08:15 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:20 < Kevin`> <3
08:21 < Kevin`> nice and complete
08:22 < Kevin`> although fwiw "yes" would have worked ;D
08:23 -!- zheng_ [n=zheng@114.92.139.29] has quit [Read error: 110 (Connection timed out)]
08:34 < reiffert> crystal ball broken
08:53 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
09:00 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: isox, dazo_gone, Bushmills, karlpinc
09:00 -!- karlpinc [n=kop@69.17.73.250] has joined ##openvpn
09:00 -!- isox [n=dacurmud@209.144.31.10] has joined ##openvpn
09:00 -!- dazo_gone [n=dazo@62.40.79.66] has joined ##openvpn
09:00 -!- Bushmills [n=nnnnnl@verhau.de] has joined ##openvpn
09:02 -!- Irssi: ##openvpn: Total of 62 nicks [0 ops, 0 halfops, 0 voices, 62 normal]
09:34 -!- djshotglass [n=dextro@d216-232-234-123.bchsia.telus.net] has joined ##openvpn
09:35 * djshotglass loves topics like this
09:35 < djshotglass> answered my q's
09:35 < djshotglass> :)
09:35 < djshotglass> !route
09:35 < vpnHelper> djshotglass: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:35 < djshotglass> !redirect
09:35 < vpnHelper> djshotglass: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and
09:35 < vpnHelper> djshotglass: !ipforward)
09:36 < ecrist> glad we could help, djshotglass
09:40 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Remote closed the connection]
09:41 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
09:41 < epaphus> hello all
09:43 -!- VeXocide [i=vexocide@snail.stack.nl] has left ##openvpn []
09:45 < djshotglass> anyone ever have a machine tun http https traffic through one machine and the rest through another?
09:46 < theDoc> djshotglass: Sounds like split-tunneling you're looking at there.
09:47 < djshotglass> :)
09:47 * djshotglass googles
09:48 < ecrist> djshotglass: you need to use some policy-based routing, which is far beyond the scope of this channel.
09:50 < theDoc> djshotglass: If you have a dmz and a couple of Cisco routers, I believe PBR and split tunneling might be your answer.
09:55 < reiffert> djshotglass: depends on your OS.
10:10 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn
10:10 < Kobaz> Mon Apr 13 11:00:13 2009 PUSH: Received control message: 'PUSH_REPLY,route 10.2.2.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.2.2.22 10.2.2.21'
10:10 < Kobaz> Mon Apr 13 11:00:13 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)
10:10 < Kobaz> how would i fix that?
10:11 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn
10:11 < reiffert> Kobaz: update to 2.1rc15
10:11 < Kobaz> on the server?
10:12 < reiffert> both
10:12 < Kobaz> mm
10:12 < Kobaz> i'm using openvpn-gui on the client
10:12 < theDoc> Kobaz: Vista or Win7?
10:12 < Kobaz> vista
10:13 < theDoc> Upgrade to 2.1rc15 ^^; That solved it for me
10:13 < reiffert> he is using ancient 2.0.9
10:14 < reiffert> no such option topology in there.
10:14 < Kobaz> will the new client work with an old server?
10:14 < reiffert> no.
10:33 < Kobaz> hmm
10:34 < theDoc> heh, what a bitch. Directing people to hairytaco.com
10:34 < theDoc> lol
10:38 < Kobaz> hmm
10:38 < Kobaz> the windows openvpn gui for 2.1beta7 is borken
10:40 < ecrist> use 2.1rc15
10:40 < Kobaz> Mon Apr 13 11:37:37 2009 route ADD 10.2.2.0 MASK 255.255.255.0 10.2.2.21
10:40 < Kobaz> Mon Apr 13 11:37:37 2009 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=20]
10:40 < Kobaz> Mon Apr 13 11:37:37 2009 Route addition via IPAPI failed
10:40 < Kobaz> there is no rv15 for windows
10:40 < Kobaz> rc
10:41 < Kobaz> well not of openvpn-gui
10:41 < ecrist> Kobaz: yes there is. I'm looking at openvpn-2.1_rc15-install.exe on the site, now
10:41 < Kobaz> yeah i see
10:41 < Kobaz> i've always used openvpn-gui for windows
10:41 < ecrist> OpenVPN GUI is now packaged in the Windows installer.
10:41 < Kobaz> okay, i'm gettin that now
10:41 < Kobaz> ah i see
10:41 < ecrist> why can't people read?
10:41 < Kobaz> i dunno
10:42 < Kobaz> i'm just doing what i've always done :P
10:44 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
10:45 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:47 -!- onats [n=onats@122.53.139.213] has joined ##openvpn
10:53 < reiffert> Kobaz: SIGH SIGH SIGH
10:59 -!- zheng [n=zheng@114.92.138.88] has quit ["Leaving"]
11:01 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:06 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
11:07 < onats> anyone familiar with proxies here?
11:07 < onats> is tinyproxy any good?
11:07 < reiffert> this is #openvpn
11:09 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has joined ##openvpn
11:13 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit ["bbl"]
11:21 -!- _andre [n=andre@fosforo.k8.com.br] has joined ##openvpn
11:21 < _andre> hello
11:22 < _andre> i was reading about the failover mechanisms that openvpn supports
11:23 < _andre> is it also possible to do load balancing?
11:23 < _andre> in my current config i have two servers connected via a tunnel
11:23 < reiffert> no. it's not.
11:23 < _andre> ok
11:24 < _andre> thanks
11:28 < ecrist> it is, to a degree, but with features outside of openvpn
11:30 < _andre> you mean using something like lvs?
11:32 < ecrist> no, I mean with something like, listing multiple remote lines in your client configs, but having half your users use one first, the other half the other first.
11:32 < onats> reiffert, i know, but people here are a lot knowledgeable on networks stuff
11:32 < ecrist> or DNS round-robin, but then if the dns returns differently on refresh, the tunnel will go down/back up
11:34 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
11:45 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn
11:45 < tsunami> Are the docs on running openvpn as non-admin still applicable? (they were written in 2005)
11:49 < _andre> ecrist: i see
11:54 < reiffert> tsunami: perfect question for the mailinglist
11:55 < tsunami> reiffert: how do i get on that?
11:56 < reiffert> http://openvpn.net/index.php/documentation/miscellaneous/mailing-lists.html
11:56 < vpnHelper> Title: Mailing Lists (at openvpn.net)
12:01 < tsunami> has anyone in here had luck running this as a user?
12:02 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
12:02 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
12:02 -!- _andre [n=andre@fosforo.k8.com.br] has left ##openvpn []
12:10 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:13 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
12:14 < Improv> The key presentation is the primary means by which clients identify themselves to an OpenVPN server, correct?
12:15 < onats> correct
12:15 < onats> ?
12:15 < Improv> Hmm... so it is used for both authentication and identification...
12:16 < onats> yes
12:16 < onats> the key has a label, and the actual key itself
12:16 < onats> wait what am i saying
12:16 * onats had a couple of shots of green label:D
12:17 < Improv> I am integrating it into network testbed software, where each node will need to have multiple tunnels in place, so I guess that means each client has multiple keys, one for each connection...
12:17 < onats> that... you better ask the experts
12:18 < Improv> Was hoping to bump into some here :)
12:19 < onats> want to know who the experts are here in this channel?
12:20 < Improv> I've sometimes chatted with some pretty knowledgeable ppl here.
12:33 < kraut> moin
12:35 < Improv> Hmm.. for layer-2 vpns where the main point is for nodes to talk to each other, there's no need for the server to do TCP itself on that network, is there?
12:36 < Improv> by which I mean it'd be fine for the server not to have an IP address on the tue...
12:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
12:39 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
12:40 < tsunami> has anyone been successful in running a gui for openvpn as a user?
12:46 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
12:57 -!- lipin [n=li@static-ip-77-89-127-186.promax.media.pl] has joined ##openvpn
12:57 < lipin> !redirect
12:57 < vpnHelper> lipin: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and
12:57 < vpnHelper> lipin: !ipforward)
12:59 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
12:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:03 < epaphus> Hi guys, i setup a vpn client with gateway--redirect , and it works great.. it deletes the default local route as I want it... however ... if I disconnect my network cable and put it back on.. it overwrites the vpn route and adds the local gateway as default therefore leaving my vpn bypassed... same happens if wireless gets disconnected and reconnected. How can I avoid this??
13:04 < epaphus> I need to be _always_ accessing the internet through my VPN.. if i dont have access to the VPN it should NOT go through the local network.
13:05 < lipin> !redirect
13:05 < vpnHelper> lipin: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and
13:05 < vpnHelper> lipin: !ipforward)
13:06 < lipin> !def1
13:07 < vpnHelper> lipin: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:09 < lipin> !winnat
13:09 < vpnHelper> lipin: Error: "winnat" is not a valid command.
13:10 < lipin> !winipforward
13:10 < vpnHelper> lipin: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
13:11 < lipin> !winnat
13:11 < vpnHelper> lipin: Error: "winnat" is not a valid command.
13:12 < lipin> !nat
13:12 < vpnHelper> lipin: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
13:13 < ecrist> lipin, please quit spamming.
13:13 < ecrist> if you're looking for something, search in private chat with the bot, or ask here.
13:13 < ecrist> we'd be happy to come up with the right !key
13:14 < lipin> ok i am new to irc i thought it is a private help bot :) sorry
13:14 < epaphus> lipin, was that for me?
13:15 < lipin> no it was for my problem i cant get redirect-gateway to work :/
13:16 < ecrist> lipin: it is, if you /msg the bot, the replies come back in a private message. :)
13:16 < ecrist> lipin, you're probably not natting the vpn clients
13:18 < lipin> maybe someone can help me i am using linksys with tomato and vpn with static key i tried to redirect-gateway from vista but i cant get 0.0.0.0 leading to vpn ip in route tables (sorry for pseudo english)
13:22 < lipin> hmm vpnHelper doesnt work in private chat
13:22 < ecrist> !linnat
13:22 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:28 < Improv> epaphus: You probably need to change how your network-management tool works
13:28 < Improv> epaphus: If you're on Fedora or Debian, it's gnome-network-manager's fault
13:29 < Improv> epaphus: I don't know if they have an option to do what you want though.
13:29 < Improv> epa: I rather doubt it, actually
13:42 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
13:45 < lipin> ahh why it needs to be so hard? is there someone to help me and check what is wrong http://www.linksysinfo.org/forums/showthread.php?p=343777#post343777 here are my unsuccessful tries (redirect-gateway doesnt work)
13:46 < reiffert> !def1
13:46 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:46 < reiffert> lipin: have a look at this.
13:47 < lipin> i did use def1 but it didnt help
13:48 < reiffert> try to be more specific "does/did not help" does not help us.
13:49 < reiffert> to be more specific use a network sniffer like tcpdump or wireshark.
13:49 < reiffert> they will tell you where packets travel to and where they stop.
13:49 < lipin> thats the problem i am just ordinary guy but 0.0.0.0 with 172.16.0.1 is not created in windows routetable
13:50 < lipin> and i get error when connecting: Mon Apr 13 20:37:37 2009 OpenVPN ROUTE: omitted no-op route: 192.168.1.1/255.255.255.255 -> 192.168.1.1
13:50 < reiffert> my ordinary crystal ball is broken, I'm sorry.
13:52 < lipin> all my traffic goes through 192.168.1.1 instead of 172.16.0.1 there is no rule created in routetable for vpn tunnel i use redirect-gateway def1 and tun interface
13:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/
14:01 < dan__t> Hi.
14:01 < dan__t> No one cares, lipin
14:01 < dan__t> You're not going to guilt anyone in to helping you.
14:01 < dan__t> What's the problem?
14:01 < dan__t> No one being available to answer your question does not imply we're all assholes.
14:01 < dan__t> You do understand how IRC works, especially when supporting a FOSS product, right?
14:02 < dan__t> People have jobs, lives, etc etc.
14:02 < dan__t>
14:02 < dan__t> I just think that's severely retarded logic.
14:05 < lipin> sorry if i insult you i guess my english is not great i know that is community driven project and i cant expect any help and its great that irc channel like that exists chill my friend i am not calling anybody asshole I rather think that its great that you are here
14:09 -!- djshotglass [n=dextro@d216-232-234-123.bchsia.telus.net] has left ##openvpn []
14:14 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
14:15 -!- nemysis [n=nemysis@132-254.3-85.cust.bluewin.ch] has joined ##openvpn
14:15 < dan__t> Ok, so, ask your question :)
14:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:21 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"]
14:21 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
14:24 < lipin> Why openvpn is not creating in windows vista 0.0.0.0 route using the 172.16.130.2 interface and 172.16.130.1 as the gateway? If I use redirect-gateway def1 and static key. I can ping 172.16.130.1 (that's openvpn server ip) and i get 172.16.130.2 so it seems that tunnel is established.
14:25 < lipin> openvpn runs on linksys router bridged to belkin router in wds mode and i am connected to this belkin through wifi
14:26 < lipin> thats the problem i can make wds connection only with wep encryption so i want to secure this link using vpn network
14:27 < reiffert> 20:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/
14:27 < reiffert> !net30
14:27 < vpnHelper> reiffert: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:28 < lipin> dan__t wrote ask your question so i did once again
14:29 < dan__t> I did. Blame me.
14:30 < dan__t> That is a good read though, lipin
14:30 < dan__t> I suspect you'll find your answer in there.
14:36 < krzie> if you need it to be easier to understand, you can have .2 be the first client, .3 be the second, etc etc
14:36 < krzie> by using 2.1 with:
14:36 < krzie> !topology
14:36 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:51 -!- Lilarcor [n=Lilarcor@168.sub-97-165-229.myvzw.com] has joined ##openvpn
14:54 < lipin> did i understand it right ? i have ifconfig 172.16.130.1 172.16.130.2 in router and i am making tunnel from pc ifconfig 172.16.130.2 172.16.130.1 on router side there is linux on pc windows so next ip i could use in theory is 172.16.130.5 but i use static key so i am only one client and i dont really understand how it relates to me should i make 4 ip space between 172.16.130.1 and 172.16.130.2 ?
14:58 < lipin> and vpn said that local and remote endpoints must be in /3 subnet like i had before
14:59 < krzie> lipin ifconfig 172.16.130.1 172.16.130.2 is for a ptp style setup
14:59 < krzie> from what you're saying you want more than 2 clients
14:59 < krzie> so use server 172.16.130.0 255.255.255.0
14:59 < krzie> it will automagicly assign ips for you on clients
14:59 < krzie> just use the command client on them
15:00 < krzie> like this:
15:00 < krzie> !sample
15:00 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
15:00 < reiffert> 20:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/
15:00 < krzie> lol reif
15:00 < tsunami> anyone successful in deploying openvpn as user account (not admin)
15:00 < reiffert> it's pointless, he is repeating himself, so are we.
15:00 < krzie> ahh gotchya
15:01 < krzie> tsunami i dont use windows, BUT
15:01 < krzie> !factoids search admin
15:01 < vpnHelper> krzie: 'ssl-admin' and 'win_noadmin'
15:01 < krzie> !win_noadmin
15:01 < vpnHelper> krzie: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:03 -!- Lilarcor [n=Lilarcor@168.sub-97-165-229.myvzw.com] has quit []
15:04 < lipin> i want p2p connection to test if internet traffic (it doesnt now) goes through tunnel if it works then i will bother with generating keys etc.
15:04 < lipin> server config
15:04 < lipin> daemon
15:04 < lipin> ifconfig 172.16.130.1 172.16.130.2
15:04 < lipin> proto udp
15:04 < lipin> port 1194
15:04 < lipin> dev tun21
15:04 < krzie> you looked at the topic?
15:04 < lipin> comp-lzo yes
15:04 < lipin> keepalive 15 60
15:04 < krzie> !pastebin
15:04 < lipin> verb 3
15:04 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:04 < lipin> secret server1-static.key
15:04 < lipin> status-version 2
15:04 < lipin> status server1.status
15:04 < lipin> client config
15:04 < lipin> dev tun
15:04 < lipin> proto udp
15:04 < krzie> next paste that big = kick
15:04 < lipin> remote 192.168.1.1 1194
15:04 < lipin> ifconfig 172.16.130.2 172.16.130.1
15:04 < lipin> comp-lzo
15:04 < lipin> secret static.key
15:04 < lipin> route-gateway 192.168.1.1
15:04 < lipin> redirect-gateway def1
15:05 -!- mode/##openvpn [+o krzie] by ChanServ
15:05 <@krzie> ahh it stopped
15:05 -!- mode/##openvpn [-o krzie] by krzie
15:05 < krzie> dont do that
15:05 < krzie> when you entered chanserv told you, you must pastebin anything over 5 lines
15:05 < lipin> ok i am trying my best in this IT jungle and new experience of IRC chat
15:05 -!- krzie [i=krzee@unaffiliated/krzee] has left ##openvpn []
15:05 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
15:05 < krzie> -ChanServ(ChanServ@services.)- [##openvpn] Welcome to ##openvpn. Please don't
15:05 < krzie> paste more than 5 lines to the channel; use pastebin.com or other,
15:06 < krzie> please see the topic in this channel
15:06 < krzie> you can type /topic if your IRC client doesnt display it
15:06 < krzie> || !redirect for sending inet traffic through server ||
15:07 < krzie> so type !redirect to see what you need if that is your goal
15:07 < krzie> whoa whoa whoa
15:07 < krzie> remote 192.168.1.1 1194
15:08 < krzie> redirect-gateway def1
15:08 < krzie> 192.168.1.1 is on the same LAN, right?
15:08 < lipin> yes
15:08 < krzie> will that be the case in the final setup?
15:08 < lipin> its router with vpn
15:08 < krzie> securing your wifi?
15:08 < lipin> yes
15:08 < krzie> !local
15:08 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
15:09 < lipin> it didnt help i tried it before
15:09 < krzie> right, because you didnt type !redirect
15:09 < krzie> BUT, you will need that too
15:09 < krzie> please dont tell us what we say isnt right, we have experience with this stuff
15:10 < krzie> which is why we're here
15:10 < krzie> you dont, which is why you're here
15:11 < lipin> so what should i do next if its still doesnt work
15:11 < reiffert> die()
15:11 < reiffert> ah wait,
15:11 < lipin> and my pc is going always through 192.168.1.1
15:11 < reiffert> 20:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/
15:12 < reiffert> use your ssh tunnel.
15:12 < krzie> you ever gunna type !redirect?
15:12 < krzie> or you just dont wanna see what you need...?
15:12 < krzie> ya, or use your ssh tunnel, lol
15:13 < lipin> !redirect
15:13 < vpnHelper> lipin: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and
15:13 < vpnHelper> lipin: !ipforward)
15:13 < reiffert> 20:05 < lipin> !redirect
15:13 < reiffert> 2 hours ago
15:13 < krzie> reiffert ahh, see i just got here, lol
15:14 < lipin> yes and i was told tell it directly to bot (dont spam in here) and when i do it it says redirect is no valid command
15:15 < lipin> i dont want any war in here just a valuable help not guys laughing and copying same line with my ssh quote
15:16 < lipin> !winnat
15:16 < vpnHelper> lipin: Error: "winnat" is not a valid command.
15:16 < lipin> doesnt work btw
15:16 < krzie> reeeeally
15:16 < krzie> !factoids search nat
15:16 < vpnHelper> krzie: 'nat', 'linnat', and 'fbsdnat'
15:16 < krzie> hah true, i need to make that i guess
15:16 < krzie> bleh, i hate windows
15:17 < krzie> your server is windows?
15:17 < lipin> my server is linksys router
15:17 < krzie> then you dont need !winnat
15:18 < krzie> you need !linnat
15:18 < krzie> and !linipforward
15:18 < lipin> !linnat
15:18 < vpnHelper> lipin: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:18 -!- Wachert [n=wachert@p3EE2B858.dip.t-dialin.net] has joined ##openvpn
15:18 < lipin> i did postrouting it didnt help
15:18 < krzie> and !linipforward
15:18 < lipin> !linipforward
15:18 < vpnHelper> lipin: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
15:19 < krzie> and very importantly, you need local on your redirect-gateway line
15:19 < krzie> and !linipforward
15:19 < krzie> oops
15:19 < krzie> misfire
15:19 < krzie> but ya, when you have !local !linnat and !linipforward all correct, it will work
15:19 < krzie> route-gateway 192.168.1.1
15:20 < krzie> you also dont need that line
15:24 < krzie> also, you're saying you will wait until it works 1 way before you do it the right way... that is accepting that you will give up if it isnt easy for you, which sets you up for failure
15:24 < krzie> i strongly suggest that in your time on the computer you change your outlook if you would like to learn and successfully run whatever it is you want
15:25 < krzie> set things up correctly the first time, know that no matter how hard it is for you that you will spend the time reading the docs until you get it right
15:26 < lipin> can i check somehow if postrouting was added to iptables ?
15:29 < lipin> i am leaving tomorrow and i want to leave secured network in my sisters flat so ssh is not giving up its just worst case scenario leading to many calls why this and this program doesnt work and how to configure it just like me in here 15:30 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn 15:30 < krzie> lipin, its up to you to learn your operating system (in this case linux) 15:30 < krzie> but that is all you need to accomplish 15:32 < KaiForce> Remote user with a previously functioning OpenVPN GUI client getting this message: "ERROR: Exit Event ('openvpngui_exit_event_0') is signaled" when trying to connect. Any idea what I can look for (the server is functioning). 15:32 < krzie> KaiForce turn up verb to 6 on the client and the server 15:32 < krzie> !logs 15:32 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:32 < KaiForce> krzie: thanks, wilco 15:33 < krzie> =] 15:34 < krzie> happy to take a look when you get them posted 15:34 < krzie> first thing that comes to my head (totally a guess) is cert may have expired or the time on the pc may be off 15:35 < krzie> but guesses mean nothing, the logs at verb 6 should help 15:37 < lipin> could you take a look at my iptables, route tables it still dosnt work after doing all this steps http://pastebin.com/m219161a1 15:37 < lipin> and there is error: Warning: route gateway is not reachable on any active network adapters: 172.16.130.1 15:38 < krzie> !configs 15:38 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:40 < krzie> oh that error is prolly because of this: 15:40 < krzie> route-gateway 192.168.1.1 15:40 < krzie> remove that line 15:41 < lipin> its deleted now 15:41 < lipin> rest is same with added 
local in redirect-gateway 15:42 < tsunami> is there any updated info on running ovpn as a user w/o admin... I have a hard time believing I can't get around this issue. (the issue being I can't use an encrypted connection as a user) 15:42 < krzie> tsunami did you read the links i gave you? 15:43 < tsunami> yeah 15:43 < krzie> thats all i know 15:44 < tsunami> it says it can't find a .dll file as the user when I gave access to all 15:44 < tsunami> er.. i'm venting sry 15:44 < krzie> i dont use windows, but the people who do say that works 15:53 < KaiForce> hmmm, time on PC, that is something I didn't consider 15:53 < KaiForce> I'm waiting to hear back from the end user 15:53 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 15:59 < KaiForce> doh, no user response yet. I'll try again tomorrow. Thanks again krzie 15:59 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 16:04 < lipin> bye bye enough :-) no success :-( thanks for help & irc induction (i will fight this again in 2 weeks :-) and i am going to make this bloody linux server/router run well) 16:05 -!- lipin [n=li@static-ip-77-89-127-186.promax.media.pl] has quit [] 16:05 < tsunami> anyone know how to pass credentials when running openvpn as a service? 
16:11 < krzie> !factoids search auth 16:11 < vpnHelper> krzie: 'tls-auth' and 'authpass' 16:12 < krzie> !factoids search pass 16:12 < vpnHelper> krzie: 'winpass', '2.1-winpass-script', 'password', and 'authpass' 16:12 < krzie> !authpass 16:12 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 16:12 < krzie> hrmm 16:12 < krzie> i know its in there somewhere 16:12 < krzie> !pwfile 16:12 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h 16:12 < krzie> there it is 16:13 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 16:19 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn 16:19 < dupondje> !route 16:19 < vpnHelper> dupondje: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:20 < dupondje> is there a way to make iroute dynamic ? 16:20 < dupondje> cause client will be laptop, so sometimes it doesn't need to route 192.168.2.* over VPN 16:20 < dupondje> and sometimes not 192.168.3.* for example 16:21 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 16:22 < epaphus> Hey guys, I got a real issue with OpenVPN client in my desktop pc... its a fight between the default route and whenever dhclient gets a new lease .. it overwrites the default route to route everything to VPN. 16:22 < epaphus> whats the best way to solve this? 
16:23 < epaphus> if I am not careful and watch out closely when the computer gets a new dhcpd lease.. I can find myself routing the traffic through my local gateway and not the VPN and I wouldnt notice it 16:26 < epaphus> krzee, u there ? :) 16:30 < dupondje> its death :p 16:41 < epaphus> dupondje, hmm? are you referring to this? 16:51 < Bushmills> epaphus, set up your dhcp client to not overwrite default route 16:52 < epaphus> Bushmills, well what would occur if.. I want to some day just boot into my computer and start using the internet via the local..? I would have to set the route myself..? 16:53 < epaphus> Its too bad I cant tell dhclient not to overwrite if a current default route already exists. 16:54 < Bushmills> well, i answered your first question, not the "what if" part 16:54 < epaphus> :) 16:54 < epaphus> thank you though 16:55 < Bushmills> time that we finally get mind reading computers which can handle those "what if" situations 16:56 < epaphus> :) 17:01 < reiffert> lets start with it right now: 17:01 < reiffert> http://www.ocztechnology.com/products/ocz_peripherals/nia-neural_impulse_actuator 17:01 < vpnHelper> Title: OCZ Technology | Products | OCZ Peripherals | nia - Neural Impulse Actuator (at www.ocztechnology.com) 17:04 -!- Wachert [n=wachert@p3EE2B858.dip.t-dialin.net] has quit [Connection timed out] 17:11 < krzie> epaphus did someone answer this question yet? 17:11 < krzie> Hey guys, I got a real issue with OpenVPN client in my desktop pc... 17:11 < krzie> its a fight between the default route and whenever dhclient gets a 17:11 < krzie> new lease .. it overwrites the default route to route everything to 17:11 < krzie> VPN. 
17:12 < krzie> not sure if someone answered, but if you look in the manual you will see a flag for redirect-gateway to bypass the dhcp server 17:12 < krzie> its bypass-dhcp or something like that 17:15 < krzie> oh nm bushmills gave you a good answer, i missed that 17:16 < Bushmills> yes, those one-liners tend to be overlooked 17:17 < krzie> hows it goin man 17:17 < Bushmills> right on 17:17 < Bushmills> just returned from family, been out on visit over easter 17:17 < krzie> ahh cool 17:18 < krzie> i stayed in and got some good work done 17:18 < krzie> finished my zabbix NMS and built my new desktop 17:18 < Bushmills> i probably gained 3 kilos 17:18 < krzie> will install osX86 on it tonight now that the computer store is open so i could pickup sata dvd drives 17:18 < krzie> (it didnt like my ide chipset) 17:19 < Bushmills> cool. sounds like you've been productive 17:19 < krzie> ya man, im excited to get that box up 17:19 < krzie> quad core intel with 8gb ram 17:20 < Bushmills> high power dissipation. did you inherit a nuke? 17:20 < krzie> o and my 3 seagate 1.5TB drives should be coming back from getting RMA'ed tomorrow 17:20 < krzie> hahah nah i just want some real power 17:20 < krzie> a box i can crack stuff on when needed, and that can handle my everyday life as well 17:21 < Bushmills> hehe 17:21 < krzie> i been using my macbook pro for * for like 3 years now 17:21 < krzie> i feel bad for the poor thing 17:21 < Bushmills> if i tell you what my main computer is, you'll either laugh, or look disgusted 17:21 < krzie> overused 17:21 < krzie> nah if it works for you thats all that matters 17:22 < krzie> i demand a lot from mine, so it was time to go big 17:22 < krzie> if you heard what i put in my NFS youd laugh at me for the over-the-edge power i used for it 17:22 < krzie> (i may have gone overboard on that one) 17:23 < Bushmills> but i can do development on battery power, 3 to 4 cpus involved 17:23 < Bushmills> ehm. 
5 actually 17:24 < krzie> nice 17:24 < krzie> you play with vmware esxi at all? 17:24 < krzie> (i always get that acronym wrong) 17:24 < Bushmills> no. my main machine lacks the power (speak: RAM) for it. 17:25 < krzie> ahh 17:25 < Bushmills> 512 k is a bit constrained 17:25 < Bushmills> ehm 17:25 < Bushmills> mb 17:25 < krzie> i'd like to run it, but not on the nfs cause i use zfs for my filesystem and not on my desktop cause i want osx86 and dont think it works on esxi 17:25 < krzie> so im SOL 17:25 < Bushmills> my other "machine" is 2 kb 17:26 < krzie> 2kb what 17:26 < Bushmills> RAM 17:26 < krzie> umm 17:26 < krzie> atari? lol 17:26 < krzie> thats less than my ipod touch 17:26 < krzie> altair? 17:26 < Bushmills> nah. atmel controllers on which i'm running interactive interpreter, incremental compiler, multitasking ... 17:27 < epaphus> krzie, thanks 17:27 < krzie> wow, crazy stuff 17:27 < krzie> epaphus, np but after reading bout it in manpage im thinking its maybe not what you wanted 17:28 < epaphus> its ok i discovered that if you leave def1 17:28 < epaphus> then... it will do what i want 17:28 < krzie> ohhh right 17:28 < epaphus> how are you doing krzie ? :) 17:28 < krzie> good call 17:28 < krzie> im doing very well 17:28 < epaphus> me too 17:29 < epaphus> i installed gopenvpn 17:29 < epaphus> its great.. what a breeze 17:29 < krzie> Bushmills, sounds above my skill level, would be fun to watch 17:29 < krzie> epaphus, yup... very nice app 17:31 < epaphus> krzie, is this your preferred..? have you used any other? 17:31 < krzie> i haven't used any other because this is my preferred 17:32 < krzie> and its my preferred because i trust openssl far more than ipsec or pptp's proprietary protocols 17:32 < epaphus> ipsec is a proprietary thing? ohh.. cisco? 17:32 < krzie> right 17:36 < Bushmills> krzee, no, not above level. maybe, beside your skill set but positively not anything you wouldn't be able to pick up. 
17:37 < krzie> i can agree with that 17:39 < Bushmills> be warned though that the technology used in those controllers is something i have been recurrently busy with for about 30 years. 17:40 < Bushmills> means, it's not something one would pick up in a matter of 10 minutes 17:40 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 17:40 < krzie> ya its not something i have a need to use either 17:41 < krzie> (as far as i know...) 17:42 * Bushmills is a pre-ibm-pc fossil 17:44 < Bushmills> wanna see the first "real" computer i was learning to program on? 17:45 < krzie> sure 17:45 < Bushmills> http://www.columbia.edu/acis/history/5100.html 17:45 < vpnHelper> Title: The IBM 5100 Portable Computer (at www.columbia.edu) 17:46 < Bushmills> http://forthfreak.net/ibm5100.jpg better picture of that machine 17:49 < Bushmills> predates the IBM pc by 6 years 17:52 < krzie> savage 17:59 < Bushmills> it was slow, memory starved, and a ridiculously small text mode screen, but had an APL interpreter in ROM, which made it interactive. 18:00 < dupondje> how to solve my problem ? :x 18:00 < Bushmills> quite different from the ibm 360 mainframe machines i failed to grasp assembly for at that time. 18:08 < krzie> dupondje, what was it? 18:09 < krzie> Bushmills awesome man, i dont even code aside from scripting, so maybe i was right when i said above my skill level ;] 18:12 < Bushmills> actually, programming those controllers is - by virtue of the added interpreter and compiler in flash - very similar to scripting. 
18:12 < krzie> ahh cool 18:12 < krzie> well im pretty damn handy in the shell scripting 18:13 < Bushmills> i actually wrote a version of it in javascript, which runs in your web browser 18:13 < krzie> ya 18:14 < krzie> while im not a coder im familiar with where you use the different ones and what they are 18:14 < Bushmills> or worse, also a version written as bash script 18:14 < krzie> and i can read through source to get an idea of whats going on 18:14 < Bushmills> probably (one of the) most complex bash scripts in existence 18:14 < Bushmills> ah 18:15 < krzie> heres my second favorite script i wrote (mainly cause of the comments i think) 18:15 < Bushmills> wanna get an idea what's going on by looking at a bash script (grin) 18:15 < krzie> http://www.doeshosting.com/code/mkimg 18:15 < krzie> sure, post it ill look 18:16 < Bushmills> http://scarydevilmonastery.net/bashforth enjoy :D 18:17 < Bushmills> virtual machine, interpreter, compiler, run time environment 18:19 < Bushmills> (but i foretell you need at least 3 looks to get an idea what's going on) 18:20 < krzie> no shit 18:21 < krzie> and i already learned a command i didnt know (declare) 18:21 < krzie> why use that over a normal var? 18:23 < krzie> damn that script is more complicated than the package i wrote to run my whole webhosting company (which i since shutdown) 18:23 < Bushmills> several possible reasons. you can give the declared data item characteristics an implicit declaration wouldn't give, for example, or 18:24 < Bushmills> declaration during "load"/"compile" time takes the time which would otherwise be needed at run time when declaration is done implicitly 18:24 < krzie> dude, that is a hardcore script 18:25 < Bushmills> also, better factoring. i can keep the declaration together in one section which helps me to know what gets actually declared 18:25 < dan__t> meh 18:25 < dan__t> Fuck Sendmail. 
18:25 < dan__t> :( 18:25 < krzie> agreed dan, dont use it 18:25 < Bushmills> especially in combination with a bash invocation option which disables implicit declaration 18:25 < krzie> postfix or qmail 18:25 < dan__t> Postfix is my bitch. 18:25 < dan__t> unfortunately I can't change this setup. 18:26 < dan__t> I need to always BCC incoming mail for a particular user. 18:30 < Bushmills> dan__t, redirect mail for that user to a mail server running postfix, in its virtual file put for the recipient both real/final email address and bcc address :D 18:31 < Bushmills> or a procmail recipe could do the job too 18:33 < krzie> and to redirect mail in sendmail you just put ~/.forward with only the email address to forward to 18:35 < Bushmills> i think that's actually procmail handling that way of forwarding 18:36 < dan__t> alias hackery. 18:36 < dan__t> done and done. 18:36 < dan__t> aliases, rather. 18:36 < krzie> ahh, i never mess with sendmail 18:38 < krzie> i only know that cause freebsd comes with sendmail, and if its not gunna run a mailserver i leave sendmail running but not binding to an ip so it can deliver me its periodic emails (using .forward) 18:38 < krzie> thats all i know (and want to know) about sendmail 18:38 < krzie> besides how to turn it off ;] 18:39 < krzie> dupondje, didnt you have a question...? 18:40 < Bushmills> [22:20] is there a way to make iroute dynamic ? 
18:40 < Bushmills> [22:20] cause client will be laptop, so sometimes it doesn't need to route 192.168.2.* over VPN 18:41 < krzie> ahh 18:41 < krzie> not dynamic, but you can use 2 accounts from the laptop 18:41 < krzie> 1 whose common-name is associated with the iroute, and you only use when connecting from the place with the lan 18:41 < krzie> other for when you are a road warrior 18:42 -!- sirus [i=scott@gotpot.org] has joined ##openvpn 18:42 < sirus> !redirect 18:42 < vpnHelper> sirus: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 18:42 < vpnHelper> sirus: !ipforward) 18:54 * krzie closes Bushmills' shell script before his head explodes 19:15 -!- theDoc [n=andelyx@bb116-15-11-175.singnet.com.sg] has joined ##openvpn 19:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:51 -!- theDoc [n=andelyx@bb116-15-11-175.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 20:14 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 20:33 -!- aluis__ [n=aluis@e176245079.adsl.alicedsl.de] has joined ##openvpn 20:51 -!- aluis_ [n=aluis@g227126172.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 20:52 < krzie> sirus, did you understand that? 
20:52 < krzie> !nat 20:52 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 20:53 -!- theDoc [n=andelyx@162.202-128-197.unknown.qala.com.sg] has joined ##openvpn 20:54 -!- theDoc [n=andelyx@162.202-128-197.unknown.qala.com.sg] has quit [Client Quit] 20:59 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 21:26 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 21:34 -!- Dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 21:34 < Dougy[home]> heyo 21:41 < krzie> bored 21:42 < Dougy[home]> me too 21:42 < Dougy[home]> fighting with this server 21:42 < Dougy[home]> mother f 21:42 < Dougy[home]> im memtesting to see if it locks again 21:42 * Dougy[home] is mad 21:51 < Dougy[home]> rm -rf /centos 21:51 < Dougy[home]> goodbye rhel5 21:51 < krzie> lol 21:51 < krzie> i wouldnt even say hello to it 21:54 < Dougy[home]> meh 21:54 < Dougy[home]> its not bad 22:10 -!- sn1ffer723 [n=davidj@68-187-222-247.dhcp.oxfr.ma.charter.com] has joined ##openvpn 22:23 < sn1ffer723> I am looking for a recommendation to do site-to-site IPSec VPNs 22:23 < sn1ffer723> What are your thoughts on NetScreens 22:23 < sn1ffer723> ? 22:25 < krzie> you're in the wrong channel 22:25 < krzie> we dont do ipsec here 22:26 < krzie> !notcompat 22:26 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 22:26 < krzie> !notovpn 22:26 < vpnHelper> krzie: Error: "notovpn" is not a valid command. 
22:26 < krzie> !notopenvpn 22:26 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 22:26 < krzie> !learn notovpn as [notopenvpn] 22:26 < vpnHelper> krzie: Joo got it. 22:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:27 < theDoc> I hope this works and xdiff didn't fuck up 3 config files. 22:42 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 22:42 < Dougy[home]> !forum 22:42 < vpnHelper> Dougy[home]: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 22:44 < Dougy[home]> hmm 22:44 < Dougy[home]> there are posts 22:45 < Dougy[home]> ! 22:45 < krzie> heh 22:49 < krzie> i almost dont wanna delete them either 22:49 < krzie> i mean sure its porn spam, but at least he posted pics 22:50 < krzie> wtf wheres my admin privs? 22:52 < krzie> ahh i see 22:57 < Dougy[home]> lol 22:57 < krzie> there, replied 22:58 < Dougy[home]> woot 22:58 -!- sn1ffer72 [n=davidj@Interference.CTCNet.com] has joined ##openvpn 22:58 < krzie> adios bbl 22:58 * sirus loves vpn 23:02 < Dougy[home]> MOTHER F 23:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 23:10 -!- Dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 23:14 -!- sn1ffer723 [n=davidj@68-187-222-247.dhcp.oxfr.ma.charter.com] has quit [Read error: 110 (Connection timed out)] 23:14 -!- diegoviola [n=diego@adsl-142-4.click.com.py] has joined ##openvpn 23:14 < diegoviola> is there a way to make the encryption stronger in openvpn? 23:14 < diegoviola> what's the default? 23:35 < diegoviola> is there a way that i could access the internet network from the openvpn server i'm connecting to? 
--- Day changed Tue Apr 14 2009 00:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:02 < diegoviola> guys i need some help, i'm new with this openvpn stuff 00:03 < diegoviola> i have connected to the pptp vpn of a friend, and i was able to use his internet's ip to connect to my voip switch 00:03 < diegoviola> i didn't have to make my sip switch listen on his vpn network ip 00:03 < diegoviola> i just connected as i would normally 00:04 < diegoviola> when i set up a vpn client-server i need to make my switch listen on my openvpn server ip address 00:04 < diegoviola> and i don't want that 00:07 < dan__t> diegoviola> is there a way that i could access the internet network from the openvpn server i'm connecting to? 00:07 < dan__t> of course, why not? 00:07 < dan__t> what's the default? 00:07 < dan__t> depends on the keyset used 00:08 < diegoviola> the thing is that i have voip blocked (sip protocol), my isp blocks it 00:08 < diegoviola> but when i connected to his pptp i was able to connect just fine to my voip network 00:08 < diegoviola> i don't know how 00:08 < diegoviola> i think his pptp created an interface with his ip on my system 00:08 < diegoviola> with his internet ip 00:09 < dan__t> I'll be back in an hour. 00:09 < dan__t> Either wait for me, or someone else 00:09 < dan__t> sorry heh 00:09 < dan__t> Its called good NAT trickery. 
00:09 < dan__t> Whatever he did with IPs had nothing to do with the VPN, it had everything to do with IP routing behind that VPN server 00:11 < diegoviola> nope, his ppp0 creates an interface with 10.10.10.3 here 00:11 < diegoviola> i see 00:11 < dan__t> (yeah, it is) 00:11 < dan__t> :) 00:11 < dan__t> bbl 00:12 < diegoviola> please let me know when you have some time to help me with this network 00:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:15 < diegoviola> http://pastie.org/445744 00:15 < diegoviola> his vpn creates a ppp0 interface with the vpn ip 00:16 < diegoviola> and adds a route to his internet gateway 00:16 < diegoviola> on my machine 01:04 < diegoviola> anyone? 01:14 < diegoviola> is there a way i can create a vpn tunnel between me and my server, and then use the server internet for my computer 01:14 < diegoviola> like, add the ip of the server on my route table 01:24 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:24 -!- Cephalon [n=Cephalon@195.251.124.109] has left ##openvpn ["adios"] 01:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:24 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:25 < Cephalon> hello, can someone tell me how my vpn clients can communicate with each other, because now i have only client-server communication 01:26 < diegoviola> Cephalon: look at the client-to-client option 01:29 < Cephalon> thanx diegoviola, it works 01:33 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: roentgen, tarbo2, coChosh9, Gumbler 01:33 -!- ThoMe is now known as thomas 01:34 < diegoviola> np 01:34 < diegoviola> can someone help me please? 
01:34 -!- Netsplit over, joins: roentgen, tarbo2, coChosh9, Gumbler 01:34 -!- thomas [n=tm@tm.muc.de] has quit [Killed by ballard.freenode.net (Nick collision)] 01:35 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Alagar, Cephalon, simplechat 01:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [SendQ exceeded] 01:39 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: coChosh9, tarbo2, Gumbler 01:39 -!- Netsplit over, joins: coChosh9, Gumbler 01:39 -!- dazo_gone is now known as dazo 01:42 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 01:42 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn 01:44 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: coChosh9, Gumbler 01:44 -!- ThoMe is now known as thomas 01:45 < dazo> diegoviola: there are a lot of people here who might want to help, I dunno ... but it's easier to help when you come up with a question ........ hint hint 01:47 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:47 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 01:47 -!- simplechat [n=betabot@li20-55.members.linode.com] has joined ##openvpn 01:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:48 -!- simplechat [n=betabot@li20-55.members.linode.com] has quit [SendQ exceeded] 01:49 -!- Cephalon [n=Cephalon@195.251.124.109] has quit [Excess Flood] 01:50 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:50 < diegoviola> dazo: well, let me explain... i connected my linux computer to my friend's vpn, which uses pptp... it assigned me a private ip address: 10.10.10.3, and also added a route to his gateway for me, then i could connect to my voip server normally as i would with the internet ip, i didn't have to make my voip software listen on any other ip but the internet ip... and my traffic would appear with the vpn server ip 01:50 < diegoviola> dazo: does that make sense? 
01:50 < diegoviola> http://pastie.org/445744 01:50 < diegoviola> that was the config i had when i connected to his vpn 01:50 < diegoviola> i'm trying to do something similar with openvpn 01:51 < dazo> diegoviola: are you using openvpn or pptp? 01:51 < diegoviola> dazo: openvpn now 01:51 < diegoviola> dazo: i'm trying to do the same thing i did with pptp but with openvpn... 01:52 < dazo> diegoviola: aha ... I got concerned that you tried to use openvpn against a pptp service ... bec. that would not work out at all 01:52 < diegoviola> no, i'm not using pptp 01:52 < dazo> good 01:52 < diegoviola> 100% openvpn 01:52 < diegoviola> i have a client-server openvpn set up here 01:53 < dazo> Just trying to understand your case .... 01:53 < diegoviola> but i want to be able to use the openvpn server internet 01:53 < dazo> So you want all Internet traffic to pass over the VPN channel? 01:53 * dazo does not quite catch your problem 01:53 -!- Cephalon [n=Cephalon@195.251.124.109] has quit [Client Quit] 01:54 -!- coChosh9 [i=coChosh9@gateway/tor/x-3018485ce1e7e2de] has joined ##openvpn 01:54 < diegoviola> dazo: yes, basically that 01:54 < diegoviola> i want all the traffic to go from my computer to the vpn 01:55 < dazo> okey ... if you want to redirect all Internet traffic from the client .... you need to look into adding --redirect-gateway in your client config (or pushing it from the server) 01:55 < dazo> that's basically all you need :) 01:55 < dazo> --redirect-gateway defl ... I believe might be the right option .... 
double check it against the man pages 01:55 < diegoviola> thanks 01:58 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 02:03 -!- antii [n=whaj@unaffiliated/antii] has joined ##openvpn 02:03 < antii> hello 02:04 < antii> can anyone help me setup "intern routing", i got a crappy guide that is "Ok" :P 02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:19 < kraut> moin 02:38 -!- vlt [n=dm@suez.activ-job.com] has left ##openvpn [] 02:49 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 03:02 -!- antii [n=whaj@unaffiliated/antii] has quit [Read error: 113 (No route to host)] 03:03 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 03:03 < Bushmills> diegoviola, http://scarydevilmonastery.net/masq 03:03 < Bushmills> (assuming linux on vpn server) 03:06 < diegoviola> Bushmills: thanks a lot 03:08 < Bushmills> np 03:09 -!- sn1ffer72 [n=davidj@Interference.CTCNet.com] has quit [Connection timed out] 03:20 < onats1> !route 03:20 < vpnHelper> onats1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:20 < onats1> i have a question 03:21 < onats1> what's the difference if i just create a proxy server on my LAN (behind the vpn server), and use it as proxy for traffic, than the !redirect? 03:21 < onats1> in terms of performance? 
03:21 < onats1> !redirect 03:21 < vpnHelper> onats1: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 03:21 < vpnHelper> onats1: !ipforward) 03:39 -!- diegoviola [n=diego@adsl-142-4.click.com.py] has quit [Read error: 110 (Connection timed out)] 03:54 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 03:54 -!- thomas [i=tm@tm.muc.de] has quit [Killed by ballard.freenode.net (Nick collision)] 03:54 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 04:13 -!- coChosh9 [i=coChosh9@gateway/tor/x-3018485ce1e7e2de] has quit [Remote closed the connection] 04:30 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn 04:33 -!- coChosh9 [i=coChosh9@gateway/tor/x-861bdb4dfd29b5ad] has joined ##openvpn 04:36 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)] 05:09 -!- Wachert [n=wachert@p3EE2F1B2.dip.t-dialin.net] has joined ##openvpn 05:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:30 -!- inigo_work [n=inigo@212.21.227.90] has joined ##openvpn 06:30 < inigo_work> hello 06:34 < inigo_work> i'm getting this: http://pastebin.com/d1d84e2f6 06:35 < inigo_work> i don't know. I think this has worked other times before. 06:36 < inigo_work> i don't know what to check 06:37 < inigo_work> we used to build certificates using build-key-pkcs12 06:37 < inigo_work> do i need to modify the revoke-full script ? 06:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:45 < dazo> inigo_work: ... seems like your cert file is empty .... that cannot be empty 06:45 < dazo> keys/emialag.crt: empty 06:46 < dazo> inigo_work: ahh ... sorry ... I read too quickly ... 
you're doing easy-rsa stuff .... my mistake 06:46 < inigo_work> maybe my index.txt is corrupted or something like that? 06:47 < dazo> inigo_work: are you sure /etc/openvpn/usuariosBiko/ca/openssl.cnf has not been changed? 06:47 < inigo_work> i'm trying -verbose in openssl lines and strace, but i don't see 06:47 < inigo_work> ono ca # stat /etc/openvpn/usuariosBiko/ca/openssl.cnf 06:47 < inigo_work> File: `/etc/openvpn/usuariosBiko/ca/openssl.cnf' 06:47 < inigo_work> Size: 7487 Blocks: 16 IO Block: 4096 regular file 06:47 < inigo_work> Device: fd00h/64768d Inode: 116784 Links: 1 06:47 < inigo_work> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) 06:47 < inigo_work> Access: 2009-04-14 13:33:13.000000000 +0200 06:47 < inigo_work> Modify: 2005-09-27 00:33:28.000000000 +0200 06:47 < inigo_work> Change: 2009-04-06 09:38:13.000000000 +0200 06:47 < inigo_work> it isn't seems changed 06:47 < inigo_work> doesn't 06:47 < dazo> nope 06:49 < dazo> inigo_work: I'm sorry .... I'm not sure how easy-rsa works under the hood .... maybe you should have a look at how the script works and try to run the openssl commands manually 06:49 < dazo> or add debug info into the script 06:50 < inigo_work> yes, i will try 06:50 < inigo_work> thanks dazo 06:50 < inigo_work> time to lunch here :) 06:50 < dazo> :) 06:50 < dazo> enjoy! 06:50 < inigo_work> thanks 06:59 -!- betabot is now known as simplechat 06:59 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)] 07:00 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 07:00 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn 07:04 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn 07:12 -!- asdf [n=wtf@pessa.net] has left ##openvpn [] 07:46 < tsunami> running openvpn as just a service from a user gets me an error in the log saying "can't read Auth username from stdin" Any ideas? 
08:01 < ecrist> well-covered in the howto 08:26 -!- MissNeBuN [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 08:49 < Alagar> Best wishes for a happy new year 08:49 < ThoMe> Hello. 08:50 < ecrist> Alagar: what is that? 08:50 < ThoMe> Does anyone here speak a little German? 08:50 < ecrist> English in here, folks. 08:51 < Alagar> this is a greeting for the tamil new year 08:51 < Alagar> today is the tamil new year 08:51 < ecrist> ThoMe: please don't PM me. what do you need? 08:53 -!- solexious [n=solexiou@80-41-109-207.dynamic.dsl.as9105.com] has quit [Read error: 110 (Connection timed out)] 08:53 < ThoMe> ecrist: I have a VoIP phone with OpenVPN client. After some time the phone stays are short, whenever anything is renewed. 08:55 < ecrist> ThoMe: you've a lot of variables. 08:55 < ecrist> doesn't the phone work OK over the internet, without the vpn? 08:55 < ThoMe> ecrist I mean "anything is renewed" > "Tue Apr 14 14:59:42 2009 SNOM_370_HERR_WINDELS/77.47.83.155:61014 TLS: tls_process: killed expiring key 08:56 < ThoMe> ecrist: Is a VPN connection with lower system requirements on my client possible? 08:56 < ThoMe> ecrist: Yep, I have the SNOM Phone 370 in 6 places, without VPN. works good. 08:57 < ThoMe> ecrist: I've seen that you can only build a connection with a certificate? 08:58 < ecrist> I don't run VoIP over VPN, so I can't help you very much with that. 08:59 < ThoMe> ecrist: no, i mean, openVPN. i use three lines, server cert and then the bundle from my client private/pub. is it possible with one? 08:59 < ThoMe> ecrist: TLS: tls_process: killed expiring key < you can change the key lifetime, check the man page, not sure the exact config option 09:02 < ThoMe> ecrist: i use google with "key lifetime". thank you very much. have a nice day! 09:03 -!- Wachert [n=wachert@p3EE2F1B2.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"] 09:05 < ThoMe> ecrist: tls-timeout this? 09:06 < ThoMe> ecrist: or this key-method ? 
09:08 < ThoMe> ecrist: or --reneg-sec ? :-) 09:08 < ThoMe> mamma mia, many options... 09:09 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 09:09 < ThoMe> ecrist: is reneg-sec a client option or server? 09:10 < theDoc> ecrist: Just leave it alone, ipv6 shouldn't be enabled. 09:10 < ecrist> theDoc: ? 09:10 < theDoc> ecrist: With regards to your ipv6 question in #Cisco 09:11 < ecrist> theDoc: got people getting through the vlans using ipv6 and windows file sharing 09:11 < ecrist> we want to disable that 09:11 < theDoc> ecrist: no ipv6 enable 09:11 < ecrist> unknown command 09:11 < ecrist> tried that 09:11 < theDoc> Odd. 09:12 < ThoMe> ecrist: emm, is this "reneg-sec 604800" the right option? (reneg-sec" ? 09:12 < theDoc> ecrist: What does no ipv6 give you? 09:12 < ecrist> Switch(config)#no ipv6 ^ 09:12 < ecrist> % Invalid input detected at '^' marker. 09:12 < ecrist> Switch(config)#no ipv6 ^ 09:12 < ThoMe> ecrist: :-( 09:12 < ecrist> IOS upgrade needed? 09:13 < theDoc> ecrist: Seems like your IOS doesn't support v6. 09:13 < theDoc> Which switch is it? 09:13 < ecrist> C2960 is all I know. 09:13 < theDoc> ecrist: Do you have access to that switch to do a show version to get the IOS version? 09:14 < ecrist> I posted that in #cisco 09:14 < theDoc> 12.2 is ancient man ;p 09:14 < theDoc> Time for IOS upgrade. 09:14 < ThoMe> ecrist: huhu? 09:15 < theDoc> ecrist: Oops sorry about it, I was thinking about the router IOS which is at 12.4. 09:21 -!- eliasp_ is now known as eliasp 09:37 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:37 < epaphus> Hello all. 09:38 < epaphus> Could I use the same config files for OpenVPN 1.0.9 as the ones I used for 2.0?
09:38 < ecrist> prolly mostly ok, but I'd check the docs 09:44 -!- zheng [n=zheng@114.92.138.88] has joined ##openvpn 09:45 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 09:50 -!- karlpinc [n=kop@69.17.73.250] has quit [Read error: 110 (Connection timed out)] 09:55 < tsunami> has anyone here had luck with openvpn as non-admin? I've been through docs and am getting a strange error in the log: could not read auth username from stdin. I dunno where/what stdin is... 10:05 -!- onats2 [n=15172@221.121.120.254] has joined ##openvpn 10:07 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Dougy, boney_, troy-, onats1, tarbo2, kaii 10:08 -!- Netsplit over, joins: Dougy 10:08 -!- Netsplit over, joins: boney_ 10:09 -!- Netsplit over, joins: kaii 10:11 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 10:11 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 10:11 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 10:11 -!- troy- [n=troy@worldnet.tauri.ca] has quit [SendQ exceeded] 10:11 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [SendQ exceeded] 10:13 < kaii> tsunami: stdin is the input from shell/bash .. openvpn wants to read a password from your keyboard but actually there was nothing to read. 10:13 < kaii> tsunami: configure openvpn to not use keyboard-interactive authentication when running as a daemon. 10:13 < tsunami> but i need to enter a password... 10:15 < kaii> either run openvpn interactively on a shell and enter it, or use another method. 10:15 < kaii> it's all in the FAQ on openvpn.net 10:15 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: onats1 10:15 -!- Netsplit over, joins: onats1 10:16 < kaii> if you want this connection to be "always connected", password auth is blocking it from reconnecting.
10:16 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 10:16 -!- onats1 [n=15172@221.121.120.254] has quit [Connection reset by peer] 10:16 < kaii> iirc you can provide the password in a file, see FAQ for that 10:17 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 10:17 < tsunami> my issue is running as non-admin... i can get everything working on admin but not non-admin. I have been through every doc 4 times 10:21 < ThoMe> --reneg-sec n < !howto 10:24 < vpnHelper> Kyle2: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:25 < Kyle2> hello there.. ive been through the OpenVPN howto.. and im just trying to get two machines to see each other with OpenVPN.. and i'm currently getting this: Tue Apr 14 15:40:06 2009 us=324142 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down 10:25 < Kyle2> Tue Apr 14 15:40:06 2009 us=324167 Route: Waiting for TUN/TAP interface to come up... 10:25 < Kyle2> but the VPN just doesnt seem to be live 10:26 < Kyle2> openvpn --remote gateway.bar.com --dev tun0 --ifconfig 10.99.99.1 10.99.99.2 --verb 9 10:26 < Kyle2> openvpn --remote foo.bar.com --dev tun0 --ifconfig 10.99.99.2 10.99.99.1 --verb 9 10:26 < Kyle2> those are the two sets of commands ive used for either end 10:30 -!- coChosh9 [i=coChosh9@gateway/tor/x-861bdb4dfd29b5ad] has quit [Remote closed the connection] 10:31 -!- coChosh9 [i=coChosh9@gateway/tor/x-87a24efbb8c9d12d] has joined ##openvpn 10:35 -!- plooo [n=lbz@fw1.aspsys.com] has joined ##openvpn 10:35 < plooo> can you force openvpn to listen a specific interface in the conf? 
10:37 -!- Kyle2 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has quit ["Quit"] 10:38 < Bushmills> plooo, option --local should do - i never tried that one though 10:40 -!- coChosh9 [i=coChosh9@gateway/tor/x-87a24efbb8c9d12d] has quit [Remote closed the connection] 10:41 -!- nemysis [n=nemysis@132-254.3-85.cust.bluewin.ch] has quit [Connection timed out] 10:42 -!- nemysis [n=nemysis@108-90.3-85.cust.bluewin.ch] has joined ##openvpn 10:42 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:51 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 10:51 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 10:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 10:56 < plooo> config file though? 10:56 -!- inigo_work [n=inigo@212.21.227.90] has quit [Client Quit] 10:58 -!- aluis__ [n=aluis@e176245079.adsl.alicedsl.de] has quit [Remote closed the connection] 10:59 -!- zheng [n=zheng@114.92.138.88] has quit ["Leaving"] 11:06 -!- coChosh9 [i=coChosh9@gateway/tor/x-7141d404162f1fe6] has joined ##openvpn 11:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:13 < Bushmills> usually the same without the leading dashes 11:42 -!- apollo13 [i=pd@unaffiliated/apollo13] has joined ##openvpn 11:42 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn 11:43 < apollo13> hi, I am trying to push a new dns server to the clients, but on the client I get (during connection initialization): Tue Apr 14 18:32:06 2009 ERROR: Linux route add command failed: external program exited with error status: 7 11:43 < apollo13> any ideas? 
11:44 < apollo13> I am trying something like this: http://paste.pocoo.org/show/112511/ 11:44 < apollo13> oddly enough it works via the NetworkManager (http://projects.gnome.org/NetworkManager/), so I have no idea what's wrong while using the console 11:44 < vpnHelper> Title: NetworkManager - Linux Networking made Easy (at projects.gnome.org) 11:45 < apollo13> !route 11:45 < vpnHelper> apollo13: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:45 < ecrist> apollo13: running as root? 11:45 < apollo13> ecrist: using sudo yes 11:46 < apollo13> clients don't need to communicate with other clients, I only need to reach the network behind the server 11:46 < apollo13> (which works) 11:46 < apollo13> and use dns there, cause of some virtualhosts 11:49 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 11:49 < apollo13> not using root can't get me connected after all, as my sys isn't set up to allow ordinary users to allocate tun/tap devices dynamically 11:52 < apollo13> that's the whole connection log: http://paste.pocoo.org/show/112513/ 11:54 < apollo13> the route itself gets pushed through, as such everything but dns works 12:02 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:03 < apollo13> ecrist: I increased verbosity on the client, could this have something to do with it? 12:03 < apollo13> Tue Apr 14 19:01:33 2009 us=947294 route_gateway_via_dhcp = DISABLED 12:03 < apollo13> Tue Apr 14 19:01:33 2009 us=947314 allow_pull_fqdn = DISABLED 12:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:06 < epaphus> Hello guys, I have a new config for a client to connect to the server.. the client spits a lot of writes after it connects but then it outputs this error..
Tue Apr 14 12:04:16 2009: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 12:06 < epaphus> Tue Apr 14 12:04:16 2009: TLS Error: TLS handshake failed 12:06 < epaphus> Tue Apr 14 12:04:16 2009: TCP/UDP: Closing socket 12:06 < epaphus> what could this be? 12:12 -!- plooo [n=lbz@fw1.aspsys.com] has quit ["Leaving"] 12:28 -!- apollo13 [i=pd@unaffiliated/apollo13] has left ##openvpn ["Leaving"] 12:35 < tsunami> is it possible to use environment variables within the config file? 12:36 < ecrist> tsunami: please read the docs 12:36 < tsunami> k 12:39 < epaphus> might as well send anybody to read the docs... 12:39 < epaphus> :P 12:39 < ecrist> we do 12:43 < tsunami> i can't find any references to environment variables 12:43 < tsunami> .. 12:43 < ecrist> tsunami: what do you want to do 12:43 < tsunami> use environment variables within the config file to standardize on one config throughout the company 12:43 < ecrist> epaphus: have you checked network connectivity? 12:44 < ecrist> tsunami: that doesn't really help 12:44 < epaphus> ecrist, yes 12:44 < ecrist> epaphus: you've got a firewall problem, more than likely. 12:44 < krzee> firewall problems!?!?! but nobody ever has those! 12:44 < krzee> hehehe 12:45 < tsunami> %userprofile%\ca.crt that would be awesome 12:45 < ecrist> tsunami: configs are really just command line arguments 12:46 < ecrist> it may work, give it a shot 12:46 < tsunami> i've tried.. just wondering if anyone has tried to bend that 12:51 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:53 < epaphus> well, i can say for sure it's not a firewall problem... I have applied a new firewall that was tested to work.. no go 12:53 < epaphus> could it be a SSL issue?
12:58 < dan__t> what the eff 12:59 < dan__t> Why does OpenVPN always put an underscore after the CN in all the debugging and stuff 12:59 < dan__t> In all env vars etc etc 12:59 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has joined ##openvpn 12:59 < Kyle5> !logs 12:59 < vpnHelper> Kyle5: "logs" is please pastebin your logfiles from both client and server with verb set to 6 13:02 < Kyle5> hello there.. im having an issue with openvpn gui on server 2003... ive got two server 2k3 boxes, and the vpn comes up fine, but ive given the 'vpn server' a 10.8.0.1/255.255.255.252 address on its TUN/TAP interface..... but it's allocating a 10.8.0.6/255.255.255.252 to the client.. and it won't route 13:02 < Kyle5> the two clients can't ping each other 13:02 < ecrist> client-to-client 13:03 < ecrist> add that to the server config, restart the daemon, you're done 13:03 < ecrist> !/30 13:03 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 13:03 < Kyle5> OK.. what does that do specifically? 13:04 < ecrist> it's all in the docs 13:05 < ecrist> you complain of two clients not being able to ping each other 13:05 < ecrist> add client-to-client to the config 13:06 < Kyle5> ecrist: i added client-to-client and it's still giving unroutable addresses at each end 13:07 < Kyle5> ie: one on 10.8.0.6/255.255.255.252 and the other on 10.8.0.1/255.255.255.252 13:08 < epaphus> aha!! the error message in the server is more detailed than that of the client..
this is the log 13:08 < epaphus> Apr 14 13:31:03 mailhost openvpn[17983]: 190.10.68.228:55924 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=IT/ST=Italy/O=Internet_Inc./CN=vpn1-3.irfoi.com/emailAddress=ufr@iseoi.com 13:08 < epaphus> Apr 14 13:31:03 mailhost openvpn[17983]: 190.10.68.228:55924 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned 13:08 < epaphus> Apr 14 13:31:03 mailhost openvpn[17983]: 190.10.68.228:55924 TLS Error: TLS object -> incoming plaintext read error 13:08 < epaphus> sorry for the flood :( 13:12 < epaphus> suggestions..? 13:14 < krzee> Kyle5, that's how it works 13:14 < Kyle5> right.. i think im sort of getting this 13:14 < krzee> see !/30 as ecrist pasted to understand why, see !topology to see how to change it 13:14 < Kyle5> yeah, ive just picked it up 13:15 < Kyle5> ive no problem with the idea.. just want it to work! :) 13:18 < Kyle5> ive picked up the /30 business... but i think im still somewhat lost with the IP routing 13:23 < Kyle5> OK.. my client can now ping home by adding a routing entry.. but the server cannot ping the client.. i assume im missing a routing entry? 13:23 < ecrist> Kyle5: your error above leads me to believe they're not connected to the vpn 13:24 < Kyle5> ecrist: the vpn is there for sure, the client can ping the server by adding a route using the /30, but the server cannot ping the client 13:27 < Kyle5> OK.. I think that's sorted 13:27 < Kyle5> client and server can ping each other now 13:28 < Kyle5> however, in the example i used, there were some push settings to setup default routing... and i suspect im missing some? 13:28 < Kyle5> push "route 172.16.0.0 255.255.255.0" 13:28 < Kyle5> i just have that one 13:28 < Kyle5> do i need others?
13:32 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn 13:32 < ecrist> depends on your network 13:33 < Kyle5> OK 13:33 < fixxxermet> !howto 13:33 < vpnHelper> fixxxermet: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:33 < fixxxermet> !route 13:33 < vpnHelper> fixxxermet: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:34 < dan__t> Ok... I'm still on track for doing closed beta on thursday 13:54 < fixxxermet> My client is getting "Linux route add command failed: shell command exited with error status: 7" when I start openvpn. http://pastebin.com/d750aa1c3 are my config files 13:58 < dan__t> Look at line 19 of client.conf 13:58 < dan__t> What's wrong with it? 13:58 < dan__t> And why are you pushing and pulling the same routes? 13:58 < dan__t> Either push, or pull. 13:58 < fixxxermet> ah. 13:58 < dan__t> Doing both can become mutually exclusive. 13:59 < fixxxermet> I don't know what is wrong with #19. 13:59 < fixxxermet> But removing #18 does allow me to connect 14:08 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 14:08 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 14:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:00 -!- Solver_ [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn 15:06 -!- Solver [n=robert@99.229.28.193] has quit [Read error: 110 (Connection timed out)] 15:13 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 15:21 < epaphus> now I regenerated all my certs.. keys , etc .. 
and i am getting this error.. anybody have suggestions? 15:21 < epaphus> Apr 14 15:19:30 arenas openvpn[6414]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=IT/ST=Italy/L=Milan/O=Internet_Inc./CN=Internet_Inc/emailAddress=unix3@ijeoi.com 15:21 < epaphus> Apr 14 15:19:30 arenas openvpn[6414]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 15:21 < epaphus> Apr 14 15:19:30 arenas openvpn[6414]: TLS Error: TLS object -> incoming plaintext read error 15:28 -!- Solver_ [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 15:33 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 15:36 < fixxxermet> I shouldn't need client-to-client if I have only 1 client, even if I want the server and client LANs to have full access to each other, right? 15:39 -!- Timpa88 [i=timpa2@c-441170d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 15:40 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn 15:41 < Timpa88> !interface 15:41 < vpnHelper> Timpa88: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 15:41 < Timpa88> aha, I see :P 15:41 < fixxxermet> So... Say my openvpn server is not also the firewall. Pinging a device on the client or server lan won't work because the device won't know where to send the reply back to, as it is on a different network. Which is why I would need to add a route on the gateway?
15:42 < krzie> fixxxermet, for that you just need !route 15:42 < krzie> correct and correct 15:42 < fixxxermet> !route 15:42 < krzie> i explain all of that under the image in !route 15:42 < vpnHelper> fixxxermet: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:42 < krzie> but seems you either read it or understand already 15:42 < Timpa88> the firewall is like shorewall, iptables etc. 15:43 < fixxxermet> Problem is that our gateway / firewall is a dlink box, and doesn't let us mess with routes 15:43 < krzie> i give the other option there too 15:43 < krzie> the easy way is to add the route to the default gateway 15:43 < Timpa88> open a port range fixxxermet? 15:43 < krzie> the alternative is to add a route on every device in the lan 15:43 < fixxxermet> port range? 15:43 < krzie> (every device that needs communication over the firewall) 15:44 < fixxxermet> right 15:44 < krzie> Timpa88, his problem has nothing to do with ports 15:44 < Timpa88> ok sorry 15:44 < krzie> at least not this problem, i haven't scrolled up 15:44 < krzie> he just needs a route back to the vpn network on machines in the lan 15:44 < Timpa88> route add in command 15:44 < Timpa88> :) 15:44 < fixxxermet> My client is .8.10 and I can ping that from the server, .0.47. Curiously, I can also ping my printer, .8.47, though I can not ping any other devices. .8.47 actually replies. Let me check this gateway... 15:44 < krzie> easy way is to add it to their default gateway, but when that can't be done he could still add it to the individual devices 15:45 < Timpa88> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 15:45 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 15:45 < Timpa88> good site. 15:45 < krzie> fixxxermet, you are routing not bridging... right?
15:45 < krzie> thanx =] i wrote that 15:45 < Timpa88> :D 15:45 < fixxxermet> Did you? 15:46 < krzie> sure did 15:46 < fixxxermet> Good one :) 15:46 < krzie> thanx 15:48 < Timpa88> damn, encrypted lvm is taking time to format :( 15:50 < krzie> OSx86 is being a serious pain in my ass too =[ 15:50 < krzie> HCL says my hardware should be fine, yet it seems to not be 15:50 < krzie> but i will get it working... oh yes i will 15:50 < Timpa88> hehe :D 15:50 < Timpa88> debian 5 x64 im using 15:50 < krzie> ahh werd 15:50 < krzie> my nix boxen are all fbsd 15:50 < Timpa88> ooh i see 15:51 < Timpa88> i don't understand the bsd yet :P 15:51 < krzie> although i do have a debian box in a virtual machine for playing with when i need to 15:51 < Timpa88> i'll get on that later in my life 15:51 < Timpa88> debian is pretty easy 15:51 < Timpa88> and that's what i want :) 15:51 < krzie> i must say i prefer gentoo to it 15:51 < krzie> but im still a BSD guy really 15:51 < krzie> i only start up linux when i really have to 15:51 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn 15:51 < Timpa88> ok :) 15:51 < Timpa88> hehehe 15:52 < Timpa88> you really like to configure all by yourself? :P 15:53 < krzie> in reference to gentoo or BSD? 15:55 < Timpa88> gentoo and bsd ... the same 15:55 < Timpa88> you still have to configure EVERYTHING :P 15:56 < krzie> very different, although tbh i like to use the minimal install when i setup BSD 15:56 < krzie> takes a little longer to setup that way, but at least it ONLY has what i want 15:56 < Timpa88> ok :D 15:56 < krzie> and if you do it right, a little longer in the beginning means a lot less work later 15:56 < Timpa88> maybe :) 15:56 < krzie> and i prefer to ONLY have what i need on each box 15:57 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 15:57 < Timpa88> Ok :) 15:58 * plaerzen dances the openvpn dance.
15:58 < krzie> lol 15:58 < krzie> sup plaerzen 16:00 < Timpa88> hehehehe 16:11 < Timpa88> krzie: why do this chan have double # ? :P 16:11 < krzie> double # on freenode means it is not directly associated with the real project 16:12 < Timpa88> oh! i see 16:12 < krzie> meaning the people that run this channel are not part of the openvpn project 16:12 < Timpa88> Ok :) 16:12 < Timpa88> thanks for that info! 16:12 < krzie> np 16:17 < fixxxermet> If .0.47 is my server and .8.0/24 is my client, is route add -net 192.168.8.0 netmask 255.255.255.0 gw 192.168.0.47 the right command for a PC on the server lan? 16:17 < plaerzen> krzee, today is a dramatic day l. . . . . lay-off day *wince* 16:18 < plaerzen> lots of AD accounts to be disabled =s 16:18 < krzie> doh! 16:19 < krzie> fixxxermet sounds good to me 16:21 < fixxxermet> Well I'm trying to ping .0.2 from .8.10 (the client) - running tcpdump -i tun0 on .0.47 (the server) shows "17:19:40.487649 IP 10.8.0.6 > 192.168.0.2: ICMP echo request, id 26995, seq 174, length 64" - why 10.8.0.6 instead of 192.168.8.10 16:23 < fixxxermet> hmm 16:24 < fixxxermet> route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.47 on .0.2 worked 16:24 < fixxxermet> Now pings are responding 16:24 < fixxxermet> But why can't it see the actual IP, instead of the 10.8.0.0 ip? 16:24 -!- bandini [n=bandini@host34-106-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn 16:25 < krzie> you mean why do packets flow over the vpn as 10.8.0.x? 16:25 < fixxxermet> yes sir 16:26 < krzie> because of how the kernel handles it 16:26 < krzie> its headed through that interface, so it uses the src ip of it 16:26 < krzie> much more often than not thats how youd want it in other situations 16:27 < fixxxermet> Not how I want it in this case 16:31 < krzie> *shrug* why not? 
16:31 < fixxxermet> Well it looks like I can still ping each LANs respective private IPs, so I guess it doesn't matter 16:32 < krzie> exactly 16:32 < fixxxermet> great 16:47 < krzie> sounds like you did all the reading... 16:48 < krzie> if you like you can post your configs without comments on pastebin and ill tell you if theres anything you can do for added security 16:48 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 16:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:13 -!- bandini [n=bandini@host34-106-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:19 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Client Quit] 17:22 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:22 < Dougy[Home]> KRZEE !! :D 17:22 -!- Timpa88 [i=timpa2@c-441170d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 17:30 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 17:30 < epaphus> Hey guys, I see there is an option for pass auth aside from SSL.... how exactly is the user prompted for a password? 17:36 < krzie> !factoids search auth 17:36 < vpnHelper> krzie: 'tls-auth' and 'authpass' 17:36 < krzie> !authpass 17:36 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 17:39 < dan__t> So... am I always going to have one tun0 device on the server regardless of how many clients I have connecting? 17:41 < krzie> correct, if you use --server 17:46 < dan__t> Opposed to what? 
17:46 < krzie> point to point 17:47 < epaphus> krzie, if I use the client and setup the second NIC so that other users can connect to the internet by placing the vpn client as their default gateway... that means that the auth options wont apply to them.. because the connection would already be made.. right? 17:49 < krzie> it wont apply to anyone until you restart the server 17:49 < krzie> then it will apply to them when they reconnect 17:50 < krzie> but the lan behind the client wont need to auth 17:50 < krzie> they just need the route, which happens after the client auths 17:50 < epaphus> right, the lan isnt really authing.. got it 17:50 < krzie> nah the lan is using a route, nothing to do with openvpn 17:50 < krzie> just happens to be a route that goes over openvpn 17:51 < epaphus> got it 17:51 < dan__t> Got it. 17:52 < dan__t> Cool, ccd scripts are almost done. 17:52 < dan__t> pulls routes from sql etc etc. 17:52 < krzie> --up can go in a ccd? 17:52 < dan__t> what 17:53 < dan__t> no, using client-connect to run a shell script that generates the ccd on the fly 17:53 < krzie> oh ok 17:53 < krzie> so not ccd, gotchya 17:53 < dan__t> Well, sorta. 17:53 < dan__t> client-connect script generates the ccd 17:53 < krzie> i knew that, but forgot 17:53 < krzie> umm no 17:54 < dan__t> Go on. 17:54 < krzie> it is prefered by openvpn over ccd 17:54 < dan__t> what is 17:54 < krzie> it doesnt need to generate anything 17:54 < krzie> !iporder 17:54 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 17:54 < dan__t> oh er wait client-connect can write to that temp file argument....... 17:55 < dan__t> right? 
17:55 < dan__t> I'm trying to send routes to the client. 17:55 < krzie> i believe you can do everything you want from the client-connect script, 17:55 < dan__t> That's all I want to use ccd shit for. 17:55 < dan__t> yeah 17:55 < krzie> without making it setup ccd/ entries 17:55 < dan__t> but I need to write output to the temp file that client-connect sends as argv[1] 17:56 < krzie> werd, i guess you have more experience with --client-connect that me, so i should listen to ya =] 17:56 < dan__t> Yeah: If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1. 17:56 < dan__t> awesome, I can skip ccd altogether 17:56 < krzie> right, thats what i thought 17:56 < dan__t> i need to go take a shower, back in a few. 17:56 < krzie> cool 17:56 < dan__t> yeah from in there I can push "route 1.2.3.4 255.255.255.255" etc etc 17:59 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 18:00 < Dougy[Home]> krzie 18:00 < Dougy[Home]> krzie 18:00 < Dougy[Home]> krzie 18:00 < krzie> dougy 18:00 < krzie> dougy 18:00 < krzie> dougy 18:00 < Dougy[Home]> I got my xeon server 18:00 < Dougy[Home]> =[ 18:00 < Dougy[Home]> =]* 18:00 < Dougy[Home]> http://www.upload3r.com/serve/140409/1239746625.jpg 18:02 < krzie> sweet 18:02 < krzie> tell it i said hi 18:02 < Dougy[Home]> haha 18:02 < Dougy[Home]> its fans got a bit louder 18:03 < krzie> but who cares how loud server fans are 18:03 < krzie> they go in datacenteres full of them 18:04 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has quit ["Quit"] 18:04 < Dougy[Home]> lol 18:04 < Dougy[Home]> nono 18:04 < Dougy[Home]> when i told it you said hi 18:04 < Dougy[Home]> its fans got louder 18:06 < krzie> ohhh, lol 18:06 < Dougy[Home]> haha 18:14 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 18:15 < Timpa88> krzie: u there ? 
18:15 < krzie> i am 18:16 < Dougy[Home]> when ain't he 18:16 < Dougy[Home]> the fool lives here 18:16 < krzie> lol, i'd argue if i had a legit argument to make 18:16 < Dougy[Home]> ahahaa 18:16 < Dougy[Home]> hmm 18:16 < Dougy[Home]> krzie: i got another server today 18:16 < Dougy[Home]> for $26 18:16 < Dougy[Home]> 2 hotswap again 18:17 < Timpa88> krzie: have you used "mydns" sometime? 18:17 < krzie> negative 18:17 < Timpa88> Ok 18:17 < Timpa88> anyone in here that has used mydns? 18:17 < krzie> i use bind 18:17 < Timpa88> i prefer that 18:17 < Timpa88> but 18:17 < Timpa88> im using ISPConfig now, and it should use MyDNS 18:17 < Timpa88> but i f*cking can't use my local ip as dns server like 192.168.0.1 18:17 < Timpa88> "unknown hosts" 18:18 < krzie> *shrug* 18:18 < krzie> i don't use web gui's 18:18 < Timpa88> :D 18:24 < Dougy[Home]> krzie: u r baller 18:29 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 18:42 < krzie> hey ecrist, you here? 18:43 < Dougy[Home]> ecrist ecrist ecrist ecrist ecrist ecrist ecrist ecrist 18:43 * Dougy[Home] is stress testing the hell out of his Xeons 18:50 < Dougy[Home]> ugh 18:50 < Dougy[Home]> huckleberry finn 18:52 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 19:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:39 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 19:55 -!- troy- is now known as troy 20:02 < troy> krzie, you around?
20:06 < krzee> sure 20:06 < krzee> kinda 20:06 < krzee> bout to start a game of dominoes 20:09 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 104 (Connection reset by peer)] 20:10 < Timpa88> FINALLY 20:10 < Timpa88> my server is up n running 20:10 < Timpa88> :D 20:11 < Timpa88> Just have to configure the mailserver, but i think i will do that tomorrow maybe... 20:11 < Timpa88> :) 20:18 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:20 -!- theDoc [n=andelyx@119.73.165.162] has quit [Client Quit] 20:20 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:43 -!- k0pp [n=k0pp@c-75-71-208-249.hsd1.co.comcast.net] has joined ##openvpn 20:52 -!- scwang [n=scwang@123.118.126.119] has joined ##openvpn 21:00 -!- scwang [n=scwang@123.118.126.119] has left ##openvpn ["Leaving"] 21:05 -!- k0pp [n=k0pp@c-75-71-208-249.hsd1.co.comcast.net] has quit [Remote closed the connection] 21:08 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 21:20 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 21:49 < Kobaz> theDoc: using the wrong authentication method? 21:50 < Kobaz> er 22:00 < theDoc> huh? 22:03 < Kobaz> wrong channel 23:46 < reiffert> haha, Kobaz demonstrates his ability to read. 23:47 < reiffert> once again. 
23:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Wed Apr 15 2009
00:06 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:34 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
01:12 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn
01:13 < tjz> !redirect
01:13 < vpnHelper> tjz: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and
01:13 < vpnHelper> tjz: !ipforward)
01:33 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has joined ##openvpn
01:33 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has left ##openvpn []
01:33 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has joined ##openvpn
02:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:27 < krzee> Germany++
04:27 < krzee> http://salem-news.com/articles/january112008/cancer_treatment_11008.php
04:27 < vpnHelper> Title: Breakthrough Discovered in Medical Marijuana Cancer Treatment - Salem-News.Com (at salem-news.com)
04:47 < c64zottel> hello, when creating a CA via openssl, is it possible to enter the PEM pass phrase over cli?
05:02 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
05:04 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
05:09 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
05:25 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:06 < sirus> Hrmm I guess im going to need a proxy server for my IM
06:06 < sirus> openvpn doesn't seem to work for that
06:06 < sirus> :(
06:10 < Bushmills> sirus, openvpn gives you a transport, not a caching mechanism
06:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:11 < Bushmills> but using IM over openvpn without proxy is entirely possible
06:12 < Bushmills> i suppose your problem is either:
06:12 < Bushmills> !route
06:12 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:12 < Bushmills> or restrictive remote
06:14 < krzee> hey bush
06:15 < krzee> you happen to have windows there?
06:25 < Bushmills> yes. one in the kitchen, two in the living room
06:25 < Bushmills> i can see that it is a sunny day
06:25 < reiffert> :)
06:34 < krzee> haha
06:34 < krzee> nevermind
06:34 < krzee> found a friend on aim running windows
06:34 < Bushmills> http://forthfreak.net/snap/windows.png
06:35 < Bushmills> reiffert, interesting for you might be the contents of the jar, bottom left
06:35 < Bushmills> just made a new lemon wine starter
06:37 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has joined ##openvpn
06:38 < Bushmills> krzee, you can talk to windows AIM clients from non-windows machines, no need to run windows yourself.
06:41 < [4-tea-2]> Howdy. I'm routing a /28 over OpenVPN to my home. That includes an IP address for my laptop. I would like to establish a second OpenVPN only for the laptop's IP when I'm on the road.
06:41 < krzee> Bushmills, i needed someone running windows, i found him on aim
06:42 < [4-tea-2]> I'm having a hard time figuring out how to fix the routing when the second OpenVPN is running. I think I need routing protocol daemons everywhere, right?
06:43 < Bushmills> [4-tea-2], maybe use a different user to login, with a different openvpn key when on the road, so a different ip address is assigned to laptop when on the road
06:43 < sirus> Bushmills: well im at work I can seem to connect everywhere else except aol I use openvpn and I have where the openvpn is the default gateway do I need to push a manual route?
06:43 < krzee> for the laptop just set it up with a VPN ip and NAT it
06:45 < sirus> Bushmills: the PF firewall is allowing all traffic coming from the vpn to the outside world on protocols tcp, udp, icmp
06:46 -!- coChosh9 [i=coChosh9@gateway/tor/x-7141d404162f1fe6] has quit [Remote closed the connection]
06:46 < Bushmills> sirus, no idea what the problem is, but be assured that openvpn doesn't filter aim connection
06:46 * Bushmills would point at AOL
06:47 < sirus> hrmm
06:47 < sirus> anywhere else I can connect
06:47 < sirus> just not at work
06:47 < sirus> so I will need a proxy perhaps?
06:47 < Bushmills> sirus, try jabber
06:47 < [4-tea-2]> krzee: NAT seems to be the cheapest solution... I need to use two NAT rules, one for my /28, one for the rest of the world, would you agree?
06:48 < sirus> Bushmills: well I could use meebo but my pidgin client connects to msn,yahoo,icq etc wanna see if I can get aol in to
06:48 < Bushmills> sirus, but - well - AIM and ICQ are in terms of protocol identical, and i know that ICQ works over openvpn, no extra steps needed
06:48 < [4-tea-2]> krzee: since for my /28, the NATted connections should be coming from the server's OpenVPN-tunnel-IP, while for the rest of the world they need to be coming from the server's real IP?
06:49 < sirus> e world on protocols tcp, udp, icmp
06:49 < sirus> 07:46 -!- coChosh9 [i=coChosh9@gateway/tor/x-7141d404162f1fe6] has quit [Remote closed the connection]
06:49 < krzee> [4-tea-2], you already have the first tunnel setup, right?
06:49 < sirus> 07:46 < Bushmills> sirus, no idea what the problem is, but be assured that openvpn doesn't filter aim connection
06:49 < sirus> 07:46 * Bushmills would point at AOL
06:49 < sirus> 07:46 < sirus> hrmm
06:49 < sirus> 07:47 < sirus> anywhere else I can connect
06:49 < sirus> 07:47 < sirus> just not at work
06:49 < krzee> sirus, wtf
06:49 < sirus> err
06:49 < sirus> mouse error
06:49 < krzee> hehe werd
06:49 < sirus> Lost connection with server:
06:49 < sirus> Connection interrupted by other software on your computer.
06:49 < sirus> lol
06:49 < [4-tea-2]> krzee: yes, OpenVPN on $server is routing my /28 and I've been using that for a while.
06:50 < sirus> I have no other software :(
06:50 < krzee> [4-tea-2], is the ip you want laptop to come from on an interface on $server?
06:51 < [4-tea-2]> krzee: I think we have to talk about two ips there, because the laptop needs to talk to a) my /28 net and b) the rest of the world.
06:51 < krzee> ahh
06:52 < krzee> well how bout this...
06:52 < [4-tea-2]> krzee: the ip for a) would be the rfc1918 address I'm using within the first OpenVPN tunnel
06:52 < krzee> why does it even need to connect to a different VPN?
06:52 < [4-tea-2]> krzee: the ip for b) would be the server's "real" ip.
06:52 < krzee> or are the ip
06:52 < [4-tea-2]> krzee: is there another way?
06:52 < krzee> or are the ip's being handed out as is, no nat
06:52 < krzee> ?
06:52 < krzee> sure theres another way, you hand out VPN ips and nat each one to the ip you want them on
06:53 < [4-tea-2]> My /28 uses non-1918 routed IP addresses, I hope that answers that question?
06:53 < krzee> then you can have unlimited users on whichever IPs you say
06:53 < krzee> yes, that answers it
06:53 < krzee> back to this:
06:53 < krzee> [07:51] <[4-tea-2]> krzee: I think we have to talk about two ips there, because the laptop needs to talk to a) my /28 net and b) the rest of the world.
06:53 < krzee> so you push a route to the /28 to the client
06:53 < krzee> and you push a route to them for the second vpn 1918 ips
06:54 < Bushmills> [4-tea-2], maybe DNATting the laptop ip address from server to a laptop rfc1918 address, rather than bridging it, is an option.
06:54 < ecrist> good morning, peeps
06:54 < ecrist> Dougy: what's up?
06:54 < krzee> Bushmills, he was never thinking of bridging i dont think
06:54 < krzee> ecrist, he was just doing that cause i asked if you were around
06:54 < ecrist> ah
06:54 < krzee> i found a home for that pc taking up basement space
06:55 < ecrist> ah
06:55 < ecrist> the tower?
06:55 < krzee> yup
06:55 < Bushmills> oh. my mistake, i thought i had picked up "bridge" somewhere
06:55 < krzee> and sorry i been slacking on having you boot the other box, i been working a ton and my spare time has been spent on my osx86 box lately
06:55 < krzee> but im confident ill have that sucker done one of these days!
06:56 < ecrist> oh, doesn't really bother me either way, it's just sitting down there
06:56 < krzee> (hopefully today since my 1.5 seagates get back here today
06:56 < Bushmills> see what lack of coffee can do to a man
06:57 < [4-tea-2]> krzee, Bushmills: thanks for your advice, I think I'm beginning to wrap my head around it, I'll try the nat setup and get back to you.
06:57 < krzee> yw =]
06:58 < Bushmills> gl
06:58 -!- Wachert [n=wachert@p3EE2D5A5.dip.t-dialin.net] has joined ##openvpn
07:01 < ecrist> krzee: my first shot, first target on the range yesterday (first of the day, not ever) http://www.secure-computing.net/files/04142009_bullseye.jpeg
07:03 < krzee> thats badass
07:03 < krzee> except that it says you were shooting a 22
07:03 < krzee> who you gunna stop with that? lil old women?
07:03 < krzee> ;)
07:03 < ecrist> model, not calibre
07:03 < krzee> ohhh
07:04 < ecrist> glock 22 is a .40
07:04 < krzee> doh, my bad
07:04 < krzee> that'll stop some shit
07:04 < ecrist> :D
07:07 < ecrist> http://www.secure-computing.net/files/04142009_40rnds.jpeg is 40 rounds, same day
07:08 -!- nemysis [n=nemysis@108-90.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:10 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has joined ##openvpn
07:10 < krzee> what distance?
07:10 < ecrist> 7 yards
07:10 < krzee> werd
07:11 < ecrist> would be bad-ass if I could do that at 15 yards
07:14 < [4-tea-2]> Do I understand correctly that OpenVPN is able to push/remove a route for vpn_2 to an already established vpn_1?
07:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:14 < ecrist> yes
07:14 < ecrist> you use iroute statements to define routes reachable on other clients
07:14 < ecrist> see here:
07:14 < ecrist> !route
07:15 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:15 < [4-tea-2]> Yeah, that's where I got that idea from. :D
07:15 < [4-tea-2]> I'm thinking about setting up a host route on every machine in my /28 for my laptop, pointing to my local router (= OpenVPN client).
07:17 < [4-tea-2]> If my laptop is at home, it will talk to all other machines locally using the router, if I'm on the road and the second vpn is established, the router would then, thanks to OpenVPN's extra route, forward all traffic through the OpenVPN connections.
07:17 < [4-tea-2]> I think I like that better than the NAT solution we talked about a couple of minutes ago.
07:19 < [4-tea-2]> But that would only work if my local router (endpoint of vpn_1) would actually get to know when vpn_2 is established or disconnected. I'm not sure I see where/how that's happening.
07:26 < [4-tea-2]> Nah, I guess I misunderstood, iroute seems to be... static.
07:27 < krzee> [08:14] you use iroute statements to define routes reachable on other clients
07:27 < krzee> thats actually not true eric
07:27 < ecrist> o.O
07:27 < krzee> it CAN be true, but by itself isnt
07:28 < ecrist> well, it's 1/2 true
07:28 < ecrist> you still need the route statement in the server config
07:28 < krzee> you use iroute to notify openvpn to handle routing when the kernel points to openvpn but openvpn itself doesnt know which client to send the traffic to
07:28 < krzee> without client-to-client it has nothing to do with other clients accessing said lan
07:29 < krzee> ya the route command tells kernel about the route, then iroute tells openvpn which client to associate it with
07:31 < krzee> oh dude, i read that as 'reachable by other clients' i think you meant the same thing as me
07:31 < krzee> i think you did mean lans behind the clients
07:31 < ecrist> that's what i meant...
07:31 < krzee> bleh i shouldnt try to correct people at 8:30 am
07:31 < ecrist> lol
07:32 < ecrist> s/people/eric/ && s/at 8:30 am/ever/
07:32 < ecrist> :P
07:32 < krzee> lol
07:32 < krzee> and thats the late version of 8:30am not the early one
07:33 < ecrist> eew
07:34 < [4-tea-2]> Looks like I'm picking up my first idea, using a routing daemon. If nothing else, I might learn something.
07:34 < krzee> *shrug* the NAT sounds 1000x easier
07:35 < krzee> but gl to ya
07:37 < [4-tea-2]> krzee: NAT would result in more work down the road, and existing services in my local net wouldn't work unless they were all told about the new IP.
07:37 < krzee> by 'local net' you mean the /28?
07:38 < krzee> or a lan you currently push a route to that you didnt mention
07:38 < [4-tea-2]> krzee: also, I would open local services in the local net, yes, the /28, to other users on the OpenVPN server.
07:38 < krzee> to give them the route, you just add a push route to the server
07:39 < krzee> push "route vpn_network netmask"
07:39 < krzee> i have no idea what that last line meant
07:39 < [4-tea-2]> Sorry, misunderstanding, I think. If I use NAT, not only the laptop, but also the OpenVPN server itself would be able to talk to my local services. I don't want that.
07:40 < krzee> local services as in services on what machines?
07:40 < [4-tea-2]> Let's say my local NFS.
07:40 < krzee> local NFS is what/where
07:40 < krzee> a vpn client? a machine on a lan behind a vpn client?
07:40 < [4-tea-2]> The server is at home in my /28.
07:41 < krzee> and it gets its IP from connecting to the vpn server?
07:41 < [4-tea-2]> The /28 is routed to the vpn server and forwarded to my home via the OpenVPN connection.
07:42 < krzee> why would that open anything up that is not currently opened up?
07:42 < krzee> you just nat traffic thats NOT headed for certain IPs
07:42 < krzee> and pass the traffic that is
07:43 < krzee> but werd
07:43 < krzee> do what feels best for you
07:43 < [4-tea-2]> If I use NAT, all incoming connections from the notebook get the natted ip, which is the ip of the vpn server - wrong?
07:43 < krzee> doesnt have to be all
07:43 < krzee> depends on your rules
07:43 < krzee> (your rules in the firewall that does the NAT)
07:44 < krzee> it'll do whatever you tell it to ;]
07:45 < [4-tea-2]> Well, let's say ip addresses are limited resources and I can't have any more non-rfc1918 addresses than I already got: one for the vpn server, and the /28 for the lan behind the vpn server.
07:46 < [4-tea-2]> If I don't reuse the existing address for the laptop from the /28, and I can't get a new address, the natted connections need to use an existing address, which is the one of the vpn server?
07:46 < [4-tea-2]> My brain hurts.
07:46 < krzee> mine too and i havnt slept
07:46 < [4-tea-2]> Are you the brain doctor?
07:47 < krzee> im gunna try to get this usb stick bootable, get osx86 installing and crash out
07:47 < krzee> sorry to run on you
07:47 < krzee> but ill prolly end up confusing both of us more than help right now
07:47 < [4-tea-2]> I'm gonna revive my ancient knowledge of RIP and see if I end up doing NAT after all. :D
07:52 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:59 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
08:03 -!- Drarok_ [n=drarok@imma.chargin.mah.laser.drarok.com] has joined ##openvpn
08:03 < Drarok_> Afternoon!
08:03 < ecrist> Morning!
08:04 -!- troy is now known as troy-
08:04 < Drarok_> Quick question: Do I have to use OpenVPN at the client end? Ie: I can't use Windows built-in VPN like pptp?
08:04 < Bushmills> you can't
08:04 < Bushmills> i.e. you have to
08:05 < ecrist> Drarok_: OpenVPN is its own protocol. it's different than pptp and cisco SSL vpn
08:05 < Drarok_> Ah, thought so. Fair enough.
08:05 < ecrist> it's still an ssl vpn, but different.
08:06 < theDoc> Is there a comparison chart somewhere on the different vpn implementations?
08:06 < ecrist> not one I'm aware of
08:06 < Drarok_> Planning to use it at work, as our so-called router says it supports VPN, but in actual fact doesn't. If we have to install it on the clients, no big deal, but I couldn't find definitive info. Thanks. :)
08:06 < theDoc> Drarok_: Depends on which router.
08:07 < ecrist> a lot of routers are coming out with built-in vpn support, including comcast's business gateways
08:07 < theDoc> I don't think there's an industry standard wide implementation for vpns like they do for routing protocols.
08:07 < ecrist> they tend to support pptp vpns
08:07 < ecrist> s/routers/consumer routers/
08:08 < theDoc> ecrist: There isn't a way to mix and match the different vpn implementations yet is there?
08:08 < ecrist> no
08:08 < ecrist> don't think there ever will be
08:09 < ecrist> there are client packages that support multiple vpn types, but that's it
08:10 < theDoc> ecrist: That's a bummer. Hopefully the newer OS's will integrate the different protocols used for pptp, openvpn, cisco
08:12 < ecrist> ah, cisco is proprietary, and only give certain people access to their client software (cco login required)
08:12 < ecrist> openvpn would be a good one to support, however
08:12 < theDoc> ecrist: Yes, that'll be a bummer though, since if I have clients who move between openvpn implementations and Cisco vpn
08:13 < ecrist> the problem isn't so much the actual encryption of the traffic, they all use standard encryption methods
08:13 < ecrist> it's the featuresets that come along with them
08:13 < theDoc> ecrist: I'm not sure why I can't setup an openvpn tunnel from the Windows stuff.
08:13 < theDoc> Is that a protocol difference?
08:13 < theDoc> That doesn't seem like a feature set issue.
08:13 < ecrist> windows stuff is PPTP
08:14 < ecrist> you need the openvpn client
08:14 < theDoc> Ah, ok.
08:14 < ecrist> which is SSL
08:14 < krzee> !notcompat
08:14 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
08:14 < theDoc> Oh, figures.
08:24 -!- Wachert [n=wachert@p3EE2D5A5.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"]
08:29 < Drarok_> Hmmm
08:29 < Drarok_> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=22]
08:30 < theDoc> Drarok_: Upgrade to 2.1rc15 for your client.
08:31 < Drarok_> Win Fista incompatibility?
08:33 < theDoc> Yes.
08:37 < Drarok_> Seems I have to start it from an elevated command prompt, but pinging works :)
08:40 < theDoc> Drarok_: Yes, that's right.
08:41 < theDoc> Because to insert a route into the routing table, they need admin access.
08:47 < Drarok_> Aye, seems to work in the GUI (now I put the configs in the right place...)
08:47 < Drarok_> That damn "Compatibility Files" thing sucks
08:48 < Drarok_> Thanks guys, see you later :)
08:48 -!- Drarok_ [n=drarok@imma.chargin.mah.laser.drarok.com] has left ##openvpn []
08:54 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
09:08 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
09:15 -!- Kevin`_ [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn
09:17 -!- Kevin` [n=kevin@etmalec.net] has quit ["hai"]
09:17 -!- Kevin`_ is now known as Kevin`
09:25 -!- KaiForce_ [n=chatzill@170.225.31.132] has joined ##openvpn
09:26 -!- KaiForce_ [n=chatzill@170.225.31.132] has quit [Remote closed the connection]
09:27 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)]
09:33 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn
09:34 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 104 (Connection reset by peer)]
09:37 -!- unix3_ is now known as epaphus
10:02 -!- troy- is now known as troy
10:15 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
10:15 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
10:23 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
10:35 < epaphus> !iroute
10:35 < vpnHelper> epaphus: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:36 < epaphus> !search route
10:36 < vpnHelper> epaphus: There were no matching configuration variables.
10:36 < plaerzen> !ecrist
10:36 < vpnHelper> plaerzen: Error: "ecrist" is not a valid command.
10:36 < ecrist> ?
10:36 < epaphus> !search ccd
10:36 < vpnHelper> epaphus: There were no matching configuration variables.
10:36 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
10:36 < epaphus> how do I pull the info of ccd.. ? :)
10:36 < epaphus> routes within ccds
10:37 < ecrist> !ccd
10:37 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
10:39 < epaphus> !route
10:39 < vpnHelper> epaphus: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:39 -!- theDoc_ [n=andelyx@208.99.194.194] has joined ##openvpn
10:44 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
10:46 < plaerzen> I just like it when people say my name
10:50 -!- RUS [n=Mirc@mcc-dyn-19-152.kosnet.ru] has joined ##openvpn
10:53 < epaphus> I have read the wiki... but I am honestly confused and need a little "push" ... my configuration is simpler. I have a client who has a lan behind it (192.168.2.0) it needs to be able to access the VPN. Thats the only LAN in the picture.
10:54 < epaphus> It is my understanding I add.. push "route 192.168.2.0 255.255.255.0" .. and also I would still need an iroute in the ccd of the clients common name?
10:54 < epaphus> iroute 192.168.2.0 255.255.255.0
10:54 < epaphus> Can somebody please confirm this.. I honestly am not understanding this..
10:55 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
10:57 < epaphus> btw.. my client is configured with TWO nics.. one for the internet (ext_if) and the other for the LAN (int_if). There is a NAT so that the int_if can access the internet via the ext_if already
10:59 -!- theDoc_ [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
11:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:03 < [4-tea-2]> Can I tell OpenVPN to only set up a route AFTER the vpn connection has been established?
11:04 -!- RUS2590 [n=Mirc@mail2.ecomsupplier.com] has joined ##openvpn
11:04 < RUS2590> hi anybody
11:11 < dan__t> Hi.
11:12 < dan__t> What makes you think that a route would work BEFORE the connection was established, [4-tea-2]?
11:12 -!- RUS [n=Mirc@mcc-dyn-19-152.kosnet.ru] has quit [Read error: 110 (Connection timed out)]
11:12 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
11:13 < funky> hello people
11:13 < funky> is it relatively trivial to add AD (or ldap) authentication to openvpn ?
11:13 < funky> do I need a specific version to achieve it?
11:14 < dan__t> I think you need a plugin for that.
11:14 < dan__t> http://code.google.com/p/openvpn-auth-ldap/
11:14 < vpnHelper> Title: openvpn-auth-ldap - Google Code (at code.google.com)
11:15 < funky> thank you, I'm gonna read a bit
11:15 < epaphus> anybody can help me..? on the previous question
11:16 < dan__t> I cannot.
11:16 < dan__t> I've never done that before.
11:19 < funky> dan__t: do you know if this plugin works with AD ?
11:19 < dan__t> I do not know, I've never used it.
11:19 < dan__t> I'd say give it a shot.
11:19 < funky> ok
11:19 < dan__t> I'm not too familiar with AD, either.
11:19 < dan__t> And how "LDAP compatible" it is in that regard
11:19 < funky> yup, me neither
11:20 < dan__t> I thought you could just speak LDAP with AD but I may just be completely retarded.
11:23 < funky> you should, but I just wanted to make it sure
11:25 < [4-tea-2]> dan__t: I don't think it works, but it's there even when there's no vpn connection established, and that's bad (in my special case).
11:25 < funky> Tested against OpenLDAP, the plugin will authenticate against any LDAP server that supports LDAP simple binds -- including Active Directory.
11:25 < funky> FYI
11:26 < dan__t> There's your answer.
11:29 < funky> yup
11:29 < funky> thanks for the info
11:29 < [4-tea-2]> I can't find anything in the manual indicating that it's possible to raise a route only when the connection is active. Yet another plan spoiled. :D
11:32 < [4-tea-2]> All I want is the same fixed address on my laptop, no matter how it's connected, seems so simple, yet I can't wrap my head around it.
11:38 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
11:38 -!- RUS2590 [n=Mirc@mail2.ecomsupplier.com] has quit [Read error: 110 (Connection timed out)]
11:58 -!- epaphus [n=unix3@213.159.9.15] has joined ##openvpn
12:13 < Bushmills> [4-tea-2], i use DNAT on server, to address translate incoming packets through VPN to portable client
12:13 < dan__t> So client-connect will pass a temp file in the form of $1, ok, I got it.
12:13 < Bushmills> though i think somebody here should have a better solution. though it works for me.
12:13 < dan__t> What path is that relative to?
12:15 < [4-tea-2]> Bushmills: I have three different cases... connected to local FE (no VPN), connected to local Wlan (VPN to local server), and connected elsewhere (VPN to remote server). And my brain hurts.
12:15 < dan__t> --tmp-dir
12:15 < dan__t> got it
12:16 < Bushmills> [4-tea-2], if routing runs danger to get messy, you can still ip alias the NIC to multiple ip addresses, and route them differently
12:18 < [4-tea-2]> Bushmills: then my laptop would use up three addresses of my /28? That's expensive, but, yes, I could do that. I'm kinda disappointed that I'm too stupid to do it with only one address, though.
12:18 < Bushmills> [4-tea-2], i don't see the need for three addresses from your /28, because i think that in at least two instances you can use RFC1918 addresses 12:19 < Bushmills> but as you know our setup requirements better than I do, I can't really judge on that. I merely think, one public ip address ought to be enough 12:19 < Bushmills> s/our/your/ 12:21 < Bushmills> such as, why should your portable use one of your /28 addresses (from the remote server) to appear as on your LAN 12:22 < [4-tea-2]> Because then I could use my local services as if it were on my LAN. That's exactly the point. ;) 12:22 < Bushmills> is useless for routing too the portable anyway, because packets sent to that address will go to the server anyway, and not to gateway at LAN 12:23 -!- kraut [i=kraut@blackhole.netzdeponie.de] has left ##openvpn [] 12:23 < Bushmills> no matter how you are connected to the net, packets sent to one public ip address are always routed to one and the same NIC anyway 12:24 < Bushmills> and there you can, if you choose to, decide to send them somewhere else to. such as, to your portable. 12:24 < [4-tea-2]> I kinda lost you somewhere. 12:25 < Bushmills> therefore i am a bit confused why you would want to use ip addresses from your /28 for all possibilities to connect to the net 12:25 < [4-tea-2]> Bushmills: because I'd like my laptop to appear to be on the local lan at all times. 12:26 < Bushmills> [4-tea-2], assume you are owner of ip block a.b.c.0/24. 12:26 < Bushmills> now i ping a.b.c.x 12:26 < Bushmills> where does the ping go to? 12:26 < [4-tea-2]> To my remote VPN server. 12:26 < [4-tea-2]> via VPN to a.b.c.x 12:26 < Bushmills> right. now you connect your notebook to the net through a different gateway. and i ping again. 12:27 < Bushmills> where will the ping go to now? 12:27 < [4-tea-2]> In a perfect world: remote VPN server -> local gateway/VPN server -> notebook 12:27 < Bushmills> it will arrive at the same remote vpn server 12:28 < [4-tea-2]> Yeah. 
And that one should know where to send it... dynamically. But it seems I can only tell it statically. 12:28 < Bushmills> that's why i am confused about you thinking of using your a.b.c.0/24 addresses to connect to different networks 12:28 < [4-tea-2]> ...or I use a routing daemon and I can't figure out how OpenVPN und ripd would interact. 12:28 < Bushmills> packets will still go to the same vpn server first 12:28 < [4-tea-2]> Bushmills: that's what I want to use OpenVPN for, that's what it's main use is, isn't? 12:29 < Bushmills> and to route them from there to your notebook, you don't need a routing daemon 12:29 -!- epaphus [n=unix3@213.159.9.15] has quit [Connection timed out] 12:29 < Bushmills> yes. what i do for that purpose is, i configured a DNAT rule on the remote server 12:30 < Bushmills> (i think i mentioned that twice already) 12:30 < Bushmills> remote server runs linux 12:30 < [4-tea-2]> Yeah, but I fail to understand how that would help me, though I start to suspect that's entirely my fault. 12:30 < Bushmills> DNAT is specific to iptables which is specific to Linux 12:31 < [4-tea-2]> iptables is my friend. 12:31 < Bushmills> then consider to look at DNAT if there aren't any better suggestions from this channel 12:31 < [4-tea-2]> Bushmills: if I understand you correctly, how would desktop.mynet reach laptop.mynet? 12:32 < Bushmills> i think you could use a bridging config on the server, but that's not my own experience 12:32 < [4-tea-2]> Bushmills: desktop.mynet believes that laptop.mynet is a machine on the local network unless a host route tells it otherwise. 12:33 < [4-tea-2]> Bushmills: that host route would have to be set up ONLY when laptop.mynet has a VPN connection to the VPN server. And that seems to be my problem. 12:33 < Bushmills> remote server is where packets to your /28 go to. 
that server masquerades incoming packets to one of those addresses and sends it to the RFC1918 address your notebook uses, of your vpn address space 12:34 < [4-tea-2]> Bushmills: remote server is where packets from the outside go. I'm asking about packets from the inside now. 12:34 < Bushmills> [4-tea-2], why? if notebook is offline, it doesn't really matter whether it is routed or not. packets won't arrive at notebook anyway 12:35 < Bushmills> packets from inside to world? what does your /28 have to do with that? 12:35 < [4-tea-2]> Bushmills: the notebook isn't offline. It might be connected to the local wlan ap or to wlan ap anywhere in the world, and it should still (thanks to OpenVPN) get its traffic routed. I can make this work statically, no problem. But I can't make this in a way that it adapts automagically to where the laptop currently is. 12:36 < Bushmills> i think i lost you 12:36 < Bushmills> an address of your /28 on your notebook is relevant for incoming packets, but not for outgoing packets 12:39 < Bushmills> probably all you need is using the remote vpn server as gateway, and set up nat there. 12:40 < [4-tea-2]> Bushmills: actually, I got that already running. ;) 12:40 < Bushmills> one single ip address on remote server is enough for that 12:40 < Bushmills> so what's the problem then? 12:40 -!- benedictus [n=chatzill@150.159-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 12:42 < [4-tea-2]> Bushmills: ping notebook.mynet only works from ping desktop.mynet when the notebook is connected locally by wire. 12:42 < [4-tea-2]> As I said before: 12:42 < [4-tea-2]> All I want is the same fixed address on my laptop, no matter how it's connected, seems so simple, yet I can't wrap my head around it. 12:43 < Bushmills> your notebook has one same fixed address: 127.0.0.1 :D 12:43 < [4-tea-2]> If only for scientific curiosity, I don't want give up yet on finding out whether it's possible. 
I realize there are plenty of other ways that would achieve something similar. 12:45 -!- benedictus [n=chatzill@150.159-244-81.adsl-dyn.isp.belgacom.be] has quit [Client Quit] 12:45 < [4-tea-2]> Someone just told me to use "tinc", that supports something called "Automatic full mesh routing"... I wonder if that's all I'm looking for. 12:49 -!- funky [n=repulse@unaffiliated/funky] has quit [Read error: 60 (Operation timed out)] 12:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:55 -!- troy is now known as troy- 12:56 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn 13:12 < epaphus> hmmm 13:28 -!- Drarok_ [n=drarok@imma.chargin.mah.laser.drarok.com] has joined ##openvpn 13:28 < Drarok_> Evening team. It appears I need ip forwarding, or potentially a different bridging method... 13:29 < Drarok_> Server is running at 10.8.0.0/24, internal network is a 192.168.254.0/24... 13:29 < Drarok_> I want to be able to hit other boxes on the 192 addresses... What should I read? 13:30 -!- Drarok_ is now known as Drarok 13:38 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:24 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn 14:33 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 14:40 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)] 14:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:47 < epaphus> HI guys sorry for repeating this unanswered question.. but I am honestly confused and need a little "push" ... my configuration is simpler. I have a client who has a lan behind it (192.168.2.0) it needs to be able to access the VPN. Thats the only LAN in the picture. 14:47 < epaphus> It is my understanding I add.. push "route 192.168.2.0 255.255.255.0" .. and also I would still need an iroute in the ccd of the clients common name? 
14:47 < epaphus> iroute 192.168.2.0 255.255.255.0 14:47 < epaphus> Can somebody please confirm this.. I honestly am not understanding this.. 14:48 < epaphus> btw.. my client is configured with TWO nics.. one for the internet (ext_if) and the other for the LAN (int_if) . There is a NAT so that the int_if can access the internet via the ext_if already 14:54 < ecrist> epaphus: see here 14:54 < ecrist> !route 14:54 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:55 < epaphus> ecrist, i did. thats the wiki.. i said i already read it .. :) 14:56 < ecrist> epaphus: everything else is having the proper routes configured. 15:01 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit ["Leaving"] 15:01 < epaphus> ecrist, have you done this before... I would put the push "route 192.168.2.0 255.255.255.0" , in CCD : iroute 192.168.2.0 255.255.255.0 ... thats it..? 15:05 -!- troy- is now known as troy 15:10 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn [] 15:13 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has joined ##openvpn 15:15 < Kyle5> OK... ive got an Openvpn server on windows 2003 on a 172.16.0.x network.. and an openvpn client (linux) on a 10.1.0.x network.. the openvpn client is able to ping items on the 172.16.0.x network, but the openvpn server cannot ping 10.1.0.x.. the client is running RHEL and ive verified ipv4_forward is enabled but im not sure if i need any iptables entries.. can someone point out if i do or not? 
theres no firewall running on the bo 15:16 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 15:21 -!- sirus [i=scott@gotpot.org] has quit [Read error: 60 (Operation timed out)] 15:31 < epaphus> !ccd 15:31 < vpnHelper> epaphus: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 15:32 < Kyle5> epaphus: is that related to my query? 15:32 < epaphus> Kyle5, no 15:32 < Kyle5> oh ok :) 15:41 < ecrist> epaphus: 'proper routes configured' means the rest of the network, outside openvpn 15:42 < epaphus> ecrist, so it doesnt really matter what ccd and route on the server.conf i put... iam pretty much sure i did the right configs outside of VPN... 15:42 < epaphus> that is NAT my internal nic with the external one 15:42 < epaphus> you cant really nat my internal NIC with tun0 15:42 < epaphus> it will conflict 15:44 < epaphus> well at least now I can ping my endpoint from a LAN computer 15:44 < epaphus> :) 15:44 < epaphus> but i just cant access the internet 15:44 < Drarok> Hmm, I don't think our network is clever enough to set routes... It's just a cheapo router... It seems I can do some kind of NATing, though? 15:47 -!- sirus [i=scott@gotpot.org] has joined ##openvpn 15:51 -!- afonso [n=afonso@bl6-102-90.dsl.telepac.pt] has joined ##openvpn 15:57 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has left ##openvpn [] 15:59 < Drarok> Is it possible to have OVPN just pass-thru to the real network, DHCP and all? I'm guessing not... 
16:02 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn 16:09 < krzie> sure, if you bridge 16:10 < krzie> usually not something i recommend but im too tired to argue today 16:10 < krzie> (at least for now) 16:10 < epaphus> hello krzie :) 16:11 < Drarok> If it's not recommended, what's the alternative? 16:12 < Drarok> The OpenVPN box is our FreeBSD dev/svn box, so that's ok, but there's another testing server I'd like to access, and potentially hit samba shares on random boxes inside the LAN 16:16 < dan__t> Anyone ever used any of those SSL accelerator cards with OpenVPN before? 16:17 < dan__t> Wondering if its even worth the cost of just throwing another box at my OpenVPN setup to scale laterally, than to use one of those cards in a single machine. 16:30 < krzie> Drarok: read !route and !wins 16:30 < krzie> epaphus hey 16:31 < Drarok> !route 16:31 < vpnHelper> Drarok: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:32 < Drarok> Back later once I've read not skimmed ;) 16:32 < krzie> =] 16:38 < Drarok> Bleh, the examples are much more complex than I need 16:38 < krzie> thats much better than not being as complex as you need 16:39 < krzie> you can figure out what each ip represents in that, replace with yours what you need, and forget the rest 16:39 < Drarok> Perhaps, but having a case that's similar to what I need would mean I don't need to guess at what's relevant :( 16:39 < krzie> lol ya then you wouldnt have to learn anything, thats true 16:40 < krzie> but the point of my writeup wasnt to give you your personal config, it was to teach you what each of those things mean 16:40 < Drarok> I don't need to learn to an expert route-everything level ;p 16:40 < krzie> so you can adapt it to your personal needs 16:40 < Drarok> Think I might need to read it about 10 times, ho hum 16:40 < Drarok> Perhaps it'll make more sense in the morning :) 16:40 < 
krzie> the manpage also has a lot more info than you need, but it also has every piece of info that you do need 16:41 < krzie> ;] 16:41 < krzie> in fact thats basically a prerequisite of a good doc 16:41 < krzie> how many lans do you have that need to be routable over the VPN? 16:44 < Drarok> Just one. At the VPN server end, there's 192.168.254.0/24, and the (sometimes multiple, dial-in) clients need to access that. The Server has a single NIC plugged into the 192 LAN, udp port forwarded so I can connect. 16:44 < krzie> simple 16:44 < krzie> just push the route to its lan to clients 16:45 < krzie> like push "route 10.0.0.0 255.255.255.0" 16:45 < Drarok> Then how do boxes at the LAN end see clients? Or can't they? 16:45 < krzie> assuming its lan was 10.0.0.0/24 16:45 < krzie> did you read not skim my doc? 16:45 < krzie> that is gone over right under the pretty picture 16:46 < krzie> where it says "ROUTES TO ADD OUTSIDE OPENVPN" 16:46 < krzie> it gives 2 ways to do it, and an explanation of what happens before you do it 16:46 < krzie> (aka, why it must be done) 16:46 < krzie> and for the samba... 16:46 < krzie> !wins 16:46 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 16:47 < Drarok> annoying work-around? 16:48 < krzie> assuming you cant do it the right way, ya 16:48 < krzie> adding a route to every machine on a lan is very annoying to me 16:49 < Drarok> Yeah, very, but I can't see any mention of a "right" way 16:50 < krzie> you skimming...? 16:50 < Drarok> I just re-read the bit under the picture 16:50 < Kyle5> OK.. 
can someone tell me why when ive got this entry in my routing tables " 10.1.0.0 255.255.252.0 10.3.0.2 10.3.0.1 1 16:50 < Drarok> But that example makes no sense 16:50 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has quit ["Leaving."] 16:50 < Drarok> I don't need the server end to see anything on the client's LAN 16:50 < Drarok> I just want a bog-standard dial-in style vpn 16:51 < Drarok> Where users connect, see the LAN, and are happy. 16:51 < Drarok> :( 16:51 < krzie> Kyle5: 16:51 < krzie> !/30 16:51 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 16:52 < krzie> Drarok you need to read it for understanding, not to just drop in replace your personal info 16:52 < krzie> but ill explain it anyways 16:52 < Kyle5> OK.. can someone tell me why when ive got this entry in my routing tables "10.1.0.0 255.255.252.0 10.3.0.2".. with 10.3.0.0 being the openvpn subnet.. ive got tcpdump running on tun0 at the other end, but when i ping 10.1.0.10 its not even making it through 16:52 < krzie> if a machine on the same lan as your server gets a packet from the vpn network, how will it reply? 16:52 < krzie> it will check its routing table 16:53 < krzie> NOT find an entry, so send it to the default gateway 16:53 < krzie> which wont have an entry, so send to ITS default gateway (the inet) 16:53 < krzie> then it gets dropped because it is 1918 ip 16:53 < Kyle5> yeah i know that 16:53 < krzie> not you kyle 16:53 < Kyle5> oh sorry :P 16:53 < krzie> im still talking to him ;] 16:53 < krzie> ill get to yours in a sec 16:53 < krzie> so Drarok 16:54 < krzie> you have 2 options 16:54 < krzie> give it a route back in the router (easy way) 16:54 < Drarok> I get the problem with LAN clients being unable to reply... 
16:54 < krzie> or add a route back to each machine in the lan (annoying other way) 16:54 < Drarok> And our router is rubbish :( 16:54 < krzie> if you cant add a route in your router you gotta do the other way 16:55 < Drarok> Manually on each LAN client? 16:55 < krzie> client? 16:55 < krzie> manually on each machine in the lan, yes 16:55 < Drarok> Box I want to talk to 16:55 < Drarok> But... That's insane! 16:55 < krzie> it must know that for VPN_NETWORK it must route to LAN_IP_OF_VPN_ENDPOINT 16:56 < krzie> no shit, get a router that doesnt suck :-p 16:56 < krzie> my linksys can add routes 16:56 < Drarok> But... 16:56 < krzie> in fact my $15 router can 16:56 < Drarok> Windows Server can do exactly what I want. 16:56 < krzie> no, it cant 16:56 < krzie> unless its the default gateway for the lan 16:56 < Drarok> You forward some ports, you dial in, you can a LAN IP, everything (AFAIK) is happy 16:56 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 16:56 < krzie> in which case ANYTHING can (if you can add routes to it) 16:57 * Bushmills passes around the weed 16:57 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 16:57 < krzie> yeeeee 16:57 < krzie> hell yes Bushmills 16:58 < Drarok> Hmmm... Perhaps it is the default route, then passes traffic onwards to the router. 16:58 < Drarok> I'm not sure, it's at a client's. 16:58 < krzie> what is the gateway for the lan? 16:58 < Drarok> Can't tell from here. 16:58 < krzie> lol 16:58 < krzie> ifconfig on the fbsd box 16:58 < Drarok> Oh, I know that. 16:58 < krzie> err, route -rn|grep G 16:58 < Drarok> I mean at the WinServer site 16:59 < Drarok> The one that does what I want ;) 16:59 < krzie> you either bridged or the machine is default gateway for its lan, or you setup the routes correctly like im telling you to 16:59 < krzie> NEXT 16:59 < krzie> Kyle5, whats the problem? 17:00 < Kyle5> Ok.. the crux of it is 17:00 < Kyle5> OK.. I've got two lans on either side of the VPN... 
10.1.0.x/22 on the Client and 172.16.0.0/24 on the Server .. the OpenVPN Client can ping 172.16.0.x addresses fine, but the OpenVPN Server cannot ping 10.1.x.x addresses. 17:00 < Drarok> Bridging is surely what I want, and all this routes talk is just confusing me >_< 17:00 < krzie> Kyle5: have you read !route? 17:00 < krzie> !route 17:01 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:01 < Kyle5> yeah i have 17:01 < krzie> i made that writeup for just this kinda stuff 17:01 < Kyle5> and as far as i can see 17:01 < Kyle5> ive got the correct config 17:01 < krzie> ok, !configs 17:01 < krzie> !configs 17:01 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:02 < Kyle5> ok 17:02 < Kyle5> http://pastebin.ca/1393255 17:02 < Kyle5> there you go 17:02 < Kyle5> ive worked with the assumption i dont need iroute because its not multiple lans 17:05 < epaphus> krzie, remember the double NIC thing i was going to do.. to allow PCs on a LAN connect to a second NIC on the vpn client so that they can access the inet? 17:05 < epaphus> krzie, well.. I found out that i didnt need the NAT On the client.. 17:05 < epaphus> packets are being routed ok, because I can ping my endpoint 17:06 < epaphus> however when i traceroute any IP .. it reaches the endpoint (VPN server) but then the VPN server doesnt know what to do with the IP... 17:06 < epaphus> i think i need a second NAT in my server 17:07 < krzie> dude 17:07 < krzie> thats what i told you epaphus 17:08 < krzie> EXACTLY what i told you days ago 17:08 < Kyle5> krzie, any ideas? 
17:08 < epaphus> ohh iam sorry, i understood that I needed a NAT in the client 17:09 < epaphus> not a second NAT in the server :) 17:09 < krzie> no epaphus, i specifically told you you did not when you said you did 17:09 < krzie> !irclogs 17:09 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 17:09 < krzie> you can go read me telling you that if you want 17:09 < krzie> Kyle5 1min 17:09 < Kyle5> thanks 17:10 < epaphus> krzie, thats ok :) no prob 17:12 < krzie> Kyle5, you have no ccd entries on the server? 17:13 < Kyle5> no 17:13 < Kyle5> i wasnt sure i needed iroute or not 17:13 < krzie> you need to 17:13 < krzie> !iroute 17:13 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 17:14 < Kyle5> so... i need to create a server side ccd file with "iroute 10.1.0.0 255.255.252.0" 17:14 < Kyle5> ? 17:14 < Kyle5> or anything else? 17:15 < krzie> assuming 10.1.0.0/24 is the lan behind the client, right 17:15 < krzie> it must be in a file named COMMON-NAME-OF-CLIENT in the ccd dir you put for --client-config-dir 17:16 < krzie> the server has the route entry, so thats right 17:16 < krzie> then the LAN on the client side needs a route on the gateway, possibly 2 17:16 < krzie> unless openvpn is running on the default gateway for the client lan 17:16 < krzie> (is it?) 17:17 < Kyle5> its not 17:17 < krzie> ok, do the 2 lans need to talk to eachother? 
17:17 < Kyle5> on the client side, its a procurve switch, and is already configured 17:17 < Kyle5> yeah they do 17:17 < krzie> ok so heres what they need 17:17 < krzie> each default gateway on each lan needs to know 2 things 17:17 < reiffert> Please note, there can only be *one* file named COMMON-NAME-OF-CLIENT. 17:18 < reiffert> Just put it all in there. 17:18 < krzie> 1) for 10.3.0.0/24 it sends the traffic to the LAN_IP of the local vpn node 17:18 < epaphus> krzie, i dont understand what i need to NAT In the server. MY original NAT was 10.0.1.0/24 to re0 .... 17:18 < Kyle5> each default gateway needs a route back to the openvpn machine... which needs to have ipforwarding activate? 17:18 < krzie> 2) same thing for the LAN on the other side of the VPN 17:18 < krzie> epaphus go look in the irclogs 17:19 < epaphus> krzie, so now what..? do i nat re0 to 192.168.2.0/24 ? 17:19 < krzie> i already explained this fully to you and dont wanna repeat myself again after re-learning your setup 17:20 < Kyle5> the other question is.. is there a client-common-name thing for the clientside? 17:20 < epaphus> krzie, i remember you saying ... you must do the exact same thing you did in the server for NAT.. thats all 17:20 < krzie> then go back and read the logs 17:20 < krzie> cause i fully explained it, 2x i think 17:21 < krzie> Kyle5, huh? 17:21 < Kyle5> as in... set the ccd file to the name's common name 17:21 < Kyle5> how the hell do you define the common name of the client? 17:22 < reiffert> everything after 'CN=' 17:22 < Kyle5> the whole lot? 17:22 < reiffert> lemme think about your question. 17:22 * reiffert bed 17:22 < krzie> whole lot? 17:22 < krzie> theres only 1 client with that lan behind it 17:23 < Kyle5> yeah 17:23 < krzie> so thats the common-name you put the iroute in 17:23 < krzie> !ccd 17:23 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 17:23 < Kyle5> yes 17:23 < Kyle5> but how do i know what the common-name is? 17:23 < Kyle5> theres no definition for it 17:23 < krzie> you made the certs didnt you? 17:23 < Kyle5> yeah 17:23 < Kyle5> oh THAT name 17:23 < Kyle5> ok 17:24 < krzie> a) its in your ipp.txt 17:24 < krzie> b) you specified it when you made the certs 17:24 < krzie> c) its in your logs 17:26 < Kyle5> yeah got it 17:26 < Kyle5> OK 17:26 < Kyle5> will it tell me in the logs if it loaded the CCD file? 17:26 < krzie> sure 17:26 < krzie> the server log you'll see it used the iroute 17:27 < Kyle5> ok...so it didnt 17:27 < Kyle5> bugger 17:27 < krzie> did you restart after adding --client-config-dir 17:27 < krzie> (the server) 17:27 < Kyle5> yeah 17:27 < krzie> !logs 17:27 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 17:28 < Kyle5> i think its because i havent addressed it properly.. being a windows openvpn server 17:28 < krzie> no diff with this in win vs unix 17:29 < Kyle5> well, in terms of file addressing there is 17:29 < krzie> as long as you gave it the ccd dir correctly 17:29 < krzie> you mean the PATH? 17:29 < Kyle5> yeah 17:29 < krzie> ok true that 17:29 < Kyle5> my fault, i believe 17:30 < Kyle5> thank you 17:30 < krzie> yw 17:30 < Kyle5> its working as i wanted now, so many thanks 17:30 < krzie> np man 17:31 < krzie> your setup is 2x as hard as Drarok and he already gave up ;] 17:31 < Kyle5> hehe 17:31 < Kyle5> i hadnt clocked i needed the iroute with just one lan on the end.. but there we go 17:31 < krzie> iroute is whenever theres a lan behind the client 17:31 < Kyle5> i know now :P 17:32 < krzie> not just lan, but any ip that openvpn itself wouldnt know about, but the kernel of the openvpn server does send to openvpn 17:32 < Kyle5> yeah of course 17:32 < epaphus> krzie, i downloaded the logs.. but its a binary format file.. 
:( 17:32 < krzie> its an internal method for openvpn to relate ips/networks with its clients 17:34 < krzie> its a gzip file 17:34 < krzie> gunzip it! 17:35 < krzie> it'll get a lot bigger when you gunzip it, like my pants 17:39 < epaphus> krzie, i did gunzip it.. in order to get the openvpn.txt ... but that is a binary file 17:39 < epaphus> cant you kindly, repeat to me what I should nat? please 17:39 < krzie> that would require me re-learning your whole setup 17:39 < krzie> lets just put it this way 17:39 < krzie> whatever the source ip of the packets headed to the server 17:40 < krzie> if they are meant to hit the inet 17:40 < krzie> must be natted 17:40 < krzie> (at the server) 17:40 < epaphus> right so: 17:40 < krzie> in the exact same way your current nat works 17:41 < krzie> epaphus type file openvpn.txt 17:41 < krzie> see if its a tar 17:41 < krzie> he might have meant to name it .tgz 17:42 < epaphus> LAN machine (192.168.0.201) -> Client (192.168.0.10) -> tunnel -> server 17:42 < epaphus> but i dont know what IP to nat... 192.168.2.0/24 on the server ? 17:42 < Kyle5> jhhhhhhhhhnjmmmmmmmmmmmmmmmm8888 17:43 < krzie> epaphus, you've been here many days, asking the same questions getting the same answers 17:43 < krzie> i really dont wanna re-understand your network to repeat myself 17:44 < epaphus> nevermind.. thank you krzie i fixed it 17:44 < krzie> great! 
=] 17:44 < krzie> your network to repeat myself 17:44 < krzie> oops misfire 17:45 < krzie> too easy to copy/paste in this term, lol 17:45 < krzie> krzee@hemp:~> file openvpn.txt 17:45 < krzie> openvpn.txt: ASCII English text, with very long lines 17:46 < krzie> --- Log opened Fri Aug 01 12:49:14 2008 17:46 < krzie> 12:49 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn 17:46 < krzie> 12:49 -!- ServerMode/##openvpn [+ns] by zelazny.freenode.net 17:46 < krzie> thats not binary dude 17:47 < epaphus> sorry 17:47 < krzie> i just wanted to make sure it was named correctly 17:48 < krzie> so users could read it if they want it 17:50 < Drarok> Blurgh, I give up for the night, found a guide for BSD that said I wanted bridging, now I can't even ping the endpoint! 17:50 < Drarok> krzie: I appreciate your time, though. I'm sure I'll see you again... ¬_¬ 17:50 < Drarok> G'night 17:50 -!- Drarok is now known as drarok 17:51 < krzie> that guide is wrong 17:51 < krzie> in fact most the guides you'll find on google suck 17:51 < krzie> but do whatever makes you happy 17:51 < krzie> bridging will work, its just a waste of overhead and a little less secure 17:57 < epaphus> krzie, ive been here many days.. but ive setup 3 different VPNs with different configs btw 17:57 < krzie> oh i coulda sworn that was the same vpn as day1 17:57 < krzie> i never caught you were asking the same questions for other vpns 17:57 < epaphus> :) 17:58 < krzie> which seems more weird 17:58 < krzie> cause ild think you understood the answers after doing it correctly already 17:58 < krzie> no? 17:59 < epaphus> not completely... i do have clues sometimes 17:59 < krzie> cool ;] 17:59 < krzie> well what matters is you got it fixed up =] 17:59 < krzie> so you did what we were talking about? 18:00 < krzie> got a second nic and made a new separate network ? 
18:00 < epaphus> yes 18:00 < krzie> to have 2 lans, 1 that routes over vpn default and other that routes straight to inet 18:00 < krzie> thats pretty cool 18:00 < epaphus> one LAN. two nics. 1 nic for NET, other for LAN 18:00 < epaphus> by NET I mean internet 18:01 < krzie> but the nic for INET is actually part of a different lan, right? 18:01 < epaphus> yes 18:01 < krzie> ya, coolness 18:04 < krzie> so i guess you've been on an openvpn setup spree from the sound of it 18:04 < krzie> how many more you got on the list? 18:05 < epaphus> iam done.. now I just need to add more NICS.. 18:05 < krzie> more nics...? 18:05 < epaphus> the user that want to get on a specific VPN just plugs his PC to the switch for that VPN 18:05 < epaphus> thats how they wanted the config here to be 18:06 < epaphus> etc 18:06 < krzie> oh i see 18:06 < epaphus> :P 18:06 < epaphus> then if somebody is travelling 18:06 < krzie> you're gunna keep repeating that setup 18:06 < epaphus> and stays in a hotel... 18:06 < epaphus> they connect as a client directly to the server 18:06 < epaphus> with gopenvpn 18:06 < krzie> i take it you're doing this for sidework 18:06 < epaphus> :) 18:10 < epaphus> day over, thanks all 18:10 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:14 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn 18:24 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 18:25 < Kyle5> ok. thanks all and night 18:25 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has quit ["Quit"] 18:52 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 113 (No route to host)] 18:59 -!- row [i=row@who.br0ke.me.uk] has joined ##openvpn 19:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 19:02 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["IceChat - Its what Cool People use"] 19:07 < krzie> Dougy here? 
19:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 19:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 19:30 -!- sirus [i=scott@gotpot.org] has quit [Read error: 60 (Operation timed out)] 19:30 -!- sirus [i=scott@gotpot.org] has joined ##openvpn 19:46 < ecrist> sup motha fucka's? 19:46 < krzie> gellin, like magellin 19:47 < ecrist> you keep adding -krzee 19:47 < ecrist> o.O 19:47 < krzie> i wrote it! 19:47 < ecrist> aye 19:47 < ecrist> so the log says. ;) 19:47 < krzie> i dont want it copywritten or anything, but ild like my name on it 19:48 < ecrist> ok, I'll fix it for ya. gimme a few. (muahahahaha) 19:48 < krzie> why would you remove my name from my doc? 19:49 < ecrist> -krzee doesn't look 'clean' to me. I don't mind authorship, though. 19:50 < krzie> clean? im krzee! 19:50 < ecrist> not a big deal, just something I noted. 19:50 < krzie> if i IRCed as Jeff it would say -Jeff ;] 19:50 < ecrist> and I wouldn't like -Jeff 19:50 < ecrist> I wouldn't like -ecrist, either 19:50 < krzie> i see 19:51 < ecrist> ah, you do all your edits anon 19:51 < krzie> well you can change it however you want, just let it say i wrote it 19:51 < krzie> sometimes i do, sometimes not 19:51 < ecrist> well, now. you used to log in 19:51 < krzie> pointless to login to add -krzee or something equally small 19:52 < ecrist> indeed. 19:52 < ecrist> I usually don't log in. 19:52 < ecrist> if you couldn't tell, I watch the full RSS for my wiki. :) 19:52 < ecrist> been getting a fair bit of spam where someone will delete most of an article and replace it with 'adlfaj43rsad4fadf4q' 19:53 < krzie> thats weaksauce 19:53 < krzie> i guess we might hafta remove anon edits then huh? 19:53 < ecrist> indeed. that's why I watch the RSS 19:53 < ecrist> I get maybe 3-5 edits per week. 19:53 < ecrist> most from me. 
19:55 < krzie> ya part of me still wants to make a doc to replace !default 19:55 < ecrist> reminds me, I should finish my freebsd + bridged article 19:55 < krzie> but it will be such a pain in the ass 19:55 < krzie> because most of it is OS specific 19:56 < krzie> i guess i could just doc the openvpn specific part (which is damn near nothing) 19:56 < ecrist> I have 8000 things I'd like to do. my most recent project, bbthe.me, is only getting attention at this point because every time someone wants to post an update or new theme, I have to do it manually. 19:56 < krzie> and say "heres what you need to figure out in your OS" 19:56 < ecrist> 'tis why I'm on the puter now. 19:56 < ecrist> krzie + ecrist = OpenVPN Doc Team 19:56 < krzie> ahh cool, so its getting a bit of action? 19:56 < ecrist> yeah 19:57 < ecrist> it would get a ton more if I'd develop the fucking thing 19:57 < krzie> lol 19:57 < ecrist> I probably only get around to posting 2/3 of the themes sent to me. 19:58 < ecrist> job + side company + sheriff dept + wife/kid + social life = bahh! 19:58 < krzie> new kid popped out a bit ago, right? 19:58 < ecrist> not yet 19:58 < ecrist> July 16 19:58 < krzie> oh whoa 19:58 < ecrist> got a plumber in the house today and tomorrow remodelling the basement for a new master bedroom 19:58 < krzie> <-- no sense of time 19:59 < ecrist> then I get to build walls, do electrical, etc. 19:59 < ecrist> and if I think I have time now, wait till the kid comes! 19:59 < ecrist> it's all good. I like being busy. 19:59 < krzie> for real 19:59 < ecrist> brb 20:09 < row> If I am using a ethernet bridge is there anyway I can make certian stuff not go over the bridge and go over my actual connection (windows vista)? 20:09 < row> ie voip stuff? 
20:09 < krzie> no but if you use routed mode, yes 20:10 < krzie> which is less overhead therefore better performance for voip anyways 20:10 < krzie> !tunortap 20:10 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 20:10 < row> k 20:11 < ecrist> krzie: 17:46 ##openvpn: < krzie> 12:49 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn 20:11 < ecrist> ? 20:11 < krzie> showing him he was full of shit saying the logfile was binary 20:11 < ecrist> ah 20:11 < ecrist> lol 20:11 < ecrist> it's just a gzip 20:12 < krzie> as i told him 20:12 < ecrist> drarok: !freebsd 20:14 < ecrist> krzie: ephadfadsfasdfa (or whatever) has been asking the same questions every day. he doesn't understand network routing. his problem is 100% covered on !routing 20:14 < krzie> i know 20:14 < krzie> he finally got it figured out 20:14 < krzie> after i explained it twice i told him i wouldnt do it again 20:15 < ecrist> oh, I didn't read that far. 20:15 < krzie> told him to read me explaining it before in the logs 20:15 < krzie> and he finally figured it out after claiming the logs were binary format 20:15 < krzie> lol 20:15 < ecrist> heh 20:16 < ecrist> just bought a computer for our 7 year old. thank god for Apple Remote Desktop 20:16 < krzie> hes getting apple!? 20:16 < krzie> lucky kid! 20:17 < ecrist> new mac mini c2duo 2gb ram samsung 22" lcd 20:17 < krzie> sick 20:17 < ecrist> we're an apple house 20:17 < ecrist> aside from my servers. those are 100% freebsd 20:18 < krzie> just like my house 20:18 < ecrist> though I considered putting Mac OS X server on the new mini 20:18 < ecrist> I'm liking the parental controls, setting time limits and such. with ARD, I can sit here, in my office, and watch what he's doing on his screen, without him knowing. 
20:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:19 < krzie> if my parents had that i woulda never gotten into computers 20:19 < krzie> it all started at age 11 with porn 20:19 < krzie> progressed to many illegal activities by age 13 20:19 < ecrist> you were a late bloomer 20:20 < ecrist> ;) 20:20 < krzie> umm, this was '92 20:20 < ecrist> aye 20:20 < ecrist> you've gotta be about my age then. 20:21 < krzie> 27 20:21 < krzie> 28 later in the yr 20:21 < ecrist> I'm not planning on spying on the kid too much. just enough to keep him safe from crazy people out there. 20:21 < ecrist> I'll be 30 in oct... 20:21 < ecrist> ugh 20:21 < krzie> tru, inet has changed a bit since the old days 20:22 < ecrist> I'm really nervous about him getting into gang stuff and pedos finding him. 20:22 < theDoc> Do we see it becoming a platform for pedo's? 20:22 < krzie> theDoc to an extent, yes 20:22 < theDoc> Sooner or later, ipsec/vpn/gre will all be commonly used to encrypt more child porn than ever. 20:22 < ecrist> he's a really outgoing kid who loves to please, so he's susceptible to peer-pressure. 20:23 < theDoc> ecrist: Might I suggest you just keep an eye on him, be open and explain the dangers to him. 20:23 < theDoc> This really isn't the internet of the early 90's. 20:23 < ecrist> theDoc: already there. we've been told we're too open with him. 20:23 < theDoc> My parents did that with me ;p 20:23 < krzie> theDoc i expect onion routing to be used more than those for that 20:23 < theDoc> krzie: I suspect the on demand vpn service I run now will be abused for that sooner or later. I'll be having to do some work on that area. 20:24 < ecrist> with higher-speed connections, I predict most common network traffic (browsing, email, comms) will be randomly-routed through the net within 5 years. as a common practice 20:24 < theDoc> ecrist: While I wouldn't go so far as to sniff his traffic, I might just log the websites he visits. 
20:24 < krzie> however, my belief in privacy is stronger than my hate for that stuff 20:24 < ecrist> when most people have 100Mb+ connections, it'll be a lot easier 20:24 < krzie> while there is nothing more that sickens me more 20:24 < karlpinc> ecrist : Then why aren't people encrypting their email now? 20:25 < ecrist> karlpinc: it'll get there, I suspect. 20:25 < theDoc> krzie: Yes, that's true. However, the government is taking a very strong approach to the whole, if you aren't a criminal, you have nothing to encrypt. 20:25 < krzie> TOTALLY FALSE 20:25 < theDoc> Which worries me, because some of them build a profile of you based on your IM/email/surfing habits. 20:25 < theDoc> Just look at UK/Singapore/China/Australia. 20:25 < karlpinc> ecrist : People don't care. If they cared they wouldn't run that unnamed OS with lots of security holes. 20:25 < krzie> thats like saying you should submit to illegal searches cause if you arent a criminal you have nothing to hide 20:26 < krzie> giving up privacy for temporary security is both stupid and naive 20:26 < ecrist> for me, personally, I don't do/say anything I'm afraid of people seeing. If I do things I don't want public, nobody knows about them. 20:26 < theDoc> krzie: Precisely, it's always more open to abuse. 20:26 < theDoc> ecrist: Precisely! That or encrypt it ;p 20:26 < krzie> i encrypt everything and will never submit to a search, and i have nothing to hide 20:27 < theDoc> krzie: Which country do you live in? 20:27 < krzie> im also very strongly for all the other amendments in the bill of rights as well 20:27 -!- afonso [n=afonso@bl6-102-90.dsl.telepac.pt] has quit [] 20:27 < ecrist> karlpinc: I wouldn't say people don't care. I'd say most people are mis/ill-informed, and don't know any better. 20:27 < krzie> im from california, although i left to the caribbean 20:27 < krzie> i read the patriot act 20:27 < theDoc> I believe there was a couple of high profile cases which involved child porn and encryption. IIRC, the guy was ordered by the courts to provide the decryption key. 20:27 < krzie> that was time for me to leave 20:28 < karlpinc> ecrist : Maybe so, but it won't change. 20:28 < theDoc> I'm not sure what the patriot act entails, I'm not from the US. 20:28 < krzie> think: enabling act from nazi germany 20:29 < theDoc> You've got to be shitting me, america was all for the freedom and stuff and cuddly teddy bears. 20:29 < krzie> yup 20:29 < krzie> i shoulda taken the other pill 20:29 < krzie> woken up and believed whatever i wanted 20:29 < karlpinc> theDoc: Americans used to laugh that the Soviets needed a passport to travel within the country. 20:30 < theDoc> karlpinc: Are you guys at the same stage as them already? 20:30 < theDoc> Man, this world is just fucked up, everyone is just stepping on everyone for their own agenda. 20:30 < krzie> its different in america, cause everyone still thinks they have rights 20:30 < krzie> nobody pays attention 20:30 < karlpinc> theDoc: The Feds have passed the Real ID act, which requires the states to issue identity papers, and those will be required to get on transport. 20:31 < karlpinc> theDoc: But it's costing the states money so they're late implementing. 20:31 < krzie> karlpinc, im impressed, not too many people know bout that 20:31 < theDoc> karlpinc: That's fucking ridiculous. I wonder if they have been wiretapping secretly for some time now. 20:32 < krzie> theDoc they can wiretap secretly legally now 20:32 < theDoc> Just to keep track of "people who might be dangerous". For instance, the little kid down the road downloading torrents. 20:32 < krzie> they can even do secret arrests 20:32 < krzie> as long as they claim they suspected terrorism links, NEVER prove it and never talk to a judge 20:32 < karlpinc> theDoc: Years and years. Echelon (sp?) allows member states to spy on the citizens of other member states, and report back. So even though it's illegal for the US to spy on its citizens, we trade data with other Echelon members. 20:32 < theDoc> krzie: You guys are coming up on par quick with N.Korea and China. 20:32 < krzie> just "we suspected a link to terrorism" and you have no rights except the 3rd amendment left 20:33 < krzie> theDoc, i know, i left 20:33 < theDoc> krzie: Doesn't the 3rd amendment protect civilian rights? 20:33 < karlpinc> krzie : For somewhere better? 20:33 < theDoc> This is open to abuse in so many ways. 20:33 < krzie> 3rd is you dont have to house troops 20:33 < krzie> karlpinc, depends how you look at it really 20:34 < krzie> the corruption here is known, but makes it easier on me 20:34 < krzie> if someone wanted to tap me here I'd know about it very soon, for a fee of course 20:34 < krzie> even tho i do nothing illegal, i like privacy 20:34 < theDoc> I just find it very disturbing. 20:34 < krzie> its the patriot in me, i FULLY believe in the US constitution 20:34 < theDoc> That the amount of people who have no idea that their privacy is being infringed upon. 20:34 < karlpinc> It's a new age, privacy is obsolete, except for what you enforce yourself. 20:35 < theDoc> karlpinc: I'm starting to feel that it should be mandatory to be tunneling all traffic into a vpn. 20:35 < krzie> theDoc it is to me 20:36 < krzie> i dont even google from my real ip 20:36 < krzie> evvvvver 20:36 < theDoc> krzie: Neither do I. I hop through a vpn server which I own. 20:36 < krzie> i know what i know about openvpn routing from figuring out how to chain vpn's 20:36 < theDoc> I'd be nuts to send plaintext stuff out of this box. 20:37 < theDoc> krzie: Although I feel that this kind of segregation of traffic will sooner or later form a separate entity or another "internet" 20:37 < krzie> aka a darknet 20:37 < krzie> theres many darknets in existence 20:38 < krzie> encrypted networks closed off to the inet, but running on top of it 20:38 < theDoc> krzie: ah yes.
20:38 < theDoc> krzie: Did you read the new bill that was proposed where the US president could have the power to shut down any network? 20:38 < karlpinc> krzie : Traffic analysis will reveal you anyway, unless you're also sending random traffic, and even then.... 20:39 < krzie> yes doc 20:39 < krzie> karlpinc this is true, but nothing automated will 20:39 < krzie> as i mentioned i dont actually do anything that anyone cares about 20:39 < krzie> but the watching is all automated 20:40 < krzie> if i did do that kinda stuff I'd throw some satellites in the mix 20:40 < theDoc> karlpinc: Do you mean sending traffic to the darknet? 20:40 < karlpinc> krzie : Who knows what's automated. I did some steganography once and got an immediate request for the file from the MI6 or some such organization in the UK. 20:40 < krzie> he means everything i mentioned 20:40 < theDoc> Oh, ok. 20:40 < krzie> whoa, crazy! 20:41 < karlpinc> krzie: google "trojan cow" 20:41 < theDoc> karlpinc: ! 20:41 < krzie> thats much more than i thought they had 20:41 < krzie> !google trojan cow 20:41 < vpnHelper> krzie: The Trojan Cow Project: ; Security Port Scanner, Trojan Port List: Trojan Cow: ; BD Trojan Cow 1.0: Attack Signature - Symantec Corp.: 20:41 < krzie> hit #1? 20:42 < karlpinc> krzie : Yup. 20:42 < krzie> one thing i dont like is that people often blame the police 20:42 < krzie> but the thing is, they dont make the rules, i fully blame our congress and senate for going along with the BS 20:42 < krzie> and of course 20:43 < krzie> the most blame goes to the people 20:43 < krzie> for without their willful ignorance, none of that stuff would happen 20:43 < krzie> (it wouldnt be allowed to, we have more guns) 20:43 < krzie> (just like the founders intended) 20:45 < theDoc> This is just scary ;p 20:46 < krzie> favorite movie: V for Vendetta 20:47 < dan__t> Hi. 20:47 < dan__t> So, anyone have a clue about CRL formats?
20:47 < ecrist> dan__t: I answered your question ~3 days ago 20:47 < krzie> didnt ecrist tell you all that? 20:47 < krzie> oh, lol 20:47 < dan__t> You did not! 20:48 < krzie> ecrist, i think its groundhog weak 20:48 * ecrist gets logs 20:48 < krzie> err week 20:48 < dan__t> Well maybe you did, but the odds of me being shitfaced were 50/50 20:48 < dan__t> I'd appreciate a moment of your time to bring that subject up, please. 20:48 < ecrist> lol, FINALLY, HONESTY COMES TO ##OPENVPN 20:48 < dan__t> Honest? About drinking? Shit, I'll be the first to admit I'm a 25 year old that drinks like a 22 year old. 20:49 < krzie> dan__t, best way for that is !irclogs 20:49 < krzie> !irclogs 20:49 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 20:49 < dan__t> damnit. 20:49 < dan__t> How far back does it go? 20:49 < ecrist> naw, I'll answer his questions again 20:49 < dan__t> Thank you. 20:49 < krzie> august 20:49 < ecrist> dan__t: they go back to august 1st, 2008 20:50 < dan__t> oic. 20:50 < dan__t> Alright, so assuming I was shitfaced, the CRL is formatted in..... 20:50 < ecrist> it's a PEM encrypted file 20:51 < dan__t> Er. My index.txt says otherwise. 20:51 < ecrist> what does your index.txt say? 20:51 < dan__t> Wait. 20:51 < dan__t> Fuck. I'm confused. 20:52 * ecrist doesn't know anything, and goes away. 20:52 < dan__t> haha 20:52 < dan__t> Yes, I'm confused. 20:53 < dan__t> I had wrongly assumed index.txt was in fact the CRL. 20:53 < dan__t> Now I'm not entirely sure what it is for. 
20:53 < dan__t> database index file according to openssl.cf 20:53 < dan__t> cnf 20:53 < ecrist> index.txt is what tells openssl what the next serial should be (or the last that was used) for a certificate 20:54 < ecrist> aye, so what do you really want to know? 20:54 < ecrist> how to read it? 20:54 < dan__t> what about 'serial'? 20:54 < dan__t> well if its in PEM I can just decode it. 20:54 < ecrist> sigh 20:54 < dan__t> what 20:54 < ecrist> you sound like my 7 year old. 20:54 < krzie> haha 20:55 < ecrist> Dad, how do I do this. Me: Like this. Son: I know. 20:55 < dan__t> Oh, he knows how to extract shit from a .pem, too? 20:55 < dan__t> That's cool. 20:55 < dan__t> index.txt tells openssl what the next serial should be. 20:55 < krzie> he prolly knows how a CRL works 20:55 < dan__t> 'serial' does... the same? 20:55 < dan__t> I see its a hex incremental counter of some sort. to which extent it functions I do not know. 20:56 < ecrist> op ##openvpn ecrist 20:56 * krzie bets ecrist's son could break down PKI to his teacher in class 20:56 < dan__t> haha 20:56 < krzie> then he'd ask the teacher for their ca.key 20:56 < dan__t> Alright, I guess my confusion ultimately lies in the difference between index.txt and 'serial' 20:56 < krzie> (and get it) 20:57 < ecrist> the index.txt defines the next available serial. 20:57 < ecrist> without it, you start at 0x0 20:57 < dan__t> ok. 20:58 < dan__t> Got it. 20:59 < dan__t> What does the 'serial' file provide OpenSSL with? 21:00 < ecrist> holy shit 21:00 < ecrist> each certificate signed by the CA cert has a serial number 21:00 < dan__t> Yes. 21:00 < ecrist> that's it 21:01 < dan__t> Yeah, why can't OpenSSL use index.txt and increment the last serial found by 1, and use that 21:01 < dan__t> what's 'serial' got to do with it, that's what i'm asking 21:01 < dan__t> "That's just not how it works"? 21:02 < dan__t> I'm trying really hard, but I just understood that there's two serials involved.
21:03 < ecrist> dan__t: read O'Reilly OpenSSL 21:04 < ecrist> or ask in #openssl 21:04 < dan__t> Yeah just popped open the ebook 21:04 < dan__t> obviously i'm confused. 21:07 < dan__t> Besides key generation, we will create three files that our CA infrastructure will need. The first file is used to keep track of the last serial number that was used to issue a certificate. It's important that no two certificates ever be issued with the same serial number from the same CA. We'll call this file serial and initialize it to contain the number 1. OpenSSL is somewhat quirky about how it handles this file. It expects the value to be in hex, 21:07 < dan__t> and it must contain at least two digits, so we must pad the value by prepending a zero to it. The second file is a database of sorts that keeps track of the certificates that have been issued by the CA. 21:07 < dan__t> mkay so openssl doesn't give fuckall about index.txt in regards to the actual serial number used. 21:08 < dan__t> THAT is what I was getting at. 21:08 < dan__t> er, actual serial number used for new certificates. 21:08 < dan__t> That's clever. Good way to do things. That works just the same way as.......... well, nothing. Nothing at all uses this type of counter. Nothing. 21:09 < dan__t> But thanks for going over that again with me. 21:13 < dan__t> What I'm getting at, is I'm trying to make a wrapper that stores this info in SQL. 21:13 < dan__t> I want to maintain a CRL from a database. 21:14 < dan__t> My process invokes OpenSSL to ultimately sign and distribute keys, and I want this CRL to be maintained/modified after each key is either issued or revoked. 21:16 < krzie> you only update a CRL when revoking 21:16 < krzie> what do you plan on updating it with when you simply issue a key 21:17 < krzie> the key to NOT revoke...?
22:46 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 23:09 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 23:21 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn --- Day changed Thu Apr 16 2009 00:03 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:09 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [] 00:24 < dan__t> No, I plan on updating it immediately after I revoke a key. 00:24 < dan__t> .....as I've said a few times in the last few weeks. 00:34 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 00:39 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:46 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 00:47 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:51 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 00:55 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 01:15 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 02:27 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:06 < drarok> !freebsd 03:06 < vpnHelper> drarok: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 03:24 < drarok> Righto, it seems there are routing options in our cheapo router! 03:24 < drarok> So now the LAN can ping 10.8.0.1, as it's routed to the IP of the OpenVPN box... 03:25 < drarok> It does mean all traffic will hit the router twice though... LAN clients send to default gateway, which is the router, so it passes traffic to OVPN, which then pushes the tunneled traffic back through its default route... 
03:33 -!- c64zottel [n=hans@p5B17ACFD.dip0.t-ipconnect.de] has joined ##openvpn 04:02 -!- ghoti [n=paul@CPE00c095f003f8-CM001371886cc2.cpe.net.cable.rogers.com] has joined ##openvpn 04:02 * ghoti looks around 04:03 < ghoti> question: could openvpn be configured to benefit from a Hifn crypto accelerator? 04:03 * theDoc looks at himself and goes to bed. 04:03 < ghoti> hm, not a bad idea... 04:16 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 04:17 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has joined ##openvpn 04:17 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 04:49 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)] 04:51 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:52 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 04:52 < drarok> And bingo, I can get one of our hosted servers onto the VPN \o/ 04:52 < drarok> Another refuses, potentially a firewall issue :( 04:52 < drarok> Thanks for your time, guys :) 04:59 < drarok> Relevant? 04:59 < drarok> Thu Apr 16 10:59:10 2009 us=508047 UDPv4 WRITE [14] to 87.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0 05:00 < drarok> all those 0s can't be good 05:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:39 < drarok> Bingo. 05:39 < drarok> Bad LZO decompression... 05:39 < drarok> --comp-lzo missing >_< 05:39 < drarok> Now both boxen online, woo!
05:48 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."] 05:48 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 06:01 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 06:10 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 06:31 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn 06:36 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [] 06:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:30 < ecrist> good morning, folks 07:30 < drarok> Afternoon :( 07:42 < drarok> Can someone explain ifconfig-push, I think it's the source of my problems... 07:42 < drarok> Docs say '--ifconfig-push local remote-netmask ' 07:42 < ecrist> it pushes an Ip to the client. 07:42 < drarok> remote netmask? 255.255.255.0 gives an error... 07:43 < ecrist> ifconfig-push is for ccd entries 07:43 < drarok> Yup, I have 3 ccd files 07:43 < ecrist> so 07:44 < ecrist> ifconfig-push 172.30.0.5 172.30.0.6 07:45 < drarok> What's the relevance of the .5 and .6 ? 07:45 < drarok> I have 3 clients I want to have static IPs, can I use .10 .15 and .20, or are they too close together? 07:47 < ecrist> well, starting at 0, you count up by 4. server take .0/30, so first client available is .5/30 07:47 < ecrist> .4 is the network address, .5 is client, .6 is server virt endpoint, and .7 is broadcast 07:47 < ecrist> it's covered in the howto 07:48 < ecrist> you can avoid the /30 with 2.1 and use of topology 07:48 < ecrist> !/30 07:48 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 07:48 < ecrist> !/topology 07:48 < vpnHelper> ecrist: Error: "/topology" is not a valid command. 
07:48 < ecrist> !topology 07:48 < vpnHelper> ecrist: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 07:53 < drarok> Isn't 1st available client .4? .0 .1 .2 and .3 used by server? 07:53 < ecrist> 07:47 < ecrist> .4 is the network address, .5 is client, .6 is server virt endpoint, and .7 is broadcast 07:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:57 < drarok> Hmm, I don't think the ccd has anything to do with my current problem 07:57 < drarok> second client complains: 07:57 < drarok> Thu Apr 16 13:57:10 2009 us=999020 UDPv4 WRITE [14] to 87.127.38.144:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0 07:58 < ecrist> that line means nothing to me. 07:58 < ecrist> !logs 07:58 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6 08:05 < drarok> http://pastebin.com/m71c09dc7 08:05 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 08:05 < drarok> http://pastebin.com/m1b736a8d 08:09 < drarok> The 2 clients are both on the same LAN, so I could do some magic and route through just one of them, but then if the vpn client box goes down, I lose access to all 3 servers there. 08:12 < drarok> It appears only 1 client works at a time... Hmm 08:17 < ecrist> !configs 08:17 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:17 < ecrist> looks like your clients aren't getting IPs 08:20 < drarok> They're not even doing the TLS bit 08:20 < ecrist> yes they are 08:22 < drarok> http://pastebin.com/m7022ed6 08:23 < drarok> Well, one does, but if I leave it 60 secs, I get a TLS error 08:23 < drarok> (On the broken ones) 08:24 < ecrist> are the server and clients all on the same network? 08:24 < drarok> Noooo 08:24 < drarok> That would be silly :) 08:24 < drarok> Server is next to me, clients are in a datacentre 08:24 < ecrist> ok 08:25 < ecrist> um, you didn't include your ccd entries 08:26 < drarok> [root@bugs /usr/local/etc/openvpn]# cat ccd/data 08:26 < drarok> ifconfig-push 10.8.0.5 10.8.0.6 08:27 < ecrist> that's the client that's not working? 08:27 < drarok> None of them worked last I tried. Seems if I kill the server, leave it a few mins, start back up, one can connect. 08:27 < drarok> But yeah, data can't connect atm 08:28 < ecrist> do your clients each have their own certificate, or are they all using the same one? 08:29 < drarok> Each their own, with unique common names 08:29 < drarok> (Am I right that the ccd file just needs to be named `thecn` ?) 08:29 < ecrist> yes 08:29 < ecrist> client config shows logging at verb 3. can you show me logs at verb 6? 08:31 < drarok> Eh? They're all verb 6 08:31 < ecrist> http://pastebin.com/m7022ed6 08:31 < ecrist> line 34 08:31 < drarok> Oh, I'm overriding that 08:31 < drarok> openvpn --config filename --verb 6 08:32 < ecrist> k 08:32 < drarok> http://pastebin.com/m1b736a8d line 148 08:32 < drarok> # 08:32 < drarok> Thu Apr 16 14:00:30 2009 us=410065 verbosity = 6 08:32 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn 08:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:33 < ecrist> drarok: looks like you've got some sort of connectivity problem. 08:34 < ecrist> don't think it's related to OpenVPN 08:34 < drarok> So how come one client can connect :( 08:34 < ecrist> see here: http://openvpn.net/archive/openvpn-users/2005-02/msg00442.html 08:34 < vpnHelper> Title: Re: [Openvpn-users] TLS Handshake not happening (at openvpn.net) 08:35 < ecrist> I'm guessing you've a firewall issue 08:37 < drarok> Hmm, but surely no clients could connect then? 08:37 < ecrist> I don't know how you've got your NAT setup 08:39 < drarok> Is it possible the NAT is crap and routing all UDP packets on that port to the 1st client, do you think? 08:44 < ecrist> perhaps 09:00 < [4-tea-2]> Bushmills: a pic says more than a thousand words... I should've probably done this before, but here's a diagram, for the record: http://mutantenstadl.de/Diagramm1.png 09:21 < ecrist> that's a hard-to-read diagram 09:23 < ecrist> [4-tea-2]: care to explain it, and your problem? 09:24 < [4-tea-2]> The laptop should always be using the same IP address, no matter how/where it's connected. 09:25 < ecrist> an internal IP, or a 'real' IP? 09:25 < [4-tea-2]> As real as it gets. ;) 09:26 < [4-tea-2]> The /28 is routed by my "virtual" ISP to the VPN gateway, I pick it up using OpenVPN, because my "real" ISP is... uhm... hostile. :D 09:26 < [4-tea-2]> And the laptop's ip is one out of that /28 09:27 < [4-tea-2]> My current status is that I can't do that with OpenVPN alone, but perhaps with a combination of OpenVPN and a routing daemon, like ripd. 09:28 < ecrist> properly set up, you can do it with openvpn and a proper 1-to-1 nat 09:29 < [4-tea-2]> ecrist: I wish I could, but I don't see how. 09:31 < plaerzen> [4-tea-2], that looks like a darknet or something 09:32 < drarok> I have achieved a zen-like state. Turned on IP forwarding at the one client that will connect for now, added routes at datacentre. 09:33 < [4-tea-2]> plaerzen: I think for a darknet, there would have to be more lines towards the internet cloud. This is actually only about my local, private net and the one laptop I take on the road with me. 09:34 * plaerzen nods. Cool setup, nonetheless 09:34 < ecrist> [4-tea-2]: I'll draw up what you need to do. 09:35 < [4-tea-2]> A simplified "solution" would be to always route all traffic for the laptop through a static VPN connection to the local server - but I'm trying to avoid having to push unnecessary traffic over the DSL line, that's why I think I need two VPN connections and something (ripd) telling the world which one is currently in use. 09:36 < ecrist> ? I'm not really sure what you're trying to do i guess 09:37 < [4-tea-2]> I can try to explain in quick words what the goal is... I think it should become clear together with the diagram. 09:37 < [4-tea-2]> case A) my notebook is connected to my local switch and can stream HD video from my local server (direct connection to get best possible speed) 09:38 < reiffert> explain != quick words 09:38 < reiffert> however, simple routing will solve this for you. local net >> routing to other nets. 09:39 < [4-tea-2]> case B) I take my notebook to the garden, get a rfc1918 address from the wlan AP, establish a VPN connection to local server, get the same IP address as for case A) and can use all services locally.
09:40 < [4-tea-2]> case C) I'm on the road, connect to the internet in any possible way, establish a VPN connection to the VPN gateway (NOT the "local server", because that's behind the DSL line), and still get the same IP address and routing for that address in my local net changes so it's host routed via the VPN gateway. 09:40 -!- drarok [n=drarok@imma.chargin.mah.laser.drarok.com] has left ##openvpn [] 09:41 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:42 < [4-tea-2]> (in case C) I can obviously not stream HD video, because the DSL line lacks the bandwidth, but I can still access all my local services from local server or even access the desktop machine). 09:42 < [4-tea-2]> If that's a pipe dream, tell me, so I stop wasting time and hurting my brain. :D 09:43 < ecrist> it's a bit of a pipe dream 09:44 < [4-tea-2]> But I succeeded in explaining what I want? 09:44 < ecrist> it can be done, but I think the hassle in setting it up is rather large. 09:44 < ecrist> yes 09:44 < ecrist> really your largest hurdle is your own knowledge 09:45 < [4-tea-2]> That's a hurdle that can be easily overcome. 09:45 < [4-tea-2]> And jumping over that is my main motivation for this, anyway. 09:47 < ecrist> ok, here's what I'll tell you. You can do what you describe with the following tools: 09:47 < ecrist> 1) OpenVPN 09:47 < ecrist> 2) a firewall with a properly configured 1-to-1 nat 09:48 < ecrist> 3) two openvpn client configs a) full connection and b) just local stuff 09:48 < ecrist> everything else is configured in the ccd entries on the openvpn server for the given client in regards to what is routed over the vpn 09:50 < ecrist> no external routing daemon is needed 09:53 < [4-tea-2]> Without a routing daemon, how will the local server know when the laptop is connected to the VPN gateway? 09:54 < [4-tea-2]> OpenVPN would have to push a host route to the local server when it sees the laptop connect, and remove that route when it disconnects, right?
10:07 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 10:16 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:18 -!- mnickels [n=mnickels@12.177.178.136] has joined ##openvpn 10:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:23 < mnickels> I cannot get the tap driver to install in Vista64 correctly. I am using the administrator account, it still shows up with an exclamation in Device Manager. I am using openvpn-2.0.9-gui-1.0.3-install.exe. Anyone have an idea of what to check? I've disabled the UAC and driver signing. 10:24 < ecrist> [4-tea-2]: yes, but you can do that with client up/down scripts 10:24 < ecrist> :) 10:25 < ecrist> mnickels: you need to use the latest RC, 2.1rc15 for vista 10:27 < mnickels> ahh I knew i was messing up somewhere! I've seen some forum posts that it was working after searching google, But I didn't see what version of software .. thx ecrist 10:32 < epaphus> hello all 10:39 < mnickels> ecrist, can i just install 2.1rc15 over the top of the existing install or do I need to uninstall 2.0.9 ? 10:50 < ecrist> mnickels: I'd uninstall 2.0.9 10:53 < dan__t> Hi. 10:53 < tjz> hi dot.. 10:53 < tjz> :P 10:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:57 < tjz> wb jeff 10:59 * dan__t stabs krzee 11:00 < tjz> lol 11:16 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 11:30 -!- albech [n=albech@119.42.78.75] has joined ##openvpn 11:31 < albech> can i use openssl on another system to create certificates? the reason i am asking this question is because i dont want to install openssl on my embedded device if it is not needed 11:31 < albech> maybe even use dropbear to create the certs? 11:36 < dazo> albech: In an ideal world, you should never create certificates on the same device as OpenVPN (or any other SSL server) 11:37 < dazo> albech: keys and certs can be created on another box .... ideally, this is a separate box which is not connected to any networks at all ... as the key signing is really a high security task, which provides information to identify a host 11:38 < dazo> in a production environment, you don't want your CA to be compromised 11:41 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)] 11:49 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 11:50 < albech> dazo, excellent.. thanks 12:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:29 -!- seven [n=seven@193.164.131.45] has joined ##openvpn 12:30 < seven> question 12:31 < seven> hello ? 12:32 < seven> is it possible to forward a static ip thowgh openvpn 12:32 < seven> ? 12:32 < seven> through ? 12:33 < seven> anyone ? 12:33 < seven> ------------------------------------------------------------------------------------------------------- 12:34 < seven> blah blah blah 12:34 < seven> yada yada 12:34 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn 12:34 < seven> hello 12:34 < seven> !@1 12:34 < vpnHelper> seven: Error: "@1" is not a valid command. 12:34 < seven> @1 12:35 < Improv> Do certificate authorities/certs/hostkeys define in themselves which directory/openssl config to use? 12:35 < seven> please reform your question 12:36 < Bushmills> seven, the ip which is assigned to client is used. that ip can be static, yes. 12:36 < Bushmills> !ccd 12:36 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 12:36 < seven> I know about ccd 12:36 < Improv> seven: If I want multiple separate OpenVPNs with their own OpenSSL certificate systems, will different values for "ca/cert/key" do it?
12:36 < seven> but I failed to include a static one in the server.conf 12:37 < Bushmills> i use an entry in ccd dir for the clients with static address 12:37 < Bushmills> but i don't need to tell you because you know 12:37 < seven> Improv : you want separate OpenVPNs with their own OpenSSL certificate systems to do what ? 12:38 < seven> no I need to know 12:38 < seven> give me an example 12:38 < seven> I know about ccd 12:38 < seven> but I need an example for a working static ip 12:38 < Improv> seven: I want to have SSL configs that are entirely independent of each other attached to OpenVPN instances that are entirely independent of each other. 12:39 < seven> what should be included in server.conf and ccd/thelonioughs lines ? 12:39 < Improv> seven: I need to know if the ca/cert/key directives in the OpenVPN config determine which ssldir to use. 12:39 < Bushmills> echo "ifconfig-push 10.10.10.4 10.10.10.5" > ccd/keyname 12:40 < seven> Improv : I am sorry I can't help cause I couldn't get it, sorry dude 12:41 < seven> then 10.10.10.4 is the static IP ? 12:42 < seven> and shouldn't I add some related line to server.conf 12:42 < seven> ? 12:42 -!- Snoopy [n=ubu@p54A16927.dip.t-dialin.net] has joined ##openvpn 12:42 -!- Timpa88 [i=timpa2@91.210.104.125] has joined ##openvpn 12:42 < seven> !static ip 12:42 < vpnHelper> seven: Error: "static" is not a valid command. 12:42 < seven> !ccd 12:42 < vpnHelper> seven: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 12:42 -!- Snoopy [n=ubu@p54A16927.dip.t-dialin.net] has quit [Client Quit] 12:43 < seven> !static 12:43 < vpnHelper> seven: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 12:43 < Bushmills> seven, just uncommenting client-config-dir ccd from server config should do 12:43 < seven> I'll try it now and feed you back 12:47 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"] 12:48 < seven> Bushmills 12:48 < seven> question 12:48 < seven> echo "ifconfig-push 10.10.10.4 10.10.10.5" > ccd/keyname 12:48 -!- troy is now known as troy- 12:49 < seven> which one is the static IP in here ? 12:49 < seven> ? 12:49 < seven> %! 12:49 < seven> $ 12:49 < seven> $$$$ 12:49 < seven> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 12:50 < seven> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 12:50 < Bushmills> seven, first. you can use netmask, for second. 12:50 < seven> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 12:50 < seven> aha 12:52 < seven> look 12:52 < seven> this is the server info 12:53 < seven> ip : a.b.c.d 12:53 < seven> gateway a.b.c.f 12:53 < seven> I have an empty IP 12:54 < seven> a.b.c.n 12:54 < seven> wish to forward it through ovpn 12:54 < seven> ccd exists 12:54 < seven> netmask : 255.255.255.128 12:54 < seven> what should I add to ccd/keyname ? 12:55 < seven> is this true : echo "ifconfig-push a.b.c.n 255.255.255.128" > ccd/keyname 12:56 < seven> and how the client would recognize the gateway 12:56 < seven> what is the gateway in this case ? 12:56 < seven> a.b.c.d OR a.b.c.f ? 12:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 12:56 < seven> and do we need to make some NATting job ? 12:57 < seven> Bushmills ? 12:58 < seven> ?!!???
12:58 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
12:58 < seven> anyone
13:00 < seven> 1
13:00 < seven> 2
13:00 < seven> 3
13:01 < seven> !ccd
13:01 < vpnHelper> seven: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
13:01 < seven> !iporder
13:01 < vpnHelper> seven: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
13:02 < seven> !ipp
13:02 < vpnHelper> seven: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
13:05 -!- seven_ [n=seven@193.164.131.45] has joined ##openvpn
13:05 -!- seven [n=seven@193.164.131.45] has quit [Read error: 54 (Connection reset by peer)]
13:09 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"]
13:09 < [4-tea-2]> ecrist: no ripd needed, indeed.
13:10 < ecrist> got it working?
13:10 < [4-tea-2]> well... uhm... a prototype. ;)
13:10 < ecrist> excellent!
13:10 -!- mnickels [n=mnickels@12.177.178.136] has quit [Read error: 110 (Connection timed out)]
13:11 < [4-tea-2]> I've been using static keys, so I don't have --up or ccds until I switch to TLS.
13:12 < [4-tea-2]> I think I realize now why Bushmills didn't understand me last night, when I complained that OpenVPN would not allow me to set routes dynamically. I guess the way I used it, it creates all interfaces and routes when the daemon is started,
13:13 < [4-tea-2]> and when using TLS it creates them "on demand" when a client establishes a connection?
13:13 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has joined ##openvpn
13:16 -!- seven_ [n=seven@193.164.131.45] has quit [Read error: 54 (Connection reset by peer)]
13:27 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
13:27 -!- freezer__ [n=freezer@sd-89-236.stud.uni-potsdam.de] has joined ##openvpn
13:27 < freezer__> hi
13:28 < freezer__> is there an SHA128 in openssl?
13:33 -!- mnickels [n=mnickels@12.177.178.136] has joined ##openvpn
13:34 -!- mnickels [n=mnickels@12.177.178.136] has quit [Client Quit]
13:38 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
13:56 -!- Kurogane [i=Kuro@190.53.8.79] has joined ##openvpn
13:58 < Kurogane> there are other port use openvpn? because i enable the port 1194 tcp/udp incoming and outgoing and still can't connect
14:00 -!- UtopiahGHML [n=libre@rps7452.ovh.net] has joined ##openvpn
14:00 < UtopiahGHML> !howto
14:00 < vpnHelper> UtopiahGHML: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:03 < UtopiahGHML> hi ##openvpn
14:05 < UtopiahGHML> I admit I only skimmed through the howto so if my question is ridiculous just burn me to flame but... I was wondering if I set up OpenVPN on my server running last Debian stable, if I change the config to run it on port 53 (having to DNS daemon started there) and point my openvpn client there, will I be able to browse the net as if I was on the server?
14:05 < UtopiahGHML> s/having to DNS/having no DNS/
14:07 < ecrist> sure, but you've got to have nat and routing properly configured.
14:11 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit [Read error: 54 (Connection reset by peer)]
14:12 < krzie> !default
14:12 < vpnHelper> krzie: (default ) -- Returns the default value of the configuration variable .
14:12 < krzie> err
14:12 < krzie> !redirect
14:12 < vpnHelper> krzie: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and
14:12 < vpnHelper> krzie: !ipforward)
14:13 < krzie> bleh i need to re-write that
14:13 < krzie> !factoids search ipforward
14:13 < vpnHelper> krzie: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward'
14:13 < krzie> !forget redirect
14:13 < vpnHelper> krzie: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them.
14:13 < krzie> !forget redirect
14:13 < vpnHelper> krzie: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them.
14:13 < krzie> !forget redirect
14:13 < vpnHelper> krzie: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them.
14:13 < krzie> !forget redirect *
14:13 < vpnHelper> krzie: Joo got it.
14:13 < krzie> grr sorry for the flood
14:14 < ecrist> /kickban krzie excess flood
14:14 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
14:15 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit]
14:15 < krzie> !learn redirect as to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:15 < vpnHelper> krzie: Joo got it.
14:16 < UtopiahGHML> !autoconfigure target=myserver from=readmybrain
14:16 < vpnHelper> UtopiahGHML: Error: "autoconfigure" is not a valid command.
14:16 < UtopiahGHML> :/
14:16 -!- albech [n=albech@119.42.78.75] has quit [Connection timed out]
14:18 -!- albech [n=albech@119.42.77.174] has joined ##openvpn
14:31 -!- Timpa88 [i=timpa2@91.210.104.125] has quit [Read error: 110 (Connection timed out)]
14:39 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:55 < seven__> !def1
14:55 < seven__> !def1
14:55 < vpnHelper> seven__: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:56 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has quit ["Leaving"]
14:56 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has joined ##openvpn
14:56 < seven__> !def1
14:56 < vpnHelper> seven__: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:01 < krzie> def1 def1 def1
15:01 * krzie does the def1 dance
15:10 < seven__> I am wondering if it is possible to route internet-resolvable IP using openvpn
15:10 < seven__> u think its possible ?
15:10 < seven__> ?!?
15:10 < krzie> as in: sending inet traffic through server?
15:11 < seven__> no
15:11 < Timpa88> Anyone here know any good VPN Service in Russia?
15:11 < krzie> Timpa88 negative
15:11 < Timpa88> :(
15:11 < seven__> why in russia ?
15:11 < krzie> but i dont know anything in russia
15:11 < krzie> except moscow
15:11 < seven__> I can help
15:11 < Timpa88> outside EU
15:11 < Timpa88> we can this stupid law
15:11 < seven__> wanna vpn service ?
15:11 < Timpa88> yes seven__
15:12 < seven__> talk to me on pm
15:12 < Timpa88> Ok!
15:12 < krzie> you can get a VPS and run your own
15:12 < Timpa88> yes
15:12 < Timpa88> i know
15:12 < Timpa88> but too expensive
15:12 < krzie> dougy sells them for $5/month
15:12 < Timpa88> we have go this new law
15:12 < Timpa88> and i need to get a vpn outside EU
15:12 < krzie> and he'd even setup openvpn too i believe
15:12 < krzie> (USA)
15:12 < ecrist> seven__: yes, it is
15:13 < Timpa88> otherwise we have to pay like 30000usd per movie we download
15:13 < Timpa88> and so on ...
15:13 < Timpa88> krzie: reverse dns? dedicated ip ?
15:13 -!- mode/##openvpn [+o ecrist] by ChanServ
15:13 <@ecrist> no warez, or mentions of it, please
15:13 < krzie> Timpa88 very likely both
15:13 -!- Timpa88 was kicked from ##openvpn by ecrist [ecrist]
15:13 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:13 < krzie> but Dougy is the person to ask
15:14 < krzie> ecrist what about my pirated copy of openvpn?
15:14 < krzie> ;]
15:14 -!- mode/##openvpn [-o ecrist] by ecrist
15:15 * krzie copies opensource software for personal use!
15:15 < krzie>
15:16 < ecrist> if I owned this server, that'd be worthy of a k-line, krzie. >:)
15:16 < krzie> damn i forgot to get the openbsd nat rules from epaphus
15:16 < krzie> hahah
15:16 < krzie> its opensource, cant be pirated for personal use!
15:16 < krzie> if its GPL it could be illegal to redistribute (without including the source code)
15:17 < krzie> but for personal use anything goes ;]
15:19 < seven__> I am wondering how to route internet-resolvable IP using openvpn
15:27 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn
15:28 < seven__> I am wondering how to route internet-resolvable IP using openvpn
15:33 < krzie> well, you might have to explain what you mean by that
15:33 < krzie> otherwise ill continue to have no clue what you're trying to say
15:35 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
15:37 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
15:40 -!- Timpa88 [i=timpa2@67.212.72.189] has joined ##openvpn
15:40 -!- Timpa88 [i=timpa2@67.212.72.189] has quit [Client Quit]
15:40 -!- Timpa88 [i=timpa2@67.212.72.189] has joined ##openvpn
15:41 -!- troy- is now known as troy
15:51 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has quit [Read error: 113 (No route to host)]
15:55 -!- Timpa88 [i=timpa2@67.212.72.189] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
15:57 -!- Timpa88 [i=timpa2@91.210.104.125] has joined ##openvpn
16:05 < plaerzen> if a pig loses its voice, is it disgruntled ?
16:06 -!- mode/##openvpn [+o ecrist] by ChanServ
16:06 -!- plaerzen was kicked from ##openvpn by ecrist [ecrist]
16:06 -!- mode/##openvpn [-o ecrist] by ecrist
16:06 < ecrist> he deserved it.
16:06 < ecrist> muahahaha!
16:06 < Timpa88> power abuser
16:07 -!- unix3_ [n=unix3@190.10.68.228] has quit [Client Quit]
16:08 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:08 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
16:09 < epaphus> hello all
16:09 < epaphus> krzee, u there?
16:10 * plaerzen peers around at everyone and starts spreading anti-ecrist sentiment by calling him little hitler... or perhaps ecristler
16:12 < ecrist> lol
16:14 -!- c64zottel [n=hans@p5B17ACFD.dip0.t-ipconnect.de] has quit ["Leaving."]
16:16 < krzie> ecristler
16:16 < krzie> LOL
16:23 * plaerzen takes a bow.
16:24 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
16:35 -!- Timpa88 [i=timpa2@91.210.104.125] has quit [Read error: 110 (Connection timed out)]
16:40 < Bushmills> plaerzen, i think most people here simply ignore ecrist
16:45 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:45 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
16:47 -!- MarcWeber [n=marc@88.80.200.63] has left ##openvpn []
17:01 < ecrist> Bushmills: that cuts deep...
17:01 < ecrist> krzie: just got back from the range. another bullseye, first shot on target!
17:01 < krzie> nice bro
17:01 < ecrist> 7yds, .40
17:02 < krzie> might be time to backup some
17:02 < ecrist> I did. I'm not so good at 17yds
17:03 < ecrist> out of 49 rounds, only 44 hit paper.
17:03 < krzie> i am with the right gun, but not the avg one
17:03 < krzie> my buddy has a SWEET 45 (totally cant remember the model)
17:03 -!- r_001 [n=r_001@86.99.14.155] has joined ##openvpn
17:03 < krzie> but each piece was made together
17:03 < krzie> has the exact same serial on every piece
17:03 < krzie> also rather expensive
17:03 < krzie> but that thing is SOOOO accurate
17:04 < r_001> how can I use VPN for internet browsing ?
17:04 < krzie> r_001 by reading the topic
17:04 < ecrist> I was wrong 43/49 hit paper, 38 were scoring rounds
17:05 < r_001> krzie: can you send me the topic please
17:05 < krzie> type /topic
17:05 < ecrist> this was rapid fire, too, though. and 1/2 were one handed, 1/2 of those being weak-side
17:05 < krzie> oh damn
17:05 < krzie> i never shoot 1 handed weak side
17:06 < krzie> i bet none would hit from 17 yrds left handed
17:06 < krzie> lol
17:06 < ecrist> hehe
17:06 < ecrist> well, some had to, but those are probably my misses.
17:06 < r_001> !howto enter username
17:06 < vpnHelper> r_001: Error: "howto" is not a valid command.
17:07 < krzie> lol
17:07 < krzie> ok lets do it like this
17:07 < r_001> krzie: what's the free username and password for CISCO free VPN Server ?
17:07 < krzie> heres the howto:
17:07 < krzie> umm dude
17:07 < krzie> cisco uses ipsec
17:07 < krzie> !notcompat
17:07 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
17:07 < r_001> howto: user CISCO ?
17:07 < krzie> no no
17:07 < krzie> !howto
17:07 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:08 < krzie> you CAN NOT use cisco's client with openvpn
17:08 < krzie> !redirect
17:08 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:10 < r_001> krzie: now I convert to OPENVPN, but it ask for Certificate files
17:10 < r_001> what is that ??
17:10 < krzie> !howto
17:10 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:15 < r_001> krzie: I can't find the import type file at the howto
17:15 < krzie> import?
17:15 < r_001> yes
17:15 < krzie> forget about EVERYTHING that had to do with your ipsec setup
17:16 < krzie> you get to start over if you are moving to openvpn
17:16 < krzie> !notcompat
17:16 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
17:16 < r_001> I'm using kVPN
17:16 < krzie> is that openvpn?
17:16 < krzie> ...
17:16 < r_001> yes, it's a GUI for openVN
17:16 < r_001> openVPN
17:16 < krzie> then why does anything need to be imported...
17:18 < r_001> the certificate file
17:18 < krzie> if you're already using openvpn, you dont need to import anything
17:21 * ecrist HAHAs at krzie
17:21 < r_001> krzie: I didn't use it before, it's my first time
17:22 < r_001> what are the certificate file types ?
17:22 < plaerzen> .crt
17:23 < plaerzen> krzee, does openvpn connect to Suspension bridge? I have one near my house I would like to network to all my kittens.
17:38 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
17:39 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has quit [Client Quit]
17:43 < krzie> hahahah plaerzen
17:43 < krzie> you're on a roll lately
17:44 < krzie> r_001 either read the howto or read the howto
17:44 < krzie> or, read the howto
17:45 -!- freezer__ [n=freezer@sd-89-236.stud.uni-potsdam.de] has left ##openvpn ["Leaving"]
17:48 -!- atglenn [n=atglenn@wiktionary/ArielGlenn] has joined ##openvpn
17:53 -!- r_001 [n=r_001@86.99.14.155] has quit [Read error: 113 (No route to host)]
17:55 < epaphus> krzie, so.. if I have multiple clients on 1 machine.. and multiple NICs .. the best way to route each is through a NAT... right...?
17:56 < epaphus> this would be the first time i do this on the client machine
17:58 < epaphus> actually I would NAT each NIC to the corresponding TUN...
18:03 < epaphus> I am going to create two client.conf ... one will be TUN1 AND TUN0.. would openvpn know however not to assign them the same IPs?
18:12 -!- alami [n=up@unaffiliated/alami] has joined ##openvpn
18:13 < alami> !howto
18:13 < vpnHelper> alami: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:14 < krzie> epaphus i have no clue what you're trying to say, but i heavily suggest you learn networking if you plan on setting up VPNs for profit
18:14 < krzie> seeing as we arent getting a cut
18:14 < krzie> of course if you feel like cutting someone in, im sure that person would be happy to continue being your personal walkthrough for every business you set these up for
18:20 < epaphus> krzie, you kidding me right?
18:20 < epaphus> please tell me you are.
18:21 < epaphus> krzee, I am so sorry then.... I guess you should put that in the topic... No help if you are setting up VPNs in your job.. or perhaps contact the users of any linux distro... to see if they use it in production use... and tell them they need to pay
18:22 < epaphus> of course..everybody in this channel sets up VPNs only for personal use.
18:22 < krzie> dude
18:22 < epaphus> its not about where you use it.. its a matter of learning and sharing that... opensource wouldnt be as big as it is if it wasnt for that
18:23 < krzie> you keep asking the same stuff, cause you dont care to learn
18:23 < krzie> you only care to get it setup
18:23 < krzie> then you come back and ask the same type of stuff again for the next job, cause you didnt learn
18:23 < krzie> it gets old
18:24 < epaphus> dude you dont know the case... you're just annoyed I am #6 in the IRC stats for more active hehe.. but believe me... I dont ask the same questions... its similar.. but not the same.. yes they do have to do with routing.
18:24 < epaphus> anyways, thanks for the help.
18:25 -!- afonso [n=afonso@bl6-118-240.dsl.telepac.pt] has joined ##openvpn
18:26 -!- afonso [n=afonso@bl6-118-240.dsl.telepac.pt] has left ##openvpn []
18:27 < krzie> maybe im the only one who feels this way, we'll see by the amount of response
18:52 < dan__t> Suck my balls.
18:53 < dan__t> How's that for a response?
18:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:54 < krzie> that was like mine, but short and sweet
19:13 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)]
19:13 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:14 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
19:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
19:30 < dan__t> hha
19:30 < dan__t> so I'm not going to maintain a CRL as I thought I would.
19:31 < dan__t> I'm just not going to create a ccd, and use ccd-exclusive
19:44 -!- albech [n=albech@119.42.77.174] has quit [Read error: 104 (Connection reset by peer)]
20:09 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"]
20:10 -!- atglenn [n=atglenn@wiktionary/ArielGlenn] has quit ["Leaving."]
20:13 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:13 -!- theDoc [n=andelyx@119.73.165.162] has quit [Client Quit]
20:13 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:15 -!- albech [n=albech@119.42.77.174] has joined ##openvpn
20:40 < zheng> #join #php
21:12 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
21:43 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn
21:45 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa
21:47 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: HardDisk_WP
21:54 -!- Netsplit over, joins: pa
21:54 -!- Netsplit over, joins: HardDisk_WP
22:01 < zheng> TUN is short for tunnel, and TAP is short for what?
22:16 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit []
--- Day changed Fri Apr 17 2009
00:07 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:17 -!- troy [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
00:19 < reiffert> zheng: http://en.wikipedia.org/wiki/TUN/TAP
00:19 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
00:20 < zheng> vpnHelper, Thx, Could you pls give a simple text info about TAP? TAP = what? because I cannot read wikipedia.org, I only use IRC.
00:20 < vpnHelper> zheng: Error: "Thx," is not a valid command.
00:20 < zheng> Thx.
00:21 < zheng> vpnHelper is a robot?
00:21 < vpnHelper> zheng: Error: "is" is not a valid command.
00:21 < zheng> reiffert, pls?
00:23 < reiffert> cant read wikipedia? why is that?
00:23 < theDoc> TAP = network tap
00:23 < theDoc> Simulation of an ethernet device
00:25 < zheng> isee, TAP is not an abbrev, just an analogy symbol. Thanks.
00:27 < reiffert> zheng: dies your government filter out wikipedia even for shanghai?
00:27 < reiffert> does
00:27 < zheng> reiffert, no, not government, it's our company limit,
00:28 < zheng> I cannot use www now.
00:28 < zheng> You know I'm from shanghai?
00:29 < reiffert> 07:29 [freenode] -!- zheng [n=zheng@222.66.224.110]
00:29 < reiffert> whois 222.66.224.110
00:29 < zheng> oic,
00:29 < reiffert> inetnum: 222.66.224.104 - 222.66.224.111
00:29 < reiffert> netname: ACTION-TEC
00:29 < reiffert> descr: Action Tec(Shanghai) Co., Ltd.
00:50 -!- troy [n=troy@worldnet.tauri.ca] has joined ##openvpn
01:27 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: M06w, krzie, worch, Dougy, xor|, theDoc, Gumbler, tarbo2, ghoti, row, (+47 more, use /NETSPLIT to show all of them)
01:28 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn
01:29 -!- Netsplit over, joins: krzee, ghoti, Alagar, HardDisk_WP, pa, tjz, albech, theDoc, ropetin, alami (+47 more)
01:37 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
01:38 -!- nemysis [n=nemysis@137-215.3-85.cust.bluewin.ch] has joined ##openvpn
01:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
02:02 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection]
02:37 < onats2> hehehe
02:42 -!- Cronix [n=bigluks@et-1-16.gw-nat.bs.ka.oneandone.net] has joined ##openvpn
02:46 < Cronix> hi
02:46 < Cronix> my openvpn client isnt creating a tun / tap device
02:47 < Cronix> running debian lenny 32bit
02:47 < Cronix> kernel 2.6.26-1-686
02:49 < Cronix> on the server machine it starts and gives me an SIOCADDRT: File Exists
02:50 < Cronix> but it creates the Tun0 device on that machine
02:52 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)]
02:52 -!- alami_ [n=up@p57A74150.dip.t-dialin.net] has joined ##openvpn
02:53 -!- alami_ is now known as alami
03:24 < Cronix> this is my client config: http://pastebin.com/m510857f2
03:27 < Cronix> this is the startup logfile: http://pastebin.com/m7635edcb
03:29 < Cronix> http://pastebin.com/m24b75415
03:30 < Cronix> my ifconfig output
03:32 < Cronix> that was the clientside
03:32 < Cronix> serverside files:
03:33 < Cronix> Log: http://pastebin.com/m1fc417fe
03:33 < Cronix> config:
03:33 < Cronix> http://pastebin.com/m56f4515c
03:34 < Cronix> ifconfig: http://pastebin.com/m73251dc7
03:34 < Cronix> anything else u need to help me?
03:36 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has joined ##openvpn
03:51 -!- bandini [n=bandini@host115-106-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
04:05 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn
04:21 -!- Patrik [n=none@81-233-255-230-no13.business.telia.com] has joined ##openvpn
04:21 -!- Patrik is now known as Guest89974
04:27 < Guest89974> Hi, I'm trying to connect to my ubuntu openvpn server (2.1-rc7) with a windows vista/xp client (ver 2.0.9) but ran into some trouble. "LS Error: TLS key negotiation failed to occur within 60 seconds". Are the certificates wrong or something?
04:30 -!- zheng3 [n=roger@222.66.224.106] has joined ##openvpn
04:30 -!- zheng3 [n=roger@222.66.224.106] has quit [SendQ exceeded]
04:31 -!- zheng3 [n=roger@222.66.224.106] has joined ##openvpn
04:31 -!- zheng3 [n=roger@222.66.224.106] has left ##openvpn []
04:32 -!- zheng3 [n=roger@222.66.224.106] has joined ##openvpn
04:32 < Guest89974> I also get "WARNING: No server certificate verification method has been enabled." But when following the link in the error message I cannot add the "remote-cert-tls server". It says the option isn't valid.
04:32 < zheng3> hi,
04:33 < zheng3> why TAP's internal routing is based MAC addr, but TUN's internal route is based IP addr?
04:37 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:40 < dazo> zheng3: TAP goes on Layer2 in the OSI stack, iirc ... while TUN goes higher up and does only IP related stuff .... TAP cannot do anything else than MAC, while TUN could probably do both, but as only IP is supported, IP routing is simpler 04:41 < dazo> Guest89974: you probably want to look into --tls-remote instead 04:42 < Cronix> im kinda going crasy here 04:42 < Cronix> it isnt working on my client ;( 04:42 < Cronix> server works like a charm 04:42 < dazo> Guest89974: regard. your key negotiation failure .... try upgrading to 2.1_RC15 ... preferably on both server and client side first 04:42 < Cronix> but i cant get my client to create a tun0 device 04:43 < dazo> Cronix: Using debian on both client and server? 04:43 < Cronix> jup 04:43 -!- Guest89974 is now known as patrik 04:43 * dazo looks 04:43 < Cronix> ^^ 04:43 < patrik> dazo, Ok, I'll take a look 04:43 < Cronix> but kernel of server is diffrent 04:44 < zheng3> dazo, thanks in advance, but I think TAP can also deal L3 packet(IP),so it can unified the intenal ROUTING query method, right? 04:44 < Cronix> client haz 2.6.26 and server haz 2.6.24 04:44 < dazo> Cronix: usually not a problem .... if you have the tun module available and loadable on your client 04:44 < Cronix> i can make 04:44 < Cronix> modprobe tun 04:44 < Cronix> without any problem 04:45 < Cronix> and lsmod | grep tun gives me an valid output 04:45 < Cronix> so tun module is defenetely loaded 04:45 < dazo> Cronix: goodie 04:45 < Cronix> but it wont show up on ifconfig 04:45 < Cronix> and 04:45 < Cronix> ifup tun0 dun works 2 04:46 -!- bandini [n=bandini@host115-106-dynamic.45-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 04:46 < dazo> Cronix: silly question ... but you try to start openvpn client as root? .... 
just needs to be 120% sure 04:46 < Cronix> su && /etc/init.d/openvpn start 04:47 < dazo> Cronix: goodie 04:47 < Cronix> http://pastebin.com/mf20750a 04:47 < Cronix> ifup tun0 output 04:47 < dazo> can you increase verb on your client to 5 ... and then share that result? 04:47 < Cronix> sure 04:47 < zheng3> because after decrypt the cypher packet, TAP can deal the L2 + L3 packet,~ 04:48 < Cronix> omg 04:48 < Cronix> now THATS a huge logfile 04:48 < dazo> Cronix: not as bad as with verb 9 ;-) 04:50 < Cronix> xD 04:50 < dazo> zheng3: TAP goes lower down in the OSI stack, so it can handle all kind of protocols, AppleTalk, IPX, IPv6, whatever .... while TUN is only "scratching the surface", only supporting IP traffic .... so TAP will support any protocols higher up in the OSI stack 04:50 < Cronix> ok here it is 04:50 < Cronix> http://pastebin.com/m4274bdec 04:51 < dazo> zheng3: But the disadvantage with TAP is that you get much more overhead 04:51 < dazo> !tunortap 04:51 < vpnHelper> dazo: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 04:51 < Cronix> hmm 04:51 * dazo looks at logs again 04:52 < Cronix> ^^ 04:52 < dazo> Cronix: seems fine for me .... no errors here .... and you still do not get any tun device at all? 04:52 < Cronix> nope 04:53 < Cronix> just 04:53 < Cronix> eth0, eth1 and lo 04:53 < zheng3> daze, isee, isee, you means TAP can be able to not ONLY ip packets, so it's HASH key is MAC hw, 04:53 < Cronix> eth0 and eth1 are physical existing network cards 04:53 < Cronix> and lo the loopback localhost thing 04:53 < zheng3> thx!!! 04:53 < Cronix> nothing else 04:54 < theDoc> Oh wtf. 04:54 < theDoc> tpb lost their case. 04:54 < theDoc> >_> 04:54 < Cronix> w00t 04:56 < Cronix> how u know? 04:58 < dazo> zheng3: yeah, on layer2 in the OSI stack, MAC address is the key to establish contact 05:00 < dazo> theDoc: tpb lost!?!? 
.... well, Sweden is becoming worse and worse in the technical world ... they're even doing packet inspection on all internet traffic passing the country :( 05:00 < zheng3> daze, I get it now, thx again. another question, why TUN can check whether virtual IP is changed? but TAP dont check virtual MAC address changed? 05:01 < zheng3> dazo, sorry~ for my wrong spelling 05:01 < theDoc> dazo: vpn's will be the in thing very shortly:) 05:01 < Cronix> jep 05:01 < Cronix> xD 05:01 < theDoc> Thankfully, I already run a small scale ip vpn company ;p 05:01 < Cronix> i need my vpn to work 05:01 * theDoc ducks 05:01 < Cronix> ;( 05:03 < dazo> zheng3: That's kind of right, as OpenVPN has it's own internal ARP table, so when the VPN IP address changes, it learns which MAC is connected to which IP .... but I've never experienced that a already assigned VPN IP address is changed during a session, but that might be that I haven't experienced OpenVPN in a large scale setup 05:05 < zheng3> dazo, thx for your help 05:05 < dazo> Cronix: I really do not see what's happening on your box at all ... it seems like the tun/tap driver is not working properly ... 05:06 < Cronix> is there any way i can fix that`? 05:06 < dazo> Cronix: do you have /dev/net/tun ? 05:06 < Cronix> lwdeb:/etc/openvpn# cat /dev/net/tun 05:06 < Cronix> cat: /dev/net/tun: Die Dateizugriffsnummer ist in schlechter Verfassung 05:06 < Cronix> lwdeb:/etc/openvpn# 05:06 < Cronix> hmm 05:06 < Cronix> WTF 05:07 < Cronix> Die Dateizugriffsnummer ist in schlechter Verfassung = the fileaccessnumer is in a bad mood 05:07 < Cronix> like that 05:07 < Cronix> what could THAT mean? o0 05:07 < dazo> Cronix: as long as you have that file ... 
it's fine 05:07 < Cronix> kk+ 05:07 < dazo> Cronix: no, that's a correct state 05:07 < Cronix> alright 05:07 < dazo> Cronix: # cat /dev/net/tun 05:07 < dazo> cat: /dev/net/tun: File descriptor in bad state 05:07 < Cronix> yeah right 05:07 < dazo> But it works on my box 05:07 < Cronix> hmm 05:08 < Cronix> with my client config? 05:08 < dazo> Cronix: I see you are running 2.1_rc11 ... try upgrading to rc15 first 05:08 < Cronix> what? 05:08 < Cronix> how? 05:08 < dazo> Cronix: at first glance, your client config seems sensible 05:08 < Cronix> where? 05:08 < Cronix> sensible? 05:08 < Cronix> what kind of sensible? 05:09 < dazo> Cronix: if it's not in Debian repos .... you can compile it yourself .... it's pretty easy, you need lzo-dev and openssl-dev packages .... and the source from http://www.openvpn.net/ 05:09 < vpnHelper> Title: Welcome to OpenVPN (at www.openvpn.net) 05:09 < dazo> Cronix: client config looks fine 05:09 < Cronix> k 05:09 < Cronix> hm 05:09 < Cronix> is there an svn? 05:09 < Cronix> xD 05:10 < Cronix> pub svn 4 checkout 05:10 < dazo> Cronix: yeah ... but it's quicker to pull the tar ball ..... curl http://openvpn.net/release/openvpn-2.1_rc15.tar.gz | tar xzvf - 05:11 < Cronix> -curl +wget 05:11 < Cronix> have no curl installed 05:12 -!- zheng3 [n=roger@222.66.224.106] has quit [Remote closed the connection] 05:12 < dazo> Cronix: heh ... then you can't unpack on the fly :-P ... but wget works as well 05:12 < Cronix> ^^ 05:12 < Cronix> and on debian 05:12 < Cronix> it's not openssl-dev 05:12 < Cronix> it's 05:12 < Cronix> libssl-dev 05:13 < dazo> ahh ... well, you caught my main point :) 05:13 < Cronix> ^^ 05:14 < dazo> there are a billion distros available ... 
I have no intent to learn all of them, only those I want to use myself, and I expect others to know how to handle the distro of their choice ;-) 05:15 < Cronix> ^^ 05:15 < Cronix> i have 4 PC's here 05:15 < Cronix> @ work 05:15 < Cronix> xD 05:15 < Cronix> 2debian, 1mac g3 and 1 dell with win 7 05:15 * dazo goes for lunch 05:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:44 -!- patrik [n=none@81-233-255-230-no13.business.telia.com] has quit [Read error: 113 (No route to host)] 05:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:01 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 06:07 -!- youngpro is now known as pro 07:14 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection] 07:39 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 110 (Connection timed out)] 07:39 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 07:42 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has joined ##openvpn 07:47 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has quit [Client Quit] 07:47 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 07:48 -!- EQUIV [n=equiv@217-210-188-35-no110.tbcn.telia.com] has joined ##openvpn 07:49 < EQUIV> can I have a VPN server through a vpn tunnel? 07:50 < EQUIV> I want to split another vpn connection so that more than one can be connected at the same time 07:50 < EQUIV> is that possible? 07:50 < ecrist> sure 07:51 < ecrist> but there are potential mtu issues 07:51 < EQUIV> How do I set up the default gateways? 07:51 < ecrist> it's covered in the man page 07:51 < ecrist> or how to 07:53 < EQUIV> How do I get pptpd to listen on ppp0? 07:54 < ecrist> sorry, we don't support pptp in here. 
07:54 < EQUIV> Okay :/ 07:54 -!- EQUIV [n=equiv@217-210-188-35-no110.tbcn.telia.com] has left ##openvpn ["Lämnar"] 08:46 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:55 -!- seven_ [n=seven@193.164.131.45] has joined ##openvpn 08:56 < seven_> Hi there, do you know a good howto for forwarding a resolvable internet static IP to a client over openvpn ? thank you 08:56 < ecrist> seven_: didn't you ask that question yesterday? 08:57 < seven_> sure 08:57 < seven_> but got no answer 08:57 < seven_> do you have one ? 08:57 < ecrist> forwarding resolvable ips is no different than 1918 addresses 08:57 < seven_> look 08:57 < seven_> I could forward those IPs 08:58 < seven_> but server dd not deal with them 08:58 < seven_> did 08:58 < ecrist> sure it does. 08:58 < seven_> they had the IP with no internet 08:58 * plaerzen waves. 08:58 < ecrist> I've done it myself, and I know people who did it. 08:58 < seven_> very nice 08:58 < ecrist> seven_: then you're missing the proper routing on the server end. 08:58 < ecrist> morning, plaerzen 08:58 < seven_> could you give me a copy of the config files 08:59 < ecrist> seven_: they're no different than regular config files 08:59 < seven_> should be natted first then ? 08:59 < ecrist> nat isn't required 08:59 < ecrist> just proper routing 08:59 < seven_> should I put the config here ? 09:00 < ecrist> what am I going to do with it? 09:00 < seven_> well 09:00 < seven_> find the mistake 09:00 < seven_> if it exists 09:00 < ecrist> sure, but you haven't really told me your problem. 
09:00 < ecrist> !configs 09:00 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:01 < seven_> my problem is : I want to forward a Resolvable static IP 09:01 < seven_> couldn't achieve that 09:01 < seven_> look 09:02 < seven_> I have this in my server.conf : 09:02 < seven_> client-config-dir ccd 09:02 < seven_> route the.static.IP subnet 09:02 < seven_> that was in the server.conf 09:02 < ecrist> seven_: have you read this? 09:02 < ecrist> !route 09:02 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:03 < seven_> then I have an error here ? 09:04 < seven_> I have at the ccd/keyname : 09:05 < ecrist> seven_: have you read the link I posted above? 09:05 < seven_> ifconfig-push the.static.IP subnet 09:05 < seven_> I am 09:05 < ecrist> read it, completely, then come back 09:05 < seven_> ok thanks 09:06 < theDoc> hello all 09:09 < seven_> welcome 09:14 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn 09:18 < ecrist> lol 09:18 < ecrist> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=19246 09:18 < vpnHelper> Title: www.centos.org - Forums - CentOS 5 - Networking Support - please help to configure openvpn and routing (at www.centos.org) 09:22 < epaphus> good morning all :) 09:27 < plaerzen> g'morning 09:28 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 09:36 < plaerzen> So. How is everyone this fine spring Friday ? 09:37 < ecrist> friggin' fantastic! 09:37 -!- gerente [i=gerente@189.96.241.121] has joined ##openvpn 09:37 < ecrist> I get to round up drunks tonight on a 'safe and sober' detail. 
mauahahaha 09:37 < ecrist> warm weather = drunk driving 09:39 < gerente> Hi, I created a small C program to run in the --up option, this example opens and writes text in a file and returns 0, but openvpn always says: script failed: returned error code 1 09:40 < ecrist> my guess is it's failing. 09:40 < gerente> ecrist: yes, but how do I debug it? 09:41 < ecrist> not sure, really 09:41 < ecrist> what're you doing that you need a binary for the up script? 09:41 -!- damcgett [n=chatzill@mail.voxpilot.com] has joined ##openvpn 09:42 < dazo> gerente: the C program needs to send return 1 or return 0 in the main function to work 09:43 < plaerzen> ecrist, The joys of living right smack downtown. I can stumble home from all the best places. 09:43 < dazo> gerente: I've done this as an experiment earlier, and it worked like a charm .... 09:43 < dazo> gerente: try to create a test program ... which only does return 0 in the main function .... 09:43 < gerente> dazo: hum.. ok 09:44 < dazo> gerente: if that fails ... it might be an issue with the openvpn config .... depends on which version you're running 09:45 < damcgett> Hey, I'm wondering if the following might be possible: I have an openvpn server and a remote client, connection is working fine. Is it possible to configure a route so that other machines on the same network as the remote client can use its vpn connection to access resources on the lan of the vpn server? 
09:46 < ecrist> yes 09:46 < ecrist> you just need to do one of two things 09:47 < ecrist> 1) setup nat on the vpn client for the local lan and enable ip forwarding in the kernel, and route the appropriate network 09:47 < ecrist> or 2) read here 09:47 < ecrist> !route 09:47 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:48 -!- Cronix [n=bigluks@et-1-16.gw-nat.bs.ka.oneandone.net] has quit [Remote closed the connection] 09:50 < gerente> dazo: ok, only return 0 and script-security 2 work fine... 09:51 < dazo> gerente: that sounds sensible 09:52 < damcgett> option one sounds good, but the client is using windows xp.. 09:52 -!- seven_ [n=seven@193.164.131.45] has quit [Read error: 104 (Connection reset by peer)] 09:53 -!- seven_ [n=seven@a196-6.adsl.paltel.net] has joined ##openvpn 09:56 < seven_> hi again 09:57 < seven_> hello ? 09:58 * dazo warns seven_ that we don't jump on people's commands ... we are here and answer when we get questions we can answer 09:59 < seven_> ? 09:59 < seven_> I did not understand 09:59 < seven_> what is my mistake to be warned ? 10:00 < seven_> anyway 10:00 < seven_> I need working configs 10:00 < seven_> for forwarding resolvable internet static IPs 10:01 < seven_> and I'll give annual webhosting for free for it 10:07 < [4-tea-2]> seven_: do you have a working VPN connection? 10:08 < seven_> sure 10:08 < seven_> and I can redirect my connection over it 10:09 < [4-tea-2]> seven_: the static IP is routed to the VPN server? 10:09 < seven_> I am not sure 10:09 < seven_> can I give you the configs 10:09 < seven_> so you can check it ? 10:09 < [4-tea-2]> I can traceroute the static IP for you and tell you what's the last hop I see. 10:10 < seven_> but I can't reveal them here, can we continue on private ? 10:10 < [4-tea-2]> If that is your VPN server, you should be good. If not, then not. 
10:10 < [4-tea-2]> You can /msg me, if you want. 10:10 < seven_> its my server 10:10 < seven_> and my server 10:10 < seven_> service 10:10 < seven_> may I pm you ? 10:10 < [4-tea-2]> Yes. 10:11 < seven_> thanks 10:31 * plaerzen just poked a paper clip through his eyebrow 10:32 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:51 < ecrist> and, krzee is a bitch, so I wouldn't listen to that advice 10:52 < krzee> hah sucks that my advice was to send ecrist $ then 10:52 < ecrist> doh! 10:52 < krzee> speaking of which, i need to do that pretty soon here 10:53 < krzee> i figure ill have you ship that one tower first 10:53 < krzee> so i can toss both in together 10:53 < ecrist> ok 10:53 < krzee> (both payments) 10:53 < ecrist> http://secure-computing.net/files/04162009_bullseye.jpg 10:53 < ecrist> another one, yesterday. :D 10:54 < krzee> haha 10:54 < krzee> you're just a 007 10:54 < ecrist> I'm going to start shooting at further distances now. 10:56 < krzee> makes sense 10:57 * plaerzen prefers "Riker" 10:57 < plaerzen> I started out as 007, then I got good with the ladies. 10:57 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 11:00 -!- troy is now known as troy- 11:23 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 11:49 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 11:54 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 11:54 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 12:01 -!- gerente [i=gerente@189.96.241.121] has quit [Client Quit] 12:02 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn 12:02 < hagna> the server says MULTI: bad source address from client [10.1.2.60], packet dropped when pinged from the client 12:03 < hagna> why is it checking? 
12:11 < hagna> I added a route for it on the server with "ip route add" 12:17 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn 12:21 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 12:21 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 12:23 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 12:27 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 12:28 -!- seven_ [n=seven@a196-6.adsl.paltel.net] has quit ["Leaving"] 12:38 < unix3_> hmm.. is it ok if I remove this when starting up my client.. i dont understand what difference it would make.. --management-hold "Start OpenVPN in a hibernating state, until a client of the management interface explicitly starts it with the hold release command." 12:43 < hagna> ok so I can route to the client machine at 10.132.0.4, but not the client subnet of 10.1.0.0/16 from the server half of the connection 13:04 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has left ##openvpn [] 13:09 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn 13:10 -!- eliasp [n=quassel@78.43.213.203] has quit [Dead socket] 13:13 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 13:14 -!- eliasp__ [n=quassel@78.43.213.203] has joined ##openvpn 13:15 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 104 (Connection reset by peer)] 13:15 -!- eliasp_ [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."] 13:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 13:18 -!- unix3_ [n=unix3@190.10.68.228] has quit [Client Quit] 13:25 -!- hoops125 [n=hoops125@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has joined ##openvpn 13:25 < hoops125> !redirect 13:25 < vpnHelper> hoops125: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see 
!ipforward) and NAT (see !nat) enabled on the server. 13:27 < hoops125> What exactly does the bypass-dns directive do? I have it enabled with --redirect-gateway, though all my dns traffic is not going through the vpn 13:29 < hoops125> !nat 13:29 < vpnHelper> hoops125: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 13:30 < hoops125> !ipforward 13:30 < vpnHelper> hoops125: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 13:30 < hoops125> !linipforward 13:30 < vpnHelper> hoops125: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 13:30 < hoops125> !def1 13:30 < vpnHelper> hoops125: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:30 < hoops125> !man 13:30 < vpnHelper> hoops125: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:39 -!- troy- is now known as troy 13:41 -!- hoops125 [n=hoops125@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has left ##openvpn [] 13:45 < ecrist> who's the bitch, now? 14:15 -!- albech [n=albech@119.42.77.174] has quit [Read error: 110 (Connection timed out)] 14:15 -!- albech [n=albech@119.42.77.112] has joined ##openvpn 14:16 < plaerzen> you? 
14:32 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has joined ##openvpn 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:48 < [4-tea-2]> How do I execute scripts when the VPN connection is actually established? 14:49 < Bushmills> [4-tea-2], call scripts by name 14:49 < [4-tea-2]> Ah, got it. 14:50 < [4-tea-2]> on the client, with --up-delay, on the server with --client-connect 14:50 < [4-tea-2]> ...I think. 14:50 < [4-tea-2]> But the man page fooled me more than once. ;) 14:51 < [4-tea-2]> Bushmills: what did you mean, can I just call the scripts from the ccd file? 14:51 < [4-tea-2]> (I already set --script-security 2) 14:52 < Bushmills> i misunderstood. thought, connection has been established, and now you want to execute scripts 14:52 < Bushmills> wasn't clear you intended to execute script upon connection 14:54 < [4-tea-2]> I'm still trying to reuse a static IP for a local connection and a VPN connection. 14:55 < [4-tea-2]> Since I used the setup from the "Static Key Mini Howto", that meant I couldn't do the route magic I needed from OpenVPN and had to do it with a shell script instead. 14:57 < [4-tea-2]> Now I've switched to ca keys, with server and client, and I'm trying to put the script stuff in the OpenVPN config, in order to get rid of the shell script. 
15:01 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."] 15:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:03 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 16:12 -!- onats2 [n=15172@221.121.120.254] has quit [Read error: 104 (Connection reset by peer)] 16:15 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 16:32 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 16:55 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has quit ["Leaving."] 17:02 -!- damcgett [n=chatzill@mail.voxpilot.com] has quit [Read error: 113 (No route to host)] 18:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 18:30 < krzie> [4-tea-2] what pastebin the script 18:38 < krzie> -what 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:02 < dan__t> what's up. 
19:08 < krzie> what what 19:08 < krzie> in the butt 19:09 < krzie> i said what what 19:09 < krzie> in the butt 20:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 21:39 -!- nemysis [n=nemysis@137-215.3-85.cust.bluewin.ch] has quit [Success] 21:39 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has joined ##openvpn 21:44 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has joined ##openvpn 21:44 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has quit [Client Quit] 21:44 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 23:55 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn --- Day changed Sat Apr 18 2009 00:05 -!- alami_ [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 00:06 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 00:14 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 00:23 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 00:27 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 00:29 -!- Techdeck [n=meh@IGLD-84-228-21-28.inter.net.il] has joined ##openvpn 00:29 < Techdeck> hey fellas 00:30 < Techdeck> I set up an openvpn server just like instructed in the gentoo wiki, I also set up the client and started it / connected to my server 00:30 < Techdeck> it seems my connection to the server is fine, I can even ping myself (10.8.0.6) with no problems through the server 00:30 < Techdeck> problem is, I cannot ping 10.8.0.1 from the client side, and when I go to whatismyip.com I still have my IP, and not the server one 00:30 < Techdeck> any ideas what is the problem? 00:31 < Techdeck> http://en.gentoo-wiki.com/wiki/OpenVPN <-- the gentoo wiki, by the way 00:31 < vpnHelper> Title: OpenVPN - Gentoo Linux Wiki (at en.gentoo-wiki.com) 00:32 < Techdeck> anyone around? 
00:44 < Techdeck> come on :9 01:04 -!- onats_ [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 01:05 -!- theDoc [n=andelyx@208.99.194.194] has quit [] 01:07 -!- albech [n=albech@119.42.77.112] has quit [Read error: 104 (Connection reset by peer)] 01:21 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 01:31 < krzee> you can't ping .1 means firewall problem 01:31 < krzee> on the server 01:31 < krzee> !linfw 01:31 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 01:32 < krzee> (the first part of the topic told you to check your firewall ;] ) 01:34 -!- Techdeck` [n=meh@Techdeck.org] has joined ##openvpn 01:40 -!- Techdeck [n=meh@IGLD-84-228-21-28.inter.net.il] has quit [Read error: 104 (Connection reset by peer)] 01:41 -!- Techdeck [n=meh@84.228.21.28] has joined ##openvpn 01:42 -!- Techdeck [n=meh@84.228.21.28] has quit [Read error: 54 (Connection reset by peer)] 01:42 -!- Techdeck [n=meh@84.228.21.28] has joined ##openvpn 01:44 -!- Techdeck` [n=meh@Techdeck.org] has quit [Read error: 104 (Connection reset by peer)] 01:48 -!- Techdeck [n=meh@84.228.21.28] has quit [Read error: 104 (Connection reset by peer)] 02:03 -!- js_ [n=js@193.0.253.161] has quit [Read error: 113 (No route to host)] 02:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: bandini, ropetin 02:06 -!- Netsplit over, joins: ropetin 02:10 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn 02:17 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit [Connection reset by peer] 02:17 -!- bandinia [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined 
##openvpn 02:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 02:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:42 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 02:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 02:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: js_ 03:06 -!- Netsplit over, joins: js_ 03:12 -!- troy is now known as troy- 03:18 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 03:18 -!- alami_ [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 03:53 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has joined ##openvpn 04:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 04:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Dougy, ThoMe, karlpinc, worch 04:04 -!- Netsplit over, joins: karlpinc, Dougy, ThoMe, worch 04:09 -!- SuperEvilDeath16 [n=death@212.206.209.177] has joined ##openvpn 04:13 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has joined ##openvpn 04:16 < Guest88> since i got a vpn connection with openvpn --config client.conf established i cannot connect to sites anymore, just pure ping with ip works. what can i do ? (i have opensuse) 04:18 < Guest88> it seems that name resolution doesn't work any more... 
04:19 < Guest88> i tried it with a fresh restart, with networkmanager and without, but it didn't help 04:21 < krzee> change your nameserver 04:21 < krzee> 4.2.2.1 will work for testing 04:21 < krzee> that can be done in /etc/rc.conf 04:21 < krzee> !factoids search ns 04:21 < vpnHelper> krzee: 'insanity', 'lans', 'pfsense', 'pushdns', 'wins', 'quietopenssl', and 'dns' 04:21 < krzee> !dns 04:21 < vpnHelper> krzee: "dns" is Level3 open recursive DNS server at 4.2.2.1 04:22 < Guest88> got it. /etc/resolv.conf was overwritten... 04:22 < Guest88> thx 04:22 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has quit ["Java user signed off"] 04:26 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [No route to host] 04:27 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has joined ##openvpn 04:31 < Guest88> when i start a connection via openvpn -config asdf.conf - How can I stop this connection. I tried it with /etc/init.d/openvpn stop, but webpages show me, that the ip is still the other one. 04:31 < krzee> killall -9 openvpn 04:32 < Guest88> now i have no internet anymore... :( 04:33 -!- Flumdahl [i=n30@shell.auth.se] has quit [Read error: 110 (Connection timed out)] 04:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:33 < krzee> !configs 04:33 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 04:34 < krzee> you haven't said ANYTHING about your setup, nobody can help you without knowing about it 04:34 < Guest88> with killall -9 openvpn && rcnetwork restart i get my old ip back - but i cannot believe that this is the correct way... 04:34 < krzee> correct way? 
04:35 < krzee> you run openvpn in daemon mode, killing it is the correct way 04:35 < krzee> the fact that you have no inet means you are using --redirect-gateway 04:35 < krzee> the fact that it doesn't come back means you aren't using def1 04:35 < Guest88> and what can i do to have internet after killing? 04:35 < krzee> why do you make me guess your entire setup instead of posting the configs i asked for? 04:37 < Guest88> krzee: http://pastie.org/450630 04:38 < krzee> read this again 04:38 < krzee> !configs 04:38 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:40 < Guest88> i have no server configs 04:40 < krzee> if there's no server, you have nothing to connect to 04:41 < krzee> also 04:41 < Guest88> it is not my server, it's the server of the university 04:41 < krzee> with comments removed 04:41 < krzee> i even gave the command for it 04:41 < krzee> ok well the university has a setting wrong 04:41 < krzee> most likely they are pushing --redirect-gateway but without this: 04:41 < krzee> !def1 04:41 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 04:44 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has quit ["Java user signed off"] 05:15 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 05:16 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 05:19 -!- eliasp__ is now known as eliasp 05:33 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)] 05:40 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has joined ##openvpn 06:15 -!- alami_ [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 06:16 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 54 (Connection reset by peer)] 06:24 -!- albech [n=albech@119.42.77.112] has joined ##openvpn 07:30 -!- alami [n=up@p57A739F9.dip.t-dialin.net] has joined ##openvpn 07:31 -!- alami_ [n=up@unaffiliated/alami] has quit [Read error: 60 (Operation timed out)] 07:36 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has left ##openvpn [] 08:01 < [4-tea-2]> With a static client-to-client setup, OpenVPN uses two IP addresses per connection. 08:01 < [4-tea-2]> With a "real" setup (client-server), it uses four. How come? 08:03 < [4-tea-2]> Does it split the network configured with the "server" statement in one /30 per client? 08:09 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."] 08:21 -!- Quintin [n=user@208.119.128.251] has joined ##openvpn 08:31 < Quintin> I built a remote support tool that "pushes" a VNC connection to me so I can help clients. But I no longer have a public IP that I can control ... I'm travelling a lot. So, can I have the VPN server forward all traffic on a certain port to the VPN client on a certain port, and then point my helpdesk tool at the VPN server? 
08:32 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 08:36 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 08:45 < [4-tea-2]> Quintin: unless you're using the VPN for other stuff as well, I would recommend ssh instead. 08:48 < Quintin> [4-tea-2]: sometimes I use it to drag and drop stuff onto server (samba), otherwise VPN was just to learn how to make it go... how would I do what I need with SSH ??? 08:48 < Quintin> Remember, I don't control the network I am using locally 08:48 < [4-tea-2]> Assuming that VNC uses a single TCP port, SSH port forwarding can probably do what you need. 08:49 < [4-tea-2]> As in: ssh -g -R :localhost: 08:50 < [4-tea-2]> That will bind an ssh tunnel on : on the server, accept traffic from anywhere, and forward that traffic to your local machine, sending it to :. 08:51 < [4-tea-2]> ...as long as this ssh connection is alive. 08:52 < [4-tea-2]> If your target machine is a windows box, "putty" can do port forwarding. Don't know about other clients. 08:53 < [4-tea-2]> If you want to solve the problem with OpenVPN, I think you can do it by redirecting the incoming traffic on the VNC port to the VPN tunnel, possibly with iptables DNAT 09:08 -!- mbutUbuntu01 [n=sampler@static-217-133-40-175.clienti.tiscali.it] has joined ##openvpn 09:08 < mbutUbuntu01> hello folks 09:08 < mbutUbuntu01> I've a little problem... 09:09 < mbutUbuntu01> I've created a link between two servers, but during the night the link went down even if on both servers the openvpn daemon and the tap interface 09:10 < mbutUbuntu01> were (and are still) correctly configured... why the link goes down automatically??? 09:10 < mbutUbuntu01> I need a persistent link 09:13 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:13 < [4-tea-2]> I wasn't aware that OpenVPN closed connections for no good reason. Perhaps --keepalive could help? 
09:14 < [4-tea-2]> My crappy DSL router likes to drop natted connections when they are inactive for a while. --keepalive avoids that behaviour. 09:17 < mbutUbuntu01> I'm using keepalive 14 360000 09:17 < mbutUbuntu01> I know 360000 it's a very big value 09:18 < [4-tea-2]> So why do you use it? 09:18 < [4-tea-2]> Wouldn't it be smarter to recognize earlier when the link is down? 09:18 < mbutUbuntu01> because I had the same problem past days 09:18 < mbutUbuntu01> the link went down 09:19 < mbutUbuntu01> right 09:19 < mbutUbuntu01> if I give 14 30, if the server doesn't answer for 30 seconds the client re-resolves the ip of the server??? 09:20 < [4-tea-2]> Not sure, I wouldn't use a DNS name in --remote, because I don't necessarily have a DNS service before the tunnel is established. 09:20 < mbutUbuntu01> I need 09:21 < mbutUbuntu01> I've only dynamic public IPs 09:21 < mbutUbuntu01> no static.... :D:D 09:21 < [4-tea-2]> I see. Perhaps with a 24hr disconnect by the ISP? 09:23 < mbutUbuntu01> no 09:23 < [4-tea-2]> If the server got a new IP every night and it took a while for your dynamic dns service, that would explain why you had a problem every night. 09:23 < mbutUbuntu01> my connections have good quality and reliability 09:24 < mbutUbuntu01> [4-tea-2], so what can I do for a stable VPN link??? 09:25 < [4-tea-2]> So your problem is that for unknown reasons the VPN connection is closed every night and is not automagically re-established until you intervene? 09:25 < mbutUbuntu01> right 09:26 < [4-tea-2]> Have you checked the log file, server and client-side? 09:26 < mbutUbuntu01> I think I should tell you that the client is behind a router 09:27 < mbutUbuntu01> I've no log files.... I thought openvpn wrote logs automatically... 
09:27 < mbutUbuntu01> I must write this directive in the .conf
09:28 < [4-tea-2]> On Debian, it's by default configured to log via syslog to /var/log/daemon.log
09:28 < mbutUbuntu01> I'm on archlinux
09:28 < mbutUbuntu01> on both points
09:29 < [4-tea-2]> Well, check the usual suspects.
09:29 < mbutUbuntu01> what?
09:30 < [4-tea-2]> e.g. /var/log/{messages,daemon.log,syslog} or whatever they are called on archlinux.
09:30 < mbutUbuntu01> ok
09:31 < [4-tea-2]> "grep -rl ovpn /var/log/" could give a hint.
09:32 < mbutUbuntu01> [4-tea-2], only question: must the keepalive flag be the same on both client and server??
09:32 < [4-tea-2]> I *think* one keepalive statement will take care of both ends automagically.
09:32 < [4-tea-2]> That's how I understand the man page.
09:33 < [4-tea-2]> Correction:
09:33 < [4-tea-2]> I *think* a keepalive statement ON THE SERVER will take care of both ends automagically.
09:35 < mbutUbuntu01> in the messages.log I've the information on the activation of the link, not on the failure of the link...
09:36 < mbutUbuntu01> on both client and server I have no info on the failure...
09:36 < mbutUbuntu01> Apr 18 12:27:43 localhost openvpn[6302]: Peer Connection Initiated with 79.53.100.126:1194
09:36 < mbutUbuntu01> yesterday
09:36 < mbutUbuntu01> Apr 18 16:29:16 localhost openvpn[6302]: Peer Connection Initiated with 217.133.40.175:22149
09:36 < mbutUbuntu01> and today
09:36 < [4-tea-2]> It failed silently? Were the openvpn processes still running when you noticed the VPN link was down?
09:37 < mbutUbuntu01> yes
09:37 < mbutUbuntu01> [I have pasted the incorrect line]
09:37 < mbutUbuntu01> daemons and interfaces were up on both sides
09:37 < mbutUbuntu01> but the link was down
09:37 < [4-tea-2]> I'm lost, sorry.
09:38 < [4-tea-2]> I don't think that's supposed to happen.
09:38 < mbutUbuntu01> I'm lost too... it seems to be a paradox
09:38 < [4-tea-2]> My ISP disconnects me each night and I get a new IP, OpenVPN never took more than a few seconds to reestablish the VPN.
09:39 < mbutUbuntu01> I want to try to leave an ssh connection or a ping always on
09:39 < mbutUbuntu01> is it possible that the router blocks the traffic?
09:39 < [4-tea-2]> You might want to try switching to tcp.
09:39 < [4-tea-2]> Perhaps your router can handle tcp better than udp.
09:40 < mbutUbuntu01> the router is not mine...
09:40 < mbutUbuntu01> I can't have access to the router....
09:40 < [4-tea-2]> You don't have to. ;)
09:40 < [4-tea-2]> Let OpenVPN use tcp instead of udp.
09:41 < mbutUbuntu01> I need openvpn only because noone wants a few ports forwarded..
09:41 < mbutUbuntu01> in the .conf?
09:41 < [4-tea-2]> I think it's worth a try. The router might be smarter handling a tcp connection than single udp packets.
09:41 < [4-tea-2]> Let me see what I use...
09:42 < [4-tea-2]> On the server: "proto tcp-server" in server.conf
09:42 < [4-tea-2]> On the client: "proto tcp" in wifi.conf
09:43 < [4-tea-2]> Hmmm. According to the man page, I should have used "proto tcp-client" on the client.
09:44 < [4-tea-2]> But it works anyway. :D
09:45 < mbutUbuntu01> ok
09:45 < [4-tea-2]> I changed it now to tcp-client, it still seems to work.
09:45 < mbutUbuntu01> proto tcp-server proto tcp-client
09:45 < mbutUbuntu01> works works
09:45 < mbutUbuntu01> keepalive 14 60
09:45 < mbutUbuntu01> on both sides
09:45 < mbutUbuntu01> I hope it always works....
09:46 < [4-tea-2]> good luck!
09:46 < mbutUbuntu01> but if I have the same problem I don't know how to manage it....
09:46 < [4-tea-2]> I'd suggest as first step: increase verbosity for the log messages
09:47 < mbutUbuntu01> 3 ??
09:47 < [4-tea-2]> But I think we've addressed the two problems that were involved... the keepalive restart delay, and the router possibly failing to nat udp packages over an extended time.
09:48 < mbutUbuntu01> so you think it should work?
09:48 < [4-tea-2]> Yes, but I also think it shouldn't have NOT worked in the first place. :D
09:49 < mbutUbuntu01> because of the incorrect keepalive configuration?
09:50 < [4-tea-2]> I believe you said you used that ridiculously large keepalive value only AFTER the problem started, correct?
09:50 < mbutUbuntu01> I don't perfectly remember but I think yes...
09:51 < mbutUbuntu01> the first experiment I did was a few weeks ago
09:51 < [4-tea-2]> Well, just try and see. I don't think the changes we've done can hurt in any way.
09:52 < mbutUbuntu01> now the link is up
09:52 < mbutUbuntu01> [4-tea-2], thanks
09:53 < [4-tea-2]> my pleasure, hope it helps
09:53 < mbutUbuntu01> even if it will not work I know something new.... :D
10:01 -!- mbutUbuntu01 [n=sampler@static-217-133-40-175.clienti.tiscali.it] has quit ["Sto andando via"]
10:10 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has joined ##openvpn
10:15 < [4-tea-2]> Sweet, now I know how to the local machines in my network that one of them has moved from the local net to a VPN connection.
10:15 < [4-tea-2]> *how to tell
10:30 -!- MissNeBuN [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
10:32 -!- tjz [n=tjz@bb116-15-135-176.singnet.com.sg] has joined ##openvpn
11:06 -!- Quintin [n=user@208.119.128.251] has left ##openvpn []
11:22 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."]
11:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:44 -!- r_001 [n=r_001@86.99.21.4] has joined ##openvpn
11:44 < r_001> I need a config file for openVPN, can anyone send it to me please
11:45 < r_001> config file!
11:45 < r_001> !config file
11:45 < vpnHelper> r_001: Error: 'supybot.file' is not a valid configuration variable.
11:45 < r_001> !conf file
11:45 < vpnHelper> r_001: Error: "conf" is not a valid command.
11:46 < alami> !menu
11:46 < r_001> !.conf file
11:46 < vpnHelper> alami: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
11:46 < vpnHelper> r_001: Error: ".conf" is not a valid command.
11:46 < r_001> !menu
11:46 < vpnHelper> r_001: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
11:46 < r_001> *
11:46 < r_001> !*
11:46 < vpnHelper> r_001: Error: "*" is not a valid command.
11:46 < alami> !help
11:46 < vpnHelper> alami: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
11:46 < r_001> alami: can you send me a config file
11:46 < r_001> it's my first time to use VPN
11:47 < alami> i can't sorry but i will search you one now
11:47 < alami> don't care
11:47 < alami> !factoids search .conf
11:47 < vpnHelper> alami: No keys matched that query.
11:47 < alami> !openvpn
11:47 < vpnHelper> alami: Error: "openvpn" is not a valid command.
11:48 < r_001> how do you run your VPN ?
11:48 < alami> i don't have it now, i have it on VM..
11:48 -!- lapinferoce [n=eric@bny93-4-82-235-240-122.fbx.proxad.net] has joined ##openvpn
11:49 < alami> hat!factoids search *
11:49 < alami> !factoids search *
11:49 < vpnHelper> alami: More than 100 keys matched that query; please narrow your query.
11:51 < alami> !configs
11:51 < vpnHelper> alami: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:52 < alami> my computer is weird :(
11:52 < alami> wait plz i will restart
11:53 < r_001> alami: tyt
11:54 < r_001> people, does anyone here know how to configure VPN easily ?
11:55 -!- alami [n=up@unaffiliated/alami] has quit []
11:57 < Bushmills> r_001, reading the howto and setting up server and client accordingly is the standard method
11:57 < Bushmills> !howto
11:57 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:57 < r_001> Bushmills: I did
11:57 < r_001> but it's useless
11:57 -!- albech [n=albech@119.42.77.112] has quit [Connection timed out]
11:57 < r_001> I'm using kvpn
11:57 < r_001> not command line
11:58 < r_001> I'm new man
11:58 < Bushmills> sorry, i don't know of a simpler way
11:58 -!- albech [n=albech@119.42.77.112] has joined ##openvpn
11:59 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has quit [Remote closed the connection]
11:59 < Bushmills> but if you fail to set it up using kvpn, that way seems to be more complicated
11:59 < r_001> :(
11:59 < r_001> Bushmills: kVPN asks for a config gile
11:59 < r_001> file*
11:59 < r_001> but I don't know where I can get it from
12:00 < r_001> I just want to use VPN, to open some sites
12:00 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn
12:00 < Dougy> hey
12:00 < r_001> my country blocks skype
12:00 < r_001> so I want to use it to open skype
12:00 < Bushmills> /usr/share/doc/openvpn/examples/ contains example configs
12:01 < Dougy> hey Bushmills
12:01 < Bushmills> how's it, Dougy
12:01 < Dougy> it is
12:01 < Dougy> you?
12:02 < Bushmills> finefine
12:02 * Dougy is excited for wednesday
12:02 < r_001> Bushmills: I have to create server and client !!!?
12:02 < Dougy> yes
12:02 < Bushmills> rainy day, nevertheless i am heading outside
12:03 < Dougy> its amazing here
12:03 < Dougy> and im stuck in an office
12:03 < Dougy> lol
12:03 < Bushmills> r_001, yes. if not you, who else?
12:03 < Bushmills> r_001, a consultant, maybe?
12:08 -!- lapinferoce [n=eric@bny93-4-82-235-240-122.fbx.proxad.net] has quit [Remote closed the connection]
12:09 < r_001> Bushmills: do you have any free proxy server ip I can use
12:09 < r_001> or any free VPN server I can connect to
12:12 < Bushmills> r_001, sorry, i have to pay for my servers, can't just pass them on for free
12:12 < r_001> how much ?
12:14 < Bushmills> about 250 dirham
12:15 < [4-tea-2]> r_001: why do the UAE block skype?
12:15 < r_001> to gain profit from high call costs
12:15 < r_001> [4-tea-2]: do you have any way to use skype
12:15 < Bushmills> r_001, have you checked out SIP phones?
12:15 < r_001> I tried JAP
12:15 < r_001> same same
12:16 < r_001> JAP isn't working
12:16 < [4-tea-2]> I don't think JAP or TOR will provide the bandwidth needed for telephony.
12:17 < r_001> [4-tea-2]: both of them are blocked too :(
12:17 < r_001> [4-tea-2]: do you have any ideas to solve this problem ?
12:17 < [4-tea-2]> Are you sure OpenVPN isn't blocked as well?
12:17 < Bushmills> r_001, openvpn is not a public service. it is more like .. a cable implemented in software which you can install between two machines.
12:17 < r_001> Bushmills: is there any public VPN server I can use ?
12:18 < Bushmills> i know of none. which doesn't mean that there isn't any.
12:18 < [4-tea-2]> r_001: if there was and it was public, it would need a lot of bandwidth because a lot of people would be using it, right?
12:19 < r_001> hotspot is one of the free VPN servers, but I don't know how to connect to it
12:19 < [4-tea-2]> you could rent a root server somewhere and set up your own VPN server there.
12:20 < Bushmills> r_001, best guess is ...
12:20 < Bushmills> what [4-tea-2] said...
12:20 < r_001> [4-tea-2]: how to setup a VPN server there ?
12:20 < Bushmills> command line :D
12:20 < [4-tea-2]> Would OpenVPN run on a virtual server? I don't think they usually offer tun/tap, right?
12:23 < [4-tea-2]> Ah, it seems it depends on the vserver technology in use.
12:23 * Bushmills gone, enjoying the rain
12:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
12:27 < r_001> [4-tea-2]: anyway thank you
12:27 < r_001> have a nice day
12:27 -!- r_001 [n=r_001@86.99.21.4] has quit [Remote closed the connection]
12:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:55 -!- troy- is now known as troy
13:03 -!- Hydroxide [n=jim@debian/developer/jimmy] has joined ##openvpn
13:05 < Hydroxide> hi ... I have a reasonably up-to-date Vista SP1 32-bit install, and I just downloaded OpenVPN 2.1rc15. I'm getting errors from Vista saying that tap0901.sys has known compatibility problems with this version of Windows
13:05 < Hydroxide> is that warning accurate or is it a holdover from the former tap0801 driver which did have problems?
13:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:16 < Hydroxide> never mind, it was just windows handling the situation badly when I had an incompatible older version installed. uninstalling that first worked.
13:16 -!- Hydroxide [n=jim@debian/developer/jimmy] has left ##openvpn []
13:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:30 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has quit ["Leaving."]
14:15 -!- albech [n=albech@119.42.77.112] has quit [Read error: 110 (Connection timed out)]
14:15 -!- albech [n=albech@119.42.77.133] has joined ##openvpn
14:54 -!- Lilarcor_ [n=Lilarcor@2.sub-97-1-137.myvzw.com] has joined ##openvpn
15:01 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
15:55 -!- tjz [n=tjz@bb116-15-135-176.singnet.com.sg] has quit [Connection timed out]
16:04 -!- mbutUbuntu01 [n=mbutu@host217-110-dynamic.8-79-r.retail.telecomitalia.it] has joined ##openvpn
16:05 < mbutUbuntu01> hello folks...
16:05 < krzie> hello
16:05 < mbutUbuntu01> I made a giant error
16:06 < mbutUbuntu01> i gave ifconfig tap0 down on the remote client
16:06 < mbutUbuntu01> I should have given tap0:0 down
16:06 < mbutUbuntu01> a stupid giant error....
16:06 < mbutUbuntu01> :-(
16:07 < mbutUbuntu01> do you know if after some time openvpn restarts the interface?
16:07 < mbutUbuntu01> what a stupid
16:07 < krzie> i dont believe it will
16:07 < mbutUbuntu01> :D:D:D
16:08 < krzie> just tell someone there to reboot it if its a service
16:08 < mbutUbuntu01> I'll wait until monday...
16:08 < mbutUbuntu01> eh...
16:08 < mbutUbuntu01> there is no service...
16:08 < krzie> it doesnt start on boot?
16:08 < mbutUbuntu01> that machine is in my school
16:08 < mbutUbuntu01> yes it does automatically start on boot
16:09 < krzie> so a reboot would fix
16:09 < mbutUbuntu01> but I can't reboot the machine
16:09 < mbutUbuntu01> and nobody can...
16:09 < krzie> now i see its not windows, and its running tap
16:09 < mbutUbuntu01> yeah
16:09 < krzie> may i ask what layer2 protocol you use over your vpn?
16:09 < mbutUbuntu01> not windows not...
16:09 < mbutUbuntu01> tcp
16:09 < krzie> thats layer3
16:09 < krzie> !tunortap
16:09 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
16:09 < krzie> !tcp
16:09 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:10 -!- bandinia [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
16:11 < mbutUbuntu01> krzie, today someone here helped me on this VPN... I had a problem: the link went down
16:12 < mbutUbuntu01> krzie, what do you mean with tunortap?
16:13 < krzie> if you arent tunneling something destined for a MAC address, you want tun
16:13 < krzie> aka layer2
16:14 < mbutUbuntu01> ok
16:14 < mbutUbuntu01> I use tap
16:17 < krzie> i know
16:17 < krzie> which is why im telling you that
16:18 < krzie> if you were using tun i wouldnt bother telling you that you're most likely wasting overhead
16:19 < mbutUbuntu01> krzie, do you want to know where the remote client is??
16:19 < krzie> huh?
16:20 < mbutUbuntu01> In the electronic music laboratory
16:20 < mbutUbuntu01> I study there in a Music Academy
16:20 < krzie> cool
16:20 < mbutUbuntu01> but noone must know that there is a link between me and there
16:20 < krzie> i dont see how that changes anything...
16:21 < mbutUbuntu01> mmhh
16:21 < mbutUbuntu01> I tried to call and I didn't know that there was a person during the night
16:22 < mbutUbuntu01> he could restart the machine
16:22 < mbutUbuntu01> but I fear he could say that I have access to the Academy's private LAN...
16:22 < mbutUbuntu01> I don't know...
16:23 < mbutUbuntu01> what would you do?
16:23 < krzie> i prolly wouldnt be tunneling into my schools lan if i wasnt allowed to
16:23 < UtopiahGHML> :)
16:24 < krzie> unless it was to change my grades or something, which im pretty sure isnt what you're doing...
16:24 < krzie> lol
16:24 < mbutUbuntu01> I'm not doing anything illegal
16:24 < krzie> they allow you to tunnel in?
16:24 < mbutUbuntu01> I only need to work on a project that involves laboratory PCs
16:25 < mbutUbuntu01> krzie, no
16:25 < krzie> so you are giving yourself access that you are not allowed to have?
16:25 < mbutUbuntu01> but You MUST know that in Italy everyone likes to stop you doing something cool or intellectual
16:25 < krzie> lol
16:25 < krzie> im pretty sure that has nothing to do with it
16:26 < krzie> its about security, not because its 'cool'
16:26 < krzie> if it was my school network you wouldnt be able to get your vpn out
16:26 < krzie> ;]
16:26 < mbutUbuntu01> krzie, sorry... the "cool" thing is not having a tunnel
16:26 < mbutUbuntu01> the "cool" thing is the project I'm working on
16:26 < krzie> but anyways, do whatever you gotta do
16:27 < krzie> theres nothing you can do bout the fact you broke it remotely
16:27 < krzie> so wait or get it fixed remotely
16:27 < mbutUbuntu01> krzie, I think it's better to wait until monday....
16:27 < mbutUbuntu01> :D:D:D
16:28 < mbutUbuntu01> krzie, what do you mean with "if it was my school network you wouldnt be able to get your vpn out" ??
16:28 < krzie> i mean ild enforce my rules through technology
16:28 < krzie> not through trust
16:28 < krzie> like if i was their admin
16:29 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
16:29 < mbutUbuntu01> krzie, sorry, english is not my mother language...
16:29 < mbutUbuntu01> I don't understand
16:29 < krzie> i would make it so you could not connect to a vpn
16:30 * [4-tea-2] just switched his connection from tcp to udp.
16:30 < krzie> good job [4-tea-2]
16:30 < [4-tea-2]> thanks for the link, krzie
16:30 < krzie> np
16:30 < mbutUbuntu01> krzie, you must know also that security is optional
16:31 < mbutUbuntu01> :D:D
16:31 < mbutUbuntu01> they think that a secure network is a disconnected network
16:32 < mbutUbuntu01> but when you ask to forward a port from the router to an internal server they say "no!!!"
16:32 < mbutUbuntu01> but I say that the risk is about the same...
16:32 < mbutUbuntu01> they say no!!!!
16:32 < UtopiahGHML> 0_o
16:33 < mbutUbuntu01> but if we need a website, the Academy has no money to buy a private host and noone authorizes you to forward two stupid ports
16:34 < mbutUbuntu01> I think they are only some pieces of shit
16:34 < krzie> i wouldnt do it either if that makes you feel any better...
16:34 < krzie> anyone need help with openvpn before i go do other things?
16:34 < mbutUbuntu01> so I made this VPN link to have this site and not only...
16:35 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
16:41 < krzie> bash: /usr/bin/grep: Argument list too long
16:41 < krzie> i hate that
16:41 < krzie> then i hafta do a for loop just to grep
16:43 < funky> could any of you paste ifconfig/route from an openvpn server (routed mode) in pastebin.com or any of the sort
16:43 < funky> I don't understand how many networks I finally should have
16:44 < krzie> umm
16:44 < krzie> why dont you paste yours and ill tell you if its right
16:44 < krzie> or tell me what you dont understand...
16:44 < krzie> im guessing its this:
16:44 < krzie> !/30
16:44 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:44 < funky> let's see
16:45 < krzie> server is using .1 ptp .2, first client is using .6 ptp .5, but only server can ping .6 and client can only ping .1
16:45 < krzie> so you dont understand why it would be like that... am i right?
16:45 < funky> mine is much simpler than that
16:45 < funky> ptp ?
16:46 < krzie> in ifconfig
16:46 < krzie> inet 10.8.1.1 --> 10.8.1.2 netmask 0xffffffff
16:46 < krzie> like that
16:46 < funky> aha
16:46 < krzie> yet that box cant ping .2
16:46 < krzie> (cause its internal to openvpn, as explained in !/30 and !topology)
16:47 < krzie> it can however ping .6
16:48 < funky> how many interfaces do you have in a simple case scenario ?
16:48 < funky> network interfaces
16:48 < krzie> for my vpn, 1
16:48 < funky> mm
16:48 < krzie> because i use client/server mode i can connect as many clients to that interface as i want
16:48 < krzie> !sample
16:48 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:48 < krzie> thats an example of client/server mode
16:49 < krzie> how bout this
16:49 < krzie> just ask your real question
16:49 < krzie> something along the lines of "i want to do this, im trying to do this, how can i do that"
16:49 < krzie> and we'll go from there
16:50 < funky> ok
16:50 < funky> let's see..
16:50 < funky> let me think, I got new information with all that stuff that you just gave me
16:51 < funky> I don't want to make you lose your time
16:51 < funky> let me try it by myself
16:51 < krzie> ok
16:51 < funky> thank you very much for your interest
16:51 < funky> are you usually around ?
16:51 < krzie> !irclogs
16:51 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
16:51 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
16:51 < funky> because I've got some "advanced" questions for later
16:51 < krzie> that has graphs of who is around, what times of the day, etc
16:51 < funky> thank you again
16:52 < krzie> but basically it comes down to im here way too often
16:52 < krzie> and i seem to talk too much, lol
16:52 < funky> XD
16:52 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
16:52 < funky> first I want to run a very simple scenario
16:53 < funky> but later, I need -> AD auth, Vlans
16:53 < krzie> whats your end goal
16:53 < krzie> ahh
16:53 < krzie> vlans...?
16:53 < funky> yes, I mean, I've got let's say 100 users
16:53 < funky> user #1 always has the same ip using cable
16:54 < funky> I want him to get that same IP from the vpn
16:54 < funky> but user #2 has a different ip in a different vlan
16:54 < krzie> !static
16:54 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:54 < funky> yup, I read something about the ccd entries
16:54 < krzie> !ccd
16:54 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
16:55 < funky> ok, i've got a lot of info
16:56 < funky> thank you
16:56 < funky> reading time
16:56 < krzie> np
17:02 -!- Lilarcor_ [n=Lilarcor@2.sub-97-1-137.myvzw.com] has quit [Client Quit]
17:26 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:26 < Dougy[Home]> hey all
17:26 < Dougy[Home]> krzie: hi
17:26 < krzie> sup doug
17:26 < Dougy[Home]> oh man
17:26 < Dougy[Home]> that was epic
17:26 < Dougy[Home]> lol
17:27 < Dougy[Home]> krzie.. someone spammed the forum and added
17:27 < Dougy[Home]> "PS sorry"
17:27 < Dougy[Home]> at the end
17:27 < krzie> more porn?
17:27 < Dougy[Home]> nope
17:27 < Dougy[Home]> http://www.ovpnforum.com/viewtopic.php?f=6&p=128&sid=6595886f95c695cd7dc0f179e94ab629#p128
17:27 < vpnHelper> Title: OpenVPN Forum View topic - best computer home based business (239 $ per day) (at www.ovpnforum.com)
17:27 < krzie> damn i liked the porn one
17:27 < Dougy[Home]> Haha.
17:27 < Dougy[Home]> Hmm.. man.
17:27 * Dougy[Home] is a bit shaken up at the moment
17:29 < krzie> why?
17:29 < Dougy[Home]> I don't even know
17:29 < Dougy[Home]> but
17:29 < Dougy[Home]> its weird.
17:29 * Dougy[Home] doesn't even know how to explain it
17:29 < Dougy[Home]> but
17:29 < Dougy[Home]> I have a bad gut feeling something bad is going to happen
17:30 < krzie> theres hes removed
17:30 < krzie> along with his posts
17:30 < Dougy[Home]> nice
17:31 < Dougy[Home]> i hate this too, cuz last time i had this feeling a bunch of people i know died in a horrible car wreck
17:31 < Dougy[Home]> fwiw there's another spam post in there
17:31 < krzie> hah more spam too
17:31 < Dougy[Home]> Everyone in here should join the FORUM
17:31 < krzie> lol
17:32 < krzie> why would they, they get help here
17:32 * Dougy[Home] hasn't talked to ecrist in a while
17:32 < Dougy[Home]> because forums are win, krzee
17:32 < Dougy[Home]> krzie I*
17:32 < Dougy[Home]> .......
17:32 < Dougy[Home]> krzie *
17:32 < Dougy[Home]> Tab key fail.
17:32 < Dougy[Home]> hrm... krzie.. i have a ton of old xeons sitting here..
17:32 < Dougy[Home]> like 15
17:32 < Dougy[Home]> like Irwindales and some others
17:33 < krzie> ok he's deleted too
17:34 < Dougy[Home]> nice
17:34 < Dougy[Home]> Ahahahhaa. The Yankees are getting spanked.
17:34 < krzie> savagely
17:34 < krzie> 20/4
17:34 < Dougy[Home]> lmfao
17:34 < Dougy[Home]> i know
17:34 < Dougy[Home]> win
17:35 < krzie> mets fan?
17:35 < Dougy[Home]> yessssssir
17:35 < Dougy[Home]> it's not that i don't like the yankees.. i just hate that they are all spoiled twats
17:35 < krzie> i hate that they try to buy the championship
17:35 < Dougy[Home]> ll
17:35 < Dougy[Home]> lol
17:35 < krzie> so i love when they get spanked like this
17:35 < Dougy[Home]> me too
17:35 < Dougy[Home]> hmm.. i need some new irc networks to go hang on
17:36 < krzie> ohey
17:36 < Dougy[Home]> i have been around the same old shops
17:36 < Dougy[Home]> for 5 years
17:36 < Dougy[Home]> maybe more
17:36 < krzie> whats a website with info on your VPSs?
17:36 < Dougy[Home]> my expensive ones
17:36 < Dougy[Home]> or my cheapo mini ones
17:36 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has joined ##openvpn
17:37 < Dougy[Home]> ?
17:37 < krzie> wouldnt there be 1 link with both infos?
17:37 < Dougy[Home]> neg, i have 2 separate pages
17:37 < krzie> well, both i guess
17:37 -!- mbutUbuntu01 is now known as mbutuarch
17:37 < Dougy[Home]> www.bergenhosting.com/vps.php is my expensive ones (i can always work out a deal for krzee's friends) and www.bergenhosting.com/budgetvm.php are the minis
17:38 < krzie> werd
17:38 < krzie> so the real answer to my first question was www.bergenhosting.com/
17:38 < krzie> hehe
17:39 < Dougy[Home]> fair enough
17:39 < Dougy[Home]> lol
17:39 * Dougy[Home] was thinking about relaunching BudgetVM.com
17:52 < Dougy[Home]> wow
17:52 < Dougy[Home]> i was looking for "ness"
17:52 < Dougy[Home]> she used to be here a long long time ago
17:52 < Dougy[Home]> <~wahrheit> yeah, i know who you're talking about
17:52 < Dougy[Home]> <~wahrheit> that person hasn't been on this network in probably, i don't know, 4-5 years. it was before i came along
17:52 < Dougy[Home]> krzie: see what i mean about me only having my old diggs?
17:53 < Dougy[Home]> lol
17:53 < krzie> old diggs?
17:53 < Dougy[Home]> as in
17:53 < Dougy[Home]> old hangouts
17:53 < Dougy[Home]> i only have a few places that i have been at for ages
17:53 < Dougy[Home]> lol
17:53 < krzie> ahh
17:54 * Dougy[Home] needs new places to hang out.. and sell servers
17:54 < Dougy[Home]> ahahaha
17:54 < Dougy[Home]> whoo paycheck.. $335
17:55 < krzie> ouch
17:55 < krzie> bet that on shogun rua in tonights fight
17:55 < krzie> 335 can get ya 536
17:57 -!- Dougyyy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:57 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Nick collision from services.]
17:57 -!- Dougyyy is now known as dougy[home]
17:58 < dougy[home]> back
17:58 < dougy[home]> did you say anything to me krzie
17:58 < krzie> whoo paycheck.. $335
17:58 < krzie> ouch
17:58 < krzie> bet that on shogun rua in tonights fight
17:58 < krzie> 335 can get ya 536
17:58 < dougy[home]> ah yea
17:58 < dougy[home]> 335 can get ya 536
17:58 < dougy[home]> lol
17:58 < dougy[home]> 335 for 45 hours of work
17:58 < dougy[home]> after tax
17:58 < dougy[home]> * Disconnected
17:59 < krzie> so 335 turns into 871
17:59 < krzie> (or nothing, depending who wins)
17:59 < krzie> lol
18:02 < dougy[home]> ah
18:02 < dougy[home]> lol
18:07 < karlpinc> What is "direction" in --secret file [direction]? What are the possible values and what do they mean?
18:07 < krzie> !man
18:07 < karlpinc> Where do I rtfm?
18:07 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:08 < reiffert> karlpinc: on the chair, in front of your computer.
18:08 < karlpinc> krzie : Yes, where in there? I read that?
18:08 < krzie> umm, at --secret
18:08 < karlpinc> reiffert : Where it says "i.e. one side should use "0" and the
18:08 < karlpinc> other should use "1""?
18:09 < reiffert> karlpinc: normally people *search* within manpages to read the paragraph around a possible answer and repeat that until illumination.
18:09 < karlpinc> reiffert : Did so, can't find it. Maybe I'm having a brain fart, so I asked here.
18:09 < reiffert> alright, let me help you.
18:09 < reiffert> 01:07 < karlpinc> What is "direction" in --secret file [direction]? What are the possible values and what do they mean?
18:10 < krzie> -secret file [direction]
18:10 < krzie> Enable Static Key encryption mode (non-TLS). Use pre-shared secret file which was generated with --genkey.
18:10 < krzie> The optional direction parameter enables the use of 4 distinct keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks.
18:10 < krzie> When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.
18:10 < krzie> The direction parameter should always be complementary on either side of the connection, i.e. one side should use "0" and the other should use "1", or both sides should omit it altogether.
18:10 < krzie> The direction parameter requires that file contains a 2048 bit key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any version of OpenVPN which supports the direction parameter, will also support 2048 bit key file generation using the --genkey option.
18:10 < reiffert> When the direction parameter is omitted, 2 keys are used bidi-
18:10 < reiffert> rectionally, one for HMAC and the other for encryption/decryp-
18:10 < reiffert> tion.
18:10 < reiffert> The direction parameter should always be complementary on either
18:10 < reiffert> side of the connection, i.e. one side should use "0" and the
18:10 < krzie> Static key encryption mode has certain advantages, the primary being ease of configuration.
18:10 < krzie> There are no certificates or certificate authorities or complicated negotiation handshakes and protocols. The only requirement is that you have a pre-existing secure channel with your peer (such as ssh ) to initially copy the key. This requirement, along with the fact that your key never changes unless you manually generate a new one, makes it somewhat less secure than TLS mode (see below). If an attacker manages to steal your key, everything that w
18:10 < reiffert> other should use "1", or both sides should omit it altogether.
18:10 < reiffert> The direction parameter requires that file contains a 2048 bit 18:10 < reiffert> key. While pre-1.5 versions of OpenVPN generate 1024 bit key 18:10 < krzie> Another advantageous aspect of Static Key encryption mode is that it is a handshake-free protocol without any distinguishing signature or feature (such as a header or protocol handshake sequence) that would mark the ciphertext packets as being generated by OpenVPN. Anyone eavesdropping on the wire would see nothing but random-looking data. 18:10 < reiffert> files, any version of OpenVPN which supports the direction pa- 18:10 < reiffert> rameter, will also support 2048 bit key file generation using 18:10 < krzie> lol 18:10 < reiffert> the --genkey option. 18:11 < reiffert> Time for some bunny hopping 18:11 < karlpinc> Thats nice. So it says there are 4 possibilities, gives two, says you can use 0 and 1 as "pairs". That does not tell me much. 18:11 < reiffert> bbl 18:11 < reiffert> karlpinc: be sure to read the rest on top and above those lines. 18:11 < reiffert> & 18:13 < karlpinc> reiffert : The part that says "direction" is optional, or the paragraph above that? 18:14 < karlpinc> I just don't get it. Suppose I want to enable HMAC-send keys. What value should be supplied for direction? 18:16 < karlpinc> Really what I want to do is use --tls-auth, but I want the client having to do the work. Should the server have 0 or 1 for direction? 18:20 < karlpinc> I.e. 1 requires the other end to do the encryption, or 1 requires this end to do the encryption? 18:21 < karlpinc> Or, does 1 mean don't encrypt? 18:22 < dougy[home]> hrmm 18:22 < dougy[home]> flooders 18:22 < dougy[home]> reiffert!!!!!!!!!!!!!!! 18:22 < karlpinc> dougy[home] : That's what killbots are for.
18:26 -!- troy is now known as troy- 18:29 < krzie> lol 18:29 < krzie> karlpinc, all that is very clearly explained in the manual 18:29 < krzie> !man 18:29 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:29 < krzie> very very clearly explained 18:30 < karlpinc> krzie : I don't see it in the 2.0 manual. Perhaps I should look in the 2.1 manual. 18:31 < krzie> look in the manual which corresponds with your version of openvpn 18:34 < karlpinc> krzie : Ok. I've read both manuals. Would you please point me to the sentence that says what's different when you say "0" than when you say "1"? For that matter, 0 and 1 just appear as a "for instance". Where does it say that those are the only legal values? I just don't see it. 18:35 < karlpinc> krzie : I'm imagining that 1 really means "true -- require the other end to use the secret before I talk to it", but that's a guess. 18:37 < karlpinc> krzie : It could mean "true - have this end use the secret when talking to the other end". I don't see anything spelled out. 18:37 < karlpinc> gone -- will check back for answers. 18:41 < krzie> i have no clue what you're looking for that isnt plainly spelt out in the manual 18:43 -!- mbutuarch [n=mbutu@host217-110-dynamic.8-79-r.retail.telecomitalia.it] has quit ["Leaving"] 18:47 < dan__t> wat 18:50 < dougy[home]> krzie: you say spelt too 18:50 < dougy[home]> ! 
18:50 < krzie> *shrug* 18:50 < dougy[home]> i got in trouble in english class for that 19:00 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 19:00 -!- Dougyyy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:01 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has joined ##openvpn 19:09 < krzie> !route 19:09 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 19:17 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 19:22 < krzie> there 19:22 < krzie> i added a forum post about my routing document, and linked the document to it 19:23 < krzie> Written by krzee @ ##OpenVPN @ freenode IRC 19:23 < krzie> Feel free to discuss this document on the unofficial OpenVPN forum at: OpenVPN Forum: Lans behind OpenVPN 19:23 < krzie> http://www.ovpnforum.com/viewtopic.php?f=8&t=98 19:23 < vpnHelper> Title: OpenVPN Forum View topic - Lans behind OpenVPN (at www.ovpnforum.com) 19:23 < Dougyyy> krzie - win 19:26 < krzie> how am i possibly still a junior user? 
19:27 < krzie> oh i see, it was never setup 19:28 < Dougyyy> nod 19:29 < krzie> there we go 19:29 < krzie> now im a VPN helper 19:30 < Dougyyy> woot 19:30 < krzie> and after 20 you become a member 19:30 < krzie> after 50 you become a senior member 19:30 < Dougyyy> nice 19:31 < Dougyyy> :) 19:32 < krzie> hey go here 19:32 < krzie> http://www.masflowteam.com/ 19:32 < vpnHelper> Title: **|| MASFLOWTEAM.COM || ** (at www.masflowteam.com) 19:32 < krzie> vote for ghetto george at the bottom bottom right 19:50 -!- troy- is now known as troy 20:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:02 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 21:12 < krzie> !configs 21:12 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:19 -!- Dougyyy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 21:20 < krzie> !tcp 21:20 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 21:32 < krzie> hey dougy 21:32 < krzie> how do i make a post sticky and closed? 21:32 < krzie> i made a new post in configuration saying what we need to help them 21:34 < dougy[home]> hmm 21:34 < dougy[home]> hell if ir emember 21:34 < dougy[home]> i dont even remember my user/pass 21:34 < dougy[home]> lol 21:52 < krzie> ... whose forum is this? 21:55 < dougy[home]> what? 21:56 < krzie> like isnt this your forum? 21:56 < dougy[home]> yes 21:56 < dougy[home]> look at my last login date, lol 21:57 < krzie> well common admin... admin! 
21:57 < dougy[home]> ahh ah 21:58 < dougy[home]> there we go 21:58 < dougy[home]> Last visit was: 10 Dec 2008 18:40 21:58 < krzie> its stupid that admin stuff is 100 21:58 < krzie> its stupid that admin stuff is 100% separate from browsing the forum 21:59 < dougy[home]> yeah 21:59 < krzie> i should be able to delete someones post from there, manage a user from there, make a post sticky from there, close a thread from there 21:59 < dougy[home]> agreed 22:00 < krzie> http://www.ovpnforum.com/viewtopic.php?f=6&t=99 22:00 < vpnHelper> Title: OpenVPN Forum View topic - General rules for getting help (at www.ovpnforum.com) 22:01 < krzie> pls close and sticky it 22:01 < dougy[home]> already was reading it :] 22:03 -!- troy is now known as troy- 22:08 -!- Dougyyy [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 22:08 < Dougyyy> hmm 22:08 < Dougyyy> FFFFFFS 22:08 < Dougyyy> wifi fails so hard 22:09 < Dougyyy> ecrist: ping 22:09 < dan__t> PONG MOTHERFUCKER 22:12 < Dougyyy> dan__t: you are not welcome here 22:12 < dan__t> No. 22:12 < dan__t> I'm just bored.
22:22 < krzie> heh 22:30 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 113 (No route to host)] 22:42 < Dougyyy> meh 22:42 < Dougyyy> gf went to sleep 22:42 < Dougyyy> so im off 22:42 < Dougyyy> cya 22:42 < krzie> what bout that thread 23:09 -!- krzie [i=krzee@unaffiliated/krzee] has quit ["My damn controlling terminal disappeared!"] 23:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 23:44 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has quit ["bbl"] --- Day changed Sun Apr 19 2009 00:25 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 00:34 -!- albech [n=albech@119.42.77.133] has quit [Read error: 104 (Connection reset by peer)] 01:00 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 01:02 -!- albech [n=albech@119.42.77.133] has joined ##openvpn 01:05 -!- albech_ [n=albech@119.42.77.133] has joined ##openvpn 01:21 -!- albech [n=albech@119.42.77.133] has quit [Connection timed out] 01:22 -!- albech_ is now known as albech 01:25 < krzee> !pushdns 01:25 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 01:26 -!- albech [n=albech@119.42.77.133] has quit [Read error: 104 (Connection reset by peer)] 01:50 -!- albech [n=albech@119.42.77.133] has joined ##openvpn 01:53 < reiffert> moin 01:59 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 02:00 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit [Client Quit] 02:10 < krzee> moin moin 02:43 -!- theDoc- [n=andelyx@bb116-15-19-198.singnet.com.sg] has joined ##openvpn 02:49 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 03:14 -!- roentgen 
[n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:31 -!- mandh_ [n=chatzill@82.137.216.38] has joined ##openvpn 03:34 -!- mandh_ is now known as mandh 03:40 -!- mandh is now known as mandh12 03:42 -!- mandh12 is now known as mandh 03:44 -!- mandh [n=chatzill@82.137.216.38] has left ##openvpn [] 03:45 -!- mandh [n=chatzill@82.137.216.38] has joined ##openvpn 03:48 < mandh> Hi , i have open vpn client connect to more than one remote server , when remote server one fail , it connect successfully to the second one , but when first one back to work , the client still connected to the second one , any hint please 03:48 < mandh> 03:59 -!- mandh [n=chatzill@82.137.216.38] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 04:03 -!- mandh [n=chatzill@82.137.216.38] has joined ##openvpn 04:06 < krzee> only 1 idea 04:07 < krzee> you can have a script check which you're on, if on second one, ping first 04:07 < krzee> if first responds, kill openvpn and start it again 04:08 < krzee> then it will connect to first 04:08 < krzee> *shrug* 04:08 < krzee> or you can connect first and second and make it not matter which you're on 04:08 < mandh> yes 04:08 < krzee> gnite 04:08 < krzee> gf waiting for me 04:09 < mandh> so there is no other solution 04:09 < mandh> built in to openvpn itself 04:28 -!- c64zottel [n=hans@p5B179D59.dip0.t-ipconnect.de] has joined ##openvpn 04:54 -!- lynx_r [n=quassel@95-107-123-151.dsl.orel.ru] has joined ##openvpn 05:09 -!- theDoc- [n=andelyx@bb116-15-19-198.singnet.com.sg] has quit [Read error: 113 (No route to host)] 05:18 -!- nihilstar [n=nihil@89.136.243.243] has joined ##openvpn 05:42 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)] 05:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 06:05 -!- nihilstar [n=nihil@89.136.243.243] has quit ["Ex-Chat"] 06:08 -!- Timpa88
[n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 06:10 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 06:12 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.] 06:12 -!- onats_ is now known as onats 06:13 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 06:22 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn 06:25 -!- mandh [n=chatzill@82.137.216.38] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 07:22 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:22 < gebura> hi 07:23 < gebura> i am looking for help for debugging networkmanager-openvpn , i am on the right place (nobody answer on #nm) ? 07:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:48 -!- lynx_r [n=quassel@95-107-123-151.dsl.orel.ru] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 08:30 -!- row [i=row@who.br0ke.me.uk] has quit [] 08:47 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 09:01 -!- dougy[home] [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 09:05 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 09:10 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 09:15 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:15 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 09:18 -!- Dougyyy [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 09:21 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."] 09:52 -!- Yasuo [n=Max@dslb-088-072-201-207.pools.arcor-ip.net] has joined ##openvpn 09:52 < Yasuo> hiho 09:53 < Yasuo> when i connect two clients to a openvpn server, is it normal that they cannot ping 
each other per default? 09:53 < gebura> firewall problem ? 09:54 < Yasuo> the server is firewalled, but Port 1194 is open and the clients are connected 09:54 < gebura> ok sorry, i misread 09:54 < gebura> no idea 09:54 < Yasuo> according to tcpdump the ping of the 1st client did not reach the 2nd client 09:55 < Yasuo> np 09:55 < gebura> can the server ping each other ? 09:55 < gebura> what is the mask of server / client ? 09:56 < gebura> maybe you can use ip_forwarding (dirty hack but i don't know openvpn very well) 09:56 < Yasuo> all masks are 255.255.255.255 09:57 < Yasuo> default config setting 09:57 < gebura> you should test with /24 09:57 < gebura> (= 255.255.255.0) 09:58 < Yasuo> server 10.8.0.0 255.255.255.0 thats the default 10:00 < theDoc> Yasuo: By default, if your clients are assigned a /30, they cannot ping each other. 10:00 < theDoc> I have that on my setup, I don't really want the clients to be communicating. 10:02 < Yasuo> how do i change it to /24? by server.config? 10:03 < Yasuo> i have a service running on one client, and the 2nd has to access it 10:05 < theDoc> Yasuo: Probably inside server.conf, I'm lazy enough to not want to fire up my config file to check it for you 10:06 < theDoc> !route 10:06 < vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:06 < Yasuo> server 10.8.0.0 255.255.255.0 10:06 < Yasuo> thats written down in my config.
but the clients have 255.255.255.255 10:06 < theDoc> Err, No 10:06 < theDoc> Hm 10:06 < theDoc> Yasuo: I believe that's somewhere in the docs, try searching ;p 10:07 < Yasuo> k :P 10:08 -!- troy- is now known as troy 10:08 < Yasuo> maybe i should just run the openvpn on the VM running the desired service and forward openvpn's udp-port 10:09 < gebura> Yasuo, you also have to verify that your client have a route to 10.8.0.x not only to 10.8.0.1 (if 1 is the server) 10:14 < Yasuo> ok i just had to push it 10:15 < Yasuo> it confused me a bit thats all :) 10:15 < Yasuo> push "route 10.8.0.0 255.255.255.0" 10:36 -!- xororand [n=xororand@unaffiliated/xororand] has joined ##openvpn 10:37 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has quit ["Lost terminal"] 11:09 -!- albech [n=albech@119.42.77.133] has quit [Read error: 110 (Connection timed out)] 11:09 -!- albech [n=albech@119.42.77.158] has joined ##openvpn 12:47 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 113 (No route to host)] 13:00 -!- mavimo [n=marco@host93-9-dynamic.104-80-r.retail.telecomitalia.it] has joined ##openvpn 13:01 < mavimo> hi @ all.. 13:23 -!- mavimo [n=marco@host93-9-dynamic.104-80-r.retail.telecomitalia.it] has left ##openvpn [] 13:34 -!- c64zottel [n=hans@p5B179D59.dip0.t-ipconnect.de] has left ##openvpn [] 13:37 < dougy[home]> troy fails 13:39 < troy> ?????
13:39 < troy> bbiab 13:40 < dougy[home]> ahaha 13:40 < dougy[home]> k 14:10 < dan__t> WHAT 14:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 14:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:42 -!- theDoc [n=andelyx@208.99.194.194] has quit [] 14:58 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 15:06 -!- Yasuo [n=Max@dslb-088-072-201-207.pools.arcor-ip.net] has quit ["Leaving."] 15:09 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 15:12 -!- Kurogane [i=Kuro@190.53.8.79] has quit ["Saliendo"] 15:31 < dougy[home]> sigh 15:31 < dougy[home]> i try to set up an easy vpn 15:31 < dougy[home]> and fail 15:32 < dougy[home]> there we go.. 15:32 < dougy[home]> it magically worked 15:39 < Bushmills> there's no magic about replicating the steps from the howto 15:39 < dougy[home]> well 15:39 < dougy[home]> vpn was up for 5 minutes and didn't work 15:39 < dougy[home]> then abruptly RDP went through 15:40 < Bushmills> was already open before openvpn connected? 15:40 < dougy[home]> nope 15:41 < Bushmills> any other check you did, like, pinging remote? 
15:43 -!- troy is now known as troy- 15:43 < Bushmills> however, would result of setting up openvpn depend on magic, not many people were successfully running it 15:44 < Bushmills> i'd even propose: in case of magic as one ingredient of peer to peer communication, openvpn would be superfluous 15:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:57 -!- troy- is now known as troy 16:47 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 16:49 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has joined ##openvpn 16:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: ThoMe, karlpinc, worch 16:58 -!- Netsplit over, joins: karlpinc, worch 16:58 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 16:59 -!- Netsplit over, joins: ThoMe 18:02 -!- albech [n=albech@119.42.77.158] has quit [Read error: 60 (Operation timed out)] 18:13 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)] 18:13 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 18:23 -!- troy is now known as troy- 19:35 < ecrist> dougy[home]: pong 19:49 < dougy[home]> hihi 19:49 < dougy[home]> :) 19:50 < ecrist> what were you pinging me fore? 19:50 < ecrist> s/e$// 19:52 < dougy[home]> need help 19:52 < dougy[home]> heh 19:52 < dougy[home]> on the forum i mean 19:53 < dougy[home]> is there phpmyadmin on your server somewhere? 19:53 < ecrist> oh, ok, what do you need? 19:53 < ecrist> yes 19:53 < ecrist> 19:53 < ecrist> /sql-admin 19:53 * dougy[home] needs to modify the email address for the admin user so he can recover the pw 19:54 < dougy[home]> now to find the user info 19:55 < ecrist> it's in the phpbb config file 19:55 < dougy[home]> yes 19:55 < krzee> also if you can figure out how to close a thread and make it sticky... 
19:55 < krzee> pleae do 19:55 < dougy[home]> i mean i need to find the info to log into the ftp 19:55 < krzee> please 19:55 < dougy[home]> and krzee: once i get the admin pass 19:55 < dougy[home]> ;p 19:55 * ecrist has admin 19:55 < krzee> i made a post for what to give us to get help in configuration 19:55 < ecrist> krzee, you're an admin, iirc 19:56 < krzee> ya, cant find how to do that 19:56 < krzee> ive been removing the spam and whatnot... 19:56 < dougy[home]> ecrist: how is mrs. crist? 19:56 < ecrist> doing good. 19:56 < ecrist> krzee, which forum needs to be closed/stickied? 19:56 < dougy[home]> hmm 19:57 < dougy[home]> google' search is failing me 19:57 < ecrist> the general rules for getting help section? 19:58 < dougy[home]> balls where did i put that email hah 19:59 < ecrist> dougy[home]: resent 20:04 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:06 < dougy[home]> ecrist 20:06 < dougy[home]> did i ever mention you da man? 20:07 < ecrist> :) nope 20:07 < dougy[home]> well, i did now 20:07 < dougy[home]> h.s-c.net/sql-admin ? 20:08 < ecrist> yes 20:08 < dougy[home]> 404 20:12 < ecrist> https://www.secure-computing.net/sql-admin 20:12 < vpnHelper> Title: phpMyAdmin 2.10.0.2 (at www.secure-computing.net) 20:15 * ecrist goes away 20:16 < dougy[home]> oh 20:16 < dougy[home]> i went to hosting./sql-admin 20:16 < dougy[home]> not just s-c.net 20:17 < dougy[home]> krzie: there? 20:26 < dougy[home]> fail 20:38 < krzee> ? 20:43 -!- troy- is now known as troy 21:03 -!- dougy[home] [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [] 21:09 < karlpinc> krzee : You were spectacularly unhelpful yesterday. I just spent less time reading the code to get the answer than the time I wasted in irc with you. And it was much less frustrating. It's a shame that this channel was a time suck rather than a help. 21:10 < krzee> thats great 21:10 < krzee> i dont even remember you 21:10 < karlpinc> krzee : I could have your handle wrong.
If so I apologize. 21:10 < krzee> nah im here pretty often, could have been 21:11 < onats1> lol 21:11 -!- onats1 [n=15172@221.121.120.254] has left ##openvpn [] 21:11 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 21:32 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 21:56 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has joined ##openvpn 22:53 < zheng> Can PF(i.e. packet filter) control or filter the packets from a client to another client? How to do it? 22:54 < sirus> client to another client? 22:55 < zheng> I means, A<->B, A<->C, but I want to cut the B<->C, is it possible? 22:55 < zheng> yes, client to client? 23:00 < sirus> i dunno 23:07 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has quit [Read error: 54 (Connection reset by peer)] 23:10 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has joined ##openvpn 23:10 -!- albech [n=albech@119.42.76.62] has joined ##openvpn 23:13 -!- albech [n=albech@119.42.76.62] has quit [Client Quit] 23:24 -!- albech [n=albech@119.42.76.62] has joined ##openvpn 23:37 -!- scwang [n=scwang@123.118.123.27] has joined ##openvpn 23:54 < krzee> zheng, 23:54 < zheng> krzee, yes 23:54 < krzee> are you asking if there is a way to cut the server out of the chain when openvpn clients communicate? 23:54 < zheng> yes, 23:54 < krzee> so the clients can directly exchange packets...? 23:55 < krzee> cant be done with openvpn 23:55 < krzee> yet 23:55 < krzee> if you are a good coder ild be happy to give you how i think it could be done 23:55 < zheng> can not ? 23:55 < krzee> can not 23:55 -!- c1rcuit [n=c1rcuit@pool-70-111-224-141.nwrk.east.verizon.net] has joined ##openvpn 23:56 < c1rcuit> how do i start openvpn from command line? 23:56 < c1rcuit> i mean termina; 23:56 < c1rcuit> l 23:56 < c1rcuit> lol 23:56 < krzee> !man 23:56 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
23:56 < zheng> yes, I want to know how you think it. 23:56 < krzee> you just run it with the config file 23:56 < krzee> for the most basic 23:56 < krzee> everything else can go in the config 23:56 < krzee> (and anything in the config can be on commandline) 23:57 < krzee> zheng, you're a good coder? 23:57 < c1rcuit> i am getting "openvpn: service not started" 23:57 < zheng> eh, yes, I'm a software engineer. 23:57 < krzee> sweet 23:57 < krzee> ok heres my idea 23:57 < krzee> there would be an extra client config option 23:57 < krzee> to allow it to go direct or not 23:58 < krzee> then the person requesting the connection tells the server it wants to go direct with the client in question 23:58 < krzee> (automatically based on the config option that told it so) 23:59 < krzee> the server then gives the other client info to make an outbound connection to you 23:59 < krzee> and tells your client about it too, both with all needed info given to it by server 23:59 < krzee> they can even do key exchange through the server 23:59 < krzee> since both know about it, they can make outbound connections at each other real quick and boom, nat is broken on both sides --- Day changed Mon Apr 20 2009 00:00 < krzee> and keyx is done by server, so just as secure 00:00 < zheng> yes, I know you explain the exchange process. 00:01 < zheng> but I think the internal PF function can OR should be be able to control the c2c traffic?
00:01 < krzee> negative 00:01 < krzee> SSL doesnt work like that 00:02 < krzee> all traffic inside the tunnel needs to go to the server 00:02 < krzee> who then sends it through a completely different ssl tunnel 00:02 < krzee> my idea is the solution to this problem 00:02 < krzee> with built in 2-way nat hole punching 00:03 < zheng> yes, but when FORWARD, it is decrypted and it is plaintext, and server can judge the internal ROUTING/ 00:03 < krzee> good luck to you 00:03 < krzee> if you decide to work on my idea pls let me know, that would rule 00:03 < zheng> OK, thank you so much. 00:04 < c1rcuit> when i try to reload something in openvpn, it says that the service is not started (from terminal, in fedora) 00:12 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:12 < krzee> openvpn --config 00:13 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 00:13 < krzee> if you want the service way you need to setup your os's service stuff correctly 00:13 < krzee> but with openvpn itself thats how you start it 00:13 < krzee> i believe you send a restart signal with kill to reload the config 00:14 < zheng> krzee, there was a misunderstanding. I want to know is it possible that the server can connect some clients and cut some clients, not a client forward direct to another client. 00:14 < zheng> I means, Server=S, Clients=A,B,C. 00:15 < krzee> so you want some clients can communicate with others and some can not 00:15 < zheng> S --- A, S --- B, S ---C, and A ---B, BUT, A ---X--- C. 00:15 < krzee> i would think you can filter that in the firewall, but im not 100% sure 00:15 < zheng> I means server cut connection between some clients.
00:16 < krzee> if it doesnt work it could be that when openvpn knows a route internally that the packets never hit the kernel 00:17 < krzee> you could also try pushing that client a route to break routing for 10.8.0.0 255.255.255.0 00:18 < krzee> although if that person fixed that route they could still communicate 00:18 < krzee> The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface. 00:18 < krzee> ya i dont think the firewall method will work 00:19 -!- c1rcuit [n=c1rcuit@pool-70-111-224-141.nwrk.east.verizon.net] has left ##openvpn ["Leaving"] 00:19 < krzee> When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules. 00:21 < krzee> so how about this 00:21 < krzee> leave out --client-to-client 00:21 < krzee> give the ones that should communicate a push route "10.8.0.0 255.255.255.0" 00:21 < krzee> in a ccd/ config 00:22 < krzee> i mean push "route 10.8.0.0 255.255.255.0" 00:26 < krzee> that should make them route that traffic to the server, and without --client-to-client that should go to the device before finding its way back to the process 00:40 < zheng> Thx very much, I get it. 00:47 < krzee> np 00:59 -!- scwang [n=scwang@123.118.123.27] has left ##openvpn ["Leaving"] 01:06 < krzee> happy 420 01:06 < tjz> what is 420? 01:06 < tjz> lol 01:15 < krzee> !google 420 01:15 < vpnHelper> krzee: 420 (cannabis culture) - Wikipedia, the free encyclopedia: ; What is 420? What does 420 Mean? The origins of 420 - Concept420: ; Urban Dictionary: 420: 01:15 < krzee> first link 01:28 < tjz> thx jeff 01:29 < tjz> yucks.. 01:29 < tjz> durg.. 01:29 < tjz> drug.. 
01:30 < tjz> omg 01:30 < tjz> my friend like this day 01:30 < tjz> he wanna smoke 01:34 < Bushmills> krzee, i think i can bust the last myth ("4:20 is tea time for pot-smokers in Holland.") 01:45 < krzee> it spread world wide ;] 01:46 < krzee> ohh 01:47 < krzee> right 01:47 < krzee> but the part about an rafael is true 01:47 < krzee> im from that general area 02:08 -!- albech [n=albech@119.42.76.62] has quit [Read error: 104 (Connection reset by peer)] 02:09 < onats1> anyone up? 02:09 < onats1> krzee? 02:10 < dan__t> No. 02:26 -!- albech [n=albech@119.42.76.62] has joined ##openvpn 02:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:44 -!- c64zottel [n=hans@p5B17B263.dip0.t-ipconnect.de] has joined ##openvpn 04:12 < onats1> you're up 04:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:25 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn 05:26 < Coke> Hi. Is it possible to authenticate vpn with only rsa key, no certificates? 05:28 < [4-tea-2]> Coke: check the "static key mini howto" on the OpenVPN page. 05:28 < [4-tea-2]> Coke: you will lose some functionality, though. 05:29 < [4-tea-2]> ...and some security, obviously. 05:30 < Coke> [4-tea-2]: I don't really see how a certificate adds significant amounts of security 05:31 < [4-tea-2]> Coke: if someone records all your VPN traffic and gets hold of your static key later, he can decrypt the recording. 05:31 < Coke> [4-tea-2]: sure. and if he gets hold of a local terminal and my root password I'm also screwed 05:32 < [4-tea-2]> As I understand it, using the TLS stuff, this can be avoided. Don't ask me for details. 05:32 < Coke> the rsa key would be used for tls 05:32 < [4-tea-2]> I just wanted to point it out, I'm not trying to tell you what's best for you. 
05:32 < Coke> from what I understand, which isn't much, certificates are basically just fancy keys with additional information in them 05:33 < Coke> Basically, the only reason I don't want to use certificates is 1) I don't need them anywhere else, 2) already got rsa keys for SSH 05:34 < Coke> Also, generating new rsa keys using ssh-keygen is a one-line-shot compared to the 15+ steps and custom scripts under easy-rsa 05:34 < [4-tea-2]> Well, I started with a static key setup, then I noticed I need features that are only available with certs. 05:35 < Coke> such as? 05:36 < Coke> I'm not even sure OpenVPN is what I'm looking for. I have two separate LANs, 192.168.1.0, that I want to connect together over Internet. 05:37 < [4-tea-2]> !route 05:37 < vpnHelper> [4-tea-2]: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:37 < [4-tea-2]> That should be a helpful read for setting that up. 05:38 < Coke> Indeed, routing seems to be my choice for this, but so far I have not gone past the step of creating certificates. 05:38 < [4-tea-2]> And to answer your last question, I think scripts that are run on client connection are only available with certs. 05:38 < Coke> What? 05:38 < Coke> "scripts that are run on client connection" ? 05:39 < [4-tea-2]> scripts which are run when the VPN connection is actually established, see --client-config-dir 05:40 < Coke> Run where by whom? 05:40 < Coke> I can't do echo "Hello world!" on my client in a terminal? 05:40 < [4-tea-2]> Heh, little misunderstanding. 05:41 < [4-tea-2]> In my setup, I need OpenVPN to run certain scripts when a client connects or disconnects, to fix routing/arp issues. 05:41 < Coke> Hm. I'm not sure VPN is the solution I'm looking for. 05:41 < Coke> All I want is for 192.168.1 packages to be routed via a virtual interface.
05:42 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: zheng
05:43 < [4-tea-2]> Coke: OpenVPN can certainly do that.
05:43 -!- Netsplit over, joins: zheng
05:43 < Coke> [4-tea-2]: but at what administrative cost?
05:44 < Coke> Even with the "easy" rsa scripts it's a 30+ step procedure just to get a connection.
05:44 < [4-tea-2]> Well, I learned a lot setting it up, and now it works. For me, it's been a good experience.
05:44 < Coke> [4-tea-2]: if certificates were useful to me in any other way I might consider spending 40 hours to set it up
05:45 < Coke> but creating a dozen files, requests, keys, signed certs, root certs etc just for one connection is a tad much
05:45 < [4-tea-2]> Well, as I said before -> static key mini howto
05:45 < [4-tea-2]> http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
05:45 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
05:46 < [4-tea-2]> plus !route
05:46 < [4-tea-2]> (...if I understood correctly)
05:47 < Coke> Yes.
05:48 < Coke> What is pem and crt differences?
05:57 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn
06:01 < dazo> Coke: pem - is a file format .... crt is an SSL certificate, which can be formatted as PEM, DER or PKCS#12
06:02 < dazo> Coke: I see you have some questions regarding to what benefits SSL certificate has ...
06:03 < Coke> dazo: already read about the limitations of the static key
06:03 < dazo> Coke: most importantly, it is a mechanism for authenticating the server and clients
06:03 < Coke> dazo: i think most of my questions are regarding the mile long list of things to do just to setup authentication
06:05 < dazo> Coke: SSL certificates should be signed by a Certificate Authority (CA), which is a trusted third party. That means that when a client connects, it can validate if the server certificate is signed by a CA which it trusts. And the same for server can see if the client has a signature by a CA which it trusts
06:05 < Coke> I already made my CA
06:05 < Coke> it created a key file and a pem file
06:05 < Coke> I named them cacert.pem and cakey.pem
06:06 < dazo> Coke: the certificate management is more complex ... but also a lot more safer ... as it gives you control on the server later on to revoke clients which should not have access anymore .... and certificates can also have expiry dates
06:06 < Coke> After that I created a request, from that request I made the server certificate (I think) which resulted in two additional pem files
06:06 < Coke> dazo: I don't need any of those
06:06 < dazo> Coke: if you want something GUI .... you should check out tinyca ... that creates pretty good control over things
06:06 < Coke> dazo: there will only be two computers connected, routing traffic
06:06 < Coke> dazo: no thanks
06:07 < Coke> so I have no need of a root ca 3rd party nor multiple client certificates
06:07 < dazo> Coke: oki ... well, maybe I'm just paranoid ... but I don't see any reasons why not to setup certs when that's the basic security level of SSL, which openvpn is based upon .... if security is not important, why bother about encryption at all?
06:08 < Coke> dazo: ssl also connects using keys
06:08 < dazo> Coke: it's not difficult .... once you just learn the few basic steps
06:09 < Coke> dazo: I don't see the use for them
06:09 < Coke> dazo: there's no need for a 3rd party to verify anything and no need to have multiple, unique authorizations to clients.
06:10 < dazo> Coke: oki ... you don't need it to be a real 3rd party ... but when you created your own CA, that is your own 3rd party ... those files with CA keys and the generated keys, can be locked down on an USB key not connected to a computer at all
06:10 < dazo> Coke: you only need those files when generating new keys
06:11 < dazo> Coke: or to be more correct ... when signing new keys
06:11 < Coke> dazo: my clients don't have real host names either
06:11 < Coke> I'm not really in need of identifying the client since there will ever only be one
06:11 < Coke> I'm reading the ipsec manuals, it looks like it's a lot better at linking two networks together.
06:12 < dazo> Coke: ipsec got even more certificate integration
06:12 < dazo> Coke: certificates is a key factor in most VPN's
06:12 < Coke> but why?
06:13 < Coke> There's only one server and one client for my setup.
06:13 < Coke> and also, ipsec seems to use only keys for connecting net-to-net
06:13 < Coke> you only need certificates when you need to identify the client, as suspected.
06:14 < dazo> Coke: you can use certificates to authenticate both ways ... the client can authenticate the server, and vice versa
06:15 < Coke> dazo: for me they only need to be authorized
06:16 < Coke> or I guess authenticated, but they don't need to be identified
06:17 < Coke> dazo: I've got a total of TWELVE files just to setup a two-way secure communication
06:17 < Coke> whereas ssh requires just two.
06:17 < dazo> Coke: and why is that so bad?? .... lacking disk space?
06:17 < Coke> dazo: it really makes no sense for my setup to be so advanced
06:17 < dazo> Coke: And you only need ... config, server key and server cert on the server .... on client you need the same 3 files
06:18 < dazo> Coke: it is not advanced .... it really is not
06:18 < Coke> dazo: compared to rsa key
06:18 < Coke> it matters not, i have my openvpn server running now. guess it accepted all my pem-files
06:20 < dazo> Coke: and remember .... SSH does use client key, server key, and public key as well ... but in the SSL world, the key changes regularly ... SSH uses a complete different approach for that
06:20 < dazo> Coke: and RSA is also what OpenSSH uses ... that's just formats again, just as DSA is
06:22 < dazo> or to be correct, algorithm is the right term for RSA and DSA
06:23 < Coke> dazo: sure. still just need to copy one key into authorized_keys -> done
06:24 < Coke> do I need ca for the client ?
06:24 < dazo> Coke: but it still is not as solid and secure as proper SSL implementation with certificates ... and even OpenSSH can now be configured to use certificates as well, to improve that field
06:25 < dazo> Coke: you need the CA certificate, which is the same as CA cert as you have on the OpenVPN server
06:25 < Coke> Actually, for SSH it makes sense since you want to identify the users
06:25 < Coke> dazo: how come a browser doesn't need it?
06:26 < dazo> Coke: and it makes the same sense on VPN too .... you are letting a user from a unsecure network accessing your internal network ... that's exactly why you need certificates
06:26 < dazo> Coke: your browser does need them .... but you have 2 different approaches
06:27 < dazo> Coke: normally .... the browser only authenticates the server .... and when you don't need to install a CA cert, that's because the web server has already paid VeriSign or somebody else to sign their server certificate
06:27 < Coke> dazo: but I wont
06:27 < Coke> dazo: there's only 1 client that will ever connect and only one server
06:27 < dazo> Coke: but what if that client gets compromised?
06:27 < Coke> dazo: yeh, but the client is authenticated without having a ca locally
06:28 < Coke> dazo: what if they get access to a local terminal and root password?
06:29 < dazo> Coke: that's only limited by physical limitations .... if you place your console on the street ... sure, that's just as bad .... if you place it in a room without windows and only a door which you have the key for, that's safer
06:29 < Coke> dazo: what if someone gets hold of the key?
06:29 < Coke> it's actually more likely someone get hold of the physical key than getting the digital key
06:30 < dazo> Coke: if that's your reality, you have bad control on your physical premises
06:30 < Coke> dazo: it's not a bank
06:31 < Coke> dazo: we have an alarm, but it's still pretty easy to get in if you really want to
06:31 < Coke> in any case, why do I need the CA for the client?
06:31 < Coke> I thought the CA was to be kept safe, unavailable to the public?
06:31 < dazo> Coke: you don't need a CA for the client ... you need the CA certificate
06:31 < Coke> yeh, ca certificate
06:32 < dazo> Coke: the CA key (which is used for signing certificate requests), should be unavailable by the public
06:32 < Coke> If all files are on both client and server, I see no real security upgrade from a regular ssh key. It's just that the ssh key is split up into three files.
06:32 < Coke> ah, the key
06:33 < dazo> Coke: the certificate is only a kind of a signature .... and if that signature matches between what the server/client certificate signature and the CA certificate signature, that's a valid certificate
06:34 < Coke> dazo: why can't the client cert be used as a signature, like it works with browsers?
06:34 < dazo> Coke: the browser uses exactly the same system
06:34 < Coke> dazo: no
06:34 < dazo> Coke: yes
06:34 < Coke> dazo: I only get one certificate from my bank
06:34 < Coke> ONE
06:34 < Coke> oops
06:34 < [4-tea-2]> Coke, if you don't care for privacy, you probably don't need a VPN ("p" for "private"). Why not just use iptunnel (ipip).
06:34 < dazo> Coke: One of my banks, I need to download a client certificate .... which is used to identify me during login
06:35 < Coke> Who said I don't care about privacy?
06:35 < Coke> dazo: yes.
06:35 < Coke> dazo: how many certificates was that?
06:35 < dazo> Coke: but normal https connections require that the server provides a server certificate which is signed by a trusted 3rd party, which is in your certificate register
06:36 < Coke> dazo: but the client downloads that on the fly
06:36 < Coke> dazo: I thought it worked like this CA cert is used to sign server cert which in turn is used to sign client certs.
06:37 < dazo> Coke: on such client certificates ... the browser generates a private and public key, creates a signing request, sends it to the server which signs the client certificate and sends it back to the browser, which then saves these three files in its certificate register
06:37 < Coke> dazo: I see.
06:37 < dazo> Coke: http://en.wikipedia.org/wiki/Public_key_infrastructure
06:37 < vpnHelper> Title: Public key infrastructure - Wikipedia, the free encyclopedia (at en.wikipedia.org)
06:41 < Coke> dazo: anyway, I should use my server-cert.pem on both server and client?
06:41 < Coke> (as well as the same cacert.pem and server-key.pem)
06:42 < dazo> Coke: the client only needs the CA certificate .... and the client key .... the server needs only the CA certificate and the server key (and the DH params file)
06:43 < dazo> Coke: and the client needs the client certificate .... and the server needs the server certificate
06:44 < Coke> It's attempting to establish TCP connection now
06:48 < Coke> Hm. It's difficult to test the setup if both machines are already on the same LAN
06:51 < dazo> Coke: that's usually not going to work, for obvious reasons - routing .... but if you establish the VPN without any route statements ... you should be able to ping the other VPN end points from both sides
06:51 < Coke> dazo: naw, they just die
06:51 < Coke> Both the server and client are on 192.168.0 already
06:52 < dazo> Coke: exactly, because you probably have a route 192.168.0.0 255.255.255.0 statement in your config files
06:55 < Coke> dazo: sure
06:55 < dazo> Coke: if you comment out those route statements .... your test should work
06:57 < Coke> I didn't have them actually
06:57 < Coke> But I listened on the same interface as the server was setup for
06:57 < Coke> It is, of course, difficult to test it without changing the network on either client or server
06:59 < Coke> There
06:59 < Coke> It works
06:59 < Coke> Sweet.
06:59 < Coke> Although... I have to test which route it takes
07:01 < Coke> Hm. Why does the server behave as both 192.168.1.1 and 192.168.1.5?
07:02 < Coke> and my client got 192.168.1.6, can I control this?
07:04 < Coke> Oh, looks like my server has 192.168.1.1 on the interface. Don't know why it prints "ifconfig 192.168.1.6 192.168.1.5"
07:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:07 < Coke> Hm, I'm not really sure why it adds those routes, but... yeh.
07:07 < [4-tea-2]> Coke: I wondered about that, too. It doesn't happen with the static key setup. Someone told me it was necessary to circumvent some "Windows-only issue".
07:07 < Coke> those are unpingable addresses
07:07 < Coke> Also, broadcast address doesn't seem to work
07:08 < Coke> Now, this is a connection between machine A and machine B, what I really like is a connection between network A and network B
07:09 < Coke> is it as simple as adding my client machine as default gw for the 192.168.1 net?
07:09 < [4-tea-2]> Coke: didn't you say the local machines in the client network are already in 192.168.1.0/24?
07:10 < [4-tea-2]> pardon, I meant 192.168.0.0/24
07:11 < Coke> yes, they are in 192.168.0.0, but eventually there will be an internet between them
07:11 < [4-tea-2]> I don't think they can share a net, you would have to set up host routes for each machine on the other end.
07:11 -!- Cr0nix [i=irssi@62.141.56.213] has joined ##openvpn
07:11 < Cr0nix> hi all
07:11 < Coke> [4-tea-2]: hey, it says that odd address is "P-t-P"
07:12 < [4-tea-2]> Example: 192.168.0.10 is in the local net, 192.168.0.11 is in the remote net, how would your local machine know that it needs to route .10 differently than .11?
07:12 < Coke> It also has 255.255.255.255 mask and no bcast, so it doesn't work as an ordinary if
07:13 < Coke> [4-tea-2]: because it is mapped as 192.168.1.0/24
07:13 < Coke> [4-tea-2]: it works here right now
07:13 * [4-tea-2] shrugs.
07:13 < Coke> I can ping 192.168.0.9 and 192.168.1.1 to get hold of the same machine
07:13 < [4-tea-2]> See if you have a host route for 192.168.0.9. ;)
07:13 < Coke> imagine I had two physical network cards in these machines, it's the same thing, only instead of a nic it's a tcp connection
07:14 < Coke> no, not for .9 explicitly, but the gateway for 192.168.0.1 is still there
07:14 < [4-tea-2]> Coke: it would be the same problem with two physical nics.
07:14 < Coke> 192.168.0.0/24
07:14 < Coke> [4-tea-2]: what problem?
07:14 < [4-tea-2]> Example: 192.168.0.10 is in the local net, 192.168.0.11 is in the remote net, how would your local machine know that it needs to route .10 differently than .11?
07:14 < Coke> it doesn't
07:15 < Coke> The server has two interfaces, one 192.168.0.9 and one 192.168.1.1
07:15 < Coke> the latter is available only via openvpn
07:15 < [4-tea-2]> You said you're trying to connect two lans.
07:15 < Cr0nix> is here any1 who can point me to a working solution for the routing of internet through the openvpn tunnel?
07:15 < Coke> [4-tea-2]: I am
07:15 < [4-tea-2]> Both lans are using addresses in 192.168.0.0/24.
07:15 -!- troy is now known as troy-
07:15 < Cr0nix> !redirect
07:15 < vpnHelper> Cr0nix: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:16 < [4-tea-2]> Imagine a local setup with two nics, .10 routed via eth0, .11 routed via eth1.
07:16 < Coke> [4-tea-2]: in the future they will be, but I'm testing with two machines on the same LAN now
07:16 < Coke> [4-tea-2]: it can be done
07:16 < Cr0nix> !def1
07:16 < vpnHelper> Cr0nix: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
07:16 < Coke> [4-tea-2]: you just have to specify each route
07:16 < [4-tea-2]> Coke: that's exactly what I said.
07:16 < Cr0nix> !ipforward
07:16 < vpnHelper> Cr0nix: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
07:16 < Coke> [4-tea-2]: openvpn already specifies the routes
07:16 < [4-tea-2]> I don't think they can share a net, you would have to set up *host routes* for each machine on the other end.
07:17 < Cr0nix> !linipforward
07:17 < vpnHelper> Cr0nix: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
07:17 < [4-tea-2]> Well, never mind. If I'm right, you'll find out soon enough.
07:17 < Coke> [4-tea-2]: right about what?
07:17 < [4-tea-2]> ...and if I'm wrong you don't need to worry.
07:17 < Coke> [4-tea-2]: everything works dandy.
07:17 < Coke> [4-tea-2]: in the future my server won't be on this LAN and it won't have 192.168.0.9 as address, it will have some public IP
07:17 < [4-tea-2]> And there will be machines "behind" that server?
07:18 < Coke> [4-tea-2]: indeed.
07:18 < Cr0nix> !nat
07:18 < vpnHelper> Cr0nix: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
07:18 < [4-tea-2]> And they will also receive new, non-192.168.0.0/24 IP addresses?
07:18 < Cr0nix> !linnat
07:18 < vpnHelper> Cr0nix: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
07:18 < Coke> [4-tea-2]: I don't think that's possible or advisable
07:19 < Coke> [4-tea-2]: they will most likely be split up into two networks: 192.168.0 and 192.168.1
07:19 < [4-tea-2]> You can also use 192.168.0.0/25 and 192.168.128.0/25 to split an existing 192.168.0.0/24.
07:19 < Cr0nix> hm
07:20 < Coke> [4-tea-2]: true. but then I'd have to consider that when setting up DNS, broadcasts, etc
07:20 < Cr0nix> is it possible to assign ipv4 AND ipv6 addresses to vpn client?
07:20 < Cr0nix> *clients
07:20 < Cr0nix> so
07:21 < Cr0nix> client -> ipv6 and ipv4 tunnel -> vpn server with native ipv6 and ipv4
07:21 < [4-tea-2]> Will broadcast work across a normal OpenVPN connection? I seem to remember that a bridging setup is needed for that?
07:21 < Cr0nix> -> the interwebs
07:21 < Coke> [4-tea-2]: and then, I guess, it's all about adding a default gw for the alternate network
07:21 < [4-tea-2]> Coke: no, it isn't. ;)
07:22 -!- troy- is now known as troy
07:22 < Coke> [4-tea-2]: no?
07:22 < [4-tea-2]> Coke: it's all about adding a gazillion of host routes in your case, I think. That's why I'm trying to make you think about your network setup.
07:23 < Coke> [4-tea-2]: I already thought about it, with the current limitations I have little else to do about it
07:23 < [4-tea-2]> If there's a possibility that 192.168.0.10 will end up in one lan and 192.168.0.11 will end up in the other lan, your setup is broken by design, methinks.
07:23 < Coke> Ideally, the openvpn server/client would just magically make both 192.168.0 networks act as if they were on the same LAN
07:24 < Coke> [4-tea-2]: it won't, one network will have 192.168.1 and one will have 192.168.0
07:24 < [4-tea-2]> Coke: then don't use 192.168.1.0/24 for the OpenVPN-internal addresses.
07:25 < Coke> [4-tea-2]: I'm not sure what openvpn-internal address is
07:25 < [4-tea-2]> Use one net for lan1, one net for lan2 and a different net for the OpenVPN endpoints.
07:25 < Coke> afaik there are no "internal" addresses
07:25 < [4-tea-2]> The addresses bound to the tun devices
07:25 < Coke> [4-tea-2]: well, they would both have to be public IP's
07:25 < Coke> at least the server
07:26 < [4-tea-2]> Coke: ifconfig tun0
07:26 < [4-tea-2]> Coke: *that* address
07:26 < Coke> or I could setup the hw router properly instead of doing that
07:26 < Coke> [4-tea-2]: that should be the remote net
07:26 < [4-tea-2]> Coke: you said before it was 192.168.1.{1,5,6,whatever}
07:27 < Coke> My server will be 192.168.1.9 on eth0 and 192.168.0.1 on tun0
07:27 < [4-tea-2]> The OpenVPN manual advises against this.
07:28 < Coke> and my client will have reverse, it will have 192.168.0.10 on eth0 and 192.168.1.x on tun0 where x is whatever is decided to do that windows workaround thingie
07:28 < Coke> I don't see any other solution
07:29 < Cr0nix> the iptables command from the official howto doesn't work
07:29 < Cr0nix> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
07:29 < [4-tea-2]> Coke: Ideally, the server would be e.g. 192.168.2.1, on 192.168.0.x a network route for 192.168.1.0/24 would point to the gateway 192.168.2.1.
07:29 < Cr0nix> it gives me an error
07:29 < [4-tea-2]> Cr0nix: what error?
07:30 < Cr0nix> bad argument 'the.ip.address.here'
07:30 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
07:30 < [4-tea-2]> Cr0nix: typo?
07:30 < Cr0nix> nope
07:31 < [4-tea-2]> If you want, paste the full command line with all following lines somewhere and I'll have a look at it. iptables is my friend.
07:31 < Cr0nix> i sux very hardly at iptables
07:31 < Cr0nix> so thx
07:31 < Cr0nix> xD
07:32 < Cr0nix> can i post 3 lines here in cleartext or better use pastebin?
07:33 < [4-tea-2]> three lines is certainly okay
07:33 < Cr0nix> wlan-vpn:/etc/openvpn# iptables -t nat -A POSTROUTING 192.168.178.0/32 -o eth1 -j MASQUERADE
07:33 < Cr0nix> Bad argument `192.168.178.0/32'
07:33 < Cr0nix> Try `iptables -h' or 'iptables --help' for more information.
07:33 < Cr0nix> its the same syntax as mentioned on the openvpn howto
07:33 < Cr0nix> just a different ip adress
07:33 < Cr0nix> +d
07:33 < Coke> [4-tea-2]: why do you want to have a different eth0 ip than the network it is actually on?
07:34 < [4-tea-2]> Cr0nix: you forgot the "-s"
07:34 < Cr0nix> needs interwebs on vpn connection
07:34 < Cr0nix> hm
07:34 < Cr0nix> now no error
07:34 < [4-tea-2]> ;)
07:34 < Cr0nix> but still no internet on my vpn client
07:34 < Cr0nix> damn it
07:35 < Cr0nix> i could kill iptables
07:35 < [4-tea-2]> That could have a gazillion reasons. ;)
07:35 < Cr0nix> jeah but for me its mostly iptables fault
07:35 < Cr0nix> because i dont know really much about it
07:35 < [4-tea-2]> The VPN connection is established, you can ping the other end?
07:35 < Cr0nix> jup
07:35 < Cr0nix> certificate based auth
07:35 < [4-tea-2]> There's a default route (or two, if you used def1) pointing towards the tun device?
07:35 < Cr0nix> woo?
07:36 < Cr0nix> what?
07:36 < Cr0nix> i just made
07:36 < Cr0nix> push "redirect-gateway"
07:36 < [4-tea-2]> Shouldn't that be "redirect-gateway def1"?
07:36 < Cr0nix> never used def1
07:37 < [4-tea-2]> I think it's the preferred way to set up a default route.
07:37 < Cr0nix> and i have a kinda complicated network setup
07:37 < Cr0nix> xD
07:37 < [4-tea-2]> The default route tells your machine where to send traffic towards teh internets.
07:37 < Coke> [4-tea-2]: of course, this is all complicated by the fact that I'm trying to setup a vpn between two machines on the same lan. :)
07:38 < Cr0nix> vpn-client -> via wlan -> router -> via lan -> vpn server -> internet
07:38 < Cr0nix> thats my network setup here
07:39 < Cr0nix> vpn clients ip on non-vpn connection: 192.168.0.101
07:39 < Cr0nix> vpn clients ip on vpn connection: 192.168.178.6
07:39 < Cr0nix> router ip
07:39 < Cr0nix> 192.168.0.10
07:39 < [4-tea-2]> Cr0nix: paste the result of "route -n" somewhere, please.
07:39 < Cr0nix> kk
07:39 < Cr0nix> xD
07:40 < Cr0nix> from client or server
07:40 < Cr0nix> ?
07:40 < [4-tea-2]> client, please
07:40 < Cr0nix> server = debian, client = win xp
07:40 < [4-tea-2]> Damn. :D
07:40 * [4-tea-2] knows zilch about Windows, sorry.
07:40 < [4-tea-2]> "route /print" or something like that?
07:41 < [4-tea-2]> I meant "C:\> ROUTE.EXE /PRINT" or something like that? ;)
07:41 -!- troy is now known as troy-
07:41 < Cr0nix> xD
07:41 < Cr0nix> jeah im on it
07:42 < [4-tea-2]> Oh, how did you test whether you had internet connectivity on the client after setting up NAT?
07:43 < Cr0nix> ping 208.67.222.222
07:43 < [4-tea-2]> Perhaps your Windows machine is trying to reach the DNS service on your router via the VPN or something like that. Try to ping an IP address instead of a DNS hostname to make sure it's not just a DNS problem.
07:43 < [4-tea-2]> Excellent. ;)
07:43 < Cr0nix> ^^
07:44 < Cr0nix> http://pastebin.com/m26b53b6f
07:45 < Cr0nix> route PRINT
07:47 < [4-tea-2]> Hmmm. As I said, I don't know much about Windows, but I'm kinda bamboozled because there are routes that use 192.168.178.5 as a gateway, but there's no host route for 192.168.178.5.
07:48 < [4-tea-2]> Not sure whether that's normal or not.
07:48 < Cr0nix> hm
07:48 < [4-tea-2]> Ah, never mind. Found it. :D
07:48 < Cr0nix> xD
07:48 < Cr0nix> as i said
07:48 < [4-tea-2]> 192.168.178.4/30 covers it.
07:48 < Cr0nix> my network setup here does even confuse me
07:48 < Cr0nix> xD
07:48 < [4-tea-2]> It seems the client side is okay, let's have a look at the server side.
07:49 < Cr0nix> so what do i need to type in for iptables?
07:49 < Cr0nix> so that all clients in the vpn network are routed over the vpn for internet
07:49 < [4-tea-2]> I'd like to see "route -n" and "iptables -vn -L -t nat"
07:49 < Cr0nix> kk
07:50 < Cr0nix> http://pastebin.com/m3d958114
07:50 < Cr0nix> http://pastebin.com/m447d6c6e
07:51 < Cr0nix> hm
07:51 < [4-tea-2]> Oh, it seems you got some leftovers in there.
07:51 < Bushmills> Cr0nix, on vpn server, something like this: http://scarydevilmonastery.net/masq
07:51 < Cr0nix> how to get rid of the "leftovers"
07:51 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
07:51 < Bushmills> on clients, you'd make vpn machine gateway
07:51 < [4-tea-2]> "iptables --table nat --flush" should clean them out.
07:52 < Coke> how the heck do I delete a route entry? it just says invalid argument
07:52 < Bushmills> Coke, bring down the interface. or route del .....
07:52 < Cr0nix> jup [4-tea-2] theyre gone now
07:52 < [4-tea-2]> Cr0nix: then try the last iptables statement again... "iptables -t nat -A POSTROUTING -s 192.168.178.0/32 -o eth1 -j MASQUERADE"
07:52 < Coke> ah, no
07:52 < Coke> I gotta specify for which gateway too
07:53 < Coke> even though there was only one route for the network
07:53 < Cr0nix> hmmm
07:53 < Cr0nix> [4-tea-2]: still no ping reply from outside the vpn network
07:54 < [4-tea-2]> LOL
07:54 < [4-tea-2]> Sorry, I missed something obvious.
07:55 < Cr0nix> xD
07:55 < [4-tea-2]> flush again, then:
07:55 < [4-tea-2]> iptables -t nat -A POSTROUTING -s 192.168.178.0/24 -o eth1 -j MASQUERADE
07:55 < Cr0nix> doen
07:55 < [4-tea-2]> the /32 netmask was wrong.
07:55 < Cr0nix> done
07:55 < Cr0nix> hmm
07:55 < Cr0nix> now that looks good now
07:55 < Cr0nix> xD
07:55 < [4-tea-2]> Excellent. :D
07:56 < Cr0nix> perfect
07:56 < [4-tea-2]> Welcome to the wonderful world of OpenVPN. :D
07:56 < Cr0nix> big thx
07:56 < Cr0nix> ;D
07:56 < Cr0nix> jeah a second time
07:56 < Cr0nix> xD
07:56 < Cr0nix> btwe
07:56 < Cr0nix> btw
07:56 < [4-tea-2]> Cr0nix: It was my pleasure!
07:56 < Cr0nix> is openvpn ipv6 ready yet?
07:56 < [4-tea-2]> no idea, I'm not IPv6-ready yet.
07:56 < Cr0nix> hm
07:56 < [4-tea-2]> My machines are, my provider is, I'm not. :D
07:57 < Cr0nix> im partially ipv6 ready xD
07:57 < Cr0nix> my isp isnt
07:57 < Cr0nix> my machines are via 6in4 tunnel
07:57 < Cr0nix> my dedicated1 is native ipv6
07:57 < Cr0nix> my other 2 dedicated are only ipv4
07:57 < [4-tea-2]> I even got a routed IPv6 from my ISP, but I'm planning to understand it first before I use it, I fear I might rip up large holes in my security setup.
07:57 < Cr0nix> oh jeah
07:57 < Cr0nix> u will
07:58 < Cr0nix> ipv6 dont like nat
07:58 < [4-tea-2]> ip6tables isn't my friend... yet. ;)
07:58 < Cr0nix> ^^
07:59 < tjz> ip6tables.. i am newbie to using it
08:02 < Cr0nix> xD
08:02 < Cr0nix> hmm
08:02 < Cr0nix> another issue
08:03 < Cr0nix> openvpn wont let me generate more than 1 client certificate
08:04 < Coke> Cr0nix: just run openssl
08:04 < Cr0nix> and then?
08:05 < Coke> Cr0nix: well, first you run openssl req and then openssl ca to certify the request
08:05 < Cr0nix> ive done that already
08:05 < Cr0nix> i have certs and keys for my server and my 1. client
08:05 < Coke> Cr0nix: from that two files will be created, one cert and one key
08:05 < Cr0nix> now i need a key and a cert for my 2. client
08:06 < Coke> Cr0nix: so do exactly what you did for your client once more
08:06 < Cr0nix> k
08:06 < Cr0nix> but after i made the certs for my client for the first time
08:06 < Coke> make sure you change the output names, though
08:06 < Cr0nix> it tells me i need to edit my vars script
08:06 < Cr0nix> but ive done that before already
08:06 < Coke> I use openssl directly, don't know about any hacks
08:07 < Cr0nix> its the easy-rsa stuff from the openvpn doc folder
08:07 < Coke> Yeh, didn't use that.
08:07 < Coke> It didn't seem easy to me at all.
08:08 < Coke> 15 scripts run in a 20-step tutorial
08:08 < Coke> using openssl you just use one binary twice.
08:08 < Coke> (three times if you're doing the server, for the dh)
08:09 < [4-tea-2]> Cr0nix: I've used the easy-rsa stuff, didn't have any problem.
08:09 < [4-tea-2]> Cr0nix: does it complain about a specific variable?
08:09 < Coke> [4-tea-2]: I didn't manage to get the route working, it has something to do with those extra magic addresses of .5 and .6
08:10 < Coke> [4-tea-2]: but I'll figure it out eventually and make sure that openvpn client behaves like a router for the net. if you could find a link to why this is discouraged I'd appreciate it much.
08:10 < [4-tea-2]> Cr0nix: I used build-key-server and build-key , build-key , etc.
08:10 < Cr0nix> jep
08:10 < Cr0nix> works now
08:10 < Cr0nix> i needed to source the vars file again
08:10 < Cr0nix> worked after that
08:10 < [4-tea-2]> Ah
08:12 < [4-tea-2]> Coke: where did you point the route for the remote lan?
08:12 < ecrist> good morning bitches!
08:12 < Coke> [4-tea-2]: on my client machine
08:12 < [4-tea-2]> ecrist: hello pimp!
08:12 < Coke> no, sorry, on a random other machine in the client side network
08:13 < Coke> I told it to use the client machine as gateway for 192.168.1.0, but it failed, then it turns out I can ping 192.168.1.6 directly from that machine
08:13 < [4-tea-2]> Coke: I mean where did you point it to... route -net 192.168.something.0 network 255.255.255.0 gw something? dev something?
08:14 < Coke> i.e, the client responds to 192.168.1.6 on the 192.168.0.11 interface. or something.
08:14 < Coke> [4-tea-2]: I routed all 192.168.1 through 192.168.0.11
08:14 < Coke> naturally, that was wrong, but it's getting late afternoon here now
08:15 < [4-tea-2]> Coke: there you go. 192.168.0.11 is not the VPN server address INSIDE the VPN connection.
08:15 < Coke> I'm getting ready to leave, so...
08:15 < Coke> [4-tea-2]: yeh, 192.168.1.6 would be correct
08:15 < [4-tea-2]> Well, let's try again tomorrow then. *snicker*
08:15 < Coke> I think. Hehe. Yes.
08:15 < [4-tea-2]> Coke: I don't think so.
08:16 < Coke> [4-tea-2]: yeh, I could ping the 192.168.1.6 address from the 192.168.0 network
08:16 < Coke> that is, my 192.168.0.11 seems to respond when I ping 192.168.1.6
08:16 < [4-tea-2]> Coke: I think 192.168.1.6 is a local address. You cannot tell your machine to use itself as a gateway, that doesn't make much sense. You need to tell it to use the OTHER side of the VPN tunnel as gateway.
08:16 < [4-tea-2]> ie. 192.168.1.1, correct?
08:16 < Coke> [4-tea-2]: i think you're misunderstanding what I did.
08:16 < [4-tea-2]> Probably.
08:16 < [4-tea-2]> Or you're misunderstanding how routing works. ;)
08:17 < Coke> the connection between server and client works fine, I can ping both, what I tried was to use the client machine as gateway from a third machine
08:17 < Coke> I'll figure it out tomorrow. Maybe. :)
08:17 < Coke> It shall be a glorious victory.
08:18 < Coke> How come none of the VPN services available use PROPER authentication?
08:18 < Coke> pptp isn't exactly uncrackable stuff
08:18 < [4-tea-2]> Too much coke makes my nose bleed.
08:19 < Coke> also, afaik they just do login/password
08:19 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection]
08:21 < Coke> "pptp easy to setup, lacks real specs and security." sounds exactly like Microsoft to me. :)
08:21 < Coke> Ok, thanks anyway, byesies!
08:21 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has quit ["Lost terminal"]
08:21 < ecrist> byesies? WTF?
08:22 * ecrist sets mode ##openvpn -gay
08:22 < tjz> LOL
08:22 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
08:35 < Bushmills> coke, what are the openvpn services? and what is proper authentication?
08:35 < Bushmills> oh. gone already
08:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:37 < [4-tea-2]> Just in time. My nose started bleeding.
08:38 -!- mnickels [n=mnickels@12.177.178.136] has joined ##openvpn
08:38 * Bushmills hands [4-tea-2] some platinum and a sledgehammer
08:43 -!- UtopiahGHML [n=libre@rps7452.ovh.net] has left ##openvpn []
08:45 < mnickels> I have openvpn up and running with the webmin module on my test box. All works great, I do have a problem with the CA residing on this same box. Anyone see a problem with moving the CA.*, serial.txt, and index.txt to a USB thumb drive and creating symlinks from the keys directory to point to the respective files on the USB drive ? That way you could only generate certs if the USB drive is connected.
08:47 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 08:50 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit] 08:53 < [4-tea-2]> mnickels: excellent idea, I think it needs to be writable to increase the content of "serial.txt", though. 08:55 < dazo> mnickels: that's a very good idea indeed! :) ... You only need CA keys when signing CSR's .... otherwise they should be unavailable. 08:56 < Cr0nix> hm 08:56 < Cr0nix> i run in another issue 08:56 < Cr0nix> xD 08:57 < Cr0nix> if i use push for dns servers 08:57 < Cr0nix> it works fine with the opendns dns server at 208.67.222.222 and 208.67.220.220 08:58 < Cr0nix> but it wont work if i use own dns servers located at our local area network 08:58 < Cr0nix> the dns servers are working without the vpn like a charm 08:58 < [4-tea-2]> Is the DNS server running on the OpenVPN server? 08:58 < Cr0nix> nop 08:58 < Cr0nix> its running at 172.19.86.11 and 172.19.68.12 08:59 < [4-tea-2]> Does the machine running the DNS server know how to reach the VPN client? 08:59 < [4-tea-2]> Have a look at your iptables statement again. 08:59 < Cr0nix> i think it tells the vpn server which then tells it to my client or not? 08:59 < [4-tea-2]> It sets up NAT only for eth1, which is the device your DSL router is connected to, correct? 08:59 < Cr0nix> no 09:00 < Cr0nix> eth1 is linked to our local area network 09:00 < Bushmills> Cr0nix, do DNS allow requests from VPN interface/ip address? 09:00 < Bushmills> (assuming you mean to request DNS through VPN) 09:00 < Cr0nix> with many machines in it 09:00 < Cr0nix> and the router 09:00 < [4-tea-2]> I see. 09:00 < Cr0nix> so we have no pppoe 09:00 < Cr0nix> just dynamic ip's on our internal network 09:01 < Cr0nix> and yes the dns is reachable and answers if i dig it from the vpn server 09:01 < [4-tea-2]> Well, the masquerading *should* take care of it. 
09:01 < [4-tea-2]> So tcp to the DNS server works, udp doesn't? 09:02 < Bushmills> "answers if i dig it" - that's an udp request 09:03 < [4-tea-2]> Oh, I thought that was tcp. Sorry. 09:03 < Bushmills> zone transfers are tcp. resolve requests are udp. 09:03 < Cr0nix> ok 09:03 < Cr0nix> changed dns back to our internaL 09:03 < Cr0nix> NSLOOKUP GOOGLE.DE WORKS 09:04 < Cr0nix> PING GOOGLE.DE WONT WORK 09:04 < Cr0nix> sry 4 caps 09:04 < [4-tea-2]> ...but now your shift key is broken. 09:04 < Cr0nix> ^^ 09:04 < mnickels> [4-tea-2], dazo, My real setup needs to be so easy a monkey can use it. Not sure how much easier it can get than webmin and a thumb drive. 09:04 < [4-tea-2]> mnickels: we didn't try to be ironic. It really is a good idea. Go ahead! 09:05 < Bushmills> Cr0nix, try mtr or traceroute 09:06 < [4-tea-2]> Cr0nix: on unices, the difference between ping and nslookup would be that ping uses the local rules for name resolution (e.g. including entries in /etc/hosts), while nslookup always asks a name server. 09:06 < [4-tea-2]> Cr0nix: no idea where your problem is coming from, though. 09:07 < mnickels> [4-tea-2], I use USB drives a often a possible to for this but was not sure if openssl would have a problem with it. I'll give it a test run and see how it goes. 09:07 < Cr0nix> traceroute works 09:07 < Cr0nix> slow like hell but till now it works 09:07 < ecrist> why would openssl have a problem with usb drives? 09:07 < Bushmills> can be a problem with reverse dns. ping may take much longer if rdns doesn't work 09:07 < Cr0nix> hmm 09:08 < Cr0nix> how to check that? 09:08 < Cr0nix> ok IT IS 09:08 < Cr0nix> from hop 7 in tracerout i dont get any hostnames anymore 09:08 < Cr0nix> exept the last hop 09:08 < Cr0nix> from google 09:08 < Cr0nix> that one has an hostname again 09:08 < [4-tea-2]> Cr0nix: that's "normal" 09:09 < Cr0nix> hmk 09:09 < Cr0nix> hm 09:09 < Cr0nix> seems to be rdns 09:09 < Cr0nix> it pings but takes ages to start pinging 09:10 < [4-tea-2]> Huh. 
I don't see where/how an ICMP reply would try a lookup? 09:10 < Cr0nix> sure 09:10 < Cr0nix> if u ping google.de 09:10 < Cr0nix> it must lookitup first 09:10 < [4-tea-2]> Sure. But google.de doesn't need to resolv MY IP to respond. 09:11 < Cr0nix> hmm 09:11 < Cr0nix> but it takes ages 09:11 < Cr0nix> xD 09:11 < Cr0nix> so 09:11 < Cr0nix> what the hell is going on here xDF 09:11 < [4-tea-2]> And your data packages should appear to have the sender address from your VPN server. If that can talk to your DNS server just fine, so should your client. 09:11 < Bushmills> [4-tea-2], where ping looks up hostname from ip address 09:12 < [4-tea-2]> Bushmills, ah, I see. 09:12 < [4-tea-2]> "ping -n" should help then. 09:13 < Cr0nix> hm 09:13 < Cr0nix> is there a easy method to log all requested sites on the vpn server? 09:14 < Bushmills> increase dns log level. but that's not in vpn config, but in dns config 09:14 < Cr0nix> if i as a vpn client request http://google.com the server should write it in a logfile for my user account 09:14 < vpnHelper> Title: Google (at google.com) 09:15 < Bushmills> asking that from openvpn is akin to asking that from a wire :D 09:15 < Cr0nix> hm 09:15 < Cr0nix> xD 09:15 < Cr0nix> kk 09:15 < Cr0nix> than not possible for me 09:16 < Cr0nix> but thats ok 09:16 < [4-tea-2]> Cr0nix: tcpdump is your friend. 09:16 < Bushmills> running a recursive DNS is not a big deal 09:16 < Cr0nix> i know 09:16 < Cr0nix> 1 have 2 own fully operating dns servers 09:16 < Cr0nix> so im into bind way more than in openvpn 09:16 < Cr0nix> xD 09:16 < [4-tea-2]> Cr0nix: no KiPo-DNS-Sperre for you, huh? ;) 09:16 < Cr0nix> nope 09:17 < Cr0nix> xD 09:17 < [4-tea-2]> same here. 
:D 09:17 < Bushmills> then you know what to change in config to log dns requests 09:17 < Cr0nix> and fully ipv6 capable dns servers for my domain 09:17 < Cr0nix> as glue in the biz tld dns servers 09:17 < Cr0nix> xD 09:17 < Cr0nix> Bushmills: shure 09:17 < Cr0nix> but i cant use them 09:17 < Cr0nix> xD 09:17 < Bushmills> why not? 09:17 < Cr0nix> i have to use company internal dns servers 09:18 < Cr0nix> and i dont have access to them 09:18 < Bushmills> i thought that's what the use of openvpn was about :D 09:18 < Cr0nix> or i have to create my own dns entrys for the companys intranet 09:18 < Cr0nix> hm 09:18 < Cr0nix> atm its more like a BIG security thing behind our inofficial trainee wifi network 09:19 < [4-tea-2]> I don't like that idea. Better figure out why they are slow to respond. 09:19 < Bushmills> i run recursive+authoritative DNS on the VPN server, and let the local DNS use those, over VPN, as upstream DNS 09:20 < Cr0nix> i have 3 servers in the interwebs 09:20 < Cr0nix> running dns, httpd, ircd and other stuff 09:20 < Bushmills> (my previous provider, BT, was logging and selling where customers connected to) 09:20 < Cr0nix> lol 09:20 < Cr0nix> hmm 09:20 < Cr0nix> so 09:20 < Cr0nix> lemme guess 09:20 < Cr0nix> [4-tea-2]: ur from germany 09:20 < Cr0nix> and 09:21 < Cr0nix> Bushmills: your from GB 09:21 < Cr0nix> xD 09:21 < Bushmills> Cr0nix, no. i lived in Ireland when i had BT as provider 09:21 < Cr0nix> damn 09:21 < Cr0nix> xD 09:21 < Cr0nix> so close 09:21 < Bushmills> but I'm same country as [4-tea-2] 09:21 < Cr0nix> hm 09:21 < Cr0nix> both germany? 09:22 < Cr0nix> or why can u speak german [4-tea-2] 09:22 < [4-tea-2]> I'm in Germany, yes. 09:22 < Bushmills> [4-tea-2], what part? 
09:23 < [4-tea-2]> Ruhrgebiet 09:23 < Cr0nix> <- karlsruhe 09:23 < Bushmills> between 09:23 < [4-tea-2]> Xlink FTW 09:23 < Cr0nix> xD 09:24 < Cr0nix> naja 09:24 < Cr0nix> im only using the vpn because out wifi router dont understant wpa2 09:25 < Cr0nix> so i setted up the vpn to protect the network from our company from attacks 09:25 < [4-tea-2]> Cr0nix: Xlink was my ISP from 94 to 98 (I think). 09:25 < Cr0nix> hm 09:25 < Cr0nix> never heard about xlink 09:25 < Cr0nix> am atm @ alice 09:26 < [4-tea-2]> It was the first commercial ISP in Germany. 09:26 < Cr0nix> but working for an other big isp 09:26 < Cr0nix> ^^ 09:26 * [4-tea-2] too. ;) 09:26 < Cr0nix> ^^ 09:26 < Cr0nix> which? 09:26 < [4-tea-2]> frn 09:26 < Cr0nix> hm 09:26 < Cr0nix> frn? 09:26 < [4-tea-2]> "mobilcom debitel" 09:26 < Cr0nix> ahhh 09:26 < Cr0nix> *click* 09:26 < Cr0nix> xD 09:27 < Cr0nix> <- united internet 09:27 < Cr0nix> xD 09:27 < Cr0nix> azubi halt 09:27 < Cr0nix> ^^ 09:27 < [4-tea-2]> Ah, you must be my enemy then. :D 09:27 < Cr0nix> xD 09:27 < Cr0nix> *die debitel die* 09:27 < [4-tea-2]> arch nemesis, even. 09:28 < Cr0nix> ;D 09:28 < Cr0nix> but im so happy that i dont work for the morons ant our DSL dep. xD 09:28 < Cr0nix> <- server section 09:28 < Cr0nix> german datacenter etc 09:28 < Cr0nix> *centers 09:30 -!- mnickels [n=mnickels@12.177.178.136] has quit ["Leaving"] 09:32 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 09:33 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 09:37 < Cr0nix> hm 09:37 < Cr0nix> anyone here ever experimented with openvpn & etoken 09:37 < Cr0nix> ? 
09:38 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 09:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:40 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Read error: 54 (Connection reset by peer)] 09:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 09:43 -!- jre2 [n=jre@host217-40-219-201.in-addr.btopenworld.com] has joined ##openvpn 09:43 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit] 09:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection reset by peer] 10:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:00 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 10:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:13 -!- flokuehn [n=flokuehn@62.111.103.27] has joined ##openvpn 10:15 < tjz> what is etoken? 10:17 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)] 10:18 < Cr0nix> its a smartcard 10:18 < Cr0nix> builded as a usb stick 10:18 < Cr0nix> to store certificates etc on 10:19 < tjz> cool 10:19 < Cr0nix> openvpn works with etoken since 2.1 10:19 < tjz> hmm.. 10:19 < Cr0nix> but i dont know how i bring my certificates to the format that etoken uses 10:20 < Cr0nix> it needs a pfx, p12 or cer file 10:20 < Cr0nix> and i dont know how the fuck i can convert my crtand keyfiles to a cer, pfx or p12 certificate 10:20 < Cr0nix> thats my main problem atm 10:21 < Cr0nix> and a search for etoken on the openvpn page brings not even one result 10:22 < tjz> not many used etoken w/ openvpn 10:22 < tjz> :) 10:22 < Cr0nix> yeah 10:22 < Cr0nix> i need at least one person who can tell me how i could convert my certs 10:23 < tjz> maybe have the server generate cer,pfx directly? 10:25 < Cr0nix> hm 10:25 < Cr0nix> how? 
10:26 < Cr0nix> never used thos formats before 10:26 < Cr0nix> never even heared of them before 10:26 < tjz> same here 10:26 < Cr0nix> damn 10:27 < ecrist> Cr0nix: you're question is an OpenSSL question, not really an OpenVPN question 10:27 < dazo> Cr0nix: have you solved the conversion? 10:27 < dazo> that's also true 10:27 < Cr0nix> dazo: no 10:27 < Cr0nix> and ecrist hm ur right sry 10:28 < dazo> Cr0nix: to make p12 .... openssl pkcs12 -in -out cert.p12 .... and you can also add -CAfile to include CA cert in the same .p12 file as well 10:29 < Cr0nix> ah kewl 10:29 < dazo> Cr0nix: openssl pkcs12 -h ... usually gives you pretty good info on arguments 10:30 < Cr0nix> hm 10:30 < Cr0nix> i ssume i have to merge my .key and .crt to one pem file right? 10:55 < dazo> Cr0nix: yeah, that's right 10:57 -!- jre2 [n=jre@host217-40-219-201.in-addr.btopenworld.com] has left ##openvpn [] 10:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:57 < Cr0nix> kk 10:57 < Cr0nix> done so far 10:58 < Cr0nix> i got the p12 file and imported it to the token 10:59 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 11:00 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 11:14 -!- dazo [n=dazo@62.40.79.66] has quit [Remote closed the connection] 11:15 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 11:21 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:24 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 11:35 -!- penrod [n=pattonb@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn 11:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 11:46 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)] 11:46 < Cr0nix> hm 11:46 < Cr0nix> damn etoken 11:51 -!- dazo [n=dazo@nat/redhat/x-b40504dd271611ba] has joined ##openvpn 11:52 < Cr0nix> damn it 11:52 < Cr0nix> 
openvpn acesses the etoken and crashes after that 11:52 < Cr0nix> no error 11:54 -!- Blackshark [n=a@p579FAE0D.dip.t-dialin.net] has joined ##openvpn 11:54 < Cr0nix> it dosnt even crashes completely 11:54 < Cr0nix> it just hungs up after it loaded the certificate from the etoken stick 11:54 < Cr0nix> i have to kill it via task manager 11:56 < Blackshark> hi i have a problem with pushing a route to the client which should let him access other servers. but for some strange reason i can not ping any ip's in the vpn network after the route has been pushed. has anyone a clue on this one? 11:56 < Bushmills> !route 11:56 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:56 < ecrist> Blackshark: I'm guessing you've got conflicting IP address ranges 11:58 < Blackshark> server has "server 172.17.0.0 255.255.255.0" and the route is a static internet ip 11:58 < Cr0nix> i want my eToken 2 work ;( *cry* 12:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:07 < Blackshark> ecrist: is there something i should know when trying to route to a static internet ip? 12:08 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 12:16 < dazo> Cr0nix: try to start openvpn via strace or gdb .... 
you might then be able to figure out where it crashes 12:16 < Cr0nix> cant 12:16 < Cr0nix> the client is a windows shitbox 12:18 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 12:19 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 12:22 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 12:23 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 12:27 -!- albech [n=albech@119.42.76.62] has quit [Read error: 104 (Connection reset by peer)] 12:30 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 12:31 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 12:33 < Blackshark> ecrist: i think i know what the problem is. my vpn server is on a internet server with a static ip. but i also want to access this same server throu the secure network which is kind of a loop and the client doen't seem to like it 12:33 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 12:34 < ecrist> right 12:34 < ecrist> you need to provide an 'internal' IP securely or through DNS foo 12:37 < Blackshark> ecrist: can you give me a link or the command for the config? 12:37 -!- albech [n=albech@119.42.76.62] has joined ##openvpn 12:38 < Blackshark> ecrist: or do you mean a own ip just for the vpn to work 12:40 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 12:41 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn 12:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 12:44 -!- albech_ [n=albech@119.42.76.62] has quit [Read error: 54 (Connection reset by peer)] 12:49 -!- troy- is now known as troy 12:49 < Blackshark> !redirect 12:49 < vpnHelper> Blackshark: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
12:50 < Blackshark> !iporder 12:50 < vpnHelper> Blackshark: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 12:51 < Blackshark> !/30 12:51 < vpnHelper> Blackshark: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 12:57 -!- albech [n=albech@119.42.76.62] has quit [Connection timed out] 12:57 < [4-tea-2]> !topology 12:57 < vpnHelper> [4-tea-2]: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 12:57 < [4-tea-2]> Ah, nice. 
13:03 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn 13:07 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn 13:19 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)] 13:33 -!- Blackshark [n=a@p579FAE0D.dip.t-dialin.net] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"] 13:44 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 13:45 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has joined ##openvpn 14:09 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 104 (Connection reset by peer)] 14:14 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has joined ##openvpn 14:19 -!- fraktlap is now known as fraktlap_ 14:20 -!- fraktlap_ is now known as fraktlap 14:20 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has left ##openvpn [] 14:21 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has joined ##openvpn 14:27 -!- unix3 [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 14:28 -!- unix3 [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Client Quit] 14:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 14:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:34 < fraktlap> if openvpn can't connect, how do I know if the problem is on myh end or on the vpn providers end? 14:34 < fraktlap> Mine says TLS Error: TLS key negotiation failed to occur within 60 seconds 14:35 < fraktlap> and handshake failed 14:39 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn 14:39 < havoc> afternoon 14:57 -!- dli [n=dli@adsl-75-21-89-56.dsl.chcgil.sbcglobal.net] has joined ##openvpn 14:57 < dli> I'm running in server/client mode, how do I get fixed IP for clients? 15:00 < havoc> dli: two ways that I'm aware of.... 
15:00 < havoc> three actually 15:01 < havoc> hardcoded on the client, managed by DHCP server by MAC addr, and managed by ovpn server via address pool and client config dir 15:01 < havoc> I *think* those are the ways 15:05 < dli> havoc, don't run dhcpd server 15:05 < dli> havoc, so, I need address pool, and client config dir 15:08 < havoc> if you want to have the ovpn server manage things, yes 15:09 < havoc> then in each client config file you do the ifconfig-push I think 15:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Remote closed the connection] 15:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 15:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:43 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn 15:46 < ghoti> So ... if I have DeployStudio Server installed, do I even need the OSX Server System Image Utility? 15:46 < ghoti> Woops, wrong channel. :) 15:52 -!- gebura [n=nnnnnnnn@lescigales.org] has quit ["Terminated with extreme prejudice - dircproxy 1.2.0"] 15:53 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 15:53 -!- geb [n=geb@lescigales.org] has joined ##openvpn 15:57 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has quit [Success] 15:59 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 16:00 -!- unix3_ [n=unix3@190.10.68.228] has quit [Client Quit] 16:10 -!- frakt^lap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has joined ##openvpn 16:12 -!- js_ [n=js@193.0.253.161] has quit [Read error: 60 (Operation timed out)] 16:12 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 16:14 * plaerzen dances. 
16:18 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn 16:28 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)] 16:30 < havoc> so, openvpn[-gui] on win2k3 as a client, it connects to the ovpn server but the TAP iface can't seem to get an IP from DHCP, while other clients can 16:31 < havoc> I'm guessing the TAP adapter for the version of openvpn I installed is incompatible with win2k3 16:31 < havoc> any thoughts? 16:32 < havoc> I have tried both the stable and development versions of openvpn-gui 16:46 -!- c64zottel [n=hans@p5B17B263.dip0.t-ipconnect.de] has quit ["Leaving."] 16:49 < krzie> ive done it on win2k3 before 16:49 < krzie> check that the firewall isnt active for the tap device 16:56 < havoc> krzie: thanks, I'll check 16:59 < krzie> i cant garuntee anything, i never used bridge mode in windows, but i know the device works in 2k3 16:59 < havoc> I'm not bridging 16:59 < krzie> oh ok, you mentioned dhcp, i assumed you meant from a dhcp server on a bridge 17:00 < havoc> I'm trying to use this win2k3 server as just another VPN client for a remote routed network 17:00 < krzie> ahh cool 17:00 < havoc> yes, addresses are managed by the remote DHCP server 17:00 < havoc> this win2k3 machine is the only problem, a few dozen other working clients 17:00 < krzie> by the openvpn process on the openvpn server, right? 17:00 < havoc> mostly winxp 17:01 < havoc> huh? 17:01 < krzie> as opposed to dhcpd or a router giving dhcp 17:01 < havoc> no, things are managed by DHCP, not openvpnd 17:01 < krzie> umm, how so? 17:01 < krzie> dhcp is not something that flows over a routed tun 17:02 < havoc> TAP, not TUN 17:02 < krzie> so the clients have dev tap? 17:02 < havoc> and yes, over TAP it works fines, I've been using it for a couple years this way 17:02 < krzie> and without a bridge? 
17:02 < havoc> the linux clients are TAPs, and the windows clients are as well 17:02 < havoc> no bridge 17:03 < krzie> interesting 17:03 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:03 < krzie> mind if i see your configs? 17:04 < krzie> if for nothing else maybe i can learn something from them 17:04 < havoc> the ovpn configs are very basic, almost identical the the howto 17:04 < krzie> if i can. please strip comments from them 17:05 -!- frakt^lap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has quit [Read error: 60 (Operation timed out)] 17:05 < havoc> the trick I think is that the ovpn server is a multi-NIC linux box 17:06 < havoc> the DHCP server in this instance is an Windows DHCP server on one of the segments, and the linux box runs dhcp3-relay 17:12 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, havoc, isox, onats1, krzie, qknight, sirus, M06w, dazo, disco-, (+48 more, use /NETSPLIT to show all of them) 17:20 -!- Netsplit over, joins: epaphus, karlpinc, js_, krzie, geb, dli, havoc, krzee, nemysis, bandini (+48 more) 17:23 -!- geb [n=geb@lescigales.org] has quit [Remote closed the connection] 17:24 -!- geb [n=ngeb@lescigales.org] has joined ##openvpn 17:24 < krzie> hahaha i LOVE jager bombs! 17:24 < geb> hi/re 17:26 < Bushmills> why am i not surprised :D 17:26 < krzie> why do i get the fealing that you guys laugh at jager bombs in germany 17:26 < krzie> lol 17:26 < krzie> hey geb =] 17:28 < krzie> havok, well done config... you might wanna try verb 6 on the server / non-working client and see if the logs say anything interesting 17:28 < krzie> or post the logs and ill look 17:28 < havoc> I'm still poking about 17:28 < krzie> theres a couple things you could add for security too, if you're interested ill tell you what they are 17:28 < Bushmills> krzee, no we don't. 
in fact, that combination isn't seen too frequently 17:29 < Bushmills> krzee, you're more likely to see hard liquor from grain in your beer 17:29 < krzie> a jager bomb is a shot of jager dropped into a glass of red bull, then you drink it all very fast 17:30 < krzie> tastes very good, and is fun 17:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:31 < Bushmills> krzee, what's your date? 17:32 < krzie> my date? 17:32 < Bushmills> meaning, what day is it in your location 17:32 < krzie> its 4/20!!! 17:32 < Bushmills> yes! 17:32 < Bushmills> before you forget 17:32 < krzie> happy 420 bro! 17:32 < Bushmills> hehe 17:33 < krzie> ya i celebrated last night 17:33 < krzie> since ill be at work til after midnight 17:33 < krzie> thats so cool that everywhere in the world knows about that 17:33 < krzie> it comes from where im from 17:34 < Bushmills> i was just reminded of it from the chat in the #electronics channel :) 17:34 < krzie> im actually an op in #420 on efnet 17:36 < Bushmills> remarkable resemblance of 42 and 420 17:36 < krzie> oooo, the answer to life and everything 17:38 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has joined ##openvpn 17:39 < havoc> bah, getting "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine." 17:40 < havoc> yet it's the same setup as every other machine 17:40 < havoc> it's just this win2k3 box that's not working 17:40 < havoc> granted it's the only win2k3 client, but linux, winxp, winxp64, vista, and vista64 clients all work fine, all same configs 17:47 < havoc> oh crap 17:48 < havoc> fixed, stooopid oversight 17:48 < havoc> DHCP service was *disabled* on the client ;) 17:48 < krzie> nice, what was it? 
17:48 < krzie> ahhh there ya go 17:48 * havoc kicks the guy who set this up 17:49 < havoc> it's a web server in the DMZ 17:49 < havoc> we want to do backups of it from the LAN side 17:50 < krzie> yanno with tap if someone gets in they can do layer2 attacks on you over your vpn, right? 17:50 < havoc> yeah :| 17:50 < havoc> but there's no other way to do it 17:50 < havoc> this way they don't have full LAN access though 17:50 < havoc> all they can really do is fill up the space on the backup server to quota 17:51 < havoc> vpn/gw/router box controls everything else 17:51 < havoc> what this machine has access to is severely restricted 17:51 < krzie> cant they communicate via ARP? 17:51 < havoc> to what? 17:51 < havoc> they could try to dos the ovpn machine, but that's as far as they get 17:52 < krzie> to the server / machines on server's lan? 17:52 < krzie> via arp over layer2 tunnel... 17:52 < havoc> and since that box also firewalls the client in the dmz they'd knock themselves offline too 17:52 < krzie> not a dos 17:52 < krzie> they can arp poison 17:53 < havoc> eh 17:53 < havoc> I'm not that concerned :) 17:54 < krzie> cool 17:54 < krzie> do you want to hear the other stuff you can do to secure this vpn? 
17:54 < havoc> a little downtime is not that big a deal 17:54 < krzie> theres 2 things you arent taking advantage of 17:54 < havoc> and they can only do it when the VPN is active 17:54 < havoc> yeah, I bet I know what they are ;) 17:54 < krzie> btw arp poisoning is NOT a dos attack and does NOT cause downtime 17:54 < krzie> its the mrthod for sniffing across a switched network 17:55 < havoc> yeah, that would do them no good 17:55 < havoc> no good past the router anyway 17:55 < havoc> not the way I have shorewall setup anyway 17:56 < havoc> as it is I'm doing arp proxying for the dmz hosts 17:56 < havoc> this way they have the same IP config in or out of the dmz 17:57 < havoc> krzie: it's a crazy convoluted setup 17:57 < havoc> multiple locations, all essentially Windows shops/clients glued together by linux 17:58 < krzie> cool, just wanted to make you aware of the fact you are opening yourself up to layer2 attacks when you dont need to 17:58 < krzie> but its all upto you, your setup 17:58 < havoc> yeah, there are a few things I need to do yet, I know :( 17:58 < havoc> just lacking time 17:58 < havoc> :( 17:58 < krzie> as for the stuff you could use to strengthen your vpn, !hmac and !mitm to see them 17:59 < havoc> yeah, saw that in the howto 17:59 < krzie> hmac would add hmac sigs to every packet, mitm would prtect you against man in the middle attacks 17:59 < krzie> by typing !mitm and !hmac you will see exactly how to impliment them 17:59 < havoc> the current state of everything is outdated and deperately needs reworking :( 18:00 < krzie> i would go with a very similar setup, but using dev tun 18:00 < havoc> but I'm not gonna worry about it until after June, if I still have a job 18:00 < havoc> krzie: no TUN on windows clients, AFAIK? 
18:00 < krzie> negative
18:00 < krzie> dev tun will use the 'tap' interface
18:01 < havoc> ah
18:01 < krzie> it will use less overhead, be an easier setup, not need dhcp service, and no layer2 attacks
18:01 < krzie> of course if you use samba you'd need a WINS server
18:01 < havoc> I need DHCP
18:01 < krzie> whys that?
18:01 < havoc> most of the clients are AD members
18:02 < havoc> Active Directory
18:02 < krzie> oh i see
18:02 < krzie> cant AD work over layer3...?
18:02 < havoc> yes, as I said, *convoluted* :(
18:02 < krzie> or is it layer2 only?
18:03 < havoc> they need an IP on a subnet w/ routes to/from the DC's
18:03 < krzie> openvpn can hand out ips without DHCP doing it
18:03 < krzie> as long as that DHCP server knows not to hand out those ips it works fine
18:03 < havoc> right, but it's way easier to manage it from one place
18:03 < krzie> but hell, no huge reason to change it now if it works fine
18:03 < havoc> there are 6 subnets in dhcp
18:04 < krzie> it would still be managed from 1 place, the openvpn server
18:04 < havoc> on the windows dhcp server that is
18:04 < havoc> only one of which is the vpn zone/subnet
18:04 < krzie> but still, its not broke... i understand you not wanting to change it
18:04 < havoc> no, from the vpn server and from the AD DHCP server
18:05 < havoc> AD DNS would also not get updated if ovpn handled it, which breaks all the netbios stuff
18:06 < krzie> gotchya
18:06 < havoc> there's just many many factors involved :(
18:06 < krzie> wins on the AD machine wouldnt handle that? (while allowing samba to work)
18:07 < havoc> no samba
18:07 < krzie> but ya, it works now like i said, why go through all that effort if you dont need to
18:07 < havoc> that would be yet another thing to maintain
18:07 < havoc> I've got 3 routed and one bridged location(s) all interconnected
18:07 < havoc> and all routed/firewalled differently
18:08 < krzie> sounds like thats actually more complicated than it has to be
18:08 < havoc> e.g. my home/office network being small is just bridged, but MASQ'd to the other networks
18:08 < havoc> so I have full access to them, but they have no access to my internal LAN
18:09 < havoc> krzie: I think I know what you're thinking, and I assure you that a central site w/ the other sites as clients was tried
18:09 < havoc> but due to the limited bandwidth at each site users had to be allowed to connect directly to each site
18:10 < havoc> and I set the routing metrics so they could actually be connected to multiple sites at once, but best path would be taken
18:10 < krzie> ahh nice
18:10 < krzie> i gotchya =]
18:10 < havoc> one site was a 6mbps/512kbps ADSL line :(
18:11 < krzie> hah i wish i could get that here
18:11 < havoc> while 2 other sites are *now* 15/2 mbps
18:12 < krzie> ya that makes sense
18:12 < havoc> so yes, it's complicated, but no more than necessary to support the traffic my users dish out :(
18:12 < krzie> understood
18:13 < havoc> I showed you a sanitized client config for one site, there are actually more routes with metrics from 25-50
18:13 < havoc> and the hmac stuff is *kindof* there, but got broken, that line was commented out, and removed from what I showed you
18:14 < havoc> the main issue is that right now I alone *am* the IT Dept. :(
18:16 < krzie> the hmac stuff is very very simple, just a static key
18:16 < krzie> !hmac
18:17 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
18:17 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:18 < krzie> then for MITM, all you do is rebuild the server cert to be signed as a server
18:19 < krzie> and tell the clients to check for it (!mitm / !servercert for details)
18:26 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:28 < havoc> krzie: thanks for the help :)
18:29 -!- havoc [n=havoc@saturn.chaillet.net] has left ##openvpn ["bbl"]
18:50 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn
18:51 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)]
19:36 -!- geb [n=ngeb@lescigales.org] has quit [Remote closed the connection]
19:37 -!- geb [n=nngeb@lescigales.org] has joined ##openvpn
19:39 < geb> hi
19:39 < geb> i was trying to debug network-manager openvpn on debian
19:40 < krzie> !ubuntu
19:40 < vpnHelper> krzie: "ubuntu" is dont use network manager!
19:40 < krzie> ;]
19:40 < geb> after a lot of search (and a valuable help :) ) i find that openvpn didn't export the trusted_ip env var
19:41 < geb> and that explained the problem and the solution (setting it manually)
19:41 < krzie> setting it manually where?
19:43 < geb> http://pastebin.com/m73d454cd
19:43 < geb> with a dirty hack
19:44 < geb> now it works (i am connected from the vpn) but i wonder to know where to submit the bug report (if it is useful)
19:45 < geb> can anybody help me to see if it is a problem with debian packaging or openvpn ?
19:46 < krzie> sounds like a netmanager specific issue
19:47 < geb> sure ? man openvpn says that trusted_ip should be set (maybe it differ with the calling)
19:48 < krzie> what did it stop from working?
19:48 < krzie> and what version of openvpn do you have installed
19:50 < geb> debian testing 2.1~rc11-1
19:50 < krzie> and when starting the same tunnel without your hack, and without network manager, does it work?
19:50 < geb> yes it works
19:50 < krzie> also rc11 is no good, if gunna use 2.1 use rc15
19:50 < krzie> if it works without network manager but not WITH network manager, you know where the problem is
19:51 < krzie> it has many issues, which is why my bot tells you to not use it when i type !ubuntu
19:51 < geb> http://packages.debian.org/search?keywords=openvpn i don't have much choice :)
19:51 < vpnHelper> Title: Debian -- Package Search Results -- openvpn (at packages.debian.org)
19:51 < krzie> you're aware that openvpn will install fine from source...
19:52 < krzie> meaning you have as much choice as you choose to have
19:52 < geb> :)
19:53 < geb> it works without network-manager but network-manager uses trusted_ip for updating the routing table, that's why there is a problem
19:54 < krzie> if network-manager doesnt work but openvpn does, you found the problem
19:55 < geb> i am not sure i understand well, you think the problem is network-manager ?
19:55 < krzie> it is
19:56 < krzie> cause you see, openvpn doesnt come with a gui
19:56 < geb> but man openvpn says that openvpn should set the $trusted_ip env
19:56 < geb> and it doesn't
19:56 < krzie> so any gui that should work with openvpn needs to conform to how openvpn works
19:56 < krzie> it would SET the var, which could not be exported to a parent
19:57 < krzie> you can only export to children, not parents
19:57 < krzie> but no matter what, its network-managers fault
19:57 < geb> it is in a child
19:57 < krzie> as if they want to work as a gui wrapper for openvpn, they need to conform to openvpn
19:57 < krzie> they cant do something how they expect it to work, they need to do it how it DOES work
19:58 < krzie> openvpn doesnt start network manager
19:58 < krzie> network manager starts openvpn
19:58 < krzie> which means openvpn is a child of NETMAN, and not the other way around
19:58 < krzie> but that does not matter
19:58 < geb> network manager starts openvpn, which starts a network-manager process with --up
19:58 < krzie> heres all that matters:
19:59 < krzie> it works when you do it manually, not with network manager
19:59 < krzie> thats ALL that matters
19:59 < krzie> there is no argument to say its not network manager's fault
19:59 < krzie> also, try rc15 to see if that works
20:00 < krzie> because rc11 is known to have some issues (which is why its not the latest 2.1 release)
20:00 < geb> ok i will try
20:00 < geb> thanks :)
20:00 < krzie> but if it doesnt work, its netman's fault
20:01 < krzie> anything that doesnt work in netman but does from commandline is netman's fault
20:02 < geb> please note that i am not a netman developer just a user who found a problem and is trying to find where it comes from :)
20:02 < geb> but thanks for your help :)
20:04 < krzie> np =]
20:06 -!- geb [n=nngeb@lescigales.org] has quit [Remote closed the connection]
20:07 -!- geb [n=nnngeb@lescigales.org] has joined ##openvpn
20:14 < geb> krzie, http://pastebin.com/m3539ea6c
20:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:15 < geb> so ... i think it is more a bug related to debian packaging (if rc11 breaks $trusted_ip) than network-manager
20:16 < krzie> ok
20:16 < krzie> so it worked when you installed rc15 from source?
20:16 < krzie> thats the easy way to tell that...
20:17 < krzie> if netman works with rc15 from source, then its either debian packaging or the fact that they are still using rc11
20:17 < theDoc> Only 2.1gb transferred.
20:17 < theDoc> Hmm.
20:17 < krzie> if not, then its netman
20:17 < krzie> sup doc
20:17 < theDoc> 'sup krzee
20:17 < theDoc> Check out the b/w usage after a couple of us have been using the vpn server for a month or so.
20:18 < theDoc> Only 2.1gb, we're kind of light ;p
20:18 < theDoc> I have 3tb worth of transfers to blow
20:20 < krzie> werd
20:20 < krzie> =]
20:22 < geb> krzie, i didn't install it from sources (will test soon) , but did you see my link ? it seems that it is not network-manager related ( debian's openvpn rc11 doesn't export $trusted_ip)
20:23 < krzie> right, so its either a problem with debian packaging or with rc11
20:23 < krzie> you'll know for sure if it has anything to do with netman or not when you install from source to fix that problem
20:24 < geb> ok, should i compile it both on the client and the server or only the client ?
20:26 < krzie> are both using rc11?
20:26 < geb> yes
20:26 < krzie> you shouldnt be using rc11 anywhere
20:26 < geb> that's what debian provides
20:26 < krzie> if you choose to use dev branch, try to follow it, its accepted there may be some bugs
20:26 < krzie> thats debian's fault
20:27 < krzie> you can try to convince them to update, or do it yourself
20:27 < geb> i will submit a bug report, but just for testing should i update the server and the client or only the client ?
20:29 < krzie> no clue, i would update both
20:29 < geb> ok, thanks :)
20:45 -!- eliasp_ is now known as eliasp
20:46 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
21:31 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."]
22:19 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
22:19 -!- floyd_n_milan [n=quassel@203.129.237.147] has joined ##openvpn
22:25 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
22:26 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn
22:30 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
22:30 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [Remote closed the connection]
23:24 -!- Alagar [n=helpdesk@dont.rootkit.me] has joined ##openvpn
--- Day changed Tue Apr 21 2009
00:10 -!- albech_ [n=albech@119.42.76.62] has quit [Read error: 110 (Connection timed out)]
01:07 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn
01:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:40 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)]
02:44 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has joined ##openvpn
02:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:19 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has left ##openvpn []
03:56 < ThoMe> good morning!
03:56 < ThoMe> :-)
03:56 < ThoMe> knock knock wake up leo! :-)
04:00 < krzee> morning
04:01 < ThoMe> krzee: hello
04:01 < ThoMe> krzee: do you understand German?
04:03 < krzee> just english
04:03 < ThoMe> krzee: I would like to tell my openvpn server (193.108.19.245) to push
04:03 < ThoMe> the net 193.108.19.0
04:03 < ThoMe> like: push "route 193.108.19.0 255.255.255.0 10.55.0.1"
04:03 < ThoMe> is this correct?
04:03 < krzee> !push
04:03 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
04:03 < ThoMe> krzee: push "route 193.108.19.0 255.255.255.0 10.55.0.1"
04:04 < krzee> who is 10.55.0.1?
04:04 < ThoMe> but when i try this then i have no connect anymore :-(
04:04 < ThoMe> 10.55.0.1 is the openvpn server /(internal)\
04:04 < krzee> then remove that
04:04 < ThoMe> what?
04:04 < krzee> just push "route 193.108.19.0 255.255.255.0"
04:04 < ThoMe> ah ok
04:04 < krzee> so 193.108.19.0 is a network behind the server?
04:05 < ThoMe> Solver: hm, when i try this, without 10.55.0.1 then
04:06 < ThoMe> eem. krzee
04:06 < ThoMe> Tue Apr 21 11:06:27 2009 us=765000 Bad LZO decompression header byte: 0
04:06 < ThoMe> hmm.
04:07 < ThoMe> krzee: my openvpn server has: eth0 = 193.108.19.245
04:08 < ThoMe> krzee: hm :-(
04:17 < ThoMe> krzee: huhu?
04:22 < krzee> !configs
04:22 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:23 < ThoMe> grrr
04:34 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:37 < krzee> !configs
04:37 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:38 < krzee> no need to message me logs
04:38 < krzee> my bot will tell you what i need
05:02 < krzee> ThoMe, you gunna post your configs...?
05:10 < geb> krzie, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524979
05:10 < vpnHelper> Title: #524979 - openvpn dont set $trusted_ip when launching a child with --up - Debian Bug report logs (at bugs.debian.org)
05:13 < krzee> so netman worked right when ovpn was installed from source?
05:16 -!- troy is now known as troy-
05:16 < geb> i chose to report before completing the test as suggested by a debian developer
05:18 < krzee> weird suggestion but cool
05:42 -!- geb [n=nnngeb@lescigales.org] has quit [Remote closed the connection]
05:43 -!- geb [n=nnnngeb@lescigales.org] has joined ##openvpn
06:00 < ThoMe> krzee: whoa, one moment.
06:03 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn
06:03 < Coke> Hi guys. I have my openvpn server and client connected to each other, is there some magic to making them behave like routers or is it simply a matter of setting up the correct NAT through iptables?
06:04 -!- Lilarcor_ [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn
06:04 -!- Lilarcor_ [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Remote closed the connection]
06:05 < Coke> oh wait, it's a simple forward
06:08 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has left ##openvpn []
06:22 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:37 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
06:58 -!- geb is now known as gebura
06:59 < krzee> !ipp
06:59 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
07:00 < krzee> !sample
07:00 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
07:01 < ecrist> heya mother fucking bitch-ass two-timing cum guzzling gutter sluts.
07:01 < krzee> sup eric
07:02 < ecrist> how goes today, krzee?
07:02 < krzee> its still last night ;]
07:03 < ecrist> ahh.
07:03 < ecrist> I'm getting ready to do some trail riding this weekend.
07:03 < ecrist> only a 4-day work-week this week. :)
07:03 < ecrist> preparing to roll ldap out to our last two systems here.
07:04 < ecrist> writing a staff front-end for client account management
07:04 < ecrist> mostly done, but man, what a pita
07:05 < krzee> right on =]
07:07 < ecrist> I have too much to do.
07:07 < ecrist> I still haven't rolled any services over to my new(ish) 1850
07:07 < ecrist> nor have I finished developing the blackberry theme site.
07:07 < ecrist> even though people are *still* wanting more themes posted there.
07:08 < ecrist> oh well. I'm going to look at some porn.
07:09 < ecrist> hey, did you and Dougy get the phpbb stuff figured out? I found your post and locked/stickied it.
07:09 < krzee> ahh werd
07:09 < krzee> howd you do it!?
07:10 < ecrist> I just clicked on moderator control panel and set the options.
07:10 < ecrist> don't you have mod access?
07:12 < krzee> i have admin control panel
07:12 < krzee> no mod control panel
07:12 < krzee> that must be why
07:12 < ecrist> ok, log in/out
07:13 -!- simplechat [n=betabot@li20-55.members.linode.com] has left ##openvpn ["Leaving"]
07:18 -!- thnee [n=thnee@thnee.se] has joined ##openvpn
07:18 < thnee> !howto
07:18 < vpnHelper> thnee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:18 < thnee> 0!redirect
07:18 < thnee> !redirect
07:18 < vpnHelper> thnee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:18 < thnee> !logs
07:18 < vpnHelper> thnee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
07:18 < thnee> !configs
07:18 < vpnHelper> thnee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:19 < thnee> !interface
07:19 < vpnHelper> thnee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
07:21 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:21 < thnee> i am connecting to a server using '# openvpn config.ovpn', and i get the tun0, and right IP and everything, and it works. but my DNS-settings are not updated. the server does push DNS, and another OSX client does get the correct dns-settings.
07:23 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit [Client Quit]
07:23 < thnee> so how do i explore this problem further? it kinda sucks to do networking with DNS
07:23 < thnee> without DNS..
07:23 < ecrist> logs
07:23 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:23 < ecrist> post logs from server and client
07:24 < krzee> the client is osx/?
07:24 < krzee> (that doesnt get the dns settings)
07:24 < thnee> my client is openvpn on linux, that doesnt get the dns settings. the other (OSX) client, does get them
07:24 < krzee> you need a script to update resolv.conf
07:25 < thnee> ok
07:25 < thnee> so openvpn isnt supposed to do this at all? (there isnt really a problem?)
07:26 < krzee> thats my understanding of it
07:26 < thnee> that sucks
07:26 < thnee> and i am supposed to just fix this script myself?
07:26 < krzee> windows a reg setting must be changed to allow it, unix needs a script to update resolv.conf
07:26 < thnee> or is there some package maybe?
07:26 < krzee> i believe a script comes with the source
07:26 < krzee> !pushdns
07:26 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
07:27 < krzee> its mentioned in that thread
07:27 < ecrist> WHAT!?! I have to do something for myself?
07:27 < thnee> ecrist: calm down, it's not that big of a deal
07:27 < tjz> lol
07:28 < krzee> thnee, did you read up on what you were doing...?
07:28 < krzee> -dhcp-option type [parm]
07:28 < krzee> Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic or --ip-win32 adaptive. This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN.
07:28 < krzee> its for win32
07:29 < krzee> but a script can make a unix client use it too
07:29 < krzee> Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}".
07:37 < thnee> well this /etc/openvpn/resolv.conf doesnt do much.. it exits immediately, and nothing is changed
07:37 < thnee> sorry /etc/openvpn/update-resolv-conf
07:39 < thnee> i am simply running it, after connecting to the vpn
07:40 < thnee> doesnt matter if i run it with up or down as argument
07:41 < krzee> lol
07:41 < krzee> no kidding
07:41 < thnee> okay
07:41 < krzee> when it gets called via up variables are passed to it
07:42 < krzee> when you call it it has no clue what you want
07:42 < thnee> it should say that..
07:42 < thnee> anyway
07:42 < thnee> maybe i should just add it to my openvpn.conf instead of trying to run it by myself
07:42 < thnee> i was just interested in how it works
07:43 < krzee> read it to see how it works
07:43 < krzee> if you read the manual it doesnt need to say that
07:44 < krzee> because thats how all scripts work with openvpn
07:46 < thnee> ok so i added the up/down to /etc/openvpn/openvpn.conf (which didnt exist), and it does nothing. i am guessing openvpn has some other config file..
07:47 < thnee> or maybe i should add it to my .ovpn file, but thats not what the script says
07:47 < krzee> the only config files it has is what you tell it
07:47 < thnee> can i put it there?
07:47 < krzee> add it to whatever config file you run in openvpn
07:57 < thnee> ok the synopsis for running openvpn is a little odd
07:58 < thnee> apparently i can run $ openvpn somefile.ovpn, but this doesnt really say in the manual
07:59 < thnee> it does however mention --config
07:59 < krzee> --config file
07:59 < krzee> Load additional config options from file where each line corresponds to one command line option, but with the leading '--' removed.
07:59 < krzee> If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file
08:00 < krzee> its not said in the manual you say?
08:00 < thnee> oh
08:00 < thnee> so it's the same
08:01 < thnee> ok then i did it right, cause i added the up/down stuff to my .ovpn file, but it still doesnt change my resolv conf
08:02 < krzee> look in logs
08:03 < thnee> yes they tell me this openvpn_execve: external program may not be called due to setting of --script-security level
08:03 < ecrist> thnee: have you read any of the documentation?
08:03 < thnee> ecrist: yes
08:05 < krzee> !linipforward
08:05 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
08:05 < krzee> !linnat
08:05 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:09 < [4-tea-2]> thnee: script-security 2
08:09 < [4-tea-2]> thnee: this has been a recent change, I don't think it's in the man page.
08:09 < krzee> it is
08:09 < [4-tea-2]> It wasn't when I last checked.
08:09 < thnee> yeah i just read about it at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494998
08:09 < vpnHelper> Title: #494998 - tunnels that use update-resolvconf do not start after upgrade anymore - Debian Bug report logs (at bugs.debian.org)
08:09 < krzee> --script-security level [method]
08:09 < krzee> This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:
08:09 < krzee> 0 -- Strictly no calling of external programs.
08:09 < krzee> 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
08:09 < krzee> 2 -- Allow calling of built-in executables and user-defined scripts.
08:09 < krzee> 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
08:09 < thnee> tunnel works, DNS works
08:10 < krzee> The --script-security option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility with previous OpenVPN versions, use: --script-security 3 system
08:10 < thnee> thanks for the help krzee
08:10 < krzee> np
08:10 < [4-tea-2]> http://openvpn.net/man.html <-- not there
08:10 < vpnHelper> Title: OpenVPN 2.0.x Man Page (at openvpn.net)
08:10 < krzee> right, it was introduced in 2.1rc9
08:10 < ecrist> [4-tea-2]: it's not a feature in 2.0.9
08:10 < krzee> shouldnt belong in 2.0 man page
08:10 < [4-tea-2]> That's what I meant to say before.
08:11 < ecrist> but, it *is* in the man page
08:11 < [4-tea-2]> I should've said "this has been a recent change, I don't think it's in the 2.0.9 man page."
08:11 < [4-tea-2]> Well, the man page on openvpn.net is my main reference, tbh.
08:11 < ecrist> there are two man pages
08:11 < ecrist> one for 2.0.x and one for 2.1.x
08:12 < ecrist> which is on openvpn.net
08:12 < [4-tea-2]> Hmmmm. Indeed. I would bet that a few weeks ago, there was 1.x and 2.0.x, but perhaps I got confused by the versioned HOWTOs.
08:13 < ecrist> there has been a 2.1.x man page for well over a year, at least.
08:13 < [4-tea-2]> Then I got confused.
08:14 < [4-tea-2]> ./nick Smoketoomuch
08:14 < thnee> lol
08:15 < krzee> !man
08:15 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:16 < [4-tea-2]> Can you add "(#4) picking the correct man page is advisable"? ;)
08:16 < krzee> seems useless to me
08:17 < [4-tea-2]> I see, all business. ;)
08:17 < [4-tea-2]> Just trying to make fun of my stupidity. It's the only way I can handle it. ;)
08:18 < krzee> hehehe
08:37 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has quit [Success]
08:59 < ThoMe> krzee: huhu?
08:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:03 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
09:03 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Nick collision from services.]
09:03 -!- theDoc- is now known as theDoc
09:10 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
09:24 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
09:43 < ecrist> what is huhu?
09:46 < [4-tea-2]> huhu is "hello" in german
09:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:47 -!- dli [n=dli@adsl-75-21-89-56.dsl.chcgil.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
09:51 -!- onats1 [n=15172@221.121.120.254] has quit [Read error: 113 (No route to host)]
09:52 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
09:52 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Read error: 60 (Operation timed out)]
09:54 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn
10:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
10:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 -!- tjz [n=tjz@bb220-255-39-133.singnet.com.sg] has joined ##openvpn
10:29 < funky> which method do you recommend me to use for auth against ldap/AD ?
10:39 < ecrist> there is a script out there for such.
10:39 < ecrist> dazo has a program which claims to assist with the ephria or something
10:39 < ecrist> !ephria
10:39 < vpnHelper> ecrist: Error: "ephria" is not a valid command.
10:40 < ecrist> http://www.eurephia.net/
10:40 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:40 < ecrist> !learn ldap as http://www.eurephia.net/
10:40 < vpnHelper> ecrist: Joo got it.
10:40 < dazo> funky: I have written an authentication module .... eurephia ... but it does not do AD nor LDAP yet
10:41 < ecrist> !forget ldap
10:41 < vpnHelper> ecrist: Joo got it.
10:41 < dazo> :)
10:41 < ecrist> !learn eurephia as http://www.eurephia.net/
10:41 < vpnHelper> ecrist: Joo got it.
10:52 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
11:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:15 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has quit [Connection timed out]
11:16 -!- nemysis [n=nemysis@214-42.106-92.cust.bluewin.ch] has joined ##openvpn
11:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:22 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
11:22 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn
11:23 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
11:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
11:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:34 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has joined ##openvpn
11:42 -!- albech [n=albech@119.42.76.62] has quit [Success]
11:55 < funky> sorry, I was working
11:56 < funky> http://code.google.com/p/openvpn-auth-ldap/ <- I'm trying this
11:56 < vpnHelper> Title: openvpn-auth-ldap - Google Code (at code.google.com)
11:56 < funky> but I still haven't been able to make it work
11:56 < funky> has any of you tried this method before?
12:32 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
12:32 < Improv> Hi all - is it hard to connect 2 layer2 OpenVPNs to each other?
12:33 < Improv> Or is it as simple as having the 2 servers mutually accepting each other as clients?
12:34 -!- albech_ [n=albech@119.42.76.62] has quit [Read error: 104 (Connection reset by peer)]
12:35 < krzee> Improv, do you need layer2 between the layer2 servers?
12:36 < krzee> actually, i guess that dont matter...
12:36 < krzee> just start a client on 1 server that connects to the other 12:37 < Improv> krzee: The servers don't intent to participate in the layer2 networks at all 12:37 < krzee> but if they give out ips in the same subnet there could be conflicts if you arent careful about who hands out what addresses 12:37 < krzee> ok, but you do in fact need layer2 vpn, right...? 12:37 < Improv> krzee: Ahh, ok, that shouldn't be a problem - I'll be statically assigning IPs 12:37 < Improv> krzee: Yes. I am integrating OpenVPN into network testbed software. 12:37 < krzee> gotchya 12:38 < Improv> krzee: .... and I'd configure that client to bridge its OpenVPN over the interface of the other OpenVPN... 12:38 < Improv> Is that right? 12:38 < krzee> is there a reason you need 2 servers? 12:38 < krzee> much easier to just have 1 12:39 < Improv> krzee: imagine 2 networks with 1 exposed system each, and then a bunch of systems with no public IPs 12:39 < krzee> i see no problem... 12:39 -!- Alagar [n=helpdesk@dont.rootkit.me] has left ##openvpn [] 12:39 < Improv> krzee: the nonexposed systems don't even have NAT 12:39 < krzee> hell you could do that with 1 server in routed OR bridged 12:39 < krzee> they can communicate with the openvpn machine on their lan, right? 
12:39 < Improv> krzee: Yes
12:40 < krzee> ya, np
12:40 < Improv> but they need layer-2 connectivity to nonexposed systems in the other network
12:40 < Improv> and vice versa
12:40 < krzee> still np
12:40 -!- troy- is now known as troy
12:40 < krzee> think of it like this
12:40 < krzee> the tap interface is a virtual interface hooked into a virtual switch with many systems on it
12:40 < Improv> krzee: I don't see how I can avoid needing 2 openvpn instances, one on each of the 2 exposed systems
12:41 < krzee> (not really, but can think of it that way)
12:41 < Improv> and then all nodes as clients
12:41 < krzee> no way
12:41 < krzee> they can ARP to the openvpn node on their network
12:41 < krzee> after the bridge they can ARP through to all machines on the other side
12:41 < krzee> thats what a bridge is
12:41 < krzee> yes you need 2 instances
12:41 < Improv> I need isolation
12:41 < krzee> 1 client 1 server
12:42 < Improv> These packets can't go out over the normal channel.
12:42 < Improv> They *must* have a separate per-experiment IP that's user-defined.
12:42 < krzee> all nodes will communicate through the bridge to each other
12:42 < Improv> and it must be separate from the normal network traffic
12:42 < krzee> IP doesnt matter, thats layer3
12:42 < krzee> layer2 bridge, they will all communicate using ethernet packets
12:42 < krzee> as if they were on the same switch
12:43 < Improv> hmm
12:43 < krzee> because you built a bridge between the 2 networks
12:43 < krzee> think of it as if it were 2 lans with a bridge connecting
12:43 < krzee> all in 1 location
12:43 < Improv> right
12:43 < krzee> its the same thing, only with a fancy vpn instead of a lil lan bridge
12:43 < Improv> I am not convinced that this gives me the depth of isolation I need.
12:43 < krzee> the what stays the same, only the how changes
12:44 < krzee> i have no clue what you mean by isolation
12:44 < krzee> if you bridge, this is what you get
12:44 < krzee> if you dont want that, you want routed
12:44 < krzee> i suggest to * to go routed, but you seem to need layer2 for custom software that must operate on layer2
12:44 < Improv> krzee: I think I need each node to talk openvpn to the exposed node too, in order to completely encapsulate the experimental network
12:45 < krzee> THATS HOW IT WORKS!
12:45 < krzee> arps will go over the vpn to the other side
12:45 < krzee> through their local node
12:45 < krzee> err their local vpn endpoint
12:45 < Improv> krzee: I think I could explain, but it would involve talking a lot more about our architecture than you'd care to know.
12:46 < krzee> welp, thats how a bridge works
12:46 < Improv> krzee: I am not trying to make layer2 bridges between existing networks that are being used "raw", I am trying to more "create" new layer2 networks
12:47 < krzee> then you must make real separate lans
12:47 < Improv> Our network testbed software creates arbitrary network topologies for experiments..
12:47 < Improv> and I am integrating OpenVPN into it
12:48 < krzee> ya i dont fully understand, but i think i made myself clear as to what i believe a bridge will give you
12:48 < Improv> Right. I don't think a simple bridge does all I want.
12:48 < krzee> whether thats what you want or not i cant say
12:48 < krzee> you can also pass layer2 without bridging
12:48 < krzee> by using dev tap but no bridge
12:49 < krzee> i cant elaborate on how or why that could help you, but i think you wanna play with it
12:49 < Improv> I'll look into that
12:49 < krzee> and if youd like to make a real detailed post the mail list might be a good place for this one
12:49 < krzee> !mail
12:49 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
12:50 < Improv> I'll send something to the users list as a sanity check, thanks.
12:51 < krzee> np
12:52 < Improv> err... if I can figure out how news.gmane.org works :)
12:53 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn
12:55 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
12:56 < krzee> to signup you want first link
12:56 < krzee> thats just the archive at gmane
13:52 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
13:56 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has quit ["Leaving."]
14:29 < ecrist> You are the ones that are the ball lickers...
14:31 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 -!- gebura [n=nnnngeb@lescigales.org] has quit [Remote closed the connection]
14:48 -!- gebura [n=nnnnngeb@lescigales.org] has joined ##openvpn
14:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:54 < ecrist> ping krzee, got some freeswitch questions for you at some point.
14:59 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:35 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
15:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:06 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"]
16:18 < krzie> did you win the nigerian lottery!?
16:32 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 60 (Operation timed out)]
17:02 < [4-tea-2]> Can I bind OpenVPN to two IP addresses without starting it twice?
17:02 < krzie> no, but you can let it bind to all addresses
17:03 < [4-tea-2]> Hmmm.
17:04 -!- gebura [n=nnnnngeb@lescigales.org] has quit [Read error: 60 (Operation timed out)]
17:04 < [4-tea-2]> I set up an alias interface on my VPN server, eth0:vpnhelper. When I try to connect to that IP, I seem to get responses from the main interface (eth0) instead.
17:04 -!- gebura [n=nnnnnnge@lescigales.org] has joined ##openvpn
17:05 < krzie> !factoids search alias
17:05 < vpnHelper> krzie: No keys matched that query.
17:05 < krzie> hrmmmz, i seen someone fix that before
17:05 < krzie> !factoids search ip
17:05 < vpnHelper> krzie: 'tls-cipher', 'iporder', 'winipforward', '2.1-winpass-script', 'chooseip', 'iptables', 'linipforward', 'ipv6', 'ipp', 'ipforward', and 'fbsdipforward'
17:05 < krzie> !chooseip
17:05 < vpnHelper> krzie: "chooseip" is OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). 2 -- Use --client-config-dir file for static IP (next choice). 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice).
17:05 < krzie> thats not it (happens to be the same as iporder)
17:05 < krzie> !iporder
17:06 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
17:06 < krzie> !forget chooseip
17:06 < vpnHelper> krzie: Joo got it.
17:06 < [4-tea-2]> I figured I could just let OpenVPN bind to the ip of eth0:vpnhelper to make sure it wouldn't send from the "wrong" address.
17:06 < krzie> !factoids search int
17:06 < vpnHelper> krzie: 'wintaphide', 'lintrafaccnt', and 'interface'
17:08 < [4-tea-2]> Well, I guess I will have to fix it with iptables instead.
17:09 < krzie> 1sec, theres an openvpn option for it
17:11 < [4-tea-2]> There's --float, but that doesn't help me.
17:11 < krzie> ya thats not it
17:15 < [4-tea-2]> Can't find anything in the man page... and this time I actually looked in the right one (2.1) *g
17:20 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)]
17:21 < krzie> hrm i cant find it either
17:21 < krzie> i also havnt slept
17:25 < [4-tea-2]> I'm trying the iptables SNAT approach, I can always fix it later.
17:31 -!- gebura [n=nnnnnnge@lescigales.org] has quit [Remote closed the connection]
17:31 < krzie> !factoids search win
17:31 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', and 'win7'
17:31 < krzie> !winipforward
17:31 < vpnHelper> krzie: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
17:32 -!- gebura [n=nnnnnnng@lescigales.org] has joined ##openvpn
17:32 -!- Gnewt [n=vector@207.115.69.54] has joined ##openvpn
17:32 < Gnewt> !howto
17:32 < vpnHelper> Gnewt: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:32 < Gnewt> !route
17:32 < vpnHelper> Gnewt: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:33 < Gnewt> Hmm
17:33 < Gnewt> If I'm VPNed into my server at home and I want to access 192.168.1.1 on my home network, how do I do that?
17:34 < krzie> is your home network behind the server or client?
17:34 < Gnewt> my server is on the home network
17:34 < krzie> !learn winnat as http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
17:34 < vpnHelper> krzie: Joo got it.
17:35 < krzie> do any clients also sit on a 192.168.1.x lan?
17:35 < Gnewt> No my clients are outside of the LAN, usually from my school
17:35 < Gnewt> it's only one client... my laptop on a public network away from home
17:35 < krzie> right, but none of them are on a lan which also has 192.168.1.x, right?
17:36 < krzie> ok, so it is NEVER on 192.168.1.x, right?
17:36 < krzie> cause when it is, this will break stuff
17:36 < krzie> which is why i recommend changing your home lan subnet
17:36 < krzie> to something you never see while out in the wild
17:36 < Gnewt> Ahh yeah I should probably do that
17:36 < Gnewt> because other networks also have stuff on 192.168.1.x
17:36 < krzie> but basically youd just: push "route 192.168.1.0 255.255.255.0"
17:37 < krzie> yes, thats a good idea
17:37 < krzie> make it something rare
17:37 < Gnewt> What can I change it to? Something in the 192.168 or something way far away from that?
17:37 < krzie> !1918
17:37 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
17:37 < krzie> any of those which you think you'll never see out and about
17:37 < Gnewt> Okay, thanks very much :)
17:38 < krzie> 10.something.0.x is usually safe
17:38 < Gnewt> 192.168.240.0 maybe?
17:38 < Gnewt> or that
17:38 < krzie> that should work too
17:38 < Gnewt> Thanks for your help! :)
17:38 < krzie> i dont think ive ever seen 192.168.240.x
17:38 < krzie> np man =]
17:38 < Gnewt> me either
17:38 < Gnewt> Seeya later (I'll idle here)
17:38 < krzie> sounds good
17:38 < krzie> ill prolly be sounding like an idiot pretty soon, i didnt sleep at all
17:41 < [4-tea-2]> Damn. I'm too stupid to fix it with iptables, it seems.
17:41 < [4-tea-2]> It works perfectly well with --local , but I need ovpn to listen on a second address as well.
17:41 < [4-tea-2]> I guess I'm going to duplicate the configuration and start it twice. *sigh*
17:42 < krzie> sure it'll respond from that same ip when you do that?
17:47 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
17:51 < [4-tea-2]> Yes, the second IP I need ovpn to run on is on a different i/f, and in a different net.
17:52 < [4-tea-2]> It just cannot use the main server IP to respond, because that is one of the IPs that I need to reach _through_ the VPN tunnel.
17:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:58 < [4-tea-2]> Heh. My routing table on my local server is becoming ridiculously large.
18:00 < krzie> !factoids search max
18:00 < vpnHelper> krzie: No keys matched that query.
18:00 < krzie> !factoids search lim
18:00 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
18:00 < krzie> (something to keep in mind while making your routing table ridiculously large
18:00 < krzie> )
18:02 < [4-tea-2]> Nah, that's not a problem, those routes are not pushed to the client.
18:02 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
18:02 < [4-tea-2]> But I'm still running into other problems when I run two ovpns instead of one.
18:02 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"]
18:02 < [4-tea-2]> It seems I also need different keys for both instances. :(
18:03 < krzie> false
18:04 < [4-tea-2]> Well, I need different ccd/$ids
18:04 < krzie> if you use ipp.txt you absolutely need a diff one of those
18:04 < krzie> but the keys sure can be the same
18:05 < krzie> may i recommend giving each instance its own working dir
18:05 < [4-tea-2]> One instance serves 192.168.3.0/24, one 192.168.4.0/24, so I need to ifconfig-push the correct address, right?
18:05 < krzie> and copy the keys over instead of using the same path
18:05 < [4-tea-2]> I do that from ccd/$fqdn
18:05 < krzie> if you need static, absolutely
18:05 < krzie> so each gets its own ccd dir
18:05 < [4-tea-2]> But good idea.
18:05 < [4-tea-2]> Yeah, I'll do that.
18:05 < krzie> but the keys themselves will still work fine
18:06 < [4-tea-2]> Righto.
18:08 < [4-tea-2]> Heh, don't do that on-the-fly or ovpn might die. :D
18:08 < krzie> umm no
18:08 < krzie> you're only copying not moving
18:09 < [4-tea-2]> I had the tunnel with the wrong IPs running, reconfigured the server side, restarted the server side.
18:09 < [4-tea-2]> Then the client side died. ;)
18:09 < [4-tea-2]> I don't blame it.
18:09 < krzie> hehe
18:12 < [4-tea-2]> Well, that looks good now. When I enable Wifi on my laptop, it will either connect to my local dsl-router/wlan-ap and build an ovpn connection to the appropriate local ip of my server.
18:13 < [4-tea-2]> When my local wlan is not in reach, it will connect to any wlan ap, and build an ovpn connection to the public ip of my server, which is itself forwarded from my favorite provider through ovpn to my dynamic IP address.
18:15 < [4-tea-2]> When I disable wlan and attach a cable, ovpn is restarted on the laptop (in order to get rid of the tun device) and will try to keep connecting to my server, but locally it's not allowed, so I get an ovpn-free connection via local cable only.
18:15 -!- gebura [n=nnnnnnng@lescigales.org] has quit [Read error: 60 (Operation timed out)]
18:15 < [4-tea-2]> And it only took me the better part of a week. :D
18:15 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
18:25 < krzie> werd =]
18:25 < krzie> if you have time, maybe you could make a writeup on the wiki about it
18:25 < krzie> !wiki
18:25 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
18:26 < krzie> i always say that to people when they get their unique setups working, nobody ever bothers to write on there besides ecrist and i tho =[
18:27 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
18:27 < [4-tea-2]> Well, there's one more thing to do: convert the last ovpn connection from static keys to tls, but that should be easy. I'm planning to blog about it on my (German) blog. If I do that, I might actually go the extra step and translate it.
18:28 < krzie> thats plenty easy to change
18:28 < krzie> btw, you use fbsd?
18:28 < [4-tea-2]> Linux
18:28 < krzie> ahh
18:28 < krzie> was gunna say ports/security/ssl-admin is a great tool for managing your certs
18:28 < krzie> you can still use it if you like tho
18:28 < krzie> !ssl-admin
18:29 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
18:29 < krzie> its way cooler than easy-rsa
18:29 < [4-tea-2]> Oh, I'm totally happy with easy-rsa.
18:29 < krzie> werd
18:29 < krzie> i was ready to code my own til ecrist showed me ssl-admin
18:29 < krzie> (he wrote it)
18:30 < [4-tea-2]> I actually created all the keys I needed already, just need to deploy and change the config.
18:30 < krzie> its basically what i would have coded, only i woulda used bash and he used perl
18:30 < krzie> it even packages up the keys with a config and zips them for deployment =]
18:30 < [4-tea-2]> But since that involves changes to my connectivity, I will only do that when I know I can phone someone to fix my fuckups server-side. ;)
18:30 < krzie> and saves the info for future CRL making
18:30 < krzie> haha
18:50 -!- HD2 [n=Marco@velirat.de] has joined ##openvpn
18:51 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit [Connection reset by peer]
19:06 -!- HD2 is now known as HardDisk_WP
19:24 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
19:39 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:57 -!- ptchinster [n=ptchinst@137.28.246.232] has joined ##openvpn
19:58 < ptchinster> im following the guide here, http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, when i run the bridge-start script, the network becomes unreachable. ive followed it to a T, dont know what i did wrong
19:58 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
19:58 < ptchinster> only diff is of course the IP ranges and values i use
19:58 < krzie> it doesnt set the gateway
19:58 < krzie> add that at the bottom of the script
19:59 < ptchinster> how?
19:59 < ptchinster> gateway $gateway
19:59 < ptchinster> that appended?
19:59 < krzie> the way your OS does it...
19:59 < krzie> likely with the route command
19:59 < ptchinster> linux
20:00 < ptchinster> never used that before
20:02 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:02 -!- theDoc [n=andelyx@119.73.165.162] has quit [Remote closed the connection]
20:02 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:02 < ptchinster> route add default gw 192.168.1.1 eth0
20:04 < ptchinster> should i be adding it to the $eth, the $br or the $tap ?
20:04 < krzie> i dont setup bridged
20:05 < krzie> but br0 makes sense to me...
20:05 < ptchinster> well, thats not it either
20:05 < ptchinster> same problem
20:05 < krzie> welp, keep playing
20:05 < krzie> thats the common problem
20:06 < ptchinster> so then after i find the solution to the common problem, how can i not be like the others and get the fix somewhere in the documentation
20:07 < krzie> i guess by messaging the mail list once you solve it
20:07 < krzie> !mail
20:07 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
20:07 < ptchinster> ah, just got it i think
20:07 < krzie> you can likely find others talking about it with a good google
20:14 -!- ptchinster [n=ptchinst@137.28.246.232] has quit ["Leaving."]
20:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
20:40 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:46 < theDoc> Anyone know why I'm getting ICMP messages with public addresses as the source and the vpn client address as destination?
20:47 < theDoc> Doesn't seem like I've established a connection with that particular host prior to that ICMP.
20:47 < theDoc> Oh wait, n/m. I didn't filter it properly
20:47 < theDoc> I did actually.
21:16 -!- theDoc [n=andelyx@208.99.194.194] has quit []
21:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:28 -!- Schmee [n=zaphod@ppp100-124.static.internode.on.net] has joined ##openvpn
21:29 < Schmee> hi all. Hopefully this isn't off topic too far, but I've had no luck with Google on this subject. I need to connect to an openvpn server, but I need the client end to be router driven rather than client machine driven. Can anyone recommend a router which can be connected to an openvpn server without resorting to openwrt firmware?
22:15 -!- troy is now known as troy-
22:53 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
23:54 < reiffert> !route
23:54 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:55 < reiffert> Schmee: however, openvpn runs on various archs and OS'.
--- Day changed Wed Apr 22 2009
00:01 < Schmee> reiffert: I should have mentioned, I need it to run in bridge mode
00:03 < reiffert> so?
00:04 < Schmee> I assume from your response that it doesn't make a difference which mode, openvpn is either supported or not.
00:08 < reiffert> right.
00:10 < onats> i have a vpn server piggybacked onto my home router running dd-wrt. i get frequent disconnects with two clients connected. could it be that the router can no longer handle the load?
00:14 < reiffert> onats: try to monitor the load
00:14 < onats> reiffert, yeah.. actually sometimes it gets to 100%. well it happens often
00:15 < onats> is it possible that any attempts to DDOS brings the load of the router up?
00:15 < Schmee> reiffert: thanks for your help. Back to more research
00:17 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
00:34 -!- albech_ is now known as albech
00:38 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
00:44 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
01:09 -!- Schmee [n=zaphod@ppp100-124.static.internode.on.net] has quit ["Leaving"]
01:33 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has joined ##openvpn
01:36 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn
01:45 -!- Alagar [n=helpdesk@dont.rootkit.me] has joined ##openvpn
01:51 -!- SuperEvilDeath16 [n=death@212.206.209.177] has quit [No route to host]
02:26 -!- troy- is now known as troy
02:35 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:36 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:36 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 60 (Operation timed out)]
02:44 -!- troy is now known as troy-
02:48 -!- troy- is now known as troy
03:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:37 < ThoMe> hello?
03:51 -!- pro is now known as youngpro
03:54 -!- albech [n=albech@119.42.76.62] has quit [Read error: 60 (Operation timed out)]
04:07 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:08 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:08 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
04:31 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
04:36 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
04:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:02 < ThoMe> can anybody help me with "net_gateway" ?
05:02 < ThoMe> :-)
05:14 -!- Alocado [n=matthias@vpn075.uni-trier.de] has joined ##openvpn
05:14 < Alocado> hello
05:15 < Alocado> what's the technical difference between server and client certificates?
06:25 -!- Alocado [n=matthias@vpn075.uni-trier.de] has quit [Read error: 113 (No route to host)]
06:45 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has left ##openvpn []
07:10 < ecrist> morning, folks
07:27 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn
07:35 -!- nemysis [n=nemysis@214-42.106-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:35 -!- nemysis [n=nemysis@178-248.1-85.cust.bluewin.ch] has joined ##openvpn
08:02 < dazo> ecrist: morning!
08:03 < dazo> ecrist: just a quick question ... I believe you know something about this ... but a guy claims that RAID10 has the same advantages as RAID6 .... what do you think about that?
08:03 < ecrist> no, it doesn't
08:03 < dazo> RAID10 is for me striping + mirror .... and nothing close to RAID5 or 6
08:03 < dazo> ecrist: thanks! That's what I thought as well :)
08:03 < ecrist> RAID10 is much faster than RAID 5 or 6
08:04 < ecrist> no overhead to generate parity
08:04 < ecrist> for db servers, I use 10, for backup servers, I use RAID 6
08:04 < dazo> ecrist: yeah, that I can follow
08:04 < dazo> ecrist: thanks again!
08:04 < ecrist> np
08:07 < [4-tea-2]> Where would I put a feature request for ovpn?
08:07 < ecrist> probably on the mailing list
08:07 < ecrist> what feature are you looking for?
08:07 < [4-tea-2]> Binding one ovpn instance to multiple, but not all, interface addresses.
08:08 < ecrist> can you use multiple local statements in the config?
08:09 < dazo> [4-tea-2]: I believe that's been discussed on the openvpn-users list already .... but please, bring it up again :)
08:10 < dazo> ecrist: I believe that it is meant to only listen for connection on specific interfaces .... like only eth0 and eth2 but not eth1, kind of
08:10 < ecrist> I don't understand
08:11 < [4-tea-2]> ecrist: no, only the first one is honored, the following --local statements are ignored.
08:11 < [4-tea-2]> dazo: that's kinda what I need. I want ovpn to bind to one (not all) addresses on eth0 (which has three addresses), and to eth1.
08:12 < ecrist> for now, I'd just bind to all, filter at the firewall
08:12 < [4-tea-2]> ecrist: that doesn't solve my problem, sadly.
08:12 < dazo> thats the only solution now
08:12 < [4-tea-2]> I'm running two ovpn instances now.
08:12 < ecrist> why?
08:12 < [4-tea-2]> (actually three, but the third one doesn't matter)
08:12 < ecrist> what am I missing?
08:13 < [4-tea-2]> One on eth0:ovpnhelper, one on eth1.
08:13 < [4-tea-2]> ecrist: when I bind ovpn to eth0, and try to establish a tunnel to the IP address of eth0:ovpnhelper, the response packets originate from the MAIN address of eth0.
08:13 < [4-tea-2]> ie. I connect to x.y.z.3 and x.y.z.1 responds.
08:14 < ecrist> so?
08:14 < [4-tea-2]> I need to reach x.y.z.1 THROUGH the tunnel.
08:14 < ecrist> sounds like you're missing a push route
08:15 < [4-tea-2]> ...and --float, if you take THAT approach.
08:15 < [4-tea-2]> But I don't like that approach.
08:15 < ecrist> ok
08:16 < [4-tea-2]> I don't think .3 should be sending packets that appear to be originating from .1.
08:16 < ecrist> [4-tea-2]: it's going to, it's not an OpenVPN issue, it's a TCP/IP stack issue on your OS
08:17 < ecrist> and it's a common issue
08:17 < [4-tea-2]> If it's not a ovpn issue, why does it work when ovpn is bound to .3 only?
08:18 < ecrist> because it's a TCP/IP stack issue.
08:18 < ecrist> if you have *any* daemon bound to multiple IPs on the same subnet, the responses will originate from the first IP in the subnet listed on the interface.
08:19 < ecrist> FreeBSD jails do it differently, but they've fixed the stack for those.
08:19 < ecrist> and also, the daemons are only bound to a single IP
08:19 < [4-tea-2]> ecrist: well, that's why I have that feature request.
08:20 < ecrist> ok, it's a sound reason, just arguing semantics at this point. it's not *really* an OpenVPN problem.
08:20 < [4-tea-2]> I understand.
08:21 < [4-tea-2]> Well, I think I understand. :D
08:21 < ecrist> if I may, why do you have openvpn listening to multiple IPs?
08:22 < [4-tea-2]> It's listening to a public IP so I can connect from teh interwebs, and to a local IP so I can connect from Wlan.
08:22 < ecrist> why not just listen to the public IP?
08:23 < [4-tea-2]> Because then all my traffic would be routed upstream by my DSL-Router/Wlan-AP, just to be routed back to the public IP which is not known to the router.
08:24 < [4-tea-2]> I'd rather keep traffic as local as possible, mainly for bandwidth reasons.
08:24 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has joined ##openvpn
08:24 < ecrist> if the public and private IPs are on the same system, nothing would leave your network, or go 'upstream'
08:25 < [4-tea-2]> The router isn't aware the public IP is local.
08:25 < [4-tea-2]> It's forwarded to my local server using ovpn. ;)
08:26 < ecrist> hrm, I'm glad your setup is working for you, but it sounds overly-complicated.
08:27 < [4-tea-2]> ecrist: actually, it's pretty simple. I have a /28 which is routed to a server in teh interwebs, I pick it up there using ovpn, and I have a laptop with an address from that /28 that I want to use with the SAME address no matter where I am.
08:28 < [4-tea-2]> So I need one ovpn connection for the /28, and one ovpn connection from my laptop to a machine within that /28.
08:28 < [4-tea-2]> ovpn-over-ovpn :D
08:30 < [4-tea-2]> Also, the DSL-router is not what I consider a trusted system, so it's isolated on its own interface and I make sure that I never route "plain" (unencrypted) traffic over it. All my (untrusted) DSL provider gets to see is the ovpn connection.
08:33 < [4-tea-2]> ecrist: I got a diagram if you believe in pictures saying more than a thousand words. ;)
08:34 < ecrist> naw
08:42 < [4-tea-2]> ;)
08:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:50 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
08:51 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
09:40 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn
09:40 < straterra> Hi..I'm getting the letters r and w spammed in to my openvpn log file..has anyone seen this before?
09:40 < ecrist> not i
09:43 < Bushmills> straterra, check file system. in case of write error, blocks may end up being part of file, but uninitialised.
09:43 < straterra> hmm
09:44 < straterra> all r/w
10:11 < dazo> straterra: check your verb settings in the config file
10:11 < dazo> straterra: verb > 4 usually gives this
10:11 < straterra> verb 5
10:12 < straterra> another admin set it..thanks
10:12 < dazo> straterra: if you want verbose info for logging ... 3 is user enough
10:12 < dazo> usually, I meant
10:12 * dazo leaves for today
10:16 < straterra> thanks
10:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:34 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
11:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
11:04 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has left ##openvpn []
11:07 -!- ScribbleJ [n=nnsj@99-35-164-150.lightspeed.dwgvil.sbcglobal.net] has joined ##openvpn
11:09 < ScribbleJ> Hi guys... using openvpn, auth pam option, I want to require a username/password for all connections /except one/... which should just auth with the cert as standard. Is this possible?
11:09 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:09 -!- Timpa88 is now known as Timpa
11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:11 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
11:19 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
11:19 < Improv> Anyone here know much about the mailing lists? My post was rejected for some reason.
11:19 < ecrist> what was the reason?
11:20 < ecrist> I'm guessing a mail server misconfig on your part
11:20 < Improv> It just said "you are not allowed to post"
11:20 < Improv> I don't see any explicit reason in the message
11:20 < ecrist> I think you may need to be subscribed.
11:20 < Improv> (the "not allowed to post" came from lists.sourceforge.net, not from gmane.org where I posted it, if that helps)
11:21 < ecrist> ah
11:21 < ecrist> gmane.org is just a mirror, not the actual list.
11:21 < Improv> Ohh
11:21 < Improv> So I should post through sourcefnord
11:48 -!- Alagar [n=helpdesk@dont.rootkit.me] has quit [Remote closed the connection]
11:53 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
12:01 -!- xororand [n=xororand@unaffiliated/xororand] has quit ["delete this;"]
12:20 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection]
12:33 < dan__t> Ok.
12:33 < dan__t> We're almost ready to go........
12:39 -!- straterra [n=straterr@projectstfu.com] has left ##openvpn []
12:45 -!- dupondje- [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
12:46 < dupondje-> I'm trying to make my 2 networks communicate with each other by using a OpenVPN server (with public ip)
12:46 < dupondje-> but Can't get it working, I can connect to the server etc
12:46 < dupondje-> but can't connect to the other network
12:47 < dupondje-> 'PUSH_REPLY,route 192.168.3.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
12:48 < dupondje-> this is the push reply :)
12:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:54 -!- albech_ [n=albech@119.42.76.2] has joined ##openvpn
12:55 -!- albech [n=albech@119.42.76.62] has quit [Success]
12:56 -!- theDoc- [n=andelyx@bb121-7-61-77.singnet.com.sg] has joined ##openvpn
12:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:04 -!- theDoc- [n=andelyx@bb121-7-61-77.singnet.com.sg] has quit []
13:05 < dupondje-> can't even ping the server :s
13:05 < dupondje-> wtf
13:05 < dupondje-> with its OpenVPN ip
13:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
13:15 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
13:22 -!- ScribbleJ [n=nnsj@99-35-164-150.lightspeed.dwgvil.sbcglobal.net] has left ##openvpn ["Leaving"]
13:25 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
13:34 -!- dupondje- [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)]
13:36 -!- albech_ is now known as albech
13:46 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
14:16 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:10 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
15:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:27 -!- Lilarcor_ [n=Lilarcor@53.sub-97-130-194.myvzw.com] has joined ##openvpn
15:27 -!- Lilarcor_ [n=Lilarcor@53.sub-97-130-194.myvzw.com] has quit [Remote closed the connection]
15:40 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit ["Ik ga weg"]
16:22 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
17:00 -!- Timpa [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)]
17:01 -!- Timpa [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
17:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:05 < Dougy> hello there childrens
17:08 < krzie> i got 2 compaq 42u raqs for sale, 400$
17:09 < Dougy> hmmmmmm
17:09 < Dougy> meh
17:09 < Dougy> i'll pass
17:10 < Dougy> sup krzie
17:12 < krzie> chillen, you?
17:15 < Dougy> nada man 17:16 < Dougy> taking preorders atm 17:19 < Dougy> :P 17:20 < Dougy> Grrrrrr :, 17:20 < Dougy> :< 17:20 < Dougy> ecrist: ping 17:27 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:49 -!- sirus [i=scott@gotpot.org] has quit [Read error: 113 (No route to host)] 17:54 < Dougy> krzie im dying of boredom 17:55 < Dougy> bring in the hookers 17:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer] 18:02 -!- sirus [i=scott@gotpot.org] has joined ##openvpn 18:19 < krzie> ya im bored as shit too 18:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 18:20 < Dougy> haha 18:20 < Dougy> troy fails 18:31 < Dougy> http://www.upload3r.com/serve/220409/1240443016.jpg 18:39 < krzie> nice 18:40 < Dougy> my new toy 18:43 < krzie> werd 18:56 < Dougy> :) 20:08 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:29 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 20:31 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 20:35 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 20:37 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)] 21:56 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 113 (No route to host)] 21:57 < tjz> hey dougy 21:57 < tjz> :) 22:01 < dougy[home]> hey ! 22:03 < dougy[home]> tjz 22:26 < tjz> hehe 22:26 < tjz> long time never see you here 22:26 < tjz> :P 22:26 < tjz> how are you doing? 22:33 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 22:35 < tjz> -_- 22:35 < tjz> i see double 22:35 < tjz> lol 22:39 < ecrist> Dougy: pong 22:42 < ecrist> :\ 22:50 < tjz> lol 22:50 < tjz> do you guys run openvpn on linux as root ? 
22:51 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 22:51 < krzie> i dont run it as root anywhere 22:52 < krzie> linux/bsd/osx 22:52 < tjz> yea 22:52 < krzie> because you never run anything as root unless you absolutely have to 22:52 < tjz> i think better security practice to run it as another user? 22:52 < tjz> yea 22:52 < krzie> you must start it as root, then you can tell it to drop privs 22:53 < tjz> hmm 22:53 < tjz> drop privs as in ? care to explain? 22:54 < krzie> see --user and --group in the manual 22:54 < theDoc> Yep, run it as root and it drops it to another user called nobody ;p 22:58 < tjz> ahh 22:58 < tjz> thxx, keff 22:58 < tjz> jeff 22:58 < tjz> :P 22:58 < tjz> txh thedoc 22:58 < tjz> :) 23:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:29 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has joined ##openvpn 23:30 < ecrist> why was dougy pinging me? 23:42 < ecrist> nm, going to sleeeeeeep 23:52 -!- troy is now known as troy- --- Day changed Thu Apr 23 2009 00:08 -!- sirus [i=scott@gotpot.org] has quit [Read error: 104 (Connection reset by peer)] 00:08 -!- sirus [i=scott@gotpot.org] has joined ##openvpn 00:16 -!- funky [n=repulse@unaffiliated/funky] has quit [Read error: 110 (Connection timed out)] 00:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 00:41 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 01:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 01:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:30 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has quit [Remote closed the connection] 01:31 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has joined ##openvpn 02:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:16 < theDoc> tjz: Surprise, you're singaporean. 
02:16 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has left ##openvpn [] 02:23 -!- troy- is now known as troy 02:34 < tjz> omg 02:34 < tjz> i am 02:34 < tjz> you are... 02:34 < tjz> theDoc is n=andelyx@unaffiliated/thedoc * oh-snap! 02:34 < tjz> -_- 02:34 < theDoc> Yep, unaffiliated. 02:34 < theDoc> Singaporean as well ;p 02:34 < tjz> oh 02:34 < theDoc> really la, singaporean. 02:34 < tjz> hahaha 02:35 < theDoc> will not bluff you one. srs! 02:35 < theDoc> heh 02:35 < tjz> hahaha 02:35 < theDoc> How to identify a singaporean ;D 02:35 < tjz> use our powerful singlish 02:35 < tjz> :p 02:35 < theDoc> ho seh liao la! I need a few more servers for my vpns:)) 02:35 < tjz> wow 02:35 < tjz> what are you working on? 02:36 < theDoc> tjz: anonymous vpn tunnels for lease :) 02:36 < tjz> cool 02:36 < theDoc> A couple more, a couple more. 02:36 * theDoc whistles. 02:37 < tjz> lol 02:37 * theDoc is going partially deaf in his right ear :( 02:37 < tjz> serious? 02:37 < tjz> lol 02:37 < tjz> hmm 02:38 < tjz> how come 02:38 < theDoc> Serious, I've been hearing a good constant buzzin' 02:38 < tjz> hmm.. 02:38 < tjz> from computer speaker or construction site? 02:38 < theDoc> Neither, army days. 02:39 < tjz> omg 02:39 < tjz> yea 02:39 < theDoc> tjz: I used to be in armor. 02:40 < theDoc> Live firing and all, it's not good for your hearing. 02:40 < theDoc> engine + live firing of the 75mm maingun + gpmg = bad 02:40 < tjz> waaa 02:40 < tjz> that one really loud 02:40 < tjz> -_- 02:41 < tjz> but 02:41 < tjz> you are still in the 20s.. 02:41 < tjz> so young ..got such problem 02:41 < tjz> -_- 02:42 < theDoc> Unfortunately. :) 02:43 < theDoc> tjz: I guess you're in your 20's as well 02:44 < tjz> yea 02:45 < tjz> brb 02:45 < theDoc> brb, indeed. 
02:45 < theDoc> I'm surprised to find a singaporean here though 03:01 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 03:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Kevin` 03:05 -!- Netsplit over, joins: Kevin` 03:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:37 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn 03:48 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 03:49 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 04:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:21 -!- AnAnt [n=anant@41.196.129.148] has joined ##openvpn 04:21 < AnAnt> Hello, is it possible to configure the openvpn server (& client) to authenticate using UNIX accounts on the server ? 04:24 < krzee> sure 04:25 < krzee> using PAM 04:28 < krzee> (in a --client-connect script iirc 04:28 < krzee> there should be an auth pam script in the source 04:29 < krzee> in the source tar.gz 04:29 -!- nemysis [n=nemysis@178-248.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 04:30 -!- nemysis [n=nemysis@77-242.3-85.cust.bluewin.ch] has joined ##openvpn 04:33 < AnAnt> krzee: auth-pam.pl 04:33 < krzee> there ya go 04:34 < AnAnt> so, nothing to be done on server side ? 04:34 < AnAnt> oh, sorry 04:34 < krzee> thats what goes on the server 04:36 < AnAnt> krzee: --auth-user-pass-verify can't be put in server.conf ? 
04:38 < krzee> !authpass 04:38 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 04:38 < krzee> yes, it can 04:38 < krzee> maybe thats what i was thinking of as opposed to --client-connect 04:39 < krzee> ahh yes 04:39 < krzee> first hit in manual was for --auth-user-pass-verify 04:39 < krzee> For a sample script that performs PAM authentication, see sample-scripts/auth-pam.pl in the OpenVPN source distribution. 04:42 < AnAnt> the script says: For real world usage, see the auth-pam module in the plugin 04:42 < AnAnt> # folder. 04:46 < AnAnt> plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD" 04:46 < AnAnt> !openvpn-auth-pam.so 04:46 < vpnHelper> AnAnt: Error: "openvpn-auth-pam.so" is not a valid command. 04:47 < AnAnt> !plugin 04:47 < vpnHelper> AnAnt: Error: "plugin" is not a valid command. 04:47 < AnAnt> hmmm 04:58 < ThoMe> krzee: huuh? 04:58 < ThoMe> krzee: receive money? 05:25 -!- sirus [i=scott@gotpot.org] has quit ["leaving"] 05:27 < AnAnt> !pam 05:27 < vpnHelper> AnAnt: Error: "pam" is not a valid command. 05:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:44 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 06:10 -!- AnAnt [n=anant@41.196.129.148] has left ##openvpn [] 07:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:34 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 07:39 -!- onats_ is now known as onats 07:39 < onats> haro! 07:40 < ecrist> oh, haro hans brix! 
07:47 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has joined ##openvpn 07:52 -!- row [i=row@who.br0ke.me.uk] has joined ##openvpn 07:52 < row> Anyone here run openvpn server on a virtuozzo guest? 07:52 < row> And does it actually work :P 07:53 < row> ah found out it is possible 08:11 -!- Dougy [n=me@67.80.62.212] has joined ##openvpn 08:11 < ecrist> pong Dougy 08:11 -!- gebura [n=nnnnnnnn@lescigales.org] has left ##openvpn ["Quitte"] 08:29 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 113 (No route to host)] 08:36 -!- Dougy [n=me@67.80.62.212] has quit [Read error: 113 (No route to host)] 08:41 -!- ghoti [n=paul@CPE00c095f003f8-CM001371886cc2.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)] 08:42 -!- autoditac [n=autodita@p579E18F4.dip.t-dialin.net] has joined ##openvpn 08:43 < autoditac> hi. is there something like a 'logon message' that i can set? 08:47 < [4-tea-2]> autoditac: I don't think so. Who/what would display that message? ;) 08:50 < autoditac> Dunno. NetworkManager-openvpn displays that in a notification bubble. 08:51 < [4-tea-2]> autoditac: I see, that might be nice, but I don't think ovpn has a feature like that (at least I don't remember reading anything like it in the man page). 09:00 < ecrist> there really isn't one at this point in time. 09:12 < autoditac> ecrist: would be nice to have. vpnc has that, and i always like to join those vpns that say "Welcome in our house" :-) 09:14 < ecrist> Post a feature-request to the mailing list. 09:14 < ecrist> you could code it yourself, and submit a patch, as well. 09:16 < autoditac> ecrist: you definitely don't want that :-) 09:17 < autoditac> i should better sponsor a bounty or something like that. 09:41 -!- Yhetti [n=wes@75.150.50.65] has joined ##openvpn 09:43 < dazo> autoditac: I'd be willing to look into such a patch, if I just can get some spare time for it :) ... would be a fun patch to write, though :) 09:45 < Yhetti> Grr.. 
So I had a working OpenVPN setup for months using AES-128-CBC; installing some new DDWRT routers and changed everything to Blowfish and now none of the remotes will link to the server; all of them hit the 60 second timeout. Per the logs, the keys are correct (clearly, they didn't change) but the TLS fails after 60 seconds on every connection. What did I miss? 09:48 < dazo> Yhetti: seriously speaking ... I'd try another fw than dd-wrt .... I've had some bad experiences with them regarding security, which they neglected ... so if it's a buggy openvpn in there, I wouldn't be that much surprised 09:48 < Yhetti> I haven't actually moved anything to dd yet, it's still the old Linux routers 09:48 < Yhetti> with AES swapped for BF as the only change : / 09:49 < dazo> Yhetti: have a look at x-wrt (using openwrt in the bottom) ... I swapped to that one, and I'm happy! 09:49 < Yhetti> However, I'll def. look into other firmwares. DD was just my first test run 09:50 < Yhetti> Sorry, I should have mentioned that I didn't swap the hardware out yet : ) 09:50 < dazo> Yhetti: I discovered some iptables rules which allowed access from two different IP addresses in Germany ... I mentioned it on their phorum, and they never wanted to post an advisory about it .... just "yes, it will be fixed in the next release" 09:50 < Yhetti> weird..although, probably not surprising 09:51 < Yhetti> I'll take a look at x-wrt as soon as I can get my remotes back up : ) 09:51 < Yhetti> any thoughts on why changing the encryption type (I changed on both ends) would cause the TLS to suddenly fail? 09:51 < dazo> unfortunately ... but OpenWRT has behaved nice ... and X-WRT is the GUI extension on top of OpenWRT ... really easy to setup 09:52 < Yhetti> oh..apparently I just figured it out 09:52 < Yhetti> openvpn uses the kernel crypto modules? 09:53 < dazo> Yhetti: usually that's because of unsynch'ed ciphers, wrong static keys (--tls-auth) ... 
or in some cases also the network layer (sometimes you need to use tcp mode, instead of the preferred udp) 09:53 < dazo> Yhetti: OpenVPN uses OpenSSL 09:54 < dazo> Yhetti: also try to check out with verb 4 ... if you see some other warnings in the logs ... could be issues with MTU or other network related things 09:55 < dazo> Yhetti: which openvpn versions are involved? 09:55 * plaerzen waves. 09:57 < Yhetti> 2.0.9 Debian packages 09:57 < Yhetti> As soon as I did a modprobe blowfish it started working 09:58 < Yhetti> Which just raises further questions... 10:01 < Yhetti> x-wrt looks cool 10:06 < Yhetti> Now if only I could do 'modprobe rot13'. Get some real speed up in here... 10:19 < dazo> Yhetti: rot13!?!? .... I hope that was a joke .... 10:20 < Yhetti> : ) 10:20 < dazo> Yhetti: it might be that openssl uses the kernel encryption .... not sure about it, to be honest 10:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:22 < Yhetti> Probably does. I guess that way if you have hardware acceleration it will actually work 10:22 < Yhetti> oh well....it's up now. Going to give your suggestion a shot. And thanks for your time : ) Have a good day 10:22 -!- Yhetti [n=wes@75.150.50.65] has quit ["Ex-Chat"] 11:19 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has quit ["Leaving."] 11:21 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 11:33 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:34 < reiffert> moin 11:35 < theDoc> moin'! 11:36 < Bushmills> grias di 11:36 < reiffert> Moin theDoc 11:36 < reiffert> howdy Bushmills! 
11:37 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:37 < theDoc> Oh dear, I just killed a conversation on another network :) 11:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:11 -!- rashed2020_ [n=admin@67.205.245.208] has joined ##openvpn 12:11 < rashed2020_> Hey guys 12:12 < rashed2020_> Are there any dis/advantages to having openVPN on the router as opposed to a box sitting inside the network? 12:25 < row> if openvpn goes nuts does not take down router? 12:27 < rashed2020_> Is that it? I read somewhere about something to do with bridging, but I lost the link =( I was hoping someone here would know what I'm talking about 12:29 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has joined ##openvpn 12:29 < CyBerNetX> !route 12:29 < vpnHelper> CyBerNetX: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:29 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection] 12:31 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has left ##openvpn ["Leaving"] 12:34 -!- albech [n=albech@119.42.76.2] has quit [Read error: 54 (Connection reset by peer)] 12:48 < epaphus> Hello.. I have a gateway with two separate VPN client configurations running. Behind this machine I have one LAN. None of the client.configs have -redirect gateway on (they would conflict) . MY question is what config must I do to allow the machine on the LAN to access the internet via a SINGLE vpn client ? 
12:50 < epaphus> Desktop1 (172.168.1.200) --> Server_with-two-clients (172.168.1.100) -> VPN -> VPN server1 12:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 12:55 -!- rubydiamond [n=rubydiam@123.236.183.91] has joined ##openvpn 13:01 -!- albech [n=albech@119.42.76.2] has joined ##openvpn 13:12 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 13:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:32 < dan__t> hi 13:38 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 13:47 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn 13:51 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)] 13:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:02 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:15 -!- autoditac [n=autodita@p579E18F4.dip.t-dialin.net] has left ##openvpn [] 14:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:33 -!- penrod [n=pattonb@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 14:43 < krzee> rashed2020_, if you are using routing and connecting lans, running it on the router has the advantage of not needing routes added to the router 14:43 < krzee> !route 14:43 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:44 < krzee> you can see what im talking about under the picture in "ROUTES TO ADD OUTSIDE OPENVPN" 14:54 < Dougy> hmm 14:54 < Dougy> krzeeeeeeeeeeeeeeeeeeeeeeeeeeeeee 14:55 < dan__t> o. 14:55 < dan__t> er, no. 
14:59 < Dougy> ? 14:59 < Dougy> you are a grouch 14:59 < Dougy> go away. 14:59 < ecrist> Dougy: what were you pinging me for? 15:00 < Dougy> ecrist: password reset :-X 15:00 < ecrist> for what? 15:00 < Dougy> the info you sent me, i remember changing the pw 15:00 < Dougy> but no idea what the hell i set it to 15:00 < ecrist> lemme look it up 15:00 < Dougy> i use about 400 passwords literally and dont want to bombard your box trying to get it 15:00 < Dougy> cuz i have 400 diff ones and in that 400 theres probably 3 or 4 versions of each 15:02 < ecrist> ok, send me a pm with a new pass 15:02 < ecrist> I'll set it now. 15:02 < ecrist> the ssh password, right? 15:02 < Dougy> yes 15:02 < Dougy> so i can ftp 15:02 < Dougy> i just need to get phpbb config info 15:03 -!- troy is now known as troy- 15:04 < ecrist> send me a PM, otherwise you're SOL. I'm leaving in two minutes until next week 15:04 < Dougy> kk 15:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:04 < Dougy> can i change the pw 15:04 < Dougy> later 15:04 < Dougy> ? 15:04 < ecrist> sure, I don't care 15:04 < Dougy> or should this be the one its gonna stay 15:20 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 15:22 -!- Roman123 [n=Roman123@128.131.70.150] has left ##openvpn ["Vegetarians don't live longer, they just look older!"] 15:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 15:31 < Dougy> yayyyyyyyyyyyyyyyyyyyyy 15:46 < Dougy> wtf 15:46 < Dougy> i fail at ppbb 15:46 < Dougy> phpbb 15:55 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 15:55 < Dougy> krzee 15:55 < Dougy> grrrrrrrrrrr 15:57 < Dougy> !tcp 15:57 < vpnHelper> Dougy: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:58 < krzee> ? 
15:58 < Dougy> i got admin user krzee 15:58 < Dougy> the pw 15:58 < Dougy> but cant seem to figure out how to give user douglas admin privs 15:58 < Dougy> i can goto admincp and stuff but cant moderate posts 16:00 < krzee> sux4u! 16:01 < Dougy> :( 16:01 < Dougy> ugh god 16:01 < Dougy> someone is having me set up openvpn on windows 7 16:01 < krzee> !win7 16:01 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 16:01 < Dougy> does it need to be that to work? 16:01 < Dougy> he wants to redirect all traffic 16:02 < krzee> !redirect 16:02 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 16:02 < Dougy> i have that already 16:02 < Dougy> push "redirect-gateway def1 bypass-dhcp" 16:02 < Dougy> hes using 2.0.9 16:02 < krzee> !win7 16:02 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 16:02 < Dougy> now where is 2.1 rc15 for linux so it can match 16:02 < krzee> use the source luke 16:04 < Dougy> kk 16:04 * Dougy wasnt thinking 16:05 < krzee> however 16:05 < krzee> if you arent using anything 2.1 specific 16:05 < krzee> other sides can be 2.0 if you like 16:14 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 16:24 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 16:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:36 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 16:37 < SgtPepperKSU> !iporder 16:37 < vpnHelper> SgtPepperKSU: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use 
--client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 16:39 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 16:42 < dougy[home]> the hellllllllllllllllllllllllllllllll 16:43 < dougy[home]> this guys pc connects and dhcp gives them 10.0.50.6, but the main server cant ping it 16:43 < dougy[home]> and vice versa 16:45 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 113 (No route to host)] 16:54 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 16:55 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 17:01 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Typone 17:02 -!- Netsplit over, joins: Typone 17:07 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:13 -!- troy- is now known as troy 17:26 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 17:38 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:42 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:50 < krzee> Dougy, check for errors in logs with verb6 17:51 < krzee> likely a win route add problem 17:51 < krzee> if so, see !winroute 17:56 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 18:26 < dan__t> hey 18:27 < dan__t> shut your mouth 18:27 < dan__t> !! 18:27 < vpnHelper> dan__t: Error: "!" is not a valid command. 18:27 < dan__t> !!!! 18:27 < vpnHelper> dan__t: Error: "!!!" is not a valid command. 18:27 < dan__t> !!!!!!!!sdf 18:27 < vpnHelper> dan__t: Error: "!!!!!!!sdf" is not a valid command. 
18:28 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:32 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 18:32 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 19:09 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:13 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 19:13 -!- onats1 is now known as onats 19:19 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 19:24 < onats> morning 19:26 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 19:33 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: M06w, Typone 20:04 -!- Netsplit over, joins: M06w, Typone 20:39 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:40 < Dougy> WOW 20:40 < Dougy> COOOOOOOOOOOOOL 20:40 < Dougy> :D:DD:D:D:D:D:D:D: 21:13 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 21:22 < tjz> lol! 21:24 < onats> what is? 22:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 22:33 -!- dallas [n=dallas@70.122.232.154] has joined ##openvpn 22:34 < dallas> anyone figure out how to . ./vars ? 22:34 < dallas> apparently, I'm an idiot... 
23:22 -!- Alagar [n=helpdesk@dont.rootkit.me] has joined ##openvpn 23:42 -!- albech [n=albech@119.42.76.2] has quit [Read error: 110 (Connection timed out)] 23:46 -!- albech [n=albech@119.42.76.2] has joined ##openvpn --- Day changed Fri Apr 24 2009 00:16 -!- dallas [n=dallas@70.122.232.154] has quit ["leaving"] 01:20 -!- nemysis [n=nemysis@77-242.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 01:20 -!- nemysis [n=nemysis@210-232.1-85.cust.bluewin.ch] has joined ##openvpn 01:42 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 02:44 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [] 02:47 -!- keisangi [n=quassel@118.6.213.154] has joined ##openvpn 02:48 -!- keisangi [n=quassel@118.6.213.154] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 03:15 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 60 (Operation timed out)] 03:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 03:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:47 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn 04:04 -!- Alagar [n=helpdesk@dont.rootkit.me] has quit [Remote closed the connection] 04:16 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 04:43 -!- c64zottel [n=hans@p5B17AC41.dip0.t-ipconnect.de] has joined ##openvpn 05:19 -!- c64zottel [n=hans@p5B17AC41.dip0.t-ipconnect.de] has left ##openvpn [] 05:36 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:45 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn 06:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 06:15 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn 07:04 -!- thnee [n=thnee@thnee.se] has left ##openvpn [] 07:06 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 07:11 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Client Quit] 
07:17 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 07:41 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has quit [Read error: 113 (No route to host)] 08:07 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"] 08:37 -!- Dougy [n=me@67.80.62.212] has joined ##openvpn 08:37 < Dougy> Anyone need some hostin'? 08:39 -!- ozirus [n=Furkan@88.244.229.137] has joined ##openvpn 08:48 < dazo> Dougy: what do you provide ... and to what price? 08:49 < Dougy> dazo: i can do just about anything and everything 08:49 < Dougy> what do you need? 08:50 < dazo> Dougy: diskspace primarily 08:50 < dazo> Dougy: and preferably rsync access 08:51 < dazo> Dougy: and it must be accessible over a secure link .... ssh or openvpn 08:52 < Dougy> pm sent 09:14 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 09:18 < Dougy> Anyone else need something hosting related ? 09:18 < Dougy> :] 09:18 -!- ozirus [n=Furkan@88.244.229.137] has left ##openvpn [] 09:20 < [4-tea-2]> Dougy: where is the server located? 09:20 < [4-tea-2]> what country, I mean? 09:21 < Dougy> USA 09:23 < [4-tea-2]> They're preparing a copy of the Great Firewall of China in my home country. 09:24 < [4-tea-2]> Having a leg in the USA (and/or UK) might be useful in the long run. *ponder 09:27 < Dougy> Eek. 09:27 < Dougy> Great firewall of china, ha 09:27 < Dougy> yeah, i heard germany was getting bad, AU to 09:27 < Dougy> o 09:30 < [4-tea-2]> It's starting to have an impact. The law for the German GFWoC is in preparation, and while they said they would only use DNS blocking, they're now aiming for packet inspection. Unrelated to that, loads of youtube videos are already blocked because of some Germany-only copyright issue. 09:31 < Dougy> LAme. 09:32 < [4-tea-2]> Got an OpenVPN-accessible squid in your product portfolio? ;) 09:32 < Dougy> Nope. :( 09:33 < [4-tea-2]> Damn. 
;) 09:34 < Dougy> I have VPS's you can set that up on, though 09:34 < Dougy> ;] 09:34 -!- Deffie [n=Deffie@nectarine/admin/deffie] has joined ##openvpn 09:34 < Deffie> hi all, just starting with openvpn, i've been able to connect a client to the work LAN through an umts connection and everything in the lan works 09:35 < Deffie> but the client doesnt get the default gateway 09:35 < Dougy> (Just for everyone here...) 09:35 < Dougy> !forum 09:35 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 09:35 < Deffie> and I have specified redirect-gateway 09:35 < Dougy> !configs 09:35 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:36 < Deffie> :) 09:36 < Deffie> ok thank you 09:37 < [4-tea-2]> Deffie: perhaps also supply the line from the logfile containing "PUSH_REPLY" 09:37 < Dougy> [4-tea-2]: why not just use openvpn and use redirect-gateway 09:38 < [4-tea-2]> Dougy: ? 09:38 < Dougy> <[4-tea-2]> Got an OpenVPN-accessible squid in your product portfolio? ;) 09:39 < [4-tea-2]> Dougy: Oh, I wouldn't want to redirect all my traffic to the US. 09:39 < Dougy> Ah. 09:40 < Dougy> Just web? 09:40 < Deffie> http://pastebin.com/m53d308b9 09:40 < Deffie> it is just the log 09:40 < [4-tea-2]> Dougy: yeah, I don't think German politicians realize that the Internet has got more to offer than http, so they won't bother blocking anything else. Yet. 09:41 < Dougy> SSH tunnel? 09:41 < Deffie> and the server seems working ok, so maybe theres something in the client which isnt right 09:41 < [4-tea-2]> Deffie: I like "redirect-gateway def1", not sure whether that should be a problem, though. 09:41 < Deffie> do i need redirect-gateway in the client config too ? 
09:41 < [4-tea-2]> Deffie: no 09:42 < Dougy> no 09:43 < [4-tea-2]> Deffie: as I understand it, def1 will add two almost-default routes instead of trying to overwrite/change an existing default route. Try that, if you want. 09:44 < [4-tea-2]> Deffie: if it works, "route -n" should show two routes with mask 128.0.0.0 and your "old" default route (which will be ignored as long as the 128.0.0.0-routes exist). 09:46 < [4-tea-2]> Dougy: tunneling ip over ip (ie. web traffic over ssh) does have disadvantages. 09:46 < Dougy> Fair enough 09:48 < [4-tea-2]> Dougy: have you tried ovpn with your virtualization solution? It should work as long as the guest system can set up tun devices, right? 09:50 < Dougy> yes 09:50 < Dougy> it's Xen 09:50 < Dougy> it can do anything 09:50 < Dougy> its hw level virtualization 09:54 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has joined ##openvpn 09:55 < CyBerNetX> !howto 09:55 < vpnHelper> CyBerNetX: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:04 * plaerzen dances the ovpn dance. He does it horribly. 10:05 < Dougy> Lol 10:06 < [4-tea-2]> plaerzen: I liked it, especially the part where you expressed your emotions about --client-config-dir. 10:08 < plaerzen> [4-tea-2], I was practising that part last night actually. I was having problems with the transition from that to --client-connect 10:11 -!- Lilarcor_ [n=Lilarcor@238.sub-97-131-26.myvzw.com] has joined ##openvpn 10:18 < [4-tea-2]> plaerzen: try this for inspiration: http://www.youtube.com/watch?v=4ULVQOneeZE :D 10:18 < vpnHelper> Title: YouTube - Praise You - Fatboy Slim (at www.youtube.com) 10:18 < [4-tea-2]> Damn you, vpnHelper, you spoiled it! 
10:22 -!- Lilarcor_ [n=Lilarcor@238.sub-97-131-26.myvzw.com] has quit ["The Lord of Murder Shall Perish."] 10:23 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 10:26 -!- Optic [n=ndfraser@miso.capybara.org] has joined ##openvpn 10:26 < Optic> yo! 10:26 < Optic> have any of you tried using openvpn on windows embedded? 10:26 < Dougy> n 10:28 < plaerzen> lol 10:28 < Optic> hum 10:30 < Optic> or slipstreamed openvpn into a windows installer? 10:32 < Dougy> what? 10:32 < Optic> automated mass deployment of openvpn 10:32 < Optic> on windows ;) 10:48 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has quit [Read error: 113 (No route to host)] 10:50 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has joined ##openvpn 10:55 -!- tjz [n=tjz@bb220-255-39-133.singnet.com.sg] has quit [Connection timed out] 10:57 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 11:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:22 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has left ##openvpn ["Leaving"] 11:26 -!- zheng [n=zheng@114.92.138.88] has joined ##openvpn 11:28 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection] 11:31 -!- zheng [n=zheng@114.92.138.88] has quit [Client Quit] 11:49 < krzee> lol 11:49 < krzee> cant say i have 11:56 -!- [4-tea-21 [n=aurel@buehne.mutantenstadl.de] has joined ##openvpn 12:02 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has quit [Connection refused] 12:27 < krzee> !winroute 12:27 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 12:36 -!- albech [n=albech@119.42.76.2] has quit [Read error: 104 
(Connection reset by peer)] 12:37 -!- tjz [n=tjz@bb116-15-38-124.singnet.com.sg] has joined ##openvpn 12:53 -!- Dougy [n=me@67.80.62.212] has quit [Read error: 110 (Connection timed out)] 12:53 -!- albech [n=albech@119.42.76.130] has joined ##openvpn 13:15 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 13:19 -!- Roman123 [n=Roman123@128.131.70.150] has left ##openvpn ["Vegetarians don't live longer, they just look older!"] 13:26 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 13:54 < Dougy> isp fail... 13:57 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 14:02 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 14:08 -!- [4-tea-21 is now known as [4-tea-2] 14:18 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:24 < rashed2020_> !brigde 14:24 < vpnHelper> rashed2020_: Error: "brigde" is not a valid command. 14:24 < rashed2020_> !bridge 14:24 < vpnHelper> rashed2020_: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP 14:24 < vpnHelper> rashed2020_: addresses. (but not samba, see !wins) 14:24 < rashed2020_> Whaaat... I'm confused now... 14:25 < rashed2020_> Which one supports broadcasting? 15:18 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has joined ##openvpn 15:19 < Carlos_Tico> hi i need help 15:19 < Carlos_Tico> anyone here who can give me a hand ? 15:19 < Dougy> i don't know 15:19 < Dougy> you have to tell me the problem first 15:19 < Carlos_Tico> oh ok .. 15:19 < Carlos_Tico> i can connect to my vpn 15:19 < Carlos_Tico> but i cannot see the network 15:20 < Carlos_Tico> any ideas ? 
15:25 < Carlos_Tico> hello !!!!!!!!!!!!!!!!!!!!!!!!!! 15:25 < Dougy> nope 15:26 < Carlos_Tico> please Dougy 15:26 < Carlos_Tico> give me a hand 15:27 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has quit [] 15:30 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has joined ##openvpn 15:30 < Carlos_Tico> !route 15:30 < vpnHelper> Carlos_Tico: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:32 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has quit [Client Quit] 15:51 < plaerzen> haha. Drunk at lunch. 15:52 < reiffert> "Cannot see the network" - "Follow the cable at the back of your PC" 16:12 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 16:20 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 16:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:10 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has joined ##openvpn 17:10 < Carlos_Tico> anyone here ? 17:11 < Carlos_Tico> anyone here ? 17:45 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has quit [] 18:08 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has joined ##openvpn 18:14 < _impuls> !redirect 18:14 < vpnHelper> _impuls: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
18:15 < _impuls> !ipforward 18:15 < vpnHelper> _impuls: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 18:15 < _impuls> !linipforward 18:15 < vpnHelper> _impuls: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 18:15 < _impuls> !nat 18:15 < vpnHelper> _impuls: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 18:16 < _impuls> !linnat 18:16 < vpnHelper> _impuls: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 18:19 -!- youngpro [n=pro@teamaustralia.net.au] has quit [Read error: 60 (Operation timed out)] 18:20 < _impuls> !route 18:20 < vpnHelper> _impuls: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 18:22 < Dougy> Anyone need any kind of hostings? 18:42 < _impuls> I have a routing problem within my very simple openvpn/client constellation I tried to fix for 2 days now. 18:43 < _impuls> If someone could take a look at my config for a minute and give me some advice... 
18:43 < _impuls> http://loos.stoerimpuls.net/random/openvpn/ 18:43 < vpnHelper> Title: Index of /random/openvpn (at loos.stoerimpuls.net) 18:57 < krzie> _impuls, strip the comments from the config 18:57 < krzie> like here: 18:57 < krzie> !configs 18:57 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:57 < Dougy> hey krzie :] 18:57 < krzie> sup soug 18:57 < krzie> doug 18:57 < Dougy> nada 18:57 < Dougy> trying to sell vps's man 18:58 < krzie> good luck 18:58 < krzie> over-saturated market 18:58 < Dougy> yes it is 18:58 < Dougy> to an exten 18:58 < Dougy> t 18:58 < Dougy> manageable though 18:58 < krzie> then even when you get a bunch of customers, the work vs income ratio is fucked up 18:59 < Dougy> not true either 18:59 < krzie> oh ya? 18:59 < Dougy> yea 18:59 < Dougy> i have about $500/mo coming in off on my node 19:00 < Dougy> maybe.. 5 tickets a month? 19:00 < krzie> ok well thats much better than what i normally hear about 19:01 < _impuls> krzie: done ;) 19:01 < krzie> you're saying you profit $500/mo from selling vps's? 
19:01 < _impuls> could you pls have a look at it again 19:01 < Dougy> no krzie not yet 19:01 < Dougy> i profit about 275 19:01 < Dougy> can prob fit another 50/mo worth on this current box 19:02 < Dougy> then back into the red i go 19:02 < krzie> _impuls where is 192.168.1.0 19:02 < _impuls> this is my clients - my home network 19:02 < krzie> $275/mo is not enough for me to setup a business 19:02 < _impuls> 10.10.1.0 is my tun0 on the server 19:03 < Dougy> krzie, it isnt 19:03 < Dougy> but 19:03 < Dougy> when it takes me about 2 hours of man power per month that isnt setting up new orders 19:03 < Dougy> just 2 hours tech 19:03 < Dougy> $275/month is doable :) 19:03 < krzie> _impuls are there other clients that will access the home network when logged into the vpn? 19:04 < _impuls> well, i want to use it as an inet traffic gateway at uni/other wifis 19:04 < krzie> ok... 19:04 < _impuls> so, its just gonna be me really 19:04 < krzie> so what exactly is the problem? 19:05 < _impuls> well, I cant get anything through 19:05 < krzie> when the client connects 19:05 < krzie> can he ping 10.10.1.1? 19:05 < _impuls> no ping from the client to anything behind the server 19:05 < _impuls> I can ping the servers tun 19:05 < _impuls> 10.10.0.1 19:05 < _impuls> but nothing behind it 19:05 < _impuls> no traceroute - none 19:05 < krzie> you didnt say there was a lan behind the server... 19:06 < _impuls> Nah, misunderstanding 19:06 < _impuls> I mean the inet could 19:06 < _impuls> *cloud 19:06 < krzie> linux? 
19:06 < _impuls> yes 19:06 < _impuls> both 19:07 < krzie> !linipforward 19:07 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:07 < krzie> !linnat 19:07 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:07 < _impuls> did everything 19:07 < krzie> evidently not 19:07 < _impuls> did everything ;) 19:07 < krzie> if you had ip forwarding enabled, and NAT correctly setup for your vpn network, it would work ;] 19:07 < _impuls> heh 19:07 < _impuls> just reassured it as I came in the channel 19:08 < krzie> also 19:08 < krzie> !tcp 19:08 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:08 < _impuls> oh 19:08 < krzie> thats not causing your problem 19:08 < krzie> but its something good to know 19:09 < krzie> also, is the server able to reach machines on the 192.168.1.0 LAN? 19:09 < _impuls> well, I'd use UD, but you know how funny the fw rules on a wifi router sometimes can be 19:09 < krzie> another thing you will wanna know is that when you are connecting from the outside world, and want to reach the 192.168.1.0 lan, if you are on that same subnet your routing will get fubar 19:09 < krzie> UD=? 19:10 < _impuls> P 19:10 < krzie> it always worked for me 19:10 < krzie> even behind cheapo wifi routers 19:10 < krzie> but thats upto you, just wanted to make you aware of that 19:11 < _impuls> thx 19:11 < krzie> paste your iptables rules, im no linux guy but ill take a glance 19:12 < _impuls> oh for christs sake... 
apparently I can only ping either machines through tun0 if I have push redirect gateway DISabled 19:12 < _impuls> driving me nuts 19:12 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 19:13 < _impuls> already wasted a couple of hours on this... bah 19:13 < _impuls> gimme a sec for the tables... 19:19 < _impuls> okay, there is nothing in there besides iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 19:19 < _impuls> btw - reason I couldn't ping it was because of a firewall checking crontab script... 19:20 < _impuls> disregard that... 19:21 < _impuls> http://loos.stoerimpuls.net/random/openvpn/iptables-client+server 19:23 < _impuls> krzie: so, status quo - both nodes are able to connect through tun0 ips - both ways, but NOT server to 192.168.1.0 19:23 < krzie> lol 19:23 < krzie> <_impuls> okay, there is nothing in there besides iptables -t nat -A 19:23 < krzie> POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 19:23 < krzie> did you ever stop to think about what that rule means? 19:24 < krzie> and why it totally doesnt apply to you... 19:24 < _impuls> mate,I changed the IPs 19:24 < krzie> good 19:24 < krzie> (thats not what you said above) 19:24 < krzie> !linfw 19:24 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 19:25 < krzie> (also have the postrouting rule) 19:26 < krzie> oh wait a sec.. 19:26 < krzie> http://loos.stoerimpuls.net/random/openvpn/client-route 19:26 < krzie> that looks like you didnt have redirect-gateway 19:27 < _impuls> hmm... come again? 
19:27 < _impuls> the push redirect gateway is enabled atm 19:28 < Dougy> hm 19:28 < Dougy> what are some other cool channels on here worth hanging out in? 19:29 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:31 < _impuls> krzie: It does look a lot like a simple error in the routing tables to me... 19:31 < krzie> *shrug* depends what you're into dougy 19:31 < _impuls> just cant figure out whats wrong.. 19:31 < krzie> _impuls update the client.route after connecting with redirect gateway 19:32 < _impuls> just for the record, why is he trying to route to 10.10.1.5 if the client has .6 and the server .1 ? 19:32 < krzie> !/30 19:32 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 19:33 < krzie> its because you are using topology net30 19:33 < krzie> as explained in detail above 19:33 < _impuls> thx... 19:33 < krzie> np 19:33 < Dougy> krzie: just some places to meet new and interesting people 19:34 < _impuls> (note to myself - take networking classes next semester) 19:34 < Dougy> anything *nix interests me 19:35 < _impuls> AD update the client.route after connecting with redirect gateway ... 19:35 < _impuls> I cant really follow you there 19:36 < _impuls> which entry to update... 19:37 < _impuls> OHA 19:38 < krzie> dougy, #freeswitch is a channel dedicated to the telephone software of the same name, if that interests you... 19:38 < krzie> its far superior to asterisk 19:38 < Dougy> hmm 19:38 < Dougy> i've never heard of 19:38 < krzie> you're prolly not hardcore into phones and whatnot 19:38 < Dougy> not even softcore into 19:38 < krzie> have you heard of metaswitch? 
19:39 < krzie> oh ya thats why then 19:39 < _impuls> http://loos.stoerimpuls.net/random/openvpn/syslog.new 19:39 < Dougy> so krzie 19:39 < Dougy> this guy is paying me $50 an hour to work on his server 19:39 < _impuls> MULTI: bad source address from client [192.168.1.3], packet dropped 19:39 < Dougy> (install csf firewall, compile php and apache, and secure /tmp, and install eaccelerator) 19:39 < Dougy> lol 19:39 < krzie> _impuls thats cause your ccd entry is in the wrong place 19:40 < krzie> !ccd 19:40 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 19:40 < _impuls> common name should be michael.. 19:40 < krzie> your common-name is michael.client.loos.stoerimpuls.net 19:40 < _impuls> oh 19:40 < krzie> maybe it SHOULD be, but you didnt make it that way 19:40 < _impuls> ;) 19:40 < krzie> also, are you using ipp.txt as an attempt to have static ips? 19:41 < _impuls> yeah 19:41 < krzie> !ipp 19:41 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 19:41 < _impuls> never worked though 19:42 < _impuls> aaha 19:43 < krzie> so fix that stuff 19:43 < krzie> then i want you to connect to the vpn, and show me the client log, and client routing table 19:43 < krzie> hell, server log too 19:44 < krzie> use verb 5 on both sides 19:44 < krzie> until we're done, then you can go back to a more reasonable verbosity when you're done troubleshooting 19:45 < _impuls> cool, working on it... 
19:46 < krzie> now remember when using static ips 19:46 < krzie> it MUST be .6 .10 .14 .18 etc 19:46 < _impuls> I just uncomment it for now... 19:46 < krzie> if you continue using net30 19:46 < krzie> uncomment it? 19:47 < _impuls> comment it 19:47 < krzie> ok 19:48 < Dougy> http://cgi.ebay.com/Supermicro-X7DVL-E-B-Intel-5000V-Dual-Xeon-Motherboard_W0QQitemZ120402439527QQcmdZViewItemQQptZLH_DefaultDomain_0?hash=item120402439527&_trksid=p3286.c0.m14&_trkparms=72%3A1205|66%3A2|65%3A12|39%3A1|240%3A1318|301%3A1|293%3A1|294%3A50 19:48 < vpnHelper> Title: Supermicro X7DVL-E-B Intel 5000V Dual Xeon Motherboard - eBay (item 120402439527 end time May-05-09 16:31:20 PDT) (at cgi.ebay.com) 19:48 < Dougy> hmmmmmmmmmmmmmmmmmmm 19:48 * Dougy scratches his chin interestedlyt 19:48 < Dougy> interestedly 19:48 < krzie> i dont think you can make interested an adverb by adding ly 19:49 < krzie> erronious! 19:49 < Dougy> ol 19:49 < Dougy> ok 19:49 < Dougy> s/interestedly/interested-like 19:51 < krzie> shit i was wrong anyways 19:51 < krzie> in·ter·est·ed (ntr-std, -tr--std, -t-rstd) 19:51 < krzie> adj. 19:51 < krzie> 1. Having or showing curiosity, fascination, or concern: I'm interested to hear about your family. 19:51 < krzie> 2. Possessing a right, claim, or stake: an interested party in the estate. See Usage Note at disinterested. 19:51 < krzie> inter·est·ed·ly adv. 19:51 < krzie> inter·est·ed·ness n. 19:51 < Dougy> hehehehehe 19:51 < Dougy> win 19:51 < krzie> you in fact CAN add ly on it 19:51 < krzie> sounds so wrong 19:52 < _impuls> http://loos.stoerimpuls.net/random/openvpn/syslog.server.new2 19:52 < _impuls> starting at minute 44/45 19:52 < _impuls> client is coming.. 19:54 < _impuls> http://loos.stoerimpuls.net/random/openvpn/syslog.client.new2 19:54 < _impuls> same issues like before 19:56 < _impuls> YOU LEGEND! 19:56 < _impuls> restarted openvpn 19:56 < _impuls> It works! 
19:56 < _impuls> thanks a lot mate 19:56 < krzie> yw =] 19:56 < _impuls> hehehehehe 19:57 < _impuls> aaaawesome 19:57 < _impuls> can't tell you how great - I spent a whole day on this shit 19:57 < _impuls> it was the common name thing, eh?! 19:57 < krzie> seems so 19:57 < krzie> for static... 19:57 < krzie> !static 19:57 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 19:58 < krzie> also if you wanna repost server/client configs i can tell you anything you're missing 20:00 < _impuls> !ccd 20:00 < vpnHelper> _impuls: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 20:00 < _impuls> !iporder 20:00 < vpnHelper> _impuls: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 20:01 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn 20:05 < _impuls> krzie: thanks again, I wont bother ya any longer. I think I can figure out the rest myself 20:05 < krzie> cool =] 20:05 < krzie> np 20:05 < _impuls> gnight guys! 20:05 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has left ##openvpn [] 20:12 < Dougy> krzie is the shit 20:12 < Dougy> (Y) 21:00 -!- troy is now known as troy- 21:03 -!- DJ_HaMsTa [n=woot@c-69-136-240-75.hsd1.nj.comcast.net] has joined ##openvpn 21:03 < DJ_HaMsTa> !howto 21:03 < vpnHelper> DJ_HaMsTa: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 21:04 < DJ_HaMsTa> would PPTP slow down my connection ? 21:07 -!- troy- is now known as troy 21:07 < Dougy> hey troy 21:11 -!- DJ_HaMsTa [n=woot@c-69-136-240-75.hsd1.nj.comcast.net] has quit [] 21:26 -!- troy is now known as troy- 21:48 -!- nemysis [n=nemysis@210-232.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 21:49 -!- nemysis [n=nemysis@93-144.3-85.cust.bluewin.ch] has joined ##openvpn 21:52 < krzie> would PPTP slow down my connection ? 21:52 < krzie> !notopenvpn 21:53 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 22:15 -!- tjz [n=tjz@bb116-15-38-124.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 22:38 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:55 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has joined ##openvpn 22:56 < Dougy> its tjz 22:59 < tjz> hey dougy ^_^ 22:59 < tjz> looong time no see you 22:59 < tjz> :) 22:59 < Dougy> hey hey 22:59 < Dougy> sup? 23:00 < tjz> doing great =) 23:00 < tjz> How are you doing? 23:01 < Dougy> So so 23:01 < Dougy> still got that openvz vps? 23:01 < tjz> hahaha 23:01 < tjz> yea 23:01 < Dougy> word 23:01 < Dougy> where from? 23:01 < tjz> got it working long time ago 23:01 < tjz> oh 23:01 < tjz> it is on my own hardware node 23:01 < tjz> hehe 23:01 < tjz> just keep playing around 23:02 < tjz> hehe 23:14 -!- Gnewt [n=vector@207.115.69.54] has quit [Connection timed out] 23:17 < krzee> has anyone here used PAM auth in 2.1? 23:21 < tjz> cool 23:22 < tjz> haven'try but look interesting to add another security layer 23:22 < tjz> i mean authentication layer.. 
23:24 < Dougy> bed soon 23:24 < Dougy> krzee 23:24 < Dougy> i love people who pay me $50/hour to do easy shit 23:24 < Dougy> > * Install/update eAccelerator 23:24 < Dougy> > * MySQL 5.0 23:24 < Dougy> > * Change SSH port (also configure APF as necessary) 23:24 < Dougy> > * Add wheel user and disable direct root login over SSH 23:24 < Dougy> like that 23:24 < tjz> dougy, i want the $$ 23:24 < tjz> omg 23:24 < tjz> good $$ 23:24 < krzee> dougy, some guy from here gave me $30 to help him with openvpn via msg versus free in the channel 23:24 < tjz> $$_$$ 23:25 < krzee> (was very cool of him) 23:25 < tjz> ($$)_($$) 23:25 < tjz> lol 23:25 < Dougy> nice 23:25 < Dougy> tits with dollar signs 23:25 < Dougy> win 23:26 < tjz> hahaha 23:30 < tjz> lunchie time 23:30 < tjz> :) 23:30 < tjz> *yum* *yum* 23:31 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 23:40 < Dougy> i hate you, libxml, i hate you. 23:50 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] --- Day changed Sat Apr 25 2009 00:02 < tjz> lool 01:01 < reiffert> talking about -devel? 
01:38 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 01:53 -!- gallatin [n=gallatin@dslb-092-073-124-237.pools.arcor-ip.net] has joined ##OpenVPN 02:04 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 02:20 -!- albech [n=albech@119.42.76.130] has quit ["Leaving"] 02:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 02:48 -!- rubydiam_ [n=rubydiam@123.236.183.220] has joined ##openvpn 02:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 03:10 -!- rubydiam_ [n=rubydiam@123.236.183.220] has quit [Success] 03:29 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:10 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 04:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 04:33 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn 04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 05:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out] 05:21 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 05:37 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 06:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:06 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 07:06 < Dougy> hey al 07:06 < Dougy> l 07:11 -!- gallatin [n=gallatin@dslb-092-073-124-237.pools.arcor-ip.net] has quit ["Client exiting"] 07:13 < Bushmills> 'morning Dougy 07:14 < Dougy> Hey dood 07:14 < Dougy> What's up? 
07:21 * Dougy pokes Bushmills 07:32 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 07:36 < Bushmills> felt sympathetic for your greeting, and nobody greeting back 07:36 < Bushmills> can be frustrating 07:40 < tjz> lol 07:41 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 07:43 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Client Quit] 07:49 < Dougy> lol 07:49 < Dougy> nah im used to it 07:49 < Dougy> hmmm 07:49 < Dougy> what local businesses can i go bother to buy web hosting from me... 07:52 < Bushmills> Dougy, try ultra on #physics, he was in specific need of a service 07:53 < Dougy> you got it 07:53 < Dougy> does he know you? 07:53 < Bushmills> no, unless he doesn't ignore my occasional comments there 07:54 < Dougy> oh 07:54 < Dougy> any idea what he was in need of 07:54 < Bushmills> yes. his provider has cut access to a voip server 07:55 < Dougy> ah 07:55 < Dougy> #physics oh lord 07:55 * Dougy 's brain will melt 07:56 < Bushmills> ventrilo, it was. max 8 users 07:59 -!- Optic [n=ndfraser@miso.capybara.org] has left ##openvpn [] 08:54 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 09:00 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 09:13 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 09:18 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn 09:20 < fixxxermet> I am attempting to build a key for a second client, but the .crt file that is created has a size of 0. A .csr file is also created (which wasn't the last time that I did this)? 
09:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 09:56 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 09:56 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 09:56 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 09:56 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has joined ##openvpn 09:59 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has joined ##openvpn 10:15 < [4-tea-2]> fixxxermet: using easy_rsa? 10:18 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 10:52 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection] 11:02 < fixxxermet> [4-tea-2]: yes sir 11:03 < [4-tea-2]> Did you remember to source ./vars again? (just guessing) 11:07 -!- Roman123 [n=Roman123@128.131.70.150] has left ##openvpn ["Vegetarians don't live longer, they just look older!"] 11:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:40 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn 12:10 -!- isox [n=dacurmud@209.144.31.10] has quit [Remote closed the connection] 12:10 -!- isox [n=dacurmud@rvd1901f0a.sprocketnetworks.com] has joined ##openvpn 12:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 12:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 13:15 -!- onoes [n=gokusv@96.57.117.26] has joined ##openvpn 13:24 < onoes> I just installed openvpn on this windows box, but I see no icon to launch it in the tray 13:27 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 13:30 < Bushmills> !howto 13:30 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 13:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 13:37 < Bushmills> /bindkey ctrl-alt-H "!howto\n" 13:37 < Bushmills> oops 13:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:53 -!- _impuls [n=MRD@gateway.theta.stoerimpuls.net] has joined ##openvpn 13:54 < _impuls> !topology 13:54 < vpnHelper> _impuls: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 13:55 < _impuls> !redirect 13:55 < vpnHelper> _impuls: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:55 < _impuls> !ipforward 13:55 < vpnHelper> _impuls: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 13:55 < _impuls> !nat 13:55 < vpnHelper> _impuls: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 13:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:01 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit ["leaving"] 14:07 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 14:10 -!- onoes [n=gokusv@96.57.117.26] has quit [Read error: 60 (Operation timed out)] 14:32 -!- _impuls [n=MRD@gateway.theta.stoerimpuls.net] has quit [Read error: 110 (Connection timed out)] 14:39 -!- david_G [n=dave@modemcable064.248-203-24.mc.videotron.ca] has joined ##openvpn 
14:40 < david_G> anybody can help me with client-disconnect option of openvpn? 14:42 < david_G> the script is not executed when my client disconnect ... but client-connect script exit(0) ... 14:42 < david_G> like said in the man page 14:44 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 14:45 < david_G> ? 14:47 -!- david_G [n=dave@modemcable064.248-203-24.mc.videotron.ca] has quit ["leaving"] 15:07 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has quit [Remote closed the connection] 15:41 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit ["Leaving"] 16:32 -!- joejax [n=joejax@70-4-230-207.pools.spcsdns.net] has joined ##openvpn 16:32 -!- evilGary [i=gary@freenode/staff/colchester-lug.gary] has joined ##openvpn 16:33 -!- joejax [n=joejax@70-4-230-207.pools.spcsdns.net] has quit [Client Quit] 16:33 -!- evilGary [i=gary@freenode/staff/colchester-lug.gary] has left ##openvpn [] 17:34 < krzie> !logs 17:34 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 17:34 < krzie> oops 17:34 < krzie> !irclogs 17:34 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 
17:38 < krzie> !route 17:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:58 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 18:50 -!- nemysis [n=nemysis@93-144.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 18:51 -!- nemysis [n=nemysis@100-190.3-85.cust.bluewin.ch] has joined ##openvpn 19:14 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has quit ["Leaving."] 19:44 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:57 -!- nemysis [n=nemysis@100-190.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 19:58 -!- nemysis [n=nemysis@218-123.3-85.cust.bluewin.ch] has joined ##openvpn 19:59 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Read error: 110 (Connection timed out)] 20:23 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 20:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 21:33 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has quit [] 21:33 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 21:33 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 22:32 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn 22:32 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has quit [Client Quit] 22:32 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 23:30 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 23:30 < Dougy> heyo 23:59 < theDoc> http://www.youtube.com/watch?v=9BxNJRxGbgE&feature=related 23:59 < theDoc> :) 23:59 < vpnHelper> Title: YouTube - Discovery Channel - I Love the World (with lyrics) (at www.youtube.com) --- Day changed Sun Apr 26 2009 00:16 -!- 
theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn 00:32 < pekster> Hmm, !redirect isn't quite correct with the requirement of NAT if public IPs are used for VPN clients, but I suppose anyone doing that probably isn't using the bot for advice :P 00:34 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 00:38 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 60 (Operation timed out)] 00:41 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 01:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 02:33 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 03:37 -!- xerxes [n=xerxes@BAG3da4.bag.pppool.de] has joined ##openvpn 03:40 < xerxes> please help, i have no idea what a vpn is...what is it good for? 03:42 < theDoc> It's for cuddles :) 03:43 < xerxes> haha 03:44 < xerxes> my boss said, he will not give me an account to his machine, but with a vpn 03:49 < theDoc> What a fucking douchebag. 03:49 < theDoc> You can't connect to that machine unless you have an account on it. 03:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:51 < xerxes> yeah..i know...so i need some sort of vpn...the only thing i know is openvpn is a vpn 03:52 < theDoc> xerxes: Once again, having a vpn doesn't grant you access to any machine 03:53 < xerxes> so he did a joke on me? 03:53 < xerxes> aw 03:53 < theDoc> I don't know but for sure, a vpn doesn't grant you access to any machine. 03:54 < xerxes> hm...im out of ideas 05:06 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)] 05:08 -!- xerxes [n=xerxes@BAG3da4.bag.pppool.de] has quit [Read error: 104 (Connection reset by peer)] 05:23 -!- dar__ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has joined ##openvpn 05:23 < dar__> elo! 05:23 < dar__> i m looking for a way to set a passphrase on client's private key ? 
05:23 < dar__> i can't find any way to do that 05:26 < dar__> !redirect 05:26 < vpnHelper> dar__: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 05:32 -!- dar__ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has quit [Read error: 113 (No route to host)] 06:28 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 06:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:43 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 07:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 07:47 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn 08:10 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"] 08:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 08:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Client Quit] 08:15 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 08:32 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 08:32 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 08:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)] 08:50 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 09:12 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 09:24 -!- Optic [n=ndfraser@miso.capybara.org] has joined ##openvpn 09:26 -!- Optic [n=ndfraser@miso.capybara.org] has left ##openvpn [] 09:29 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 09:30 < theDoc> Anyone in? 
09:30 < theDoc> wtb some help 09:30 < theDoc> :) 09:38 < reiffert> 16:37 -!- Irssi: ##openvpn: Total of 55 nicks [0 ops, 0 halfops, 0 voices, 55 normal] 09:38 * theDoc has some issues with openvpn on the linux box 09:38 < theDoc> :9 10:06 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 10:14 -!- zooko [n=user@nooxie.zooko.com] has joined ##openvpn 11:09 < pekster> theDoc: What kind of issues? 11:13 < theDoc> pekster> not sure why the openvpn server isn't pushing routes to my nix client machine. 11:13 < theDoc> everything isn't tunneling via the vpn at all even though i'm connected. 11:14 < pekster> theDoc: Does the client you want routes pushed to include the 'client' or 'pull' directive? 11:15 < pekster> Also, if you want "everything" tunneled via the VPN, you'll probably be wanting the 'redirect-gateway' option, optionally with the 'def1' parameter which adds giant /1 routes instead of replacing the default gateway 11:16 < theDoc> pekster> the config works fine on my winxp box 11:16 < theDoc> just not on the nix. 11:17 < pekster> You're not using something odd like a route-noexec option or something, right? Care to pastebin the config? 11:18 < pekster> Or route-nopull, which doesn't pull routes :) 11:20 < theDoc> pekster> i just got this nix box working, i just did an apt-get install openvpn and well, i haven't gone though any config files at the moment. everything was done via gui. 11:21 < pekster> I tried networkmanager once, and it sucked at doing sane things with OpenVPN. 
If you can get it working with a config file and connecting with some variation of 'openvpn --config /path/to/config' then you need to get the GUI to act correctly 11:22 < theDoc> hmm 11:22 < theDoc> I'll take a look at it 11:23 < pekster> I have a coworker that got networkmanager working finally for our company VPN, but he had to do some poking at the gconf settings for the application; I don't have more specifics than that since I just use config files where I can tell what's happening 11:25 < theDoc> pekster> don't fret it, i'm just enjoying the whole nix thing now 11:25 < theDoc> :p 11:25 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 11:25 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 11:57 -!- markus__ [n=markus@anonym.vpntunnel.se] has joined ##openvpn 12:06 -!- markus__ [n=markus@anonym.vpntunnel.se] has quit ["Lost terminal"] 12:08 -!- zooko [n=user@nooxie.zooko.com] has quit [Remote closed the connection] 12:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:15 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has joined ##openvpn 12:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 13:47 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has quit ["~"] 14:02 -!- rjd [n=rjd@sigkill.se] has joined ##openvpn 14:02 < rjd> !route 14:02 < vpnHelper> rjd: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:03 -!- _niko [n=OMGZboob@niko-niko.co.uk] has joined ##openvpn 14:04 < rjd> If openvpn clients shouldn't be able to talk to each other, do I have to divide each client into a different subnet? 14:04 < rjd> Tried with iptables rules, both in table nat and filter but can't prevent them from communicating. Is that not possible as long as they're on the same network segment? 
14:07 < _niko> !howto 14:07 < vpnHelper> _niko: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:07 < _niko> !redirect 14:07 < vpnHelper> _niko: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 14:08 < reiffert> rjd: --client-to-client 14:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:12 < rjd> thanks 14:13 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 14:13 < Dougy> Heyh 14:13 < Dougy> krzie: there>? 14:15 < _niko> !nat 14:15 < vpnHelper> _niko: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 14:17 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [] 14:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success] 14:20 < krzee> Dougy, !ask 14:21 -!- rubydiam_ [n=rubydiam@123.236.183.138] has joined ##openvpn 14:22 < _niko> !linnat 14:22 < vpnHelper> _niko: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 14:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:23 < Dougy> krzee: haha 14:23 < Dougy> freebsd is pissin gme off 14:35 < krzee> dougy, would you like to rephrase your complaint in the form of a question? 
14:35 < krzee> :-p 14:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 14:38 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 14:42 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn 14:42 < Dougy> krzee: nah 14:42 < Dougy> im just formatting the box 14:42 < Dougy> fuck the customer 14:42 < krzee> wow 14:42 < krzee> remind me to shop with you 14:43 < krzee> o_O 14:43 < Dougy> well 14:43 < Dougy> he told me i could 14:43 < Dougy> i told him i could dig around but its not likely to fix 14:43 < Dougy> so i told him im taking backups which i am and then format 14:45 < Dougy> w00t 14:45 * Dougy is selling a server 14:45 < Dougy> krzee: wanna buy an amd opt? 14:45 < Dougy> : 14:45 < Dougy> :P 15:22 -!- rjd [n=rjd@sigkill.se] has left ##openvpn [] 15:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 16:00 -!- rubydiam_ [n=rubydiam@123.236.183.138] has quit ["Leaving..."] 16:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:21 -!- Timpa88_ [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 16:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 16:33 -!- Timpa [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)] 16:47 -!- Timpa [n=timpa@193.13.142.180] has joined ##openvpn 17:05 -!- Timpa88_ [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)] 17:12 -!- chrisbray [n=chris@92-235-81-218.cable.ubr06.brom.blueyonder.co.uk] has joined ##openvpn 17:12 -!- Timpa [n=timpa@193.13.142.180] has quit [Read error: 110 (Connection timed out)] 17:14 < chrisbray> Hi guys, I've got openvpn working great, remote access is perfect, but can anyone help me with setting up an openvpn filter in syslog so openvpn's logging goes to /var/log/openvpn rather than 
/var/log/messages? I've tried "!openvpn\n *.* /var/log/openvpn" but it seems to go to both for some reason :( 17:20 -!- Timpa88 [n=timpa2@193.13.142.180] has joined ##openvpn 17:21 -!- Timpa88 [n=timpa2@193.13.142.180] has quit [Client Quit] 17:23 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 17:27 < krzie> 1sec 17:27 < krzie> !man 17:27 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 17:29 < krzie> --log file 17:29 < krzie> Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be truncated. This option takes effect immediately when it is parsed in the command line and will supercede syslog output if --daemon or --inetd is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart. 17:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:31 < krzie> thats 1 way, by avoiding syslog all together 17:31 < chrisbray> krzie: I can't just use syslog with a localX facility and then use the syslog features for piping and sending to a remote machine etc? 17:32 < chrisbray> It'd be nice if I could have it alert the syslog on my desktop when I had a login etc.. 17:32 < krzie> im sure you can, but i was just offering something inside openvpn 17:32 < krzie> your question might be better answered in a linux help chan im thinking 17:33 < krzie> although im sure if someone here knows offhand they'd be happy to share 17:33 < chrisbray> Do you know what facility code OpenVPN uses when it writes to the syslog? 17:34 < chrisbray> I can't seem to find an option to set it anywhere. 
17:35 < krzie> no idea 17:35 < Dougy> :\wget/exit 17:35 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit ["leaving"] 17:37 < chrisbray> More investigation I think! Thanks for your help :) 17:37 < krzie> np 17:38 < krzie> although i think maybe putting syslogd in debug mode could help you figure out what facility its using 17:40 < krzie> oh no not debug mode, verbose mode 17:40 < krzie> -v Verbose logging. If specified once, the numeric facility and 17:40 < krzie> priority are logged with each locally-written message. If speci- 17:40 < krzie> fied more than once, the names of the facility and priority are 17:40 < krzie> logged with each locally-written message. 17:41 < krzie> so running syslogd with -vv will make it print logs with facility name 17:41 < krzie> note, im looking at syslogd in freebsd, ymmv 17:48 -!- onoes [n=gokusv@pool-98-109-202-70.nwrknj.fios.verizon.net] has joined ##openvpn 17:57 -!- nemysis [n=nemysis@218-123.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 17:58 -!- nemysis [n=nemysis@109-34.3-85.cust.bluewin.ch] has joined ##openvpn 18:03 < _niko> iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to 18:03 < _niko> sorry about that 18:04 < _niko> keep right clicking thinking i am in ubuntu =[ 18:04 -!- chrisbray [n=chris@92-235-81-218.cable.ubr06.brom.blueyonder.co.uk] has quit ["leaving"] 18:10 -!- onoes [n=gokusv@pool-98-109-202-70.nwrknj.fios.verizon.net] has quit [Read error: 54 (Connection reset by peer)] 18:30 < troy-> is there an openvpn client for blackberry? 18:30 < krzie> does it run windows mobile? 18:30 < troy-> mm nope 18:31 < krzie> then not that i know of, ecrist would likely know for sure, he runs a bb theme site 18:31 < troy-> thanks 18:32 < krzie> yw 18:34 < _niko> I finally concede, I really didnt want to ask here until i felt i really tried. 
I am having trouble with the traffic forwarding part of setting up my vpn, I tried the iptables command found in the howto with no result 18:34 < krzie> !redirect 18:34 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 18:35 < krzie> thats what you're talking about _niko 18:35 < krzie> ? 18:35 < _niko> yeah 18:35 < _niko> I went through that stuff earlier though 18:36 < krzie> !configs 18:36 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:39 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 18:42 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 18:46 < _niko> http://pastebin.com/m32aec1a6 18:47 < krzie> !tcp 18:47 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 18:47 < krzie> not your problem, but something you wanna know 18:47 < _niko> ok 18:48 < krzie> i see a couple other things you should be doing, but ill save that for after 18:48 < krzie> people always start crying when i tell them how to make their vpn better before i help them solve their immediate problem 18:48 < krzie> !logs 18:48 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 18:49 < krzie> also, i see you're using 2.1_rc7 18:49 < krzie> rc7 has known issues, we're at rc15 now 18:51 < _niko> Ok, that was the version from apt, i forget they are not always up to date 18:52 < krzie> while i wait for the logs, are you using ipp.txt as an attempt to have static ips? 
18:52 < _niko> I think so 18:53 < krzie> !ipp 18:53 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 18:53 < _niko> oh ok, I'm not actually bothered about having a static ip or not 18:53 < krzie> ok 18:54 < _niko> where can I find the logs? 18:55 < krzie> if you are putting it in the background with daemon command, it'll be going through syslog 18:56 < _niko> ok 18:56 < krzie> oh i see you dont have daemon in the configs 18:56 < krzie> you let it run in the foreground? 18:56 < krzie> or you add --daemon on commandline? 18:58 < _niko> no i didnt add --daemon but it was running in the background on the server, I have found them though 18:58 < krzie> howd you background it without --daemon? 19:01 < _niko> to be honest i dont know. As far as im aware openvpn is running when the server starts 19:02 < krzie> ahh your os's stuff must add --daemon 19:03 < _niko> um, Im not sure where the logs for a connection start in this file 19:03 < krzie> stop openvpn 19:03 < krzie> on both sides 19:04 < krzie> verb 6 19:04 < krzie> then start it 19:04 < krzie> after connection is 100% finished, pastebin both logs 19:04 < _niko> ok 19:11 < _niko> do you want these logs in separate pastebins? 19:13 < _niko> http://pastebin.com/m6fd864e5 19:14 < _niko> here they are all in one big pastebin 19:18 < krzie> ok that looks good 19:18 < krzie> so after you connect 19:19 < krzie> can client ping 10.8.0.1? 19:19 < _niko> yes 19:19 < krzie> can it ping 209.85.171.100? 
19:20 < _niko> i can try 19:21 < _niko> no 19:21 < krzie> !linnat 19:21 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:21 < krzie> pastebin a dump of your iptables rules? 19:21 < krzie> also, double check ip forwarding is eanbled 19:21 < krzie> enabled 19:23 < _niko> i have no iptables rules anymore apart from the one placed in by iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 19:23 < krzie> !linfw 19:23 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 19:24 < krzie> so iptables is set to that above, along with the NAT command 19:24 < krzie> right? 19:24 < _niko> and Ip forwarding is on, at least that is what sysctl.conf tells me 19:24 < _niko> yes 19:24 -!- galen [n=galen@c-24-20-185-90.hsd1.wa.comcast.net] has joined ##openvpn 19:24 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn 19:25 < galen> Under ideal situations, how much latency is added when going through an OpenVPN tunnel? 19:25 < krzie> !linipforward 19:25 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:25 < krzie> _niko: cat /proc/sys/net/ipv4/ip_forward 19:25 < krzie> if its 1, its enabled 19:26 < krzie> galen, no idea... 
but i can tell you that you can make it best by using UDP and checking mtu with --mtutest 19:26 < krzie> !mtu 19:26 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 19:26 < krzie> --mtu-test i mean 19:26 < _niko> i get permission denied even with sudo 19:26 < galen> krzie: i was hoping for some indications before i went too far down with testing 19:26 < galen> i agree, udp is best 19:26 < krzie> the manual agrees as well 19:26 < krzie> !tcp 19:26 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:28 < krzie> _niko, thats very weird 19:28 < _niko> it is, I did uncomment the line in sysctl.conf for ip forwarding and the server has been rebooted since then 19:28 < krzie> if you're root you should have access to * 19:29 < galen> krzie: i was just hoping for some useful reference values 19:29 < _niko> i will try it as su 19:29 < krzie> galen, i know you were 19:29 < galen> and yes, tcp on tcp sucks. i know this personally. 19:29 < krzie> the other thing that can come into play is which cipher you use 19:29 < krzie> by default its blowfish 19:30 < krzie> reference values, i have none 19:30 < krzie> oh and cpu usage obviously comes into play as well 19:32 < _niko> i tried the echo 1 >.... 
as root 19:32 < _niko> and nothing was echoed 19:32 < krzie> i didnt say to echo anything 19:33 < krzie> _niko: cat /proc/sys/net/ipv4/ip_forward 19:33 < _niko> oh cat 19:33 < _niko> sorry 19:34 < _niko> yeah 19:34 < _niko> 1 19:41 < krzie> ya that echo command you entered set it to 1 even if it wasnt 19:41 < krzie> double check you still cant ping that ip i said 19:41 < _niko> Krzie: I can ping 209.85.171.100 19:41 < _niko> just tried it 19:41 < _niko> and it happened 19:41 < krzie> ok 19:41 < krzie> so now ping google.com 19:41 < krzie> lets make sure dns is working... 19:42 < _niko> nothing 19:42 < krzie> grep nameserver /etc/resolv.conf 19:43 < _niko> grep nameserver /etc/resolv.conf 19:43 < _niko> nameserver 212.13.194.71 19:43 < _niko> nameserver 212.13.194.96 19:43 < krzie> host google.com 19:44 < _niko> ? 19:44 < krzie> type that 19:44 < _niko> command not found 19:44 < krzie> umm 19:44 < krzie> the command host wasnt found? 19:44 < Timpa88> krzie: can you do a lookup for me ? please? host skalet.org 19:45 < krzie> skalet.org has address 193.13.142.180 19:45 < krzie> skalet.org mail is handled by 10 mail.skalet.org. 19:45 < Timpa88> thanks 19:45 < Timpa88> :) 19:45 < _niko> that what it said 19:45 < Timpa88> does http://193.13.142.180/ works for you? or www.skalet.org? 19:45 < _niko> paul@niko-niko:~$ host google.com 19:45 < _niko> -bash: host: command not found 19:45 < krzie> weird 19:45 < krzie> gentoo? 19:45 < _niko> ubuntu 19:46 < Timpa88> in ubuntu it should be there :S 19:46 < _niko> i will see if i can install it 19:46 < _niko> paul@niko-niko:~$ host google.com 19:46 < _niko> google.com A 74.125.45.100 19:46 < _niko> google.com A 74.125.67.100 19:46 < _niko> google.com A 209.85.171.100 19:46 < Timpa88> correct 19:47 < krzie> _niko, but you cant ping google.com? 
19:48 < _niko> um, was i meant to be doing this on the client :o 19:48 < Timpa88> krzie: if i have vpn on my server, and the ip is "193.13.142.180" and using nat routing on that machine too with shorewall .. why cant i surf into 193.13.142.180 but i can ping it? 19:48 < krzie> yes niko 19:48 < _niko> bugger 19:48 < _niko> the client is win 19:50 < _niko> i can ping the ip 209.85.171.100 but not google.com and im not sure about the dns stuff for win 19:55 < krzie> when i had you grep for nameservers, was it on client? 19:55 < _niko> no 19:55 < _niko> that was the server 19:56 < krzie> should be on client 19:57 < _niko> I'm not sure how to do something like that on win 19:57 < krzie> well, figure out what your NS is set to 19:57 < krzie> i believe ipconfig/all 19:59 < _niko> would it be the dns servers part? 19:59 < krzie> right 20:00 < _niko> DNS servers : 160.5.41.1 - 4 20:00 < krzie> try changing it to 4.2.2.1 20:03 < _niko> sorry, did you mean the dns ips from the physical network adapter or from the tap-win32 adapter? 20:03 < krzie> dude 20:04 < krzie> just make your windows computer use 4.2.2.1 as its nameserver 20:04 < krzie> i dont even use windows, i cant walk you through changing its settings 20:05 < _niko> ok, will find out how. 
20:05 < krzie> !dns 20:05 < vpnHelper> krzie: "dns" is Level3 open recursive DNS server at 4.2.2.1 20:06 < _niko> ok i have 20:07 < krzie> now stuff works =] 20:09 < krzie> your problem after we got the ip pinging was that your NS could only be reached while connected via your ISP 20:09 < krzie> so when tunneling to the server out to the net DNS couldnt work 20:09 < krzie> now you changed it to an open recursive NS, everything should be up and running 20:20 < _niko> :0 20:20 < _niko> it does work 20:20 < _niko> dude i think i love you, i have spent too long trying to do this 20:20 < _niko> thank you 20:21 < krzie> yw 20:22 < _niko> there are a few things i still dont understand but i think i will do some reading on that 20:22 < krzie> you interested in knowing what you should add? 20:22 < krzie> for added security.. 20:23 < krzie> well im gunna head out, if you wanna know what i was gunna say see !mitm and !hmac 20:24 < _niko> Ok then 20:24 < _niko> Thank you 20:24 < krzie> yw 20:24 < _niko> !mitm 20:24 < vpnHelper> _niko: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 20:25 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Read error: 110 (Connection timed out)] 20:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:55 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 21:36 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 21:42 < ecrist> sub bitches? 
21:42 < onats> lol 21:43 < onats> morning 22:46 < tjz> lol 22:59 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 23:08 -!- _niko [n=OMGZboob@niko-niko.co.uk] has left ##openvpn [] 23:31 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 23:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 23:50 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn --- Day changed Mon Apr 27 2009 00:03 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)] 00:05 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 00:13 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 01:27 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 01:30 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 02:02 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 02:05 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 02:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:44 < krzee> !route 02:44 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:49 -!- galen [n=galen@c-24-20-185-90.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 03:05 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 03:26 -!- ThoMe [i=tm@tm.muc.de] has quit ["leaving"] 03:26 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)] 03:32 -!- rashed2020_ [n=admin@67.205.245.208] has quit [] 04:05 -!- row [i=row@who.br0ke.me.uk] has quit [] 04:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:15 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 04:21 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn 04:21 < mattock> Hi guys, I tried to find a solution 
from the new and old OpenVPN sites and the mailing list archives, but didn't find anything concrete... I hope you can provide an answer to a few simple questions... 04:21 < mattock> is OpenVPN entirely GPLv2-licensed? Or are there proprietary/dual-licensed (GPL+closed source) components in it? Also, what would I do if I wanted to contribute documentation or code to the project? 04:22 < Coke> Quick question: I'm thinking about using a bridged network to connect two offices separated by a wan (internet). My plan is to use 192.168.1. for the host net and 192.168.2. for the branch office, is this a recommended setup? 04:22 < mattock> I'm trying to figure out how to open the project to "external" developers 04:24 < theDoc> Coke> what subnet mask are you using? 04:26 < Coke> theDoc: 255.255.255.0 04:26 < Coke> theDoc: I'm guessing I could do with like /16 04:26 < theDoc> Coke> sure you can 04:26 < Coke> theDoc: but why? 04:26 < Coke> It's not like the C-nets are scarce on 192.168 04:27 < theDoc> Coke> Depends on your subnet scheme no? 04:27 < Coke> theDoc: there's none at the moment. 04:28 < Coke> theDoc: actually, I'm reading the docs now about bridging, seems that my branch office could connect to the same net? 04:29 < Coke> maybe even get an ip from the 192.168.1 network dhcp? 04:29 < Coke> i.e no need for two different subnets at all 04:30 < Coke> Hm, the FAQ pretty much answered me already 04:48 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn 04:53 < reiffert> I run two dhcp servers on each side. 04:53 < reiffert> and I'm filtering out dhcp request from the wrong side of the net to prevent trouble. 04:53 < Coke> reiffert: sounds overly complicated 04:53 < Coke> but it will give you some redundancy when the connection is severed 04:54 < reiffert> It allows people to work even when the connection is down. 04:54 < Coke> yes 04:56 < reiffert> Coke: whats your OS openvpn is running on? 
04:56 < Coke> reiffert: archlinux 04:56 < Coke> and Debian 04:56 < Coke> I could add some iptable rules to prevent broadcasts for dhcp leases perhaps 04:57 < reiffert> hamburg:~# ebtables -L 04:57 < reiffert> Bridge table: filter 04:57 < reiffert> Bridge chain: INPUT, entries: 2, policy: ACCEPT 04:57 < reiffert> -p IPv4 -i tap1 --ip-proto udp --ip-sport 67 -j DROP 04:57 < reiffert> -p IPv4 -i tap1 --ip-proto udp --ip-sport 68 -j DROP 04:57 < reiffert> Bridge chain: FORWARD, entries: 0, policy: ACCEPT 04:57 < reiffert> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT 04:58 < Coke> so, just blocking udp 67 and 68 is enough? 04:59 < reiffert> with ebtables, yes. 04:59 < Coke> ebtables?? 04:59 < reiffert> yes. 04:59 < Coke> I'm using iptables, but the syntax looks similar 05:00 < reiffert> Once you start reading about ebtables is and what it does, you'll soon get an idea. 05:02 < Coke> reiffert: it's for bridge interfaces only? 05:07 < reiffert> http://ebtables.sourceforge.net/ 05:07 < vpnHelper> Title: ebtables (at ebtables.sourceforge.net) 05:08 < Alagar> hi i have deleted one folder with shift key . is any tools available to recover that folder. iam using Recovery Active Undelete RAID v5.5 but iam not able to findout that folder. i have deleted now only. iam using windows xp pro. sp2 05:09 < reiffert> Alagar: This irc channel is about openvpn. 
05:10 < Alagar> reiffert: sorry 05:16 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 05:36 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)] 05:36 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 05:36 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:46 -!- Timpa88 [n=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 06:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 06:01 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn 06:12 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Nick collision from services.] 06:12 -!- Timpa88_ [n=timpa@193.13.142.180] has joined ##openvpn 06:12 -!- Timpa88_ [n=timpa@193.13.142.180] has quit [Remote closed the connection] 06:13 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn 06:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:29 -!- zxcvop1 [n=Admin@120.28.148.175] has joined ##openvpn 06:31 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 06:38 -!- zxcvop1 [n=Admin@120.28.148.175] has quit [Connection reset by peer] 06:39 -!- zxcvop1 [n=Admin@120.28.148.175] has joined ##openvpn 06:39 -!- zxcvop1 [n=Admin@120.28.148.175] has left ##openvpn [] 06:40 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has quit [Read error: 110 (Connection timed out)] 06:46 -!- clau30 [n=clau@91.11.40.115] has joined ##openvpn 06:46 < clau30> hi.. how can I connect to a openvpn server using no authentication? 
06:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 06:49 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 06:57 -!- Deffie_ [n=Deffie@mail.nectarine.info] has joined ##openvpn 07:02 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 113 (No route to host)] 07:05 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 07:09 -!- clau30 [n=clau@91.11.40.115] has quit [Remote closed the connection] 07:09 -!- zxcvop [n=Admin@120.28.148.175] has joined ##openvpn 07:09 -!- clau30 [n=clau@91.11.40.115] has joined ##openvpn 07:10 -!- sniffersp [n=sniffers@200-201-138-22.static.spo.ifx.net.br] has joined ##openvpn 07:12 < sniffersp> help 07:12 < sniffersp> my openvpn error 07:12 < sniffersp> Authenticate/Decrypt packet error: cipher final failed 07:13 < sniffersp> 07:13 < sniffersp> good day, can someone help me with this error? "Authenticate / Decrypt packet error: cipher final failed" 07:18 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [Read error: 110 (Connection timed out)] 07:19 < dazo> sniffersp: please ... have a look at the topic of the channel .... We need !logs and !configs and maybe !interface 07:19 < dazo> !logs 07:19 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 07:19 < clau30> !howto 07:19 < vpnHelper> clau30: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:21 < sniffersp> http://de.pastebin.ca/1404789 07:21 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 07:26 -!- theDoc [n=andelyx@bb116-15-84-168.singnet.com.sg] has joined ##openvpn 07:27 < sniffersp> :(:( 07:28 < sniffersp> dazo, help-me please 07:29 < dazo> sniffersp: let me guess ... you've not read your logfile carefully .... have you? 07:29 < dazo> sniffersp: you have 4 warnings .... 
and one of them states: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC' 07:29 < dazo> sniffersp: fix those 4 warnings, and you might have it working 07:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Remote closed the connection] 07:33 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 07:38 < sniffersp> :( 07:39 -!- zxcvop [n=Admin@120.28.148.175] has left ##openvpn [] 07:42 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Remote closed the connection] 07:46 -!- theDoc [n=andelyx@bb116-15-84-168.singnet.com.sg] has joined ##openvpn 07:49 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has quit ["Lost terminal"] 07:51 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 07:51 -!- theDoc [n=andelyx@bb116-15-84-168.singnet.com.sg] has joined ##openvpn 07:56 < reiffert> link-mtu > 1500 doesnt make much sense. 07:56 < reiffert> I'd remove that. 07:57 < theDoc> Indeed. 07:58 * theDoc bounces. 07:58 < clau30> bounce, bounce 07:58 < theDoc> bounce, bounce bounce! 07:58 < theDoc> I wish someone would code a console based msn client. 07:58 < theDoc> :) 07:58 < reiffert> !kick 07:59 < vpnHelper> reiffert: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 07:59 < theDoc> That would be fun. 08:00 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn 08:00 < ecrist> good morning 08:00 -!- pekster is now known as Guest92433 08:00 < theDoc> hey ecrist ;D 08:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:55 -!- clau30 [n=clau@91.11.40.115] has quit [Remote closed the connection] 09:13 -!- marcus_ [n=Marcus@03741-1.kunden.mk-netzdienste.de] has joined ##openvpn 09:16 < marcus_> hi all. 
i have set up multiple openvpn server configurations with different udp ports and tun adapters. in the 'server ...' string i have also defined different ip ranges. 09:17 < marcus_> but all clients seem to receive the server route address from the first config in alphabetic order 09:24 < [4-tea-2]> marcus_: how is that possible if they connect to a different port which is served by a ovpn instance with a dedicated configuration? 09:27 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:28 -!- nemysis [n=nemysis@109-34.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 09:29 -!- nemysis [n=nemysis@71-81.106-92.cust.bluewin.ch] has joined ##openvpn 09:32 -!- c64zottel [n=hans@p5B17B289.dip0.t-ipconnect.de] has joined ##openvpn 09:33 < marcus_> [4-tea-2], that's what i wonder, too. i am going to prepare a past so maybe you could take a look at it. mom 09:35 -!- zxcvop [n=Admin@120.28.148.175] has joined ##openvpn 09:36 < marcus_> lan2lan: http://pastebin.centos.org/25886 09:36 < marcus_> i am working with ccd files btw. 
09:38 < marcus_> and here the roardwarrior.conf: http://pastebin.centos.org/25889 09:39 < marcus_> the route that is pushed to the rw: 10.9.0.1 255.255.255.255 10.10.2.1 10.10.2.2 30 09:44 -!- sniffersp [n=sniffers@200-201-138-22.static.spo.ifx.net.br] has quit ["Saindo"] 09:47 -!- carpe_ is now known as plaerzen 09:48 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 09:49 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 09:50 -!- zxcvop [n=Admin@120.28.148.175] has left ##openvpn [] 09:54 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Read error: 113 (No route to host)] 09:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:59 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection] 10:02 -!- zxcvop [n=Admin@120.28.148.175] has joined ##openvpn 10:04 -!- zxcvop [n=Admin@120.28.148.175] has left ##openvpn [] 10:21 -!- nemysis [n=nemysis@71-81.106-92.cust.bluewin.ch] has quit [Connection timed out] 10:22 -!- nemysis [n=nemysis@163-66.3-85.cust.bluewin.ch] has joined ##openvpn 10:28 -!- marcus_ [n=Marcus@03741-1.kunden.mk-netzdienste.de] has quit ["Leaving"] 10:35 < ecrist> ping krzie 10:45 -!- pawpro [n=Miranda@host86-147-6-91.range86-147.btcentralplus.com] has joined ##openvpn 10:46 < pawpro> hello everybody. What is whichopensslcnf? I'm getting problems sourcing vars setting up openvpn 2.1rc7 on openbsd4.4 10:46 < ecrist> first, upgrade to 2.1rc15 10:47 < pawpro> thanks ecrist. Do you by any chance know where to get a tgz package for openbsd for it? 10:48 < ecrist> nope, sorry. 10:58 -!- nemysis [n=nemysis@163-66.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 10:59 < karlpinc> pawpro : It's in ports. 11:00 < karlpinc> pawpro : (Although maybe not the version you want.) 11:01 < karlpinc> pawpro : The good thing about ports are that they tend to work with the OS version you're using. 
11:11 -!- victor- [n=victor@rrcs-71-41-16-46.sw.biz.rr.com] has joined ##openvpn 11:11 < victor-> if I have two openvpn servers, will openvpn client cycle through indefinitely? or will it stop at the last server in the list? 11:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:19 < ecrist> victor-: depends on if you have retry-infinite in the config 11:20 < victor-> ecrist: is that the same as 'resolv-retry infinite' ? i thought that only applies to DNS names? 11:20 < victor-> what if it resolves but can't connect? 11:21 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 11:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"] 11:32 -!- bthesorceror [n=bthesorc@209.106.203.252] has joined ##openvpn 11:34 -!- nemysis [n=nemysis@109-178.3-85.cust.bluewin.ch] has joined ##openvpn 11:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:53 < ecrist> victor-: it's the same, it's not just DNS, it's connections, too 11:55 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn 11:56 -!- nemysis [n=nemysis@109-178.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 11:56 < Improv> Hey all - if I've started an openvpn instance but not given it a specific interfacename (e.g. tun rather than tun3), is there a good way to figure out what it took? 11:57 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has joined ##openvpn 11:57 < bragon> Hi 11:57 < bragon> i'm reading the FAQ 11:58 < bragon> In the documentation we could read : 11:58 < bragon> The VPN carrier connection must currently use IPv4 endpoints, however there's a patch which can be found in the openvpn-devel archives which adds IPv6 support. This patch will probably be merged into the mainline post-2.0. 
11:58 < bragon> i want to know where i can find this patch please :) 11:58 < bragon> i want to setup a ipv6 only vpn, and i need to test that 11:59 < Improv> bragon: The FAQ says it can be found in the openvpn-devel archives 11:59 < bragon> i'm on it 11:59 < Improv> so if I were you I'd go poking around in there 11:59 < bragon> http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel 11:59 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net) 11:59 < bragon> it's the good place not ? 12:01 < Improv> bragon: Actually, I wonder if that's the --tun-ipv6 patch 12:02 < Improv> Ifso, OpenVPN 2.1 has it 12:02 < bragon> ok 12:02 < bragon> thanks 12:06 < ecrist> Improv: sure 12:06 < ecrist> figure out which IP you gave it. 12:08 < Improv> ecrist: If it's Layer2, it doesn't have an IP 12:11 < Improv> ecrist: I basically need a way to distinguish large numbers of layer2 OpenVPNs without assigning them interfaces 12:11 < Improv> (specific interfaces, I mean) 12:19 < krzee> then name them specially 12:20 < krzee> you can name the process specially with --daemon 12:20 < krzee> and i believe you can staticly make the interface with a diff name as well 12:21 < krzee> and large numbers of layer2 vpns sounds like a terrible setup personally... 12:23 < ecrist> don't listen to krzee. he's a bitch who still sips from his mother's teat. 12:23 < ecrist> :P 12:23 < Improv> krzee: aha, the --daemon advice is spot-on 12:23 < Improv> krzee: But ... I do need to know what interface a given openvpn took so I can know how to bridge it 12:24 < krzee> you specify that with --dev 12:25 < Improv> krzee: I don't want to specify, I want to know. 12:25 < ecrist> krzee, he doesn't want to do that. 12:25 < krzee> *shrug* if you specify you wont know? 
12:25 < ecrist> Improv: I'm curious as to why you don't want to assign it an interface number 12:25 < Improv> ecrist: Because I don't want to need to keep track of what interfaces I have already used 12:26 < krzee> and ecrist got it wrong, i actually sip from HIS mother's teat 12:26 < Improv> ecrist: I am gluing openvpn into a network testbed system called emulab - our openvpn server will dynamically allocate/teardown dozens of openvpns at a time 12:26 < krzee> Improv, create a wrapper which will make the interface for that specific openvpn instance, set openvpn config file to use it, andnstart openvpn 12:26 < krzee> oh god this again? 12:27 < Improv> ecrist: So I would prefer to let it pick an interface and let me know... 12:27 < krzee> didnt jjk on the maillist explain that openvpn is not what you want for this? 12:27 < ecrist> script it. 12:27 < Improv> krzee: He didn't exactly say that. 12:27 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 12:27 < ecrist> as krzee said, write a wrapper 12:28 * krzee bows out of the conversation 12:28 < Improv> I might do that... hmm 12:28 < ecrist> actually, iirc, tun/tap/gif tunnels are created with the PID that created them as part of the meta data 12:28 < ecrist> just pull that. 12:28 < krzee> hey thats correct 12:28 < krzee> good point 12:28 < ecrist> tun0: flags=8051 metric 0 mtu 1500 inet 172.30.1.89 --> 172.30.1.90 netmask 0xffffffff Opened by PID 999 12:29 < Improv> Oh... that's very nice. 12:30 < Improv> Yes, that will do nicely. 12:30 < Improv> Thanks for the hints. 
The --daemon and the ifconfig metadata will get me what I want 12:43 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:45 -!- nemysis [n=nemysis@89-14.3-85.cust.bluewin.ch] has joined ##openvpn 12:48 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 12:59 < bragon> ok 12:59 < bragon> i have ipv6 on my openvpn client 13:00 < bragon> but when i want to ping6 an host i have that in the server's log : 13:00 < bragon> Need IPv6 code in mroute_extract_addr_from_packet 13:00 < bragon> i google this issues but not a my answer 13:13 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has joined ##openvpn 13:13 < plazmacrow> hello@all 13:13 < plazmacrow> I've problems sending DNS-Server via tun-tunnel 13:14 < plazmacrow> I'm using gentoo (on both sides), and the "push dhcp"-option 13:15 < plazmacrow> but the dns-server isn't recognised :-( 13:15 < plazmacrow> any ideas? 13:15 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn 13:16 < Improv> plazmacrow: The clients don't get the dns-server you specify in their resolv.conf ? 13:18 < plazmacrow> Improv, thats correct. The specified DNS doesn't appear in the client-resolv.conf 13:22 < plazmacrow> the PUSH control message on the client-side is showing the specified options (including DNS-Server and domain) 13:24 < Improv> http://openvpn.net/archive/openvpn-users/2006-06/msg00097.html 13:24 < vpnHelper> Title: Re: [Openvpn-users] DNS push for Linux clients? (at openvpn.net) 13:24 < Improv> I wonder if that is still accurate 13:27 < ecrist> yes, it is. 13:29 < plazmacrow> ugh, that looks so dirty 13:30 < plazmacrow> but it seems to be the only way (beside using briding) 13:32 < Improv> plazmacrow: Getting married to OpenVPN seems a bit extreme. 13:33 < ecrist> o.O 13:34 < Improv> ecrist: Besides, because of gender issues, briding it might not be suitable for everyone. 13:35 < plazmacrow> ooops. 
typo - i meant "bridging" ;) 13:35 < ecrist> Improv: that depends on it's social acceptance in one's given region, and whether one likes to pitch or catch. 13:35 < Improv> plazmacrow: Aww.. it would've been a beautiful wedding 13:36 < Improv> Do you, plazmacrow, take OpenVPN to be your lawfully wedded bride, to configure and protect against unwanted signals, in sickness and in health... 13:36 < plazmacrow> LOL 13:36 < plazmacrow> Yes, I (try to) do ;) 13:37 < Improv> I now pronounce you man and VPN software. You may now kiss the bride 13:37 < Improv> ecrist: I bet you don't have a lot of weddings on this channel, eh? 13:45 < plazmacrow> okay, thank you guys. I still love OpenVPN ;) 13:45 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 13:49 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"] 13:55 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has left ##openvpn [] 14:01 -!- Schiz0|SD [i=schiz0@unaffiliated/schiz0] has joined ##openvpn 14:02 < Schiz0|SD> I'm having problems getting OpenVPN to give out static IPs. I added the client-config-dir to my config file, as well as created the dir. I created two files in there, "client1" and "client2" (which are the names in the ssl keys for those clients), but it's not giving out the proper IPs 14:03 < Schiz0|SD> I don't see "OPTIONS IMPORT: reading client specific options from ..." in my log files for openvpn, so it's not detecting the file or something? 14:11 < ecrist> !logs 14:11 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 14:24 < reiffert> Schiz0|SD: client1 is the Common Name of the certficate or just the CERT Filename? 
14:25 < Schiz0|SD> common name 14:25 < Schiz0|SD> sorry, was afk for a min 14:25 < reiffert> !configs 14:25 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:25 < Schiz0|SD> yeah, i made sure I used the common name for each one 14:27 < Schiz0|SD> actually, i just got it working. I chmod'd everything 666 and tried it, so it's gotta be a permissions/ownership problem somewhere 14:38 < Schiz0|SD> Hm, now I'm having a problem connecting the clients :-\ 14:40 < Schiz0|SD> http://pastebin.ca/1405251 14:41 < Schiz0|SD> Server is 10.8.4.1, client1 is 10.8.4.2, client2 is 10.8.4.3. (That's the setup that gives the connection errors) 14:42 < Schiz0|SD> I ran --show-valid-subnets but I didn't really understand it. I tried changing some numbers around in tnhe IP, but now neither client can connect, haha 14:46 < reiffert> !topology 14:46 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:46 < reiffert> !/30 14:46 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:47 < reiffert> Schiz0|SD: windows anywhere? 
14:47 < reiffert> !factoids search win 14:47 < vpnHelper> reiffert: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', and 'winnat' 14:47 < Schiz0|SD> both clients are windows, server is FreeBSD 14:47 < reiffert> Schiz0|SD: then you must change the topology to net30 14:47 < Schiz0|SD> ok, I'll look around and figure it out 14:47 < Schiz0|SD> Thanks 14:48 < reiffert> !net30 14:48 < vpnHelper> reiffert: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:22 -!- bthesorceror [n=bthesorc@209.106.203.252] has quit [] 15:27 < krzie> reiffert why does he need to use net30? 15:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 15:47 -!- adnc_ [n=numer@p54857A1D.dip.t-dialin.net] has joined ##openvpn 15:48 < adnc_> hello, i'm trying to set up openvpn on my openwrt and i do get 15:48 < adnc_> Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. 15:48 < krzie> !configs 15:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:48 < adnc_> http://pastebin.com/m19928305 15:49 < krzie> umm 15:49 < adnc_> with this config 15:49 < adnc_> what could be wrong? 
15:49 < krzie> ive never seen a config like this 15:49 < krzie> why all the extra stuff 15:49 < krzie> option etc etc 15:50 < adnc_> krzie: it is for openwrt 15:50 < krzie> weird 15:50 < krzie> i thought openwrt was basically a linux 15:50 < adnc_> yes, they manage it like this 15:50 < adnc_> krzie: ;) yes it is 15:51 < krzie> umm, ok 15:51 < krzie> heres what configs usually look like: 15:51 < krzie> !sample 15:51 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:52 < krzie> why are you using bridge mode? 15:52 < adnc_> krzie: i'm very new to vpn, i took this as an example 15:52 < adnc_> i'll have just a few users with me 15:52 < krzie> you plan on using any layer2 protocols?\ 15:52 < adnc_> no, not that below 15:53 < adnc_> application layer protocols would be enough for me 15:53 < krzie> layer3 (ip) 15:54 < adnc_> yes 15:54 < krzie> you want tun then 15:54 < krzie> take this as your new example: 15:54 < krzie> !sample 15:54 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:55 < krzie> wow 15:55 < adnc_> krzie: ok, let me try to handle it with your example 15:55 < krzie> does that really say verb 256!?!? 15:56 < adnc_> krzie: yes, i set it to 256 in the hope it would give me some more information, but it didnt at all 15:56 < krzie> no kidding 15:57 < krzie> --verb n 15:57 < krzie> Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output. 15:57 < krzie> 0 -- No output except fatal errors. 15:57 < krzie> 1 to 4 -- Normal usage range. 15:57 < krzie> 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets. 15:57 < krzie> 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels). 
15:57 < adnc_> ok, i understand 15:57 < adnc_> so 3 should be ok for the example i think 15:58 < adnc_> what does local mean? which ip address is this? 15:58 < krzie> the ip to bind to on the interface 15:59 < adnc_> what is the client-config-dir? 15:59 < krzie> !ccd 15:59 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 15:59 < krzie> you know theres a manual, right? 15:59 < krzie> !man 15:59 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:02 < Bushmills> as far nobody here has been called "weenie" for admitting to have read the manual 16:02 < Bushmills> afaik :D 16:02 < krzie> lol 16:02 < krzie> moin! 16:03 < Bushmills> moinmoin, mr krzie 16:04 < adnc_> i've no such key for tls-auth i generated with easy-rsa 16:04 < krzie> !hmac 16:04 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 16:04 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 16:06 < adnc_> krzie: this looks good! 16:06 < adnc_> Initialization Sequence Completed 16:06 < adnc_> now i need to configure i client 16:06 < krzie> and are there lans behind openvpn? 16:06 < adnc_> krzie: only one 16:07 < krzie> behind server or client 16:07 < adnc_> behind server 16:07 < krzie> and server is the router for that lan? 16:07 < adnc_> yes 16:07 < krzie> what is the subnet of that lan? 
16:07 < adnc_> 255.255.255.0 16:07 < krzie> thats the netmask... 16:08 < krzie> what is the ip the server sits on... 16:08 < adnc_> it is a simple class c, 192.168.1.x 16:08 < krzie> there we go 16:08 < krzie> 192.168.1.x 16:08 < krzie> push "route 192.168.1.0 255.255.255.0" 16:10 < krzie> (in the server config) 16:10 < adnc_> krzie: thank you 16:10 < krzie> since the client has the config option client, it implies --pull which makes all pushed config options work 16:10 < krzie> yw 16:19 < adnc_> krzie: i get on the client 16:19 < adnc_> TLS Error: cannot locate HMAC in incoming packet from 192.168.1.2:1194 16:20 < adnc_> have you got an idea what this could be caused from. i used the same ta.key file from the vpn server i generated there 16:20 < krzie> you need the EXACT same file on both sides 16:20 < adnc_> i do 16:20 < krzie> and server has 0, client has 1 16:20 -!- c64zottel [n=hans@p5B17B289.dip0.t-ipconnect.de] has quit ["Leaving."] 16:20 < adnc_> yes, can i somehow confirm this on the running openvpn server? 16:21 < krzie> no, you need access to both 16:21 < adnc_> since the config file is a bit different on the server, i wonder if there is a way to see it on the running openvpn 16:21 < adnc_> i do have access to both 16:22 < krzie> you restarted openvpn on both sides after modifying the configs... right? 16:22 < adnc_> krzie: yes i did 16:22 < adnc_> 192.168.1.102:40543 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 16:22 < adnc_> this is on the server 16:22 < adnc_> when i connect from my client 16:22 < adnc_> but my client is already connected to this server via wlan 16:22 < adnc_> and has an ip 16:23 < adnc_> i was hoping that it gets a second ip now 16:23 < krzie> they're on the same lan? 16:23 < adnc_> yes 16:23 < adnc_> is this a problem? 
16:23 < krzie> no, but coulda been mentioned earlier 16:23 < krzie> also a GREAT reason to not be bridging 16:23 < adnc_> i see, well i'm testing it, so normally i would use vpn when i'm not on the same lan 16:24 < krzie> !configs 16:24 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:24 < krzie> !logs 16:24 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:25 < adnc_> krzie: is there something i could do? 16:25 < adnc_> ok 16:27 < adnc_> http://pastebin.com/d74a0b0f7 16:27 < adnc_> krzie: hope this would help 16:27 < krzie> !logs 16:27 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:28 < adnc_> the client log is on the bottom, i'll add the server logs aswell 16:28 < krzie> btw 2.1rc_11 has known problems 16:28 < krzie> we use 2.1_rc15 now 16:28 < adnc_> 2.0.9 here 16:29 < krzie> # 16:29 < krzie> Mon Apr 27 23:26:51 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009 16:31 < adnc_> http://pastebin.com/d4ba867c1 16:31 < adnc_> this has server config, client config and also logs from server and client 16:33 < krzie> if openwrt is linux i dont get why it uses that f'ed up style config 16:33 < krzie> instead of a normal file 16:34 < adnc_> krzie: i can not change this and openwrt is well distributed open source router 16:34 < krzie> i am willing to bet it can run a normal config 16:34 < krzie> and im interested to see if you have the same issue when you do so 16:35 < adnc_> krzie: i could try to rewrite this config and start maybe bypass this config style 16:35 < krzie> just make the config look normal and start openvpn from commandline 16:35 < adnc_> ok 16:36 < adnc_> krzie: what format would the fiel 
then have, just simple line by line 16:36 < adnc_> without equals sign 16:36 < adnc_> like the config you gave me 16:36 < krzie> like the config i gave you 16:36 < krzie> which is also like the configs in the howto 16:36 < adnc_> ;) 16:36 < krzie> which is also like your client config 16:36 < krzie> which is also like every config on earth except your server :-p 16:37 < adnc_> hehe 16:37 < krzie> also, grab a md5 checksum of ta.key on both machines 16:37 < krzie> krzee@hemp:~> md5 rc.conf 16:37 < krzie> MD5 (rc.conf) = d425cb953a709296e5b8f88b7c69139d 16:37 < adnc_> krzie: it is really not my fault, if i would go to openwrt channel and start with this config, they would say, hold on, this looks much different 16:37 < krzie> they should be = 16:37 < krzie> cool, but i will only work at getting you up with openvpn 16:38 < adnc_> sure 16:38 < krzie> when that works you can go to them and see why their way doesnt work, if it doesnt 16:38 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 16:38 < adnc_> i somehow have the same feeling and believe that briding did also not work because of this 16:38 < adnc_> style of config 16:39 < krzie> bridging wouldnt have gone well while already on the same lan anyways 16:39 < krzie> you cant bridge a lan to itself 16:39 < adnc_> i understand 16:40 < krzie> ever plugged a switch into itself before? 
16:40 < adnc_> krzie: i had nothing in the client-config-dir 16:40 < krzie> then remove the config option 16:41 < adnc_> krzie: i understand your idea 16:42 < adnc_> ohh ohh 16:43 < adnc_> Cannot load private key file /etc/openvpn/wrt.key': error:02001002:lib(2):func(1):reason(2): error:20074002:lib(32):func(116):reason(2): error:140B0002:lib(20):func(176):reason(2) 16:43 < adnc_> Mon Apr 27 23:42:38 2009 us=705611 Error: private key password verification failed 16:43 < adnc_> when i start from the command line with --config server.conf 16:43 < adnc_> this key does not have a password 16:43 < krzie> you password protected your private key?? 16:43 < adnc_> no i didn't i left it empty 16:44 < krzie> well thats what the error points to 16:44 -!- pawpro [n=Miranda@host86-147-6-91.range86-147.btcentralplus.com] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"] 16:44 < adnc_> but with the openwrt stylish config this error didn't occure 16:46 < adnc_> when easy-rsa asks for password and i leave it empty, does it set an empty password or is the password not set at all 16:48 < krzie> which file did you run to make it in easy-rsa? 16:49 < krzie> im quite sure that the openwrt style config is for a wrapper, and not for starting it from commandline 16:49 < adnc_> build-key-server 16:50 < krzie> interesting 16:50 < krzie> well, if the ta.key copied correctly, my guess is that your openwrt style config isnt right 16:50 < adnc_> but i'm not using this anymore 16:51 < krzie> ild also be shocked if the push route command worked right on that style config 16:51 < krzie> paste the new config then 16:52 < adnc_> http://pastebin.com/d3fd11ab4 16:52 < krzie> you dont see anything wrong with the line with key in it? 16:53 < adnc_> ohh 16:53 < adnc_> i do 16:53 < adnc_> of course 16:53 < krzie> the line that openvpn told you it was having a problem in... 
16:53 < adnc_> ahhh 16:53 < adnc_> now the initialization is complete 16:54 < adnc_> i'll try using my client now 16:54 < adnc_> ahh 16:54 < adnc_> i think that does work 16:54 < adnc_> Mon Apr 27 23:54:20 2009 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] 16:54 < adnc_> Mon Apr 27 23:54:20 2009 Initialization Sequence Completed 16:55 < adnc_> this is normal i suppose 16:55 < krzie> ya if this isnt the real reason you're setting up the vpn ignore it 16:56 < krzie> if on the otherhand you were planning on securing your wifi with openvpn, we would have more to do 17:00 < adnc_> krzie: i thank you very very much 17:00 < adnc_> i need to get up early tomorrow otherwise i would have loved to do a bit more on openvpn 17:00 < krzie> yw 17:03 -!- adnc_ [n=numer@unaffiliated/adnc] has quit ["Lost terminal"] 17:04 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 17:12 -!- Lilarcor [n=Lilarcor@246.sub-97-22-98.myvzw.com] has joined ##openvpn 17:24 -!- Lilarcor [n=Lilarcor@246.sub-97-22-98.myvzw.com] has quit ["The Lord of Murder Shall Perish."] 17:35 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 17:36 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 17:36 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:42 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has quit [Connection timed out] 18:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:58 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 19:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)] 19:44 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 20:28 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:31 -!- 
Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."] 21:00 -!- nemysis [n=nemysis@89-14.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 21:01 -!- nemysis [n=nemysis@186-58.3-85.cust.bluewin.ch] has joined ##openvpn 21:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)] 22:00 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has joined ##openvpn 22:06 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 22:32 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 22:46 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 22:46 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 23:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 23:26 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has joined ##openvpn --- Day changed Tue Apr 28 2009 00:39 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 00:47 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 01:11 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn 01:13 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:40 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has joined ##openvpn 01:47 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has quit [Client Quit] 01:49 -!- Reisen [n=OMGZboob@niko-niko.co.uk] has joined ##openvpn 02:04 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 02:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["brb :)"] 02:48 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 02:55 -!- adnc [n=numer@141.41.40.146] has joined ##openvpn 03:00 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 03:03 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 03:32 -!- theDoc_ [n=andelyx@119.73.165.162] has 
joined ##openvpn 03:32 -!- theDoc_ is now known as theDoc- 03:41 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 03:52 -!- theDoc- is now known as theDoc 03:55 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has joined ##openvpn 04:03 -!- adnc [n=numer@141.41.40.146] has quit ["Lost terminal"] 04:08 -!- Reisen [n=OMGZboob@niko-niko.co.uk] has left ##openvpn [] 04:26 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn 04:29 < Coke> Can someone explain to me why a key and dh file are needed to get the certificate connection going? 04:30 < Coke> They are not needed when authenticating against web servers. 04:30 < Coke> And is there some "all-in-one-file" solution to openvpn clients with certs? 04:43 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 05:00 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has left ##openvpn [] 05:18 -!- zheng [n=zheng@222.66.224.110] has quit [Client Quit] 05:41 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 05:43 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 05:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:47 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has joined ##openvpn 05:47 < plazmacrow> hello@all 05:49 < plazmacrow> what is the reason for error "OpenVPN: Out of Memory"? I have enough free ram and hdd space. 
05:55 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has left ##openvpn [] 06:19 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, pa, plaerzen, ropetin, Alagar, onats_, karlpinc 06:21 -!- Netsplit over, joins: Alagar, onats_, ropetin, plaerzen, karlpinc, krzie, pa 06:50 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 06:58 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn 07:04 -!- theDoc [n=andelyx@bb116-15-1-233.singnet.com.sg] has joined ##openvpn 07:07 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Read error: 110 (Connection timed out)] 07:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:21 -!- zxcvop [n=Admin@222.127.187.183] has joined ##openvpn 07:22 < Coke> I see no errors or warnings, but then the client just exits with Connection reset, restarting [-1] 07:22 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn 07:22 < Coke> I've got verbosity up to 11 07:22 < Coke> server reveals VERIFY ERROR: depth=0, error=self signed certificate 07:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 07:23 < Coke> The certificate has been signed using my own ca cert, so it's not self signed. 07:25 -!- zxcvop [n=Admin@222.127.187.183] has left ##openvpn [] 07:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:32 < Coke> Can I turn whatever this option is off? 
07:42 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 07:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:56 < Coke> fuck it 07:56 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has quit ["Lost terminal"] 08:00 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)] 08:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:04 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has left ##openvpn [] 08:25 < ecrist> morning, folks 08:37 < onats_> good evening 08:38 -!- onats_ is now known as onats 08:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:13 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 09:22 < frankS2> Hi, i am trying to make some certificates, but it does not proceed, as described here: http://pastie.org/461172 09:22 < frankS2> I wonder if anyone knows how to fix this? 09:23 < frankS2> I am following this how-to http://www.freebsddiary.org/openvpn-easy-rsa.php 09:23 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org) 09:23 < plaerzen> morning ecrist 09:23 < ecrist> frankS2: you run freebsd? 09:23 < frankS2> yes sir 09:24 < ecrist> cd /usr/ports/security/ssl-admin && make install clean 09:24 < ecrist> copy/edit /usr/local/etc/ssl-admin/ssl-admin.conf accordingly, and enjoy 09:24 < ecrist> let me know if you run into any bugs, I wrote it. ;) 09:24 < frankS2> Oh, okay. thank you ecrist 09:24 < frankS2> hehe i will 09:25 < frankS2> installed now, im gonna start editing 09:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)] 09:33 < frankS2> ecrist: ive installed now, where can i find "create CA" under the menu? Does it have a different name?
09:35 < ecrist> lemme look at my verbiage 09:36 < ecrist> option CA 09:37 < frankS2> hm, i cant see it in the list 09:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 09:39 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 09:39 < frankS2> got it 09:40 < frankS2> *takes glasses on* 09:45 < frankS2> ecrist: what about "Create a client certificate" ? where can i find that 09:46 < ecrist> option 4 09:47 < ecrist> it's not only openvpn related app 09:49 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 09:56 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 10:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success] 10:10 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn 10:10 < straterra> My openvpn client seems to connect to the VPN server ok..but it just sits there with two VERIFY OK messages and never pushes any routes 10:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:11 < straterra> Oh..tls key negotiation failed :/ 10:11 < straterra> I copied the ta.key file from the server..its the exact same file :/ 10:20 < ecrist> I love people who answer their own questions. :) 10:22 < straterra> I'm just going to remake all of my keys.. 10:23 < straterra> DH generation FAIL 10:25 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has joined ##openvpn 10:25 < maninthemiddle> hi 10:25 < maninthemiddle> what options do i need in client.conf to make openvpn get its ip address automatically? 
10:25 < maninthemiddle> i assume server is configured correctly 10:26 < maninthemiddle> because it gives this message in log when i connect 10:26 < maninthemiddle> Tue Apr 28 18:18:52 2009 us=760538 MULTI: Learn: 10.30.90.6 -> forbit-afwbkbc/212.93.100.151:53758 10:26 < maninthemiddle> and if i then set ip address for tun0 on client to 10.30.90.6, and also add corresponding route, everything works 10:27 < maninthemiddle> but there should be a way for openvpn to do this automatically? 10:28 < maninthemiddle> both the server and client are linux boxes 10:33 -!- _impuls [n=MRD@pns-200-127.demo.tuwien.ac.at] has joined ##openvpn 10:34 < _impuls> hey guys! Quick question: how can I make openvpnd accept all source addresses in ccd/$common-name for a user? 10:35 < _impuls> would 0.0.0.0 do? 10:51 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: qknight 10:53 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn 10:54 < frankS2> Hi, i am not able to connect to my openvpn server, client and server logs are here: http://pastie.org/461287 anyone tell me what this means? 
10:58 < straterra> I dont understand why Diffie Hellman is so slow 10:58 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 10:58 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:07 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 11:07 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn 11:34 -!- Intensity [i=[5S34qXF@unaffiliated/intensity] has joined ##openvpn 11:38 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 11:38 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 11:47 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 11:52 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has quit [Read error: 110 (Connection timed out)] 11:55 -!- _impuls__ [n=MRD@pns-200-127.demo.tuwien.ac.at] has joined ##openvpn 11:56 -!- _impuls [n=MRD@pns-200-127.demo.tuwien.ac.at] has quit [Read error: 104 (Connection reset by peer)] 12:00 < _impuls__> hey guys! Quick question: how can I make openvpnd accept all source addresses in ccd/$common-name for a user? 12:10 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has joined ##openvpn 12:18 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has quit [":(){ :|:& };:"] 12:22 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:22 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has joined ##openvpn 12:23 < __8472> hi, i'm not sure if i fully understand the meaning of this "while non-Windows clients can accept them by using a client-side up script which parses the foreign_option_n environmental variable list" , from here http://openvpn.net/index.php/documentation/howto.html#dhcp 12:23 < vpnHelper> Title: HOWTO (at openvpn.net) 12:24 < __8472> what precisely should i set up with that "up" script? and where or how? 
12:24 < dazo> __8472: Check out the man page for --up 12:25 * dazo goes home 12:25 < __8472> dazo: i did, but still i'm not sure what should be set 12:35 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has quit ["Leaving"] 12:52 -!- _impuls__ [n=MRD@pns-200-127.demo.tuwien.ac.at] has quit ["Lost terminal"] 13:15 -!- Timpa88 [n=timpa@193.13.142.180] has left ##openvpn [] 13:16 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn 13:22 -!- _impuls_ [n=you@213.47.89.128] has joined ##openvpn 13:22 -!- Timpa88_ [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 13:22 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Nick collision from services.] 13:22 -!- Timpa88_ [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit] 13:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:54 < _impuls_> !howto 13:54 < vpnHelper> _impuls_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:54 < _impuls_> !route 13:54 < vpnHelper> _impuls_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:58 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 13:59 < _impuls_> Does still none know how to get the openvpnd to accept IPs from any local network [those which are not explicitly listed in ccd/$common-name]? 14:00 < _impuls_> Problem is, I get a class C IP at home, a class B at uni - - its likely to be different in any other (wifi) environment.
14:18 -!- ekristen [n=ekristen@68.33.133.72] has joined ##openvpn 14:19 < ekristen> I have the openvpn gui from openvpn.se downloaded, I am trying to vpn to my server vpn, is there a howto on which options I need to select 14:19 -!- straterra [n=straterr@projectstfu.com] has left ##openvpn [] 14:39 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has joined ##openvpn 14:44 -!- adnc [n=numer@unaffiliated/adnc] has joined ##openvpn 14:44 -!- ekristen [n=ekristen@68.33.133.72] has quit [] 15:12 < krzie> _impuls_ i dont fully understand the question... 15:12 < krzie> are you saying when at 1 location you have 1 lan behind the client to share, when at another you have a different lan behind the same client to share, and other locations you will be on random lan's with no lan to share? 15:19 < _impuls_> krzie: Hey man! 15:19 < _impuls_> Well, its not that I want to share anything behind my laptops 15:21 < _impuls_> I just can't get any traffic through if I'm i.e at Uni (where I get a 10.10.x.x) because I only got my home network (a 192.168.1.x) in my users ccd/michael.~ 15:22 < _impuls_> So it says the usual MULTI: bad source address from client, packet ... 15:23 < _impuls_> I know, I could put every net I use in the ccd and the push "route -etc-" in the server.conf... 15:23 < _impuls_> but that can't be the solution 15:23 < _impuls_> or is it..? 15:29 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 15:33 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 15:34 -!- _impuls [n=you@chello213047089128.17.14.vie.surfer.at] has joined ##openvpn 15:35 -!- _impuls_ [n=you@213.47.89.128] has quit [Client Quit] 15:52 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has joined ##openvpn 15:52 < Wofl> !howto 15:52 < vpnHelper> Wofl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:53 < Wofl> hey guys, i need a quick opinion.
15:53 < Wofl> I have a dd-wrt router, which i could use as an openvpn server 15:54 < Wofl> i also have an old desktop connected to the router, which i could also use as a server 15:54 < Wofl> what would be a better option? 15:54 < Wofl> the router would be right there on the interface, might be helpful to have it there 15:55 < Wofl> the desktop has more power in terms of cpu and ram and such (by a long shot), so i dunno 15:56 < ropetin> Wofl: how many users will you have connecting, and how much throughput are you expecting? 15:56 < Wofl> not very many users, mainly me with maybe 2-3 computers, plus a few servers on the local network 15:57 < ropetin> The local servers would connect to the VPN? Seems unusual :) 15:57 < Wofl> throughput should be at least capable of handling ssh/imap and a few others 15:57 < ropetin> However, in my experience if it's one or two concurrent, you'll be fine, otherwise you might run into a performance issue 15:58 < Wofl> well, what i need is a way to have my laptop be able to connect to my server from anywhere, local network or out in the world 15:58 < Wofl> the router or the server? 15:59 < Wofl> or what would be the best solution? 16:05 < ropetin> But the point of the VPN would be to bring your remote users/systems locally, so the local boxes don't need to connect to the VPN.
16:05 < ropetin> No matter, I'd say if you have the server available for it, use it 16:17 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.9/2009040821]"] 16:26 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has quit [Read error: 104 (Connection reset by peer)] 16:27 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has joined ##openvpn 16:44 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 16:45 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:55 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has quit [Read error: 104 (Connection reset by peer)] 16:56 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has joined ##openvpn 16:57 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has quit [Client Quit] 16:58 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:04 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has joined ##openvpn 17:05 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has left ##openvpn [] 17:05 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has joined ##openvpn 17:05 < scooby2> thats better 17:06 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Remote closed the connection] 17:06 < scooby2> Is there any type of idle timeout setting? For PCI compliance I need to kick idle people offline. 
17:06 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn 17:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:09 < scooby2> ahh, --inactive 17:09 < scooby2> maybe 17:10 -!- adnc [n=numer@unaffiliated/adnc] has quit ["leaving"] 17:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:21 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has quit ["Leaving."] 17:24 -!- lepine2 [n=lmacguir@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 17:25 < lepine2> Can a client publish its own local network to the rest of the vpn network? 17:26 < lepine2> i know there's a setting to tell the server that a client has such and such networks available, but will the rest of the clients know? 17:27 < lepine2> or because the VPN becomes the main route, does just adding the routes to client1's local subnet on the server make it work? The server knows the routes to that subnet, and because all traffic for client2 goes through the server, it will route appropriately? 17:28 < lepine2> sorry if that's not exactly clear 17:30 < krzie> no lepine 17:30 < krzie> and here is why: 17:30 < krzie> !iroute 17:30 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 17:31 < krzie> except on your last part of your question 17:31 < krzie> if you are using redirect-gateway, and dont have a more specific route set for the lan, and client-to-client is enabled, yes it will just work 17:32 < lepine2> i didn't completely understand the iroute factoid ... will re-read a few times ...
17:32 < krzie> but the server must know about the lans behind clients via an iroute or nothing will be able to access them 17:32 < lepine2> but yes, i am using redirect-gateway, and set no routes 17:32 < krzie> basically heres what it means 17:32 < krzie> iroute has nothing to do with the kernel routing table 17:32 < krzie> the kernel routing table tells the OS to send the packets to openvpn 17:32 < krzie> but since its a server it doesnt know which client has that LAN 17:32 < krzie> unless you have an iroute entry 17:33 < krzie> the iroute entry is the glue for that 17:33 < lepine2> that's what i was thinking, the client tells the server it has such subnet ... therefore, the server adds routing to those via the tun interface ... and because all other clients have all traffic go through the vpn, and can see other clients, it would work. 17:33 < krzie> thats not how it works 17:33 < krzie> it must be an iroute, it must be in a ccd entry 17:33 < krzie> openvpn isnt setup to allow clients to make changes on the server 17:33 < lepine2> re-reading ... 17:34 < krzie> only the server can make changes on the clients (assuming --client or --pull ) 17:34 < lepine2> yeah, i guess that would be a huge security risk ... iroute 0/0 kind of thing ... 17:35 < lepine2> so what does iroute do exactly? if it does not alter the servers routing table? 17:35 < lepine2> or am i still misunderstanding? 17:36 < lepine2> and is there more than one way to have the client tell the server 'i have such subnet behind me' ... 17:36 < krzie> it is internal to openvpn 17:36 < krzie> tells the server which client the lan belongs to 17:36 < krzie> since the kernel can only point a network to openvpn 17:37 < krzie> the OS kernel routing table cant point to tun0:clientname 17:37 < krzie> only tun0 17:37 < lepine2> ah! 17:37 < lepine2> gotcha 17:37 < krzie> then openvpn gets packets for 192.168.1.x and says WTF i dont have any clients with that ip! 
17:37 < krzie> but with the iroute, it does 17:38 < lepine2> alright, so the kernel routing table is not involved, but it comes down to about the same 17:38 < lepine2> openvpn is userspace, hence no kernel 17:38 < lepine2> wait, that wasn't sensical 17:38 < lepine2> *didn't make sebse 17:39 < lepine2> nm 17:39 < krzie> heh 17:39 < krzie> you're just confusing yourself now 17:40 < lepine2> is having a middle man (server) to connect a host to a network the best idea? considering the network (and vpn client) would be natted and no possibility of punching a hole (so can't run the server on the network) 17:40 < lepine2> would run the server on a routable host on the net 17:40 < lepine2> let the clients see each other and have an iroute 17:41 < krzie> if you have 2 machines which you cant open a port on, thats your only option 17:42 < lepine2> our windows admin barely knows IOS, and we have the ugliest router setup 17:43 < krzie> wtf is a windows admin doing running cisco routers!? 17:43 < krzie> smack the people who gave him that duty 17:43 < lepine2> we have one router and two switches, nothing worth spending a network admin on ... however, i would have paid for a decent consultant instead :-/ 17:43 < lepine2> oh, no worries, i'm sticking it to my bosses soon 17:44 < lepine2> are you a core developer? 17:45 < lepine2> you've been here helping every time i've chimed in 17:45 < krzie> nah no devs here 17:45 < lepine2> ah 17:45 < krzie> the ## in ##openvpn means its not directly related to the project 17:45 < lepine2> oh, right 17:45 < krzie> whereas channels with a single # are 17:45 < krzie> (here on freenode) 17:45 < lepine2> it's a question of endorsement i think 17:45 < krzie> something like that 17:46 < lepine2> Always wondered why so many projects wouldn't list the channel 17:46 < krzie> it was #openvpn before, but completely unmonitored and needed to be fixed 17:46 < lepine2> i mean, they don't have to vouch, or staff it ... just say it's there 17:46 < krzie> good question, no idea 17:47 < lepine2> that might bring quite a bit of people who don't bother reading the docs though 17:47 < krzie> we offered openvpn to use our forum and wiki in addition to us using #openvpn, they decided against it 17:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 17:47 < lepine2> "our forum" ? 17:47 < krzie> !forum 17:47 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 17:47 < krzie> !wiki 17:47 < lepine2> because there's some organization behind this channel? 17:47 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 17:47 < lepine2> ah! 17:47 < lepine2> cool 17:49 < lepine2> i guess it keeps interactions to a minimum, and makes the mailing list the only medium they have to monitor 17:49 < krzie> *shrug* we woulda been monitoring it 17:49 < lepine2> which isn't necessarily a bad thing 17:49 < krzie> like we currently do 17:49 < lepine2> right 17:50 < krzie> we only offered them to post it on their site to give people the option to seek help on it 17:50 < krzie> since their forum and wiki are no longer around 17:50 < lepine2> and even that they refused? 17:50 < lepine2> hmmm, that's a little fascist i think 17:50 < krzie> ya, they said they could run it instead, we didnt like that since they let their last ones die, we dont want it to die 17:51 < krzie> but it dont matter really, we'll help those that find us 17:51 < krzie> and the mail list is a GREAT place for help 17:51 < krzie> some really knowledgeable people on there 17:52 * lepine2 just learned openvpn was incorporated 18:06 < _impuls> krzie: do you think you have an idea how to fix that problem I wrote about above?
18:06 < krzie> i didnt fully catch what it was 18:06 < _impuls> from before: 18:07 < _impuls> I just can't get any traffic through if I'm i.e at Uni (where I get a 10.10.x.x) because I only got my home network (a 192.168.1.x) in my users ccd/michael.~ 18:07 < _impuls> So it says the usual MULTI: bad source address from client, packet ... 18:07 < _impuls> I know, I could put every net I use in the ccd and the push "route -etc-" in the server.conf... 18:07 < krzie> you shouldnt need a ccd entry unless you are sharing the lan 18:08 < krzie> you need to figure out why your OS is sending its source address as public ip instead of the IP on the interface it is sending out of 18:08 < krzie> and tell it to stop 18:09 < _impuls> so, if I remove the ccd, I still have the push "route ip netmask" in the server.conf 18:09 < _impuls> for my specific local lan Im connecting from 18:09 < _impuls> well, I'll give it a shot 18:10 < krzie> are you sharing any lans over vpn? 18:10 < _impuls> nope 18:11 < _impuls> I'm just using it as an Inet gateway 18:12 < _impuls> Apr 29 01:11:53 loos ovpn-server[19039]: michael.client.loos.stoerimpuls.net/213.47.89.128:44445 MULTI: bad source address from client [192.168.1.2], packet dropped 18:12 < krzie> then you dont need a push route or an iroute 18:13 < krzie> you need to figure out why your OS is sending its source address as 18:13 < krzie> public ip instead of the IP on the interface it is sending out of 18:13 < _impuls> After removing my ccd & push route 18:13 < krzie> and tell it to stop 18:13 < krzie> i already told you 18:13 < _impuls> fair enough... 18:13 < _impuls> its the same with my other laptops - weirdly enough 18:14 < _impuls> so I guess its maybe rather on the server side... ?
18:19 < krzie> negative 18:19 < krzie> the problem is your client is sending packets with external ip as its source address 18:19 < krzie> as opposed to the ip on the interface its going through 18:26 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:31 < _impuls> This is driving me nuts - I checked the clients config - seems to be okay according to several tutorials 18:33 < krzie> IT IS OK 18:33 < krzie> its an os issue, not openvpn 18:42 -!- nemysis [n=nemysis@186-58.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 18:43 -!- nemysis [n=nemysis@25-137.3-85.cust.bluewin.ch] has joined ##openvpn 18:43 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:43 < Dougy> heyo 18:51 < _impuls> Hmm. I think I might just throw together a script that parses the neglected IP out of the logs and throw it in the ccd 18:52 < krzie> or you could figure out why your os is sending the other interface's ip as its source address 18:52 < krzie> whatever makes you happy i guess 18:57 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, _impuls, isox, Intensity, krzie, qknight, M06w, dazo, disco-, youngpro, (+43 more, use /NETSPLIT to show all of them) 18:57 -!- Netsplit over, joins: frankS2, Dougy, nemysis, lepine2, Stevethe1irate, scooby2, _impuls, Kreg-Work, Intensity, floyd_n_milan (+43 more) 19:12 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 19:29 -!- _impuls [n=you@chello213047089128.17.14.vie.surfer.at] has quit [Read error: 104 (Connection reset by peer)] 19:30 < ecrist> evening, folks 19:31 < Dougy> hey 19:31 < Dougy> weren't you going away for a week? 19:31 -!- prop_ [n=dd@77.126.240.136] has joined ##openvpn 19:32 < ecrist> no, I went away for a weekend.
19:32 < Dougy> i misread then 19:32 < krzie> werrrrd 19:32 < Dougy> i thought you said week 19:32 < Dougy> not weekend 19:32 < prop_> !howto 19:32 < vpnHelper> prop_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 19:34 < krzie> recurring is where its at 19:34 < Dougy> wrong window krzie 19:34 < Dougy> :p 19:34 < krzie> lol 19:34 < krzie> forgot to re-do the /q 19:45 < prop_> hey, I'm a complete noob and I'm still reading to understand better, I just wanna make sure I'm on the right track: 19:46 < krzie> ... 19:46 < prop_> I have a laptop with XP, I would like to use Public hot-spot wifi places. (such as coffeeshops and malls) .. and I would like to keep my privacy by using a secured connection to a remote centos server of mine, for accessing anything web related (http/https/sftp/ftp/ssh/pop/smtp) 19:46 < krzie> !redirect 19:46 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 19:47 < Dougy> prop_: you could do that 19:47 < Dougy> route all traffic through 19:47 < Dougy> or install openvpn on the server and access the server via its LAN ip 19:47 < krzie> umm, i think you misread something dougy 19:48 < krzie> oh wait maybe i did 19:48 < prop_> is there a 'cleaner' way of accessing the bot? or I should start ! ! ! each of the suggestions? (/privmsg it?) 19:48 < Dougy> oh 19:48 < Dougy> prop_: do you want to just access that particular server securely 19:48 < krzie> prop_ are you trying to only access services on 1 specific server? 19:48 < Dougy> or route everything through that server so your outgoing traffic is encrypted 19:48 < Dougy> ? 19:48 < krzie> of the whole inet over the vpn 19:48 < prop_> no :) 19:48 < Dougy> no what 19:49 < Dougy> we are thinking two different things (krzie and i) 19:49 < krzie> whole inet or 1 server?
19:49 < prop_> I want to use my laptop "regularly" .. http .. https .. ftp sftp ssh mail and such ... but tunnel everything through a "secured" server?
19:49 < krzie> ok, what i thought
19:49 < krzie> !redirect
19:49 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:49 < Dougy> my fault then :<
19:49 < Dougy> what krzie says
19:49 < krzie> as for bot commands, theres some in the topic, the rest good luck finding on your own ;]
19:50 < prop_> ok, let me try to /privmsg the bot instead of flooding here :)
19:50 < krzie> good luck with that
19:50 < prop_> !def1
19:50 < vpnHelper> prop_: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:50 < ecrist> don't think the bot does pvmsg
19:50 < krzie> it does, but you need to know the syntax
19:50 < prop_> ecrist: apparently it won't for the same public commands :\
19:50 < krzie> (which i dont offhand)
19:51 < krzie> fine 1sec
19:51 < prop_> well if you guys don't mind I'll post these commands publicly, then ok :)
19:51 < prop_> !ipforward
19:51 < vpnHelper> prop_: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
19:51 < prop_> (getting interactive? :)
19:51 < krzie> [msg(vpnHelper)] factoids whatis ##openvpn def1
19:51 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] "def1" is (#1) used in
19:51 < krzie> redirect-gateway, Add the def1 flag to override the default gateway
19:52 < krzie> there you go, thats the syntax
19:52 < prop_> oh, thanks
19:52 < krzie> yw
19:52 < prop_> btw, my requirement is native to general 'vpn' usages? or there are 'other' more appropriate usages for a vpn in general?
19:53 < krzie> yours is 1 of the 3 most normal setups
19:54 < krzie> the other 2 would be a ptp link, and sharing lans with eachother over the vpn
19:54 < krzie> if it wasnt common i wouldnt have bothered to setup !redirect, that one was a PITA
19:54 < krzie> lol
19:55 < krzie> as you noticed when you typed !ipforward and it wanted you to choose between 3 options
19:55 < prop_> ic, as far as I could read .. the 'processing' concern is the same for both server and client? (mine is my laptop)
19:55 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
19:55 < krzie> processing as in CPU?
19:55 < prop_> krzie: yea, thats why I said as 'getting interactive' :)
19:55 < prop_> yes, CPU processing time/usage?
19:55 < krzie> ild expect so, they're encrypting and decrypting the same amount of packets
19:56 < krzie> for every packet one encrypts, the other decrypts, and vice versa
19:56 < prop_> (one would think encrypting will be much harsher.. but I guess my logic is flawed)
19:56 < krzie> maybe slight additional usage from server since it must also NAT and forward
19:56 < Dougy> krzie ya'll be ignorin mah pm
19:57 < krzie> oh were you waiting for a reply on something? lol
20:12 < Dougy> ahhahahahah
20:21 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"]
20:30 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:39 < prop_> I think that I might have wasted my time :)
20:39 < prop_> I'm using an OpenVZ account, last time I tried - I couldn't really modify anything "sysctl.conf" related
20:40 < prop_> so its pretty much a dead-end for me?
20:40 < krzie> you arent root?
20:41 < prop_> on the openvz account? yes
20:41 < krzie> dougy here can sell you a VPS that openvpn will work on
20:41 < prop_> but it seems that 'root' might not be enough for sysctl.conf?
20:41 < krzie> well if you're root you can enable ip forwarding
20:42 < Dougy> hahaha krzie
20:42 < Dougy> way to throw in a sales pitch for me
20:42 < krzie> ;]
20:42 < prop_> mm.. well it seems the 'setting' been accepted, not very sure how to make sure it really works ... I'll have to keep going and see where it gets me
20:42 < krzie> you in linux?
20:42 < Dougy> what setting in sysctl.conf did you change
20:42 < Dougy> prop_
20:42 < Dougy> ?
20:43 < prop_> Dougy: currently I tried manually assign 1 to /proc/sys/net/ipv4/ip_forward, and it kept it
20:43 < krzie> !linipforward
20:43 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
20:43 < Dougy> yeah
20:43 < Dougy> to think i just typed that whole thing out
20:43 < Dougy> and put it on my clipboard just in cse
20:43 < Dougy> case
20:43 < Dougy> for nothing
20:43 * Dougy suicides
20:43 < prop_> last time I tried to change my TCP stacks, it pretty much gave me permission denied
20:43 < krzie> lol
20:43 < prop_> heh :)
20:43 < Dougy> so krzie
20:43 < Dougy> can i count you in for sure?
20:43 < Dougy> like 100%
20:44 < krzie> yes
20:44 < prop_> (100% count on him? for what?.. a bank job? :)
20:44 < Dougy> shhhhhh
20:44 < krzie> as a customer
20:44 < Dougy> quiet
20:44 < krzie> hes a pimp, im gunna be buying my hoes from him
20:44 < Dougy> krzie pm again
20:45 < prop_> oh, ic
20:45 < krzie> jk he sells dedicated servers and VPSs
20:45 < prop_> he has a website? :)
20:46 < krzie> http://www.bergenhosting.com/dedicated.php
20:46 < vpnHelper> Title: Bergen Hosting (at www.bergenhosting.com)
20:46 < Dougy> thats the servers
20:53 < Dougy> :>
21:07 < theDoc> Say guys, anyone uses vim to code webpages? :)
21:08 < krzie> im sure some people do
21:09 -!- lepine2 [n=lmacguir@ip-70-38-54-219.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
21:09 < theDoc> I'm wondering if I should give that a go.
21:09 < theDoc> I'd have to err, figure out how to color code it all.
21:12 -!- lepine1 [n=lmacguir@74.59.36.93] has joined ##openvpn
21:17 -!- lepine [n=leprecha@70.38.54.219] has joined ##openvpn
21:19 < lepine> how does one have a client ignore the redirect-gateway directive?
21:19 < lepine> !redirect-gateway
21:19 < vpnHelper> lepine: Error: "redirect-gateway" is not a valid command.
21:19 < lepine> !redirect
21:19 < vpnHelper> lepine: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:19 < lepine> !def1
21:19 < vpnHelper> lepine: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:20 < krzie> theres a noroute or nopull directive, something like that
21:20 < krzie> check the manual
21:21 < lepine> reading
21:22 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
21:23 < lepine> success! route-nopull
21:29 < Dougy> theDoc
21:29 < Dougy> never
21:30 < theDoc> Wha?
21:32 < Dougy> Say guys, anyone uses vim to code webpages? :)
21:33 < theDoc> Oh, you don't.
21:33 < theDoc> Well, that's normal I guess.
21:33 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn
21:33 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Remote closed the connection]
22:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:06 < prop_> if I get: "cat: /dev/net/tun: Permission denied" .... it means its a deadend for me? (centos under openvz)
22:08 < theDoc> No, it simply means you don't have the permissions to be doing stuff to /dev/net/tun?
22:08 < prop_> well, due to the fact I'm under an openvz .. means nothing I can do about it?
22:09 < prop_> I can only assume this 'module' is mandatory for openvpn?
22:09 < theDoc> prop_: Sorry, no idea on openvz.
22:09 < theDoc> and yes, I think it's mandatory for openvpn.
22:09 < theDoc> I could be wrong on that
22:10 < prop_> ic, I guess I'll try to google some more, see if there are any known workarounds
22:11 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
22:19 -!- plaerzen [n=carpe@66.11.76.242] has joined ##openvpn
22:24 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
22:35 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"]
22:36 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
22:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"]
22:56 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
23:30 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
--- Day changed Wed Apr 29 2009
00:03 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
00:39 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
00:40 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
00:40 < onats1> hey
00:49 < onats1> is there a gui helper to connect/disconnect available for linux?
01:52 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
02:10 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
02:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:13 < dan__t> NetworkManager has an OpenVPN plugin.
02:14 < dan__t> Hey krzie, got a really weird one for you
02:14 < dan__t> So I'm going to specify multiple servers that a client will connect to, per their configuration file.
02:15 < dan__t> However I want to be able to tell the client which server to connect to - after already having connected to a server.
02:15 < dan__t> So the client connects to one of these servers, groovy. I then want to push another server directive, so the client disconnects and then connects to that server I just told it to reconnect to.
02:15 < dan__t> Is there anything like that?
02:17 < dan__t> Think of it as the server acting like an intermediary proxy or some shit
02:17 < dan__t> Client first connects to IT, then that server tells the client which server to actually reconnect to.
02:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
02:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
02:44 -!- deception [i=oc80z@root.servergirl.net] has joined ##openvpn
02:53 < dan__t> hmm
02:54 < dan__t> The problem being, I want to be able to SNAT IPs to clients using iptables hackery. However, some of those IPs might be on different machines etc etc.
03:01 < dan__t> And unfortunately I'm not able to do any kind of automated binding on the different machines etc etc
03:02 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
03:27 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
03:27 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
03:38 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
03:39 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn []
03:48 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 110 (Connection timed out)]
03:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
03:54 -!- prop__ [n=dd@77.126.240.136] has joined ##openvpn
03:56 -!- prop_ [n=dd@77.126.240.136] has quit [Read error: 104 (Connection reset by peer)]
04:15 -!- gmarselis [n=gmarseli@93.97.20.215] has joined ##openvpn
04:15 < gmarselis> hey guys
04:16 < gmarselis> question: does openvpn fire "events" during login and timeout/logout times?
04:23 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
04:35 -!- idk-nva [n=niels@80.127.101.10] has joined ##openvpn
04:40 -!- adnc [n=numer@unaffiliated/adnc] has joined ##openvpn
04:40 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
04:44 < gmarselis> yes there are
04:44 < gmarselis> --client-connect
04:44 < gmarselis> --client-disconnect
04:44 < gmarselis> i love you
04:45 -!- gmarselis [n=gmarseli@93.97.20.215] has left ##openvpn []
04:49 -!- idk-nva2 [n=niels@idk.xs4all.nl] has joined ##openvpn
04:58 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
05:00 -!- idk-nva [n=niels@80.127.101.10] has quit [Read error: 110 (Connection timed out)]
05:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:50 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has joined ##openvpn
06:05 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
06:11 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has quit ["Leaving."]
06:12 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn
06:13 < Coke> Quick question: what is the test done to match the server and client certificates? What is preventing someone from using any client certificate from the same CA and connect to my server?
06:14 < Coke> The client is currently testing for a proper server CN (using tls-remote), but can the reverse be done?
06:20 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has left ##openvpn []
06:46 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn
06:47 -!- mattock [n=mattock@195.236.127.254] has quit [Client Quit]
06:53 < prop__> if I get: "cat: /dev/net/tun: Permission denied" .... it means its a deadend for me? (centos under openvz)
06:53 < prop__> theres no workaround? 'tun' is mandatory?
07:03 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
07:09 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Remote closed the connection]
07:10 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn
07:22 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
07:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
07:30 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Read error: 104 (Connection reset by peer)]
07:31 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn
07:50 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
07:56 -!- adnc [n=numer@unaffiliated/adnc] has quit ["Lost terminal"]
07:58 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
07:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
08:19 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
08:42 -!- adnc [n=numer@unaffiliated/adnc] has joined ##openvpn
08:48 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)]
08:53 < adnc> !config
08:53 < vpnHelper> adnc: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
08:53 < adnc> !example
08:53 < vpnHelper> adnc: Error: "example" is not a valid command.
08:53 < adnc> !samples
08:53 < vpnHelper> adnc: Error: "samples" is not a valid command.
08:53 < adnc> !help
08:53 < vpnHelper> adnc: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
08:54 < adnc> there were some samples, does anyone know how to get them printed by the bot or where they are
08:59 < krzee> lol
08:59 < krzee> !sample
08:59 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
08:59 < krzee> !factoid search sam
08:59 < vpnHelper> krzee: Error: "factoid" is not a valid command.
08:59 < krzee> !factoids search sam
08:59 < vpnHelper> krzee: 'sample' and 'samba'
09:00 < krzee> !list factoids
09:00 < vpnHelper> krzee: change, forget, info, learn, lock, random, search, unlock, and whatis
09:00 < reiffert> !random
09:00 < vpnHelper> reiffert: "encryption": Why symetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf; "hmac": The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional
09:00 < vpnHelper> reiffert: level of security above and beyond that provided by SSL/TLS.; "quietopenssl": also see !ssl-admin for a sweet tool for managing your certs
09:00 < reiffert> !random
09:00 < vpnHelper> reiffert: "configs": please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.; "redirect": to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.; "pastebin": please
09:00 < vpnHelper> reiffert: paste anything with more than 5 lines into pastebin or a similar website
09:00 < reiffert> !all
09:00 < vpnHelper> reiffert: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
09:00 < reiffert> !random
09:00 < vpnHelper> reiffert: "irclogs": http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.); "iptables": then run iptables -F, iptables -Z after being SURE policies are set to accept; "notcompat": openvpn only connects to openvpn
09:01 < reiffert> !random
09:01 < vpnHelper> reiffert: "ssl-admin": if you use freebsd, it is in ports; "winpass": openvpnGUI for windows has a change password feature that will change the passphrase on your .key files; "ifconfig": usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of
09:01 < vpnHelper> reiffert: the virtual ethernet segment which is being created or connected to.
09:01 < reiffert> !random
09:01 < vpnHelper> reiffert: "win_noadmin": and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista; "static": also see !ccd and !iporder; "winroute": you may need to turn off routing and remote acess in administrative tools - routing and remote access
09:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
09:01 < reiffert> !random
09:01 < vpnHelper> reiffert: "winroute": many users also report it helps to add route-delay to give the interface extra time to get up; "notopenvpn": your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem; "fbsdbridge": http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging
09:01 < vpnHelper> reiffert: openvpn in freebsd
09:01 < krzee> easy there reiffert
09:01 < reiffert> hey
09:01 < reiffert> whats up
09:01 < adnc> ahh
09:01 < adnc> !sample
09:01 < vpnHelper> adnc: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
09:01 < adnc> thank you
09:01 < adnc> cool
09:01 < krzee> yw
09:02 < reiffert> !beer
09:02 < vpnHelper> reiffert: Error: "beer" is not a valid command.
09:02 < reiffert> !cool
09:02 < vpnHelper> reiffert: Error: "cool" is not a valid command.
09:02 < reiffert> !yes
09:02 < vpnHelper> reiffert: Error: "yes" is not a valid command.
09:02 < krzee> need i make it ignore you?
09:02 < adnc> krzee: these are the examples you showed me two days ago aren't they
09:02 < krzee> adnc, likely
09:02 < reiffert> Do whatever comes up to your mind :)
09:03 < krzee> cool, ordering a sandwich on the phone in that case
09:03 < reiffert> :)
09:03 < onats_> who wants a beer?
09:04 < onats_> reiffert, whats the good beer from where you're from?
09:04 < reiffert> I recall 30 to 50 ..
09:05 < reiffert> and of course the one Bushmills was creating himself
09:05 < reiffert> ginger-beer
09:06 < krzee> the weed beer we made in northern california was good
09:06 < adnc> krzee: with your example would the connecting client get an ip
09:06 < krzee> umm
09:06 < krzee> !man
09:06 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:06 < onats_> weed beer? brewed from weed? or just mixed with grass?
09:06 < krzee> see --server
09:06 < onats_> reiffert, US?
09:07 < adnc> how is this handled, i used this example and it connects but no routes are available
09:07 < krzee> brewed from weed, like pot
09:07 < onats_> 30 - 50 good beers?
09:07 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.]
09:07 -!- onats_ is now known as onats
09:07 < reiffert> on high level of canbicogenes or after using a steam extractor?
09:07 < reiffert> onats: .DE
09:08 < krzee> i dunno what canbicogenes
09:08 < krzee> are
09:08 < krzee> but we made it just like they made hemp beer, but with real pot
09:08 < onats> ahhh ok
09:08 < onats> is hoegaarden from there?
09:08 < krzee> pot is actually related to hops
09:09 < onats> krzee<--- pothead
09:09 < krzee> sure
09:09 < onats> hehehe
09:09 < reiffert> the active component, unfortunately google doesnt know my word-creation :(
09:10 < krzee> i worked in the medical marijuana biz for a couple yrs, grew with tractors and whatnot
09:10 < krzee> oh cannabinoids?
09:10 < onats> oh yeah... i remember i saw some ads for shoes made of hemp
09:10 < reiffert> ah, that sounds like it
09:10 < prop__> if I get: "cat: /dev/net/tun: Permission denied" .... it means its a deadend for me? (centos under openvz)
09:10 < krzee> yes, high levels
09:10 < prop__> theres no workaround? 'tun' is mandatory?
09:10 < krzee> do you know what cat does?
09:11 < reiffert> bbl, afk
09:11 < krzee> http://www.google.com/search?hl=en&q=marijuana+hops&btnG=Google+Search&aq=f&oq=
09:11 < onats> prop++, how about doing a sudo when you execute the command?
09:11 < vpnHelper> Title: marijuana hops - Google Search (at www.google.com)
09:11 < prop__> krzee: I got a vague idea :)
09:11 < prop__> onats: as root
09:11 < onats> oh ok
09:11 < krzee> onats, it shouldnt work
09:11 < krzee> he's trying to cat a network device
09:12 < krzee> cat is for concatenating files (or printing them to the screen)
09:12 < prop__> krzee: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
09:12 < krzee> tun isnt a file, its a device node
09:12 < onats> haha ok
09:12 < onats> i thought he was running a script or something
09:14 < adnc> WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
09:14 < adnc> is it possible to define that vpn uses a different subnet
09:15 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:16 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
09:17 < krzee> both sides are on the same lan?
09:17 < adnc> yes
09:18 < adnc> but i tried it from a different lan as well
09:18 < adnc> and it does the same
09:18 < krzee> do you plan on sharing either lan with the other?
09:18 < adnc> no
09:18 < krzee> then ignore it
09:18 < krzee> what is your goal anyways
09:18 < adnc> but it doesnt work
09:18 < krzee> what is "work"
09:18 < adnc> i would like to access my local lan from outside via vpn
09:18 < krzee> that is sharing a lan!
09:18 < krzee> LOL
09:18 < adnc> ok, no ip routing to the lan
09:18 < krzee> thats exactly what i just asked you
09:19 < adnc> krzee: sorry for my bad english
09:19 < adnc> i misunderstood you
09:19 < krzee> you can NOT do that with 2 lans on the same subnets
09:19 < krzee> one must get re-numbered
09:19 < adnc> ok
09:19 < adnc> what exactly would i have to do?
09:20 < krzee> change the lan's subnet
09:20 < adnc> mhh
09:20 < adnc> krzee: i didn't understand. i only have one lan
09:21 < krzee> heh
09:21 < krzee> ok you have a client and a server
09:21 < adnc> yes
09:21 < krzee> both are on 192.168.1.x
09:21 < adnc> yes
09:21 < krzee> change one to something else
09:22 < adnc> is it possible to assign the client a different subnet-address
09:22 < adnc> so instead of changing the ip of the client or the server having the openvpn-lan on a different address
09:24 < krzee> it has nothing to do with the address assigned by openvpn
09:24 < krzee> my smaple files use 10.8.1.x for the openvpn subnet
09:24 < adnc> krzee: i thank you very much
09:24 < krzee> sample
09:25 < adnc> !push
09:25 < vpnHelper> adnc: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
09:29 < adnc> my client prints out this
09:29 < adnc> /sbin/ifconfig tun0 10.8.1.6 pointopoint 10.8.1.5 mtu 1500
09:29 < adnc> but i can not ping to 10.8.1.5
09:29 < adnc> is this normal?
09:29 < adnc> shouldn't it be reachable
09:29 < krzee> no
09:29 < krzee> !/30
09:29 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:30 < krzee> you should be pinging 10.8.1.1
09:30 < adnc> but even this ip is not reachable
09:30 -!- prop__ [n=dd@77.126.240.136] has quit []
09:31 < krzee> then something is wrong
09:31 < krzee> !configs
09:31 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:31 < krzee> !logs
09:31 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
09:31 < adnc> ok
09:37 < adnc> http://pastebin.com/d58e393f
09:38 < adnc> and my lan address is 192.168.1.0
09:40 < krzee> and the client is on what lan...?
09:40 < adnc> 192.168.1.0
09:40 < adnc> and has the ip at the moment of 102
09:41 < krzee> and server lan is what?
09:41 < adnc> also 192.168.1.0 and has ip 2
09:41 < krzee> didnt i tell you you had to change ones?
09:42 < krzee> [10:21] both are on 192.168.1.x
09:42 < krzee> [10:21] change one to something else
09:42 < adnc> i was today outside at a friends home he has a different ip range and it still didn't work
09:42 < krzee> i didnt say that was all
09:42 < krzee> but i made it clear you needed to change that
09:43 < adnc> yes, but if i do this i won't be able to talk here
09:43 < krzee> ok well good luck
09:43 < krzee> ill be back later
09:43 < adnc> maybe you could tell me what else i would have to do
09:43 < adnc> and i could do all together
09:46 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has joined ##openvpn
09:46 < maninthemiddle> hi
09:47 < maninthemiddle> i have openvpn client and openvpn server
09:47 < maninthemiddle> client connected successfully and got ip
09:47 < maninthemiddle> but they cannot ping each other..
09:47 < maninthemiddle> firewalls are turned off
09:47 < maninthemiddle> what can be the reason?
09:49 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
09:54 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has joined ##openvpn
09:55 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has quit [Client Quit]
09:55 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has quit [":(){ :|:& };:"]
09:59 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has joined ##openvpn
10:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:05 -!- idk-nva2 [n=niels@idk.xs4all.nl] has quit []
10:12 -!- ekristen_ [n=ekristen@68.33.133.72] has joined ##openvpn
10:13 < ekristen_> the client cert for the openvpn client, does that need to be signed by the ca crt?
10:14 < ekristen_> or is it just a generated key and generated cert from the key for the client?
10:14 -!- ekristen_ is now known as ekristen
10:25 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn
10:25 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has joined ##openvpn
10:27 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
10:36 -!- joelsolanki [i=joelsola@123.237.172.89] has joined ##openvpn
10:36 < joelsolanki> Hi all
10:36 < joelsolanki> !redirect
10:36 < vpnHelper> joelsolanki: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:38 < joelsolanki> !/30
10:38 < vpnHelper> joelsolanki: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:38 < joelsolanki> !topology
10:38 < vpnHelper> joelsolanki: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
10:49 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has joined ##openvpn
10:52 < __8472> hi, how should that damn resolvconf work? because i'm trying to get it work, and it instantly works somehow strange on its own. once it changes the /etc/resolv.conf, next time it just leaves there previous entries , damn it
10:54 < __8472> another time it just doesn't change anything.
11:02 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:04 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has quit [Read error: 104 (Connection reset by peer)]
11:19 < ekristen> hello
11:20 < ekristen> so I have a successful vpn tunnel
11:20 < ekristen> using pki
11:20 < ekristen> but none of my traffic is going through the tunnel
11:22 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has joined ##openvpn
11:24 < ekristen> can anyone help?
11:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)]
11:29 < krzee> what traffic do you expect to go through the tunnel?
11:33 < krzee> ekristen,
11:33 < ekristen> traffic to my hosts that reside on the other side, ssh, ftp, http, https,
11:34 < krzee> on the other side as in a lan behind the other side, or the internet in general
11:35 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
11:36 < ekristen> nm, its working, the guy I was working with is an idiot
11:36 < ekristen> that was telling me it wasn't working
11:40 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Remote closed the connection]
11:41 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:41 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
11:41 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has quit [Connection timed out]
11:42 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
11:46 -!- ekristen [n=ekristen@68.33.133.72] has quit [Read error: 104 (Connection reset by peer)]
11:53 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has quit ["Leaving"]
12:06 -!- adnc_ [n=numer@p54855958.dip.t-dialin.net] has joined ##openvpn
12:16 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has joined ##openvpn
12:17 -!- adnc [n=numer@unaffiliated/adnc] has quit [Read error: 110 (Connection timed out)]
12:29 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has joined ##openvpn
12:38 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has quit ["Leaving"]
12:45 -!- lepine1 [n=lmacguir@74.59.36.93] has left ##openvpn []
12:50 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
12:52 < joelsolanki> krzee: HI
12:53 < joelsolanki> is it possible to bridge the lan on windows machine on which openvpn is also working but acting as vpn client ?
12:53 < joelsolanki> my aim is vpn server should be able to communicate with lan machines which are behind vpn client 12:53 < joelsolanki> possible ? 12:55 < krzy> i dont use bridge 12:55 < krzy> but its very possible with routed setup 12:56 < krzy> in fact i wrote a doc about how to connect lans behind server + clients, to see it type: !route 13:06 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 13:13 < joelsolanki> aha 13:13 < joelsolanki> !route 13:13 < vpnHelper> joelsolanki: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:13 < joelsolanki> checking your doc 13:22 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has quit [":(){ :|:& };:"] 13:34 -!- adnc [n=numer@p54856A7F.dip.t-dialin.net] has joined ##openvpn 13:37 -!- joelsolanki [i=joelsola@123.237.172.89] has quit [] 13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:49 -!- adnc_ [n=numer@p54855958.dip.t-dialin.net] has quit [Connection timed out] 13:51 -!- Gumbler is now known as Gumbler|NotHere 13:51 -!- Gumbler|NotHere is now known as Gumbler 14:12 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:12 < Dougy> krzie 14:12 < Dougy> ping 14:13 < Dougy> pingpingpingpingpingpingpingpingpingpingpingping 14:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:24 < Dougy> afk 14:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 14:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:59 < krzie> kickass bro 15:06 < ecrist> what's kickass? 
15:06 < krzie> he got a cheap mb for me
15:06 < ecrist> sweet
15:08 < Dougy> yeah
15:08 < Dougy> p4sga+ for $30
15:08 < Dougy> its socket 478 tho
15:24 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
15:26 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
15:29 -!- Timpa88 [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:29 < Dougy> hey
15:30 < reiffert> ho
15:30 < Dougy> hey reiffert
15:30 < Dougy> :)
15:31 < reiffert> whats up Dougy?
15:32 -!- Timpa88 is now known as Timpa
15:34 < Dougy> nothing
15:34 < Dougy> bored out of my mind
15:40 < krzie> do i really need to fill this out?
15:40 < krzie> oops /q
15:40 -!- victor- [n=victor@rrcs-71-41-16-46.sw.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)]
16:01 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
16:16 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:16 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:29 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:33 -!- nemysis [n=nemysis@25-137.3-85.cust.bluewin.ch] has quit [Connection timed out]
16:34 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has joined ##openvpn
17:24 -!- adnc [n=numer@p54856A7F.dip.t-dialin.net] has quit ["leaving"]
17:30 < prop__> krzie: cat: /dev/net/tun: File descriptor in bad state
17:30 < prop__> krzie: now it works :)
17:54 -!- floyd_n_milan_ [n=mrugesh@124.247.220.202] has joined ##openvpn
17:55 -!- SanninMan [n=User@ch1.cproxy.cz] has joined ##openvpn
17:55 < SanninMan> yo
18:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:03 -!- SanninMan [n=User@ch1.cproxy.cz] has left ##openvpn ["Leaving"]
18:10 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)]
19:22 < Dougy> anyone need hosting?
19:28 < prop__> may I /privmsg you?
19:28 < Dougy> you may certainly
19:40 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has quit ["Leaving."]
19:43 -!- lepine [n=leprecha@70.38.54.219] has left ##openvpn []
19:46 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
19:46 < onats1> buzz!
20:23 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:30 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
20:40 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Remote closed the connection]
20:41 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn
20:42 -!- unix3 [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)]
20:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
21:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
21:20 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
21:29 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"]
21:52 -!- karlpinc [n=kop@meme-net.meme.com] has quit ["BitchX: a new fragrance for men, by Calvin Klein"]
22:56 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has joined ##openvpn
23:27 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has quit [Remote closed the connection]
23:36 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has joined ##openvpn
--- Day changed Thu Apr 30 2009
00:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:25 < dan__t> hi.
00:25 < dan__t> krzie, wake up.
00:37 < dan__t> Well, that idea didn't work..........
00:38 < dan__t> I need to use OpenVPN as sort of a router for other OpenVPN connections.
00:39 < dan__t> Reason being is that I want to SNAT certain clients, identifiable by their TLS CN, to use certain IPs. Those IPs might not be present on the machine that they're connecting to.
00:39 < dan__t> i.e. I'd have multiple 'server' directives in the client conf file
00:39 < dan__t> I might as well just drop the connection, and assume/hope the OpenVPN client just goes down that list.
00:46 < dan__t> Yea, that might be the best approach.
01:17 < reiffert> dan__t: create a tunnel between the servers
01:18 < dan__t> But I don't want to pass that traffic through the tunnel.
01:18 < dan__t> er, the traffic that the client would be using.
01:18 < dan__t> Because server A and server B might be across the world from each other.
01:18 < dan__t> I don't want to incur extra bandwidth charges just to tunnel that.
01:18 < reiffert> then use a dynamic routing protocol
01:24 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Read error: 104 (Connection reset by peer)]
01:25 < dan__t> I don't have that kind of control
01:28 < dan__t> I can't BGP or anything between peering points.
01:29 < reiffert> What was krzie's idea that you claim it was failing?
01:43 < dan__t> What? I never claimed such things.
01:43 < dan__t> I don't see a response to my question, I just looked through logs, perhaps you're confused?
01:52 < reiffert> 07:25 < dan__t> krzie, wake up.
01:52 < reiffert> 07:37 < dan__t> Well, that idea didn't work..........
01:53 < dan__t> Sorry, I was trying my own idea.
01:53 < reiffert> ah
01:53 < reiffert> and what is it?
02:01 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
02:07 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
02:08 < dan__t> trying to see how a client would use multiple servers
02:08 < dan__t> round-robin or random or what
02:23 < dan__t> Doesn't look reliable, but it may just need more testing.
02:23 < dan__t> I'm tired and a few beers deep, I'll need to play with it some other night.
02:30 -!- onats1 [n=15172@221.121.120.254] has quit ["Leaving."]
02:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:48 -!- adnc [n=numer@141.41.40.139] has joined ##openvpn
03:48 < adnc> !route
03:48 < vpnHelper> adnc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:09 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has quit [Read error: 110 (Connection timed out)]
04:16 -!- joelsolanki [i=joelsola@123.237.172.62] has joined ##openvpn
04:16 < joelsolanki> !route
04:16 < vpnHelper> joelsolanki: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:16 -!- joelsolanki [i=joelsola@123.237.172.62] has quit [Client Quit]
04:26 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit ["Quit"]
04:35 -!- adnc [n=numer@141.41.40.139] has quit [Read error: 60 (Operation timed out)]
04:38 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn
04:38 -!- albech [n=albech@118.173.14.75] has joined ##openvpn
04:39 -!- prop__ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
05:03 -!- zheng [n=zheng@222.66.224.110] has quit [Client Quit]
06:19 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
06:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"]
06:36 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
06:41 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."]
06:49 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
07:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
07:02 -!- dazo [n=dazo@nat/redhat/x-b40504dd271611ba] has quit ["Leaving"]
07:06 -!- dazo [n=dazo@nat/redhat/x-4a26375fe2be66dc] has joined ##openvpn
07:17 -!- dazo [n=dazo@nat/redhat/x-4a26375fe2be66dc] has quit ["Leaving"]
07:17 -!- dazo [n=dazo@nat/redhat/x-47a430b4e0c1081a] has joined ##openvpn
07:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:29 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 54 (Connection reset by peer)]
08:29 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
08:48 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 104 (Connection reset by peer)]
08:48 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
08:50 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
08:52 -!- Timpa [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:14 -!- Lilarcor [n=Lilarcor@167.sub-97-23-66.myvzw.com] has joined ##openvpn
09:18 -!- Lilarcor [n=Lilarcor@167.sub-97-23-66.myvzw.com] has quit [Client Quit]
09:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)]
09:47 -!- degrade [n=degrade@unaffiliated/degrade] has joined ##openvpn
09:50 < degrade> Has anybody installed OpenVPN on Windows?
09:50 < albech> anyone here have a working openvpn installation in ubuntu 9.04 through the openvpn plugin in the network manager?
09:50 < degrade> Is it possible to use the OpenVPN client with a Micro$oft Windows PPTP Server?
09:51 < albech> degrade, im fairly sure it isnt
09:51 < albech> degrade, download the openvpn windows gui
09:52 < degrade> albech: I will try. The VPN client from Windows closes my network and uses the VPN exclusively.
09:53 < degrade> albech: It's a feature, I know. But I need that my local network doesn't close.
09:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:53 < albech> deception, i understand
09:53 < degrade> albech: I think that the other client works in another fashion.
10:06 -!- albech [n=albech@118.173.14.75] has quit [Remote closed the connection]
10:09 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 54 (Connection reset by peer)]
10:10 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
10:10 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 104 (Connection reset by peer)]
10:19 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
10:32 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
11:09 < dazo> degrade: OpenVPN != PPTP ... not compatible and will never be
11:11 < dazo> degrade: btw ... configuring openvpn on windows is almost the same as in Linux
11:12 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
11:22 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
11:25 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
11:26 < degrade> dazo: thx
11:27 -!- degrade [n=degrade@unaffiliated/degrade] has quit ["leaving"]
11:31 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 110 (Connection timed out)]
11:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:47 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [Read error: 104 (Connection reset by peer)]
11:47 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
11:48 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 54 (Connection reset by peer)]
11:49 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
11:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:52 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Client Quit]
12:26 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has joined ##openvpn
12:31 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
12:32 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Client Quit]
12:51 < dan__t> Hi.
13:09 -!- theDoc [n=andelyx@116.197.244.5] has joined ##openvpn
13:17 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has quit [Client Quit]
13:48 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
13:54 -!- asdzxc [n=azurit@adsl-dyn-160.95-102-50.t-com.sk] has joined ##openvpn
13:54 < asdzxc> hi
13:55 < asdzxc> how can i set OpenVPN to redirect all traffic through the tunnel but only for some of my clients (not for all)?
14:04 < asdzxc> is it possible to configure per-user settings?
14:06 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
14:08 -!- plaerzen [n=carpe@66.11.76.242] has quit [Read error: 104 (Connection reset by peer)]
14:08 < asdzxc> anyone here?
14:09 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
14:23 -!- deception [i=oc80z@root.servergirl.net] has quit []
14:31 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
14:32 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has joined ##openvpn
14:42 -!- temoto-mobi [n=temoto@78-106-109-221.broadband.corbina.ru] has joined ##openvpn
14:43 < temoto-mobi> Hello. Can i configure the openvpn client to filter the routes it is accepting? Or maybe not accept routes at all?
14:43 < temoto-mobi> Damn server overrides my default route.
14:51 < bragon> is it possible to fix the @mac of a tap0 device?
14:57 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
14:57 -!- asdzxc [n=azurit@adsl-dyn-160.95-102-50.t-com.sk] has left ##openvpn []
14:58 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn
15:03 -!- temoto-mobi [n=temoto@78-106-109-221.broadband.corbina.ru] has left ##openvpn ["WeeChat 0.2.6.1"]
15:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:08 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
15:19 -!- Timpa [i=timpa@c-851170d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:48 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:09 < troy-> is there a webclient version of openvpn?
16:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
16:47 < dan__t> hey bitches.
16:47 < dan__t> how/why/where would there be, troy-?
16:47 < dan__t> What are you looking to do?
16:48 < troy-> dan__t, i want a user to be able to login to the private network via a web-browser without client software
16:48 < dan__t> Kind of like how Juniper's shit works?
16:48 < dan__t> Not that I know of, no.
16:48 < troy-> or the Cisco platform, ya
16:48 < dan__t> Yea that's some bad-ass shit.
16:48 < dan__t> OpenVPN does not do that.
16:48 < dan__t> Trying to think of what I saw a while ago... did sort of the same thing.
16:55 -!- prop__ [n=dd@77.124.153.214] has quit [Connection timed out]
17:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:09 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
17:27 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
17:29 < scyld> Hi ppl! Just a funny thing. Is there a way to establish a connection to an openvpn server with its TLS cert expired?
17:29 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
17:29 < eliasp> hi
17:30 < scyld> I mean server cert expired, client cert is fine...
17:34 < eliasp> i have trouble using ccd ... it seems my ccd files are ignored... i have openvpn running with these arguments:
17:34 < eliasp> /usr/sbin/openvpn --config /etc/openvpn/management.conf --writepid /var/run/openvpn.management.pid --daemon --cd /etc/openvpn
17:35 < eliasp> as i'm using --cd /etc/openvpn i put my client-config-files into /etc/openvpn/ccd
17:35 < eliasp> i have a file evsrv002 there which contains
17:35 < eliasp> ifconfig-push 10.5.3.17 10.5.0.1
17:36 < eliasp> but when evsrv002 connects it gets another random IP
17:36 < eliasp> what's wrong with my config?
17:42 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:42 < Dougy> :>
18:02 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
18:07 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
18:12 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["leaving"]
18:39 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
18:42 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn
18:53 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, isox, Intensity, krzie, qknight, M06w, dazo, disco-, youngpro, rubydiamond, (+44 more, use /NETSPLIT to show all of them)
18:54 -!- Netsplit over, joins: frankS2, prop_, epaphus, troy-, Dougy, eliasp, rubydiamond, Timpa, jfkw, floyd_n_milan (+40 more)
18:54 -!- Netsplit over, joins: Pagautas, [4-tea-2], Bushmills, jameswhite
18:56 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"]
19:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
20:01 < ecrist> foo
20:07 < Dougy> hiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
20:07 < Dougy> ecrist
20:07 < ecrist> sup?
20:07 < Dougy> nothing
20:07 < Dougy> sleepy as heck
20:07 < Dougy> you?
20:08 < ecrist> browsing the web. my new PFD shipped today, so I'm happy.
20:09 < ecrist> http://dogbytecomputer.com/mustang-md3183-u-bk-cr-deluxe-automatic-inflatable-w-hammar-inflator.html
20:09 < vpnHelper> Title: Mustang MD3183-U-BK/CR Deluxe Automatic Inflatable W/Hammar Inflator (at dogbytecomputer.com)
20:09 < reiffert> hi
20:09 < Dougy> nice
20:09 < ecrist> howdy, reiffert
20:10 < Dougy> ecrist: i am about to sign a colocation contract
20:10 < Dougy> tomorrow
20:10 < Dougy> :X
20:10 < ecrist> where?
20:11 < ecrist> I'm upgrading my cable internet service tomorrow.
20:11 < ecrist> 22Mb/5Mb
20:11 < Dougy> cool
20:11 < Dougy> I got
20:11 < Dougy> 10U, 10Amps, 20 Mbps on a 100MB port for $400
20:11 < Dougy> in new york city
20:11 < ecrist> not too shabby
20:11 < ecrist> which provider?
20:11 < Dougy> as in, the dc?
20:11 < Dougy> or the bw
20:11 < ecrist> don't you work for a colo?
20:11 < Dougy> yeah uhh
20:11 < Dougy> lets not go ther
20:11 < Dougy> e
20:12 < ecrist> lol
20:12 < Dougy> simply said nothing of mine is going in that "datacenter"
20:12 < Dougy> nothing wrong with the network
20:12 < Dougy> everything wrong with the datacenter
20:12 < ecrist> bandwidth provider
20:12 < Dougy> right now, singlehomed cogent
20:12 < Dougy> in next 2 months.. WVFiber and Verizon are being added
20:12 < ecrist> who's the ISP?
20:12 < ecrist> (datacenter owner)
20:12 < Dougy> the building isnt just a DC
20:13 < Dougy> its also a department of justice headquarters
20:13 < Dougy> among other things
20:13 < Dougy> its over 30 stories tall
20:13 < ecrist> why does the size of the building matter?
20:13 < ecrist> it doesn't make the dc more reliable
20:13 < Dougy> doesnt
20:13 < Dougy> the floor of the bldg is owned by Cogent
20:16 < Dougy> supposedly extremely nice
20:16 < Dougy> all locking APC racks
20:18 < ecrist> my data center is in the basement of a one-story ranch-style home.
20:18 < ecrist> :P
20:18 < prop_> http://74.86.94.210/1.txt , is there hope for me?
20:19 < prop_> tried to read whatever guide I could find for the past two days, can't quite understand what/where I do wrong :|
20:19 < ecrist> 100Amps of service, 84u of space, and 22Mb/5Mb of bandwidth on dual gigabit links. :)
20:20 -!- youngpro [n=pro@teamaustralia.net.au] has quit [Read error: 110 (Connection timed out)]
20:20 < Dougy> cool ecrist
20:20 < ecrist> prop_: firewall issue
20:20 < ecrist> CONN_REFUSED is caused by firewalls
20:21 < ecrist> or the daemon not running on the other end.
20:22 < prop_> ecrist: I execute it manually
20:22 < prop_> ecrist: (this is the server side stdout)
20:23 < prop_> ecrist: the client is inside a lan, is there something special it needs? (for some reason I failed to see such a requirement of the client)
20:26 < ecrist> not really.
20:26 * ecrist goes away
20:44 < prop_> ok, changed the default port 1194 --> 94 , and used TCP instead of UDP .. now I got a different issue.. lets try to google it up
21:34 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:33 < eliasp> i have network trouble with one of my clients (hanging SSH connections, etc.) and i get messages in the server log like these: http://dpaste.com/39899/
22:33 < eliasp> what does this MULTI mean in this case? something critical?
22:33 < eliasp> the affected host is evsrv002.... nx9420-eliasp is my laptop-client...
22:34 < eliasp> i only get these messages, they don't appear for any other host
22:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
23:01 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has joined ##openvpn
23:03 < Plecebo> Hello, I have a vpn that is having trouble staying connected. I'm able to connect, and able to remote desktop into a computer on the remote network. All works for a few minutes (3-5) then the remote desktop session drops and I can no longer ping the remote computer. Oddly my client says that it is still connected and doesn't really indicate that it has lost connection or anything.
23:05 < Plecebo> Here is my client.conf http://pastebin.com/m3c41b298
23:10 < Plecebo> and my server.conf http://pastebin.com/m7d8ae9a8
23:25 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has quit ["Leaving"]
23:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
--- Day changed Fri May 01 2009
00:07 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
00:11 -!- theDoc_ [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
00:12 -!- theDoc_ [n=andelyx@unaffiliated/thedoc] has quit [Client Quit]
00:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"]
00:20 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
00:21 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn
00:45 -!- onats__ [n=onats@122.53.134.78] has joined ##openvpn
00:47 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
00:48 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
00:50 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
00:52 < theDoc> Does openvpn support native v6 implementation yet?
01:55 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
02:19 < dan__t> v6?
02:19 < dan__t> v6 what
02:22 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
02:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
02:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:42 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: M06w, Typone
02:43 -!- Netsplit over, joins: M06w, Typone
02:45 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
03:02 -!- onats__ [n=onats@122.53.134.78] has quit [Read error: 110 (Connection timed out)]
03:20 -!- lolipop [n=soontak@219.95.197.122] has joined ##openvpn
03:32 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
03:50 -!- c64zottel [n=hans@p5B17AC88.dip0.t-ipconnect.de] has joined ##openvpn
03:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)]
04:46 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)]
05:01 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn
05:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
05:07 -!- lolipop [n=soontak@219.95.197.122] has quit [Remote closed the connection]
05:18 -!- gallatin [n=gallatin@dslb-088-078-178-092.pools.arcor-ip.net] has joined ##OpenVPN
05:59 -!- feinoM [n=feinom@svale.hia.no] has joined ##openvpn
06:03 < feinoM> Hello :) I have a VPN client on network A connected to a VPN on network B. The client uses the DNS server on network B. I'm using an up-script to get this done. The problem is that when the local lease time expires for the client, the DNS server entries in /etc/resolv are replaced. Is there some way to avoid this?
06:41 -!- MarcWebe1 [n=marc@88.80.200.63] has joined ##openvpn
06:42 < MarcWebe1> Are there any known problems running openvpn on x86_64 systems (linux)? The strange thing is: scp shows 100%. But it doesn't terminate. running scp from a 32 bit system (same setup) works fine.
06:42 < ecrist> MarcWebe1: I'm not aware of any 64-bit specific problems with openvpn
06:43 < ecrist> if scp is at 100%, i'd say you've got some other issue
06:43 < MarcWebe1> Where to start debugging this?
06:43 < MarcWebe1> it's the same with git push/pull
06:52 < MarcWebe1> Oh. well. it works for small files.
06:57 < MarcWebe1> It starts hanging when the file has 1295 bytes or more.
06:57 < ecrist> it works OK when not transferring over openvpn tunnels?
06:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
06:59 < MarcWebe1> ecrist: Sure. I've never encountered any trouble. But I don't forward packages through the vserver then.
06:59 < ecrist> don't know what a vserver is
07:00 < MarcWebe1> vserver= virtual server. I pipe my internet traffic through a small root (private) server having a broadband connection to do traffic shaping.
07:16 < MarcWebe1> Using --fragment and --mssfix made it work :-)
07:18 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
07:31 < ecrist> glad you were able to fix it
07:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:49 < MarcWebe1> I got these values: Fri May 1 14:19:55 2009 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1437]
07:49 < MarcWebe1> Can I deduce fragment and mssfix options from this output?
07:49 < MarcWebe1> Can I make the server push those options to the client? ( I got wrong context errors or such)
07:56 -!- hyphenex [n=hyphenex@209.20.74.93] has joined ##openvpn
07:56 < hyphenex> Hey, I'm trying to run OpenVPN, but I'm getting the following error: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/openvpn.conf:5: secret (2.1_rc15)
07:57 < ecrist> !configs
07:57 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:57 < ecrist> !logs
07:57 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6
07:59 < hyphenex> my config file is at http://paste2.org/p/195720
07:59 < hyphenex> how might I find the logs?
08:07 < ecrist> if you run openvpn from the command line, they're in stdout
08:08 < ecrist> are you following a howto?
08:09 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
08:11 < hyphenex> ecrist: no errors then, just that one when I try and run
08:41 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn
08:43 -!- hyphenex [n=hyphenex@209.20.74.93] has quit ["leaving"]
09:38 -!- gallatin [n=gallatin@dslb-088-078-178-092.pools.arcor-ip.net] has quit ["Client exiting"]
09:47 -!- Timpa [i=timpa@c-851170d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:56 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn
09:58 -!- prop__ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
09:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:08 -!- gregHome [n=gleblanc@75.108.45.57] has joined ##openvpn
10:22 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has left ##openvpn []
10:56 -!- mrpockets [n=mrpocket@CPE-67-48-248-23.new.res.rr.com] has joined ##openvpn
10:56 < mrpockets> Hello!
11:02 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:06 < Bushmills> Rostock 1:0 against KL after 6 min
11:17 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)]
11:19 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn
11:25 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:31 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
11:32 -!- nemysis [n=nemysis@107-79.3-85.cust.bluewin.ch] has joined ##openvpn
11:39 -!- mrpockets [n=mrpocket@CPE-67-48-248-23.new.res.rr.com] has left ##openvpn []
11:41 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
12:33 -!- Timpa [i=timpa@c-0a1070d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
12:37 -!- Timpa [i=timpa@c-0a1070d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit]
12:46 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
12:57 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 110 (Connection timed out)]
13:04 -!- Solvik [n=solvik@oxyradio.com] has joined ##openvpn
13:05 < Solvik> !redirect
13:05 < vpnHelper> Solvik: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:05 < Solvik> !def1
13:05 < vpnHelper> Solvik: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:12 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
13:24 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:40 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Success]
13:49 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Gumbler, Intensity, rubydiamond, ropetin, onats_, mikkel, temba
13:51 -!- Netsplit over, joins: temba, mikkel
13:51 -!- Netsplit over, joins: rubydiamond, Gumbler, Intensity, ropetin
13:51 -!- ekristen [n=ekristen@c-68-33-133-72.hsd1.md.comcast.net] has joined ##openvpn
13:51 < ekristen> Question, does openvpn traffic look like standard SSL traffic?
13:52 -!- onats_ [n=onats@122.53.139.235] has joined ##openvpn
13:58 -!- ekristen [n=ekristen@c-68-33-133-72.hsd1.md.comcast.net] has quit []
14:36 -!- Solvik [n=solvik@oxyradio.com] has left ##openvpn ["Quitte"]
14:47 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
14:48 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
15:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:21 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:22 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
15:36 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
16:09 < krzie> wassup
16:09 -!- krzie [i=krzee@unaffiliated/krzee] has left ##openvpn []
16:09 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
16:44 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
17:09 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
17:53 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:36 -!- c64zottel [n=hans@p5B17AC88.dip0.t-ipconnect.de] has quit ["Leaving."]
19:17 -!- Cr0nix [i=irssi@62.141.56.213] has quit [Read error: 110 (Connection timed out)]
19:27 -!- onats_ [n=onats@122.53.139.235] has quit ["Ex-Chat"]
19:38 -!- Celsiux-Nulled [n=Nullesd@85.17.165.5] has joined ##openvpn
19:38 < Celsiux-Nulled> hello :)
19:38 < Celsiux-Nulled> I have a question, anybody around?
20:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
20:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
20:26 < krzie> !ask
20:26 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
20:28 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
20:42 < prop__> SO - I managed to make my VPN scheme, 'openvpn server' on the remote machine(CentOS), 'openvpn client' on the laptop(XP) ... a problem I stumbled on:
20:43 < prop__> my download transfer rate ability is ~300KByte, .. when I try to download from the openvpn server - I manage to get ~300KByte
20:44 < prop__> when I try to download from a machine outside from the openvpn server, the speed drops to 30KByte.
20:44 < prop__> (the server downloads that link at ~10MByte, and my client directly can download it at ~300KByte... but through the VPN .. its only 30KByte?)
20:53 < krzie> i dont understand what you mean
20:53 < krzie> are you saying the client is redirecting its gateway to go through the server?
20:54 < prop__> krzie: correct
20:54 < krzie> and that over the vpn it can get 300kb/s direct from server
20:54 < krzie> or outside the vpn it gets that speed
20:54 < prop__> both are correct, through the vpn it gets 300kb from the server, but 3rd party gets only 30KB
20:54 < krzie> you using udp or tcp?
20:55 < prop__> 300KByte is its ~ability 20:55 < krzie> in fact, do this: 20:55 < prop__> TCP 20:55 < krzie> !configs 20:55 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:55 < krzie> ahh 20:55 < krzie> read this: 20:55 < krzie> !tcp 20:55 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 20:55 < prop__> krzie: give me a minute or so :) 20:56 < krzie> i no longer need your configs 20:57 < prop__> oh, it was a typo? 20:57 < krzie> there was a line of questions that you stopped me from needing to ask with your first answer 20:57 < krzie> seeing your configs would have stopped me from needing to go down a little list 20:57 < prop__> heh, I see you're experienced enough :) 20:58 < prop__> so let me read up on the tcp-tcp issue, and then try to figure out what requirement UDP has from my client-side 20:58 < krzie> been here awhile 20:58 < krzie> hehe 20:58 < krzie> client just needs to be able to make an outbound udp connection 21:00 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:01 < prop__> mm.. I thought TCP is doing a "connection" .. while UDP is more of a "hit and run" ? .. wouldn't that imply the client needs to listen on a UDP port? 21:02 < krzie> negative 21:02 < krzie> when a machine makes an outbound connection it knows (as does nat) to pay attention for responses 21:02 < krzie> otherwise you'd need to open a port for every udp protocol you use, which would damn near render udp useless 21:08 < prop__> krzie: well, it doubled it. now its stabilized at ~60KB .. 
and the direct server access is still ~300KB 21:10 < krzie> everything must flow through the server to and from you to outside world 21:10 < krzie> including ack's and whatnot 21:10 < krzie> which could make the whole flow slower i would imagine 21:10 < krzie> you may be able to squeeze some more throughput with compression 21:10 < krzie> --comp-lzo or something like that 21:10 < prop__> mmmm 21:10 < krzie> !man 21:10 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:10 < krzie> its in there 21:11 < prop__> lzo is enabled on the default .conf I believe 21:11 < krzie> also, you may find testing your MTU to be useful 21:11 < krzie> !mtu 21:11 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 21:11 < prop__> (I used the default .conf) 21:11 < krzie> i dunno what default conf you have 21:11 < krzie> but check it anyways 21:11 < prop__> yes, its enabled on my .conf 21:11 < krzie> in !mtu just use #2 21:12 < krzie> add --mtu-test to the client config and connect up 21:12 < krzie> it'll test for a couple minutes and let you know your optimal mtu 21:13 < prop__> I'll have to look at openvpn.org for the mtu-test, one moment 21:13 < krzie> why do you need to look at openvpn.org for that 21:14 < prop__> because I'm not quite sure what/where/when? 21:14 < prop__> "openvpn --mtu-test" ? 
21:14 < krzie> add --mtu-test to the client config and connect up 21:14 < krzie> it'll test for a couple minutes and let you know your optimal mtu 21:14 < krzie> err 21:14 < krzie> just mtu-test in the client config 21:17 < prop__> krzie: ok, added to the .conf and its running now 21:17 < prop__> I initially tried: "openvpn --mtu-test client.conf" 21:18 < krzie> if you have more than 1 option you must use --config 21:18 < krzie> you can only omit --config if its the only option passed 21:18 < prop__> oh, ic - my bad 21:18 < krzie> time for me to go 21:18 < krzie> gl to ya 21:18 < prop__> ok man, thanks a lot! 21:18 < krzie> yw 21:18 < prop__> I'll readup again on your info/links .. just to get a bit inshape :) 22:48 -!- Celsiux|Nulled [n=Nullesd@189.152.3.218] has joined ##openvpn 22:51 -!- Celsiux|Nulled [n=Nullesd@189.152.3.218] has quit [Remote closed the connection] 22:51 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 22:53 < Celsiux|Nulled> hi 22:54 < Celsiux|Nulled> does anybody know how I can assign a specific IP to each client (external IP, I am using openvpn to access internet), because right now it only uses the main IP of the server 22:55 < Celsiux|Nulled> I have been searching on google and email lists but no answers to this so far 22:56 < Celsiux|Nulled> any idea or pointer? even if somebody has experience with that I am willing to remunerate for the task 23:06 -!- Celsiux-Nulled [n=Nullesd@85.17.165.5] has quit [Read error: 110 (Connection timed out)] 23:13 < ecrist> fuckers 23:14 < Celsiux|Nulled> ? 23:15 < ecrist> what is your question, worded differently? 23:16 < ecrist> nm. I'm going to bed. 
23:18 < Celsiux|Nulled> ok 23:18 < Celsiux|Nulled> here is 23:18 < Celsiux|Nulled> I want to be able to assign each vpn client a different ip instead of the main shared server ip 23:18 < ecrist> each client does have its own IP 23:19 < Celsiux|Nulled> like I have around 10 ips (public) on my server but when I connect a vpn client to the server it always takes the main server ip 23:19 < ecrist> oh, that's an OS thing, really 23:19 < Celsiux|Nulled> iptables? 23:19 < ecrist> not any real good way around that 23:19 < ecrist> iptables would be a good way to remedy it 23:20 < Celsiux|Nulled> so one question if you willing to help I am not really good at admin stuff etc 23:20 < Celsiux|Nulled> lets say 23:20 < ecrist> i'd do it with PF, but I use a 'real' OS. :) 23:21 < Celsiux|Nulled> I would have to add a rule for each internal ip assigned by openvpn to route the traffic thru each extra ip I have? 23:21 < ecrist> yep 23:21 < Celsiux|Nulled> PF? 23:38 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 23:42 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has left ##openvpn [] --- Day changed Sat May 02 2009 00:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:37 -!- bandinia [n=bandini@host174-107-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 01:37 -!- Celsiux-Nulled [n=Nullesd@174.36.13.132-static.reverse.softlayer.com] has joined ##openvpn 01:44 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)] 01:53 -!- sond [n=sond@203.109.175.179] has joined ##openvpn 01:54 < sond> anyone home ? 
01:55 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Success] 01:55 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 01:58 -!- Celsiux-Nulled [n=Nullesd@174.36.13.132-static.reverse.softlayer.com] has quit [Read error: 110 (Connection timed out)] 02:10 -!- sond [n=sond@203.109.175.179] has quit ["Leaving"] 03:13 -!- sond [n=sond@203.109.168.200] has joined ##openvpn 03:22 < sond> hmmm its up and running but doesn't show up via a netstat or nmap scan.. 03:29 -!- sond [n=sond@203.109.168.200] has quit ["Leaving"] 04:48 -!- MoonMaker [n=Thomas@BAC12b2.bac.pppool.de] has joined ##openvpn 04:50 < MoonMaker> Hi All. I've a question about scripting. Is it possible to open a messagebox when a user connects from a client? I want to give the client user more information about openvpn and errors. 04:51 -!- prop__ [n=dd@77.124.153.214] has quit [Connection timed out] 04:53 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn 05:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:10 < prop_> my client's download speed from a target(no-vpn): ~300KB.. while client from the vpn server: 300KB.. while the server downloads from the target: 10MB ... while the client uses VPN tunnel, through that server.. the speed is only ~60KB 05:11 < prop_> the client is under XP, openvpn's client, UDP, comp-lzo 05:20 < Bushmills> prop_, traffic shaping by provider? 05:24 < prop_> Bushmills: mm? 05:24 < prop_> Bushmills: 1. direct access of the client to the target = 300KB 05:24 < prop_> Bushmills: 2. direct access of the server to the target = 10MB 05:25 < prop_> Bushmills: 3. client through a VPN to the target = ~60KB 05:26 < prop_> (HTTP GET transfer, using 'wget') 05:55 < frankS2> is there any command line way to add ppl to your addressbook in SHR? 
06:00 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn 06:05 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn 06:05 < theDoc> Hello all, anyone might have an idea why route-push isn't working when I connect via gnome-network-manager? 06:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 06:46 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 07:00 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 07:51 -!- nemysis [n=nemysis@107-79.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 07:52 -!- nemysis [n=nemysis@79-38.3-85.cust.bluewin.ch] has joined ##openvpn 08:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:09 < dmarkey> i want to join the network of 2 xen servers through a LAN 08:09 < dmarkey> a DHCP server is at one end 08:09 < dmarkey> through a WAN, sorry 08:11 < dmarkey> can openvpn be used for this 08:12 -!- MoonMaker [n=Thomas@BAC12b2.bac.pppool.de] has left ##openvpn [] 08:13 < [4-tea-2]> Since Xen supports tun/tap: yes. 
08:15 < ecrist> dmarkey: yes 08:19 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 08:22 < dmarkey> ecrist: http://pastebin.com/m7841f7d 08:22 < dmarkey> that that look right for the server side 08:28 < dmarkey> does* 08:34 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 08:34 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Remote closed the connection] 08:35 -!- Lilarcor [n=Lilarcor@8.sub-97-130-237.myvzw.com] has joined ##openvpn 08:43 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:01 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn 09:02 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 09:04 -!- Lilarcor [n=Lilarcor@8.sub-97-130-237.myvzw.com] has quit ["The Lord of Murder Shall Perish."] 09:04 -!- vpat [n=vaibhav@61.83.230.23] has joined ##openvpn 09:06 -!- vpat [n=vaibhav@61.83.230.23] has left ##openvpn [] 09:30 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 09:30 < Dougy> krzie: ping 09:35 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:42 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 09:53 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 09:54 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn 09:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:11 -!- vieq [n=vieq@unaffiliated/vieq] has joined ##openvpn 10:11 -!- vieq [n=vieq@unaffiliated/vieq] has left ##openvpn ["I am outa here"] 10:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:34 -!- theDoc_ 
[n=andelyx@208.99.194.194] has joined ##openvpn 10:35 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Nick collision from services.] 10:35 -!- theDoc_ is now known as theDoc 10:40 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 10:54 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 11:17 < Dougy> grr 11:17 < Dougy> krzie krzee w/e 11:18 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:19 -!- albech [n=albech@117.47.84.248] has quit [Client Quit] 11:20 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:21 -!- albech [n=albech@117.47.84.248] has quit [SendQ exceeded] 11:26 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:27 -!- albech [n=albech@117.47.84.248] has quit [SendQ exceeded] 11:43 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:44 -!- albech [n=albech@117.47.84.248] has quit [SendQ exceeded] 11:52 * Dougy smacks krzie 12:08 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 12:14 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 12:48 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has joined ##openvpn 12:59 -!- prop_ [n=dd@77.124.153.214] has quit [Connection timed out] 13:06 < Dougy> imunna beat him 14:08 -!- c64zottel [n=hans@p5B1783F3.dip0.t-ipconnect.de] has joined ##openvpn 14:25 -!- c64zottel [n=hans@p5B1783F3.dip0.t-ipconnect.de] has quit ["Leaving."] 14:41 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn 15:01 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 60 (Operation timed out)] 15:36 < prop_> I can't figure it out: my vpn client uses the tunnel for internet access and DNS (redirect) 15:37 < prop_> if I traceroute IP addresses, random sites ... they all go through the 10.8.0.1 of the VPN server 15:38 < prop_> BUT... if I try traceroute PUBLIC_IP_OF_VPN_SERVER .... it shows its actually using the 'direct' route via my router? 
15:39 < prop_> is there a special 'rule' for the public IP of the vpn server to be routed directly, and not via the tunnel --> public_ip ? 15:40 < Bushmills> prop_, how would openvpn talk to the vpn server if route to it was going through openvpn? 15:40 < prop_> Bushmills: thats a very very good question 15:41 < prop_> Bushmills: so if I want to judge the tunnel's transfer speed, I should actually use the internal IP, as in 10.8.0.1 15:42 < krzie> correct 15:42 < Dougy> KRZIE 15:42 < Dougy> PM 15:42 < Dougy> !!%!%!#% 15:42 < vpnHelper> Dougy: Error: "!%!%!#%" is not a valid command. 15:42 < krzie> dougy, i know you well enough you dont hafta ask, can just pm me 15:42 < Dougy> i did 15:42 < Dougy> hours ago 15:42 < krzie> i wasnt here 15:42 < krzie> as you may have noticed ;] 15:42 < Dougy> 5 hours ago 15:42 < Dougy> you should check 16:13 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 16:14 < project2501a> hey guys, what's the order of the arguments passed by --[dis]connect-script ? $IP $COMMON_NAME or reverse? 16:15 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 16:16 < project2501a> --client-connect excuse me 16:19 -!- Roman123 [n=Roman123@starnet1.sinh.us] has left ##openvpn ["Vegetarians don't live longer, they just look older!"] 16:28 < Bushmills> project2501a, tmk, args are not passed at all but can be expanded from environment variables 16:31 < project2501a> ah! cool. i didn't quite understand that part in the man page 16:31 < project2501a> cool 16:32 < project2501a> Bushmills: is it common_name ? all lowercase? 16:33 < project2501a> OOH. 
SEXY!!!1 trusted_ip and untrusted_up 16:33 * project2501a bows down to the author of openvpn 16:35 < Bushmills> project2501a, all lowercase 16:37 < project2501a> <3 <3 <3 16:56 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 16:56 < Dougy> going home 17:03 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 17:05 * krzie streaks acrossed the channel 17:14 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 17:41 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 17:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 17:59 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 18:13 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has left ##openvpn [] 18:14 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 18:22 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has quit [Remote closed the connection] 18:43 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: worch 18:44 -!- Netsplit over, joins: worch 18:48 -!- apollo13 [i=pd@static.88-198-99-60.clients.your-server.de] has joined ##openvpn 19:32 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 54 (Connection reset by peer)] 19:32 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 19:42 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 19:47 -!- MarcWebe1 [n=marc@88.80.200.63] has left ##openvpn [] 20:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 20:33 -!- prop_ [n=dd@77.124.153.214] has quit [] 21:04 -!- SuperEvilDeath17 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)] 21:04 -!- floyd_n_milan_ 
[n=mrugesh@124.247.220.202] has joined ##openvpn 21:04 -!- gregHome_ [n=gleblanc@75.108.45.57] has joined ##openvpn 21:04 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn 21:05 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 21:06 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 21:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 21:20 -!- gregHome [n=gleblanc@75.108.45.57] has quit [Read error: 113 (No route to host)] 21:20 -!- yarihm [n=yarihm@adsl-68-124-30-156.dsl.pltn13.pacbell.net] has joined ##openvpn 21:20 < yarihm> hi everyone 21:21 < yarihm> when I assign an IP to a user having a bridged VPN, can he then change it using ifconfig and have the tunnel still work? 21:40 < Celsiux|Nulled> the end user? 21:48 < yarihm> yes 21:48 < Dougy> Celsiux|Nulled: nulled? 21:48 < yarihm> ? 21:48 < yarihm> Celsiux|Nulled, did you refer to my question? 23:21 -!- chasing`Sol [n=Ahmed@1.0.0.127.reverse-dns.net] has joined ##openvpn 23:40 -!- zxcvop [n=Admin@222.127.158.58] has joined ##openvpn 23:43 -!- chasing`Sol [n=Ahmed@1.0.0.127.reverse-dns.net] has quit ["Leaving"] 23:44 < zxcvop> anyone 23:44 < zxcvop> ? 
23:47 -!- zxcvop [n=Admin@222.127.158.58] has left ##openvpn [] --- Day changed Sun May 03 2009 00:27 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)] 00:31 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 00:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 01:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 02:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:22 -!- Intensity [i=[5S34qXF@unaffiliated/intensity] has quit [Remote closed the connection] 03:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 03:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:42 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 04:00 -!- nemysis [n=nemysis@79-38.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 04:01 -!- nemysis [n=nemysis@208-237.3-85.cust.bluewin.ch] has joined ##openvpn 05:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 05:23 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:07 -!- js_ [n=js@193.0.253.161] has quit [Remote closed the connection] 07:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 08:43 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn 08:51 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 09:09 -!- seljo [n=matija@82.193.209.4] has joined ##openvpn 09:10 -!- seljo 
[n=matija@82.193.209.4] has left ##openvpn [] 09:10 -!- seljo [n=matija@82.193.209.4] has joined ##openvpn 09:10 < seljo> hi 09:11 < seljo> can someone explain the tun mode ? 09:11 < seljo> !iporder 09:11 < vpnHelper> seljo: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 09:12 < seljo> !interface 09:12 < vpnHelper> seljo: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 09:12 < seljo> !topology 09:12 < vpnHelper> seljo: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 09:12 < seljo> noone ? 
09:13 -!- seljo [n=matija@82.193.209.4] has left ##openvpn [] 09:20 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 10:05 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 10:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 10:23 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 10:29 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 10:34 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 60 (Operation timed out)] 10:36 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn 10:37 -!- unix3 [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)] 10:54 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 11:03 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn 11:05 < fixxxermet> !howto 11:05 < vpnHelper> fixxxermet: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:08 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"] 11:11 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 11:38 < fixxxermet> I am getting an error when starting openvpn. http://pastebin.com/d386f9f26. I have verified my client file (clientKyle.crt: OK). Any other ideas? 
11:43 -!- nemysis is now known as nemysis_ 11:52 -!- nemysis_ is now known as nemysis 11:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"] 12:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 12:13 -!- Solvik [n=solvik@oxyradio.com] has joined ##openvpn 12:22 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has joined ##openvpn 12:59 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has quit [Read error: 60 (Operation timed out)] 13:03 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 13:04 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has quit [Read error: 111 (Connection refused)] 13:11 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has joined ##openvpn 13:17 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 13:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 13:25 * plaerzen waves 13:34 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 60 (Operation timed out)] 13:39 -!- giovanni_ [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has joined ##openvpn 13:39 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has quit [Read error: 110 (Connection timed out)] 13:46 < fixxxermet> http://pastebin.com/d1116e4b6 Can anyone help me with that error? 14:06 < fixxxermet> Sun May 3 15:03:08 2009 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=MARYLAND/L=CATONSVILLE/O=SwiftStaffing/CN=ronlinuxdell/emailAddress=rswift@domain.tld The CN isn't being set right while I am building the ca files. 
14:19 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has left ##openvpn [] 14:20 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn 14:24 -!- apollo13 [i=pd@unaffiliated/apollo13] has left ##openvpn ["Leaving"] 14:27 -!- giovanni_ [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has quit ["Sto andando via"] 15:10 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 15:16 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."] 15:23 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 15:38 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 15:39 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 15:45 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has quit [Remote closed the connection] 16:00 -!- Schiz0|SD [i=schiz0@unaffiliated/schiz0] has quit [Read error: 110 (Connection timed out)] 16:08 -!- yarihm [n=yarihm@adsl-68-124-30-156.dsl.pltn13.pacbell.net] has left ##openvpn ["Leaving"] 16:10 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 16:19 -!- gregHome_ [n=gleblanc@75.108.45.57] has quit [Read error: 104 (Connection reset by peer)] 16:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 17:42 < dan__t> http://www.speedtest.net/result/465719975.png 17:53 -!- mikkel [n=mikkel@84.238.113.66] has quit [Client Quit] 17:59 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 18:12 < krzie> damn man 18:12 < krzie> thats fatty 18:25 < krzie> fixxxermet what CN are you trying to have? 18:27 < fixxxermet> krzie: Shouldn't the CN be the same as the IP that you are connecting to in client.conf with the 'remote' option? 
18:28 < krzie> no 18:28 < krzie> it should be whatever you decide to name each machine 18:29 < krzie> as long as its unique its fine 18:29 < krzie> i have a CN of CA on my CA, server for my server, and random names for each client 18:29 < krzie> i dont think spaces would be handled right, prolly same for some other chars too 18:37 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 18:41 < fixxxermet> krzie: So when building my CA, the CN should match the hostname? And then the server key hostname is server? 18:41 < krzie> it does NOT need to be a hostname 18:41 < krzie> just anything unique 18:42 < fixxxermet> ok 18:53 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 18:54 < fixxxermet> so I guess the CN error is not related to my problem. 18:55 < reiffert> type = server 18:55 < fixxxermet> whats up? 18:55 < reiffert> nsCertType = server 19:21 < Guest92433> nsCertType is discouraged compared to an EKU of clientAuth or serverAuth 19:21 -!- Guest92433 is now known as pekster 19:59 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 20:57 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 21:01 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 60 (Operation timed out)] 21:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection] 21:18 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has joined ##openvpn 21:19 < zig> hi all, I've setup a standard openvpn server (with server.conf provided in examples doc) 21:19 < zig> there is one thing I do not understand, the server ip is 10.8.0.1 (I'm using NAT, not a bridge) 21:20 < zig> but a default gateway was defined as 10.8.0.2 on the server too; what does it correspond to ? 
21:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 21:21 < zig> additionally; when a client connects, no route is defined to it via the nat interface 21:21 < zig> I had to add it manually 21:39 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:29 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has quit [Read error: 113 (No route to host)] 22:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 22:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] --- Day changed Mon May 04 2009 00:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 00:04 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 00:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 00:26 -!- frank__ [n=frank@ti500720a080-1234.bb.online.no] has joined ##openvpn 00:37 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 00:50 -!- infinity_ [i=brendon@saleen.netcal.com] has quit ["leaving"] 00:57 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 00:57 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 01:03 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 01:16 -!- worch [i=worch@battletoad.com] has quit [Read error: 60 (Operation timed out)] 01:16 -!- worch [i=worch@battletoad.com] has joined ##openvpn 01:29 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn 01:45 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 01:45 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 01:57 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn 02:11 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the 
connection] 02:13 -!- zig [n=zig@118.6.196.219] has joined ##openvpn 02:15 < krzee> !route 02:15 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:25 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 02:33 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 02:38 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 03:30 < dazo> !tunortap 03:30 < vpnHelper> dazo: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 03:35 -!- zig [n=zig@118.6.196.219] has quit [Read error: 113 (No route to host)] 03:37 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 03:43 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 04:04 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 04:04 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 04:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 05:40 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn 05:44 -!- frank__ [n=frank@ti500720a080-1234.bb.online.no] has quit [Read error: 110 (Connection timed out)] 05:51 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [] 05:51 -!- bagpuss_thecat [n=bagpuss_@2001:41c8:1:5253:0:0:0:2] has joined ##openvpn 05:54 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)] 05:54 -!- DeviantPeer [n=kvirc@87.196.181.110] has joined ##openvpn 05:54 < DeviantPeer> Hi all. 
05:59 -!- floyd_n_milan_ is now known as floyd_n_milan
06:06 < reiffert> Hi DeviantPeer.
06:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
06:49 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
06:50 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
06:51 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Remote closed the connection]
06:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
08:04 -!- exoeoeoeoe [i=Executio@dslb-094-223-191-212.pools.arcor-ip.net] has joined ##openvpn
08:05 < exoeoeoeoe> http://3x3cut10n3r.mybrute.com/ <-- have fun & good luck
08:05 < vpnHelper> Title: 3x3cut10n3r My Brute (at 3x3cut10n3r.mybrute.com)
08:05 -!- exoeoeoeoe [i=Executio@dslb-094-223-191-212.pools.arcor-ip.net] has quit [Remote closed the connection]
08:10 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
08:17 -!- frank__ [n=frank@ti500720a080-6624.bb.online.no] has joined ##openvpn
08:26 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: bandinia, isox, frank__, feinoM, qknight, M06w, dazo, disco-, youngpro, xor|, (+46 more, use /NETSPLIT to show all of them)
08:27 -!- Netsplit over, joins: krzee, frank__, epaphus, nemysis, Deffie_, polaru, DeviantPeer, bagpuss_thecat, floyd_n_milan, jfkw (+46 more)
08:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:49 -!- epaphus [n=unix3@201.199.62.74] has quit [Success]
08:55 -!- frank__ [n=frank@ti500720a080-6624.bb.online.no] has quit [Read error: 110 (Connection timed out)]
09:07 -!- Cronixx [i=irssi@62.141.56.213] has joined ##openvpn
09:07 < Cronixx> hi all
09:07 < Cronixx> i wanna bind a static ip to the connected openvpn client
09:07 < Cronixx> is that even possible?
09:08 < Cronixx> so the client is accessible from outside via the openvpn servers static public IP
09:08 < Cronixx> like dyndns with IP's
09:09 -!- bagpuss_thecat [n=bagpuss_@2001:41c8:1:5253:0:0:0:2] has left ##openvpn []
09:09 < Cronixx> is that even openvpn related or is it more an iptables related question?
09:10 < project2501a> hey guys, question: can i make the damn openvpn server NOT timeout every connection?
09:11 < project2501a> is there an option that says "keep connection alive even if it's udp"?
09:11 < Cronixx> have u set keepalive in config?
09:12 < Cronixx> like
09:12 < Cronixx> keepalive 10 60
09:13 < project2501a> let me see. the server keeps resetting the connections. maybe i should enter keepalive on my end
09:14 < project2501a> ya i had keepalive 10 20
09:14 < Cronixx> hm
09:14 < project2501a> on my client
09:14 < Cronixx> try setting it higher
09:15 < project2501a> i just lowered that to 1 20
09:15 < project2501a> why higher?
09:15 < Cronixx> 10 30 or even 10 40
09:15 < Cronixx> because a lower setting gives the server less time to answer
09:15 < project2501a> ah
09:15 < Cronixx> so if the server answers slow
09:15 < Cronixx> you could increase that time
09:15 < project2501a> erh, it's a hp dl320
09:15 < Cronixx> to let it wait longer for a reply
09:15 < project2501a> dual xeon :D
09:15 < Cronixx> ergo not time out the connection
09:15 < project2501a> on a fiber line :D
09:15 < Cronixx> hmm
09:15 < project2501a> ya
09:16 < Cronixx> im working on a dl360 with dual xeon atm
09:16 < project2501a> Cronixx: that's where *i* am at. at that "hmm"
09:16 < Cronixx> xD
09:16 < project2501a> i'm like wtf
09:16 < project2501a> i got 100mbit connection to my house
09:16 < Cronixx> omg
09:16 < project2501a> and the server is at work
09:16 < Cronixx> i want 2
09:16 < project2501a> and the piece of shit times out
09:16 < Cronixx> hmmm
09:16 < Cronixx> very strange
09:17 < project2501a> i need some cash so i can go buy a cisco router so i can deal with this problem permanently
09:17 < project2501a> anyway
09:17 < Cronixx> xD
09:17 < project2501a> set keepalive to 1 20
09:17 < Cronixx> maybe you can help me?
09:17 < project2501a> let's see what happens
09:17 < project2501a> Cronixx: sure
09:17 < project2501a> whatever i can bro
09:17 < Cronixx> i have a setup
09:17 < Cronixx> 2 servers
09:17 < project2501a> don't we all? :D
09:17 < project2501a> heheh :D
09:17 < project2501a> go ahead
09:17 < Cronixx> one is at a datacenter
09:18 < ecrist> good morning, folks
09:18 < Cronixx> with 3 static public ips
09:18 < Cronixx> and the other one at home
09:18 * project2501a waves to ecrist
09:18 < Cronixx> static ip too
09:18 < Cronixx> but firewalled
09:18 < Cronixx> so
09:18 < Cronixx> i now have a vpn tunnel between the servers
09:18 < Cronixx> now i want to set 1 of the 3 static IP's as the tunnel endpoint
09:19 < Cronixx> so the second server at my home is reachable from the static ip of the server in the datacenter
09:19 < Cronixx> every port needs to be forwarded to the server at my home / the vpn client
09:19 < Cronixx> for that ip
09:19 < Cronixx> it's done via iptables right?
09:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:20 < project2501a> ya
09:20 < Cronixx> damn
09:20 < Cronixx> i cant do a fu*k with iptables
09:20 < project2501a> hehe
09:20 < project2501a> is it production?
09:20 < Cronixx> sure
09:20 < Cronixx> wanna run a CSS server on the client
09:20 < project2501a> ya don't mess with production
09:20 < project2501a> oh, css.
09:20 < project2501a> dude :P
09:20 < Cronixx> oh its going to be production
09:20 < Cronixx> atm it isnt
09:20 < Cronixx> its a high end server
09:21 < Cronixx> just need to have a static ip
09:21 < Cronixx> ;D
09:21 < project2501a> have an internal ip and assign the tun to that
09:21 < Cronixx> css-server -> openvpn-client -> openvpn server -> static ip
09:21 < Cronixx> and other way round
09:21 < project2501a> or rather set the tun to the static ip you with
09:21 < project2501a> but
09:21 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 54 (Connection reset by peer)]
09:21 < Cronixx> how?
09:22 < project2501a> s/with/wish/
09:22 < Cronixx> im not that crack in networking
09:22 < Cronixx> ;(
09:23 < project2501a> well, provided you run linux, modprobe tun; lsmod | grep tun
09:24 < project2501a> see if the tun module is loaded in the kernel
09:24 < Cronixx> the tunnel is already set up
09:24 < project2501a> did you ifconfig the tunnel to the ip you want?
09:26 < Cronixx> how?
09:26 < Cronixx> w8
09:26 < Cronixx> i'll show u my configuration files
09:26 < project2501a> why?
09:26 < project2501a> ip forwarding is done via iptables
09:27 < Cronixx> http://pastebin.com/m65c8a211
09:27 < Cronixx> how does the iptables statement have to look?
09:29 < project2501a> erh, dude, read the manual :P
09:29 < Cronixx> i hate iptables ;C
09:29 < Cronixx> the prob is
09:29 < Cronixx> i dont have eth0 - 2 on the server
09:29 < Cronixx> only venet0:0 - 2
09:30 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:57 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit []
10:00 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
10:02 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
10:02 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
10:04 -!- Cronixx [i=irssi@62.141.56.213] has quit ["Lost terminal"]
10:04 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [Client Quit]
10:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:40 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
10:51 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
10:56 -!- DeviantPeer [n=kvirc@87.196.181.110] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090115, built on: 2009/03/07 00:45:02 UTC http://www.kvirc.net/"]
11:11 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:35 -!- Timpa [n=timpa@c-c31470d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
11:41 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
11:42 -!- arturob [n=bandini@host230-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
11:56 -!- bandinia [n=bandini@host174-107-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
12:03 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:17 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
12:20 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn
12:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:29 -!- prop_ [n=dd@IGLD-84-228-155-161.inter.net.il] has joined ##openvpn
12:33 < prop_> guys, is there something I'm missing about the whole VPN operation? is there a real reason why a 300KByte line gets a penalty to -6Kbyte- ?
12:33 < prop_> I use IP#1 of the server, to connect to the VPN server, and I use IP#2 - to make GET HTTP request
12:33 < prop_> IP#1 = 300KByte , IP#2(through the tunnel) .. currently ~6KB
12:38 -!- arturob [n=bandini@host230-23-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
12:44 -!- Cronix [n=Cr0nix@e180070100.adsl.alicedsl.de] has joined ##openvpn
12:44 < Cronix> hi all
12:44 < Cronix> is there a good tutorial for ip based routing out there for openvpn?
12:45 < Cronix> !redirect
12:45 < vpnHelper> Cronix: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:45 < Cronix> !ipforward
12:45 < vpnHelper> Cronix: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
12:45 < Cronix> !linipforward
12:45 < vpnHelper> Cronix: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
12:46 < Cronix> !nat
12:46 < vpnHelper> Cronix: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
12:46 < Cronix> !linnat
12:46 < vpnHelper> Cronix: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:46 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has joined ##openvpn
12:47 < Cronix> thats useless
12:47 < Cronix> because i dont have eth0 etc on my server
12:47 < Cronix> theyre called venet0:0 etc for me
12:47 < prop_> virtual environment?
12:47 < Cronix> and iptables throws out errors if i use them instead of eth0 etc
12:47 < Cronix> thats why i need ip based forwarding
12:48 < Cronix> but there arent any links or howtos out there
12:48 < Cronix> or lets say i havent found them
12:48 < prop_> Cronix: virtual environment?
12:48 < Cronix> jup
12:48 < Cronix> VRS server
12:48 < Cronix> need it for pseudo static ip of a server at my home
12:48 < prop_> Cronix: have you tried "venet0" ?
12:48 < Cronix> doesnt even exist
12:48 < Cronix> i have 3 ve nets
12:49 < Cronix> all 3 with a different static public ip
12:49 < Cronix> venet0:0 is one ip
12:49 < Cronix> venet0:1 is one
12:49 < Cronix> and venet0:2 is an other one
12:49 < prop_> you don't have venet0 ?
12:49 < Cronix> nope
12:50 < Cronix> thats why i need to forward using source and destination ip
12:50 < prop_> "cat /dev/net/tun" ?
12:50 < Cronix> but it isnt even documented very well
12:50 < Cronix> exists
12:50 < Cronix> cat: /dev/net/tun: Die Dateizugriffsnummer ist in schlechter Verfassung
12:50 < Cronix> but thats normal
12:50 < Cronix> the vpn connection is established
12:51 < Cronix> i can ping between the servers
12:51 < Cronix> i can even ssh from one to another
12:51 < Cronix> but i need to use one of my 3 static ip's as default route to route all the vpn traffic to the internet
12:51 < Cronix> but as i said
12:51 < prop_> mind to pastebin your ifconfig ?
12:51 < Cronix> those devices got only venet0:*
12:51 < Cronix> sure
12:52 < Cronix> ok
12:52 < Cronix> got venet0 but thats localhost
12:52 < Cronix> sry
12:52 < prop_> Cronix: use venet0
12:52 < Cronix> but thats localhost
12:52 < prop_> use venet0 , define source and target
12:52 < prop_> iptables -t nat -L ?
12:53 < Cronix> how?
12:53 < Cronix> and why venet0?
12:53 < Cronix> it points to localhost
12:53 < Cronix> http://pastebin.com/d6a60fa25
12:53 < Cronix> my ifconfig
12:54 < prop_> what does your iptables say ^^ ?
12:54 < Cronix> havent done anything with iptables yet
12:54 < Cronix> what do u want me to do?
12:54 < prop_> "iptables -t nat -L"
12:54 < Cronix> http://pastebin.com/m7a358c3f
12:54 < Cronix> empty
12:56 < Cronix> what i want
12:56 < Cronix> is
12:56 < Cronix> something like a DMZ
12:56 < Cronix> from the static IP#
12:57 < Cronix> to the server which is connected via VPN
12:57 < Cronix> and back
12:57 -!- frank__ [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn
12:58 < prop_> not sure if I understand
12:59 < Cronix> server1 is reachable on the internet via 3 different static IP's
12:59 < Cronix> one of the 3 IPs should be used as gateway to the connected vpn client
12:59 < Cronix> so every port on that ip will be forwarded to the client
13:00 < Cronix> and every access of the internet from the client should go out as this ip too
13:00 < prop_> Cronix: well, now its more clear
13:00 < Cronix> so actually change the ip usage from server to client
13:00 < prop_> Cronix: try: iptables -t nat -I POSTROUTING -s VPN_CLIENT_IP -o venet0 -j SNAT --to GATEWAY_IP
13:00 < Cronix> so that the server cant use it anymore because every port will be used by the other server
13:00 < Cronix> and thats all?
13:01 < prop_> Cronix: that's supposed to route the source to the public, regarding the opposite direction I'm not familiar
13:01 < Cronix> hm
13:01 < Cronix> okay
13:01 < Cronix> thx xD
13:01 < prop_> but it could be that just switching places of source and target should work
13:01 < Cronix> trying now
13:02 < Cronix> do i need to echo 1 to some file?
13:03 < prop_> "echo 1 > /proc/sys/net/ipv4/ip_forward"
13:03 < Cronix> hm
13:03 < Cronix> still landing on the vpn server via ssh
13:04 < prop_> what do you mean
13:04 < Cronix> the client is connected
13:04 < Cronix> ive typed the 3 lines
13:04 < Cronix> (copy pasted them)
13:04 < Cronix> and ssh'd to the ip ive forwarded
13:04 < Cronix> but instead of being connected to the vpn client im connected to the vpn server
13:05 < prop_> check the opposite direction
13:05 < prop_> try from the client --> out to the world
13:05 < Cronix> how?
13:05 < Cronix> k
13:05 < Cronix> 1 sec
13:06 < Cronix> nope
13:06 < Cronix> still the internet ip of the client
13:06 < Cronix> do i need to change something clientside?
13:07 < prop_> push "redirect-gateway" <-- is on the server.conf ?
13:07 < prop_> push "dhcp-option DNS 10.8.0.1" <-- server.conf ?
13:08 < Cronix> jup
13:12 < prop_> mmmm
13:12 < prop_> Cronix: http://openvpn.net/index.php/documentation/howto.html#redirect
13:12 < vpnHelper> Title: HOWTO (at openvpn.net)
13:12 < prop_> Cronix: try reading up on that, I'm not sure whats wrong
13:12 < Cronix> alright
13:15 -!- arnold_ [n=arnold@85-127-205-89.dynamic.xdsl-line.inode.at] has joined ##openvpn
13:18 -!- epaphus [n=unix3@190.10.68.227] has quit [Client Quit]
13:19 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has quit ["Quitte"]
13:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:21 < arnold_> !interface
13:21 < vpnHelper> arnold_: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
13:21 < arnold_> anyone can help me on a nasty problem with openvpn ?
13:22 < arnold_> my vpn was already working but since a restart of the server it doesn't work anymore
13:22 < arnold_> I get a connection to it
13:22 < arnold_> but I cannot ping 10.8.0.X (vpn tun0 devices) nor my destination LAN (192.168.2.X)
13:33 < ecrist> is openvpn running on the server?
13:33 < ecrist> !logs
13:33 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6
13:37 < arnold_> http://pastebin.com/d2a729827
13:37 < arnold_> server
13:38 < ecrist> line 189 sticks out...
13:38 -!- Timpa [n=timpa@c-c31470d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
13:39 < arnold_> but route should be set
13:39 < arnold_> [root@server openvpn]# netstat -rn
13:39 < arnold_> Kernel IP Routentabelle
13:39 < arnold_> Ziel Router Genmask Flags MSS Fenster irtt Iface
13:39 < arnold_> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
13:39 < arnold_> 195.202.174.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
13:39 < arnold_> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
13:39 < arnold_> 10.8.0.0 192.168.2.10 255.255.255.0 UG 0 0 0 eth0
13:39 < arnold_> 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
13:39 < arnold_> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
13:39 < arnold_> 0.0.0.0 195.202.174.1 0.0.0.0 UG 0 0 0 eth1
13:40 < ecrist> don't paste your routing table here, that's what pastebin is for.
13:40 < ecrist> ok, I don't know what that script does, but something exited wrong. all I'm saying.
13:40 < arnold_> http://pastebin.com/m7ae5c5d9
13:40 < ecrist> firewall missing some rules that you added manually?
13:40 < arnold_> nope should be all fine
13:40 < arnold_> also when I deactivate the firewall it doesn't work
13:41 < ecrist> where are the client logs?
13:42 < arnold_> need to check how I can copy them (Tunnelblick doesn't like copy/paste)
13:43 < arnold_> client logs from command line:
13:43 < arnold_> http://pastebin.com/m767f85e2
13:43 < arnold_> I even cannot ping 10.8.0.X which I should be able to even if routing is fucked up
13:45 < ecrist> right-click, select copy
13:45 < ecrist> it just doesn't like the command-c
13:45 < ecrist> can you ping 10.8.0.1?
13:46 < arnold_> no
13:46 < arnold_> here are the logs from tunnelblick: http://pastebin.com/m6585f309
13:47 < ecrist> ok, if you have an IP assigned by OpenVPN, it appears you have 10.8.0.6, you should be able to ping 10.8.0.1
13:48 < arnold_> but I cannot
13:48 < ecrist> if you cannot, it's 99% likely it's a firewall issue.
13:49 < arnold_> firewall is turned off
13:49 < ecrist> iptables?
13:49 < ecrist> !iptables
13:49 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
13:49 < arnold_> http://pastebin.com/m628e0c11
13:49 < arnold_> this is my current iptables setup
13:49 < arnold_> on the server
13:49 < ecrist> I'm the wrong one to ask about iptables, read the links from vpnHelper
13:50 < arnold_> at the moment it is set to accept anything
13:50 < ecrist> most people forget one set of tables or something when they disable their firewall
13:50 < arnold_> will check the pages
13:54 < arnold_> even with this config it doesn't work:
13:54 < arnold_> http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
13:54 < vpnHelper> Title: OpenVPN/Firewall - Secure Computing Wiki (at www.secure-computing.net)
13:55 < arnold_> this is my tun0 on the client:
13:55 < arnold_> tun0: flags=8851 mtu 1500
13:55 < arnold_> inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff
13:55 < arnold_> open (pid 1226)
13:56 < arnold_> and I even cannot ping this one
13:56 < arnold_> noname:~ arnold$ ping 10.8.0.6
13:56 < arnold_> PING 10.8.0.6 (10.8.0.6): 56 data bytes
13:56 < arnold_> ^C
13:56 < arnold_> --- 10.8.0.6 ping statistics ---
13:56 < arnold_> 1 packets transmitted, 0 packets received, 100% packet loss
13:56 < arnold_> ,
14:01 < arnold_> any ideas ?
14:29 -!- Intensity [i=[HiX103q@panix1.panix.com] has joined ##openvpn
15:16 -!- arnold_ [n=arnold@85-127-205-89.dynamic.xdsl-line.inode.at] has quit []
15:19 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
15:20 -!- znh [n=user@unaffiliated/znh] has joined ##openvpn
15:20 < znh> Hello lads
15:21 < znh> I have a few clients that make use of the redirect-gateway paramanter in the server config. can I configure a client to not listen to that paramanter?
15:21 < znh> I'd rather not touch the server's configuration file
15:23 < znh> *paramenter
15:28 < krzie> sure
15:28 < krzie> its something along the lines of route-nopull or something
15:28 < krzie> !man
15:28 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:29 < znh> --route-noexec
15:29 < znh> Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.
15:29 < krzie> --route-nopull
15:29 < krzie> When used with --client or --pull, accept options pushed by server EXCEPT for routes.
15:29 < krzie> When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
15:29 < znh> oh
15:29 < krzie> it will ignore pushed routes with that
15:29 < krzie> but allow the rest of pull to work
15:30 < krzie> aka exactly what you asked for
15:30 < znh> I googled --route-nopull.. no results!?
15:30 < krzie> why use google when you have a manual
15:30 < znh> no clue. Im kinda brainwashed by Google
15:30 < krzie> fine, then use it right
15:31 < krzie> !google route-nopull
15:31 < znh> I can't find --route-nopull either on the man page
15:31 < vpnHelper> krzie: Gmane -- Mail To News And Back Again: ; Gmane -- Mail To News And Back Again: ; [Openvpn-devel] [PATCH] Default route metric:
15:31 < znh> closest thing I can find is route-noexec
15:31 < krzie> oh ya it seems to be a 2.1 option
15:32 < znh> using 2.0.9 here
15:32 < krzie> seems we found the problem
15:32 < krzie> upgrade the client you want not to pull to 2.1
15:32 < znh> won't I have issues with different versions?
15:33 < krzie> you tell me
15:33 < krzie> (after trying)
15:33 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:33 < znh> (o really)
15:33 < krzie> i dont expect it to because i believe the stuff gets pushed both ways, but with nopull gets ignored by client
15:33 < znh> 2.1 is a development version correct
15:34 < krzie> i know they can connect fine, if the server uses something the client doesnt there would be a problem
15:34 < krzie> but i think this would be fine
15:34 < krzie> yes, 2.1 is devel
15:36 < znh> mm upgraded the client, connected without errors. yet no communication with the VPN
15:36 < znh> default gateway points to non-vpn though
15:37 < znh> Mon May 04 22:35:51 2009 Options error: option 'route' cannot be used in this co
15:37 < znh> ntext
15:37 < znh> Mon May 04 22:35:51 2009 Options error: option 'redirect-gateway' cannot be used in this context
15:37 < znh> Mon May 04 22:35:51 2009 Options error: option 'route' cannot be used in this co
15:37 < znh> ntext
15:38 < znh> without route-nopull it works out of the box. It's not a version conflict
15:38 < krzie> !configs
15:38 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:39 < znh> http://pastebin.com/m38db2f79
15:39 < krzie> ...
15:40 < krzie> missing a few things
15:40 < znh> you tell me
15:40 < krzie> read what my bot said again
15:40 < krzie> !configs
15:40 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:43 < znh> http://pastebin.com/m5b0e5aef
15:45 < krzie> what does and doesnt work when you connect the above client?
15:45 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit [Nick collision from services.]
15:45 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:45 -!- Dougy_ [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn
15:45 < Dougy> krzie
15:45 < Dougy> you know what makes me sad
15:45 < Dougy> that $25 backplane is too big for your server
15:45 < Dougy> so its useles
15:45 < Dougy> s
15:45 < krzie> lol
15:45 * Dougy sighs
15:45 < Dougy> $25 -> garbage
15:46 < znh> it can reach the internet through the LAN router. Client can't ping VPN router or anything on the VPN's LAN
15:46 < znh> with route-nopull that is.
15:48 < znh> tracert indicates that traffic is routed through the LAN router
15:49 < Dougy> krzie im gonna kill someone
15:49 < Dougy> :'(
15:49 < krzie> znh no kidding
15:49 < krzie> znh, ping 192.168.90.1 from the client after connecting
15:49 < znh> tried. times out
15:50 < krzie> znh
15:50 < krzie> !logs
15:50 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
15:50 < krzie> i only want the client log
15:51 * Dougy grunts
15:51 < krzie> also, something important for you to know
15:51 < Dougy> gr
15:51 < krzie> !tcp
15:51 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:51 < Dougy> the backplate is a tower backplate
15:51 < Dougy> LAME
15:51 < krzie> dougy, helps to pay attention to what you're buying ;]
15:51 < Dougy> wel
15:52 < Dougy> i knew what i was buying
15:52 < Dougy> but this chassis is anal
15:52 < Dougy> http://www.google.com/url?sa=t&source=web&ct=res&cd=7&url=http%3A%2F%2Fwww.supermicro.com%2Fproducts%2Fchassis%2F1U%2F512%2FSC512L-200.cfm&ei=d1X_ScaQGoaeM_fF9a0E&usg=AFQjCNESju4h2c4IICny66RrwqPEv9_XkA
15:52 < vpnHelper> Title: Super Micro Computer, Inc. - Products | Chassis | 1U | SC512L-200B (at www.google.com)
15:52 < Bushmills> what is "remote IP-HERE 1194" ??
15:52 < Dougy> http://www.supermicro.com/products/chassis/1U/512/SC512L-200.cfm
15:52 < vpnHelper> Title: Super Micro Computer, Inc. - Products | Chassis | 1U | SC512L-200B (at www.supermicro.com)
15:52 < znh> can't avoid TCP. UDP is blocked by firewall at a lot of clients
15:52 < krzie> Bushmills hes hiding his ip cause he trusts us enough to get help but hes scared that we'll all hack him if he gives his ip
15:52 < Bushmills> did you massage the config to remove the actual ip address there, or was that literally taken
15:53 < znh> removed IP on purpose. everyone can read pastebins :)
15:53 < krzie> yet he doesnt bother to use HMAC keys or check the server cert to stop MITM attacks
15:53 < Bushmills> ah, ok. looked a bit like an unfinished client config
15:54 < krzie> (which btw is explained in !hmac and !mitm )
15:54 < Bushmills> moin moin krzie.
15:54 < krzie> moin
15:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:55 < krzie> http://www.youtube.com/watch?v=B7NTYeRg5Dg
15:55 < vpnHelper> Title: YouTube - A monkey trying to rape a goat (at www.youtube.com)
15:55 < Bushmills> grin
15:55 < znh> http://pastebin.com/m1cd182e3 client's log verb 6
15:57 < krzie> znh, add these to the client config
15:57 < krzie> route 192.168.90.0 255.255.255.0
15:57 < krzie> route 192.168.1.0 255.255.255.0
15:57 < krzie> then reconnect
15:58 < znh> Fuck yeah!
15:58 < znh> Thanks monkey. that did the trick
15:58 < krzie> yw
15:59 < znh> !hmac
15:59 < vpnHelper> znh: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls
15:59 < vpnHelper> znh: static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
16:00 < krzie> oh right you arent using UDP
16:00 < krzie> so that wont help, but you still want !mitm
16:00 < znh> !mitm
16:00 < vpnHelper> znh: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
16:00 < znh> I used build-key-server script
16:00 < krzie> !servercert
16:00 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
16:01 < krzie> grr its not there
16:01 < krzie> !sample
16:01 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:01 < krzie> !learn mitm as then use: ns-cert-type server in the client config
16:01 < vpnHelper> krzie: Joo got it.
16:01 < znh> is it really that bad to use TCP as protocol?
16:02 < krzie> did you bother reading the link?
16:02 < krzie> !tcp
16:02 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:02 < krzie> worst case i'd do this:
16:02 < znh> I did bother. It's just not that easy
16:02 < krzie> run openvpn 2x, 1 for udp 1 for tcp
16:02 < krzie> 192.168.90.0 and 192.168.91.0
16:03 < krzie> then use blocks to try udp first, with fallback to tcp
16:03 < krzie> so anyone who can will use udp
16:03 < krzie> also if you dont run a NS on the server, use udp port 53 for server
16:03 < krzie> it will be open in more firewalls
16:03 < znh> m good one
16:07 < znh> can you explain in easy english what the downside is of using TCP?
16:07 < Dougy> krziue
16:07 < Dougy> krzie
16:07 < Dougy> i checked out the dc yesterday
16:07 < Dougy> i think im gonna sign up
16:07 < krzie> when you tunnel tcp over tcp the retransmission stuff built into tcp works against you
16:08 < krzie> a single retransmission can trigger a flood of retransmissions building on each other from inside and outside the tunnel
16:08 < krzie> and degrade your whole tunnel
16:08 < znh> mm so on bad connections this would occur
16:08 < krzie> if you fully read that link it explains perfectly
16:09 < krzie> even with pictures
16:09 < project2501a> hey guys
16:09 < krzie> you just cant skim it
16:09 < krzie> znh, people have reported issues on good connections
16:09 < project2501a> is there anyway to make openvpn maintain the connection open?
16:09 < project2501a> like switch it to tcp?
16:09 < krzie> project2501a, read on --keepalive 16:09 < krzie> tcp is bad, read this: 16:09 < krzie> !tcp 16:09 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 16:09 * project2501a is reading 16:10 < project2501a> krzee: i got --keepalive on my client side, should i add it to the server side as well? 16:10 * znh loves that IE8 blocks about:blank by default 16:10 < krzie> project2501a, i expect after you understand what it is/does you wont need to ask that 16:11 < project2501a> krzee: hai hai krzee-sama 16:11 < plaerzen> sweet. I _may_ be reviewing papers for LISA '09 16:11 < project2501a> krzee: gomenasai! 16:11 < project2501a> plaerzen: can i haz free pass? :D 16:11 < Dougy> LISA? 16:11 < project2501a> sysadmin-con 16:11 < krzie> project2501a you speaking english? 16:11 < plaerzen> large installation system administration 16:11 < Dougy> ooh 16:12 < Dougy> hmm 16:12 < Dougy> cod5. 16:12 < project2501a> krzee: um, english, greek, german, spanish, italian and some japanese. 16:12 < project2501a> why? 16:12 < Dougy> whoa 16:12 < Dougy> i wish i spoke all those 16:12 < krzie> krzee: hai hai krzee-sama 16:12 < krzie> krzee: gomenasai! 16:12 < project2501a> oh, sorry :) 16:12 < project2501a> Dougy: i wish i was presenting a paper in LISA 16:12 < znh> project2501a: mio nomo estas Johano 16:13 < project2501a> znh: viva chinco de mayo :D 16:13 < znh> omfg 16:13 < Dougy> yo tengo un monstruo in mi pantalones 16:13 < Dougy> en* 16:13 < project2501a> Dougy: you wish :D 16:13 < Dougy> nope 16:13 < Dougy> yo tengo 16:14 < project2501a> anyway, happy zapatistas liberation movement day. 16:14 < project2501a> let's seeeeeee, sysadmin on a Plan 9 grid... 16:14 < Dougy> afk 16:14 < project2501a> plaerzen: where's lisa 09 taking place? 
16:15 < znh> project2501a: btw that was Esperant 16:15 < znh> Esperanto 16:15 < plaerzen> project2501a, baltimore 16:15 < project2501a> znh: it looked italian-ish 16:16 < znh> that's the power of the language.. everyone can read it 16:16 < znh> and learn it :p 16:16 < project2501a> :D 16:16 < znh> I wish the fucknuts of the internets used that instead of English :) 16:17 < znh> !offtopic 16:17 < project2501a> znh: convince /b/ to use esperando ;) 16:17 < vpnHelper> znh: Error: "offtopic" is not a valid command. 16:17 < znh> heh. I have my doubts about /b/'s intelligence 16:17 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 16:17 < project2501a> that's the whole point, aint it? 16:18 < znh> "anonymous" 'chit-chat' 16:26 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn 16:27 -!- znh [n=user@unaffiliated/znh] has quit ["Lost terminal"] 16:27 < project2501a> i just read the man page and added keepalive on the server conf 16:28 < project2501a> is there a way to test the server conf without restarting it? 16:28 < krzie> no 16:28 < Dougy> yes 16:28 < Dougy> run it on another dev server 16:28 < Dougy> ;] 16:28 < project2501a> Dougy: heh. ya, that's my project for tomorrow morning 16:29 < chrisbdaemon> Hey, I could use some help. I'm trying to setup openvpn on my OpenBSD 4.5 server and I get a whole bunch of errors when I put the openssl.cnf file that comes with the package, http://pastebin.com/d68d14b97 16:30 < chrisbdaemon> i think it might be something to do with "export KEY_CONFIG=`$EASY_RSA/openssl.cnf $EASY_RSA`" but i'm not sure.. 16:30 < chrisbdaemon> thats in vars btw 16:32 < krzie> that should be fine if $EASY_RSA is set right 16:34 < chrisbdaemon> which I didn't change, is openssl.cnf supposed to be a shell script? it looks like vars is trying to execute it.. 
16:36 < chrisbdaemon> and it looks nothing like any shell scripts i've seen, more like just a plain configuration file 16:36 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 16:36 < krzie> no its not a shell script 16:37 < krzie> its the config file for openssl 16:37 < krzie> "export 16:37 < krzie> KEY_CONFIG=`$EASY_RSA/openssl.cnf $EASY_RSA`" 16:37 < chrisbdaemon> iirc, putting something in backticks executes it doesn't it? 16:37 < krzie> that exports a variable named KEY_CONFIG 16:37 < chrisbdaemon> ` 16:37 < krzie> those should be single quotes 16:38 < chrisbdaemon> the aren't :\ 16:38 < chrisbdaemon> thye* 16:38 < chrisbdaemon> they* 16:38 < krzie> time to fix it then 16:38 < krzie> i dont use easy-rsa 16:38 < krzie> i use ssl-admin 16:38 < krzie> !ssl-admin 16:38 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 16:39 < chrisbdaemon> and its not just openbsd's package that has that line in vars set like that, its in the source tarball from the openvpn site 16:40 < krzie> then it must work that way normally 16:40 < krzie> since shittons of people use it 16:40 < krzie> but as i said, i dont use easy-rsa 16:42 < chrisbdaemon> yea 16:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 16:51 < chrisbdaemon> well, thanks for the help 16:51 < chrisbdaemon> cya 16:51 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"] 17:26 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 17:40 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 104 (Connection reset by peer)] 17:50 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)] 18:10 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 
18:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 18:25 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"] 18:40 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has joined ##openvpn 18:48 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)] 19:10 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 20:00 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:02 -!- Skiff [n=skiff@unaffiliated/skiff] has joined ##openvpn 20:02 < Skiff> !howto 20:02 < vpnHelper> Skiff: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:10 -!- ido-- [n=wtf@212.199.189.65] has joined ##openvpn 20:11 < prop_> anybody can help with transfer speed issues? 20:13 < ido--> hrm. i have a server 10.8.0.0 255.255.255.0 directive, and i'm testing my setup on a localhost (openvpn running on router, however for testing I'm connecting from within lan, yes i know its not that good). 20:14 < ido--> anyhow, when connecting, i notice the server is sending this to the client: SENT CONTROL [ido2]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,ifconfig 10.8.0.6 10.8.0.5' (status=1) 20:14 < ido--> whats 10.8.0.5 ? 20:14 < krzie> !/30 20:14 < ido--> the servers ip is 10.8.0.1 20:14 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 20:15 < krzie> its a normal byproduct of the net30 topology which is default 20:16 < ido--> hrm. 20:16 < ido--> i am connecting from a windows host to a linux server. 20:17 < ido--> oh. i get it 20:17 < ido--> so .5 is the network address, and .6 is the virtual ip ? (of the client) 20:19 < krzie> virtual ip? 
20:19 < krzie> .6 is the client's vpn ip 20:19 < krzie> .5 is internal to openvpn 20:19 < krzie> just like .2 on the server 20:19 < krzie> that link explained it all 20:19 < ido--> yeahk, thats what i meant. 20:21 < ido--> krzie, mind taking a look at this please: http://www.pastebin.ca/1412884 20:22 < ido--> if .5 is internal to the vpn, can it be the gateway ? 20:22 < krzie> just let openvpn handle it itself, it will do it correctly 20:22 < krzie> dont question what its doing 20:22 < ido--> i haven't added anything.. 20:22 < krzie> if you're having a problem related to that its on your end, not openvpn's 20:22 < krzie> ok, so whats the problem? 20:22 < ido--> those are all by default from the openvpn 20:23 < ido--> hrm 20:23 < krzie> do you need help with something? 20:23 < ido--> 192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30 20:24 < krzie> as i said 20:24 < krzie> do you need help with something? 20:24 < ido--> well 20:24 < ido--> when i have this routing table 20:24 < ido--> my cpu usage on the client starts going up 20:25 < ido--> and i have no network connectivity to 192* 20:25 < krzie> you using redirect-gateway 20:25 < krzie> ? 20:25 < ido--> nope 20:26 < ido--> but if you look at the routing table 20:26 < krzie> pushing a route to 192.168.0.0? 20:26 < ido--> yes 20:26 < krzie> lol 20:26 < krzie> you think that could somehow work while on-lan> 20:26 < krzie> ? 20:26 < krzie> you made a routing loop, of course the cpu goes up 20:26 < ido--> i know, thats what i was trying to say 20:26 < krzie> ok, comment out the push route 20:26 < krzie> or get off your own lan 20:26 < ido--> oh, wait. 20:27 < ido--> it does the push route by itself 20:27 < ido--> i've disabled it.. 
20:27 < krzie> !configs 20:27 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:27 < krzie> also this: 20:27 < krzie> is your end project going to be on-lan or off-lan? 20:27 < ido--> why would i have it on-lan ? 20:27 < krzie> some people like to use it to secure wifi and whatnot 20:28 < krzie> but yes, very good question 20:28 < ido--> oh. right 20:28 < ido--> sec. 20:28 < krzie> why DO you have it onlan 20:28 < krzie> if thats not part of the goal, stop doing it 20:28 < ido--> actually i might need it on-lan too 20:28 < krzie> why? 20:29 < ido--> hrm. cross that out. i can live without that 20:29 < krzie> why were you thinking... 20:29 < krzie> to have machines in the lan communicate over the vpn too? 20:31 < krzie> cause if so, that can be done by reading !route 20:31 < ido--> http://www.pastebin.ca/1412893 20:31 < krzie> what is your REAL goal 20:31 < ido--> the conf is there 20:31 < ido--> off-lan access to lan 20:32 < fixxxermet> I have two clients accessing my server. One client is a desktop, which I use to directly access the server and the network. tcpdump shows this client as 10.8.0.10. The other client access the server through a gateway (his vpn client) and tcpdump shows that client as 192.168.8.40 20:32 < ido--> multiple clients 20:32 < fixxxermet> Problem is that when I add a 10.8.0.0 route to the computers on the server's LAN, client2 can not access the network, but client1 can 20:34 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has quit [Client Quit] 20:37 < ido--> krzie ? 
20:38 < krzie> fixxxermet, right, they need a route to 192.168.8.0 as well 20:39 < krzie> as well as every lan they need to communicate with 20:39 < krzie> easiest done through their default gateway 20:39 < krzie> this is explained in my routing writeup 20:39 < krzie> !routew 20:39 < vpnHelper> krzie: Error: "routew" is not a valid command. 20:39 < krzie> !route 20:39 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:39 < krzie> right under the network diagram 20:39 < fixxxermet> Unfortunately most gateways do not allow you to add custom routes 20:40 < ido--> then you need to add the route per machine on the lan? 20:40 < krzie> ya if they're cheap enough 20:40 < krzie> yes, as explained in my writeup 20:40 < krzie> ido 20:40 < krzie> # 20:40 < krzie> ifconfig 10.3.0.1 10.3.0.2 20:40 < krzie> # 20:40 < krzie> server 10.8.0.0 255.255.255.0 20:40 < krzie> why? 20:41 < ido--> oh. the first is a mistake. 20:41 < ido--> forgot that. 20:41 < krzie> no kidding 20:41 < ido--> eh. 20:41 < krzie> also you have the push route 20:41 < krzie> that you said you didnt have 20:41 < ido--> you said or I said ? 20:42 < krzie> it does the push route by itself 20:42 < krzie> i've disabled it.. 20:43 < ido--> hrm. yeah, but should it ? 20:43 < krzie> thats what broke you on-lan 20:43 < krzie> it should be there when off-lan 20:43 < ido--> hrm. 20:43 < ido--> any other comments besides those ? 20:43 < krzie> yup 20:43 < krzie> a few 20:43 < ido--> shoot.. 20:43 < krzie> almost dunno where to start 20:43 < krzie> ok... 20:44 < krzie> why on earth would you get rid of the whole cert system and ONLY use a pw? 20:44 < krzie> you dont like security? 
20:44 < krzie> that ifconfig line needs to go all together 20:44 -!- Skiff [n=skiff@unaffiliated/skiff] has quit ["Leaving"] 20:44 < krzie> mode server is useless, it knows from the --server statement 20:45 < krzie> your LAN is on 192.168.0.x, so any time your client is on 192.168.0.x when remote, shit will break 20:45 < krzie> duplicate-cn is not a good idea 20:45 < ido--> how do i fix that ? (the duplicate subnet) 20:45 < krzie> you should use HMAC sigs (!hmac) 20:45 < krzie> and you never posted a client config, said what OS or version of openvpn) 20:46 < ido--> server linux 2.0.9 20:47 < ido--> clients on windows, 2.1 20:47 < krzie> why do you have client-cert-not-required 20:47 < krzie> how many clients do you plan on having? 20:47 < ido--> not so many actually 20:47 < krzie> did you make this yourself or copy/paste it from some walkthrough? 20:47 < ido--> 4-5 i suppose 20:47 < ido--> nope 20:48 < krzie> nope what 20:48 < ido--> didn't copy it. 20:48 < ido--> i actually did read a lot of the man page 20:48 < krzie> if i say "this or that" nope cant be an answer 20:48 < krzie> unless it was neither i guess 20:49 < krzie> ok, so why are you using certs, but saying they are not needed to connect? 20:49 < ido--> using only the ca to verify i'm connecting to the correct server 20:49 < ido--> but the server won't be able to verify its clients 20:49 < krzie> and how exactly does chpass check a password? 20:49 < ido--> env vars? 20:50 < krzie> chpass is used to add or change user database information 20:50 < ido--> no, hardcoded.. 20:50 < ido--> quick hack 20:50 < ido--> as i said, not so many clients 20:50 < krzie> umm, this is a completely messed up config imo 20:50 < krzie> ild start over 20:50 < ido--> ehe:) thanks. 20:50 < krzie> seriously 20:51 < ido--> i appreciate it. 20:51 < krzie> you have 4 or 5 clients, why not generate a cert for each? 20:51 < ido--> fixing the config as you said before. 20:51 < ido--> hrm. 
20:51 < ido--> because that requires maintenance 20:51 < theDoc> krzie: You can use certs to just verify the identity of the server you are connecting to and use user/pass to authenticate against it. 20:51 < krzie> how so? 20:51 < theDoc> krzie: That's what I have running :) 20:52 < krzie> theDoc i wanted to see if thats what he was doing, but he didnt post his client config 20:52 < krzie> (even though my bot says BOTH) 20:52 < theDoc> ahhh. 20:52 < ido--> krzie, thats what i said earlier 20:52 < ido--> "using only the ca to verify i'm connecting to the correct server" 20:52 < krzie> ahh, that sentence didnt make sense to me 20:53 < krzie> i see what you were trying to say now tho 20:53 < theDoc> krzie: Do you happen to have an idea on how to tunnel vpn traffic through a transparent proxy which requires a login and which only permits http traffic over it? 20:53 * theDoc has such a problem :) 20:53 < krzie> actually yes 20:53 < krzie> thats built into openvpn 20:53 < ido--> http-proxy ? 20:53 < krzie> something like that, yup 20:53 < theDoc> krzie: Ahh, care to point me to some resources? 20:53 < theDoc> I'll take a look at it. 20:54 < krzie> !man 20:54 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:54 < krzie> look at every instance of the word proxy 20:54 < theDoc> I have an idea on what to do, was looking for some guides. 20:54 < krzie> screw a guide, use the manual 20:54 < theDoc> bbl, :) breakfast time. 20:54 * theDoc waves 20:54 < ido--> theDoc, its only about 3 directives. 20:54 < krzie> half the guides out there lead people to here with screwed up configs 20:54 < ido--> true. 20:54 < theDoc> krzie: ahaha. 20:55 < theDoc> I would just rebuild it myself and learn from it. 
20:55 < krzie> ild like to see socks5 auth in openvpn 20:55 < krzie> it does socks5 but no auth 20:55 < krzie> http-proxy however, does do auth 20:55 < ido--> krzie, so does it now make more sense why client-cert-not-required+auth-user-pass-verify ? 20:56 < krzie> yes and no 20:56 < ido--> why not ? 20:56 < krzie> yes because i know what you're doing 20:56 < ido--> but you still prefer certs ? 20:56 < krzie> no because you are making your vpn far less secure because you dont wanna make 4 certs 20:56 < ido--> ok, thats somewhat true. 20:56 < ido--> hrm 20:57 < theDoc> krzie: It would be hell if I had something like 1,000 users and all of them are on certs:p 20:57 < theDoc> I'll spend my entire day doing certs for people 20:57 < ido--> should i make the certs with passcodes ? 20:57 < ido--> that is, if they're kept safe 20:57 < krzie> theDoc not so much, you had to get them all setup to begin with, with something like ssl-admin it would pack up their zip for you when you make them 20:58 < theDoc> krzie: Customers/end users don't want to be dealing with certs :P they want to just push buttons and make it into their account :P 20:58 < krzie> plus you could just script something to make them all in batch mode, go fuck your girl a time or 2, and have everything done including their configs and all zipped up 20:58 < theDoc> after all, I run an anonymous vpn tunnel service :P 20:58 < krzie> with certs they dont need a pw 20:58 < krzie> which is EASIER for the end user 20:58 < krzie> they click, connected 20:58 < theDoc> krzie: Yep, but they hop onto other comps and also want to use their vpn :P 20:58 < krzie> and they had to deal with a config file 20:58 < krzie> the cert is just as much effort 20:58 < ido--> theDoc, a free one ? 
:) 20:58 < krzie> at the exact same time 20:59 * krzie notes he said "customers / end users" 20:59 < ido--> !hmac 20:59 < vpnHelper> ido--: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 20:59 < vpnHelper> ido--: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 20:59 < krzie> as in "not people who just get free stuff" 21:00 < krzie> regardless 21:00 < krzie> theDoc, you have an argument for why not to use certs, he does not 21:00 < prop_> should I experience a huge transfer speed decrease while using a VPN as a gateway? 21:00 < krzie> prop_ depending on a bunch of factors, but pretty much yes 21:01 < ido--> i changed back to certs krzie, you made me change my mind. 21:01 < prop_> krzie: squid for example, for HTTP ... has almost no penalty 21:01 < theDoc> I'd think that if you start encapsulating your packets in ipsec, more overhead :) 21:02 < ido--> hrm. 21:03 < ido--> anything else i should change ? 21:03 < ido--> before i burn a new image ? 21:06 < krzie> ido, post BOTH configs again 21:06 < krzie> if you want that question answered 21:06 < ido--> sec 21:09 < ido--> http://www.pastebin.ca/1412918 21:10 < krzie> prop, you should also make sure you are using UDP, compression if it makes sense to, and have a good MTU 21:10 < krzie> ido--, add proto udp to both configs 21:10 < ido--> isn't udp the default ? 
21:11 < krzie> ahh good you have tls-auth 21:11 < krzie> you said you were checking that the server was the server with certs before 21:11 < krzie> but your client config doesnt do it 21:11 < prop_> krzee: tried everything you suggested so far 21:11 < krzie> !mitm 21:11 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config 21:12 < prop_> krzee: I guess I'm doomed to use customized proxies :| 21:12 < ido--> doesn't ns-cert-type just verify that the cert of the server is only for servers and not clients/email/etc or something? 21:12 < krzie> also check cpu usage on both sides when its slow 21:13 < prop_> krzie: cpu/ram is practically empty - and its always slow - today it was like 6KB slow 21:13 < krzie> ido, right, it tells the client to be sure that the cert which was signed by the same CA was actually made for a server 21:13 < krzie> ido, otherwise i can use your cert to auth with you 21:13 < ido--> yeah i know 21:13 < ido--> i wrote some code that used libssl in the past 21:14 < krzie> cool, so go stop MITM attacks by adding that 21:14 < ido--> done. 21:14 < krzie> remote 192.168.0.1 \ 21:14 < ido--> yeah, its a tmp statement. 21:14 < krzie> that is the biggest reason i dont like people changing stuff to sanitize configs 21:15 < krzie> in reality its just remote right? 21:15 < ido--> yep 21:15 < ido--> actually, without the port 21:15 < krzie> you still gunna use passes? 21:15 < ido--> i just wrote the part now 21:15 < ido--> what are passes ? 21:15 < krzie> remove these 21:15 < krzie> # 21:15 < krzie> duplicate-cn 21:15 < krzie> # 21:15 < krzie> username-as-common-name 21:16 < ido--> hrm. still thinking about that. 
21:16 < ido--> i think i'll remove them tho 21:16 < krzie> duplicate-cn is better off not being there 21:16 < krzie> username-as-common-name is 100% pointless in the config you posted 21:17 < ido--> true. 21:17 < ido--> removed. 21:17 < krzie> (the latest one) 21:17 < krzie> ok, repost configs 21:17 < krzie> oh wait 21:17 < krzie> you forgot to keep the push 21:17 < krzie> this config is for use outside the lan, keep the push 21:17 < krzie> the push was only bad INSIDE the lan 21:17 < ido--> oh. ok 21:17 < ido--> i got it now 21:17 < krzie> comment it out when testing inside the lan 21:17 < ido--> because it was in-lan, it added the push automatically 21:18 < ido--> gotcha! 21:18 < ido--> am i right ? 21:18 < krzie> no no 21:18 < krzie> it never added it automatically 21:18 < krzie> you had it there when you shouldnt have 21:18 < krzie> it will NEVER push its lan without being told to 21:18 < ido--> weird then. i have no idea why i had it then 21:18 < ido--> one second. 21:19 < ido--> hrm 21:19 < ido--> how would i know the best MTU ? 21:19 < krzie> !mtu 21:19 < krzie> #2 21:19 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 21:19 < krzie> #2 21:19 < ido--> it depends on where i'm connecting from 21:19 < ido--> which i don't know atm. 21:19 < krzie> you're usually fine without specifying anything 21:20 < krzie> if you will be at the same place a lot its good to test it and set it up for that 21:20 < krzie> but how can anyone know what you need MTU at when you dunno where you'll be... 21:20 < ido--> MTU ping test = isn't there an icmp for this ? 21:20 < krzie> we could make it shitty so its good if you come from a satellite, but odds are you'll find some open wifi more often, hhehe 21:21 < krzie> what? 
21:21 < krzie> ping IS icmp 21:21 < krzie> its icmp mode 8 iirc 21:21 < krzie> (for request) 21:22 < ido--> hrm 21:22 < ido--> i was talkin about path mtu 21:22 < ido--> yeah, it does that with ping iirc now 21:23 < krzie> ok i officially have no clue what you're talking about 21:23 < krzie> anyways, paste the new configs 21:23 < ido--> path MTU discovery 21:24 < krzie> ya openvpn doesnt do that 21:24 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)] 21:24 < ido--> hrm 21:24 < ido--> if i have a slow link 21:25 < ido--> anything special i should add ? 21:25 < krzie> you should prolly figure out what kinda mtu you'll be wanting when you're out 21:25 < krzie> go around to a few places youd use it from and use mtu-test in the clients config 21:26 < krzie> you already have adaptive compression 21:26 < ido--> http://www.pastebin.ca/1412931 21:26 < krzie> also since this sounds road-warrior setup like 21:26 < krzie> you want to change the subnet your server's LAN uses 21:27 < krzie> cause this wont work anywhere with 192.168.0.x as their subnet 21:27 < krzie> just make it 192.168.54.x or something 21:27 < krzie> then it shouldnt conflict with anything 21:28 < ido--> hrm. 21:28 < ido--> oh well. 21:28 < ido--> i've had same ip's on the lan for a decade or so 21:28 < ido--> eh. 21:28 < krzie> nice, due for a change then! ;] 21:28 < ido--> s/had/had the 21:29 < ido--> eh 21:30 < Dougy> HMM 21:30 < Dougy> krzie this dc is slackin mad balls 21:30 < Dougy> i want to sign the contract already 21:31 < ido--> thanks a lot krzee 21:31 < ido--> krzie. gonna test it now ! 
21:31 < krzie> ido, read up on --ping that you are using, you will likely want to replace it with --keepalive 21:31 < krzie> after that, these are nice configs 21:32 < ido--> why the fuck are ebay/paypal so stupid 21:32 < krzie> because they already have your $ 21:32 < krzie> o_O 21:32 < ido--> paypal won't let me select paying out of my own balance, and offers only to pay from my bank account. 21:32 < ido--> they really do want my $$ 21:32 < krzie> nah it'll take from your balance first, just isnt an option 21:33 < ido--> i've got two accounts 21:33 < krzie> whether you pick bank or credit, it goes from your balance first 21:33 < ido--> personal and premiere 21:33 < ido--> and i want to pay half the personal (from balance) and the rest with CC which is linked to the second account 21:34 < krzie> hah good luck 21:34 < krzie> best you could do easily would be xfer from 1 to another (losing a percentage) then pay with cc 21:34 < ido--> the ebay account was linked to the second account, but noooo, paypal doesn't allow paying for an item which was bought with an ebay account not linked to itself 21:35 < ido--> actually they did allow it back then 21:35 < ido--> anywho, i unlinked my paypal account from ebay, and linked the other one 21:35 < ido--> and it does show up as linked to it in ebay 21:36 < ido--> but again, no, paypal refuses to let me use my ebay account, says its already linked to another account 21:36 < ido--> someone should get fired for this 21:36 < krzie> haha 21:36 < ido--> "This auction account has already been registered by another PayPal account" 21:37 < ido--> fuck them, its registered with THIS paypal account (at least thats what it says on ebay's site) 21:37 < krzie> any more help with your vpn? 21:37 < ido--> hrm 21:37 < ido--> building an image to test it with 21:37 < ido--> i'll return later if i'll need anything 21:37 < ido--> thanks a lot ! 
21:38 < krzie> yw 21:38 < ido--> wonderful service around here 21:38 < ido--> cheers 21:38 < krzie> hehe 21:39 < ido--> oh 21:40 < ido--> actually i do have another question 21:40 < ido--> smaller one though 21:40 < ido--> i need another server/client pair 21:41 < ido--> in-lan 21:41 < krzie> why 21:41 < ido--> hrm. 21:41 < ido--> i've got a G1 googlephone 21:41 < krzie> those support tuntap? 21:42 < ido--> i want to tunnel a connection over tcp from it to the host (connected with usb, with a tcp port forwarded over it) 21:42 < ido--> i've got openvpn+tun.o compiled 21:42 < krzie> cool, good luck with that 21:42 < ido--> eh, 21:43 < ido--> anywho, what should i setup ? 21:43 < ido--> no need for encryption/compression/users/anything what-so-ever 21:43 < krzie> i actually have no clue what you're trying to do 21:43 < ido--> only in-lan 21:43 < krzie> no need for encryption/compression/users/anything what-so-ever 21:43 < krzie> that means you dont want openvpn 21:43 < krzie> think about a GRE tunnel or something 21:44 < krzie> although i dont see why you even need a tunnel 21:44 < krzie> what is the goal 21:45 < ido--> because i can have only specific ports forwarded 21:45 < ido--> and i want full network access 21:45 < krzie> no idea, hope that goes well for you, openvpn is likely not what you want 21:45 < ido--> why not ? creating a tunnel over a tcp connection ? 21:46 < krzie> no need for encryption/compression/users/anything what-so-ever 21:46 < krzie> that means you dont want openvpn 21:46 < krzie> a tunnel without any of that is just that, a tunnel 21:46 < ido--> i don't think GRE would work 21:46 < krzie> just use a tunnel, openvpn is a little overkill for that 21:47 < ido--> what other options do i have ? 21:47 < krzie> why do you need ports forwarded to your phone 21:47 < krzie> you gunna host services on it? 
21:49 < ido--> no 21:49 < ido--> i'd like to have full internet access when its connected to my computer via usb when i have no wifi around 21:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 21:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 22:02 < krzie> ido, what does that have to do with port forwarding? 22:07 < ido--> hrm. ok, i wasn't clear on that 22:08 < ido--> the only way of communicating between the G1 and my pc directly over usb, is by using their debug utility, which can forward a port to the G1. 22:09 < ido--> now if i make a tunnel between the two, i can have full network access from the G1 via the PC. 22:09 < ido--> I've just found a way to a tunnel using SSH, but thats a bit limiting, since windows doesnt have an sshd 22:10 < ido--> well, not without cygwin. i wonder if it'll work with the cygwin one. 22:10 < ido--> actually i'm not sure it would, because it probably wouldn't know how to work with the tun device on windows 22:10 < ido--> ugh. 22:11 < ido--> openvpn would work though. 22:17 < krzie> one of us doesnt know what "forward a port" means 22:17 < krzie> im thinking its not me 22:18 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 22:18 < krzie> a forwarded port is only needed for a machine behind a nat to be contacted when it has a service listening for connections 22:18 < krzie> which is NOT what you seem to be talking about 22:19 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 22:33 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn 22:33 < freaky_t> !logs 22:33 < vpnHelper> freaky_t: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 22:33 < freaky_t> !howto 22:33 < vpnHelper> freaky_t: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 22:35 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 22:36 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 54 (Connection reset by peer)] 22:37 < ido--> krzie: I know what I'm talking about, the port is "forwarded" over the usb link (embedded in their driver for debugging purposes) 22:37 < ido--> anyhow, i got it working... minimal config, works like a charm 22:37 < krzie> what port! 22:37 < ido--> whichever tcp port i choose.. 22:37 < krzie> so to make an outbound connection you are saying it must be configured for port forwarding 22:38 < ido--> pc->G1 22:39 < ido--> the other way around isn't possible.. 22:39 < krzie> nm it doesnt matter 22:40 < ido--> i need to get port forwarding on windows though 22:40 < ido--> i saw it somewhere on the web today 22:47 -!- ido-- [n=wtf@212.199.189.65] has quit [] 22:49 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 22:49 < onats> hey guys, how do i check the IP's of the clients that connect to the vpn server? 22:50 < krzie> automated or on the fly? 22:52 < krzie> (@onats) 22:53 < onats> krzie, on the fly.. 22:53 < krzie> management interface might have that 22:53 < onats> just want to check now the IP of a particular client, coz i need to connect to it.. 22:53 < onats> management interface?? 22:53 < krzie> you can also give them static ips if you like by seeing !static 22:53 < onats> i dont think i have that yet.. 22:54 < onats> well thats in the plan, but i haven't really dug into it yet... 22:55 < onats> krzie, via command line? 22:56 < krzie> you could also see your status file or log 22:56 < krzie> if you use ipp.txt that should have it as well 22:57 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:57 < onats> ok lemme check.. 
tnx 22:57 * onats turned off logging 22:59 < krzie> well if you dont have a log, status file, ipp, management interface, or static ips, i dont think you can 23:12 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 23:26 < onats> krzie, the status file doesn't grow that much right? 23:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 23:29 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 23:32 -!- freaky_t [i=alpha@member.team-box.net] has quit [Read error: 104 (Connection reset by peer)] 23:39 -!- Cr0nix [n=Cr0nix@e180070205.adsl.alicedsl.de] has joined ##openvpn 23:48 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn 23:56 -!- Cronix [n=Cr0nix@e180070100.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 23:58 -!- boolias [n=boolias@c-98-207-42-206.hsd1.ca.comcast.net] has joined ##openvpn --- Day changed Tue May 05 2009 00:00 < boolias> hi there, anyone in have a minute to explain pkcs#12 files and how an openvpn server generates those for me? 00:01 -!- boolias is now known as oradude 00:02 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 00:05 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:42 -!- oradude [n=boolias@c-98-207-42-206.hsd1.ca.comcast.net] has quit [] 01:03 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:11 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 54 (Connection reset by peer)] 01:12 -!- lataffe [n=lars@89.10.28.212] has joined ##openvpn 02:02 < freaky_t> hi all i have a problem running a samba server over the vpn. in the logs from samba in log.nmbd it says 02:02 < freaky_t> [2009/05/05 08:50:38, 0] nmbd/nmbd_subnetdb.c:create_subnets(207) 02:02 < freaky_t> create_subnets: Waiting for an interface to appear ... 02:02 < freaky_t> and nothing else happens 02:02 < freaky_t> can anyone help me please? 
02:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:21 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 02:22 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:22 -!- freaky_t [i=alpha@member.team-box.net] has quit [Remote closed the connection] 02:35 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn 02:45 < freaky_t> !man 02:45 < vpnHelper> freaky_t: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:19 -!- svenx [n=sveniu@pat-tdc.opera.com] has joined ##openvpn 03:21 -!- crocr [n=sveniu@leia.ifi.uio.no] has joined ##openvpn 03:32 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 04:09 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 04:28 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 04:29 -!- nsar [n=nsar@121.54.32.108] has joined ##openvpn 04:29 < nsar> hello 04:29 -!- youngpro [n=pro@203.217.10.114] has joined ##openvpn 04:29 < nsar> some help may i have with the certificates for server to multiple clients 04:29 < nsar> ? 04:31 -!- nsar [n=nsar@121.54.32.108] has quit [Client Quit] 04:31 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:44 -!- youngpro [n=pro@203.217.10.114] has quit ["changing servers"] 04:44 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 04:49 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 04:50 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn 04:51 < alinuxskyper99> Hi, I installed openvpn on server 2003 ...on my same lan and I can connect however I cannot ping 10.8.0.1 .. it times out...I did not push any networks yet 04:56 < onats> !certificates 04:56 < vpnHelper> onats: Error: "certificates" is not a valid command. 
04:56 < onats> !config 04:56 < vpnHelper> onats: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 04:56 < onats> !sample-configs 04:56 < vpnHelper> onats: Error: "sample-configs" is not a valid command. 04:56 < onats> !sample 04:56 < vpnHelper> onats: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:56 < onats> there 05:02 < reiffert> !factoids search sample 05:02 < vpnHelper> reiffert: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 05:02 < reiffert> !factoids search sam 05:02 < vpnHelper> reiffert: 'sample' and 'samba' 05:02 < reiffert> !factoids search cert 05:02 < vpnHelper> reiffert: 'servercert', 'certs', and 'nocert' 05:29 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 05:54 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has joined ##openvpn 05:56 < andriijas> i have 2 boxes at home, neither of them is the gateway to internet. one of them has an openvpn server which works fine and it can ping my laptop which is connected to the vpn from office, but how can i make my other box at home connect to my roadwarrior laptop? 
05:56 < andriijas> the laptop can ping both computers from the vpn 06:09 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:11 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:12 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:14 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has left ##openvpn [] 06:16 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 06:16 -!- youngpro [n=pro@203.217.10.114] has joined ##openvpn 06:20 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:22 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:23 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:24 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:24 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:25 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:25 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:39 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)] 06:42 -!- tuxinator [n=chatzill@195.34.89.245] has joined ##openvpn 06:44 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 06:59 < ecrist> morning 07:12 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 07:45 -!- sticky [n=zach@2001:470:1f11:5a7:b167:612a:7dd5:7964] has joined ##openvpn 08:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:37 -!- eliasp_ [n=quassel@95.208.45.212] has joined ##openvpn 08:51 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 110 (Connection timed out)] 09:01 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 09:08 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 09:16 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 09:25 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:00 -!- i3lack0p 
[i=merlin@69.69.150.7] has joined ##openvpn 10:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:18 < i3lack0p> having an issue setting up an OpenVPN host with multi client. This is my first attempt. http://pastebin.com/d6dfaed32 is a tail of my log on the client side 10:18 < i3lack0p> !howto 10:18 < vpnHelper> i3lack0p: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:20 < ecrist> i3lack0p: what os? 10:27 < i3lack0p> Host is CentOS 5.1 guest is winxp sp3 10:28 < i3lack0p> but other guests will include Mac OS X, Windows Vista, Windows XP and a few Ubuntu clients 10:35 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 10:38 < i3lack0p> what im looking to do is have these clients VPN to the server and access a Samba share on the node 10:41 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Deffie 10:44 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Dougy_, pekster 10:45 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 10:46 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 10:52 -!- i3lack0p [i=merlin@69.69.150.7] has quit [Read error: 104 (Connection reset by peer)] 10:52 -!- i3lack0p [i=merlin@69.69.150.7] has joined ##openvpn 10:53 -!- i3lack0p [i=merlin@69.69.150.7] has quit [Read error: 104 (Connection reset by peer)] 10:53 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn 10:54 -!- pekster is now known as Guest26656 11:01 -!- onats__ [n=onats@122.53.134.78] has joined ##openvpn 11:06 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)] 11:13 -!- epaphus [n=unix3@78.46.79.204] has joined ##openvpn 11:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 11:23 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 11:25 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 11:26 -!- 
polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:35 < Alagar> is there a dead peer detection mechanism active in our vpn gateway 11:35 < Alagar> i got the above question from my boss. what is the meaning of this 11:36 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 11:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:40 -!- bakers [n=bakers@bar-1.web-ster.com] has joined ##openvpn 11:40 < theDoc> Alagar: Sounds like it sends packets to you at intervals and if you don't respond after x seconds, it considers you disconnected 11:43 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has joined ##openvpn 11:44 < VeRteXz> !interface 11:44 < vpnHelper> VeRteXz: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 11:44 < VeRteXz> !route 11:44 < vpnHelper> VeRteXz: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:44 < VeRteXz> !configs 11:44 < vpnHelper> VeRteXz: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:44 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has left ##openvpn ["Bye Bye All"] 11:44 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has joined ##openvpn 11:45 < Alagar> theDoc: thanks. one more help please. I am using fortigate 100A VPN Firewall how to find out Dead peer detection mechanism active or not? 
11:46 < theDoc> Alagar: I'd spoon the firewall and whisper lovingly into her ears and tease her into telling me. 11:46 < theDoc> That's what I would do. I think you would want to try reading the manual. 11:46 < bakers> Can I create a client cert that requires a username and a password? 11:47 < theDoc> Yes. 11:55 < bakers> theDoc: How does one do that? 11:55 < theDoc> bakers: It's 1am, :p I just got back from work and I'm not really in the mood at the moment :p 11:55 < theDoc> It's somewhere in the guide I believe. 11:55 < theDoc> I'm lazy enough to not want to search it for you. 11:58 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has left ##openvpn ["Bye Bye All"] 12:01 -!- epaphus [n=unix3@78.46.79.204] has quit ["Leaving"] 12:07 -!- i3lack0p [i=merlin@69.69.150.7] has joined ##openvpn 12:10 < i3lack0p> I am looking to set up OpenVPN host that a number of remote nodes and VPN to for establishing a Samba transfer... client to host... Host is CentOS 5.1 w/ OpenVPN 2.0.9, Client is Windows XP SP3 w/ OpenVPN 2.0.9... this is error im getting: http://pastebin.com/d6736f785 12:11 < i3lack0p> never establishes IP address and ability to communicate 12:16 < i3lack0p> hello? 
12:18 < ecrist> see line 5 12:18 < ecrist> !configs 12:18 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:19 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:22 < i3lack0p> Client: http://pastebin.com/d3bc70457 | Host: http://pastebin.com/d1dc0443a 12:23 < i3lack0p> Host is CentOS 5.1 w/ OpenVPN 2.0.9, Client is Windows XP SP3 w/ OpenVPN 2.0.9 12:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:26 < ecrist> !logs 12:26 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 12:26 < i3lack0p> ok 12:34 < i3lack0p> Client Log: http://pastebin.com/d7b07be5e | Host Log: http://pastebin.com/d10b1724 12:38 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:40 -!- bafman [n=none@81.90.250.239] has joined ##openvpn 12:43 < bafman> hello, one quick question. I have "local" network with GW/server 192.168.1.1 running openvpn. Remote network is the same IP range also with colliding IP of GW/Server. Is there any way how to compensate without changing the IP of local range? 12:50 < svenx> ask the twats who set up the server side why they chose the most common ip range in home networks :) 12:50 < svenx> other than that, you can simply add some routes 12:51 < svenx> oh wait, gw also collides.. hm 12:51 < ecrist> reading now, i3lack0p 12:52 < bafman> svenx: me ;-). I created a home LAN, these days I decided SSH is not enough, thus I would like to add VPN. Most of the networks of my friends share the same layout 12:52 < ecrist> gotta tell you, that error is stumping me. 12:53 < ecrist> your configs looks fine 12:53 < bafman> I was wondering adding a new virtual IP for the GW/Server 12:53 < svenx> bafman: aha. that's possible. 
also, you could use the routing method of openvpn, and rather define a "rare" subnet to use for vpn clients 12:54 < bafman> svenx: but the virtual IP is a must then 12:55 < ecrist> i3lack0p: does the client ever get the .5 address assigned to the interface? 12:56 < ecrist> bafman: no, you need to renumber 12:56 < svenx> bafman: yes 12:56 < svenx> bafman: ..if your vpngw only has a single interface 12:58 -!- bakers [n=bakers@bar-1.web-ster.com] has quit ["Leaving"] 12:59 < bafman> svenx: or leave it as it is and when VPN is up, exclusively use remote IP range ... 12:59 < bafman> gents thank you for hinting 13:11 -!- netnoodle [n=netnoodl@pcp045837pcs.pcv.reshall.calpoly.edu] has joined ##openvpn 13:12 < netnoodle> hello, im using linux and the client is unable to redirect the gateway through the vpn automatically. i need to manually change the gateway using the "route" command in linux, but i'm not sure how to do this 13:20 < i3lack0p> ecrist: sorry wife grabbed me... according to OpenVPN GUI its been allocated, but the Local Area Connection 2 ( bound to TAP-Win32) keeps looking for DHCP address 13:21 < ecrist> hrm, it shouldn't be. 13:21 < ecrist> I don't have a lot of windows openvpn experience, sorry. 13:22 < i3lack0p> i dont either... 
I have done site to site openvpn tunneling with static ips, but this is stumping 13:22 < ecrist> read here, see if anything sticks out to you 13:22 < ecrist> !freebsd 13:22 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:23 -!- clebig [n=clebig@87.100.60.106] has joined ##openvpn 13:24 < clebig> hi 13:27 -!- sticky [n=zach@2001:470:1f11:5a7:b167:612a:7dd5:7964] has quit ["Leaving"] 13:30 -!- netnoodle [n=netnoodl@pcp045837pcs.pcv.reshall.calpoly.edu] has quit [Remote closed the connection] 13:31 < clebig> I have a problem when I try to revoke a certificate, could you help me, here the output of revoke-full command : http://pastebin.fr/4423 13:37 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 13:41 -!- frank__ is now known as frankS2 13:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 13:52 -!- bafman [n=none@81.90.250.239] has quit ["leaving"] 13:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:55 < i3lack0p> ecrist: i switched over to my slackware box and tested it as a client. http://pastebin.com/d49cdae83 is what i got... but looking at it i think I need to gen the tun devices 14:01 < ecrist> i3lack0p: do you have the tun kernel module/device available? 14:08 < i3lack0p> lol im a dumbass... i just figured out my problem 14:08 < ecrist> please share 14:08 < i3lack0p> i had disabled the dhcp client service on my windows box cause i never use DHCP on it... its always static 14:09 < ecrist> ahhhhh 14:09 < ecrist> :) 14:09 < i3lack0p> so the adapter couldnt receive/send dhcp... like i said... 
dumbass 14:12 < ecrist> good to figure it out 14:48 -!- clebig [n=clebig@87.100.60.106] has quit ["The vast majority of our imports come from outside the country"] 14:57 -!- i3lack0p [i=merlin@69.69.150.7] has quit ["User pushed the X - because it's Xtra, baby"] 15:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:36 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 15:52 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"] 16:02 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:16 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:22 -!- prop_ [n=dd@IGLD-84-228-155-161.inter.net.il] has quit [Success] 17:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:40 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 17:57 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:44 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:18 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 19:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 19:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 19:56 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 20:01 < onats> buzz 21:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)] 22:17 < onats> how do i create a tun device? 22:18 < onats> openvpn --mktun --dev tun0 --dev-type tun? 22:29 < onats> !tun 22:29 < vpnHelper> onats: Error: "tun" is not a valid command. 
22:55 -!- prop_ [n=dd@84.228.155.161] has joined ##openvpn 23:17 -!- jetole [n=Joe@204.13.0.100] has joined ##openvpn 23:28 -!- Cron1x [n=Cr0nix@e180071180.adsl.alicedsl.de] has joined ##openvpn 23:45 -!- Cr0nix [n=Cr0nix@e180070205.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 23:48 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn --- Day changed Wed May 06 2009 00:02 -!- epaphus [n=unix3@201.199.192.2] has joined ##openvpn 00:19 < reiffert> !factoids search tun 00:19 < vpnHelper> reiffert: 'mactuntap' and 'tunortap' 00:19 < reiffert> !factoids search mknod 00:19 < vpnHelper> reiffert: No keys matched that query. 00:20 -!- epaphus [n=unix3@201.199.192.2] has quit ["Leaving"] 00:20 < reiffert> onats: mknod /dev/net/tun c 10 200 00:23 < onats> reiffert, i got it this time. the library on my openwrt for tun drivers wasn't compatible 00:23 < onats> thanks:D 01:26 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:27 -!- mattock [n=mattock@gw.tietoteema.fi] has quit [Remote closed the connection] 01:27 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:48 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 02:08 < tuxinator> is it a good idea to put the route-method exe and route-delay 2 options in to global config? 
02:27 -!- prop- [n=dd@84.229.209.63] has joined ##openvpn 02:31 -!- prop_ [n=dd@84.228.155.161] has quit [Read error: 60 (Operation timed out)] 02:46 < krzee> for windows 02:46 < krzee> but route-delay 2 might be a lil small 02:46 < krzee> i believe 30 is default if you specify route-delay with no arg 02:46 < krzee> !winroute 02:46 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 02:47 < krzee> thats only useful when a windows route cant be added 03:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 04:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:23 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 04:41 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 04:57 -!- prop_ [n=dd@84.229.209.63] has joined ##openvpn 05:01 -!- prop- [n=dd@84.229.209.63] has quit [Read error: 104 (Connection reset by peer)] 05:14 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:19 -!- eliasp_ is now known as eliasp 05:41 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 05:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:12 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 06:14 -!- prop_ [n=dd@84.229.209.63] has quit [Read error: 110 (Connection timed out)] 06:38 -!- onats__ [n=onats@122.53.134.78] has quit [Read error: 110 (Connection timed out)] 06:38 -!- onats__ [n=onats@122.53.137.107] has joined ##openvpn 06:43 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 06:43 -!- theDoc 
[n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:52 < ecrist> krzee: server's powered up 06:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:20 -!- lataffe [n=lars@89.10.28.212] has quit [Read error: 145 (Connection timed out)] 07:31 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 08:12 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 08:29 -!- lolmaus [n=lolmaus@77.72.19.231] has joined ##openvpn 08:29 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 08:29 < lolmaus> Hi! I've set up an openvpn server on my linux virtual server. I would like to connect to it from my WinXP machine. Can I use a standard Windows VPN connection or do I have to install OpenVPN too? 08:30 < lolmaus> The server is in bridging mode 08:33 < ecrist> you need openvpn 08:34 < ecrist> 'windows standard vpn' is PPTP/L2TP 08:34 < ecrist> OpenVPN is OpenVPN 08:35 < lolmaus> Thx 08:55 < lolmaus> Where do i put key files on Windows? 09:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 09:20 -!- crocr [n=sveniu@leia.ifi.uio.no] has quit [Read error: 60 (Operation timed out)] 09:23 -!- tuxinator [n=chatzill@195.34.89.245] has quit ["ChatZilla 0.9.84 [Firefox 3.0.9/2009040821]"] 09:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:37 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 09:39 < dazo> lolmaus: in a directory on the HD ... normally no special key management thing ... if you use OpenVPN GUI, you'll find the folder via the Start menu 09:41 < dazo> lolmaus: to be precise, the paths to the key files are defined in your config ... 
if no full path is given, it's relative to the directory of the config file 09:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:49 -!- nibu [n=bau@unaffiliated/nibu] has joined ##openvpn 10:10 -!- bau_ [n=bau@189.81.146.18] has joined ##openvpn 10:12 -!- nibu [n=bau@unaffiliated/nibu] has quit [Read error: 110 (Connection timed out)] 10:30 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has joined ##openvpn 10:31 < JScoobyCed> Hi, I am issuing "openvpn --mktun --dev tap0"... and then, I cannot see any tap0 interface in "ifconfig" and when I start the client it says "no such device tap0" 10:32 < JScoobyCed> the openvpn server is on WindowsXP configured with "dev tap", does that mean I can't access it from a linux machine? 10:33 < JScoobyCed> how to persist the 'tap' device? 10:37 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 10:41 < dazo> JScoobyCed: do you do --mktun --dev tap0 on the Windows box? 10:41 < JScoobyCed> dazo: nope, on ubuntu 10:42 < JScoobyCed> on windows box I created the tap interface using the tools provided by openvpn 10:42 < dazo> JScoobyCed: if you do ifconfig -a .... or ifconfig tap0 .... do you see the interface in this setup? 10:42 < dazo> JScoobyCed: yeah, that was what I was about to recommend 10:42 < JScoobyCed> I could access the windows openvpn when my machine was windows 10:43 < JScoobyCed> yes, ifconfig -a shows the device tap0 10:43 < dazo> JScoobyCed: there are no restrictions on cross-platform connections .... so there should not be any issues with that, for sure 10:43 < dazo> JScoobyCed: and the openvpn process starts without any issues on the Ubuntu box? 10:43 < JScoobyCed> dazo: thanks for the 'ifconfig -a', I forgot about that 10:44 < JScoobyCed> dazo: so my tap0 device is here... why can openvpn not see it? 10:44 < JScoobyCed> dazo: I tried to run as root, doesn't change 10:45 < JScoobyCed> dazo: should I 'ifconfig tap0 up ...' the interface? or config IP ? 
10:45 < dazo> JScoobyCed: I presume you start openvpn as root ... so I would recommend you to set log level to 6 (verb 6 in config) ... and pastebin it .... you might even see some warnings in logs which can help you out 10:45 < JScoobyCed> ok, going to try that now 10:46 < dazo> JScoobyCed: no, that's not needed .... but the openvpn process must be started as root ... in *nix you can put --user and --group which will then "degrade" OpenVPN's privileges when it is done with the stuff needing root privileges 10:46 < dazo> JScoobyCed: I'll be waiting for logs then 10:47 < JScoobyCed> dazo: ok, got the logs 10:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 10:47 < JScoobyCed> dazo: how to 'pastebin' ? :) 10:47 < dazo> !pastebin 10:47 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:48 < JScoobyCed> !pastebin Wed May 6 22:46:42 2009 us=349210 OPTIONS IMPORT: timers and/or timeouts modified 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349242 OPTIONS IMPORT: --ifconfig/up options modified 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349270 OPTIONS IMPORT: route options modified 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349586 ROUTE default_gateway=192.168.41.1 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349700 Note: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349734 Note: Attempting fallback to kernel 2.2 TUN/TAP interface 10:48 < vpnHelper> JScoobyCed: Error: "pastebin" is not a valid command. 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349775 Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349811 Exiting 10:48 < ecrist> !logs 10:48 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 10:48 < JScoobyCed> errr... 
not sure I did it well 10:48 < JScoobyCed> ok, trying logs 10:49 < JScoobyCed> !logs Wed May 6 22:46:42 2009 us=349210 OPTIONS IMPORT: timers and/or timeouts modified 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349242 OPTIONS IMPORT: --ifconfig/up options modified 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349270 OPTIONS IMPORT: route options modified 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349586 ROUTE default_gateway=192.168.41.1 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349700 Note: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349734 Note: Attempting fallback to kernel 2.2 TUN/TAP interface 10:49 < vpnHelper> JScoobyCed: Error: "logs" is not a valid command. 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349775 Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349811 Exiting 10:49 < ecrist> I don't think you understand 10:49 < ecrist> you need to copy/paste into a web browser to www.pastebin.ca 10:49 < dazo> lol 10:50 < JScoobyCed> !!... sorry guys 10:50 < vpnHelper> JScoobyCed: Error: "!..." is not a valid command. 10:50 < JScoobyCed> dazo: http://www.pastebin.ca/1414344 10:50 < JScoobyCed> is that the way ? 10:50 < dazo> JScoobyCed: seems a lot better ;-) 10:50 < ecrist> yes 10:51 < JScoobyCed> dazo : I got only the client logs, no access to server since this morning when I switched to ubuntu 10:51 < JScoobyCed> dazo: do u need the full log? I put only the relevant errors 10:51 < dazo> JScoobyCed: ehhh .... I'm confused now .... do you have problems on your Ubuntu or Windows box? 10:52 < JScoobyCed> dazo: with ubuntu 10:52 < dazo> JScoobyCed: and what you showed me here, is from the Ubuntu log? 10:52 < JScoobyCed> dazo: the openvpn server is on windows xp 10:52 < JScoobyCed> dazo: I used to connect to it from windows openvpn client 10:52 < dazo> JScoobyCed: ubuntu logs - where you have problems? 
10:53 < JScoobyCed> dazo: but now I formatted and installed ubuntu 10:53 < JScoobyCed> now I cannot access the windows openvpn server from ubuntu openvpn client 10:53 < JScoobyCed> that was the ubuntu openvpn client lg 10:53 < JScoobyCed> dazo: log 10:54 < dazo> JScoobyCed: that's fine enough ... good ... now I know more what I'm looking at 10:54 < JScoobyCed> dazo: sorry, I didn't explain at first 10:54 < dazo> JScoobyCed: so ifconfig -a gives you tap0 .... but openvpn does not see it ... that's very odd ... 10:55 < dazo> JScoobyCed: can we please see your config file as well? 10:55 < JScoobyCed> dazo: ok, hold on 10:55 < dazo> (just pastebin that one as well) 10:55 < JScoobyCed> dazo: sorry, I have to go (meeting with client) I'll pastebin in an hour 10:55 < JScoobyCed> dazo: or I'll wait 10:55 < JScoobyCed> dazo : thanks 10:56 < dazo> JScoobyCed: oki ... no prob ... I might not be here at that point ... but there are a lot of others here who should be able to follow up 10:57 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has quit ["Leaving."] 10:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:09 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 11:11 -!- albech [n=albech@119.42.76.84] has quit [SendQ exceeded] 11:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:29 -!- rubydiam_ [n=rubydiam@123.236.183.243] has joined ##openvpn 11:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 11:40 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Intensity, feinoM, M06w, freaky_t, xor|, Dougy, vpnHelper, Typone, dmarkey, bau_, (+15 more, use /NETSPLIT to show all of them) 11:42 -!- Netsplit over, joins: feinoM 11:42 -!- nemysis [n=nemysis@145-184.3-85.cust.bluewin.ch] has joined ##openvpn 11:43 -!- Netsplit over, joins: freaky_t, Typone, M06w, reiffert, CybDev 11:43 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn 11:44 -!- jetole 
[n=Joe@204.13.0.100] has joined ##openvpn 11:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 11:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:44 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 11:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out] 11:46 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn 11:46 -!- bau_ [n=bau@189.81.146.18] has joined ##openvpn 11:46 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn 11:46 -!- damentz [i=damentz@support.team.at.shellium.org] has joined ##openvpn 11:46 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn 11:47 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 11:47 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn 11:47 -!- svenx [n=sveniu@pat-tdc.opera.com] has joined ##openvpn 11:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 11:47 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 11:47 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn 11:47 -!- Intensity [i=[HiX103q@unaffiliated/intensity] has joined ##openvpn 11:47 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 11:47 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: dmarkey, Gumbler, Intensity, ropetin 11:47 -!- Netsplit over, joins: Intensity, dmarkey, Gumbler, ropetin 11:47 -!- nemysis is now known as Guest84910 11:51 -!- bau__ [n=bau@189.81.146.18] has joined ##openvpn 11:52 -!- bau_ [n=bau@189.81.146.18] has quit [Read error: 113 (No route to host)] 11:52 -!- `Ned [n=Ned@cpe-98-155-203-22.hawaii.res.rr.com] has joined ##openvpn 12:00 -!- Guest84910 is now known as nemysis 12:01 -!- nemysis is now known as Guest28032 12:01 -!- Guest28032 is now known as nemysis_ 12:01 -!- nemysis_ is now known as Guest47847 12:02 -!- Guest47847 
12:02 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
12:33 -!- bau__ [n=bau@189.81.146.18] has quit ["Saindo"]
12:42 -!- jtc_0043 [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has joined ##openvpn
12:45 < jtc_0043> hi, can anyone please help me get my openvpn routing working? ... i have a ovpnserver with the local ip 10.0.0.145 gw 10.0.0.254 sm 255.255.255.0, ovpn server gives the client the ip 10.1.0.6 in the openvpn.conf: server 10.1.0.0 255.255.255.0 ... how can i route the client to the 10.0.0.0 network?
12:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:49 -!- bandini [n=bandini@host192-106-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
12:53 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:00 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has joined ##openvpn
13:00 < JScoobyCed> dazo: in case you're still here, please find my client.ovpn: http://www.pastebin.ca/1414467
13:00 -!- jtc_0043 [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has quit [Read error: 54 (Connection reset by peer)]
13:01 < JScoobyCed> dazo: no server config, but I used the one from the HOWTO documentation on openvpn website
13:07 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has left ##openvpn []
13:12 -!- benedictus [i=chatzill@d51A5C736.access.telenet.be] has joined ##openvpn
13:18 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has joined ##openvpn
13:22 -!- benedictus [i=chatzill@d51A5C736.access.telenet.be] has quit [Client Quit]
13:23 -!- rubydiam_ [n=rubydiam@123.236.183.243] has quit [Client Quit]
13:35 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
13:35 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
13:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:56 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out]
14:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:26 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
14:26 -!- Celsiux-Nulled [n=Nullesd@189.152.112.56] has joined ##openvpn
14:40 -!- oc80z [i=oc80z@quad.efnet.pe] has quit []
14:45 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Success]
14:49 -!- zooonga [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has joined ##openvpn
14:49 < zooonga> hi, i have a ovpnserver running on a server with ip 10.0.0.145 and gw 10.0.0.254 sm 255.255.255.0, ovpn server gives the client the ip 10.1.0.6 in the openvpn.conf: server 10.1.0.0 255.255.255.0 ... how can i route the client to the 10.0.0.0 network?
14:53 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
15:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:08 -!- coincoin1611 [n=coincoin@ASt-Lambert-154-1-59-6.w90-61.abo.wanadoo.fr] has joined ##openvpn
15:08 < coincoin1611> hi
15:08 < coincoin1611> it is the first time i set up a vpn
15:08 < ecrist> hi
15:08 < coincoin1611> and i succeeded
15:08 < coincoin1611> but
15:09 < coincoin1611> the client can ping all the computers in my network (where the server is)
15:09 < coincoin1611> but i cannot ping all the computers in the network where the client is
15:09 < coincoin1611> do you have any idea ?
15:10 < ecrist> !iroute
15:10 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
15:10 < ecrist> and
15:10 < ecrist> !route
15:10 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:10 < coincoin1611> i am reading it right now
15:22 < coincoin1611> does this hold for bridged vpn ?
15:22 < ecrist> yes, if you're going to route other networks
15:22 < ecrist> you also need to make sure ip forwarding is enabled on the required clients/servers
15:23 < coincoin1611> the two networks are on the same subnet 192.168.1.0 with the same netmask 255.255.255.0
15:23 < coincoin1611> i took care of setting different ip addresses for all computers
15:23 < coincoin1611> do i even have to set up routes ?
15:24 < ecrist> if they're all the same address space, no
15:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:25 < coincoin1611> ok right now i am setting /proc/sys/net/ipv4/ip_forward to 1
15:25 < ecrist> also, make sure you've bridged the interfaces on both the client and server
15:25 < ecrist> and you're not blocking traffic on the firewall
15:26 < coincoin1611> yes with brctl ? i have done that it is br0
15:31 < coincoin1611> i have wireshark on my vpn server
15:31 < coincoin1611> and when from the server network i ping a computer on the client network
15:31 < coincoin1611> the arp request is received by the vpnserver and just after wireshark tells me that
15:31 < coincoin1611> the vpn server sends a UDP packet to the client
15:31 < coincoin1611> normally the client should diffuse this arp request no ?
15:35 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit]
15:58 -!- googleman [n=zaeaze@41.221.18.166] has joined ##openvpn
15:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
16:00 < googleman> hi all
16:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:02 < googleman> how do i configure openvpn to open a port range for external use like torrent emule ?
16:02 < JScoobyCed> hi. I still have issues with my winxp (openvpn server, using dev tap TAP001) <-> Ubuntu (openvpn client, using dev tap)
16:03 < JScoobyCed> I did 'openvpn --mktun --dev tap0' and issuing 'ifconfig a' shows the 'tap0' device
16:03 < JScoobyCed> but when I try to connect to the server it says 'tap0 : file not found (error 2)'
16:16 -!- coincoin161 [n=coincoin@90.61.226.6] has joined ##openvpn
16:16 -!- coincoin161 [n=coincoin@90.61.226.6] has left ##openvpn []
16:23 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:25 < JScoobyCed> !quit
16:25 < vpnHelper> JScoobyCed: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
16:25 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has left ##openvpn []
16:27 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
16:33 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:33 -!- coincoin1611 [n=coincoin@ASt-Lambert-154-1-59-6.w90-61.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
16:37 < krzie> definitely, i haven't played with it but i know it's there
16:38 < krzie> oops wrong chan
16:47 -!- zooonga [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
17:11 -!- ariel [n=ariel@200-126-118-240.bk8-dsl.surnet.cl] has joined ##openvpn
17:24 -!- SeveredCross [n=bojanr@about/csharp/regular/severedcross] has joined ##openvpn
17:25 < SeveredCross> Hi y'all. Can someone help me WRT the Authenticate/Decrypt packet error: cipher final failed error?
17:25 < SeveredCross> Would it be caused by a firewall on the server side?
17:33 < SeveredCross> Hmm, I fixed that by switching ciphers, but I still don't have a connection through the VPN.
17:40 < SeveredCross> Configs at http://pastebin.com/f1a6ee8f8 (client) and http://pastebin.com/f84fc7ff (server)
17:41 < SeveredCross> (I realize the push route on the server isn't needed, it's cruft)
17:47 -!- epaphus is now known as Brun2
17:51 -!- dazo [n=dazo@nat/redhat/x-47a430b4e0c1081a] has quit [Read error: 110 (Connection timed out)]
17:54 -!- googleman [n=zaeaze@41.221.18.166] has quit [Read error: 110 (Connection timed out)]
17:54 -!- googleman [n=zaeaze@41.221.27.166] has joined ##openvpn
17:59 < SeveredCross> Hmm.
17:59 < SeveredCross> Apparently, the tun interface is receiving packets, but isn't sending anything back. What could cause this?
18:03 -!- googleman [n=zaeaze@41.221.27.166] has quit ["Leaving"]
18:19 -!- Celsiux-Nulled [n=Nullesd@189.152.112.56] has quit [Connection timed out]
18:24 -!- bandini [n=bandini@host192-106-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
18:28 -!- Celsiux|Nulled [n=Nullesd@189.152.112.56] has joined ##openvpn
18:29 -!- Brun2 [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:30 < krzie> a firewall
18:30 < krzie> or a... firewall
18:31 < krzie> possibly a firewall
18:31 < krzie> or a routing issue
18:31 < krzie> but much more likely a firewall ;]
18:32 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has joined ##openvpn
18:35 < SeveredCross> krzie: I opened the TUN interface wide, and nothing happens
18:35 < SeveredCross> .
18:35 -!- epaphus [n=unix3@201.199.34.174] has joined ##openvpn
18:35 < SeveredCross> (I have iptables rules to accept everything on the TUN interface, and to let everything go out)
18:36 -!- Celsiux|Nulled [n=Nullesd@189.152.112.56] has quit [Remote closed the connection]
18:36 < SeveredCross> Hmm, looks like I might've missed it on the OUTPUT chain
18:39 < SeveredCross> Yeah, I added an allow all on output tun0, and nothing happens.
18:41 < krzie> !configs
18:41 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
18:47 -!- epaphus [n=unix3@201.199.34.174] has quit [Read error: 60 (Operation timed out)]
18:48 < SeveredCross> Actually, I got it working. :)
18:54 -!- Timpa [i=timpa@c-191770d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
18:55 < krzie> what was it?
19:03 < SeveredCross> krzie: Just kinda....magically started working.
19:03 < SeveredCross> *shrugs*
19:04 * SeveredCross disappears.
19:04 -!- SeveredCross [n=bojanr@about/csharp/regular/severedcross] has left ##openvpn []
19:14 < krzie> (aka it was his firewall)
19:14 < krzie> hehe
19:32 < krzie> ecrist here?
19:54 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
20:25 -!- ariel [n=ariel@200-126-118-240.bk8-dsl.surnet.cl] has quit ["Saliendo"]
20:45 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
20:46 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
20:52 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)]
20:53 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
21:39 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit ["Leaving"]
22:22 -!- las3r [n=las3r@c-66-31-200-74.hsd1.ma.comcast.net] has joined ##openvpn
22:30 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
22:56 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has left ##openvpn []
23:09 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has quit [Read error: 110 (Connection timed out)]
23:10 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
23:19 -!- Cr0nix [n=Cr0nix@85.180.70.46] has joined ##openvpn
23:31 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
23:35 -!- Cron1x [n=Cr0nix@e180071180.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
23:41 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
23:41 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
--- Day changed Thu May 07 2009
00:04 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
00:13 -!- knoxville [n=knoxvill@c-71-63-138-244.hsd1.mn.comcast.net] has joined ##openvpn
00:14 < knoxville> when I add push "route 192.168.1.0 255.255.255.0" and push "redirect-gateway" on the server.conf file, my windows client no longer gets internet, any ideas?
00:15 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:19 < knoxville> bump!
00:20 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has quit [Connection timed out]
00:29 < knoxville> bump
00:37 < onats> what's the LAN ip of your windows client?
00:38 < onats> !tls
00:38 < vpnHelper> onats: Error: "tls" is not a valid command.
00:38 < onats> !tls-error
00:38 < vpnHelper> onats: Error: "tls-error" is not a valid command.
00:38 < onats> krzie, are you there?
00:40 < knoxville> onats, 192.168.1.50
00:41 < onats> and the vpn server's?
00:41 < knoxville> onats, 192.168.1.145 or 10.8.0.1
00:41 < onats> they are on the same LAN?
00:42 < knoxville> onats, right now they are just for the setup to get it working
00:42 < onats> ideally, your vpn server should be on a different subnet...
00:42 < knoxville> onats, correct, this I know, and it will be when I move my laptop on the road
00:45 < knoxville> ok I was able to get it working a little bit, I added this on the server side "route add default gw 192.168.1.254" and now the client is working great
00:45 < knoxville> the question now is, how can I make sure this happens when clients connect
00:48 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
00:49 < bsdbandit> i'm having 2 issues with openvpn 2.0 on openbsd 4.5: first issue is that openvpn hangs when trying to start the openvpn server manually, and 2, when trying to start up openvpn i noticed that the date shows Wed Dec 31 1969
00:49 < bsdbandit> can someone help me out with this one
00:49 < bsdbandit> z/
00:49 < bsdbandit> ?
00:50 < bsdbandit> :(
00:50 < onats> put it in a CCD file?
00:50 < onats> knoxville, put it in a ccd file?
00:51 < onats> are you routing all internet traffic to your home server?
00:54 < knoxville> onats, I will if that gets it working
00:57 < knoxville> onats, this is what I need to do: Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines).
01:01 < bsdbandit> yes
01:01 < knoxville> any help on the route portion
01:01 < bsdbandit> the openvpn server and firewall all run on the same machine
01:01 < knoxville> not in my case
01:01 < knoxville> it runs on my LAN not the gateway
01:02 < bsdbandit> oh ok
01:02 < bsdbandit> you might want to put that on the gateway
01:02 < knoxville> bsdbandit, yeah I was looking to do it eventually but there has to be a way to route it to work
01:04 < lolmaus> When adding a TAP thingie on my WinXP 64-bit, i get the following error:
01:04 < lolmaus> C:\Program Files (x86)\OpenVPN>"C:\Program Files (x86)\OpenVPN\bin\tapinstall.ex
01:05 < lolmaus> e" install "C:\Program Files (x86)\OpenVPN\driver\OemWin2k.inf" tap0801
01:05 < lolmaus> tapinstall.exe failed.
01:05 < lolmaus> Any solutions?
01:09 < onats> knoxville, are you using all command line, or a config file?
01:10 < knoxville> yeah complete terminal
01:10 < onats> ok
01:14 < onats> knoxville
01:14 < onats> i think you need to add something like this: iroute 192.168.1.0 255.255.255.0
01:14 < knoxville> onats, that would be on my server correct
01:15 < onats> yes, but it should be pushed to the clients
01:15 < knoxville> iroute is not a command in linux
01:15 < knoxville> it must have to go in the server.conf
01:15 < onats> yes..
01:15 < knoxville> but I already have the push "route 192.168.1.0 255.255.255.0" in there
01:15 < onats> but in my setup, it's in the ccd files
01:16 < onats> what do you need to do again?
01:16 < onats> basically here's my setup. i have 3 vpn sites, with different subnets, and all clients behind those LANs can ping the clients in the other lans.
01:17 < onats> what setup do you want to achieve?
01:17 < knoxville> allow the clients to be able to access the entire La
01:17 < knoxville> LAN
01:17 < onats> ok. same here
01:17 < knoxville> the 192.168.1.0/24
01:17 < onats> was able to do that
01:17 < knoxville> what's in your ccd file
01:17 < onats> do you have two sites?
01:18 < onats> on my server, i have something like this too:
01:18 < onats> iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
01:18 < jetole> Page is down => http://openvpn.net/index.php/documentation/howto.html
01:18 < onats> 192.168.66.0 is the vpn subnet
01:18 < jetole> MySQL is running in read only, page cannot do an insert
01:19 < jetole> Thought an admin may be listening
01:19 < jetole> also wasn't doing this 30 mins agp
01:19 < jetole> *ago
01:20 < onats> jetole, are you on the right channel?
01:23 < jetole> yes
01:23 < jetole> did you look at the URL
01:23 < lolmaus> SOS, i've got this tapinstall.exe failed on windows xp 64-bit
01:27 -!- deception [i=oc80z@quad.efnet.pe] has joined ##openvpn
01:28 < jetole> hmmm, I would like that howto to be up since I am trying to figure out how to patch against mitm
01:39 < reiffert> moin
01:42 -!- knoxville [n=knoxvill@c-71-63-138-244.hsd1.mn.comcast.net] has quit [Remote closed the connection]
01:42 < lolmaus> SOS, i've got this tapinstall.exe failed on windows xp 64-bit
01:44 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
01:49 -!- deception is now known as oc80z
01:50 -!- Mikaku [n=Mikaku@unaffiliated/mikaku] has joined ##openvpn
01:50 < Mikaku> fyi something is wrong in the http://openvpn.net/ web site:
01:51 < Mikaku> jtablesession::Store Failed
01:51 < Mikaku> DB function failed with error number 1290
01:51 < Mikaku> and more ...
01:51 < reiffert> We don't have that under control.
01:51 < Mikaku> reiffert: ah ok
01:51 < reiffert> Try the -devel mailinglist
01:52 < reiffert> But I doubt that the author will pay attention to anything that comes from the community.
01:53 < Mikaku> oh
01:53 < reiffert> There are so many proposals on the devel mailinglist that just get ignored totally.
01:54 < Mikaku> sad to hear that
01:54 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
01:55 < Mikaku> I thought that the author would be around this channel as it happens in other projects' channels
01:56 < reiffert> That would be very nice, indeed.
02:01 < Mikaku> sure :)
02:03 < reiffert> Even the mailinglist seems to be community-only to my eyes. It's been a long time since I saw a statement from the author.
02:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:06 < Mikaku> well the project seems to be a bit frozen because I don't see much activity in the version numbers
02:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:08 < Mikaku> 2.1 is stuck in RCs
02:12 < jetole> Mikaku: Actually I already noticed this with the howto page and posted it a little while ago but I hadn't checked the rest of the site yet
02:13 < jetole> The error described on the howto page is that SQL is in read only mode and therefore cannot insert. I am hoping this is maintenance related on the openvpn site since it seems hard to put MySQL into read only by accident
02:13 < Mikaku> jetole: ok thanks
02:13 < jetole> yeah, same error on http://openvpn.net/ about MySQL being in read only mode
02:15 < jetole> huh, I think this effectively implies that openvpn.net is using Joomla if I am not mistaken
02:15 < jetole> I mean the error it is giving about jos_session
02:15 < Mikaku> it seems that affects all the web site
02:15 < jetole> could also be custom written and the author just named his table the same with the exact same format but I doubt it
02:15 < jetole> Mikaku: yeah it probably should
02:18 < jetole> well I found the howto via the wayback machine, http://web.archive.org/web/20080203163312/http://openvpn.net/howto.html
02:18 < jetole> 2008 is the newest one they seemed to have
02:18 < Mikaku> I use Google cache for that
02:19 < jetole> yeah I was actually looking for google cache first but didn't know the url and "google archive" didn't help too much
02:19 < Mikaku> the problem is that you can't follow links inside
02:19 < jetole> well you can with the archive.org
02:19 < jetole> try the url I just posted
02:19 < Mikaku> yep :)
02:19 < jetole> what is the google cache url?
02:20 < Mikaku> search for this in Google: http://openvpn.net/howto.html
02:20 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
02:20 < Mikaku> and click on Cache
02:20 < jetole> click on Cache?
02:21 < jetole> Dammit, why do they make that so hard to find
02:21 < jetole> :P
02:21 < Mikaku> ;)
02:21 < jetole> actually I did just finish what I was looking for. I followed the steps for creating a cert that stops mitm on the server and wasn't sure how to configure the client to follow this but I just figured it out
02:22 < jetole> gonna go have a smoke, bbiab
02:22 < Mikaku> ok
02:26 < lolmaus> SOS, i've got this tapinstall.exe failed error on windows xp 64-bit. Can anyone help me with it?
02:27 -!- Cope_ [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn
02:28 -!- Cope_ is now known as Cope
02:30 < Mikaku> fyi http://openvpn.net/ is working again
02:30 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net)
02:32 < jetole> so it is
02:33 < jetole> I am assuming this was a maintenance issue since like I mentioned, it's hard to put MySQL into read only mode by accident
02:33 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:33 < Mikaku> you're right
02:40 < jetole> can someone recommend a good windows gui for openvpn where the user will not have administrative rights on the system?
02:43 < reiffert> openvpngui, bundled with openvpn.
02:44 < jetole> also, is it possible to have the client key/cert with the same name for all clients however the clients will not have the same CN in each one? I am thinking of creating a template directory and don't want to have to edit the config file for each client but can simply copy the key/cert into the template dir with the common name and send the template dir to clients
02:44 < jetole> reiffert: thanks
02:44 < krzee> !win_noadmin
02:44 < vpnHelper> krzee: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
02:44 < reiffert> !factoids search cert
02:44 < vpnHelper> reiffert: 'servercert', 'certs', and 'nocert'
02:45 < reiffert> !certs
02:45 < vpnHelper> reiffert: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrist's copy of ssl-admin to make and manage your certs
02:46 < onats> reiffert, i'm getting a TLS Error: TLS handshake failed error. do you have any suggestions where to start?
02:46 < reiffert> jetole:
02:46 < reiffert> !factoids search duplicate
02:46 < jetole> um, lemme clarify this a little, suppose both John and Leo each have client.crt and client.key inside their config file, same name on each separate computer but the CN for Leo is 'CN=leo' and for John 'CN=john'
02:46 < vpnHelper> reiffert: No keys matched that query.
02:46 < reiffert> jetole: however, --duplicate-n
02:46 < reiffert> jetole: however, --duplicate-cn
02:46 < Cope> I want to set up a remote access vpn to allow some users access to a windows machine in the office
02:46 < jetole> reiffert: but that isn't a duplicate cn
02:46 < Cope> I have a machine with one NIC, and I have an external IP available
02:47 < Cope> Is the one NIC a problem?
02:47 < krzee> no
02:47 < reiffert> cert filename doesn't matter.
02:47 < jetole> Cope, no it isn't but you simply will want to firewall where they have access to
02:47 < jetole> reiffert: that's what I thought but wanted to make sure
02:47 < jetole> thanks
02:47 < krzee> reiffert, he is asking if he can use the same cert just change CN
02:47 < krzee> i think
02:47 < jetole> krzee: no
02:48 < jetole> I mean new certs will be created for each one
02:48 < krzee> ok
02:48 < reiffert> krzee: no, different certs but same filename each time, namely: client.crt client.key
02:48 < jetole> it was really just the file name I was wondering about
02:48 < krzee> my bad
02:48 < Cope> jetole: right, so as to only allow access to the windows machine?
02:48 < krzee> oh so his conf doesn't change
02:48 < jetole> Cope: right
02:48 < krzee> gotchya
02:48 < krzee> totally legit
02:48 < jetole> krzee: yes
02:48 < jetole> yeah, lol
02:48 < jetole> appreciate it guys
02:48 < Cope> Now - I've heard about IP conflicts unfortunately the office subnet is 192.168.1.0/24
02:48 < krzee> although ssl-admin will do the config packaging for you
02:48 < onats> TLS Error: TLS handshake failed <--- anyone have suggestions where to start looking?
02:48 < krzee> assuming you supply it with the base client config
02:49 < Cope> If $user is also on the same subnet, will they be able to route to the windows box on the office network?
02:49 < krzee> it'll give you a lil zip with their keys and their config
02:49 < krzee> Cope, if you set it up that way
02:49 < jetole> just saves some admin headache for sending out packages to a bunch of employees, this way I can just copy leo.crt, into template/client.crt, same thing for the key, and then tar it and send it to him
02:49 < krzee> !route
02:49 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:49 < krzee> cope, that's for you
02:49 < jetole> without worrying about changing cert name in the config each time
02:49 < krzee> Cope, that explains what to do when lans are behind server / client
02:49 < jetole> krzee: I don't think route is too helpful
02:50 < krzee> jetole, that's for Cope
02:50 < jetole> a route can only go as small as allowing ...
02:50 < jetole> oh, you know what
02:50 < jetole> that works
02:50 < reiffert> jetole: I made some config templates and I create the user files with the help of sed and zip.
02:50 < jetole> a route is 4 addresses I believe but one is net, one is router, one is host and one is broadcast
02:50 < krzee> so does ssl-admin
02:51 < jetole> ah I hate running zip on linux
02:51 < krzee> ssl-admin does it for you *shrug*
02:51 < jetole> alright, well back to work for me
02:52 < Cope> krzee: that doesn't seem to match my situation: users may be on 192.168.1.0/24; office network is -also- on 192.168.1.0/24; How can packets be routed from home to office over a vpn?
02:52 < krzee> can't change office's lan?
02:52 < Cope> not easily
02:52 < krzee> could use the NAT hack
02:52 < Cope> certainly not by tomorrow, when the vpn is needed
02:53 < Cope> !nathack
02:53 < vpnHelper> Cope: Error: "nathack" is not a valid command.
02:53 < krzee> hrm good call
02:53 < jetole> Cope: that's kinda like an anti tcp/ip situation
02:53 < krzee> i should make a !nathack
02:53 < Cope> jetole: that's what worries me
02:53 * Cope thinks hard.
02:54 < Cope> the windows box doesn't have to be on 192.168.1.0/24 - as long as there's a local router, it could be on a different subnet, connected to the vpn box maybe
02:55 < krzee> !learn nathack as when a lan has a common subnet and must be accessed by openvpn, and you don't have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine.
02:55 < vpnHelper> krzee: Joo got it.
02:55 < jetole> Cope: how should your home machine know if you want 192.168.0.50 on its lan or vpn unless you specify 192.168.0.0/24 to be on both or you specify a route with higher priority for a subsection of 192.168.0.0/24, let's say 192.168.0.0/29 which comes first and is routed to your office but in this case 192.168.0.0/29 must not have any addresses within it that you will need to access simultaneously on your home network on 192.168.0.0/24
02:56 < Cope> jetole: exactly
02:56 < krzee> !learn nathack as the vpn endpoint with nat will also need ipforwarding enabled (see !ipforward)
02:56 < vpnHelper> krzee: Joo got it.
02:56 < krzee> there you go cope
02:56 < krzee> !nathack
02:56 < vpnHelper> krzee: "nathack" is (#1) when a lan has a common subnet and must be accessed by openvpn, and you don't have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine., or (#2) the vpn
02:56 < jetole> Cope: I would in fact change my home lan to a non conflicting subnet like 192.168.10.0/24
02:56 < vpnHelper> krzee: endpoint with nat will also need ipforwarding enabled (see !ipforward)
02:57 < krzee> jetole, he was saying the clients MAY be on that
02:57 < krzee> as in they are not under his control
02:57 < jetole> ah right
02:57 < krzee> best option is to change server lan
02:57 < Cope> krzee: right - they are random users, and non-technical
02:57 < krzee> but if that is also not in his control, he can use the nathack
02:57 < jetole> well I have that same situation which I am simply going to advise that you change it and if you don't then cry to someone else
02:58 < krzee> it's true
02:58 < krzee> but there's another way as well
02:58 < krzee> i advise the same as you most of the time
02:58 < Cope> I can change the server LAN, just not today - would be a significant upheaval
02:58 * jetole re reads the nethack
02:58 < krzee> not net
02:58 < krzee> NAT
02:58 < Cope> !nathack
02:58 < jetole> and where's the amulet of Yendor, did a grue eat it?
02:58 < vpnHelper> Cope: "nathack" is (#1) when a lan has a common subnet and must be accessed by openvpn, and you don't have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine., or (#2) the vpn
02:58 < vpnHelper> Cope: endpoint with nat will also need ipforwarding enabled (see !ipforward)
02:58 < krzee> network address translation
02:58 -!- dazo [n=dazo@nat/redhat/x-1f91edc3c30070cd] has joined ##openvpn
02:59 < krzee> !forget nathack *
02:59 < vpnHelper> krzee: Joo got it.
02:59 < krzee> !learn nathack as when a lan has a common subnet and must be accessed by openvpn, and you don't have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine.
02:59 < vpnHelper> krzee: Joo got it.
02:59 < jetole> actually the nethack doesn't sound like a valid solution unless you are only expecting incoming traffic without sending any
02:59 -!- Mikaku [n=Mikaku@unaffiliated/mikaku] has left ##openvpn []
02:59 < krzee> !learn nathack as the vpn endpoint with nat will also need ipforwarding enabled (see !ipforward and !nat)
02:59 < vpnHelper> krzee: Joo got it.
02:59 < krzee> it's NOT a nethack
02:59 < krzee> NAT!
02:59 < krzee> lol
02:59 < krzee> nat nat nat!
03:00 < Cope> ok so my vpn server has one IP - some publicly routed one
03:00 < krzee> cope
03:00 < krzee> here's how it works
03:00 < krzee> currently:
03:00 < jetole> nat too, I mean no matter what, you really should not have the same subnet on both ends and you're looking at only doing a hack to get around it
03:00 < jetole> that's just basic TCP/IP
03:01 < Cope> jetole: yes - I agree, and I can and will change the server lan, i just can't do it quickly
03:01 < krzee> the client connects, gets a route to 192.168.1.0 over vpn
03:01 < krzee> which breaks *
03:01 < jetole> Cope, well I agree however there is another solution, you mention that you only have one machine on the server lan they need access to?
03:01 < krzee> hrm
03:01 < krzee> !forget nathack *
03:01 < vpnHelper> krzee: Joo got it.
03:01 < jetole> brb, getting a glass of water
03:01 < Cope> jetole: that's correct; for now we need only access one machine - the windows one
03:02 < krzee> i don't think that's the situation for it actually, lemme think a sec
03:02 < krzee> ohh
03:03 < jetole> ok, this is easy
03:03 < krzee> nathack was for something very similar but not exactly the same
03:03 < jetole> Cope, figure out what net you want to change the lan to, for example, let's say you want to change it to 10.10.0.0/24
03:03 < krzee> it's a hack for when you can't add the route to the router for the foreign subnet
03:03 < jetole> add a second IP address to the windows server on that network
03:03 < jetole> do the same thing for the openvpn server
03:03 < jetole> and tell openvpn to forward routing for that net only
03:04 < krzee> actually good call
03:04 < jetole> I do "good calls" occasionally
03:04 < Cope> how does the windows server know how to route on the 10.10.0.0/24 subnet?
03:04 < Cope> do i specify the vpn ip as the route?
03:04 < jetole> you specify a subnet for it
03:05 < jetole> actually I believe you might need to but then again
03:05 < krzee> not vpn ip
03:05 * Cope goes to look at the windows server
03:05 < krzee> you tell vpn to give clients a route to that ip through vpn
03:05 < jetole> my ovpn uses 10.100.0.0/24 and none of the internal computers have needed a manual route update
03:05 < jetole> then again I just realized my ovpn server is also a router
03:06 < Cope> right the windows machine has a spare nic
--- Log closed Thu May 07 03:09:29 2009
--- Log opened Thu May 07 06:49:40 2009
06:49 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
06:49 -!- Irssi: ##openvpn: Total of 72 nicks [0 ops, 0 halfops, 0 voices, 72 normal]
06:49 -!- Irssi: Join to ##openvpn was synced in 1 secs
06:49 < jetole> !gui
06:49 < vpnHelper> jetole: Error: "gui" is not a valid command.
06:50 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
06:50 < ecrist> krzie: I'm here now.
07:06 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 110 (Connection timed out)]
07:06 -!- las3r [n=las3r@c-66-31-200-74.hsd1.ma.comcast.net] has left ##openvpn []
07:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:29 -!- Zulan [n=foooooo@141.30.64.40] has joined ##openvpn
07:30 -!- mosno [n=mosno@unaffiliated/mosno] has quit ["leaving"]
08:27 < Zulan> Hi, I am looking for something to compress multiple packets into one. Since I haven't found any working solution I have thought about hacking it into openvpn, however it looks like the main processing is very single-packet oriented... Any thoughts on this?
08:27 < ecrist> why do you want to compress multiple packets into one?
08:27 < ecrist> really, you should just change your MTU, but most networks won't handle more than 1522, or less.
08:28 < Zulan> I want to reduce IP/UDP overhead
08:28 < ecrist> right, you need to change MTU
08:28 < ecrist> you can't really combine multiple packets into one.
08:28 < Zulan> how would that help?
08:29 < ecrist> perhaps you should read about MTU, and how TCP/IP actually works?
08:29 < Zulan> I think i know fairly well how MTU and IP works
08:30 < ecrist> well, you must know more than I, then. good luck
08:30 < Zulan> The problem is that the tiny packets are sent by a closed source application at a high frequency
08:30 < Zulan> and due to the IP overhead the bandwidth requirement is very high
08:32 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: reiffert, CybDev
08:33 -!- Netsplit over, joins: reiffert, CybDev
08:33 < Zulan> I want to do the combination with the tunnel, not at a normal network level, i might have stated that incomprehensibly
08:35 < Bushmills> Zulan, but tunneled packets still come with headers
08:37 < Bushmills> in fact, more headers. the tunneled packets carry headers, and the tunnel itself too.
08:37 < Zulan> Of course, but if i can put 5 packets into one, I only have one IP header sent through the bottleneck connection rather than 5
08:39 < Zulan> (well basically I have to carry the 5 IP headers inside the tunnel anyway, but i could compress them)
08:39 < Bushmills> i might look at vtun, in your case
08:40 < Zulan> Actually I considered that, but that is not available for the proprietary OS that the proprietary application runs on :/
08:43 < Zulan> do you have a rough idea how much overhead openvpn introduces to a single packet?
08:44 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn
08:44 < sunta> jo
08:45 < sunta> erm hi;)
08:45 < sunta> guys, which router supports openVPN? forgot which;:(
08:47 < sunta> dlink somewhat?
08:47 < ecrist> any that runs OpenWRT
08:47 < sunta> got an example?
08:48 < sunta> I want to connect a remote office with it. easier than setting up 10 clients or?
08:49 < ecrist> http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html
08:49 < vpnHelper> Title: Supported Hardware (at www.dd-wrt.com)
08:49 < ecrist> sunta: I'd setup a freebsd server as the client on that end and push the entire network across
08:49 < ecrist> !freebsd
08:49 < ecrist> !route
08:49 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:49 < ecrist> !iroute
08:49 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:49 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
08:49 < Bushmills> Zulan, increase of latency here is negligible. close to measurement noise level.
08:49 < sunta> good idea
08:50 < ecrist> sunta: http://www.dd-wrt.com/wiki/index.php/Supported_Devices
08:50 < vpnHelper> Title: Supported Devices - DD-WRT Wiki (at www.dd-wrt.com)
08:50 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:50 < onats__> wazzah!
08:51 < sunta> what is freebsd though?
08:51 < sunta> just kiddin!
08:51 < Zulan> So i guess its in the range of ~20 bytes per packet?
08:51 < sunta> thx ecrist !
08:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Nick collision from services.]
08:52 -!- cpm_ is now known as cpm
08:52 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:11 -!- Timpa [i=timpa@c-191770d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
09:31 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:35 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has quit [Success]
09:52 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has joined ##openvpn
09:54 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit []
10:07 < frankS2> Hi, anyone here got any experience with ssl-admin? I am following the MAN on secure-computing.net to create a certificate, but the only certs i get is ca.crt and ca.key and the dh1024 file
10:14 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:25 -!- sunta [n=cw@achilles.raytion.com] has left ##openvpn ["Verlassend"]
10:34 -!- Zulan [n=foooooo@141.30.64.40] has quit ["Konversation terminated!"]
10:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:08 -!- kachu [n=Zumbi@ip65-46-72-90.z72-46-65.customer.algx.net] has joined ##openvpn
11:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:35 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
11:41 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
11:51 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
11:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
12:18 < frankS2> that means im missing 1 file
12:21 -!- jeiworth [n=jeiworth@189.177.186.95] has joined ##openvpn
12:24 < jeiworth> hi, i have a question regarding bridged vpn setup, i configured my bridge-start script and put it together with the bridge-stop into /usr/sbin, i can run it and it creates the bridge but how do i automate this on system boot? edit the openvpn service script in /etc/init.d/ or is the bridge persistent even for reboots?
12:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
12:50 -!- kachu [n=Zumbi@ip65-46-72-90.z72-46-65.customer.algx.net] has quit [Read error: 104 (Connection reset by peer)]
12:57 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
12:58 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:00 -!- jeiworth [n=jeiworth@189.177.186.95] has quit [Read error: 60 (Operation timed out)]
13:09 -!- jeiworth [n=jeiworth@189.177.186.95] has joined ##openvpn
13:11 -!- oandarilho01 [n=kvirc@in.databras.com.br] has joined ##openvpn
13:12 < oandarilho01> greetings! someone with PKCS#11 experience?
13:14 < oandarilho01> is there a 2.1 version post-rc15 ?
13:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:46 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has quit [Read error: 60 (Operation timed out)]
14:14 < krzee> rc15 is the latest
14:14 < krzee> !download
14:14 < vpnHelper> krzee: "download" is http://www.openvpn.net/index.php/downloads.html
14:14 < krzee> it will be there when theres newer
14:23 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
14:24 < Hydrant> hello all... I'm setting up openvpn, and I didn't realize that I have to do some extra work to get the openvpn server to work with other servers on the LAN... I need some help or direction to resources to figure out how to configure routing for other systems on the LAN to be able to communicate with the openvpn client
14:24 < Hydrant> !route
14:24 < vpnHelper> Hydrant: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:30 < Hydrant> k I have a question
14:30 < Hydrant> I want to set my router to forward traffic from the VPN clients to the VPN then right...
14:30 < krzee> huh?
14:31 < Hydrant> so if 192.168.2.10 gets a response from 10.8.0.2 for instance... it would send the response to the gateway at 192.168.2.1... and I'd want to route the 10.8.x.x traffic back through the VPN somehow ?
14:31 < krzee> ok thats not vpn clients
14:31 < krzee> thats LAN machines
14:32 < Hydrant> on the vpn server side
14:32 < krzee> and yes, that was covered in !route under the drawing
14:32 < Hydrant> yah, looking at it
14:32 < Hydrant> I'm a bit unclear on the exact solution
14:33 < krzee> if 192.168.2.x is the lan being accessed over openvpn
14:33 < krzee> then the machine on that lan running openvpn is the gateway for the vpn
14:33 < krzee> so it must be running ip forwarding (!ipforward)
14:33 < Hydrant> ah
14:34 < Hydrant> so I can add a route for the addresses of VPN clients on the router to that gateway once I have ipforwarding then
14:34 < krzee> and the router on its lan must know that for 10.8.0.x it sends packets to the machine running openvpn
14:34 < Hydrant> yah okay
14:34 < krzee> actually im not 100% you need ip forwarding
14:34 < krzee> try it first without ip forwarding
14:34 < Hydrant> okay I'll just add to the route table and see what happens
14:35 < krzee> on the router for that lan
14:35 < krzee> is the lan behind the server?
14:35 < Hydrant> the wiki is good by the way, I see you wrote it... but it might be a bit more help if you were to have a simple section first, then show the more complex example next
14:35 < Hydrant> yes
14:35 < Hydrant> the router currently is directly on the net
14:35 < Hydrant> and forwards openvpn port internally to the OpenVPN server
14:36 < Hydrant> oh sorry
14:36 < Hydrant> no, the lan isn't behind the server
14:36 < krzee> so you pushed a route?
14:36 < Hydrant> yes
14:36 < krzee> wait wait
14:36 < krzee> where is the lan?
14:36 < krzee> behind a client or a server?
14:36 < krzee> (relation to vpn)
14:37 < Hydrant> the lan is behind a linksys router that's currently forwarding the vpn port to an internal server
14:37 < krzee> heh
14:37 < krzee> not in relation to the inet
14:37 < krzee> in relation to the vpn
14:37 < Hydrant> ah
14:37 < Hydrant> well... I suppose behind the server then
14:37 < krzee> is it the lan with ovpn server or client
14:37 < Hydrant> openvpn server
14:38 < Hydrant> I have no interest in openvpn client networks
14:38 < krzee> ok, then its behind the server as far as vpn is concerned
14:38 < Hydrant> so I also wasn't sure if I needed client-client or not
14:38 < krzee> the router / firewalls are bypassed because they only exist on the outside of the tunnel
14:38 < krzee> well, do you need clients to access each other?
14:38 < krzee> (without hitting the kernel / firewall rules)
14:39 < krzee> client-to-client allows openvpn to handle routing clients to each other without hitting the kernel
14:39 < krzee> all internally
14:39 < krzee> as explained in:
14:39 < krzee> !man
14:39 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:41 < Hydrant> I would want say 10.8.0.11 to know about 10.8.0.12...
14:41 < Hydrant> but not to really use each other as gateways for their networks
14:43 < Hydrant> k... I setup a static routing table
14:43 < Hydrant> I don't seem to be able to ping other systems though, lemme see what the logs say
14:43 < Hydrant> !logs
14:43 < vpnHelper> Hydrant: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:44 < Hydrant> !iproute
14:44 < vpnHelper> Hydrant: Error: "iproute" is not a valid command.
14:44 < Hydrant> !interface
14:44 < vpnHelper> Hydrant: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:46 < Hydrant> !ipforward
14:46 < vpnHelper> Hydrant: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:46 < krzee> did you push a route to clients for the lan?
14:46 < Hydrant> !linipforward
14:46 < vpnHelper> Hydrant: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
14:46 < Hydrant> krzee: I adjusted my default router (linksys router)
14:46 < Hydrant> added a static route
14:46 < krzee> did you push a route to clients for the lan?
14:46 < krzee> (as explained if you read my walkthrough)
14:46 < Hydrant> I'm not sure what you mean
14:46 < Hydrant> oh, you mean adding route
14:47 < Hydrant> err. push route
14:47 < Hydrant> yes
14:47 < krzee> push "route 192.168.2.0 255.255.255.0"
14:47 < krzee> and the router on the lan is what OS?
14:47 < Hydrant> http://rafb.net/p/LKZXNV17.html
14:47 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:48 < Hydrant> it's a $89 linksys router :-P
14:48 < Hydrant> everything else is linux systems
14:49 < krzee> is it running linux or linksys firmware?
14:50 < Hydrant> linksys firmware
14:51 < Hydrant> http://rafb.net/p/XJYpTb38.html
14:51 < krzee> ok
14:51 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:51 < Hydrant> here is my route table on the router
14:52 < krzee> !configs
14:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:53 < Hydrant> server: http://rafb.net/p/lWiksH16.html
14:53 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:54 < Hydrant> client: http://rafb.net/p/g2qRHm47.html
14:54 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:56 < Hydrant> is there a way to see how packets are getting routed around? just traceroute I guess?
15:01 < Hydrant> aha... with ipforwarding it works perfectly!
15:10 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
15:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:46 -!- jeiworth [n=jeiworth@189.177.186.95] has quit [Read error: 110 (Connection timed out)]
16:00 -!- jeiworth [n=jeiworth@189.177.123.182] has joined ##openvpn
16:19 -!- bi0os_ [n=bi0os_@67.227.82.47] has joined ##openvpn
16:19 < frankS2> Hi, anyone here got any experience with ssl-admin? I am following the MAN on secure-computing.net to create a certificate, but the only certs i get is ca.crt and ca.key and the dh1024 file
16:19 < frankS2> so i am missing the server.key/crt
16:23 -!- bi0os_ [n=bi0os_@67.227.82.47] has left ##openvpn []
16:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:35 -!- KavanS [n=KavanS@static-71-117-242-28.ptldor.dsl-w.verizon.net] has joined ##openvpn
16:53 -!- oandarilho01 [n=kvirc@in.databras.com.br] has quit ["KVIrc 3.4.0 Virgo http://www.kvirc.net/"]
17:02 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
17:34 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:23 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has joined ##openvpn
18:24 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has quit [Remote closed the connection]
18:25 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has joined ##openvpn
18:48 < reiffert> frankS2: ecrist and krzee know all about it
18:48 < ecrist> frankS2: do you have the latest version from SVN, or are you on FreeBSD, using ports version?
18:48 -!- eliasp [n=quassel@95.208.45.212] has quit [Read error: 131 (Connection reset by peer)]
18:49 < frankS2> freebsd ports
18:49 * ecrist wrote ssl-admin
18:49 -!- freaky_t [i=alpha@member.team-box.net] has quit [Read error: 104 (Connection reset by peer)]
18:49 < ecrist> the latest ports tree has the latest working copy of ssl-admin, so all the bits should be there.
18:49 < frankS2> http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
18:49 < vpnHelper> Title: FreeBSD OpenVPN Server/Routed - Secure Computing Wiki (at www.secure-computing.net)
18:49 < frankS2> i followed this
18:50 < ecrist> option 'S' will build an OpenVPN server certificate
18:50 < ecrist> that page is a little out of date.
18:50 < ecrist> see
18:50 < ecrist> !freebsd
18:50 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
18:50 < ecrist> but everything else should apply
18:50 < ecrist> see option S on the ssl-admin menu
18:51 < frankS2> oh ok
18:51 < frankS2> the how-to should be updated then
18:51 < frankS2> hehe
18:51 < krzee> frankS2, did you choose S for server?
18:51 < frankS2> krz: no i just followed the manual
18:51 < krzee> ahh
18:51 < krzee> ya that was before S was added
18:52 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
18:52 < krzee> sup eric
18:52 < ecrist> nm. you?
18:52 < krzee> chillen
18:52 < ecrist> I got your server powered-up, btw.
18:53 < krzee> thinkin bout going out in a few but the girl dont feel good
18:53 < ecrist> aww
18:53 < krzee> ya i saw, thanx
18:53 < ecrist> wife and I are going to Disturbed concert tomorrow. :)
18:53 < krzee> niiiice
18:55 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn
18:56 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
18:59 < freaky_t> hi all i have a problem with the bridging setup. i have 1 ethernet device on that server (eth0). and im trying to create a bridge on it using the bridge-start script. but everytime i run the bridge-start script, my connection to the server gets lost and i cant connect to it anymore using ssh. i then have to restart the server.
19:00 < freaky_t> in the log theres this message:
19:00 < freaky_t> Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
19:00 < freaky_t> oh wait no
19:00 < freaky_t> sorry wrong one
19:00 < freaky_t> this:
19:00 < freaky_t> May 8 01:39:43 master ovpn-server[19845]: /usr/bin/openssl-vulnkey -q -b 1024 -m
19:00 < freaky_t> May 8 01:39:44 master ovpn-server[19845]: TUN/TAP device tap0 opened
19:01 < freaky_t> can anyone help me?
19:03 < krzee> does the bridge script set a gateway for it?
19:04 < freaky_t> hm?
19:04 < freaky_t> what gateway?
19:04 < krzee> after it creates the bridge it must set a gateway
19:04 < krzee> right at the end
19:04 < krzee> common problem
19:05 < krzee> my guess is that if you set a gateway manually if it wasnt a remote box it would start working
19:05 < freaky_t> ok so what should i do now?
19:06 < freaky_t> how do i add this gateway?
19:06 < krzee> have it rebooted and add that to the script
19:06 < krzee> do you really need bridged?
19:06 < krzee> usually people try bridge but they should be using routed
19:06 < freaky_t> I want bridged so we can see each others PCs in the network
19:07 < freaky_t> what should I add to the script?
19:07 < krzee> with an IP protocol?
19:07 < freaky_t> i mean using windows network file sharing
19:07 < krzee> wins server?
19:07 < freaky_t> hmm
19:08 < freaky_t> would I only need to run a wins server to achieve that we can see each others PCs?
19:08 < krzee> yup
19:08 < freaky_t> oh cool
19:08 < krzee> !tunortap
19:08 < freaky_t> ^^
19:08 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
19:08 < krzee> hrm
19:08 < krzee> !bridge
19:08 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
19:08 < vpnHelper> krzee: (but not samba, see !wins)
19:08 < freaky_t> !wins
19:08 < vpnHelper> freaky_t: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
19:09 < freaky_t> what is a good wins server?
19:09 < krzee> windows only?
19:09 < freaky_t> maybe some linux too
19:09 < krzee> well the wins server can be on linux very easily, its part of samba
19:09 < krzee> you just change like 2 lines
19:09 < krzee> or whatever, its explained in the above link
19:09 < freaky_t> I can't get samba to run
19:10 < krzee> then you tell the windows machines to use him as the wins server
19:10 < freaky_t> i've already posted to the mailing list
19:10 < freaky_t> nobody answers me since 2 days
19:10 < krzee> ya i use NFS (but i also dont use windows)
19:10 < krzee> iv e setup
19:10 < krzee> err
19:10 < krzee> ive setup samba before, but not much
19:11 < freaky_t> it doesnt recognize the interface
19:12 < krzee> try with tun
19:12 < freaky_t> yea
19:12 < freaky_t> i tried that with tun
19:12 < freaky_t> it tells me it cant find any interfaces
19:13 < krzee> when the vpn was already up?
19:13 < freaky_t> [2009/05/08 02:13:01, 0] lib/interface.c:load_interfaces(543)
19:13 < freaky_t> WARNING: no network interfaces found
19:13 < freaky_t> yea
19:13 < krzee> *shrug* i dont really use samba
19:13 < krzee> im sure they have a help channel somewhere
19:13 < freaky_t> i was there too asking for help and nobody answered me
19:13 < krzee> or a linux help chan would have people that use that
19:14 < freaky_t> i also searched for it using google
19:14 < krzee> still, not openvpn
19:14 < freaky_t> but i couldnt find anything that helped me
19:14 < freaky_t> ok :\
19:14 < freaky_t> isnt there any single wins server?
19:14 < krzee> no idea
19:15 < freaky_t> hm ok thank you
19:15 < krzee> whats the goog tell you
19:15 < krzee> !google wins server
19:15 < vpnHelper> krzee: WINS server role: Configuring a WINS server: General: ; What Is WINS?: Windows Internet Name Service (WINS): ; Windows Internet Name Service - Wikipedia, the free encyclopedia:
19:15 < krzee> Setting up a WINS Server
19:15 < krzee> 29 Nov 2008 ... A WINS server can help hold down broadcast traffic when there are multiple computers on your network. This server has a static IP address ...
19:15 < krzee> (36)
19:16 < krzee> err (#6)
19:16 < freaky_t> ?
19:16 < freaky_t> hmm
19:16 < freaky_t> it just doesnt want to listen
19:18 < krzee> http://technet.microsoft.com/en-us/library/cc787764(WS.10).aspx
19:18 < vpnHelper> Title: Content not found (at technet.microsoft.com)
19:18 < Bushmills> grin
19:18 < krzee> sup Bushmills
19:19 < Bushmills> if there's "microsoft" written somewhere, it is usually at the beginning of a cascade of errors :D
19:20 < krzee> lol
19:21 < Bushmills> still, my last message made it, instead of giving me some message like "error: server timed out"
19:23 < Bushmills> but sometimes it's a bit frustrating. i am also on the #asm channel, and for a reason i cannot fathom, most questions come from people trying to learn asm, using masm, under windows.
19:23 < Bushmills> what a bizarre combination, especially for learning first steps.
19:23 < krzee> haha
19:24 < krzee> like learning how to snow ski on a tropical island
19:24 < krzee> except less cool sounding
19:25 < Bushmills> more like, starting to learn skateboarding on a 70 incher, in the tube at hawaii,
19:25 < Bushmills> or learning to fly in a sukhoi acrobatics plane
19:26 < theDoc> or maybe, just simply painful:)
19:26 < Bushmills> yeah, but both alternative learning methods above imply that :)
19:28 < Bushmills> so when the bot said " Title: Content not found (at technet.microsoft.com)" it gave me some great relief
20:01 -!- jeiworth_ [n=jeiworth@189.234.35.254] has joined ##openvpn
20:01 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit [Nick collision from services.]
20:01 -!- Dougy_ [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn
20:01 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:01 < Dougy> heoy
20:01 < Dougy> heyo
20:02 < Dougy> krzie ding
20:02 < Dougy> mother f
20:02 < Dougy> krzie when you got a min, wanna assist in forum clean up
20:03 -!- KavanS [n=KavanS@static-71-117-242-28.ptldor.dsl-w.verizon.net] has quit ["Leaving"]
20:08 < Dougy> eh'
20:08 < Dougy> i got it
20:08 < Dougy> 30 threads gone
20:12 < freaky_t> krzee can u pls tell me how to set/create that gateway in the bridge-start script? because samba doesnt listen and i want people to see each other in the vpn
20:14 -!- jeiworth [n=jeiworth@189.177.123.182] has quit [Read error: 110 (Connection timed out)]
20:37 < onats> krzee, are you there?
20:39 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:41 < onats> !logs
20:41 < vpnHelper> onats: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
20:41 < onats> !configs
20:41 < vpnHelper> onats: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:41 -!- jeiworth_ [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)]
20:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
21:07 < ecrist> bitches
21:08 < ecrist> Dougy: why not setup captcha and some other features to prevent SPAM?
21:08 < ecrist> I've been doing a ton of clean-up, but haven't gotten around to it in a week or two...
21:16 < Dougy> yeah
21:16 < Dougy> i cleaned up myself
21:16 < Dougy> i guess i should enable captcha one of these days
21:17 < Dougy> its my site, i guess i should start taking care of it
21:17 < Dougy> :X
21:17 < freaky_t> :D
21:17 < ecrist> I went in at one point and fixed permissions, I think I removed anon edits
21:17 < ecrist> oh, btw, I hacked the DB to give me admin/founder privs. hope you don't mind. ;)
21:18 < ecrist> gave those rights to krzee, too
21:22 < Dougy> no problems
21:22 < Dougy> i thought i had already done that
21:22 < Dougy> my b
21:23 < Dougy> fail.
21:23 < ecrist> eh, it was right before you disappeared for a while.
21:23 < Dougy> ecrist: epic fail
21:23 < Dougy> Timing cached reads: 4042 MB in 2.00 seconds = 2024.45 MB/sec
21:23 < Dougy> Timing buffered disk reads: 20 MB in 3.60 seconds = 5.56 MB/sec
21:23 < ecrist> no biggy. easy to hack a DB when the DB is on my server. :)
21:23 < Dougy> thats on a RAID 10 array.
21:24 < ecrist> ick, that's nasty
21:24 < Dougy> lame
21:24 < Dougy> its running 16 domUs
21:24 < Dougy> when it was under no load it was a lot better why
21:24 < Dougy> when it was under no load it was a lot better *
21:24 < Dougy> Timing cached reads: 7434 MB in 1.99 seconds = 3728.42 MB/sec
21:24 < Dougy> Timing buffered disk reads: 464 MB in 3.01 seconds = 154.23 MB/sec
21:24 < Dougy> ^ no load
21:25 < ecrist> I forgot to benchmark my new array
21:25 < ecrist> I'm going to do it now
21:27 < ecrist> ecrist@leopard:~-> dd if=/dev/random of=test.bin bs=1024k count=2000
21:27 < ecrist> 2000+0 records in
21:27 < ecrist> 2000+0 records out
21:27 < ecrist> 2097152000 bytes transferred in 55.518069 secs (37774225 bytes/sec)
21:29 < ecrist> that's 302 Megabits/sec on write for a 2G file
21:29 < ecrist> read from /dev/random
21:29 < ecrist> that's a RAID 60
21:29 < ecrist> 12 disks
21:30 < ecrist> I can't remember what it came to, but I did a RAID1 with all 12 disks, and it was *REALLY* fast
21:30 < ecrist> all SAS disks, 10k
21:30 < ecrist> oh, wait, sorry, SAS bus, SATA2 disks @ 7.2k
21:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:33 < ecrist> krzee's a bitch, though, so don't think anything of it
21:34 < krzee> lol
21:34 < ecrist> :)
21:34 < ecrist> krzee, have you ever read 'Lights Out'?
21:35 < krzee> nah
21:35 < krzee> i remember the game from when i was lil tho
21:35 < ecrist> the game?
21:35 < ecrist> no, it's a book, written by an on-line forum of people, early 2000's
21:35 < krzee> http://en.wikipedia.org/wiki/Lights_Out_(game)
21:36 < ecrist> http://secure-computing.net/files/lightsout.pdf
21:36 < ecrist> it's a 611 page book
21:36 < krzee> topic?
21:36 < ecrist> I, honestly, have spent my past two work-days reading it.
21:36 < ecrist> on page 416 now.
21:36 < ecrist> knowing you, a bit, you may enjoy it
21:38 < krzee> right on
21:38 < krzee> thc
21:38 < krzee> thx
21:38 < krzee> Saving to: `lightsout.pdf'
21:38 < ecrist> I don't read books, usually, because if I start a good one, I don't quit till it's done.
21:39 < ecrist> I owe the boss ~13 hours
21:39 < ecrist> I didn't get that email, btw.
21:40 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
21:41 < Dougy> itsw krzie !
21:46 < Dougy> s/krzie/krzee/
22:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
22:07 -!- jeiworth [n=jeiworth@189.163.165.139] has joined ##openvpn
22:21 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has joined ##openvpn
22:21 < lough> anyone use openvpn/openvpn-gui under windows 7?
22:25 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:34 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has quit []
22:37 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has joined ##openvpn
22:38 < lough> im using windows 7 and i installed openvpn 2.1 rc16 and set the installer to vista compatibility and run as administrator but when i click on the shortcut for the gui on my desktop, the icon doesnt show up in the notification tray but the process is running
22:38 < lough> rc15*
22:38 < ecrist> iirc, win7 isn't fully supported yet
22:39 < ecrist> sorry
22:40 < lough> hmm ok i got it to work
22:41 < lough> i had to set openvpn.exe and openvpn-gui.exe to vista compatibility and have them run under admin privs
22:49 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has quit []
22:53 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn
23:08 -!- Cron1x [n=Cr0nix@e180069134.adsl.alicedsl.de] has joined ##openvpn
23:17 -!- Cr0nix [n=Cr0nix@85.180.70.46] has quit [Read error: 145 (Connection timed out)]
23:31 -!- Xpistos [n=x@76.9.163.133] has joined ##openvpn
23:32 < Xpistos> We are using ClarkConnect (4.3) at work and are trying to decide what would be better OpenVPN or OpenSwan. Does OpenVPN have a plugin of WebMin?
23:32 < ecrist> not that I'm aware of
23:42 -!- jeiworth [n=jeiworth@189.163.165.139] has quit [Read error: 110 (Connection timed out)]
23:58 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
--- Day changed Fri May 08 2009
00:14 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:20 < dan__t> hi.
01:03 -!- Xpistos [n=x@76.9.163.133] has quit [Remote closed the connection]
01:37 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
01:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 -!- Timpa [i=timpa@193.13.142.180] has quit [Read error: 113 (No route to host)]
02:21 -!- onats__ [n=onats@122.53.137.107] has quit [SendQ exceeded]
02:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
03:05 < alinuxskyper99> hi all ..got OpenVPN setup on a windows server..and Cisco router is the gateway...now I can ping the server..I want to be able to ping the computers on the subnet
03:05 < alinuxskyper99> should I add a route to the router pointing to the server /
04:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
04:29 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 54 (Connection reset by peer)]
04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
05:03 -!- Isen [n=marcus@pub.sizeit.se] has joined ##openvpn
05:04 < Isen> Hello. Anyone know if it is possible to have a list of active openvpn certificates?
05:04 < Isen> Instead of putting disabled in the client username in the ccd folder i put "active" on those that should work
05:04 < Isen> Can it be configured in anyway like that?
05:28 < frankS2> ecrist: another question, with ssl-admin. how can i create keys for the client to connect? which keys does the client have to use, and where should i place them in the openvpn server config?
05:50 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)]
06:37 -!- Cr0nix [i=irssi@62.141.56.213] has joined ##openvpn
06:37 < Cr0nix> hi all
06:38 < Cr0nix> any 1 can tell me how i do forward all the incoming traffic on a specific static ip of the vpn server to one of my vpn clients
06:38 < Cr0nix> outgoing is working
06:38 < Cr0nix> i can browse the web with the ip of the vpn server
06:39 < Cr0nix> but i need to create some servers on the vpn client which should be reachable via one of the 3 static ip's the vpn server has assigned
06:39 < Cr0nix> how do i do that?
06:39 < Cr0nix> so
06:39 < Cr0nix> if i for eg. ssh to the vpn servers static internet IP 2 it should forward it to the vpn client
06:40 < Cr0nix> so im connected via ssh to the client and not to the server
06:40 < Cr0nix> how do i do that?
06:45 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
07:06 < Cr0nix> 69 users online and not even one is talking... OMFG
07:11 -!- Timpa [n=timpa@c-611370d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
07:14 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
07:15 < ecrist> frankS2: use option '4' in ssl-admin
07:15 < ecrist> you just need plain-ol' client SSL certs
07:15 < ecrist> they don't have to be part of the server config at all
07:16 < ecrist> for that, generate the CRL, available on the menu, and put that somewhere, and point your OpenVPN config to it. It should auto-update each time you revoke a certificate.
07:16 < ecrist> it should have been auto-generated when you created your CA cert.
07:31 -!- Timpa [n=timpa@c-611370d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
07:33 -!- skon_ [n=skon@123.208.1.176] has joined ##openvpn
07:43 -!- skon_ [n=skon@123.208.1.176] has left ##openvpn ["Leaving"]
08:52 < Cron1x> any1 here who can answer my question please?
08:53 < ecrist> Cron1x: you need policy-based routing on your firewall
08:53 < ecrist> which is beyond the scope of this channel
08:53 < ecrist> someone may be willing to help you, but it can be complicated
08:54 < Cron1x> hmm
08:54 < Cron1x> alright
08:54 < Cron1x> i wanna make a server available through the ip of the vpn server
08:54 < Cron1x> because the server is located at my home
08:54 < Cron1x> and i need a "static ip"
08:55 < Cron1x> like dyndns just with ip via vpn
08:55 < ecrist> sure, you can do that with a reverse NAT of sorts
08:55 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: qknight, Cope, troy-
08:58 -!- Netsplit over, joins: qknight
08:58 -!- Netsplit over, joins: Cope
09:02 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
09:10 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
09:11 -!- ThomasI [n=thomas@unaffiliated/thomasi] has joined ##openvpn
09:12 < ThomasI> !redirect
09:12 < vpnHelper> ThomasI: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:23 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"]
09:30 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
09:40 < frankS2> ecrist: oh ok.. thanks, so you create the client certs WITH the server file. of course just like ssh keys
09:49 -!- unix3 [n=unix3@190.10.68.228] has quit ["Leaving"]
09:50 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
09:53 -!- unix3 is now known as epaphus
10:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
10:43 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
10:54 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Success]
10:54 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
11:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:09 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 54 (Connection reset by peer)]
11:11 -!- jeiworth [n=jeiworth@189.177.29.193] has joined ##openvpn
11:12 -!- ThomasI [n=thomas@unaffiliated/thomasi] has quit ["Bye Bye!"]
11:28 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has quit ["leaving"]
11:36 -!- jeiworth [n=jeiworth@189.177.29.193] has quit [Read error: 104 (Connection reset by peer)]
11:39 -!- jeiworth [n=jeiworth@189.177.22.63] has joined ##openvpn
11:43 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
11:53 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:42 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
12:42 -!- krzy [i=nobody@hemp.ircpimps.org] has left ##openvpn ["Leaving"]
13:27 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:27 -!- Guest26656 is now known as pekster
13:40 -!- jeiworth_ [n=jeiworth@189.177.22.63] has joined ##openvpn
13:43 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
13:49 -!- sixtwo [i=moneybag@has.no.info.tm] has joined ##openvpn
13:54 -!- jeiworth__ [n=jeiworth@189.177.22.63] has joined ##openvpn
13:54 -!- jeiworth_ [n=jeiworth@189.177.22.63] has quit [Read error: 104 (Connection reset by peer)]
13:55 -!- jeiworth [n=jeiworth@189.177.22.63] has quit [Read error: 110 (Connection timed out)]
14:12 -!- nate [n=nate@vodka.booze.org] has joined ##openvpn
14:12 < nate> !logs
14:12 < vpnHelper> nate: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:12 < nate> !configs
14:12 < vpnHelper> nate: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:12 < nate> !interface
14:12 < vpnHelper> nate: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:13 < nate> so while I am digging all that up, let me ask the question. I'm able to secure a connection to the server but I cannot obtain an IP address via DHCP(from openvpn)
14:14 < nate> linux server, windows client.
14:14 < nate> dhcp just times out on the client and assigns me a 169.x.x.x IP
15:26 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:52 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit ["Leaving"]
16:27 -!- jeiworth__ [n=jeiworth@189.177.22.63] has quit [Read error: 110 (Connection timed out)]
17:01 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
17:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
17:16 -!- EspritNett [n=Espritne@41.140.252.6] has joined ##openvpn
17:17 < EspritNett> i want to configure vpn
17:18 < EspritNett> i have a router 3com integrated firewall
17:20 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection]
17:29 < krzie> keep going...
17:42 -!- EspritNett [n=Espritne@41.140.252.6] has quit [Connection timed out]
18:25 -!- sixtwo [i=moneybag@has.no.info.tm] has quit [Remote closed the connection]
18:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
19:17 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:55 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
20:05 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:10 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:34 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn
20:48 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:28 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has quit [Read error: 113 (No route to host)]
21:33 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
22:10 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
22:45 -!- albech [n=albech@119.42.76.84] has quit [Read error: 60 (Operation timed out)]
22:55 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
23:08 -!- Cronix [n=Cr0nix@e180066066.adsl.alicedsl.de] has joined ##openvpn
23:24 -!- Cron1x [n=Cr0nix@e180069134.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
23:46 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 60 (Operation timed out)]
23:53 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
23:56 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 60 (Operation timed out)]
--- Day changed Sat May 09 2009
00:12 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
00:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)]
00:35 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:15 -!- theDoc [n=andelyx@bb116-15-137-19.singnet.com.sg] has joined ##openvpn
01:15 -!- theDoc [n=andelyx@bb116-15-137-19.singnet.com.sg] has quit [Client Quit]
01:16 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
01:27 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)]
01:30 -!- Guiri [n=Guiri@76-204-5-74.lightspeed.livnmi.sbcglobal.net] has joined ##openvpn
01:31 < Guiri> So I have a migraine from this :-). Can anyone lend a hand? I compiled and installed it on OS X. I gave it a launchdaemon so it starts but I can't find where it stores the config file
01:31 < Guiri> Or figure out that Tun/Tap thing
01:32 < Guiri> !howto
01:32 < vpnHelper> Guiri: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:33 < krzee> it stores the config wherever you put it
01:33 < krzee> openvpn /path/to/
01:34 < krzee> !tunortap
01:34 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
01:46 < Guiri> krzee: ./vars doesn't seem to pass my key directory that I define in easy-rsa and throws an error on clean-all
01:46 < Guiri> Any ideas?
01:46 < Guiri> The entire directory is written out in the script
01:47 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
01:47 < krzee> did you follow it exactly?
01:48 < krzee> as in
01:48 < krzee> . ./vars
01:51 < Guiri> ah
01:51 < Guiri> thanks
01:51 < Guiri> sorry for the dumb questions
01:51 < Guiri> but this is difficult for me
01:52 < krzee> yw
02:07 < Guiri> Yeah I'm making headway now. Transferred the sample configs and generated the keyfiles at 2048 bits
02:15 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
02:22 -!- bandini [n=bandini@host142-110-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
02:39 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
03:16 -!- bassliner [n=armin@deepbass.org] has joined ##openvpn
03:17 < bassliner> !configs
03:17 < vpnHelper> bassliner: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
03:18 -!- gallatin [n=gallatin@dslb-092-073-122-121.pools.arcor-ip.net] has joined ##OpenVPN
03:18 -!- Guiri [n=Guiri@76-204-5-74.lightspeed.livnmi.sbcglobal.net] has left ##openvpn []
03:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:34 -!- carpe_ [n=carpe@66.11.76.242] has joined ##openvpn
04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)]
04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
05:03 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
05:04 -!- Alagar [n=helpdesk@pool-173-58-10-241.lsanca.fios.verizon.net] has joined ##openvpn
05:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:02 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
06:06 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:52 -!- `Ned [n=Ned@cpe-98-155-203-22.hawaii.res.rr.com] has quit ["Leaving"]
07:01 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
07:20 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
07:23 -!- Alagar [n=helpdesk@pool-173-58-10-241.lsanca.fios.verizon.net] has quit [Remote closed the connection]
08:02 -!- EspritNett [n=Espritne@41.140.252.4] has joined ##openvpn
08:04 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 110 (Connection timed out)]
08:06 -!- azaghal [n=azaghal@198.225.178.212.adsl.dyn.beotel.net] has joined ##openvpn
08:09 < azaghal> Hello. Is it possible to tell OpenVPN daemon to close a connection to a particular client in some way? (without restarting it)
08:12 -!- gallatin [n=gallatin@dslb-092-073-122-121.pools.arcor-ip.net] has quit ["Client exiting"]
08:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
08:21 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Read error: 104 (Connection reset by peer)]
08:27 -!- EspritNett [n=Espritne@41.140.252.4] has quit [Connection timed out]
08:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
08:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
08:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
09:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
09:05 < Dougy> hey all
09:05 < Dougy> anyone awake in here at all
09:06 < Dougy> http://www.ovpnforum.com/viewtopic.php?f=6&t=129 / http://www.ovpnforum.com/viewtopic.php?f=5&t=124
09:06 < vpnHelper> Title: OpenVPN Forum View topic - revoking a certificate (at www.ovpnforum.com)
09:06 < Dougy> if anyone wants to look / read / comment
09:12 < Bushmills> pre- or post coffee awake?
09:13 < Dougy> donno how competent you are
09:13 < Dougy> take a look at them two :>
09:13 < Bushmills> certificates aren't my speciality
09:14 < Bushmills> i suppose that was written as response to a question 2 days ago
09:17 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has joined ##openvpn
09:32 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
09:34 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
09:35 < Dougy> lol
09:35 < Dougy> what about second one Bushmills
09:39 < bassliner> !help
09:39 < vpnHelper> bassliner: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
09:40 < bassliner> !help pki
09:40 < vpnHelper> bassliner: Error: There is no command "pki".
09:40 < Dougy> !forum
09:40 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
09:40 < bassliner> !help define
09:40 < vpnHelper> bassliner: Error: There is no command "define".
09:52 < freaky_t> krzee u there?
09:52 < Dougy> nope he is not
09:54 < Bushmills> Dougy, well, most likely cause, indeed.
09:54 < Dougy> que?
10:10 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn
10:38 < Dougy> Anyone need any colocatino?
10:38 < Dougy> colocation
10:45 -!- Blu3 [i=david@BlueLabs/Blu3] has joined ##openvpn
10:46 < Blu3> !redirect
10:46 < vpnHelper> Blu3: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:48 < Blu3> i've an oddity about using port based routing (iproute2) and openvpn. i have my rules all set such that the right packets get routed out the vpn and properly nat'd but the response comes back in, is seen on tun0 w/ tcpdump, but it never makes it to the userland application. in short, i use iptables to fwmark packets, ip rule match to the fwmark goes via a table, ip route for that table goes out the vpn. three statements
10:49 < Blu3> i've done routing like this before, not using openvpn, and it works fine. is there something about openvpn that i'm missing?
10:52 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
10:53 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
11:08 -!- Cr0nix [i=irssi@62.141.56.213] has quit [Remote closed the connection]
11:09 * Dougy yawns
11:09 < Dougy> Blu3: i'm sure you'll ask me since i spoke
11:10 < Dougy> i have no clue
11:15 < Blu3> :) nah, if you don't know, no worries
11:15 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has quit [Success]
11:25 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn
11:26 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
11:34 < Blu3> hmm, i think i solved it. i forgot to disable RP
11:42 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
11:43 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
12:09 -!- epaphus is now known as andep
12:09 -!- andep [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"]
12:10 -!- zend [n=unix3@201.199.62.74] has joined ##openvpn
12:14 < zend> Hello all. I have this scenario. PC on Private LAN --> Client without redirect-gateway enabled -> server
12:15 < zend> If I start the client with redirect-gateway my PC (which is configured to have the client as its default gateway) can surf the internet through the VPN without any problem.
12:16 < zend> However, iam trying to disable redirect-gateway on the client, and be able to have the PC still connect through the internet via the client. What would i need?
12:17 < zend> I have no special NAT rule in the client, I was thinking of a special NAT rule on the server? iam wrong?
12:19 < zend> krzee, u there?
12:21 -!- Blu3 [i=david@BlueLabs/Blu3] has left ##openvpn ["I ❤♥❤ Guys"]
12:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:55 < freaky_t> hi all i have a problem with samba and openvpn. im trying to run samba for filesharing and wins server. but when i start it, nmbd says it cant find any interface. if i only run nmbd with debug lvl to 10 (max) it says:
12:55 < freaky_t> not adding non-broadcast interface tun0
12:55 < freaky_t> WARNING: no network interfaces found
12:55 < freaky_t> but i want it to listen on tun0
12:56 < freaky_t> i have already posted to the samba mailinglist and asked several times in #samba but nobody can help me. can anybody pls help me im trying this since 5 days :(
12:56 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
13:10 < freaky_t> or is anyone here who can tell me what line i have to add to the bridge-start script to not disconnect me from my server when i run the bridge-start script? because it's a dedicated server with only 1 ethernet card
13:11 < freaky_t> krzee u there?
13:12 < zend> funny how i ended my question with "krzee u there?" u do too
13:14 < freaky_t> yea hehe
13:14 < freaky_t> he was about to tell me a solution for my problem with the bridge-start script. but then he told me to use tun and try it. but it doesnt work as samba (nmbd) doesnt wanna listen on non-broadcast interfaces
14:07 < freaky_t> server 10.8.0.0 255.255.255.0 in the config
14:07 < freaky_t> another question. does anybody know how i can change the netmask of the tun (tun0) interface openvpn creates on every startup? because i want 255.255.255.0 but it is 255.255.255.255 even though i have server 10.8.0.0 255.255.255.0 in the config.
14:09 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
14:29 < jetole> freaky_t: this sounds like more of a samba issue to me
14:29 < freaky_t> yea
14:30 < freaky_t> and what about the last question? :D
14:30 < jetole> freaky_t: I don't believe you can, tun0 is a point to point connection _I_THINK_
14:31 < freaky_t> aha ok
14:32 < jetole> actually
14:32 < jetole> and I was just thinking about this while I was afk for a min
14:32 < jetole> why do you want to change it
14:32 < jetole> what are you trying to do?
14:32 < freaky_t> i dont know someone told me to do it
14:33 < freaky_t> and when i manually changed the subnet mask of the interface
14:33 < freaky_t> to 255.255.255.255 the samba server started
14:33 < freaky_t> and nmbd bound to 10.8.0.1
14:33 < freaky_t> ;D
14:33 < freaky_t> but now suddenly it works
14:33 < freaky_t> i dont know why
14:33 < jetole> uh... neat
14:33 < freaky_t> ill soon restart the server and check if it still works
14:33 < jetole> there are options in sb.conf to define which nic to bind to
14:33 < freaky_t> but i cant reach samba from my client pc
14:34 < freaky_t> sb.conf?
14:34 < jetole> but I don't know that much about samba
14:34 < jetole> smb.conf
14:34 < freaky_t> yea i know but as i said, nmb always said not binding to non-broadcast interface tun0
14:35 < jetole> well I know tun0 is not a broadcast interface but I am not sure why it would not bind if wins-server is enabled
14:35 < jetole> in fact
14:35 < jetole> even netbios supports over tcp
14:36 < jetole> I played with this a little but since I also have a win2k3 server in the office I just chose to use that for WINS and had ovpn push the wins server via dhcp
14:36 < jetole> and that works for me
14:37 < freaky_t> hm ok
14:38 < freaky_t> ill restart my server now ill brb in 10 mins
14:44 -!- freaky_t [i=alpha@member.team-box.net] has quit [Remote closed the connection]
14:47 < zend> can anybody help me on my Client without redirect-gateway enabled -> server . How to route question... ?
14:51 -!- tuxsmouf [n=tuxsmouf@105.197.81-79.rev.gaoland.net] has joined ##openvpn
14:54 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
14:54 < Hydrant> hello all... I've gotten VPN up, now I'm looking at how hard it's going to be to have DNS working
14:55 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn
15:09 < freaky_t> ok everything still working but i cant connect to the share on the server
15:10 < freaky_t> only via net use i can add a drive on my vista pc to that share
15:11 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn
15:31 -!- Timpa [i=timpa@193.13.142.250] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:08 < krzie> zend: i assume you read !route
16:08 < krzie> Hydrant, see !pushdns if you have any issues
16:09 < krzie> freaky_t, still gotta get a wins server up, i still cant help, if you use samba see !wins
16:09 < krzie> its seriously just a line or 3 in the samba config
16:10 < krzie> jetole seems to have experience with it in windows too
16:12 < freaky_t> ok great ill try it thank you :D
16:13 < freaky_t> !wins
16:13 < vpnHelper> freaky_t: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:13 < zend> krzee, you assume correctly.. however i need more than that.. iam confused..
16:14 < zend> krzee, route now iam trying to route 172.16.1.200 (pc lan IP) to tun 0 on the client.
16:14 < zend> that doesnt appear to make a difference
16:14 < zend> i can still ping the endpoint
16:19 < freaky_t> hm, krzee i still cant see the server in my network
16:20 < freaky_t> well i can use net use to make a drive to a share
16:26 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn
16:28 < Timpa> Anyone that can source routing in FreeBSD ?
16:28 < freaky_t> still can't see anyone from the network
16:28 < freaky_t> im out of ideas :P
16:28 < krzie> freaky_t then you arent using WINS correctly
16:28 < freaky_t> i even set it as domain master
16:28 < freaky_t> how should I use it?
16:28 < krzie> no idea, i dont use wins
16:28 < krzie> as ive said 5 times
16:29 < freaky_t> oh yea sorry
16:29 < freaky_t> ^^
16:29 < krzie> but everyone else ive told to use wins seems to get it working in under 5 min
16:29 < freaky_t> well
16:30 < freaky_t> i dont know what im doing wrong
16:30 * zend doesnt know either
16:30 < zend> krzee, can you help me... ? :D
16:31 < krzie> zend, explain your problem and why you think its not covered in !route
16:32 < zend> !route
16:32 < vpnHelper> zend: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:33 -!- Timpa [i=timpa@193.13.142.250] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:33 < freaky_t> umm, with a netmask of 255.255.255.0 on 10.8.0.0 am I in the same subnet as 10.8.0.1 as 10.8.0.6 ? i think i am ...
16:34 < freaky_t> i had some tutorial the last time
16:34 < freaky_t> but i can't find it anymore
16:37 < freaky_t> well yes
16:38 < freaky_t> i just used some calculator ;D
16:38 < freaky_t> i am in another workgroup but i dont think that matters?
16:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:40 < zend> krzee, scenario: PC on Private LAN --> Client without redirect-gateway enabled -> server . Iam trying to enable my PC to access on the internet through the vpn. In regards to what !route says to do I have done:
16:42 < zend> setup route 172.16.1.0 255.255.255.0 in the server.conf, also in the server a file with the common name of the client in /etc/openvpn/ccd/
16:42 < zend> with: iroute 172.16.1.0 255.255.255.0
16:42 < freaky_t> well i dont get anything that looks like an error message in the logs
16:42 < freaky_t> hm
16:42 < krzie> but !route has nothing to do with accessing the inet
16:43 < krzie> if you want to access the inet through the server you want !redirect
16:43 < zend> !redirect
16:43 < vpnHelper> zend: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:43 < krzie> and why is redirect-gateway disabled? thats what you want
16:43 < krzie> only need iroute if you are accessing a lan behind the client
16:44 < krzie> as is made clear in !route
16:44 < zend> krzie, I have it disabled because I want the client to continue to have the default gateway as it is... BUT at the same time be able to provide internet through the established VPN to my PC.
16:44 < krzie> (and in !iroute)
16:44 < zend> thats what the challenge to me is
16:44 < krzie> no kidding
16:44 < krzie> thats like saying you want to make a pie, you want it to be apple, but you want it to be cherry, but it cant be apple AND cherry
16:44 < zend> If i enable --redirect-gateway-.. sure I get internet on my PC...
16:44 < krzie> the only way you make inet go over the VPN is by changing the gateway
16:45 < krzie> thats exactly how it works
16:45 < krzie> i guess you could run a socks proxy on the vpn ip and do it that way
16:45 < krzie> but then you can only route stuff that uses socks over the vpn
16:45 < zend> yes the gateway.. but I dont want to change the default gateway for the client. Isnt there a way to route 172.16.1.0/24 through the client to the VPN without changing the default gateway of the client ?
16:45 < krzie> and then you dont even need the vpn really
16:46 < krzie> what is it you really want, you are saying 2 different things
16:46 < krzie> you say you want INET, then you say you only want 172.16.1.0/24 which is NOT inet
16:47 < zend> I want to route 172.16.1.0/24 through the client to the VPN so that 172.16.1.0/24 has the same internet the VPN server has.
16:47 < freaky_t> find_workgroup_on_subnet: workgroup search for FREAKYYDE on subnet UNICAST_SUBNET: found.
16:47 < zend> i dont want to change the default gateway in the client though
16:47 < freaky_t> i really dont get what im doing wrong :\
16:47 < freaky_t> ive used the guide from !wins
16:47 < krzie> zend: THEN YOU WANT redirect-gateway
16:48 < krzie> you also want to change the LAN machines to use the vpn client's lan ip as their gateway
16:48 < krzie> then you want NAT on the server
16:48 < krzie> and the server's NAT must NAT the vpn ips, as well as the LAN ips that are behind client
16:48 < krzie> you need the iroute you mentioned
16:49 < zend> krzie, i dont mean to be annoying.. but I dont want to change the default gateway in the client because that means the client would also access the internet through the VPN
16:49 < zend> which is what i dont want
16:49 < krzie> then change the machine that is the client to one you do want that for
16:49 < krzie> when you understand routing you'll see why
16:51 < zend> ok let me change some pieces of something i intended to do in the future so that you can understand me better.
16:51 < freaky_t> is anybody in here familiar in using samba as a wins server? i dont see the server in the network and i cant connect to it using \\10.8.0.1\\
16:51 < zend> krzie, what if I want to run in the client machine TWO VPN channels... and connect to it two LANs. Then channel 1 lan to one VPN, and the other lan to the second VPN. See why i need my default gateway on the client to be independent ?
16:52 < Dougy> krzie
16:52 < Dougy> what up my main man
16:52 < krzie> zend, i have no idea what you're saying
16:53 < zend> ok.. bear with me .. i appreciate it:
16:54 < freaky_t> hm :\
16:54 < zend> bottom line is.. I want to route the internet that my PC has to use the internet on the vpn server through the client setup as a gateway for the PC. Based on that..... I know --redirect-gateway does this.. but that means that the client would also have all the outgoing connection routed through the VPNs internet too.. which is what i dont want.
16:55 < zend> Is it possible?
16:57 < zend> krzie
17:00 < reiffert> route del default gw ; route add default gw
17:00 < Dougy> HAI
17:00 < Dougy> THAR
17:00 < reiffert> WHAT
17:02 < Dougy> supsupsuspuspusup
17:02 < reiffert> shock to the system
17:03 < zend> reiffert, i think that would conflict with everything
17:03 < reiffert> zend: lets discuss it, why do you think so?
17:04 < zend> reiffert, this being applied in the client. correct ?
17:05 < reiffert> (you are right on the one hand, lets find a proper solution, which you already gave). Just have a close look on how redirect-gateway works and do it exactly like it works, but just on the server side. That is keep the connection to the openvpn client active and add a new default gw.
17:06 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn
17:06 < zend> reiffert, "Just have a close look on how redirect-gateway works and do it exactly like it works, but just on the server side." why do you say "just on the server side"?
17:09 < reiffert> I think that what you want is: connect an openvpn client to an openvpn server and have the server take the client as its new default gateway.
17:10 < reiffert> So you have to assure that the client-server communication still uses the old gateway, even if the server takes a new default gateway afterwards.
17:10 < reiffert> is this what you want?
17:12 < zend> reiffert, nop... the server shouldnt be touched..
17:12 < reiffert> all right, lets start over. what is what you want?
17:12 < zend> reiffert, PC on a private lan -> client connected to the VPN -> vpn server .
17:13 < zend> PC has its default gateway set to the client.
17:13 < reiffert> lets try to reduce the details as much as possible for now
17:13 < zend> goal is to have the PC connect to the internet through the client to the VPNs internet.
17:13 < zend> that is easily done by setting as we know.. the client with redirect-gateway
17:14 < zend> this scenario works 100%
17:14 < zend> however.. my dilemma is.
17:14 < zend> not using redirect-gateway on the client.. because I dont want the client to use the internet of the VPN server by default.
17:14 < reiffert> I can follow your explanation until "PC".
17:14 < zend> ok..
17:15 < reiffert> try to use "Openvpn-client" and "Openvpn-server"
17:15 < zend> reiffert, there are 3 parties in this picture.
17:16 < reiffert> ok
17:16 < zend> "PC on a private lan" under the "openvpn-client" and the "openvpn-server" which the openvpn-client connects to.
17:16 < zend> are we clear on that?
17:16 < reiffert> let me rephrase
17:17 < zend> sure.
17:17 < reiffert> we have six parties, three on each side. One side got a router/gateway, an openvpn instance (client or server) and multiple other computers in the same LAN.
17:18 < zend> that configuration is suitable to explain what i want to do too. lets go with it
17:19 < reiffert> client server communication does work, all right.
17:19 < zend> correct
17:19 < reiffert> now lets add some numbers:
17:19 < reiffert> openvpnserver-lan is 192.168.100.0/24
17:19 < reiffert> openvpnclient-lan is 192.168.200.0/24
17:20 < zend> okey.
17:20 < reiffert> One Computer on the Client LAN, should send packets to one of the computers on the server-lan, right?
17:20 < zend> nop.
17:20 < zend> the server LAN isnt needed.
17:21 < zend> can we delete that ?
17:21 < reiffert> delete what, server LAN isnt needed?
17:21 < zend> it isnt.
17:21 < reiffert> k
17:21 < reiffert> One Computer on the Client LAN, should send packets to the openvpn-server, right?
17:21 < zend> if we use that it will make this more complicated.
17:21 < zend> correct
17:22 < reiffert> Tell this computer:
17:22 < reiffert> Send all packets that should travel to 192.168.100.0/24 to the openvpn-client. In terms of a unix route-command this looks like:
17:23 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.15
17:23 < reiffert> where 192.168.100.15 is the openvpn client
17:23 < reiffert> oh, my wrong!
17:23 < reiffert> where 192.168.200.15 is the openvpn client
17:23 < zend> correct. thats done.
17:23 < zend> i follow you 100%
17:23 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.15
17:24 < reiffert> so packets travel from a computer to the openvpn client which hands them to the openvpn server.
17:24 < reiffert> step one is done, now lets take a look on how packets get back.
17:25 < zend> correct command would be: route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.200.15
17:25 < zend> right?
17:25 < reiffert> correct command on the client lan's computer?
17:26 < zend> lets back one step please
17:26 < reiffert> all right, where to?
17:26 < zend> We are on the computer behind the openvpn-client and we want to send packets to the openvpn-server
17:26 < reiffert> all right.
17:26 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.15
17:27 < reiffert> 200.15 is the openvpn client
17:27 < reiffert> 100.0 is the openvpn server lan
17:27 < zend> this applied in the computer behind the openvpn-client?
17:28 < reiffert> applies on the computer that belongs to the same LAN as the openvpn-client, yes.
17:28 < reiffert> +does
17:28 < zend> ok. *thinking*
17:28 < reiffert> let's assume the computer got 200.225
17:28 < reiffert> ping 192.168.100.10 will send this packet to 200.15
17:29 < zend> right
17:29 < zend> iam with you.
17:29 < zend> i dont know why we did this.. but go ahead
17:29 < reiffert> 200.15 (the client) will send this packet to 10.8.0.1 (the server), the server will internally route to its outer IP address 100.10
17:29 < zend> correct.
17:30 < zend> how did the client do all that? a nat?
17:30 < reiffert> what you will have to add in the openvpn server config file is push "route 192.168.100.0 255.255.255.0"
17:30 < reiffert> no, routing. no nat.
17:30 < reiffert> but thats just 50%, it's just one way.
17:30 < reiffert> we still have to care about the way back.
17:30 < zend> lets make a parenthesis
17:31 < reiffert> []
17:31 < zend> We are just sending packets to 192.168.100.0 .. which yes.. its getting routed to where i want.. however.. remember that the PC should route ALL packets (internet) to the client via the vpn
17:32 < reiffert> it's just sending all packets for destination 192.168.100.0 to the openvpn client 192.168.200.15
17:32 < reiffert> because we were adding a -net route:
17:32 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.15
17:33 < zend> thats what iam saying. What if the computer pings google.com ?
17:33 < reiffert> the computer will send a packet to google.com via its default gateway, e.g. 192.168.200.254
17:34 < zend> thats where we dont agree
17:34 < reiffert> ah, go on.
17:34 < reiffert> should the packet travel over the VPN as well?
17:34 < zend> the idea is to have the default gateway setup as 192.168.200.15
17:34 < zend> yes
17:34 < reiffert> all right, just do:
17:34 < reiffert> route del default gw 192.168.200.254; route add default gw 192.168.200.15
17:35 < zend> ok, lets move on :)
17:35 < zend> so now the packet is in .15
17:35 < reiffert> openvpn tunnel: server: 10.8.0.1, client: 10.8.0.5, ok?
17:35 < zend> fine
17:36 < reiffert> packet is at .15
17:36 < zend> right
17:36 < reiffert> packet will go to 10.8.0.5, will go to 10.8.0.1, will go to 192.168.100.10
17:36 < zend> who is 192.168.100.10 ?
17:36 < reiffert> openvpn server
17:36 < zend> ok.
17:37 < zend> same page.. go on..
17:37 < zend> (it needs to reach google)
17:37 < reiffert> will get to 192.168.100.254 which is the gateway of that lan
17:37 < zend> ok. and off it went.
17:37 < zend> good.
17:37 < reiffert> now let's see about the reply from google.
17:38 < reiffert> 100.254 doesnt know yet, that it should send packets for destination 192.168.200.0 to 192.168.100.10
17:38 < reiffert> that's where we can take a decision:
17:39 < reiffert> either use NAT on 192.168.100.10
17:39 < reiffert> or talk to your gateway: hey gateway, do as I say.
17:39 < zend> nat..
17:39 < zend> (i already have it like that)
17:39 < reiffert> NAT complicates things. Routing much easier.
17:40 < zend> ok
17:40 < reiffert> ok, NAT.
17:40 < reiffert> (I like the Hey router, do as I say-part much more :-)
17:40 < reiffert> so NAT, after all the packet from google gets to 100.254
17:40 < reiffert> which hands it to 100.10
17:41 < reiffert> which knows about NAT which hands it to 10.8.0.5
17:41 < reiffert> which hands it to 200.225 (whatever is the computer in that lan)
17:42 < reiffert> this is the time where you tell me that it doesnt work, right?
17:43 < zend> all of this works
17:43 < zend> sec..
17:43 < reiffert> :)
17:43 < reiffert> What was your problem/goal again please?
17:44 < zend> How to ping google.com from the client and not have it travel through the VPN to the server.
17:45 < reiffert> 00:34 < reiffert> should the packet travel over the VPN as well?
17:45 < reiffert> 00:34 < zend> yes
17:45 < reiffert> now you want the opposite?
17:45 < zend> I was referring to the packet originated on the LAN computer. not the packet originated on the client.
17:45 < reiffert> let's start over you are confusing me.
17:45 < reiffert> 200.225 got default gw 200.15?
17:46 < zend> 200.225 is the computer right?
17:46 < reiffert> yes
17:46 < zend> then yes
17:47 < reiffert> 00:44 < zend> How to ping google.com from the client and not have it travel through the VPN to the server.
17:47 < zend> yes
17:47 < reiffert> route add -host google.com netmask 255.255.255.255 gw 192.168.200.254
17:47 < zend> :(
17:47 < reiffert> ?
17:48 < reiffert> 00:45 < reiffert> 200.225 got default gw 200.15?
17:48 < zend> i cant do that for all possible URLs for traffic originated from the client.
17:48 < zend> yes, i stand behind that
17:48 < reiffert> then packets to google.com will travel over the vpn.
17:49 < reiffert> (and answers will do as well=
17:49 < reiffert> )
17:49 < zend> are you familiar with --redirect-gateway ?
17:49 < reiffert> yes.
17:49 < zend> this is all possible thanks to this
17:50 < reiffert> right.
17:50 < zend> I really appreciate the diagram but i cant continue using it.. it is really much less complicated
17:50 < reiffert> but I still dont understand your statement: send everything over the tunnel versus: dont send everything over the tunnel.
17:51 < zend> bottom line..
17:51 < zend> working scenario is this:
17:51 < zend> a.) PC has its default gateway setup to the client. All packets reach the client.
17:51 < reiffert> PC?
17:52 < reiffert> ah, ok.
17:52 < zend> b.) openvpn-client has --redirect-gateway enabled
17:52 < reiffert> ok
17:52 < zend> so packet by default just goes over to tun, and off to..
17:52 < reiffert> ok
17:52 < zend> c.) packet gets to vpn server and off to the internet.
17:53 < reiffert> ok
17:53 < zend> dilemma:
17:53 < zend> since client has --redirect-gateway enabled .. if I ping google.com (or anything) that would also travel through the VPN. I dont want that. I dont want --redirect-gateway enabled.
17:54 < reiffert> let me rephrase:
17:54 < reiffert> you want that locally generated packets dont travel over the tunnel?
17:55 < zend> correct, thus not using --redirect-gateway
17:55 < reiffert> you dont want locally generated packets travel over the tunnel?
17:55 < zend> correct
17:55 < reiffert> I think that a proper solution will be OS dependent
17:56 < reiffert> 200.15 OS is?
17:56 < zend> assume its linux for easier ;)
17:56 < reiffert> policy routing www.lartc.org
17:56 < reiffert> have fun.
17:57 < reiffert> ip route 2
17:57 < zend> policy routing..?
17:57 < reiffert> e.g. send locally generated packets to 200.254
17:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:59 < zend> hm
18:00 < reiffert> let me ask that question on a german debian channel
18:00 < reiffert> http://lartc.org/howto/lartc.rpdb.multiple-links.html
18:00 < reiffert> looks like a start
18:00 < vpnHelper> Title: Routing for multiple uplinks/providers (at lartc.org)
18:01 < zend> hmm ok.. i thought it would be simpler
18:01 < zend> but thank you......
18:01 < reiffert> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg06649.html
18:01 < vpnHelper> Title: [LARTC] fwmark routing of locally generated packets (at www.mail-archive.com)
18:01 < reiffert> http://lkml.indiana.edu/hypermail/linux/net/0308.3/0058.html
18:01 < vpnHelper> Title: Linux-Net Archive: Re: policy routing on locally generated packets, ip source addressselction, application routing (at lkml.indiana.edu)
18:02 < zend> thank you..
18:02 < reiffert> http://osdir.com/ml/security.firewalls.netfilter.devel/2003-08/msg00178.html
18:02 < vpnHelper> Title: Re: policy routing on locally generated packets [s: msg#00178 security.firewalls.netfilter.devel (at osdir.com)
18:03 < reiffert> iproute2 can do routing based on a fwmark value
18:04 < reiffert> so you have to mark locally generated packets on your firewall / iptables
18:04 < reiffert> and there you are.
18:06 < zend> reiffert, thank you for taking the time to review this with me
18:07 < reiffert> What will it take for you to step the last two steps for a proper solution?
18:07 < reiffert> Any motivation that can be applied to you?
18:11 < zend> a beer :P
18:11 < zend> haha
18:11 < zend> thanks..
18:11 < reiffert> well, now I'm curious ..
18:11 < reiffert> why is it that important for you, that locally generated packets do not travel over the tunnel?
18:13 < zend> so that I can add another instance of openvpn-client
18:13 < reiffert> oh, you should have mentioned that earlier in this conversation.
18:14 < reiffert> --redirect-gateway def1
18:14 < reiffert> done.
18:15 < zend> uhm...
18:16 < zend> i still have to "teach" what VPN to use in what case
18:17 < reiffert> updating my router, I might lose internet for some time, bbl
18:20 < zend> !def1
18:20 < vpnHelper> zend: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:34 < zend> reiffert, u there?
18:42 < zend> reiffert, please ping me when you are back :D
18:46 < reiffert> .
18:47 < zend> reiffert, I *think* this can be done differently..
18:49 < zend> I started up my client without --redirect-gateway.. thus I have tun0 configured but nothing routed to it.
18:49 < zend> My routing table looks like this:
18:50 < reiffert> Ah, all right, let me guess:
18:50 < reiffert> On the PC in the client LAN:
18:50 < reiffert> route add default gw 192.168.100.10
18:50 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 gw 192.168.200.15
18:50 < zend> hold please.. ;)
18:50 < zend> sec
18:51 < zend> without redirect-gateway enabled the client routing tables look this: http://pastebin.com/d3d07443b
18:51 < zend> are we clear on what I have at this moment ? reiffert
18:52 < reiffert> yep, do you think my approach might work as well?
18:52 < zend> please note that my client box has TWO nics.. one with 192.168.1.1 attached (current default gateway) and another with 172.16.1.1
18:53 < zend> hold, we can discuss this at the end so that i dont lose the point ;)
18:53 < zend> my PC uses 172.16.1.1 as the default gateway
18:54 < zend> so.. as soon as I add redirect-gateway and nat internal_if and external_if .. it works. (thats not the config i want.. but i want to make sure we are on the same page)
18:54 < zend> are we?
18:54 < reiffert> think so
18:55 < zend> ok so.. question is..
18:56 < zend> taking for granted i dont have --redirect-gateway enabled, and that link i gave you is my current routing table.. is there any way that I can put it so that all destinations that come from the NIC attached to the 172.16.1.1 get routed to 10.0.1.9?
18:56 < zend> leaving my default gateway as it is
18:57 < zend> there must be a way without tagging packets
18:57 < reiffert> current routing table on the PC?
18:57 < zend> sec
18:59 < zend> reiffert, www.pastebin.com/d3d2d280
18:59 < zend> err sec
18:59 < reiffert> * Unknown post id, it may have expired or been deleted
19:00 < zend> http://pastebin.com/d3d2d280
19:00 < zend> its in spanish, but youll understand it :)
19:00 < zend> (windows btw)
19:00 < reiffert> uh, thats windows.
19:01 < reiffert> ok, here is my plan:
19:01 < reiffert> dont use redirect-gateway
19:01 < reiffert> on the windows computer add two routes:
19:01 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 192.168.200.15
19:01 < reiffert> route add default gw 192.168.100.10
19:02 < reiffert> 1st line should be:
19:02 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 gw 192.168.200.15
19:02 < reiffert> however, it's 2 o'clock in the morning, I'm heading to bed
19:03 < zend> ok..
19:03 < zend> thank you for all your help
19:03 < zend> i advanced and have it lots more clear
19:03 < reiffert> yw
19:07 < krzie> the way that makes sense to me is to make a machine that SHOULD be sending its inet through server the vpn endpoint
19:07 < krzie> then let the machines route their inet through that machine
19:07 < krzie> let that machine use redirect-gateway
19:07 < krzie> then if the current vpn endpoint needs access to the VPN as well it can, but is not forced to route inet over it
19:11 < freaky_t> krzie can u tell me how to add this gateway to the bridge-start script if u can remember? because i'd like to try a bridging setup i cant get samba to run like this
19:14 < krzie> its just the route command
19:14 < krzie> read up on it for your OS
19:14 < freaky_t> I don't know what to route
19:15 < krzie> linux?
19:15 < krzie> bsd?
19:15 < krzie> osx?
19:16 < freaky_t> linux
19:16 < krzie> route add default gw
19:16 < freaky_t> what should be the gateway then?
19:17 < freaky_t> the problem is that im getting disconnected when i run the bridge-start script
19:17 < freaky_t> and i have to reboot the server
19:17 < krzie> if you cant answer that for your network a vpn is too advanced for you to be honest
19:17 < freaky_t> because i only have one NIC
19:17 < reiffert> setup the bridge before running openvpn.
19:18 < freaky_t> i know
19:18 < reiffert> just add the tap adapter to the bridge after openvpn server starts
19:18 < freaky_t> krzie i dont know why im getting disconnected from my server when i run the bridge-start script so i dont know what to route where
19:18 < reiffert> or, on the client side, add the tap adapter to the bridge when it's getting connected to the server.
19:18 < krzie> you are changing its connection to the inet, you MUST get disconnected
19:18 < reiffert> brctl addbr br0
19:18 < reiffert> brctl addif br0 eth0
19:18 < reiffert> in prior run: ifconfig eth0 0.0.0.0 promisc up
19:19 < freaky_t> i cant i'd get disconnected
19:19 < reiffert> afterwards: ifconfig br0 192.168.1.1 or whatever your eth0 ip was.
19:19 < freaky_t> it's a dedicated server
19:19 < krzie> then figure out WINS
19:19 < freaky_t> im trying since ages
19:19 < reiffert> on debian you can handle everything with network/interfaces file
19:19 < freaky_t> nobody can help me
19:19 < freaky_t> google doesnt tell me anything useful
19:20 < reiffert> && bed
19:21 < freaky_t> cya
19:21 < krzie> screw google, everyone who i suggested it to just read the manual i linked !wins too and it worked
19:23 < freaky_t> for me it doesnt
19:23 < freaky_t> dump workgroup on subnet UNICAST_SUBNET: netmask= 10.8.0.1:
19:23 < freaky_t> FREAKYYDE(1) current master browser = UNKNOWN
19:23 < freaky_t> MASTER 40899a03 (master server)
19:23 < freaky_t> i dont know what i should do
19:24 < zend> krzie, the idea was to have multiple LANs using different IPs as their default gateway to the client machine... BUT ALSO have that same client machine have multiple client instances to different VPNs.. and then according to the IP the LANs used as their gateway route them to the appropriate VPN.
19:24 < zend> route their internet through the appropriate VPN that is
19:25 < zend> i cant do that because 1 VPN "steals" the default gateway
19:25 < zend> which is why i wanted to not start it up with --redirect
19:29 < zend> ive seen cisco routers with ipsec do this.. :(
19:34 < krzie> hrm
19:34 < krzie> im curious if this can work or not, give it a shot
19:34 < krzie> lets say 10.8.0.1 is 1 vpn server
19:34 < krzie> so the client has 10.8.0.6 for vpn ip
19:34 < krzie> and we'll say it is 192.168.0.10 on its LAN
19:35 < krzie> tell another machine on that lan this:
19:35 < krzie> 10.8.0.0/24 routes to 192.168.0.10
19:35 < pekster> Why not have the DNS server for the corporate LAN accept dynamic record updates for VPN clients?
19:35 < krzie> 0.0.0.0 routes to 10.8.0.1
19:35 < freaky_t> i've sent another eMail to the samba mailinglist
19:35 < pekster> Then use DNS as it was intended to; resolve client names to IPs :)
19:36 < zend> pekster, for that each PC would be its own client.. and thats not the idea.
19:37 < pekster> Ah, okay, I'm coming into this a bit late in the game
19:37 < zend> krzie, *thinking*
19:37 < pekster> So the clients are given IPs from a DHCP server on the remote network, not the corp DHCP?
19:38 < krzie> freaky_t, you could also try a broadcast relay
19:38 < krzie> ive never attempted it but reiffert has mentioned it a few times as an alternative to WINS
19:39 < freaky_t> i wouldnt know what to relay where and how.
19:39 < freaky_t> ill try a broadcast relay if everything else fails
19:39 < freaky_t> now im trying to get help on the samba mailinglist
19:39 < krzie> i believe it just relays broadcasts
19:39 < krzie> not like you need to know about them
19:39 < freaky_t> thank you for ur help by the way ;D
19:40 < freaky_t> yea but i think i would have to set it up in some way
19:41 < zend> krzie, ive read your proposal 5 times and I honestly do not understand it.. I only understand the IP of the vpn server is 10.9.0.1, and the client is 10.8.0.6 . Thats it..
19:41 < pekster> When I set up remote sites for a corp network at my last job, we had the border router for the net doing DHCP-relay to the HQ DHCP server, and then it took care of DNS registration in the AD environment, allowing you to hit \\client-at-remote-site as you'd expect
19:42 < zend> krzie, and that there is a machine in the LAN with 192.168.0.10
19:42 < krzie> heh
19:42 < krzie> ok lets do it this way
19:42 < krzie> what is the VPN address of the server, and the client?
19:43 < freaky_t> now it works
19:43 < freaky_t> dump workgroup on subnet 10.8.0.1: netmask= 255.255.255.0:
19:43 < freaky_t> FREAKYYDE(1) current master browser = MASTER
19:43 < freaky_t> MASTER 408c9a03 (master server)
19:43 < freaky_t> i didnt do anything
19:43 < zend> VPN server: 10.0.1.1 , Client is 10.0.1.9
19:43 < krzie> and what is the IP address of the client on the lan (same machine as vpn client, but LAN ip) and what is the IP of the machine on the lan that needs to default route through the VPN?
19:44 < freaky_t> but i still cant see the server
19:44 < freaky_t> ill try bcrelay
19:44 < zend> you mean the IP address of the gateway of the PC, and the IP of the PC krzie ?
19:45 < krzie> theres 2 boxes on the lan that matter
19:45 < krzie> the vpn endpoint and the machine that wants to route through it
19:45 < krzie> what are both their IPs on the lan
19:46 < zend> 172.16.1.1 , and the IP of the PC is 172.16.1.201
19:47 < krzie> so tell 172.16.1.201 that for 172.16.1.0 255.255.255.0 it routes through 172.16.1.1
19:47 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through 10.0.1.1
19:48 < krzie> then tell it for 0.0.0.0 0.0.0.0 (aka default) it routes through 10.0.1.1
19:49 < krzie> oops i messed up
19:49 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through
19:49 < krzie> 10.0.1.1
19:49 < krzie> i meant:
19:50 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through 172.16.1.1
19:50 < krzie> but honestly i dunno if that will work or not
19:50 < krzie> if it does, it will do what you want
19:52 < zend> hmm i appreciate your effort.. but iam burned.. i will review this tomorrow......
19:53 < krzie> basically its this:
19:53 < krzie> the machine on the lan needs to know the server vpn ip is its default route
19:53 < krzie> but for that it needs routes to it
19:53 < zend> true
19:53 < krzie> so you tell it for 172.16.1.0 255.255.255.0 it routes through 172.16.1.1 (for its lan)
19:54 < krzie> that could already be there, depending on your setup
19:54 < zend> its there
19:54 -!- bandini [n=bandini@host142-110-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
19:54 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through 172.16.1.1
19:54 < zend> wait.. sec..
19:54 < zend> who do i tell these two? the client? or the pc?
19:57 < krzie> the pc in the lan who wants to route over the vpn
19:58 < krzie> basically, it gets a route to the local vpn endpoint
19:58 < zend> sorry krzie but why should the PC do any type of change.. this is messy.. as far as the PC goes it should only connect to a PORT and grab the lease from dhcp.. the client should do all the routing..
19:58 < krzie> then it gets a route to vpn server over that
19:58 < krzie> then it gets a default route over that
19:58 < krzie> hey, you're the one who wants to do it the hard way
19:59 < zend> yeah but that hard way I think should be done within the client ;)
19:59 < krzie> good luck to you
19:59 < zend> after all, this is a router
19:59 < zend> ill keep you posted
19:59 < zend> thank you
20:01 < krzie> heres the thing you're missing
20:01 < krzie> everything is based on source and destination address
20:02 < krzie> if the machine on the lan just sends traffic at its default gateway, the traffic will go to whatever route the destination matches on the router
20:02 < krzie> for inet traffic that will be the default gateway
20:02 < krzie> (which was my first suggestion)
20:03 < freaky_t> krzie i dont know what i should relay :\
20:03 < krzie> my last suggestion gets around that fact
20:04 < freaky_t> krzie can u help me?
20:04 < krzie> zend, personally what i'd do is have a separate box for every VPN
20:04 < freaky_t> u're the only perso i can ask but i dont wanna go on your nerves so just tell me ;D
20:04 < krzie> which requires nothing extra since you already want boxes to connect over that vpn
20:04 < freaky_t> person
20:05 < krzie> then let all extra machines that need to route over it route via the vpn endpoint for that network
20:05 < krzie> then use redirect-gateway
20:05 < krzie> freaky_t, i have never used samba, never use windows, do not use windows filesharing, have never wanted WINS or a broadcast relay
20:05 < freaky_t> hm ok :(
20:05 < krzie> so i can NOT help with them more than saying people use them to achieve your goal
20:06 < freaky_t> ok thank you :\
20:06 < krzie> but i use the hell out of openvpn
20:06 < freaky_t> hehe, what do u use it for?
20:06 < krzie> so openvpn specific questions i have a much better chance of helping with
20:06 < freaky_t> do u use any network services?
20:07 < freaky_t> for the vpn
20:07 < freaky_t> anything nice to have for example?
20:07 < freaky_t> ;D
20:07 < krzie> umm
20:07 < krzie> well ive setup chains of them to anonymize source of inet traffic
20:07 < krzie> i use it on some boxes as a secure way to enter the box
20:07 < freaky_t> hm ok
20:07 < freaky_t> ok ;D
20:07 < krzie> no services listening to the world other than openvpn, everything else only listening on the vpn
20:07 < freaky_t> thanks ^^
20:08 < krzie> i use it for secure communications, ie: running an IRCD only internal to the vpn
20:08 < krzie> secure access to internal networks
20:08 < freaky_t> :)
20:09 < krzie> stuff like that
20:09 < freaky_t> ok
20:09 < krzie> i dont need to trust the security of services or protocol if i only allow them over the vpn
20:09 < freaky_t> yea
20:10 < krzie> some things also support socks, but not socks auth, so i run an open relay inside the vpn
20:10 < krzie> then only a connected vpn user can use it
20:10 < freaky_t> ok ;D
20:11 < krzie> theres an alternative for ya zend
20:11 < krzie> you could use a socksifier like the app proxifier on all machine that need to default over vpns
20:12 < krzie> then on the server you could run a socks daemon only listening on VPN ips
20:12 < krzie> then configure each lan machine to use whichever vpn you choose
20:12 < krzie> kind of like what i do, only for a very different reason
20:12 < krzie> i use socks to selectively route over the vpn
20:12 < krzie> torrents dont go over it, mail does, etc etc
20:13 < krzie> which i can specify based on IP range, port range, application, or any combination of those
20:14 < krzie> i can also choose to use all except what i say, or only what i say
20:18 < freaky_t> ill try to connect using my laptop running kubuntu now maybe i get more error messages there
20:22 < zend> krzie, why is it that I just couldnt nat the 172.16.1.0/24 network to tun0.. and thats it? i tried it a million times..
20:22 < zend> but i will seek about that
20:25 < krzie> because the traffic wont even try to go to the vpn to get NAT'ed
20:26 < krzie> you will need a nat too if you go the route way
20:26 < krzie> not if you go the socks way
21:04 < freaky_t> krzie well i can connect using Dolphin smb protocol. but it isnt shown under network
21:11 < freaky_t> so krzie could u tell me what gateway i should add in the bridge-start script? it just doesnt work whatever i try
21:27 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:43 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
21:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:54 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 60 (Operation timed out)]
21:58 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
22:02 -!- azaghal_ [n=azaghal@195.252.105.9] has joined ##openvpn
22:07 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
22:07 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 131 (Connection reset by peer)]
22:07 -!- zend [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
22:18 -!- azaghal [n=azaghal@198.225.178.212.adsl.dyn.beotel.net] has quit [Read error: 113 (No route to host)]
22:28 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
22:29 -!- admin__ [n=admin@193.227.191.91] has quit [Connection timed out]
23:04 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
23:06 -!- albech_ [n=albech@119.42.76.84] has quit [Client Quit]
23:06 -!- Cr0nix [n=Cr0nix@e180064168.adsl.alicedsl.de] has joined ##openvpn
23:07 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn
23:07 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
23:08 -!- Cronix [n=Cr0nix@e180066066.adsl.alicedsl.de] has quit [Read error: 60 (Operation timed out)]
23:13 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
23:18 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
23:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
23:32 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 110 (Connection timed out)]
23:35 -!- tjz [n=tjz@bb219-75-13-49.singnet.com.sg] has joined ##openvpn
--- Day changed Sun May 10 2009
00:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
00:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:43 -!- tech [n=tech@76.25.242.237] has joined ##openvpn
00:44 < tech> anyone know how to use pptpd with ubuntu?
00:46 < krzee> !notovpn
00:46 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
01:00 < tech> ok how would I setup the openvpn server
01:01 -!- rubydiam_ [n=rubydiam@123.236.183.119] has joined ##openvpn
01:01 < krzee> !howto
01:01 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:01 < krzee> !manual
01:01 < vpnHelper> krzee: Error: "manual" is not a valid command.
01:01 < krzee> !man
01:01 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:02 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 54 (Connection reset by peer)]
01:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:05 -!- rubydiam_ [n=rubydiam@123.236.183.119] has quit [Read error: 54 (Connection reset by peer)]
01:27 < tech> ok have it installed and tried running config command and get a weird message with vars
01:32 < krzee> you likely didnt type . ./vars like it said to
01:32 < krzee> the first . matters
01:32 < tech> yes I did
01:33 < tech> I just want to setup a vpn server with linux and windows client
01:33 < tech> I don't see any instructions for using this with a windows client krzee
01:34 < krzee> cause you just skimmed the howto
01:34 < krzee> dont expect to set this up as simply as microsoft office
01:34 < krzee> it will require a lot of reading and some understanding of networking
01:34 * reiffert is waiting for a sentence like: Hm, I cant connect to this cisco vpn server .. why didnt anyone tell me?
01:35 < tech> I have setup vpn's with windows server in the past, and they were quite easy to setup
01:36 < krzee> im curious how he found his way here to ask a pptp question
01:36 < krzee> yes
01:36 < krzee> microsoft is the quick and easy way
01:36 < tech> cause I am trying to do vpn
01:36 < krzee> openvpn is the secure way
01:36 < krzee> (note, i didnt say quick or easy)
01:36 < tjz> lol
01:37 < tech> my question is, how would I use a windows client with this?
01:37 < krzee> !howto
01:37 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:37 < krzee> openvpn runs on windows
01:37 < reiffert> Your initial question looks more like if anyone knows how to run pptpd on ubuntu..
01:37 < tech> yea, that's where I started
01:37 < reiffert> it's quite simple.
01:37 < reiffert> /etc/init.d/pptpd start
01:38 < tech> yes I ran that and can run that on ubuntu
01:38 < krzee> !notcompat
01:38 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
01:38 < tech> but the windows client doesn't connect to it
01:38 < tjz> they are different products
01:38 < reiffert> tech: it does not? OpenVPN is your way then.
01:38 < tech> vpnHelper, thanks for that. then I need to NOT use this because it is useless
01:38 < vpnHelper> tech: Error: "thanks" is not a valid command.
01:39 < tech> bye now
01:39 -!- tech [n=tech@76.25.242.237] has quit ["Leaving"]
01:39 < krzee> damn that bot is lagged
01:39 < krzee> (or i am)
01:39 < reiffert> Always remember, those people keep our income high.
01:40 < tjz> lol
01:42 < krzee> hahah
01:44 < reiffert> 08:41 [freenode] CTCP PING reply from krzee: 46.806 seconds
01:44 < tjz> LOL
01:45 < krzee> sounds bout right =/
01:45 < krzee> [02:45] * Ping reply from reiffert: 2.22 second(s)
01:45 < reiffert> stop sucking porn
01:45 < krzee> there we go
01:45 < reiffert> ah, there we go#
01:45 < reiffert> 08:45 [freenode] CTCP PING reply from krzee: 1.030 seconds
01:46 < tjz> O_o
01:49 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
01:54 -!- azaghal_ is now known as azaghal
02:10 < theDoc> Woohoo!
02:13 < krzee> yayyyyyy
02:13 < krzee> that woohoo mean you figured out the answer to my post here: http://www.insanelymac.com/forum/index.php?s=&showtopic=141154&view=findpost&p=1137316
02:13 < krzee> ???
02:13 < vpnHelper> Title: [how to] Intel DG35EC - InsanelyMac Forum (at www.insanelymac.com)
02:43 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
02:48 -!- azaghal [n=azaghal@195.252.105.9] has quit [Read error: 131 (Connection reset by peer)]
03:03 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
03:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:12 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
03:13 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
03:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 54 (Connection reset by peer)]
03:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
04:37 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 54 (Connection reset by peer)]
04:37 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
04:38 -!- albech_ [n=albech@119.42.76.84] has quit [Read error: 54 (Connection reset by peer)]
04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)]
04:57 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn
04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
05:01 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
05:19 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
05:26 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
05:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
05:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
05:40 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 60 (Operation timed out)]
05:42 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
05:44 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
05:49 < gregd> hi guys, i've got very strange behaviour using openvpn 2.0.9 server. I've got it configured as tun/udp server and keys for 2 clients generated. When I connect to it one client (always the same one) works perfectly fine (pinging google).. whilst the other one is losing packets all the time on the way server-google. Client-server connection is always fine. What can be the cause?
05:54 < theDoc> gregd: How do you know that packets are dropping?
05:54 < gregd> theDoc: ping does not get a response for every one...I would say 10% to 20% are lost
05:55 < theDoc> gregd: Where are you pinging from?
05:55 < theDoc> gregd: Is that from your box or from the server?
05:55 < gregd> i'm located in the uk and the openvpn server in the us
05:55 < gregd> from my box im pinging
05:56 < theDoc> gregd: Is the other box also on the same physical LAN which the afflicted box is in?
05:56 < gregd> yes... that are 2 laptops... both on my desk.. the same laptops.. the same operating system the same LAN
05:57 < gregd> is it possible that openvpn gives different gateways for each of the hosts connected?
05:58 < gregd> i'm just trying to generate new certificates and restart the whole configuration on server side
06:02 < theDoc> gregd: No, I don't think so.
06:03 < theDoc> gregd: Openvpn doesn't throw up different gateways.
06:03 < theDoc> gregd: Just check your assignment for the dns/subnet/gateway given. It should be the same if you are using route-push directive on your server.
06:03 < gregd> the other thing that i suspect is to use masquerade instead of NAT, will try it in a few minutes
06:03 < theDoc> gregd: Yeah, you should be using masquerade.
06:04 < theDoc> I'm still trying to find a way to bypass a http-proxy which I don't own :p
06:04 < theDoc> hmm.
06:04 < gregd> lol ;)
06:05 < theDoc> gregd: Not for anything nefarious :)
06:05 < theDoc> Just tech knowledge :)
06:05 < theDoc> At the end of the day, if you do that in an organization where they have a clue :P you're just setting yourself up to get fired by the management.
06:05 < theDoc> I can see someone using that in schools, but in a workplace, hardly.
06:06 < gregd> that's somehow true.. but if u do it (create openvpn) on a udp and change port to less suspected one... i think you are rather safe ;)
06:06 < theDoc> gregd: True, but if the proxy server drops all traffic except http on port 80 :)
06:07 < gregd> get a vps and put openvpn tcp on 80?
06:07 < theDoc> Trying to masquerade your vpn traffic over the http connection is just another excuse for the management to fire you when they find out.
06:07 < theDoc> gregd: I rent out vpn tunnels :p
06:07 * theDoc chuckles.
06:08 < gregd> so now put a smart port forwarding and done ;)
06:08 < theDoc> I'm contemplating on getting another few windows 2k3 boxes so I can have better interoperability for the windows users who don't want to be tied to openvpn.
06:08 < theDoc> gregd: I just realized that my SP drops vpn traffic over port 80 :)
06:09 < gregd> hmm is it possible at all?
06:09 < theDoc> gregd: No idea, might be possible with NBAR.
06:09 < theDoc> or some kind of DPI.
06:10 < gregd> so how does youtube work then or.... skype.. they stream media over port 80... so there should be a clue
06:11 < theDoc> gregd: Yep, they might just filter vpn traffic on 80.
06:11 < theDoc> I know for sure that you can't assign port 80/8080 for http servers you run at home :)
06:35 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Remote closed the connection]
06:35 -!- gregd [n=gregd@98.142.208.61] has joined ##openvpn
06:36 -!- gregd_ [n=gregd@98.142.208.61] has joined ##openvpn
06:39 -!- gregd [n=gregd@98.142.208.61] has quit [Read error: 104 (Connection reset by peer)]
06:49 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
06:49 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
06:54 -!- gregd_ [n=gregd@98.142.208.61] has quit [Read error: 110 (Connection timed out)]
07:07 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
07:22 -!- albech_ [n=albech@119.42.76.84] has quit [Client Quit]
08:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
08:58 < freaky_t> krzee i've set the wins server to my server's ip in my client's tap device - i can now ping "master" etc. but i still cant connect using normal windows filesharing
08:58 < freaky_t> it doesnt even connect
09:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:11 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
09:12 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Remote closed the connection]
09:45 < Bushmills> oh? has krzee turned windows expert recently?
09:45 < Bushmills> http://forthfreak.net/misc/ola.gif
09:51 < freaky_t> \o/
09:51 < freaky_t> ? :D
10:12 < Dougy_> oO
10:15 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
10:28 < Dougy_> GOD DAMN SPAMMING BASTARDS
10:28 * ecrist laughs at shitty forum operators
10:29 < ecrist> http://www.twincitiescarry.com/forum/viewtopic.php?t=12763
10:29 * Dougy_ goes to add captcha and clean up
10:29 < ecrist> not at you dougy
10:29 < ecrist> this guy that owns/runs the forum above, arrogant asshole
10:29 < ecrist> tried to ban me, didn't realize I have access to more IPs than he can ban.
10:29 < ecrist> hell, most of my web browsing is done through tor and other such anonymizers, anyways
10:30 < ecrist> page 7, I posted, after he'd banned me, and I got an angry email from him claiming I was hacking his web site.
10:31 < Dougy_> lol
10:31 < Dougy_> ecrist
10:31 < Dougy_> theres quite a few actual posts popping up on there
10:31 < Dougy_> and i dont know how to help any of em
10:31 < Dougy_> lol
10:31 < ecrist> oh, I'll look, gimme a few.
10:31 < Dougy_> http://www.ovpnforum.com/viewtopic.php?f=6&t=139&sid=640fb2d0cba7bbc577b7e8bcf538f3d5
10:31 < vpnHelper> Title: OpenVPN Forum View topic - Getting web access out of C-h-i-n-a (at www.ovpnforum.com)
10:31 < Dougy_> redirect-gateway
10:31 < Dougy_> no?
10:31 < Dougy_> :p;
10:32 < Dougy_> and there's http://www.ovpnforum.com/viewtopic.php?f=6&t=129
10:32 < vpnHelper> Title: OpenVPN Forum View topic - revoking a certificate (at www.ovpnforum.com)
10:32 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
10:33 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
10:33 < Dougy_> and last but not least http://www.ovpnforum.com/viewtopic.php?f=5&t=124
10:33 < vpnHelper> Title: OpenVPN Forum View topic - Using redirect-gateway in Windows XP (at www.ovpnforum.com)
10:44 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
10:44 -!- zug [n=m@94-192-16-41.zone6.bethere.co.uk] has joined ##openvpn
10:45 < zug> does anybody know how I can connect openvpn through a public server to avoid port forwarding
10:46 < zug> but then have the two endpoints directly connected to each other?
10:46 < ecrist> what?
10:46 < ecrist> I'm confused
10:46 < zug> not sure if its possible..
10:46 < zug> ok
10:46 < zug> two openvpn clients
10:46 < zug> one server
10:46 < zug> can both clients connect to the server, but then be able to talk directly to each other
10:46 < zug> without having to go via the server?
10:47 < ecrist> no
10:47 < ecrist> their vpn session is between them and the server
10:48 < ecrist> the server has to be an intermediary
10:48 < zug> hmm ok thanks
10:56 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
11:05 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: jameswhite, Bushmills, rubydiamond, troy-
11:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:21 -!- Bushmills [n=nnnnnnl@verhau.de] has joined ##openvpn
11:21 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
11:21 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
11:23 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
11:23 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Read error: 54 (Connection reset by peer)]
11:24 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
11:24 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
11:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
11:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:42 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
11:44 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
12:20 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [SendQ exceeded]
12:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:26 -!- admin__ [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
12:26 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
12:31 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
12:31 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Connection reset by peer]
12:43 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:53 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
12:54 -!- admin__ [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
13:07 < krzee> !mitm
13:07 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
13:07 < krzee> !hmac
13:07 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
13:07 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:08 < krzee> !servercert
13:08 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
13:09 -!- epaphus [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"]
13:11 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
13:11 < krzee> !ssl-admin
13:11 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
13:12 -!- zend [n=unix3@201.199.62.74] has joined ##openvpn
13:12 < zend> hello
13:15 < zend> krzee, ive been reading on NAT more.. and it seems *technically* to do exactly what I want. In fact when I put it in practice I can still ping my endpoint.. but thats about it.. if I try pinging something else it generates a lot of writes in the vpn server but doesnt return anything.. you said that NAT and tun are not compatible.. why so?
13:18 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Remote closed the connection]
13:18 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn
13:20 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
13:20 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
13:24 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
13:40 -!- admin__ [n=admin@193.227.191.91] has quit [Read error: 110 (Connection timed out)]
13:48 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
13:48 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
13:51 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Remote closed the connection]
13:52 -!- gregd [n=gregd@98.142.208.61] has joined ##openvpn
14:11 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
14:14 < zend> krzee, i found the way to do it like i wanted to ;)
14:15 < reiffert> how so?
14:16 < krzie> ya pls explain
14:23 < reiffert> just curious, did my proposal have any chance to work?
14:24 < reiffert> that was:
14:24 < zend> Well, actually reiffert found it not me.. I just did research today and confirmed in fact I think it is the way to do..
14:24 < zend> policy routing
14:24 < zend> :P
14:24 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 gw 192.168.200.15
14:24 < reiffert> route add default gw 192.168.100.10
14:25 < krzie> right, on the machine in the lan, not the router... right?
14:25 < reiffert> right.
14:25 < krzie> thats the same thing i told him, heheh
14:25 < reiffert> krzie: same thing = policy routing or those 2 routing lines?
14:25 < krzie> well the last thing i told him, not the first
14:25 < krzie> the idea behind those 2 lines
14:26 < krzie> i didnt know it had a name
14:26 < zend> yeah but reiffert proposed policy routing in the router
14:26 < zend> which is not the same as this example
14:26 < reiffert> I was proposing policy routing on the openvpn client machine.
14:26 < zend> ohh
14:26 < zend> yeah, correct
14:26 < zend> not the PC obviously
14:26 < zend> the openvpn client machine
14:26 < reiffert> but then those two routing lines for the LAN machine (windows) came to my mind.
14:26 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Connection timed out]
14:27 < zend> reiffert, well i didnt research on the later one.. because I think this is cleaner
14:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:27 < reiffert> nah, policy routing is OS dependent.
14:27 < zend> true..
14:27 < reiffert> just plain routing is more clean and sane.
14:27 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:28 < reiffert> please try my later one as well, I'm really curious.
14:28 < zend> reiffert, well thank you... :)
14:28 < zend> and krzie for the help.
14:28 < reiffert> Want my paypal address?
14:29 < krzie> i do i do!
14:29 < krzie> password too!
14:29 < zend> :-)
14:29 < reiffert> :)
14:30 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
14:31 -!- admin__ [n=admin@193.227.191.91] has quit [Connection timed out]
14:33 -!- gregd [n=gregd@98.142.208.61] has quit [Read error: 104 (Connection reset by peer)]
14:43 < project2501a> hey guys. i'm a bit confused and i'm getting conflicting information: is it true that an openvpn connection gets dropped because ovpn runs over udp?
14:43 < Dougy_> hah
14:44 < Dougy_> reiffert:
14:44 < Dougy_> lol
14:44 < project2501a> sorry for the stupid question, but i can't get a straight answer as to why does my ovpn connection get re-initiated every now and then
14:45 < krzie> it should re-key every hour
14:45 < krzie> you actually getting disconnected?
14:45 < project2501a> yup
14:46 < project2501a> more than once an hour
14:46 < krzie> !config
14:46 < vpnHelper> krzie: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
14:46 < krzie> err
14:46 < krzie> !configs
14:46 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:46 < project2501a> krzie: getting configs, be right with you
14:50 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
14:50 < project2501a> .... aaand vpn timed out :P hold please
14:51 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
14:53 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Client Quit]
14:53 < krzie> you use tcp?
14:53 < krzie> connecting over something like ppp pppoe satellite?
14:53 < project2501a> heh
14:53 < project2501a> i wish
14:53 < project2501a> something is screwing up the config
14:53 < project2501a> erh, the connection
14:54 < project2501a> no, it's just straight dsl into work. work is on fiber from BT
14:56 < Dougy_> hey krzie
14:56 < Dougy_> ewwwwwwwwwww
14:56 < Dougy_> BT
14:56 < krzie> why ewww bt
14:57 < Dougy_> bt sucks
14:57 < krzie> he has better options over there?
14:58 < project2501a> not where i'm at mate
14:58 < krzie> ya its easy for people who are in FIOS range to say that
15:00 < Dougy_> fios can kiss my ass too
15:00 < Dougy_> krzie
15:00 < Dougy_> check out what my isp does
15:00 < Dougy_> http://www.cedmagazine.com/News-Cablevision-DOCSIS30-101-Mbps-042809.aspx
15:00 < vpnHelper> Title: Cablevision pushes DOCSIS 3.0 needle to 101 Mbps (at www.cedmagazine.com)
15:00 < krzie> ya docsis3 is good
15:01 < Dougy_> 101Mbps
15:01 < Dougy_> uncapped
15:01 < Dougy_> for $100
15:01 < krzie> ecrist is in the first location to carry docsis3
15:02 < krzie> mssfix 1200
15:02 < krzie> why?
15:02 < krzie> and i refuse to read your client.conf
15:02 < krzie> you did not strip comments
15:03 < krzie> push "route 10.22.0.0 255.255.254.0"
15:03 < krzie> you have a million of those
15:03 < krzie> why not just 10.22.0.0 255.255.0.0
15:03 < reiffert> I'm on 32mbit for EUR 22,90/month
15:04 < krzie> i get 1.5mbit down 768kbit up for ~ $100/us
15:04 < krzie> per mo
15:04 < reiffert> 2mbit up
15:06 < reiffert> incl. telefon "flatrate"
15:09 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
15:14 < project2501a> krzie: oh, sorry about not stripping the comments
15:14 < project2501a> krzie: good question about the route. i've asked that myself, and apparently it's for "security purposes". but i think it's bullshit
15:15 < krzie> are there any other 10.22 networks?
15:15 < krzie> if not, there is NO difference from your vpn's perspective
15:15 < project2501a> we got a bunch of them
15:15 < project2501a> and apparently not all are supposed to be accessed
15:16 < krzie> !factoids search lim
15:16 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
15:16 < project2501a> by everybody
15:16 < project2501a> oooh
15:16 < project2501a> seriously?
15:16 < project2501a> did i mention that my work is like dilbert's workplace?
15:16 < project2501a> heh
15:19 -!- Cr0nix [n=Cr0nix@e180064168.adsl.alicedsl.de] has quit [Remote closed the connection]
15:21 < krzie> also you have mssfix
15:21 < krzie> do you have a good reason for that?
15:21 < project2501a> we got windows clients
15:22 < krzie> so?
15:22 < project2501a> that config is as old as the first linux kernel :(
15:22 < krzie> thats not an OS thing, its a MTU thing
15:22 < project2501a> *nod*
15:22 < krzie> and it could be whats screwing you up
15:22 * project2501a reads up on mssfix
15:23 < krzie> !man
15:23 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:24 < project2501a> i got it open, mate
15:24 < project2501a> i thought that mssfix was there to fix the problem with the windows tcp stack
15:25 < krzie> negative
15:25 < krzie> its part of a group of settings for fixing MTU issues
15:25 < krzie> like if you were on ppp pppoe or satellite
15:26 < project2501a> oooh
15:26 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
15:27 < project2501a> see, learning shit like that on your own, or as said in latin "in vacuo"
15:27 < project2501a> is impossible
15:28 < project2501a> which is one of the things pissing me off: if i don't talk to other people, how the heck am i going to find out stuff about apocryphal stuff like this?
15:34 < project2501a> openvpn honors SIGHUP as "read conf again" right?
15:35 -!- zend [n=unix3@201.199.62.74] has quit ["Leaving"]
15:35 < krzie> not sure but its in the man
15:35 < krzie> under SIGNALS
15:35 < project2501a> *nod* read that. says so
15:35 < project2501a> says that it does so
15:35 < project2501a> just making sure
15:37 < project2501a> nope
15:37 < project2501a> it died on a -SIGHUP signal
15:37 < project2501a> hmm
15:37 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has left ##openvpn []
15:38 < krzie> SIGHUP
15:38 < krzie> Cause OpenVPN to close all TUN/TAP and network connections, restart, re-read the configuration file (if any), and reopen TUN/TAP and network connections.
15:38 < project2501a> yup
15:38 < project2501a> mine died :(
15:38 < project2501a> i read that in the manual
15:38 < project2501a> but apparently this one died *sigh*
15:38 < krzie> you remember when i typed !configs
15:38 < project2501a> ya
15:38 < krzie> you left out almost everything
15:38 < project2501a> did i?
15:38 < krzie> read the WHOLE THING again
15:39 < krzie> !configs
15:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:39 < project2501a> *nod*
15:39 < project2501a> sorry mate :)
15:39 < project2501a> thank you for your help, i don't mean to be difficult
15:39 < krzie> its ok, i cant figure out why damn near nobody reads the whole message frmo the bot
15:39 < krzie> from
15:40 < project2501a> i can tell you why
15:41 < project2501a> i didn't read it cuz i wanted a solution in a hurry. so, i didn't read the whole message, just the "pastebin the config" and the "use grep"
15:41 < project2501a> but then the "use grep" step was out of sight, so i completely forgot about it
15:41 < project2501a> hm
15:41 < krzie> but it leads to taking a longer time
15:41 < project2501a> ya
15:41 < project2501a> sign of the times, mate
15:41 < project2501a> seriously
15:42 < project2501a> i see it in other parts of society, and i detest it. but then i go and do it myself in my own work.
15:42 < project2501a> which basically proves i'm an idiot ;)
15:42 < krzie> lol
15:42 < project2501a> or no different than any other member of the society
15:44 < project2501a> fast food, fast work, faster results, "no, you're being too slow", "sysadmins do everything right the first time", "losers try, winners take home the prom queen and fuck her"
15:44 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
15:44 < project2501a> i'm writing an article on that "winner all the time" culture
15:45 < reiffert> isnt project2501a the guy whose initial question was about pptpd?
15:45 < krzie> i thought losers took her to prom, winners fucked her when they had free time
15:45 < krzie> no that was someone else i believe
15:45 < krzie> his config shows someone set it up had a clue
15:46 < reiffert> :)
15:47 < reiffert> I just read a single line from project2501a.
15:47 < reiffert> 22:41 < project2501a> i didn't read it cuz i wanted a solution in a hurry.
15:47 < krzie> tru
15:47 < reiffert> So the other guy fell into my mind ..
15:47 < krzie> at least he admits it i guess, seeing as 75%+ do it as well
15:48 < project2501a> reiffert: sorry, not me mate
15:49 < reiffert> project2501a: sorry, not you mate?
15:49 < project2501a> why shouldn't i admit it? i mean, i had this config dropped into my lap and i don't have particular experience with openvpn. no reason to play it like i'm l33t or anything.
15:49 < krzie> not him that was askin bout pptpd
15:49 < project2501a> what krzie said ^--
15:50 < krzie> comment mssfix from server and client, see how that works
15:50 < project2501a> already did that
15:50 < krzie> if it fixes it you must remove it from all clients
15:50 < project2501a> and testing it
15:50 < reiffert> krzie: right, although it sounds like him until now :)
15:50 < krzie> hehe gotchya
15:50 < project2501a> reiffert: i'm sorry if i sound whiny
15:50 < project2501a> or clueless
15:50 < krzie> reiffert i was just referring to reiffert: sorry, not me mate
15:50 < reiffert> krzie: jup, that was clear.
15:51 < project2501a> ah, yeah, well, i'm a Greek guy, who has lived in the US for 10 years and now, i'm in the UK. i pick up the lingo ;)
15:51 < reiffert> project2501a: nah, whiny is far from an excuse why you refuse to read docs.
15:51 < krzie> im pissed off, i need to pickup a pci-e vid card for my osx86 box, but no computer stores open on sunday
15:51 < ecrist> fuckers
15:52 < krzie> seriously!
15:52 < krzie> they should be open during the day when i need parts
15:52 < project2501a> reiffert: true that. i am reading the docs, but at my level of knowledge some sections of the man page seem, well, apocryphal
15:52 < reiffert> project2501a: thats why people made a howto page. For the beginners and impatient ones.
15:52 < project2501a> read the howto as well
15:52 < reiffert> read as in past tense?
15:52 < krzie> reiffert mssfix is covered in the howto?
15:53 < reiffert> krzie: standard beginners config files are.
15:54 < krzie> his configs arent very beginner, but you wouldnt know that cause they're too top secret to post to the chan (lulz)
15:54 < ecrist> lol
15:54 < project2501a> reiffert: ya, as in past tense, when i got this dropped on my lap. i'm stupid, but not that much to come here and ask for help without doing _some_ reading up beforehand ;) . i know how this works. i need to bridge the knowledge gap between me and the guy who set that openvpn up, that's all.
15:54 < reiffert> ah mental ignore will fix that.
15:54 < project2501a> krzie: nah, not "top secret" just scared of the boss
15:55 < krzie> heres the trick:
15:55 < project2501a> bad time to lose my job
15:55 < krzie> remove the remote line
15:55 < project2501a> *nod* will do
15:55 < krzie> then theres no priv info
15:55 < krzie> it connects, so remote line isnt a problem
15:56 < reiffert> openvpn.net is down btw
15:57 < reiffert> once again.
15:57 < reiffert> and back online. wohoo.
15:59 < project2501a> http://rafb.net/p/3vuLHd71.html <-- my client config
15:59 < vpnHelper> Title: Nopaste - client config (at rafb.net)
15:59 < krzie> looks good
16:00 < krzie> a tls static key wouldnt be a bad idea, but doesnt mean the end of the world if you dont have it
16:00 < krzie> for info on that see !mac
16:00 < krzie> err see !hmac i mean
16:00 < project2501a> *nod*
16:00 < project2501a> http://rafb.net/p/faI8Rm54.html <-- current server config
16:00 < vpnHelper> Title: Nopaste - current server config (at rafb.net)
16:00 < project2501a> removed the mssfix
16:01 < krzie> its working?
16:01 < krzie> (problem solved?)
16:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:02 < project2501a> krzie: i'm testing it now mate
16:02 < project2501a> it's been half an hour since i re-started it
16:03 < project2501a> and the connection is stable
16:03 < project2501a> that might have been the whole thing....
16:03 < project2501a> there's no passing of knowledge from previous sysadmins at my work
16:04 < krzie> thats common
16:04 < project2501a> so, the reason that option was there, might have been that 3 years ago, we had a 1mbit line, which was high-latency
16:04 < project2501a> but now we got 100mbit
16:04 < project2501a> but i'll never know that
16:05 < krzie> the 1mbit was isdn?
16:05 < krzie> or pppoe maybe
16:05 < ecrist> ISDN doesn't do 100Mbit
16:05 < krzie> 1mbit
16:05 < ecrist> ISDN doesn't do 1mbit
16:06 < ecrist> it maxes out at 128k, really. after that, you're considered fractional T1
16:07 < krzie> k
16:07 < krzie> still coulda been pppoe
16:07 < project2501a> or E1 in europe
16:07 < project2501a> but yeah, basically it was slow
16:08 < project2501a> i think i'll buy you beers guys
16:08 < reiffert> want our paypal account?
16:09 < project2501a> reiffert: i keep reading your nickname as "reiser"
16:09 < project2501a> hans, is that you?
16:10 < reiffert> yes, thats me.
16:10 < project2501a> where did you get the connection in prison? :D
16:10 < reiffert> directed wave lan.
16:11 < project2501a> deadly connection, i suppose
16:11 < project2501a> the fees must be murder
16:23 < project2501a> looks like the mssfix was at fault
16:24 < project2501a> i haven't been sending data down that route, and it's stable
16:24 * project2501a pops open a newcastle brown ale
16:24 < project2501a> cheers guys
16:32 -!- zug [n=m@94-192-16-41.zone6.bethere.co.uk] has quit []
16:33 -!- jeiworth [n=jeiworth@189.163.185.70] has joined ##openvpn
17:19 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has joined ##openvpn
17:21 -!- epaphus [n=unix3@201.194.13.22] has joined ##openvpn
17:22 < Skered> I would guess you can't do this only because it seems the best way to allow a non-admin to run OpenVPN. However you can use subinacl to allow a user to start/stop OpenVPN service can you use subinacl to also allow a user to make routing changes?
17:26 < reiffert> !subinacl
17:26 < vpnHelper> reiffert: Error: "subinacl" is not a valid command.
17:35 -!- `Ned [n=Ned@98.155.203.22] has joined ##openvpn
17:57 < ecrist> what did I do?
17:57 < krzie> !factoids search admin 17:57 < vpnHelper> krzie: 'ssl-admin' and 'win_noadmin' 17:57 < krzie> !win_noadmin 17:57 < vpnHelper> krzie: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista 18:45 -!- jeiworth [n=jeiworth@189.163.185.70] has quit [Read error: 110 (Connection timed out)] 19:57 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:26 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Excess Flood] 20:27 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn 20:28 -!- epaphus [n=unix3@201.194.13.22] has quit [Read error: 110 (Connection timed out)] 20:33 < freaky_t> hey krzie i got wins working. i had to set the openvpn server as wins server on the client network card 20:33 < freaky_t> but i still cant see the server 20:33 < freaky_t> and cant connect to it using windows 20:33 < freaky_t> using \\10.8.0.1\\ 20:33 < freaky_t> but that's a samba thing 20:48 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 21:01 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 21:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:21 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 21:34 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has quit ["leaving"] 21:52 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn 22:55 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)] 23:13 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:33 -!- floyd_n_milan_ is now known as floyd_n_milan 23:37 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn --- Day changed Mon May 11 2009 00:23 -!- agnogenic 
[n=agnogeni@c-98-212-193-28.hsd1.il.comcast.net] has joined ##openvpn 00:48 < agnogenic> Hello, I'm having an issue with openvpn. :02001002:system library:fopen:No such file or directory: 00:48 < agnogenic> error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib 00:50 < agnogenic> I have not been able to google this. I just installed my system, and am waiting for xorg to compile. 00:55 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 00:55 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn 00:57 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Client Quit] 01:01 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has joined ##openvpn 01:01 < Delf> howdy 01:02 < Delf> !howto 01:02 < vpnHelper> Delf: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:02 < Delf> Is it possible to create a mesh network with openvpn? 01:03 -!- agnogenic [n=agnogeni@c-98-212-193-28.hsd1.il.comcast.net] has quit [Client Quit] 01:05 < Delf> anyone? 01:10 < Delf> 69 people and no one is here :( 01:25 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 01:30 < reiffert> Delf: it's not. 01:34 < Delf> Any other program similar to OpenVPN that does mesh? 01:35 < reiffert> This is #openvpn. 01:35 < Delf> I thought it was ##OpenVPN 01:36 < Delf> I know what the topic is, sorry for talking outside of it. 01:39 < reiffert> Delf: it's not a matter of asking me private or on a public channel, it's just that this channel is about openvpn and it's not about mesh networks, nor expect people to know about similar to openvpn software that does mesh. 01:40 < Delf> reiffert: Ok 01:42 < Delf> !topology 01:42 < vpnHelper> Delf: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
01:50 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:56 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 54 (Connection reset by peer)] 01:57 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 02:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 02:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 02:15 -!- Artelius [i=router@60-242-27-57.static.tpgi.com.au] has joined ##openvpn 02:20 < Artelius> Hi, I've had a routed VPN running for a while and recently it stopped working 02:20 < Artelius> The first time, a server restart fixed it but it has returned, and restarts on both ends don't help 02:21 < Artelius> The error: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 02:25 < Artelius> Oh well, I thought not. 02:25 -!- Artelius [i=router@60-242-27-57.static.tpgi.com.au] has quit [] 02:40 < krzee> lol @ impatient 02:48 -!- mRCUTEO [i=cuteo@58.26.212.3] has joined ##openvpn 02:48 < mRCUTEO> hiya tjz 02:48 < mRCUTEO> hiya krzee 02:48 < mRCUTEO> :D 02:48 < mRCUTEO> hiya everyone :D 02:51 < Bushmills> yes, as if leaving the channel would somehow accelerate getting an answer 02:51 < tjz> omg 02:51 < tjz> mrcuteo! 02:51 < tjz> super duper MIA!!! 
02:51 < tjz> lol 02:51 < mRCUTEO> :D 02:52 < tjz> i can sense you are real busy 02:52 < tjz> :P 02:52 < tjz> hehe 03:00 < krzee> wassup =] 03:07 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 03:08 < mRCUTEO> :D 03:16 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 03:17 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn 03:22 -!- mRCUTEO [i=cuteo@58.26.212.3] has quit [] 03:31 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Remote closed the connection] 03:34 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 03:35 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Remote closed the connection] 03:38 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 03:45 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 03:58 -!- c64zottel [n=hans@p5B17B05C.dip0.t-ipconnect.de] has joined ##openvpn 04:07 -!- c64zottel [n=hans@p5B17B05C.dip0.t-ipconnect.de] has left ##openvpn [] 04:11 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 04:32 -!- mattock [n=mattock@195.236.127.254] has left ##openvpn [] 04:32 < krzee> http://www.ovpnforum.com/viewtopic.php?f=10&t=141 04:33 < vpnHelper> Title: OpenVPN Forum View topic - Idea for direct connections (at www.ovpnforum.com) 04:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 54 (Connection reset by peer)] 04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 05:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 05:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:35 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 05:35 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 131 
(Connection reset by peer)] 05:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:05 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has left ##openvpn [] 06:11 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn 06:14 < boojit> Hi: I have a security question about OpenVPN. We have a bunch of remote small networks that we tie together via an openVPN client at each remote site connecting to an OpenVPN server. We have it configured so any client at remote endpoint 1 can access any client at remote endpoint 2 through the openVPN connectivity. 06:15 < boojit> Someone asked me, if an attacker was to gain access to the OpenVPN server, would they be able to see the unencrypted conversation between client at RE 1 and client at RE 2? 06:16 < boojit> essentially, does the conversation between RE1 and the openVPN server get decrypted and re-encrypted before delivery to RE2? 06:17 < boojit> or is the conversation between RE1 and RE2 encrypted end-to-end? 06:42 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 06:46 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit ["No Ping reply in 90 seconds."] 06:46 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 06:54 < boojit> ok found the answer to my query, and yeah, that was obvious now I think about it: http://article.gmane.org/gmane.network.openvpn.user/26489 06:54 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org) 07:19 -!- CybDev [n=cybdev@unaffiliated/cybdev] has quit [Remote closed the connection] 07:21 -!- CybDev [i=cybdev@abducted.by.aliens.org] has joined ##openvpn 07:22 < Delf> Can i set up OpenVPN to be both Client AND server? 07:23 < ecrist> no 07:23 < ecrist> you need to run it twice 07:24 < Delf> I see 07:25 < Delf> each instance with separate adapter? 07:27 < reiffert> virtual adapter. 07:27 < Delf> yes 07:28 < reiffert> yes. 07:28 < reiffert> tun0, tun1, ... 
07:28 < reiffert> tap0, tap1, ... 07:29 < Delf> is it possible to run two instances as service? 07:29 < reiffert> OS? 07:29 < Delf> win xp 07:29 < reiffert> dunno 07:29 < reiffert> but most probably. 07:30 < Delf> Problem is, you cannot have same ip# for both 07:30 < Delf> virtual adapters 07:30 < reiffert> that's called a feature. 07:30 < Delf> Which? 07:30 < reiffert> 14:30 < Delf> Problem is, you cannot have same ip# for both 07:31 < boojit> I run two instances of OpenVPN with no problem, but that's on linux. 07:31 < Delf> I see 07:32 < Delf> i can run multiple instances of OpenVPN too but i dont seem to get them to run as a service on win xp 07:32 < dazo> Delf: in Windows, I believe you'll need to create the second TUN/TAP adapter (via the OpenVPN group in the Start menu) ... then it'll work out 07:32 * dazo is not a Windows guru 07:32 < Delf> dazo: yes, i do have two adapters 07:33 < Delf> Can one instance connect to multiple servers? 07:33 < dazo> Delf: :) ... anyway, each of the adapters needs different IP's that's for sure 07:33 < dazo> Delf: nope 07:34 < dazo> Delf: but you can list several remotes, and it will reconnect to the next one if one fails 07:34 < Delf> yes, that i have tried. 07:34 < Delf> simply by adding more lines of remote 07:34 < dazo> Delf: one process = one connection .... but for the server, it can handle multiple clients 07:35 < dazo> but for clients, it's 1:1 07:35 < Delf> Yes, but a server cannot connect to a remote server, can it? 07:35 < dazo> Delf: exactly ... in that case, the server is a server and not a client .... server accepts connections, clients initiates connections 07:36 < Delf> would there be a problem if there could be hybrids? 07:36 < dazo> Delf: you configure OpenVPN to be either a server or a client ... it cannot be both at the same time .... but you can run several openvpn processes with different configs at the same time 07:37 < Delf> yes, thats what i thought earlier. 
But then i run into the problem of having different ip# for each adapter 07:37 < dazo> there's no way around that 07:39 < Delf> I'm trying to create a mesh, but it seems like OpenVPN cannot do that. 07:39 < dazo> I don't think OpenVPN supports such infrastructure at all 07:42 < Delf> If it was possible to both accept and initiate connections, and if server could ask clients to connect to each other it would be nice. Thats while not having client-to-client in the server config 07:42 < Delf> it be nice. 07:43 < dazo> mm ... but that's not where OpenVPN is today ... but it's open source ... just to start hacking ;-) 07:43 < Delf> I'm not a coder of any kind. I don't know much of anything either. 07:45 < Delf> Maybe theres a reason this feature does not exist. I remember a while ago someone had made some posts about this 07:45 < Delf> perhaps a security issue or something, i dont know. 07:47 < Delf> Is it even called mesh networking? We're not talking about wi-fi 07:47 < dazo> Delf: might be ... anyway, a mesh network is to create ad-hoc networks with features as connection sharing .... normally, that's not what you really want if you want a secure VPN ;-) 07:48 < dazo> s/create ad-hoc/automatically create ad-hoc/ 07:48 < Delf> ? 07:48 < reiffert> sigh. 07:48 < reiffert> !factoids search mesh 07:48 < vpnHelper> reiffert: No keys matched that query. 07:49 < dazo> reiffert: was I that far away? 07:49 < reiffert> !learn mesh as openvpn does do mesh networking. 07:49 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 07:49 < dazo> ahh 07:49 < Delf> brb 07:51 < dazo> !learn mesh as openvpn does do mesh networking. 07:51 < vpnHelper> dazo: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. 
The 'whoami' command can tell you if you're identified. 07:51 < dazo> :( 07:51 < dazo> !whoami 07:51 < vpnHelper> dazo: I don't recognize you. 08:18 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)] 08:24 < ecrist> I think I'm going to get rid of anon edits on the wiki 08:24 < ecrist> !learn mesh as openvpn does do mesh networking 08:24 < vpnHelper> ecrist: Joo got it. 08:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:30 < reiffert> ecrist: you missed a "not"? 08:31 < reiffert> so was I 08:32 < dazo> yeah, a 'not' is missing 08:34 < ecrist> 07:51 < dazo> !learn mesh as openvpn does do mesh networking. 08:34 < ecrist> 07:49 < reiffert> !learn mesh as openvpn does do mesh networking. 08:34 < dazo> I know ... I didn't see it until you mentioned it :) 08:34 < ecrist> !forget mesh 08:34 < vpnHelper> ecrist: Joo got it. 08:35 < ecrist> !learn mesh as openvpn does not do mesh networking 08:35 < vpnHelper> ecrist: Joo got it. 08:35 < dazo> ecrist: thx! 08:35 < ecrist> no problem 09:07 -!- jeiworth [n=jeiworth@189.234.82.49] has joined ##openvpn 09:10 -!- albech [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)] 09:11 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 09:43 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 09:45 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Client Quit] 09:45 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 09:46 -!- theDoc_ [n=andelyx@208.99.194.194] has joined ##openvpn 09:46 < carpe_> hi 09:47 -!- carpe_ is now known as plaerzen 09:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Client Quit] 09:47 -!- theDoc_ [n=andelyx@208.99.194.194] has quit [Client Quit] 09:48 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:09 < ecrist> sup, plaerzen 10:15 < plaerzen> oh, the usual 10:15 < plaerzen> work work. 
10:19 < ecrist> aye, same here. 10:19 < ecrist> finally get to take my concealed weapons class on saturday. ::cheers:: 10:20 < js_> i always forget, what's the setting on the server to enable that clients can speak to each other? 10:20 < ecrist> client-to-client 10:23 < js_> any client side configuration needed? 10:23 < ecrist> Dougy_: I've enabled avatars on the forum, and I've added a forum rules entry for the configuration sub topic 10:23 < js_> nevermind, the client had changed ip 10:23 < ecrist> js_: no 10:23 < js_> what's a good way to set static ips for clients? 10:23 < ecrist> !static 10:23 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 10:24 < js_> !ccd 10:24 < vpnHelper> js_: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 10:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:40 -!- Timpa [i=timpa@193.13.142.250] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 10:59 < plaerzen> ecrist, what do you need concealed weapons for? 10:59 < ecrist> shooting bad guys 11:00 * plaerzen frowns. 11:06 < ecrist> why the frown? 11:06 -!- jeiworth [n=jeiworth@189.234.82.49] has quit [Read error: 110 (Connection timed out)] 11:07 < ecrist> http://secure-computing.net/files/04142009_40rnds.jpeg 11:07 < ecrist> I'm a good shot. 
;) 11:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:20 < plaerzen> lol you should have changed the target at some point before it was 1/4 gone 11:27 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn 11:36 -!- youngpro [n=pro@203.217.10.114] has quit [Read error: 145 (Connection timed out)] 11:41 -!- ke4qqq [n=ke4qqq@fedora/ke4qqq] has joined ##openvpn 11:44 < ke4qqq> hey guys - I have resolv-retry infinite set in my config file, have 'push "dhcp-option DNS xx.xx.xx.xx"' and most of my clients have no problems with resolution, however, I have a single winxp client that gets another dhcp-option (domain) but is resolving against their ISPs dns server. Thoughts on what I need to look for? 11:45 * dazo wonders if ecrists picture is a result of one bullet .... or several ..... :-P 11:48 < ecrist> dazo, 49 rounds of a 50 round box 11:49 < ecrist> the other one, was in the first target: http://secure-computing.net/files/04142009_bullseye.jpeg 11:49 < ecrist> ke4qqq: sounds like they have a static DNS server set in their networking config 11:50 < ke4qqq> ecrist - don't think so, but I'll check 11:51 < ke4qqq> ecrist: nope - all the wired and wireless adapters on that machine acquire dns via dhcp 12:10 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 12:11 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 12:13 -!- a-l-p-h-a [n=a-l-p-h-@unaffiliated/a-l-p-h-a] has joined ##openvpn 12:14 < a-l-p-h-a> I'm just wondering something... if I'm at home, and connected to my office openVPN, whatever i'm surfing, can it get logged? My question is does the vpn connection act as a proxy, or do I connect straight out? 
12:16 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:19 < ecrist> depends on how the routing is done, a-l-p-h-a 12:27 < a-l-p-h-a> route-method exe 12:27 < a-l-p-h-a> route-delay 2 12:27 < a-l-p-h-a> that's what's in the config with regards to routing. 12:27 < ecrist> look at your OS routing table 12:28 < a-l-p-h-a> ooh. 12:28 < ecrist> if they're monitoring you, look for a 0/1 route 12:28 < ecrist> or, a redirection of DNS services 12:32 < a-l-p-h-a> cool... all the hops in my tracert are my isp's. 12:35 < ecrist> verify DNS, and you're good to go 12:59 -!- hallo99 [n=johannes@xdsl-87-78-126-234.netcologne.de] has joined ##openvpn 13:00 < hallo99> I need to connect to an openvpn server, which requires me to give a username password, how can I put these into the config file, so I don't have to be asked if I start the vpn 13:01 < ecrist> you need to compile OpenVPN to support it, first off 13:02 < hallo99> I am using debian, I hope they did that for me 13:03 < dazo> hallo99: make sure that you're running the latest version .... 2.1_rc15 .... I'm not sure if Debian is that fresh 13:03 < ecrist> hallo99: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html 13:03 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 13:03 < ecrist> search the page, about half way down for auth-user-pass 13:07 < hallo99> It works, thanks a lot 13:17 < ecrist> no problem 13:18 -!- a-l-p-h-a [n=a-l-p-h-@unaffiliated/a-l-p-h-a] has left ##openvpn [] 13:21 -!- hallo99 [n=johannes@xdsl-87-78-126-234.netcologne.de] has quit ["leaving"] 13:40 -!- jeiworth [n=jeiworth@189.234.82.49] has joined ##openvpn 14:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:49 < jeiworth> sorry for this n00b question but where can i find the web gui for openvpn that is also shown on the openvpn homepage? in the gui section there appear to be only binaries for various platforms... 14:49 < ecrist> can you give me a link? 
14:49 < ecrist> are you talking about the access server? 14:50 < ecrist> !learn access-server as penVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients. There are a number of server configurations options supported which are a carefully selected ... 14:50 < ecrist> ... subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server. 14:50 < vpnHelper> ecrist: Joo got it. 14:50 < ecrist> !forget access-server 14:50 < vpnHelper> ecrist: Joo got it. 14:50 < ecrist> !learn access-server as OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients. 14:50 < vpnHelper> ecrist: Joo got it. 14:51 < ecrist> !learn access-server as There are a number of server configurations options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server. 14:51 < vpnHelper> ecrist: Joo got it. 14:51 < ecrist> !learn access-server as http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html 14:51 < vpnHelper> ecrist: Joo got it. 14:51 < ecrist> !access-server 14:51 < vpnHelper> ecrist: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. 
The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations 14:51 < vpnHelper> ecrist: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html 14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:58 < jeiworth> ecrist: thanks, looking into it 14:59 < jeiworth> i was starting to fear that the openvpn project was slowly but surely dying, looking at the latest updates, especially of the guis 14:59 < ecrist> not dying. there are only two core people to the project, and they want to keep it that way. 15:00 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 15:00 < jeiworth> only 2? wow, thats not a whole lot, and they dont want any help? 15:01 < ecrist> nope 15:04 < jeiworth> hmm and i see they want to start making money, just registered and got a free lic key for 5 connecting clients :D 15:04 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 15:05 < Tatster> !route 15:05 < vpnHelper> Tatster: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:05 < Tatster> !howto 15:05 < vpnHelper> Tatster: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:06 < Tatster> Hi all. 
I've been testing out Adito (SSL browser-based VPN) but run into a few stability issues and noted that in recent posts on forums that there is discussion about the Adito project coming under the OpenVPN umbrella 15:07 < Tatster> stumbled across http://beta.openvpn.net and thought "mmm this looks quite good" 15:07 < vpnHelper> Title: Welcome to OpenVPN (at beta.openvpn.net) 15:07 < jeiworth> this bot is quite talkative *g* 15:08 < Tatster> but reading some stuff today I saw somewhere that it is limited to 2 concurrent users - is this correct ? 15:08 < jeiworth> Tatster: i just registered there and got a free license valid for 5 connections 15:09 < Tatster> jeiworth: ok, that sounds promising. While that will probably be enough for me at this point in time, do you know what the score is with more users ? 15:10 < jeiworth> Tatster: hmm depends on what you are referring to, resource limits? i think the biggest limitation anyone will have in a private dsl-line is bandwidth 15:11 < APTX|> I'm trying to set up openvpn 2.1.x as server on windows 2k8. I used the default config file, only modified the cert paths. It starts up properly, but configures the network device to use the IP 169.254.70.216 which is not in the 10.8.0.0 network. What's going on? 15:11 < jeiworth> i am currently running a "normal" openvpn installation (standard package from ubuntu repo) and we have a 2mbps/348kbps line, its ok for 2-3 but then it gets really slow 15:14 < Tatster> jeiworth: yeah, I guessed that would be the case, was just a bit puzzled by the docs saying 2 concurrent 15:16 < jeiworth> Tatster: hmm strange, the docs for the beta, or which one? 15:18 < Tatster> it was in the OpenVPN access server admin guide 15:18 < Tatster> 3.2 Obtain License Key 15:18 < Tatster> Before you can begin Access Server configuration, you will need to obtain a license key for 15:18 < Tatster> OpenVPN Access Server. 
License keys, including free 2 concurrent connection license keys, can 15:18 < Tatster> be obtained from www.openvpn.net once you are registered and signed in to the website. Once you 15:18 < Tatster> have your license key, you can highlight and copy it so that you are ready to paste it when you run 15:18 < Tatster> ovpn-configserver. 15:18 < Tatster> oops sorry, thought that would go on one line 15:23 < jeiworth> spamm0r ;oP 15:23 < jeiworth> hmm well, i am not sure if that means that you get 5 client licenses and only can use 2 at the same time or not 15:24 < jeiworth> however, i like the idea of the client setup through the browser though 15:25 < Tatster> it still requires users to download and install the packaged file 15:25 < Tatster> just presents it to them as a single pre-configured exe 15:25 < jeiworth> exactly 15:26 < jeiworth> anyway, i am trying to build my own according to this http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html 15:26 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se) 15:31 < ecrist> jeiworth: the making-money part is only for the access server 15:31 < ecrist> the core openvpn should stay free/open 15:33 < Tatster> ecrist: so do I understand it correctly then that the access server is what gets you the auto-generated client package and a scripted server install, whereas the core server doesn't have these features ? 
15:34 < ecrist> yes 15:34 < ecrist> but, you can build your own 'generator' 15:34 < jeiworth> ecrist: yes, that is how i understand it 15:34 < ecrist> ssl-admin packages keys for you 15:37 -!- Intensity [i=[HiX103q@unaffiliated/intensity] has quit [Remote closed the connection] 16:13 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has left ##openvpn ["Leaving"] 16:14 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 16:22 -!- multiverse [n=multiver@209.147.120.138] has joined ##openvpn 16:42 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 16:44 < krzie> i dont see a reason to pre-package 16:44 < krzie> all you need to do is have them install openvpn, and give them a zip with keys / config 16:44 < krzie> with a batch file in the zip to place them in the right place 16:45 < krzie> and boom, done 16:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [No route to host] 16:48 -!- Intensity [i=[d6X6ISA@panix1.panix.com] has joined ##openvpn 16:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:21 < APTX|> ... I still don't know what the problem was, but setting ip-win32 to manual and setting the ip address/mask by hand worked. 
Somehow the driver failed to set the address properly :/ 17:22 -!- jeiworth [n=jeiworth@189.234.82.49] has quit [Read error: 110 (Connection timed out)] 17:32 -!- jeiworth [n=jeiworth@189.177.22.63] has joined ##openvpn 17:37 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 60 (Operation timed out)] 17:37 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 18:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection timed out] 18:03 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)] 18:04 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)] 18:07 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 18:12 -!- Lilarcor [n=Lilarcor@208-59-127-87.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn 18:12 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:13 < krzie> APTX| got logs from the failed attempts? 18:18 < APTX|> krzie: well I could set ip-win32 back to default and give you whatever you want... the problem was that the console said it was telling the device to set an IP address (via dhcp) and a completely different one got set :/ 18:18 < krzie> show me 18:18 < krzie> if you wanna try to make it work that way 18:18 < krzie> if you're happy with this, so am i 18:23 -!- Lilarcor [n=Lilarcor@208-59-127-87.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."] 18:24 < APTX|> riiight... 18:24 < APTX|> I just figured it out 18:24 < krzie> nice, what was it? 18:25 < APTX|> the dns client service was disabled 18:25 < krzie> ahh 18:25 < krzie> i was thinking it might be a service, dunno that i woulda came up with that exact one tho 18:25 < krzie> in fact im pretty sure i wouldnt have 18:25 < krzie> (i dont really use win) 18:25 < APTX|> I've enabled it when I ran OpenVPN as a service, as it was a dependency 18:26 < krzie> any other depended on services? 
18:28 < krzie> !learn win_services as if the adapter fails to set the IP properly check that dns client service is enabled. 18:28 < vpnHelper> krzie: Joo got it. 18:28 < APTX|> well the OpenVPN service depends on the DHCP client and tap-win32 18:28 < krzie> tap-win32 is a service? 18:29 < krzie> !forget win_services 18:29 < vpnHelper> krzie: Joo got it. 18:29 < APTX|> that I can't really say, but it comes up in the services' dependencies list 18:30 < krzie> !learn win_services as if the adapter fails to set the IP properly check that dns client service, DHCP client service, and tap-win32 is enabled. 18:30 < vpnHelper> krzie: Joo got it. 18:30 < krzie> nice, thanx =] 18:33 < APTX|> ... I meant dhcp not dns 18:33 < krzie> oh 18:33 < krzie> i woulda thought of that one then 18:33 < APTX|> sorry, there is no dns service involved 18:33 < krzie> hehe 18:33 < krzie> !forget win_services 18:33 < vpnHelper> krzie: Joo got it. 18:33 < krzie> !learn win_services as if the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled. 18:33 < vpnHelper> krzie: Joo got it. 18:34 < krzie> !forget win_services 18:34 < vpnHelper> krzie: Joo got it. 18:34 < krzie> !learn win_ipfail as if the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled. 18:34 < vpnHelper> krzie: Joo got it. 
19:25 -!- jeiworth [n=jeiworth@189.177.22.63] has quit [Read error: 60 (Operation timed out)] 19:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has left ##openvpn [] 19:31 -!- multiverse [n=multiver@209.147.120.138] has quit ["Leaving"] 19:47 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Remote closed the connection] 19:48 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn 20:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 20:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:36 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 21:10 -!- Delf1 [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has joined ##openvpn 21:11 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has quit [Read error: 104 (Connection reset by peer)] 21:29 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"] 21:41 -!- jeiworth [n=jeiworth@189.163.185.70] has joined ##openvpn 22:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 22:30 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 22:40 -!- multiverse [n=multiver@00121729f848.click-network.com] has joined ##openvpn 22:41 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 23:04 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 23:16 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: theDoc, Bushmills, freaky_t, Isen, tuxsmouf 23:16 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: isox, `Ned, feinoM, krzie, M06w, dazo, disco-, ke4qqq, nemysis, pa, (+39 more, use /NETSPLIT to show all of them) 23:17 -!- Netsplit over, joins: frankS2, Isen, tuxsmouf, freaky_t, Bushmills, theDoc, Celsiux-Nulled, project2501a, multiverse, jeiworth (+44 more) 23:21 -!- Alagar 
[n=helpdesk@95.154.197.29] has joined ##openvpn 23:32 -!- Delf1 is now known as Delf 23:34 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Success] 23:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 23:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 23:40 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] --- Day changed Tue May 12 2009 00:00 -!- multiverse [n=multiver@00121729f848.click-network.com] has quit ["Leaving"] 00:18 -!- jeiworth [n=jeiworth@189.163.185.70] has quit [Read error: 110 (Connection timed out)] 00:26 -!- albech [n=albech@119.42.76.84] has quit ["Leaving"] 01:06 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 01:06 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 01:20 -!- huslu [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has quit [Read error: 113 (No route to host)] 01:33 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 01:33 < onats> hai! 01:51 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 01:51 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 01:56 < dan__t> Hi. 01:56 < reiffert> hi 01:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:32 -!- theDoc [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)] 02:39 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has joined ##openvpn 02:40 < mRCUTEO> !redirect 02:40 < vpnHelper> mRCUTEO: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
02:40 < mRCUTEO> !def1 02:40 < vpnHelper> mRCUTEO: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 02:41 < mRCUTEO> !ipforward 02:41 < vpnHelper> mRCUTEO: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 02:41 < mRCUTEO> !winipforward 02:41 < vpnHelper> mRCUTEO: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 02:43 < mRCUTEO> !linipforward 02:43 < vpnHelper> mRCUTEO: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 02:43 < mRCUTEO> !topology 02:43 < vpnHelper> mRCUTEO: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 02:44 < mRCUTEO> !iporder 02:44 < vpnHelper> mRCUTEO: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 02:46 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has quit [] 02:46 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:54 < reiffert> watched Star Trek yet? 02:59 < krzee> schlong 03:07 -!- master_of_master [i=master_o@p549D669D.dip.t-dialin.net] has joined ##openvpn 03:16 < Bushmills> grin 03:17 < krzee> my osx86 box finally works!!!!! 
03:19 < krzee> <-- very happy 03:23 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 03:26 < Bushmills> non-apple hardware on which you got applesoft working? 03:28 < krzee> yes 03:28 < krzee> a dg35ec with a q9400, 8gb ddr2 667 ram, nvidia 9400GT 03:29 < Bushmills> nice 03:30 < krzee> hell ya man, im stoked! 03:33 < krzee> o and a 1.5TB sata2 drive 03:34 < Bushmills> what? not a scsi raid?? 03:36 < krzee> lol, no 03:36 < krzee> i dont even like scsi 03:36 < krzee> you can get 10k sata drives now 03:37 < krzee> scsi is too expensive $/gig 03:39 < Bushmills> interface speed or raw media transfer speed is not everything that matters. 03:42 < krzee> right, size does too 03:42 < krzee> and price 03:44 < Bushmills> scsi does have technical advantages. those also come to bear in multitasking environments 03:49 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 04:03 -!- c64zottel [n=hans@p5B17AE45.dip0.t-ipconnect.de] has joined ##openvpn 04:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)] 04:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 05:17 -!- tjz [n=tjz@bb219-75-13-49.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 05:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:44 -!- surya [n=surya@203.129.237.147] has joined ##openvpn 05:56 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Read error: 104 (Connection reset by peer)] 05:57 -!- frankS2 [n=frank@ti500720a080-0156.bb.online.no] has joined ##openvpn 06:07 -!- project2501a [n=gmarseli@msend2.ebuyer.com] has joined ##openvpn 06:24 -!- jeiworth [n=jeiworth@189.163.185.70] has joined ##openvpn 06:24 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 06:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined 
##openvpn 06:35 -!- tjz [n=tjz@bb121-6-114-207.singnet.com.sg] has joined ##openvpn 06:47 < ecrist> morning, folks 06:50 < theDoc> hello! 06:50 < dazo> morning 06:50 * theDoc has to make a note not to do sysadmin work while drunk:) 06:51 < theDoc> I locked myself out of a server in the US this morning:) 06:51 < ecrist> lol 06:51 < ecrist> that sucks 06:51 < theDoc> lol, thankfully it's a demo system and I got the guys to reinstall the box 06:55 < theDoc> ecrist: I'd like to point out some errors in your Cisco IOS wiki 06:55 < theDoc> :p 06:55 < ecrist> please do 06:55 < theDoc> Shift + Ctrl + 6 would kill the process, not shift + 6 06:55 < ecrist> better yet, correct them 06:55 < theDoc> err, control+6 does it 06:56 < theDoc> Err, fuck 06:56 < theDoc> Ctrl+6 doesn't do it. 06:56 < theDoc> It's ctrl shift 6 iirc 06:56 * theDoc slaps himself 06:56 < ecrist> so, I *was* correct? 06:56 < ecrist> o.O 06:56 < theDoc> Nono, wrong. 06:56 < theDoc> It's control shift 6. 06:56 < theDoc> You have control 6. 06:57 < ecrist> ah, could you correct it? 06:57 < theDoc> Do you mind if I make an account? 06:57 < ecrist> not at all 06:57 < theDoc> I don't profess to be a Cisco junkie but I could contribute a few HOW-TO's, since I'm labbing at home. 06:58 -!- frankS2 [n=frank@ti500720a080-0156.bb.online.no] has quit ["Konversation terminated!"] 07:05 -!- frankS2 [i=nobody@algorit.me] has joined ##openvpn 07:24 < theDoc> Has anyone ever tried to make openvpn work with Cisco ASA/PIX/Concentrator? 07:25 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 07:25 < muh2000> hi 07:25 < theDoc> 'sup man 07:27 < muh2000> when openvpn starts and the server freezes, what is most likely responsible for freezing it? the tun/tap module? suse9.3 07:27 < theDoc> muh2000: Your entire server locks up? 07:27 < theDoc> and you can't ssh in either or the process fucks itself? 07:29 < muh2000> theDoc: not mine, the server of an acquaintance... he said the complete server freezes. 
(i guess no ssh/login) sounded serious 07:30 < muh2000> openvpn runs rockstable on my boxes :D 07:30 < theDoc> muh2000: As far as I know, I've never seen such an issue, could quite possibly be a hardware issue? 07:32 < muh2000> theDoc: hmmm i dont think so, everything else is running fine. or maybe an issue with openvpn&the nic...? 07:32 < theDoc> muh2000: Highly unlikely. 07:32 < muh2000> ok 07:32 < theDoc> muh2000: What does dmesg throw up, if there's any possibility of doing a strace or something. 07:32 < theDoc> I'm not sure ;p 07:33 < muh2000> i am not at the box nor do i have contact with him right now. but since it froze i think there wouldnt be much possible doing dmesg. maybe tail -f kern.log at the next try on another terminal 07:34 < theDoc> Could be. 07:34 < theDoc> muh2000: I don't think openvpn would just break the box. 07:34 < muh2000> my advice to him was building openvpn from sources and upgrading ^^ 07:34 < theDoc> muh2000: or just do apt-get install openvpn-server 07:35 < muh2000> i think it is the tun module since it is the only "bigger" thing that gets moved into the system. 07:35 < muh2000> theDoc: suse doesnt have apt-get :D 07:35 < theDoc> muh2000: Is that some obscure NIC you are using? 07:36 < muh2000> not that i know of (not me, a friend of mine... but doesnt matter ) 07:37 < muh2000> are there any nics known to make trouble? 07:38 < theDoc> muh2000: I'd say that if that was the case, your OS would have problems as well. 07:38 < theDoc> Not just limited to openvpn 07:38 < muh2000> ok 07:39 < muh2000> my guess is that there is something wrong with the kernel. 07:40 < muh2000> well i know later maybe more. 07:40 < theDoc> Maybe with the tun module. 07:40 < theDoc> Yeah. 07:40 < muh2000> i gave him some advice i would do in such a situation - i am looking forward to how this plays out :) 07:40 < theDoc> Indeed. 07:41 < theDoc> I'm just waiting for my server to be rebuilt. 
07:41 < theDoc> I was screwing around today and guess what, I broke stuff ;) 07:41 < muh2000> LOL 07:41 < muh2000> hardware or software wise? 07:41 < theDoc> muh2000: I turned off ssh :) 07:42 < muh2000> rofl :D 07:42 < theDoc> muh2000: I'm in Singapore, my box is in US :) 07:42 < muh2000> no rescue boot system? 07:42 < theDoc> Stupid company wanted to charge me 110 USD to turn ssh on. 07:42 < theDoc> I told them to go fuck themselves and they can reinstall it for me for free. 07:42 < theDoc> Jesus christ. 07:42 < muh2000> lol 07:42 < theDoc> It's a demo/test system anyway 07:42 < muh2000> monit could help in such situations 07:43 < theDoc> muh2000: I wish there was something like, reload in 5. 07:43 < theDoc> Something like Cisco, where if you fuck up, the config doesn't save and it reloads in 5 mins :) 07:43 < muh2000> http://mmonit.com/monit/ 07:43 < vpnHelper> Title: Monit (at mmonit.com) 07:44 < muh2000> it can do a restart if a process isnt on. 07:44 < theDoc> Awesome. 07:44 < theDoc> muh2000: But to be honest, I was screwing around with webmin and I proceeded to royally fuckup after I messed with ssh stuff in a GUI :p 07:44 < theDoc> Proof that GUI's are evil. 07:44 < muh2000> word 07:45 < muh2000> never liked webmin or similar tools anyway :) 07:45 < theDoc> muh2000: I use this because it's a demo system and I have a colleague whom isn't an extreme console monkey working on it too. 07:45 < theDoc> Tried to make it easier for him. 07:45 < muh2000> hehe 07:45 < theDoc> First time ever, locking myself out ;p 07:45 < muh2000> :) 07:46 < theDoc> Now, I need to email goaddy to change my email address. 
07:46 < theDoc> How stupid ;p 07:46 < muh2000> lol 07:47 -!- surya [n=surya@203.129.237.147] has quit ["Leaving"] 08:11 < krzee> !win7 08:11 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 08:12 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn 08:56 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 08:59 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"] 09:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:12 -!- jeiworth [n=jeiworth@189.163.185.70] has quit [Read error: 110 (Connection timed out)] 09:23 -!- Ubuntuuuu [n=Roseenet@41.248.245.111] has joined ##openvpn 09:24 < Ubuntuuuu> i want to configure vpn 09:24 < Ubuntuuuu> , i have a 3com router with integrated firewall 09:24 < Ubuntuuuu> and an ubuntu server 09:24 < theDoc> epic, http://img17.imageshack.us/img17/4121/k4vsjpg.jpg 09:24 < theDoc> :) 09:24 < theDoc> nsfw. 09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:25 < Bushmills> i want a cup of tea 09:26 < Bushmills> i have a water kettle 09:26 < Bushmills> and a cup 09:26 < Bushmills> :P 09:30 < reiffert> get some tea at the supermarket 09:47 < Ubuntuuuu> i see that people here talk about food not vpn 09:47 < Ubuntuuuu> :( 09:48 < Ubuntuuuu> :s 09:51 < theDoc> We occasionally talk about .. other stuff ;p 09:53 < Ubuntuuuu> ok 09:53 < reiffert> Ubuntuuuu: your VPN question is? 09:54 < Ubuntuuuu> i want to configure vpn , i have a 3com router and an ubuntu server , 09:54 < reiffert> I want a cup of tea, I have a water kettle and a cup. 09:54 < reiffert> your VPN question is? 09:55 < reiffert> however: 09:55 < reiffert> !howto 09:55 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:55 < reiffert> start here. 09:55 < Ubuntuuuu> where will i configure vpn, in the router or in the server?? 09:56 < theDoc> Ubuntuuuu: On your server, router does routing. 
09:56 < theDoc> Unless you have something like a Cisco and you can run your site-to-site vpn via the router. 09:57 < Ubuntuuuu> i want to access my network via internet 09:57 < theDoc> Well, that doesn't make sense. 09:57 < theDoc> It's like saying, I want to download the internet. 09:57 < Ubuntuuuu> ok 09:58 < Ubuntuuuu> i dont have great knowledge , im just a student, ok thank you very much 10:00 < theDoc> Ubuntuuuu: Aren't we all students? ;) 10:01 < Ubuntuuuu> i don't know , ok no problem , thanks 10:01 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 10:12 -!- multiverse [n=multiver@209.147.120.138] has joined ##openvpn 10:12 < multiverse> Hi, I followed this tutorial - http://www.howtoforge.com/openvpn-server-on-centos-5.2 - to get openvpn working. I get: VERIFY ERROR: depth=0, error=unsupported certificate purpose - Here is my conf and logs: http://pastebin.com/de689c66 10:12 < vpnHelper> Title: OpenVPN Server On CentOS 5.2 | HowtoForge - Linux Howtos and Tutorials (at www.howtoforge.com) 10:13 < multiverse> I actually used CentOS 5.3 instead of 5.2. 10:21 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 10:30 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)] 10:31 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 10:36 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 10:41 < reiffert> multiverse: and here is the openvpn howto, including standard configs: 10:41 < reiffert> !howto 10:41 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:42 < reiffert> multiverse: please note that 1723 is the pptpd default port. openvpn runs on 1194. 10:43 < reiffert> multiverse: your client config requires you to use a client cert and key file. not the server one. 10:44 < reiffert> You'll get the idea, once you read the howto-paragraph about certificates. 
10:58 -!- throughnothing [n=will@74.205.24.229] has joined ##openvpn 11:03 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:09 -!- jeiworth [n=jeiworth@189.234.82.49] has joined ##openvpn 11:15 < ecrist> theDoc: I've added some content to the cisco page for backups, see if that's incorrect for me, please? 11:15 < ecrist> :) 11:25 -!- Ubuntuuuu [n=Roseenet@41.248.245.111] has quit ["Quitte"] 11:32 < multiverse> reiffert: thanks. Should I uninstall the openvpn I yummed from rpmforge? 11:35 < reiffert> multiverse: ask a guy that knows about your distribution. I do now. 11:35 < reiffert> now = not 12:08 < dazo> multiverse: which version of openvpn did you find there? 12:09 < dazo> multiverse: I know RHEL and Fedora ship openvpn-2.1_rc15, iirc ... so if you have that from rpmforge, I don't see any reason why to throw that one out 12:09 * dazo double checks RHEL 12:10 < dazo> RHEL - openvpn-2.1.0.29.rc15.el5 12:11 < dazo> (that is RHEL 5.3) 12:11 < dazo> (it's found in the EPEL btw) 12:19 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 12:26 < multiverse> dazo: I have openvpn-2.0.9-1.el5.rf installed 12:27 < dazo> multiverse: I would recommend you to track down the 2.1_rc15 package ... CentOS 5.3 should be able to handle RHEL 5.3 EPEL packages pretty well 12:28 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:32 < multiverse> dazo: is that release pertinent to the howto posted by reiffert? 12:34 < dazo> multiverse: well, 2.1 RC15 is quite a bit newer (and also just as stable) and also contains several bugfixes ... so running the latest version everywhere will help avoid some troubles 12:34 -!- rreyes [n=rodrigo@76-222-222-201.adsl.terra.cl] has joined ##openvpn 12:34 * dazo needs to drive and pick up wife ... back tomorrow 12:35 < rreyes> hi all... has anyone tried to use vpn for accessing a sonicwall NSA 2400 VPN? 12:36 < reiffert> yes. 
12:40 -!- viric [n=viric@62.57.137.96] has joined ##openvpn 12:40 < viric> Hello! 12:40 < viric> I'd like to use openvpn... 12:40 < viric> I have a machine with a public IP, which could run openvpn 12:40 < viric> And I have two machines, behind NAT, which should be in the same "network". I want them to connect to the public machine openvpn 12:41 < viric> with openvpn 12:41 < viric> Is it possible that the openvpn instance in the public machine doesn't put traffic into any tun or tap device? 12:41 < viric> I've seen "--dev null" as an option, but I don't understand if it's anything I'd need. 12:44 < Bushmills> viric, but you want the server to send and receive traffic through tun0, that's how the clients talk to the server 12:45 < viric> that's how the server talks with the rest of the network layer of the OS 12:45 < viric> as far as I understand. 12:45 < viric> The clients will have their tun device, sure. 12:46 < Bushmills> on both sides are tun devices. those act as virtual NICs, through those can server and clients have ip addresses in the same network 12:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:47 < viric> mmm 12:47 < viric> maybe I can simply set up UDP 'nat' in the public network 12:47 < viric> And then I don't have to run any openvpn program in the public server. 12:48 < viric> in the public *machine* I mean. 12:49 < Bushmills> sure, if that suits your cause 12:50 < rreyes> reiffert: Any advice on where to start? 12:50 < rreyes> any tutorial? 12:51 < Bushmills> on page 1? 12:51 < viric> Ok, I'll go for the iptables manual. 12:52 < rreyes> Bushmills: Funny... any tutorial on how to use vpn for accessing a sonicwall NSA 2400 VPN? 12:52 < viric> mmm no, that doesn't fit my case. 12:52 < viric> :( 12:52 < Bushmills> oh, ok. i read it as "any advice on where to start any tutorial" :D 12:52 < rreyes> Bushmills: :D 12:54 < viric> rreyes: there is a howto 12:55 < rreyes> viric: Really? Where can I find it? 12:56 < viric> for openvpn? 
12:56 < viric> http://openvpn.net/index.php/documentation/howto.html 12:56 < vpnHelper> Title: HOWTO (at openvpn.net) 13:00 < reiffert> rreyes: !howto 13:00 < reiffert> rreyes: start at the howto. 13:01 < viric> so 13:01 < viric> I think that what I want is some kind of udp forwarder, which I can't implement with iptables 13:02 < viric> If I knew how to search, whether anyone wrote that... 13:09 < reiffert> so .. what is it that you want? 13:13 < viric> I have two machines behind NAT 13:13 < viric> I want them to meet with openvpn, when one of them wants. 13:15 < viric> Additionally, I have a public machine available, but I don't want unencrypted traffic to go through it. 13:15 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 13:15 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 13:16 < viric> So I think of writing a program for the public machine which will forward data between two udp ports 13:16 < viric> The destination of those udp ports will be the address of the latest received packet. 13:17 < reiffert> I cant imagine what you are trying to establish... just too specific sentences. 13:17 < viric> machineA connects to the public machine udp port (where the 'forwarder' listens) 13:17 < reiffert> try to step away from examples. 13:17 < viric> machineB connects to the public machine udp port2 (where the 'forwarder' listens) 13:17 < viric> reiffert: ? 13:18 < reiffert> I cant follow you. 13:18 < viric> I've seen some nat-traversal programs... but none of the machines behind NAT have a firewall with a static public address 13:18 < viric> Mmm 13:18 < viric> Do you understand my problem, before trying to understand the only solution I thought of? 13:19 < viric> :) 13:19 < reiffert> no. 13:19 < viric> ok 13:19 < viric> I have two machines, behind NAT. The public address of both NAT firewalls isn't static. 13:19 < reiffert> I dont understand this. 13:19 < viric> oh. 
13:19 < Bushmills> viric, running openvpn on the public machine sounds pretty much like what you want. 13:19 < viric> Bushmills: the public machine isn't safe. 13:20 < Bushmills> (and set up the two peers as openvpn clients) 13:20 < viric> reiffert: what don't you understand? any word? 13:21 < viric> Bushmills: I don't trust the processes in the public machine 13:21 < viric> Bushmills: so I'd prefer there to be nothing unencrypted. 13:22 < reiffert> viric: I do understand the words: two, NAT, public address, firewall. I do not understand if those two machines are in the same subnet and so on. 13:22 < viric> reiffert: those machines are behind two different NAT machines, the internet being in the middle of the NAT firewalls 13:22 < reiffert> viric: now we come closer to what my crystal ball would have told me. 13:22 < viric> machine1 -- firewall -- internet -- firewall2 -- machine2 13:23 < viric> Sorry, I didn't mention the internet. 13:23 < reiffert> for me it pretty much looked like: 13:23 < viric> I want a vpn between machine1 and machine2. Same net, not the same subnet. 13:23 < reiffert> machine1 -- 13:23 < reiffert> machine2 |-- firewall 13:23 < reiffert> but however, machine1 -- firewall -- internet -- firewall2 -- machine2 13:23 < viric> ok, sorry. 13:24 < reiffert> two options: 13:24 < reiffert> take bushmills' advice, let the openvpn server run on an internet machine 13:24 < viric> I have a public machine in the internet, whose address doesn't change, and I don't trust its processes. 13:24 < reiffert> tell firewall1 to portforward udp/1194 to machine1 and let the openvpn server run on machine1. 13:25 < viric> reiffert: machine1 doesn't know the address of firewall2, and machine2 doesn't know the address of firewall1 13:25 < Bushmills> (doesn't comply with requirement " want them to meet with openvpn, when one of them wants.") 13:25 < viric> because the firewalls don't have static addresses 13:25 < reiffert> viric: solve this by using dyndns or similar. 
13:25 < reiffert> Bushmills: meet with whom? 13:26 < viric> and I may not have access to the firewall configuration 13:26 < Bushmills> was one stated requirement, further up 13:26 < reiffert> viric: have fun writing your whatever program. 13:26 < viric> yes. 13:26 < viric> :D 13:26 < Bushmills> but client can't initiate communication if server on the other end isn't online 13:27 < viric> Bushmills: fine. 13:27 < viric> Whenever a machine goes online, it should be reachable for any vpn. 13:27 < viric> I think I can achieve that with a user program forwarding udp packets. 13:27 < Bushmills> for *any* .. you're sure about that? 13:28 < Bushmills> such as "your vpn can be reached by mine when it is online" 13:28 < viric> for any "vpning", I mean. So if machine1 is up, machine2 should be able to start the openvpn. And also the other way round. 13:28 < Bushmills> do you have a lot of pr0n which i can download? 13:28 < viric> ? :) 13:28 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 13:29 < Bushmills> that's a new meaning of "vpn", namely "virtual public network" 13:30 < viric> I'd like it as if both machines are in the same net, through the interne. 13:30 < viric> internet. 13:30 < Bushmills> do reiffert's suggestion 2 13:31 < viric> It's like an ipsec tunnel configuration, but I simply don't know the remote addresses. But I have a machine, whose address I know, and it can be a forwarder. 13:32 < viric> Of the two firewalls... One of them, I cannot touch. The other, isn't always the same. As... it could be any firewall. 13:32 < Bushmills> put client behind the one you can't touch 13:32 < viric> connecting to what? 13:33 < Bushmills> to server on the other peer 13:33 < viric> the other peer is a mobile station, which can be behind some firewalls. 13:33 < viric> In the sense... not always the same firewall. 13:33 < viric> I could make it update a dyndns hostname. 
13:34 < Bushmills> get a trustworthy machine with a public ip address 13:34 < viric> but nevertheless... I don't think I can manipulate the other firewall. 13:34 < viric> Bushmills: :) ok 13:34 < viric> First I'll program a bit. I think I can get it working. 13:34 < viric> without trusting anything. 13:35 < viric> but my machines. 13:36 < Bushmills> run an encrypted tunnel through a tunnel. have the outer tunnel go through the public machine 13:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 13:37 < viric> ah, yes. 13:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 13:37 < viric> that can also work. 13:39 < viric> I don't know how to do that with openvpn.. 13:39 < Bushmills> i'd think of openvpn as the outer tunnel 13:40 < viric> and the inner? 13:40 < Bushmills> but what to use for inner tunnel, no idea. would have to look for something myself 13:40 < viric> ok. 13:40 < viric> ipsec would be fine. 13:40 < reiffert> or use a socks proxy 13:41 < Bushmills> probably something very simple should do 13:41 < viric> nowadays I'm using ssh tunnels with a socks proxy 13:41 < viric> but as that goes over TCP, it isn't very reliable. 13:41 < viric> moreover, given the good connection I have with my ISP. 13:41 < viric> I thought I could get it better with openvpn 13:42 < Bushmills> i might look at vtun, whether that's suitable as inner tunnel 13:42 < viric> ok. 13:43 < viric> thank you! 13:43 < Bushmills> np. gl. 13:43 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 13:43 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 13:52 < ecrist> Boats and Hos 13:53 < ecrist> Bushmills: tunnels in tunnels is bad, mmkay? 
13:54 < Bushmills> don't run openvpn over pppoe 13:54 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 13:55 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 13:56 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 14:01 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 14:01 -!- muh2000 [n=muh2000@pc010.whatismyipv6.info] has joined ##openvpn 14:06 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 14:06 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 14:07 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 14:14 -!- bandini [n=bandini@host75-104-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn 14:19 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 14:20 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 14:26 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 14:30 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 14:30 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 14:34 -!- project2501a [n=gmarseli@msend2.ebuyer.com] has quit [Read error: 60 (Operation timed out)] 14:41 < viric> Bushmills: I finally wrote the udp forwarder 14:41 < viric> it works fine 14:45 < freaky_t> is there any openvpn client for windows xp SP3? 
14:45 -!- Timpa [i=timpa@193.13.142.250] has quit ["Reconnecting."] 14:45 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 14:49 -!- jeiworth [n=jeiworth@189.234.82.49] has quit [Operation timed out] 14:51 < xattack> freaky_t: openvpn is supposed to work fine in all versions of windows 14:51 < freaky_t> no 14:51 < freaky_t> i mean the openvpn gui 14:52 < freaky_t> and openvpn 14:52 < freaky_t> it doesnt work with winxp SP3 14:52 < freaky_t> can anyone help me? 14:53 < xattack> freaky_t :which version of openvpn gui are you using ? 14:53 < freaky_t> http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe 14:53 < reiffert> use a recent openvpn. 2.0.9 is ancient. 14:54 < freaky_t> this is the current stable oO 14:54 < xattack> freaky_t :try this page http://www.openvpn.net/index.php/downloads.html 14:54 < vpnHelper> Title: Downloads (at www.openvpn.net) 14:55 < xattack> there's a couple of new versions which you can try 14:55 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 14:55 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 14:56 < freaky_t> ok thanks xattack 15:00 < freaky_t> xattack it also doesnt work. the user is missing many menu entries 15:00 < freaky_t> context menu entries 15:00 < freaky_t> in the openvpn guy 15:00 < freaky_t> gui 15:01 < xattack> freaky_t:now , which version are you using? 15:02 < xattack> ? 15:03 < freaky_t> http://www.openvpn.net/release/openvpn-2.1_rc15-install.exe 15:03 < freaky_t> the current development version 15:04 < freaky_t> xattack wait ill show u a picture 15:04 < freaky_t> im using windows vista btw for me it works just not for the friend with windows xp sp3 15:04 < freaky_t> www.cmaass.de/isaberso.JPG 15:04 < freaky_t> here 15:05 < freaky_t> that's how the client context menu looks 15:05 < freaky_t> he installed everything 15:06 < xattack> mmmm, does he have an administrator account on that computer ? 
15:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 15:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 15:07 < freaky_t> he has admin access but wait 15:07 < xattack> ok 15:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 15:09 < freaky_t> xattack the user as which hes installing openvpn has admin rights he says 15:09 < freaky_t> any other ideas? oO 15:10 < xattack> no , to be honest with you , i dont know , im using the same OS and the same SP and im not having problems with ovpn ..... .... 15:11 < krzie> !logs 15:11 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:11 < freaky_t> wait 15:12 < freaky_t> he says that when trying to install it says the tap device is incompatible im waiting for him to tell me the exact error message 15:12 < krzie> hes not in the channel? 15:12 < freaky_t> where is the log from the client? 
15:12 < freaky_t> no wait 15:12 < freaky_t> ill ask him to join 15:12 < xattack> ok 15:12 < freaky_t> hes not that good in english 15:13 < freaky_t> these are the errors: 15:13 < freaky_t> http://www.cmaass.de/openvpn.png 15:13 -!- Stone[t] [n=stone@pD9E672A2.dip.t-dialin.net] has joined ##openvpn 15:13 < freaky_t> hey Stone[t] ;D 15:13 < freaky_t> there he is 15:13 < freaky_t> oh Stone[t] that error is ok i think 15:13 < freaky_t> just click Installation fortsetzen 15:14 < Stone[t]> hi 15:14 < krzie> thats not errors 15:14 < freaky_t> yea 15:14 < krzie> thats just a picture of him needing to install the driver 15:14 < freaky_t> yea it says that the driver failed the windows compatibility test or whatever 15:14 < krzie> no shit, cause they didnt pay microsoft 15:14 < freaky_t> ok simply install it stone 15:15 < krzie> and why should they 15:15 < freaky_t> yea ;D 15:15 < krzie> just install it 15:15 < freaky_t> he has reinstalled openvpn several times now 15:15 < freaky_t> krzee do u think theres anything in the client logs? 15:15 < krzie> how would i know? 15:16 < krzie> from what ive seen he hasnt even tried to run it, and i dont read minds 15:16 < freaky_t> maybe u've seen his pic http://www.cmaass.de/isaberso.JPG there is almost nothing listed in the context menu of the openvpn gui 15:17 < freaky_t> no connect or whatever 15:17 < freaky_t> so i thought maybe the gui cant find openvpn 15:17 < freaky_t> but he said he installed everything from the installer 15:17 < freaky_t> Stone[t] can you find any logs?
15:17 < xattack> freaky_t:usually logs are in the directory where openvpn is installed 15:17 < Stone[t]> one moment 15:17 < freaky_t> Stone[t] the logs should be in the openvpn directory 15:17 < freaky_t> xattack ok thanks hes looking for it 15:18 < Stone[t]> no errorlogs 15:18 < xattack> fille tanke 15:19 < freaky_t> ok he cant find error logs 15:19 < freaky_t> :((( 15:19 < xattack> mmm , so no error logs ..., could he paste the complete path where he looked for those logs , please? 15:20 < freaky_t> Stone[t] you're supposed to tell us the complete path where you're looking for the logs 15:20 < Stone[t]> \OpenVPN\log \OpenVPN 15:20 < Stone[t]> and in all other folders... 15:20 < freaky_t> Stone[t] the complete path 15:20 < Stone[t]> C:\Programme\OpenVPN... 15:21 < freaky_t> ok 15:21 < xattack> ok 15:23 < freaky_t> so any ideas? :\ 15:25 -!- bandini [n=bandini@host75-104-dynamic.45-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 15:25 < xattack> well mmmmmm, i guess the problem is in your system, you could try to install it in the windows safe mode and see what happens , but that's not a solution at all , i mean as i told you i have at this moment the same platform and version as your friend and it's working fine , may be something in your windows get fu****d .......may be reinstalling it (the OS) or you can try ms tech support in order to verify that all is working fine in your OS 15:25 < xattack> ...but that guys always lacks! 15:26 < xattack> good luck...see ya 15:26 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:26 < Stone[t]> hm...
15:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:43 -!- Stone[t] [n=stone@pD9E672A2.dip.t-dialin.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 15:48 < multiverse> reiffert: thanks for the help, I got it working 15:48 < multiverse> dazo: thanks for the help, I got it working 15:52 < freaky_t> ok i think we'll not use openvpn 15:52 < freaky_t> because nothing is working and im trying since 1 week 15:53 < freaky_t> thank you for all your help ;D 15:53 < krzie> im still waiting for someone to actually say what the problem is 15:53 < krzie> lol 15:53 < krzie> but that works too 15:54 < freaky_t> i have thousand of problems 15:55 < freaky_t> samba doesnt work 15:55 < freaky_t> my friend cant connect to the vpn 15:55 < freaky_t> i dont understand why im getting some subnet mask 15:55 < freaky_t> it says dhcp server is at 10.8.0.5 but i dont run any dhcp server 15:55 < krzie> samba is not openvpn related 15:55 < freaky_t> 10.8.0.5 is also not pingable 15:55 < krzie> for why its .5 you need to understand !/30, it is doing exactly what it should 15:55 < krzie> it should NOT be pingable 15:56 < reiffert> :) 15:56 < krzie> its internal, and can be done differently if using 2.1 by reading !topology 15:56 < freaky_t> krzee i cant see anyone in the network 15:56 < krzie> and for why he cant connect, i still havnt seen any logs 15:56 < freaky_t> he doesnt have any logs 15:56 < freaky_t> look at the picture! 15:56 < krzie> thats cause your wins isnt setup right, i remember saying that many times now 15:56 < krzie> fuck the picture 15:57 < freaky_t> at the picture there is no Connect menu entry 15:57 < krzie> tell him to enable logging then 15:57 < freaky_t> how should anything be logged 15:57 < freaky_t> krzee and i dont know how to set up wins 15:57 < krzie> LOL, windows users 15:57 < freaky_t> if its not working 15:57 < krzie> "it doesnt say connect, what do i do!?" 
15:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 15:57 < freaky_t> it has NO entries. only about and quit. 15:58 < krzie> it doesnt say connect cause his config isnt in the right place with .ovpn file extension 15:58 < freaky_t> my openvpn has connect/edit config/show status etc. 15:58 < freaky_t> that's missing and it seems like openvpn gui doesnt find openvpn maybe that's why all the entries are missing 15:58 < krzie> maybe because the files arent in the right places with the right file extension, like i just said 16:00 < freaky_t> and even if he can connect we still can't see each other on the network. i let samba run as WINS and set WINS server to 10.8.0.1 on my network card options (client) if i then try to ping "master" which should be the netbios name of the server it starts pinging some server at gts7.westmaster.com if i then set the network card to be private network on it it pings a IP of my server but not the main 16:00 < freaky_t> IP where the openvpn server listens 16:01 < freaky_t> also the network card isnt private per default i need to manually set it every time 16:02 < krzie> "network card isnt private per default" 16:02 < krzie> huh? 16:02 < freaky_t> the network behind it 16:02 < krzie> i have no clue what you're saying 16:02 < freaky_t> in windows vista at the network center where u see all your connections it says the network behind the openvpn adapter is public - when i change it to private it pings some other ip of my server 16:03 < krzie> oh lol 16:03 < krzie> vista is so gay 16:03 < krzie> im way glad ive never had to use it 16:03 < krzie> and i never will 16:03 < krzie> hey reiffert you here? 16:03 < freaky_t> :( 16:11 < reiffert> playing with my PCI Wifi card 16:12 < krzie> werd 16:12 < krzie> i got my osx86 box up, very happy =] 16:12 < krzie> turns out i needed an external vid card 16:12 < reiffert> successfully managed to make it play as WPA client. 16:12 < krzie> nice, wpa_supplicant? 
16:12 < reiffert> yeah, after some driver hell in the linux kernel 16:13 < krzie> patched it up for reinjection? 16:13 < reiffert> as you might know they were changing all wifi API's three times in the last couple of month 16:13 < reiffert> dunno yet, thats the next thing on my list 16:13 < freaky_t> krzee u were right it was .ovpn i forgot to tell him that he has to change it from .conf 16:13 < krzie> werd, you used aircrack before? 16:15 < krzie> reif, if not feel free to ask me if you get questions after you get all patched up 16:16 < krzie> i used to help a lil in their chan 16:16 -!- znh [n=znh@unaffiliated/znh] has joined ##openvpn 16:16 < znh> Hello lads :) 16:16 < krzie> i dont really help with that anymore, but would be happy to help you of course 16:16 < reiffert> aircrack before, configuring the WEP and open Accesspoints around my place, so that I have a free Wifi CHannel. 16:16 < krzie> nice 16:16 < znh> I'm using OpenVPN (server: win2k3) and experiencing high latency with protocols such as IRC. 16:17 < krzie> oh and reif, you have experience with bc relays right? i think freaky_t could use help with making one instead of using wins if you do 16:17 < krzie> znh, 16:17 < krzie> !configs 16:17 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:17 -!- jeiworth [n=jeiworth@189.163.140.114] has joined ##openvpn 16:17 < reiffert> bcrelay -i eth0 -o tun0 16:17 < reiffert> bcrelay -o eth0 -i tun0 16:17 < freaky_t> reiffert when do i have to execute that? 16:17 < reiffert> when eth0 and tun0 is up 16:18 < freaky_t> so it automatically does that 16:18 < znh> krzie, i'd rather not. My photo memory can answer all your questions :) 16:18 < freaky_t> do i have to do it after every reboot? 
16:18 < krzie> znh, well hopefully it can guess my questions too, cause i dont feel like asking them all 16:19 < krzie> but basically, make sure you're using udp, with compression, and check your MTU and make sure you dont have MTU settings messing anything up 16:19 < krzie> and good luck =] 16:20 < reiffert> doh 16:20 < reiffert> Authentication with 00:24:fe:01:bc:1f timed out. 16:20 < reiffert> Association request to the driver failed 16:20 < krzie> locked to the chan? 16:20 < reiffert> but it was working minutes ago ... 16:20 < reiffert> bound to 192.168.179.25 -- renewal in 375469 seconds. 16:20 < krzie> i believe thats done with iwconfig 16:21 < reiffert> wlan0 IEEE 802.11bg ESSID:"breadboard" 16:22 < znh> I love the SSID 16:22 < freaky_t> reiffert how do u run these commands? i mean did u put them in some file to automatically start the relaying? 16:22 < reiffert> freaky_t: I were using them when playing around on pptp, so a totally different piece of vpn software 16:22 < krzie> freaky_t, test them manually, if it works how you want run them in an up script 16:22 < reiffert> do as krzie says 16:23 < krzie> reiffert, does he only need that on the server? 16:23 < reiffert> good question. 16:24 < reiffert> Associated with 00:24:fe:01:bc:1f 16:24 < reiffert> WPA: Key negotiation completed with 00:24:fe:01:bc:1f [PTK=CCMP GTK=TKIP] 16:24 < reiffert> CTRL-EVENT-CONNECTED - Connection to 00:24:fe:01:bc:1f completed (auth) [id=0 id_str=] 16:24 < krzie> woohoo! 16:24 < freaky_t> ok ill test it now 16:24 < reiffert> http://snap.reifferscheid.org/1242163470.png 16:25 < reiffert> bound to 192.168.179.25 -- renewal in 335713 seconds. 16:25 < reiffert> doesnt look that stable to me. 16:26 < reiffert> now I'm online via WPA wifi 16:26 < viric> How do you usually start openssh for it to rest in background? 16:26 < viric> openvpn I mean 16:26 < krzie> openssh? 
16:26 < reiffert> sshd & 16:26 < viric> :) 16:26 < krzie> ahh 16:26 < krzie> --daemon or put daemon in the config 16:26 < viric> as non root? 16:26 < krzie> you MUST start openvpn as root 16:26 < viric> really? 16:26 < krzie> you can drop privs after 16:27 < viric> mmm 16:27 < krzie> it adds routes and changes if stuff 16:27 < viric> ah yes for the routes. 16:27 < krzie> and to set ips and whatnot... 16:27 < viric> right. 16:27 < freaky_t> im running both bcrelay commands atm. how do i test if it works? ping master says it cant find host. and trying to access \\10.8.0.1\\ also doesnt work 16:27 < viric> ok. 16:27 < krzie> and hopefully to read your keys, which should only be readable by root... 16:27 < viric> :) 16:28 < freaky_t> i can connect to a friend 16:28 < viric> ok. 16:28 < reiffert> Now I switched from psk="plaintext" to psk=whatwpa_passphrase puts out, and it associates with the AP within milliseconds. 16:28 < viric> openvpn won't die unless something very bad happens, right? 16:28 < reiffert> allright, time to hack the neighbour-LAN, I saw his WPA password last time on his router. 16:29 < viric> so I can simply start it once at the boot scripts 16:29 < krzie> catching the 4-way handshake can be a PITA 16:30 < krzie> but its easy to do, just need really good signal and a few tries 16:30 < reiffert> krzie: I already saw his password. 16:30 < reiffert> krzie: after some disassoc requests and some time you'll pretty soon get the 4 data packets. but what follows is just password attack 16:30 < freaky_t> if i have server 10.8.0.0 255.255.255.0 in the server.conf ... i get 10.8.0.6 and a friend gets 10.8.0.14 ... are we in different subnets? i dont think so? oO 16:31 < freaky_t> windows file sharing should work or? 
16:31 < krzie> right but you said you wanna hack it, makes me think you mean you wanna capture his 4-way handshake and put his PW in your brute force dict file 16:32 < reiffert> I should gain access to his wifi, his LAN will be the next target 16:34 < reiffert> WPA: 4-Way Handshake failed - pre-shared key may be incorrect 16:34 < reiffert> hrmn 16:34 < reiffert> CTRL-EVENT-CONNECTED - Connection to 00:0c:f6:21:64:c9 completed (auth) [id=0 id_str=] 16:34 < krzie> once you have his wifi you have his LAN 16:34 < krzie> just poison the arp cache 16:34 < reiffert> 23:34:40.224435 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28 16:34 < reiffert> 23:34:41.554164 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28 16:35 < krzie> then run some driftnet for fun ;] 16:35 < reiffert> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=3.07 ms 16:35 < krzie> watch every image go over his network on the fly ;] 16:35 < krzie> then you can play with cookie theft and whatnot if you like 16:36 < krzie> plenty of fun to be had, lol 16:36 < freaky_t> krzee doesnt work the bcrelay :( 16:37 < krzie> sux 16:39 < freaky_t> !wins 16:39 < vpnHelper> freaky_t: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 16:41 < viric> --daemon works well. Thanks :) 16:41 < krzie> yw 16:42 < viric> reiffert: here is the udp forwarder I use. It works great: http://nopaste.org/p/aLJvvzbj5 16:42 -!- megaflow [n=multiver@209.147.114.155] has joined ##openvpn 16:43 < freaky_t> brb restart 16:49 < freaky_t> krzee to let this bcast work, do i have to disable the wins server? 16:49 < freaky_t> or can it still run? 
16:50 < krzie> back to me having never ran wins, or a bc relay 16:50 < krzie> i dont use windows * 16:50 < krzie> including filesharing 16:50 < freaky_t> ok :}\ 16:50 < freaky_t> :\ 16:50 < freaky_t> sorry 16:50 < freaky_t> ^^ 16:51 -!- multiverse [n=multiver@209.147.120.138] has quit [Read error: 110 (Connection timed out)] 16:53 < reiffert> viric: looks sane. 16:54 < reiffert> viric: nah, it doesnt. 16:54 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 16:54 < reiffert> put lines before the for loop: 16:54 < reiffert> int res; 16:54 < reiffert> FD_ZERO(&readfds); 16:54 < reiffert> FD_SET(s1, &readfds); 16:54 < reiffert> FD_SET(s2, &readfds); 16:55 < reiffert> just the FD_ZERO, FD_SET ones. 16:55 < reiffert> add some error checking on bindport() 16:59 -!- baby_jeebus [n=multiver@209.147.120.138] has joined ##openvpn 16:59 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn 17:01 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 17:06 -!- megaflow [n=multiver@209.147.114.155] has quit [Read error: 110 (Connection timed out)] 17:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 17:09 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit] 17:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:15 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 17:22 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 17:22 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:29 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 17:29 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:39 -!- c64zottel [n=hans@p5B17AE45.dip0.t-ipconnect.de] has quit ["Leaving."] 17:39 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 17:42 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the 
connection] 17:42 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:47 < feinoM> !redirect 17:47 < vpnHelper> feinoM: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 17:48 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 17:48 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:56 -!- jeiworth [n=jeiworth@189.163.140.114] has quit [Read error: 110 (Connection timed out)] 18:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:13 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:13 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:19 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:19 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 18:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:49 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:49 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 19:10 -!- epaphus [n=unix3@190.10.68.227] has quit [Read error: 110 (Connection timed out)] 19:11 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has quit [Remote closed the connection] 19:12 -!- Delf [n=Eldkraft@36-171-96-87.cust.blixtvik.se] has joined ##openvpn 19:14 -!- Delf1 [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has joined ##openvpn 19:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 19:32 -!- Delf [n=Eldkraft@36-171-96-87.cust.blixtvik.se] has quit [Read error: 110 (Connection timed out)] 19:39 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has 
joined ##openvpn 19:40 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 19:40 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn 19:44 -!- baby_jeebus [n=multiver@209.147.120.138] has quit ["Leaving"] 19:58 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 19:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 20:05 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 104 (Connection reset by peer)] 20:06 -!- Delf1 is now known as Delf 20:14 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:22 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:22 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 20:22 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 20:27 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 20:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 20:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 20:41 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 20:46 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 20:51 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 20:52 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 20:57 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 22:03 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Connection timed out] 22:17 < theDoc> Question guys, what does this directive do? crl-verify keys/crl.pem 22:17 < krzie> !man 22:17 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
22:20 < theDoc> hehehe 22:39 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has joined ##openvpn 22:39 < mRCUTEO> hiya all 22:45 -!- Stanlin1 [n=steelgun@89.250.5.159] has joined ##openvpn 22:45 < Stanlin1> HALP!!! 22:46 < Stanlin1> how to get the list of the sessions that are open? 22:47 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has quit [] 22:49 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn 22:57 < theDoc> Stanlin1: Try /etc/openvpn/openvpn-status or something :) 22:58 < Stanlin1> theDoc: thank you doctor 22:58 < Stanlin1> ill try now 22:59 < krzie> theres also a signal to update the status file 22:59 < krzie> theres also a management interface you can telnet into if you set it up 23:01 < Stanlin1> cat: /etc/openvpn/openvpn-status.log: Permission denied 23:01 < krzie> be root 23:01 < krzie> or use sudo 23:01 < Stanlin1> krzie: what is that management tool? 23:01 < Stanlin1> yeah, i can be root, but i need to delegate to normal users 23:02 < krzie> its not heavily documented, but its in the manual 23:02 < krzie> and its CLI only 23:02 < theDoc> Stanlin1: chmod 744 23:02 < theDoc> is your friend. 23:02 < krzie> why would you need normal users to see the status file? 23:03 < Stanlin1> krzie: i want a normal user, to connect to a remote client, however he doesnt know the remote client opened in the VPN server, how he can know the current list of IP's available for connection? 23:04 < theDoc> Stanlin1: Why should he know? 23:04 < theDoc> You can configure an available pool of ip's for use. 23:04 < theDoc> ccd is your friend too. 23:05 < Stanlin1> well the remote user opened an OpenVpn connection to the ServerA, now the user in ServerA wants to SSH into the remote computer? 23:06 < Stanlin1> openvpn opened a session with an ip like 10.9.4.45 to the serverA, the user on ServerA needs to SSH 10.9.4.45, but the problem is, how does he know that ip? 23:06 < theDoc> Stanlin1: Why don't you look into reverse ssh for that?
23:06 -!- albech [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)] 23:06 < krzie> !static 23:06 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 23:06 < krzie> machines that will be connected to should have static ips 23:07 < krzie> kinda like in your home or office network 23:07 < theDoc> krzie: I run dhcp everywhere :p 23:07 < Stanlin1> but i cant use static, many users will connect at the same time, generating random ips 23:07 < theDoc> Stanlin1: How many users? 23:07 < krzie> umm 23:07 < Stanlin1> 100 at the same time, from everywhere 23:07 < krzie> that doesnt matter 23:07 < krzie> its not based on when 23:07 < krzie> its based on who 23:08 < krzie> bbl 23:08 < Stanlin1> so how does the ServerA operator know the 100 ip's? 23:08 -!- albech_ [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)] 23:11 < theDoc> Sorry, was sending out emails about ospf fucking up ^^; 23:11 < pekster> Personally I'd look at either static IPs for each CN connecting (not sure if that's based on the cert or auth user in your case), or do something like create a *.vpn.yourcompany.com DNS subdomain that the VPN server owns and have it update records when clients connect, so like jdoe.vpn.yourcompany.com resolves to that client's IP 23:13 < Stanlin1> mhhh, i just need something like 23:13 < Stanlin1> what is the name of the CLI for openvpn? 23:13 < pekster> "the CLI" ? 23:14 < Stanlin1> ermm.. okey... 23:14 * Stanlin1 types cli ..... waits.... nothing happens 23:15 < pekster> What are you referring to when you ask for the CLI for openvpn? My openvpn is at /usr/sbin/openvpn since it was compiled to go there. Or do you mean the management interface over telnet? 23:15 < Stanlin1> well im looking for anything at /usr/sbin as normal user....
nothing showing up 23:16 < pekster> On a Unix-like system I presume? By convention binaries are owned by root:root, and usually have mode 755 so anyone can run them 23:16 < Stanlin1> centos 23:16 < Stanlin1> ok found it 23:16 < pekster> 'which openvpn' should help there 23:17 < Stanlin1> found it /usb/sbin/openvpn --list-connections 23:18 < Stanlin1> dang no such option 23:18 < Stanlin1> what is the option to get the connections list 23:19 < pekster> There is none. If you have set your configuration to generate a status file you can find a list of active connections in that file, or if you have the management interface enabled you can telnet to it and query the connections that way 23:20 < pekster> Or you can send a SIGUSR2 to the openvpn process and it will send the status output to the logging facility as configured in the openvpn configuration (and potentially sending it to your system logger unless you redirected output to a file) 23:20 < pekster> All of which is described very well in the manpage 23:20 < Stanlin1> ok ill figure out 23:20 < Stanlin1> i guess 23:21 < Stanlin1> chmod 744 23:21 < pekster> Try searching for the --status option, the text "SIGUSR2" or the --management options for starters 23:21 < pekster> (in the manpage, in case that wasn't clear) 23:21 -!- slestak [n=sromanow@c-71-205-162-193.hsd1.mi.comcast.net] has joined ##openvpn 23:22 < pekster> And executables are usually 755 so that people other than root may run them 23:22 < pekster> Otherwise _only_ root will be able to run them (or whoever the owner is) 23:26 < theDoc> Hmm, this is odd 23:26 < theDoc> ooo. 23:26 < theDoc> It's half working 23:26 < theDoc> hmac issues 23:26 < theDoc> >_> 23:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 23:31 < slestak> does this sound like an appropriate use for openvpn? i cannot vpn (cisco ssl vpn) from favorite wifi spot to work because of ip conflict. but i can from home. 
can i use openvpn to route from wifi spot to home, bring up cisco vpn from home to work? 23:33 < theDoc> I'm wondering if I should implement HMAC for openvpn. 23:33 * theDoc frowns. 23:34 < pekster> slestak: That would work, sure. Or talk the admin at the office into using a different IP range less likely to conflict with public wifi 23:35 < pekster> theDoc: HMAC issues? Unless you're willing to trade authenticity for a resolution to your problem turning it off is usually a Bad Idea 23:35 < slestak> pekster: the range that conflicts is our largest division, i think i'll get plenty of kickback 23:35 < pekster> Yea, I sort of figured 23:36 < pekster> Your other option would be a VM or something, so your VM doesn't conflict with the wifi even though your host does 23:36 < theDoc> pekster: I rent out anonymous vpn tunnels. 23:36 < slestak> i thought about that, but i use a netbook most of the time 23:37 < theDoc> pekster: I'm saying that because I'm wondering if it's too much of a hassle to be sending out ta.key files to people. 23:38 < slestak> might still be an idea, the vm. wonder if kvm would work on this atom processor 23:38 < pekster> Oh, you're talking the extra authentication - yea, I don't bother with that generally given the hassle, and it's really only useful to prevent DDoS (in which case that's not the proper solution anyway) or if you want protection in case the cipher you use is cryptographically compromised 23:38 < theDoc> Yeah, I was talking about that extra rubber padding. 23:39 < theDoc> Which would actually be too much of a bloody hassle if you ask me. 23:39 < pekster> Indeed. And I don't see the point (except perhaps to reduce the pMTU, which is a negative point IMHO) 23:39 < theDoc> I don't reckon you can make openvpn work without the ca.crt file eh? 23:40 < pekster> Not unless you use static (non-TLS) encryption, and then you only get 2 hosts and no perfect-forward-secrecy 23:40 < theDoc> Yeah, that's a bitch.
23:40 < theDoc> I'll force a roll out of ca.crt. It's just one fucking file anyway. Clients with a clue can deal with it ;p 23:40 < pekster> You can get by without client keypairs if you have a user-auth-pass script, although then you're trusting that authentication with your network access 23:41 < theDoc> pekster: I use that. It's really too much of a hassle for end users to be using certs and stuff, when half of them don't even know what it's for. 23:41 < theDoc> ;( 23:41 < theDoc> So the easy way out would be to use a user/pass. 23:42 < pekster> If you already have the authentication infrastructure (Active Directory, RADIUS, LDAP, whatever) in theory it's all logged & audited there too, not that an audit does much good after some idiot used p@ssw0rd as the credentials 23:43 < pekster> Strong passwords, good social policies, employee training, and required password changes can help there 23:44 < pekster> Technical limits sort of help, but take the Active Directory "complexity requirements" - the password "Password1" meets those as it has upper/lower/number (no need for a symbol since you have the other 3 categories) 23:44 < pekster> Clearly social policies are also important to prevent that 23:44 < theDoc> Indeed. 23:44 < theDoc> pekster: Security is all encompassing. 23:45 < theDoc> It's not just big evil passwords 23:45 -!- slestak [n=sromanow@c-71-205-162-193.hsd1.mi.comcast.net] has left ##openvpn [] 23:47 < pekster> Sure, but evil-doers take the easy way out. Why break into a safe when someone will happily give you the combination if they think you're there to help. Humans are frequently the weakest element, and thus security systems need to be designed with that in mind. Such is the danger of using --client-cert-not-required with OpenVPN, although it does save headache deploying, installing, and maintaining employee certs 23:48 < theDoc> pekster: Unfortunately, that's the case.
23:49 < theDoc> pekster: There has to be a trade off between usability and security. 23:51 < Stanlin1> dammit openvpn aint working 23:52 < Stanlin1> oh this is ridiculous 23:52 < Stanlin1> i cant SSH if im not a root 23:53 < theDoc> Hm, anyone know where the openvpn config file is stored in gnome-network-manager? 23:53 < pekster> Perhaps ##linux or #centos would be better suited to that 23:53 < Stanlin1> lol i can 23:53 < Stanlin1> sorry im the idiot one 23:54 < Stanlin1> it was ssh root@windows7.storage.microsoft.com 23:54 < Stanlin1> i forgot to add, "root" 23:54 < pekster> theDoc: Heh, a co-worker who uses Ubuntu spent quite a while hunting that down; IIRC there's some config buried in the gnome configuration file that you can access with gconfmanager or whatever it's called 23:55 < theDoc> Jesus :p 23:55 < pekster> TBH I think NetworkManager can rot and be eaten by crows, especially for the crappy OpenVPN support, but if you get it working all the better 23:56 < theDoc> pekster: Yeah, I'm not sure why it refuses to read from /etc/openvpn/client.conf 23:56 < theDoc> :) 23:56 < pekster> It uses its own leet configuration 23:56 < pekster> Almost as bad as using a registry under "other" OS's 23:56 < theDoc> Yeah, this is a horror. 23:56 < pekster> Try a search for openvpn in the gnome configuration manager app and that should get you started anyway 23:57 < pekster> Or just go back to using a terminal :P 23:57 * pekster likes his '/etc/init.d/openvpn.home start' syntax 23:57 < theDoc> lmao, I just want to click my way through this. 23:57 < theDoc> pekster: Since this is like, making it work for end users, I wouldn't expect a single one of them to find their way around a console.
23:58 < Stanlin1> thank you guys, have a lovely evening
23:59 < pekster> Or just write a wrapper that uses python or something to draw a user/password prompt and feed it to the openvpn process
--- Day changed Wed May 13 2009
00:00 < pekster> Add 2 buttons to the window-manager app bar for "connect" and "disconnect" and call it good
00:00 < theDoc> pekster: I'm no programmer :p
00:06 < pekster> Google can probably give you what you need for a simple user: password: prompt, and then just write it to /dev/shm or somewhere sane, chmod 600, feed it to openvpn via the --auth-user-pass option and then destroy it
00:07 < pekster> Time for me to grab some sleep. Good luck!
00:45 -!- Stanlin1 [n=steelgun@89.250.5.159] has left ##openvpn []
01:03 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn
01:24 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
01:24 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
01:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
01:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
01:41 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
01:42 < dan__t> Hi.
01:42 < dan__t> Welp, it's been fun.
01:43 < reiffert> moin
01:43 < dan__t> I appreciate all your help, especially you krzie and reiffert and ecrist
01:43 < dan__t> Looks like this customer decided to stop funding my project.
01:44 < dan__t> I just moved, so I'll need a bit to find all my code and assemble it, but I'll hand it over to you all shortly.
01:44 < theDoc> dan__t: Which project is it?
01:45 < dan__t> eh automated generation of a pre-packaged Windows installer of OpenVPN
01:45 < theDoc> ah.
01:45 < dan__t> Taking the Windows source, rebuilding it with nsis while incorporating a configuration and tls keypairs
01:45 < dan__t> well, key, rather.
01:45 < theDoc> How much funding were you getting? I could help fund it to keep it going ;p
01:45 < dan__t> Nothing fancy, but there's some neat SQL stuff in there.
01:46 < dan__t> Wasn't so much the money, but the market to sell this service to
01:46 < dan__t> And to be honest I don't think OpenVPN is the most appropriate tool for it.
01:47 < theDoc> dan__t: I think one of the biggest issues which I face as a vpn provider for end users is the whole package which they have to deal with.
01:47 -!- master_of_master [i=master_o@p549D669D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:48 < dan__t> Yea... the idea is solid from a technical perspective. Almost.
01:48 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
01:48 < dan__t> But expecting people to install some software on their machine to use said service kind of kills the idea.
01:48 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
01:48 < theDoc> dan__t: Some people can deal with it, others don't.
01:48 < dan__t> Exactly.
01:49 < dan__t> Too bad though, I fucking love OpenVPN.
01:49 < dan__t> Amazing piece of software for sure.
01:49 < theDoc> dan__t: In fact, most end users don't want to install another software. Well, those who know the value of the vpn will use it, those who don't, simply don't.
01:49 -!- master_of_master [i=master_o@p549D2EF4.dip.t-dialin.net] has joined ##openvpn
01:49 < theDoc> It's pretty much like teaching people how to setup home-based routers.
01:49 < theDoc> Some people just can't do it.
01:50 < dan__t> Yes exactly - the people who understand the value of installing it.
01:50 < dan__t> Yep.
01:50 < theDoc> I'm getting quite ticked off with this customer.
01:50 < dan__t> What kind of business are you in, if you don't mind me asking?
01:50 < theDoc> They want a revamp of their network but they want me to justify buying a Cisco.
01:50 < dan__t> You provide this as a service?
01:50 * theDoc shakes a fist.
01:50 < theDoc> dan__t: Yep.
01:50 < theDoc> dan__t: on-demand vpn service. no logs, nothing.
01:51 < theDoc> You come in, pop your stuff, throw me the cash and off you go.
01:51 < theDoc> It's a don't ask, don't tell approach.
01:52 < dan__t> Understood.
01:52 < dan__t> Which geographical markets?
01:53 < theDoc> dan__t: asia for now.
01:53 < dan__t> Very nice.
01:53 < theDoc> The EU/US markets have their own ipvpn providers. I don't have to be there.
01:53 < dan__t> Mind me asking what your pricing model is?
01:53 < theDoc> dan__t: Sorry, :p I'd have to pass on that.
01:53 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
01:53 < dan__t> Understood.
01:54 < dan__t> adito looked pretty neat.
01:54 < theDoc> dan__t: I wouldn't say it's used for nefarious purposes, it's just really, would you want your details to be floating on public networks?
01:54 < dan__t> If it wasn't a wrapped-up piece of shit.
01:54 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
01:54 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
01:54 < theDoc> dan__t: I somehow dislike ssl-browsers which claim to be vpns.
01:55 < dan__t> I had nothing but good experiences with the Juniper VPN.
01:55 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
01:55 < dan__t> Do you know of any others such as that?
01:56 < theDoc> Not really.
01:56 < theDoc> Cisco VPN is a total mess.
01:56 < theDoc> I'd avoid those.
01:56 < theDoc> What I would be interested in would be running my own mplsvpn network which carries a multitude of vpn traffic over it
02:03 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
02:03 < dan__t> Yeah that would be pretty rad.
02:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:04 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
02:04 < theDoc> I wonder if I were to try to build something like that, how fast would it be before everyone starts screaming their heads off and yelling, ZOMG! CHILD PORN NETWORK!
02:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
02:07 < krzee> CHILD PORN NETWORK
02:07 < theDoc> I believe the stigma of vpn's in the common man's eye is that it's probably going to be used for nefarious means like child porn.
02:07 < theDoc> See, I told you.
02:07 < theDoc> >:)
02:07 < krzee> see, i disagree
02:07 < krzee> i dont think the common person thinks that
02:07 < dan__t> haha
02:07 < krzee> just the media / gov
02:07 < theDoc> krzee: Tell that to the common man in the parliament ;p
02:07 < krzee> exactly
02:07 < theDoc> If we can't see what you send, it MUST be child porn!
02:08 < krzee> they dont have that thought because they are common men, they have them because they're the gov
02:08 < dan__t> idunno, either way, I'm done.
02:08 < dan__t> heh
02:09 < krzee> done with what dan
02:12 < theDoc> All that media hype.
02:12 < theDoc> The most I can see is that the vpn is abused to bypass government filters
02:13 < krzee> but thats not new
02:13 < krzee> so can socks, ssh tunnels, etc
02:14 < krzee> by not new i meant not unique
02:14 < krzee> do you like to tell everyone everything you say?
02:15 < krzee> cause if not you understand privacy and should be able to want that on the inet if you want!
02:15 < krzee> (im not talking to you specifically)
02:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:30 < Bushmills> gpg has the reputation of being used by terrorists only. even though, german ministry of trade and economics financially supported the development, by donation. sue them for 9/11!
02:30 < Bushmills> well, scrap the "only"
02:31 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
02:33 < Bushmills> what i mean to say is, their position can not credibly be changed when a different means of secure communication is the subject.
04:12 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)]
04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
05:17 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"]
06:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:09 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)]
07:25 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
07:30 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
07:30 < ecrist> morning, fuckers
07:30 < ecrist> krzee: I suck, and haven't shipped that box yet.
07:31 < ecrist> I should send it this week.
07:41 < mattock> Can't resist taking part in the conversation :)... Child porn/terrorism/whatever is a convenient excuse to limit freedom in the internet. We have a "child porn law" here in Finland. As an end result the police has a secret list of blocked sites. Fortunately it's not mandatory for the ISPs to block those. Those who opposed the law were naturally labeled as promoters of child porn, even though circumventing the blockage is trivial for anyone with little
07:41 < mattock> ... and now I got to split :)
07:42 < mattock> bye
07:42 -!- mattock [n=mattock@195.236.127.254] has left ##openvpn []
08:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
08:10 < krzee> !ssl-admin
08:10 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
08:10 < krzee> ecrist, no worries bro =]
08:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:31 -!- bassliner [n=armin@deepbass.org] has quit ["leaving"]
09:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
10:08 < rreyes> Hi all... I am trying to configure openVPN but I am getting a "Please edit the vars script to reflect your configuration, then source it with "source ./vars"" message even though I sourced the vars file
10:09 < Bushmills> and?
10:09 < ecrist> rreyes: I'd do what it says.
10:09 < rreyes> I did what it said and still get the message
10:10 < ecrist> did you edit the script?
10:10 < rreyes> yeap
10:10 < rreyes> I did
10:11 < Bushmills> do you source the script from the same command line where, and just before, you try to generate keys?
10:15 < rreyes> yes
10:16 < rreyes> that's what I am doing
10:16 < ecrist> despite the number of 'yes I did,' you missed something
10:16 < ecrist> rreyes: what OS you using?
10:16 < rreyes> Ubuntu
10:16 < rreyes> 9.04
10:18 < ecrist> what shell?
10:18 < rreyes> I am very new to openVPN but all I want is to connect to a Sonicwall 2400 vpn
10:19 < ecrist> rreyes: you can't use openvpn to connect to sonicwall vpn
10:19 < rreyes> mmmmm... what should I use then?
10:19 < rreyes> openswan?
10:20 < Bushmills> vpn is a generic term, almost like "program"
10:21 < Bushmills> openvpn isn't. that's a specific implementation of a vpn
10:21 < rreyes> I see
10:21 < rreyes> mmmm...
10:21 < Bushmills> to connect to the sonicwall vpn, you'd use the client software which works with ut
10:21 < Bushmills> it
10:21 < rreyes> interesting
10:31 < theDoc> There's sslvpn, ipsec vpn and some other proprietary vpn implementations like cisco, juniper.
10:31 < theDoc> I don't think there's outright interoperability with all of them at the moment.
10:32 < ecrist> *and* ssl vpns aren't all the same
10:35 < rreyes> wow
10:35 < rreyes> ok... thanks, guys
10:35 < rreyes> I will try to use the client for windows
10:35 < ecrist> cisco has an ssl vpn, which is incompat with openvpn
10:36 < rreyes> and see if I can make it work in Linux since linux is on a VM over Windows now
10:36 < ecrist> my guess is the sonic wall vpn is a PPTP, which has an included client in both Windows and Mac
10:36 < rreyes> do you think that will work?
10:36 < theDoc> Doesn't pptp have some security flaws?
10:36 < ecrist> yes
10:37 < theDoc> The only issue with vpn implementations is the lack of multi-vendor support.
10:38 -!- rodrigo__ [n=rodrigo@76-222-222-201.adsl.terra.cl] has joined ##openvpn
10:39 < rodrigo__> in my specific case, that means I might now be able to connect directly from Linux
10:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:56 -!- rreyes [n=rodrigo@76-222-222-201.adsl.terra.cl] has quit [Read error: 110 (Connection timed out)]
11:04 -!- rodrigo__ [n=rodrigo@76-222-222-201.adsl.terra.cl] has quit [Read error: 110 (Connection timed out)]
11:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:11 -!- throughnothing [n=will@74.205.24.229] has quit ["leaving"]
11:15 -!- jeiworth [n=jeiworth@189.177.122.84] has joined ##openvpn
11:28 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
12:09 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
12:20 -!- epaphus [n=unix3@190.10.68.228] has quit [Remote closed the connection]
12:32 -!- ke4qqq [n=ke4qqq@fedora/ke4qqq] has left ##openvpn []
12:36 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
12:42 -!- bigjohnto [n=bigjohnt@68.147.24.5] has joined ##openvpn
12:42 < bigjohnto> vista 32bit and 64bit both need the route-exe lines in the config file correct?
12:42 < ecrist> i believe so
12:43 < bigjohnto> cool thanks :)
12:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:45 -!- bigjohnto [n=bigjohnt@68.147.24.5] has left ##openvpn []
13:08 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn
13:13 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:16 -!- jeiworth [n=jeiworth@189.177.122.84] has quit [Read error: 110 (Connection timed out)]
13:30 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)]
13:32 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn
13:32 < SM2k> hey gang, been struggling with what appears to be a routing issue and openVPN
13:33 < SM2k> I'm using the openVPN server on the pfSense, and I can connect with a (linux) openVPN client, but can't reach machines behind the pfSense.
13:34 < SM2k> running wireshark I can see packets arriving at the target machine on the LAN, and responses going out.
13:35 < SM2k> so somehow the packets are being dropped on the way back out of the pfSense. I've checked the routing table and there's a proper looking route for tun1
13:36 < ecrist> pfsense... shudder
13:36 < SM2k> so my guess is I'm missing something with NAT or filter
13:36 < ecrist> my guess is you're missing an allow rule
13:37 < SM2k> well... I've tried everything I can think of in terms of allow rules.
13:37 -!- jeiworth [n=jeiworth@189.163.185.99] has joined ##openvpn
13:43 < ecrist> SM2k: pfSense is really just FreeBSD + PF + crappy web gui to manage it
13:43 < ecrist> I'd have to point you to the pfsense folks, really.
13:43 < SM2k> aye
13:43 < ecrist> I *am* proficient in FreeBSD + PF, but not their web gui
13:43 < ecrist> sorry
13:43 < ecrist> !freebsd
13:43 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
13:44 < ecrist> if you care to see how to do it for yourself.
13:44 < ecrist> though, I don't think I cover PF in that howto
13:45 < SM2k> understood that it's a web GUI on top of the real deal.
13:49 -!- viric [n=viric@62.57.137.96] has left ##openvpn []
14:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:22 < ecrist> SPOOOOON
14:22 -!- c64zottel [n=hans@p5B17B18F.dip0.t-ipconnect.de] has joined ##openvpn
14:31 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn
14:33 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)]
15:04 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)]
15:06 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn
15:13 < SM2k> ecrist: http://slexy.org/view/s2O5UT4HMH I'm getting that when running route monitor on the pfsense box while pinging from the openvpn client
15:13 < vpnHelper> Title: Paste // Slexy 2.0 (at slexy.org)
15:14 < SM2k> I assume this means pfSense is doing something bizarre instead of setting up routing rules correctly...
15:30 < ecrist> SM2k: !configs and !logs would help
15:49 -!- c64zottel [n=hans@p5B17B18F.dip0.t-ipconnect.de] has left ##openvpn []
15:57 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn
15:57 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)]
15:57 < SM2k1> I've been having crappy connectivity all week due to WiMAX sucking. not sure if any of my posts actually made it here
16:00 < SM2k1> not sure how much of this actually posted: http://pastebin.eu/pastebin.php?show=236263
16:02 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
16:03 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:36 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has quit ["Leaving."]
16:37 -!- viric [n=viric@62.57.137.96] has joined ##openvpn
16:37 < viric> Hallo
16:37 < viric> I have routing problems...
16:39 < viric> the communication between the two openvpn hosts goes fine
16:39 < viric> but between one of those hosts, and the rest of the net... bad.
16:39 < krzie> !configs
16:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:39 < viric> ook
16:39 < viric> thanks
16:39 < viric> I'm pasting to nopaste
16:42 < viric> http://nopaste.org/p/a7RFYiPdc
16:42 < viric> here are the routing tables
16:43 < viric> A packet from 10.0.0.1 to 192.168.0.xx in 10.0.0.1, passes into the other end's tun device, and then to the other end's br0, and then the tcp server answers back from 192.168.0.xx to 10.0.0.1, this gets into the tun device, but this doesn't reach the original end.
16:44 < krzie> i dont remember asking for the routing tables, you plan on doing what !configs said?
16:45 < krzie> you said tun, and br0
16:45 < krzie> you bridging or routing...
16:45 < viric> both
16:45 < krzie> actually dont answer that, see !configs
16:45 < viric> but the bridge doesn't have any relationship with the openvpn
16:45 < viric> it's for qemu tap devices
16:48 < viric> http://nopaste.org/p/agGrJVrg4 now
16:51 < krzie> ya i dunno if you can do that with a ptp vpn
16:51 < krzie> use client/server and it'll work easier
16:51 < krzie> !sample
16:51 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:51 < krzie> !route
16:51 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:51 < viric> I'll play a bit more with my actual config
16:52 < krzie> the thing is, openvpn doesnt know about the route
16:52 < viric> should it know?
16:52 < krzie> so it gets to the tun, but openvpn doesnt route it over the tunnel
16:52 < krzie> thats why iroute exists for client/server mode
16:52 < krzie> !iroute
16:52 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:53 < viric> aha, here it is. I'll try
16:53 < krzie> iroute can only be used in client/server, and then only in a ccd entry for the client who has the lan
16:53 < viric> ouch.
16:53 < krzie> sample is a client/server config
16:54 < krzie> route is my walkthrough to know everything you could want about connecting lans in openvpn
16:54 < krzie> not walkthrough really, but something like that
16:54 < krzie> its not to give you your exact setup, its to teach you * about lans behind openvpn
16:55 < viric> ok
16:59 < viric> can I use '--remote' in server mode?
16:59 < krzie> do you see it in my !sample?
16:59 < viric> no
16:59 < viric> it's only in the client
17:02 < viric> :( I'd like to set up internal routing without client/server mode...
17:04 < krzie> good luck to you then
17:06 < viric> both of my openvpn machines are behind firewalls+nat, and I can't control the routing/nat in the firewalls
17:06 < krzie> so?
17:07 < viric> so I don't know how to connect to an openvpn server
17:07 < krzie> same way as now...
17:07 < viric> hummm
17:07 < viric> well. I'm using a trick.
17:07 < viric> I have a public machine available
17:08 < viric> I wrote a udp-forwarding program in that public machine.
17:08 < krzie> sounds like public machine is your server
17:08 < viric> my openvpn1 talks to the public machine, openvpn2 too, and the public machine forwards the packets conveniently as if openvpn1 and openvpn2 were connected
17:08 < viric> well... I don't trust my public machine much, and I don't want the traffic to be decrypted there.
17:09 < krzie> dunno dude
17:09 < viric> I've seen the "client-to-client" parameter
17:09 < krzie> client-to-client bypasses the kernel by letting openvpn route the traffic between clients internally
17:10 < viric> I suppose I have no choice other than running openvpn in the public machine.
17:10 < viric> and using the client-to-client
17:11 < krzie> could always get a cheap vps
17:11 < krzie> Dougy_ sells them for real cheap
17:11 < viric> vps?
17:11 < krzie> virtual private server
17:12 < viric> ah
17:12 < viric> that's the public machine I don't trust. A vps.
17:12 < viric> Maybe I should trust it more.
17:12 < krzie> basically your own machine, but many of them on 1 hardware
17:13 < viric> ok, I'll battle more tomorrow.
17:13 < viric> Thank you for your time
17:15 < krzie> yw
17:37 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
17:47 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:59 < reiffert> moin
18:00 < reiffert> I got openvpn running on my Cable Modem - Router, ar7 hardware, avm fritzbox 7270
18:00 < reiffert> works like a charm. Bridged setup of course (of course) :)
18:01 < reiffert> 4 port ethernet switch, bgn wifi, annex a/b DSL, ISDN and 2times analog telephone connectors. Internal Answering machine, facsimile receiving, facs. sending via remote capi.
18:02 < reiffert> 350Mhz Mipsel, 64MB Ram, 16MB Flash, and USB Connector
18:02 < reiffert> 10W Power Consumption ag
18:02 < reiffert> avg
18:06 < krzie> moin
18:06 < krzie> my osx86 box is gangster
18:06 < krzie> all hax are in the hidden EFI partition that osx ignores
18:06 < krzie> my bootloader reads * from there and prefers the stuff there to the main install
18:07 < krzie> so i can update using software update and worry about nothing
18:09 < reiffert> hax? hidden partition? why is that?
18:10 < krzie> osx isnt supposed to run on PC
18:10 < krzie> so you need special bootloader and kexts for the HW
18:10 < krzie> so my kexts and other stuff i need special for osx because of my HW are in the hidden EFI partition
18:10 < reiffert> what kind of processors do you need to run osx on x86?
18:11 < krzie> GPT spec has a 200MB EFI partition which apple never uses, but honors
18:11 < krzie> so my stuff is there
18:11 < krzie> ideally a core proc, but AMD works with voodoo and SSE2 works too
18:11 < krzie> but ideally a core proc with SSE3
18:11 < reiffert> even ancient amd athlon 3200+?
18:12 < krzie> honestly i dunno, but likely yes
18:12 < krzie> when i say with voodoo i mean a special kernel
18:12 < krzie> the voodoo kernel
18:12 < reiffert> sounds really interesting.
18:12 < reiffert> any bookmarkable howto?
18:13 < krzie> the entire insanelymac forum
18:13 < reiffert> I *hate* forums ...
18:13 < reiffert> I always end up in reading long shitty bullshit bla bla
18:13 < krzie> *shrug* thats where the info is
18:14 < reiffert> any detailed step 1 to 10 around there?
18:17 < krzie> negative, its more complicated than that
18:18 < krzie> need to know exactly what mobo you have for anything like that
18:18 < krzie> then you'll still be reading multiple howto's
18:18 < reiffert> Think I'll stick to my ibook then
18:19 < krzie> but if you get a DG35EC i can give you what you need
18:19 < krzie> you can build a badass box with that for around 600
18:19 < krzie> 8GB ram, quad core q9400
18:20 < krzie> 1.5TB hd
18:21 < reiffert> every time I hit an online configurator I end up around 2.500 - 3.000 EUR .. which is a dual quad core xeon with plenty of RAM.
18:21 < krzie> you gotta build it yourself bro
18:22 < krzie> just grab a DG35EC mobo, a q9400, seagate 1.5TB, 8GB ram
18:22 < krzie> i just got the mobo, ram, HD for $300 US
18:22 < krzie> then you need a supported vid card, i chose a nvidia 9400 GT
18:22 < krzie> i suggest sticking to nvidia pci-e
18:23 < reiffert> When I compare the total price against the single component prices I end up in 1:1
18:23 < reiffert> ack on nvidia
18:24 < reiffert> however, not enough money atm and a working machine under my desk = Im happy
18:25 < krzie> wered
18:26 < krzie> werd
19:11 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:11 < Dougy> hey all
19:18 < ecrist> it's, "hey ya'll"
19:19 < Dougy> lol
19:19 < Dougy> sorry eric
19:21 < ecrist> so, when are you going to get around to sprucing up the ovpnforum site?
19:21 < Dougy> hmm
19:21 < ecrist> some graphics, ranking, etc?
19:21 < Dougy> graphics i fail at
19:21 < Dougy> so never
19:21 < Dougy> ranking not sure what you mean
19:21 < Dougy> when i stop being bombarded with projects at school ill look into it some
19:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
19:30 < Dougy> krzie: hi
19:31 < krzie> high
19:32 < Dougy> hi
19:32 < Dougy> uh
19:32 < Dougy> you still want that colo right
19:33 < krzie> i paid for the box right...?
19:33 < Dougy> yes
19:33 < krzie> so umm
19:33 < krzie> of course
19:33 < Dougy> lol ok
19:33 < Dougy> i faxed in the final paperwork about 3pm
19:33 < krzie> cool, im in no rush
19:33 < Dougy> i am going to rack all 7 of these boxes at 3pm on saturday
19:34 < krzie> i still need to format/reinstall 2 servers in cali,
19:34 < Dougy> krzie guess what
19:34 < Dougy> im lead bidder on another
19:34 < Dougy> P4 2.8 ghz, 3gb, 2x120gb sata (2 hotswap)
19:34 < Dougy> current bid - $1
19:34 < Dougy> :)
19:34 < krzie> how rare!
19:34 < krzie> lol
19:34 < krzie> til someone snipes
19:34 < Dougy> and it comes with a spare 250w psu also
19:35 < Dougy> fuck that
19:35 < Dougy> max bid is 100 on this boy
19:35 < Dougy> lol
19:35 < Dougy> snipers can kiss my arse
19:35 < krzie> sniped by 101!
19:35 < Dougy> ill be watching
19:35 < Dougy> when it ends
19:35 < Dougy> 19:41:21 on may 16 my time
19:35 < Dougy> saturday at 7pm
19:36 < Dougy> man, i cant believe the damn colo is full
19:37 < krzie> you pre-sold the whole thing?
19:37 < Dougy> lets see
19:37 < Dougy> ive sold 4
19:37 < Dougy> 5*
19:37 < Dougy> out of the 7
19:37 < Dougy> 2 are just other servers i built with parts i had (2xCore2duo E6750, 2gb ram, 2x250gb sata)
19:38 < Dougy> but yes, as of right now, its 100% covered (the space)
19:39 < Dougy> http://www.upload3r.com/serve/130509/1242261584.jpg
19:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:03 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: kala, Solvik, feinoM, M06w, Typone
20:03 -!- Netsplit over, joins: M06w, Typone
20:04 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: boojit, js_, HardDisk_WP, flokuehn, Kevin`, worch
20:05 -!- Netsplit over, joins: Kevin`, worch, flokuehn
20:05 -!- Netsplit over, joins: boojit, HardDisk_WP, js_
20:06 < Dougy> Anyone need any colo?
20:16 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
20:16 -!- feinoM [n=feinom@svale.hia.no] has joined ##openvpn
20:16 -!- Solvik [n=solvik@oxyradio.com] has joined ##openvpn
20:27 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
21:08 -!- jeiworth [n=jeiworth@189.163.185.99] has quit [Remote closed the connection]
21:10 -!- jeiworth [n=jeiworth@189.163.185.99] has joined ##openvpn
21:10 -!- jeiworth [n=jeiworth@189.163.185.99] has quit [Read error: 104 (Connection reset by peer)]
22:03 -!- albech [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)]
22:08 -!- albech [n=albech@119.42.76.101] has joined ##openvpn
22:29 -!- albech [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)]
22:30 -!- albech [n=albech@119.42.76.101] has joined ##openvpn
22:32 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
23:11 -!- theDoc_ [n=andelyx@119.73.165.162] has joined ##openvpn
23:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
23:26 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
23:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
23:36 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
23:42 -!- albech_ [n=albech@119.42.76.101] has joined ##openvpn
23:47 -!- bk [n=bk@c-98-193-243-188.hsd1.tn.comcast.net] has joined ##openvpn
23:47 < bk> i need help
23:47 < bk> in ubuntu 9.04
23:47 < bk> on finding the file "myvpn.conf"
23:54 -!- albech__ [n=albech@119.42.76.101] has joined ##openvpn
23:59 -!- albech [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)]
--- Day changed Thu May 14 2009
00:03 -!- albech [n=albech@119.42.76.101] has joined ##openvpn
00:04 -!- bk is now known as bk|away
00:04 -!- bk|away [n=bk@c-98-193-243-188.hsd1.tn.comcast.net] has left ##openvpn []
00:10 < theDoc_> Anyone knows if openvpn can deal with /31 point-to-point address assignments?
00:11 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
00:11 < gebura> hi
00:12 < theDoc_> hehehe!
00:14 -!- albech_ [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)]
00:14 -!- albech__ [n=albech@119.42.76.101] has quit [Success]
00:25 < gebura> i am looking for information about ipv6 & openvpn
00:27 < gebura> is there a way to add route or address without directly in the config file (without using --up) ?
00:27 < gebura> it seems that --ifconfig $ipv6_1 $ipv6_2 doesn't work
00:28 < gebura> thanks in advance :)
00:28 -!- albech [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)]
00:39 -!- albech [n=albech@119.42.77.164] has joined ##openvpn
00:51 < gebura> !ipv6
00:51 < vpnHelper> gebura: "ipv6" is http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker
01:02 -!- albech_ [n=albech@119.42.77.164] has joined ##openvpn
01:14 -!- albech__ [n=albech@119.42.77.164] has joined ##openvpn
01:18 -!- albech [n=albech@119.42.77.164] has quit [Read error: 110 (Connection timed out)]
01:21 -!- albech_ [n=albech@119.42.77.164] has quit [Connection timed out]
01:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
01:47 -!- master_of_master [i=master_o@p549D2EF4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:49 -!- albech__ [n=albech@119.42.77.164] has quit [Read error: 54 (Connection reset by peer)]
01:50 -!- master_of_master [i=master_o@p549D470E.dip.t-dialin.net] has joined ##openvpn
01:50 -!- theDoc_ [n=andelyx@119.73.165.162] has quit [Read error: 110 (Connection timed out)]
02:01 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
02:25 -!- albech [n=albech@119.42.76.205] has joined ##openvpn
02:28 -!- albech [n=albech@119.42.76.205] has quit [Read error: 104 (Connection reset by peer)]
02:36 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
02:44 -!- albech [n=albech@119.42.79.172] has joined ##openvpn
03:03 -!- albech_ [n=albech@119.42.79.196] has joined ##openvpn
03:10 -!- Isen [n=marcus@pub.sizeit.se] has quit [Remote closed the connection]
03:11 -!- albech [n=albech@119.42.79.172] has quit [Read error: 110 (Connection timed out)]
03:55 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has quit [Read error: 60 (Operation timed out)]
04:35 -!- theDoc [n=andelyx@116.197.252.9] has joined ##openvpn
04:35 < theDoc> !route
04:35 < vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:35 < theDoc> !nat
04:35 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
04:35 < theDoc> !linnat
04:35 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:37 -!- theDoc [n=andelyx@116.197.252.9] has quit [Read error: 104 (Connection reset by peer)]
04:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:55 -!- nosSmS [n=marc@212.Red-80-32-237.staticIP.rima-tde.net] has joined ##openvpn
05:05 -!- theDoc [n=andelyx@bb116-15-188-180.singnet.com.sg] has joined ##openvpn
05:05 < theDoc> !linnat
05:05 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
05:06 < theDoc> !nat
05:07 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
05:12 < theDoc> Hmm.
05:12 < theDoc> This is very odd.
05:14 -!- albech_ [n=albech@119.42.79.196] has quit [Connection timed out]
05:16 -!- albech_ [n=albech@119.42.79.196] has joined ##openvpn
05:34 -!- theDoc [n=andelyx@bb116-15-188-180.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
05:36 -!- krzie_ [i=krzee@joogot.noskills.net] has joined ##openvpn
05:36 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
05:37 -!- albech_ [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)]
05:37 -!- krzie [i=krzee@joogot.noskills.net] has quit [Read error: 104 (Connection reset by peer)]
05:39 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
05:41 -!- albech [n=albech@119.42.79.196] has joined ##openvpn
05:50 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
05:50 < theDoc> Anyone around?
05:50 -!- albech_ [n=albech@119.42.79.196] has joined ##openvpn
05:51 -!- albech__ [n=albech@119.42.79.196] has joined ##openvpn
05:52 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
05:52 < alinuxskyper99> hi
05:53 < theDoc> 'sup?
05:53 < alinuxskyper99> I am on my local network and I want to access my office network using openvpn ...the problem is that the local network is 192.168.0.0/24 and the same goes for the office network
05:54 < theDoc> alinuxskyper99: I *think* that will be a problem, you have overlapping network addresses in a discontiguous network.
05:54 < alinuxskyper99> theDoc, indeed
05:54 < alinuxskyper99> it is a problem
05:54 < alinuxskyper99> theDoc, anyway to solve this ? without having to change networks ?
05:54 < theDoc> Hm, I have a NAT problem at the moment.
05:54 < theDoc> alinuxskyper99: No, not that I'm aware of. 05:54 < theDoc> I'm wondering why my vpn traffic isn't being NAT'ed to the eth0 address. 05:54 < theDoc> :/ 05:55 < alinuxskyper99> theDoc, it works with my cisco client though... 05:55 < theDoc> [root@vpn1 openvpn]# iptables -t nat -A POSTROUTING -s 10.97.58.0/24 -o eth0 -j MASQUERADE 05:55 < alinuxskyper99> theDoc, and ipforwarding is set to 1 ? 05:55 < theDoc> alinuxskyper99: Which vpn solution are you using? 05:55 < alinuxskyper99> theDoc, CiscoVPN client and OpenVPN..OpenVPN with 64 bit cients 05:56 < theDoc> alinuxskyper99: I don't think openvpn and ciscovpn are compatible. That being said, I do not have any experience in dealing with Cisco's vpn solutions. 06:05 -!- albech [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)] 06:10 -!- albech_ [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)] 06:10 -!- albech__ [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)] 06:18 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:21 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 06:32 -!- nosSmS [n=marc@212.Red-80-32-237.staticIP.rima-tde.net] has left ##openvpn [] 06:36 -!- sehh [n=sehh@cust-224-67.on1.ontelecoms.gr] has joined ##openvpn 06:36 < sehh> hey people 06:37 < sehh> q: can OpenVPN as a client connect to a CISCO VPN? 06:40 < sehh> the remote CISCO device is a DSL modem/router running IOS 06:42 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 07:09 < Bushmills> sehh, if you convince cisco to use openvpn, it will be able to. 07:09 < sehh> :) 07:13 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has quit [Read error: 60 (Operation timed out)] 07:14 -!- sehh [n=sehh@cust-224-67.on1.ontelecoms.gr] has quit ["Fedora Condom Linux - "shinny, rubbery and roundish...""] 07:21 < feinoM> Are there any OpenVPN clients for Symbian? 
I haven't been able to find any, but maybe you guys know of one :) 07:23 < ecrist> I'm not aware of one. If you find one, please let us know so we know about it. 07:28 < feinoM> will do.. 07:29 < reiffert> feinoM: there has been something on the mailinglist some time ago... 07:30 < reiffert> IIRC a job offer for porting openvpn to symbian. 07:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:41 * ecrist just had one of the tastiest apples *ever* 07:41 < ecrist> crisp, just the right combination of sweet and tart. 07:53 -!- albech [n=albech@119.42.79.196] has joined ##openvpn 08:11 -!- admin__ [n=admin@212.28.233.21] has joined ##openvpn 08:24 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 113 (No route to host)] 08:29 -!- xororand [n=xororand@unaffiliated/xororand] has joined ##openvpn 08:30 < xororand> Hello. Can OpenVPN 2.1.x forward IPv6 in server mode? Do I have to use tun or tap for that? 08:41 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-, viric, `Ned 08:43 -!- Netsplit over, joins: viric, `Ned, disco- 08:46 < ecrist> xororand: 2.0.9 or 2.1, either can do IPv6 traffic with tap mode 08:46 < ecrist> 2.1, otherwise 08:46 < ecrist> specifics are discussed on the 2.1 man page 08:47 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 08:49 < KaiForce> what is a good verb level for troubleshooting client connection issues? 08:49 < ecrist> 6 08:49 < ecrist> it's what we ask for here 08:49 < ecrist> !logs 08:49 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 08:50 < KaiForce> ecrist: muchas gracias 08:50 < ecrist> no problem 08:51 < xororand> okay thanks, ecrist. i'll use tap then 08:55 < xororand> Are there any downsides with TAP? 
08:56 < ecrist> it's a pain to setup, and you can't use Macs as a VPN server 09:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Read error: 60 (Operation timed out)] 09:06 < KaiForce> ok, the problem my client appears to be having is in adding the route after connecting. They are getting "The object already exists" when it tries to add the route. 09:07 < ecrist> sounds like you have IP address conflicts 09:07 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 09:17 -!- acton [n=tyler@li4-115.members.linode.com] has joined ##openvpn 09:18 < acton> hello; I've got a quick question. I'm looking at the static key howto, it is takling about establishing a tunnel with 10.0.0.x etc. I just want to connect, do I need to make a tunnle? 09:18 < acton> tunnel** 09:18 < ecrist> a VPN *is* a tunnel 09:19 < acton> do I need to do the tunnel from 10.0? or can I just connect after I follow the howto and set up my static key 09:20 < acton> o, got it. 09:20 < acton> I need to go look at the config to figure out what else I can do, but I've got the basic idea, I think 09:22 -!- clustermagnet [n=vasiliy@75.101.158.130] has joined ##openvpn 09:23 < KaiForce> ecrist - where should I look for the address conflict? the user has a unique VPN address, the client IP is on a different subnet than the host network, and he is the only one connecting from that public IP. 09:24 < KaiForce> is it possible that after a disconnection from the OpenVPN server, some residual route is being left and causing this? 09:24 < acton> I have multiple places where I will connect from. do I need the ifconfig x.x.x.x to x.x.x.x? 09:27 < acton> I'm trying to just let myself connect, through the pks. not sure if the ifconfig is really needed, though. 09:31 < acton> any ideas? 09:38 < acton> My vpn server's IP will be static, but my IP is dynamic. 09:38 < acton> so I can't use ifconfig x.x.x.x to x.x.x.x... is there another form of authentication? 
09:38 < theDoc> Doesn't matter. 09:38 < theDoc> Use the pam module where you can login using a user/pass 09:40 < acton> nods, I'll see if I can figure out how to do that... thanks 09:42 < theDoc> <3 09:44 < acton> ... 09:44 < theDoc> According to the beatles, all you need is <3 09:44 -!- jeiworth [n=jeiworth@189.177.122.84] has joined ##openvpn 09:46 < acton> And we actually listen to them? they suck for a reason. 09:47 < theDoc> acton: I'm sure they do but they make plenty of $$ 09:49 < ecrist> all I need is less than three? 09:49 < acton> well, there's a point there. :p 09:50 < theDoc> ecrist: Maybe. 09:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 10:26 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 10:26 < BadSector> !howto for beginners 10:26 < vpnHelper> BadSector: Error: "howto" is not a valid command. 10:26 < BadSector> oops 10:28 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn 10:29 < BadSector> I have created my client1.csr and my client1.key ... could someone tell me where to place those files in Ubuntu 9.04? I had thought I could put them in /etc/openvpn and then just terminal to /etc/openvpn and type in "openvpn client" ... but it doesn't seem to find the client.1crt... so i'm thinkint it doesn't see it? or I have wrong directory.. 10:32 < BadSector> nvm.. found it 10:48 -!- BadSector [n=BadSecto@mail.aidcoint.com] has left ##openvpn [] 11:03 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"] 11:09 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"] 11:18 * ecrist sings, 'Bat Fight! Takin' a chance! A game of skill, it's easy to do. Bat Fight! A gentleman's game, Bat Fight!" 
11:18 < ecrist> http://www.funnyordie.com/videos/426608ab8c/bat-fight#player 11:18 < vpnHelper> Title: BAT FIGHT with Will Ferrell from Will Ferrell, Craig Robinson, and Jake (at www.funnyordie.com) 11:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:45 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-, clustermagnet, viric, `Ned 11:47 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn 11:50 -!- viric [n=viric@62.57.137.96.dyn.user.ono.com] has joined ##openvpn 11:53 < ecrist> Hey there little red riding hood, you sure are looking good! you're everything a big bad wolf could want... 11:53 < theDoc> o-o; 12:03 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 12:04 < ecrist> I told the witch doctor I was in love with you, and then the witch doctor told me what to do. He said OOO EEE OOO AHHH AHH Bing Bang WALLA WALLA BANG BANG 12:07 -!- jeiworth [n=jeiworth@189.177.122.84] has quit [Read error: 104 (Connection reset by peer)] 12:07 -!- jeiworth [n=jeiworth@189.234.37.185] has joined ##openvpn 12:14 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 12:27 -!- jeiworth [n=jeiworth@189.234.37.185] has quit [Read error: 104 (Connection reset by peer)] 12:27 -!- jeiworth [n=jeiworth@189.234.37.185] has joined ##openvpn 12:33 -!- albech [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)] 12:35 < jeiworth> hi all, i am struggeling to install openvpn gui on a vista 64 bit machine, so far so good, installed as admin but it tries to install a 32bit tap device, which obviously wont run. i am googleing around but it seems to be a still unresolved problem, any ides? 12:37 < BadSector> I have managed to setup a OpenVPN and connect between 2 laptops using a patch cable to the nic. The server is an WinXP machine that is connected to the internet via wireless nic. How do I share that internet connection w/ the VPN connection? 
(When I try to bridge the two, I lose the Wifi conn. If I tried to share the wifi to the VPN conn. it changes the VPN conn. to 192.168.0.1) 12:42 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 12:43 -!- `Ned [n=Ned@cpe-98-155-203-22.hawaii.res.rr.com] has joined ##openvpn 12:43 -!- gtlz [n=gtlz@unaffiliated/gtlz] has joined ##openvpn 12:44 < gtlz> i have a freebsd router/openvpn endpoint that I just set up at one of our new datacenters... there's only about 26ms of latency between my office and the DC. for some reason, openssh sessions over the openvpn tunnel have some extra latency. at another DC, i have pfsense set up in a similar manner and the ssh-over-vpn sessions there do not exhibit the same latency. any ideas? no altq or qos, very simple pf rules. 12:44 < gtlz> the configuration files are nearly identical 12:45 < svenx> how do you measure the ssh latency? 12:45 < gtlz> perceived keystrokes registering in the terminal 12:45 < gtlz> it "feels" like the freebsd box is 150ms away 12:45 < svenx> okay.. hm 12:46 < svenx> i'd go for some tcpdumping to see where the delay might be incurred 12:47 < gtlz> hm? you think i'm losing/dropping packets? 12:48 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 12:49 < BadSector1> was there any answer for my queston above? (got disconnected trying to change bridging) 12:49 -!- BadSector [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)] 12:50 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has joined ##openvpn 12:51 < digii> hmm, what dist do u guys recomment if im going to set-u a openvpn sulotion for multi-users and cert-authentication 12:52 < ecrist> gtlz: same hardware and load between the systems? 12:52 < gtlz> ecrist: load yes, slightly different hardware. the freebsd system is a dual core 2.8ghz intel (non cely), 2GB ram, intel server gigabit nics 12:53 < ecrist> and the pf rules are the same between the boxes? 
12:53 < ecrist> is pfsense doing any shaping? 12:55 < gtlz> no shaping, the rules on the pfsense box are more complex as its used in production 12:56 < gtlz> the freebsd box just has simple block rules and pass in quick rules for vpn traffic 12:57 < ecrist> it's hard to diagnose the latency issue. are your disks and RAM OK in the 'slow' box? 12:57 < gtlz> AFAIK yes 12:57 < gtlz> i was thinking maybe the pfsense team introduced some latency reducing tuning or changes, but the config files are the same, so unless they patched the source, idk what would be going on here 12:59 < ecrist> are you dropping packets on the slower box? is your ISP on that box shaping UDP traffic, to thwart P2P users? 13:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out] 13:00 < gtlz> no way, it's a legit datacenter. it's also a tcp tunnel. 13:00 < ecrist> that might be your problem 13:00 < ecrist> !tcp 13:00 < gtlz> let me check pflog, though i doubt it 13:00 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 13:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:00 < gtlz> i was having stability issues with udp tunnels 13:00 < gtlz> not at this DC, but at another 13:00 < ecrist> use UDP tunnels, unless you cannot for some reason (escpaing a draconian firewall) 13:01 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)] 13:03 < gtlz> well i guess it's time to try udp? :\ 13:03 < ecrist> I'd suggest it 13:10 < gtlz> ecrist: i wonder if it's the blowfish cipher? is AES or 3des less costly? 13:10 < ecrist> that question is above my pay-grade, sorry 13:11 < ecrist> I use blowfish, and we don't have any problems. 13:11 < gtlz> ah ok 13:11 < ecrist> where I work, we have staff connecting from T1, cable internet, DSL, ISDN, dial up, and cellular broadband. 
all have no complaints on VPN quality 13:13 < gtlz> well the pfsense tcp based ovpn tunnel is perfect... which is why i first asked the fbsd and pfs channels as i thought htere might be an OS discrepency or some code changes by either team 13:13 < gtlz> perfect as in no perceived latency, etc etc 13:14 < ecrist> pfsense is just freebsd + pf, with a bunch of scripts and a web gui 13:14 < ecrist> it's crappy, because they do so many tweaks to sysctls and configs, out of the norm 13:14 < ecrist> which is why I just use freebsd + pf 13:14 < ecrist> and carp, firewall redundancy with carp is the shit 13:15 < gtlz> well i totally agree 13:16 < gtlz> which is why i'm trying to avoid using pfsense at the new DC 13:16 < jeiworth> FYI to get openvpn client running on a vista 64bit box use: http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe 13:16 < ecrist> http://www.secure-computing.net/wiki/index.php/CARP 13:16 < vpnHelper> Title: CARP - Secure Computing Wiki (at www.secure-computing.net) 13:16 < gtlz> i vastly prefer the flexibility of fbsd 13:16 < gtlz> ecrist: i know all about it, thx tho. 13:17 < gtlz> i've deployed redundant firewalls/gateways a dozen times.. pfsync and carp = sweetness 13:17 < ecrist> :) 13:23 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn 13:43 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)] 13:43 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 13:44 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 13:46 < BadSector> !redirect for sending inet traffic through server 13:46 < vpnHelper> BadSector: Error: "redirect" is not a valid command. 13:46 < BadSector> humm 13:51 < BadSector> can anyone tell me how to get to these help guides? 
Don't know where to find the info on "!redirect for sending inet traffic through server " 13:53 < ecrist> !redirect 13:53 < vpnHelper> ecrist: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:53 < ecrist> commands for bots are only one word, prepended by a ! 13:54 < BadSector> thanks 13:56 < BadSector> just not understanding this last point :( lol, finally got the two machines connected... but the client cannot reach the internet.. will keep reading :) 13:56 < BadSector> !def1 13:56 < vpnHelper> BadSector: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:57 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco- 13:59 < plaerzen> !dance 13:59 < vpnHelper> plaerzen: Error: "dance" is not a valid command. 13:59 * BadSector wiggles... 14:12 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 14:15 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 14:15 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)] 14:21 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 14:21 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)] 14:21 -!- BadSector [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)] 14:23 < BadSector1> blah, aggrivating lol... everytime I try to create a bridge I lose Internet Connection. I even tried to setup the Network Bridge TCP/IP properties to the same values that was in the Wireless NIC properties but still no internet while bridge is active... 
14:23 < ecrist> rather than do bridge, do routed 14:24 -!- alinuxskyper99 [n=admin@212.28.233.21] has joined ##openvpn 14:24 < ecrist> I'm not a windows wiz, though 14:24 -!- admin__ [n=admin@212.28.233.21] has quit [Read error: 104 (Connection reset by peer)] 14:26 < BadSector1> yeah, i was trying routed at first, until i was reading and they said kinda easier to do w/ bridge because you don't need to put in the routes.. And I don't really know what kind of IP range I have avaliable here at work :( 14:32 < BadSector1> I think my problem is that I'm trying to connect the two laptop with the lan NIC's thru OpenVPN and share my Wireless NIC to the virutal tap... humm.. but I would think would still work... oh well.. 14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:37 -!- lepine [n=lmacguir@modemcable093.36-59-74.mc.videotron.ca] has joined ##openvpn 14:38 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 14:39 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn 14:40 < lepine> Hey guys, i'm trying to connect to a server which is behind NAT. 14:40 < chrisbdaemon> are there any alternatives to easy-rsa to handle my keys for openvpn? 14:40 < lepine> chrisbdaemon: tinyca 14:40 < chrisbdaemon> I remember I heard about one in here but I forget what its called 14:41 -!- admin__ [n=admin@193.227.191.90] has joined ##openvpn 14:41 < ecrist> ssl-admin 14:41 < ecrist> !ssl-admin 14:41 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 14:41 < lepine> the port forwarding on the router works, it's port 8080 ... and works fine when i bind apache to that port. 14:41 < chrisbdaemon> ssl-admin, thats what its called 14:41 < chrisbdaemon> thanks 14:41 < lepine> however, openvpn keeps sending ACKs for reasons unknown ... 
14:41 < ecrist> lepine: make sure it's UDP you're forwarding, not just TCP 14:42 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit [Client Quit] 14:42 < lepine> ecrist: i set the server to use tcp 14:42 < ecrist> ick 14:42 < ecrist> !tcp 14:42 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 14:42 < lepine> here is a log, verb 9 ... http://pastebin.ca/1422951 14:42 < lepine> reading ... 14:43 < lepine> ecrist: Im not in the greatest position to edit that router 14:44 < lepine> hence, switch to udp 14:44 < ecrist> lepine: does it work, outside the NAT? 14:44 < lepine> haven't tried ... give me a minute 14:45 < lepine> should have done so beforehand 14:48 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn 14:49 -!- BadSector [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)] 14:49 < gtlz> so ecrist, udp tunnels do not experience the same perceived keystroke lag... so now the question becomes, how is pfsense mitigating the tcp-induced latency? 14:50 < ecrist> my guess, is they're don't tcp window resizing in the firewal 14:50 < ecrist> OR, the client config on that end is configured for a smaller window size 14:50 < ecrist> !mss 14:50 < vpnHelper> ecrist: Error: "mss" is not a valid command. 14:50 < ecrist> !mss-fix 14:50 < vpnHelper> ecrist: Error: "mss-fix" is not a valid command. 14:50 < ecrist> !mssfix 14:50 < vpnHelper> ecrist: Error: "mssfix" is not a valid command. 
14:51 < ecrist> !mtu 14:51 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 14:52 < gtlz> hrm, well tunnel mtu is set by default 14:52 < gtlz> at least according to the client connect output 14:53 < lepine> ecrist: it seems to work, when not going through NAT. 14:53 < gtlz> aand the link you sent me is using the dos cmd prompt, definitely not something i have access to (i'm proud to say) 14:53 < ecrist> lepine, I'm sorry to say your problem isn't OpenVPN, then. 14:53 < lepine> stupid csco router 14:54 -!- jeiworth [n=jeiworth@189.234.37.185] has quit [Read error: 110 (Connection timed out)] 14:54 < ecrist> gtlz: --mtu-test is your config will get you the answer, then. 14:54 < lepine> back to plan B, running a server on the net, and having a client share a subnet ... 14:56 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 110 (Connection timed out)] 14:58 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)] 14:58 -!- alinuxskyper99 [n=admin@212.28.233.21] has quit [Read error: 110 (Connection timed out)] 15:00 < gtlz> ecrist: 15:00 < gtlz> Thu May 14 12:59:45 2009 us=439144 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541] 15:00 < gtlz> ecrist: i'm going to follow some tcp tuning guides for freebsd and see what happens 15:01 < ecrist> okie 15:01 < gtlz> i don't have much to lose as i plan on scrapping this box in the next week or so anyway 15:01 < ecrist> I'd just switch to udp and be done with it, if it were me. 
15:05 < gtlz> yeah but i want to make sure i can use tcp if i need to, 15:05 < gtlz> and i'm bored at work 15:05 < gtlz> so i might as well figure it out 15:07 < gtlz> also i want to make sure there are no tcp performance "issues" when i put freebsd live 15:08 < gtlz> or i definitely just borked it... methinks it should be online by now. 15:09 < gtlz> well, i was planning on going to the DC today anyway... i just sealed my fate. 15:14 < digii> Can someone tell my what i need to do when im setting up openvpn and im just using 1 nic? 15:14 < digii> or help me is a btter word 15:19 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has quit ["Leaving."] 15:27 < digii> if im using one nic do i hafto bridge that? 15:28 < ecrist> yeah, because there is still a virtual NIC 15:28 < digii> what? 15:28 < ecrist> tun or tap adapter 15:28 < digii> u mean i need to create a virtualnic? 15:29 < digii> or does openvpn creates a own virtualnix? 15:36 < ecrist> perhaps you should read how openvpn operates, first? 
15:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:44 -!- jeiworth [n=jeiworth@189.177.136.65] has joined ##openvpn 16:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:30 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 16:33 -!- nico__ [n=tuxsmouf@37.218.81-79.rev.gaoland.net] has joined ##openvpn 16:34 -!- tuxsmouf [n=tuxsmouf@105.197.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 16:34 -!- tjz [n=tjz@bb121-6-114-207.singnet.com.sg] has quit [Connection timed out] 16:34 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 16:39 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 16:40 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit] 16:43 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: xororand, M06w, Typone 16:45 -!- Netsplit over, joins: xororand, M06w, Typone 16:48 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 16:48 -!- viric [n=viric@62.57.137.96.dyn.user.ono.com] has left ##openvpn [] 16:52 -!- admin__ [n=admin@193.227.191.90] has quit [Read error: 113 (No route to host)] 16:56 -!- BadSector [n=BadSecto@cpe-75-185-235-61.cinci.res.rr.com] has joined ##openvpn 17:03 < digii> when im bridging virtual-nic to my real nic to use for openbox, should my real-nic have static ip first? 17:04 < digii> or can it still be dhcp? or is that not such a good idea? 17:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 17:07 < jeiworth> digii: what os? 
i just installed openvpn on an ubuntu system and defined tap0 and br0 in /etc/networking/interfaces, tap0 and eth0 i gave static ip 0.0.0.0, br0 has the static ip of the server, and no problem since then 17:07 < digii> im using debian 17:07 < digii> so its probably the same 17:07 < jeiworth> digii: well then its actually exactly the same ;) 17:08 < digii> do u mind posting your interfaces file on some pastebin site? 17:09 < digii> i dont have tap u only got /dev/net/tun but i guess thats the same 17:09 < jeiworth> http://pastebin.ubuntu.com/172634/ 17:10 < jeiworth> in that case you are routing not bridging 17:10 < digii> what? 17:10 < digii> did u route? 17:11 < jeiworth> no, i bridge, bridge uses tap device, route uses tun device 17:11 < digii> how do i create tap then? 17:12 < digii> by creating br0 whit brctl? 17:12 < jeiworth> by defining it in /etc/network/interfaces 17:13 < jeiworth> i was using the scripts provided by the openvpn howto bridge-start and bridge-stop and am calling them within /etc/init.d/openvpn 17:13 < jeiworth> i dont know if that is necesary now, i was experimenting a lot during installation 17:14 < digii> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html#linuxscript 17:14 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 17:14 < digii> u mean that script? 17:14 < jeiworth> yup 17:15 < digii> u just changes the ip in eth_ip netmask and bcast? 17:15 < digii> and then just ran it? 17:15 < jeiworth> basically yes 17:15 < digii> ok =) 17:15 < digii> why is your eth0 ip set to 0.0.0.0? 17:16 < digii> doesent it hafto have a ip? :S 17:17 < jeiworth> because the server responds on the br0 interface, which is bridging the eth0 with tap0, so neither of the latter 2 need ip. actually, i read its a good thing to put them in promiscous mode (0.0.0.0) to catch _all_ traffic 17:17 < digii> ok =) 17:17 < digii> hmm still dont know how to get tap? 
17:18 -!- tuxsmouf [n=tuxsmouf@139.170.81-79.rev.gaoland.net] has joined ##openvpn 17:19 < jeiworth> well, define it in /etc/network/interfaces or have the brdige-start-script create it or create it manually: 17:19 < jeiworth> sudo mkdir -p /dev/net 17:19 < jeiworth> sudo mknod /dev/net/tun c 10 200 17:19 < jeiworth> sudo chmod 600 /dev/net/tun 17:19 < jeiworth> well, using debian just do it as root without the sudo 17:19 < digii> ah ok =) 17:19 < jeiworth> ah wait, that was tun 17:19 < jeiworth> hmm 17:19 < digii> yea 17:20 < jeiworth> hmm then i suppose interfaces or the bridge-start script will suffize 17:21 < digii> i wounder if that actually creates tap :S 17:21 < digii> nothing in the script is saying it will 17:21 < jeiworth> bridge-start definitely does 17:21 -!- BadSector [n=BadSecto@cpe-75-185-235-61.cinci.res.rr.com] has left ##openvpn [] 17:22 < digii> oh ok 17:22 < jeiworth> just adjust it to your network topology, make it executable and try 17:22 < digii> network topology? u mean the ip adresses and stuff? 17:22 < jeiworth> yes 17:23 < jeiworth> your local network environment 17:23 < digii> ok =) 17:37 -!- tuxsmouf [n=tuxsmouf@139.170.81-79.rev.gaoland.net] has quit [Read error: 60 (Operation timed out)] 17:37 -!- tuxsmouf [n=tuxsmouf@60.210.81-79.rev.gaoland.net] has joined ##openvpn 17:37 -!- nico__ [n=tuxsmouf@37.218.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 17:40 -!- nico__ [n=tuxsmouf@93.4.117.153] has joined ##openvpn 17:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:52 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 17:59 -!- tuxsmouf [n=tuxsmouf@60.210.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 17:59 -!- tuxsmouf [n=tuxsmouf@79.81.207.105] has joined ##openvpn 18:04 < digii> someone here? 
18:10 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:10 < jeiworth> here, drinking beer
18:10 < digii> the script didn't work creating tap
18:10 < jeiworth> hmm strange
18:11 < digii> is there a package with tap i need first?
18:11 < jeiworth> well, you need the package bridge-utils as described in the howto
18:11 < digii> yea, i got that :S
18:12 -!- nico__ [n=tuxsmouf@93.4.117.153] has quit [Read error: 110 (Connection timed out)]
18:12 < jeiworth> ok....do you get an error??
18:12 -!- nico__ [n=tuxsmouf@39.58.204-77.rev.gaoland.net] has joined ##openvpn
18:12 < digii> i'm remote using ssh from server
18:12 < digii> so i don't know :/
18:12 < digii> got thrown out
18:13 < jeiworth> that is bad
18:14 < digii> yea
18:14 < digii> might do it manually
18:14 < jeiworth> did you adjust your /etc/network/interfaces file?
18:14 < digii> tap is a virtual-nix right?
18:14 < digii> nic*
18:14 < jeiworth> i think so
18:14 < digii> and br0 is also that :S
18:14 < digii> hmm
18:14 < digii> why do u need 2 :S
18:15 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has joined ##openvpn
18:15 < jeiworth> well, as i understand it, openvpn communicates through tun/tap so to route the traffic to openvpn you need to make a bridge from the physical device, e.g. eth0, and route all that traffic to tap
18:16 < digii> if u copy your interfaces and change the if to my network and then try the script again, it might work
18:17 < digii> last time i just changed it myself :D might have written something bad
18:17 < jeiworth> hehe
18:17 < jeiworth> actually there is a typo in the interfaces i posted you, on ..uhm... tap0 i think it says addressa instead of address
18:18 < digii> yea :D ok
18:18 < digii> change that
18:22 -!- tuxsmouf [n=tuxsmouf@79.81.207.105] has quit [Read error: 110 (Connection timed out)]
18:24 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
18:24 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:26 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 110 (Connection timed out)]
18:26 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
18:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:27 -!- smerz [n=daniel@smerz.demon.nl] has left ##openvpn ["Ex-Chat"]
18:29 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:36 < reiffert> moin
18:39 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:43 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
18:46 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has quit ["Lost terminal"]
18:46 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-
18:48 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has joined ##openvpn
19:07 -!- nico__ [n=tuxsmouf@39.58.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
19:08 -!- nico__ [n=tuxsmouf@238.146.204-77.rev.gaoland.net] has joined ##openvpn
19:28 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:28 < Dougy> ayooo
19:41 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
20:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
20:03 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:05 -!- tuxsmouf [n=tuxsmouf@35.172.81-79.rev.gaoland.net] has joined ##openvpn
20:06 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has quit ["Lost terminal"]
20:06 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
20:09 -!- nico__ [n=tuxsmouf@238.146.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
20:19 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:06 -!- nico__ [n=tuxsmouf@239.174.81-79.rev.gaoland.net] has joined ##openvpn
21:27 -!- tuxsmouf [n=tuxsmouf@35.172.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
21:41 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:55 -!- jeiworth [n=jeiworth@189.177.136.65] has quit [Connection timed out]
22:00 -!- tuxsmouf [n=tuxsmouf@103.179.81-79.rev.gaoland.net] has joined ##openvpn
22:10 < theDoc> How can ... an SSL browser connection be advertised as a vpn connection
22:10 < theDoc> >_>
22:10 < theDoc> Jesus.
22:11 < frankS2> it can?
22:11 < theDoc> frankS2: Sure, the interweb is full of companies advertising browser based SSL vpns which aren't actually vpns :o
22:12 < frankS2> haha
22:12 < theDoc> Download moar activeX controls and you get super SSL security!
22:12 < frankS2> oh yay! I must get that
22:12 < theDoc> http://www.slickyproxy.com/Technical_Background.htm
22:12 < vpnHelper> Title: Techical Background of Proxies and SSL VPNs (at www.slickyproxy.com)
22:13 -!- albech [n=albech@119.42.79.196] has joined ##openvpn
22:13 < theDoc> All that hype, no base.
22:17 < theDoc> lol@#
22:17 < theDoc> # Poor, intermittent and disrupted connections won't cause the VPN to fail.
22:17 < theDoc> Does that mean, if my interweb connection breaks down, I can still use the vpn?
22:17 < theDoc> Sorry, :) Couldn't resist that 22:20 -!- nico__ [n=tuxsmouf@239.174.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 22:44 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 22:48 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco- 22:54 -!- albech [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)] 22:57 -!- albech [n=albech@119.42.79.196] has joined ##openvpn 23:05 -!- nico__ [n=tuxsmouf@24.236.204-77.rev.gaoland.net] has joined ##openvpn 23:07 -!- albech [n=albech@119.42.79.196] has quit [Read error: 60 (Operation timed out)] 23:07 -!- albech [n=albech@119.42.79.196] has joined ##openvpn 23:09 -!- albech [n=albech@119.42.79.196] has quit [Client Quit] 23:27 -!- tuxsmouf [n=tuxsmouf@103.179.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 23:40 -!- Netsplit over, joins: disco- 23:44 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco- --- Day changed Fri May 15 2009 00:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:18 -!- dan__t [n=dant@vpn.withparity.net] has left ##openvpn ["Leaving"] 01:26 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:33 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 01:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:36 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco- 01:47 -!- master_of_master [i=master_o@p549D470E.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:50 -!- tuxsmouf [n=tuxsmouf@127.168.81-79.rev.gaoland.net] has joined ##openvpn 01:50 -!- master_of_master [i=master_o@p549D31B2.dip.t-dialin.net] has joined ##openvpn 01:52 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 01:53 -!- Tatster 
[n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit] 01:54 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 01:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit] 02:02 -!- Netsplit over, joins: disco- 02:10 -!- nico__ [n=tuxsmouf@24.236.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 02:11 -!- nico__ [n=tuxsmouf@88.141.4.192] has joined ##openvpn 02:14 -!- tuxsmouf [n=tuxsmouf@127.168.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 02:21 -!- tuxsmouf [n=tuxsmouf@195.170.81-79.rev.gaoland.net] has joined ##openvpn 02:46 -!- nico__ [n=tuxsmouf@88.141.4.192] has quit [Read error: 110 (Connection timed out)] 02:46 -!- nico__ [n=tuxsmouf@3.181.81-79.rev.gaoland.net] has joined ##openvpn 02:48 -!- tuxsmouf [n=tuxsmouf@195.170.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 02:54 -!- nico__ [n=tuxsmouf@3.181.81-79.rev.gaoland.net] has quit [Read error: 104 (Connection reset by peer)] 02:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 03:10 -!- nico__ [n=tuxsmouf@88.141.4.178] has joined ##openvpn 03:28 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has joined ##openvpn 03:52 -!- tuxsmouf [n=tuxsmouf@88.141.31.21] has joined ##openvpn 03:52 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn 03:54 -!- nico__ [n=tuxsmouf@88.141.4.178] has quit [Read error: 110 (Connection timed out)] 04:04 < reiffert> moin 04:05 -!- nico__ [n=tuxsmouf@42.200.81-79.rev.gaoland.net] has joined ##openvpn 04:07 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 113 (No route to host)] 04:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:23 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:26 -!- tuxsmouf [n=tuxsmouf@88.141.31.21] has quit [Read error: 110 (Connection timed out)] 04:38 -!- nico__ [n=tuxsmouf@42.200.81-79.rev.gaoland.net] has quit [Read 
error: 110 (Connection timed out)] 04:40 -!- tuxsmouf [n=tuxsmouf@210.59.204-77.rev.gaoland.net] has joined ##openvpn 04:52 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: lepine, krzie_ 04:55 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 04:56 -!- Netsplit over, joins: lepine, krzie_ 04:56 < Bushmills> moiners 04:57 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 04:59 < gebura> hi 05:00 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: lepine, krzie_ 05:03 -!- albech [n=albech@119.42.76.61] has joined ##openvpn 05:05 -!- krzie_ [i=krzee@joogot.noskills.net] has joined ##openvpn 05:05 -!- albech_ [n=albech@119.42.76.61] has joined ##openvpn 05:06 -!- nico__ [n=tuxsmouf@144.180.81-79.rev.gaoland.net] has joined ##openvpn 05:06 -!- lepine [n=lmacguir@modemcable093.36-59-74.mc.videotron.ca] has joined ##openvpn 05:07 -!- tuxsmouf [n=tuxsmouf@210.59.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 05:08 -!- tuxsmouf [n=tuxsmouf@86.239.81-79.rev.gaoland.net] has joined ##openvpn 05:09 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has quit ["Leaving."] 05:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:20 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: xororand, M06w, Typone 05:21 -!- Netsplit over, joins: xororand, M06w, Typone 05:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:23 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)] 05:23 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 05:28 -!- nico__ [n=tuxsmouf@144.180.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 05:29 -!- nico__ [n=tuxsmouf@31.232.81-79.rev.gaoland.net] has joined ##openvpn 05:40 -!- znh [n=znh@unaffiliated/znh] has quit [Connection reset by peer] 05:44 -!- tuxsmouf [n=tuxsmouf@86.239.81-79.rev.gaoland.net] has 
quit [Read error: 110 (Connection timed out)] 05:44 -!- tuxsmouf [n=tuxsmouf@21.225.81-79.rev.gaoland.net] has joined ##openvpn 05:55 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 05:59 -!- nico__ [n=tuxsmouf@31.232.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 06:01 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has joined ##openvpn 06:01 < Fallenou> hi 06:01 < Fallenou> i just created a point-to-point vpn 06:02 < Fallenou> each side can ping the other side 06:02 < Fallenou> but i cannot establish a TCP connection through the vpn 06:02 -!- nico__ [n=tuxsmouf@67.195.81-79.rev.gaoland.net] has joined ##openvpn 06:05 < Fallenou> ok nevermind it works now 06:05 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has left ##openvpn ["So long, and thanks for all the Fish !"] 06:26 -!- tuxsmouf [n=tuxsmouf@21.225.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 06:27 -!- nico__ [n=tuxsmouf@67.195.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 06:27 -!- nico__ [n=tuxsmouf@181.201.81-79.rev.gaoland.net] has joined ##openvpn 06:38 -!- tuxsmouf [n=tuxsmouf@79.81.229.65] has joined ##openvpn 06:57 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:00 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit] 07:00 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:02 -!- nico__ [n=tuxsmouf@181.201.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)] 07:02 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit] 07:03 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:04 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit] 07:04 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:09 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."] 07:10 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:24 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:50 -!- Alagar 
[n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)] 07:56 -!- albech_ [n=albech@119.42.76.61] has quit [Client Quit] 07:56 -!- albech [n=albech@119.42.76.61] has joined ##openvpn 07:59 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 08:13 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has joined ##openvpn 08:15 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has joined ##openvpn 08:42 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 08:50 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 08:56 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 08:56 -!- tuxsmouf [n=tuxsmouf@79.81.229.65] has quit [Read error: 110 (Connection timed out)] 08:57 -!- tuxsmouf [n=tuxsmouf@79.81.229.205] has joined ##openvpn 09:00 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)] 09:01 -!- Solver_ [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn 09:02 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)] 09:03 -!- albech [n=albech@119.42.76.61] has joined ##openvpn 09:23 -!- albech [n=albech@119.42.76.61] has quit [Connection timed out] 09:33 -!- albech [n=albech@119.42.76.61] has joined ##openvpn 09:34 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has joined ##openvpn 09:35 -!- nico__ [n=tuxsmouf@131.202.81-79.rev.gaoland.net] has joined ##openvpn 09:36 -!- jeiworth [n=jeiworth@189.234.37.185] has joined ##openvpn 09:37 -!- tuxsmouf [n=tuxsmouf@79.81.229.205] has quit [Read error: 110 (Connection timed out)] 09:46 < Fallenou> is it possible to redirect all traffic through a VPN ? 
09:46 < Fallenou> i have 2 interfaces, tun0 (the vpn) and eth0, the actual internet connection
09:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
09:47 < Fallenou> i can add hosts that pass through the VPN doing route add -host ip_address gw 192.168.42.1, and it works well
09:47 < Fallenou> (192.168.42.1 is the VPN server ip, in the VPN)
09:48 < Fallenou> but i would like to make all my traffic go into the VPN, not only the several ip addresses i have to add
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:50 < reiffert> Fallenou: yes, it's possible
09:50 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:51 < reiffert> !def1
09:51 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:51 -!- znh [n=znh@a12248.upc-a.chello.nl] has quit [SendQ exceeded]
09:52 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:53 -!- znh [n=znh@unaffiliated/znh] has quit [SendQ exceeded]
09:53 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
09:53 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:54 -!- znh [n=znh@a12248.upc-a.chello.nl] has quit [SendQ exceeded]
09:54 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:54 -!- znh [n=znh@a12248.upc-a.chello.nl] has quit [Success]
09:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:57 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
10:07 -!- Solver_ is now known as Solver
10:07 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
10:10 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
10:11 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
10:17 -!- tuxsmouf [n=tuxsmouf@94.169.81-79.rev.gaoland.net] has joined ##openvpn
10:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:35 -!- Lilarcor [n=Lilarcor@57.sub-97-164-229.myvzw.com] has joined ##openvpn
10:38 -!- nico__ [n=tuxsmouf@131.202.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
10:42 < Fallenou> ok good thanks reiffert :)
10:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
10:56 -!- tuxsmouf [n=tuxsmouf@94.169.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
10:56 -!- tuxsmouf [n=tuxsmouf@105.181.81-79.rev.gaoland.net] has joined ##openvpn
11:02 -!- rotty` [n=user@83-215-154-5.hage.dyn.salzburg-online.at] has joined ##openvpn
11:14 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:22 -!- Lilarcor [n=Lilarcor@57.sub-97-164-229.myvzw.com] has quit ["The Lord of Murder Shall Perish."]
11:24 < rotty`> i have a little problem with my openvpn setup (bridge): I can access the internet and hosts in the LAN (including the ovpn server) from openvpn clients, but trying to ping or connect to other clients doesn't work.
11:25 < rotty`> the packets won't even show up with tcpdump on the 'tap0' device when I try to ping other clients...
11:29 < rotty`> any ideas of what might be the issue?
11:51 -!- nico__ [n=tuxsmouf@29.208.81-79.rev.gaoland.net] has joined ##openvpn
11:51 -!- tuxsmouf [n=tuxsmouf@105.181.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
11:54 -!- gtlz [n=gtlz@unaffiliated/gtlz] has left ##openvpn []
12:10  * ecrist sings, "Boats and Hos"
12:21 < reiffert> !client-to-client
12:21 < vpnHelper> reiffert: Error: "client-to-client" is not a valid command.
12:21 < reiffert> --client-to-client
12:23 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
12:24 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
12:30 -!- jeiworth [n=jeiworth@189.234.37.185] has quit [Read error: 110 (Connection timed out)]
12:33 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
12:37 < ecrist> !learn client-to-client as To enable client-to-client communications, add the client-to-client option to the server configuration.
12:37 < vpnHelper> ecrist: Joo got it.
12:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:52 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
13:17 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
13:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:09 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
14:13 < Fallenou> rotty` < reiffert answered you "client-to-client" (in case you didn't notice)
14:16 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has quit ["Leaving."]
14:25 < reiffert> In order to drive a car, get in and launch the motor?
14:26 < reiffert> learn client-to-client as When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
14:26 < reiffert> See !man for details
14:28 -!- jeiworth [n=jeiworth@189.177.136.65] has joined ##openvpn
14:29 < ecrist> !forget client-to-client
14:29 < vpnHelper> ecrist: Joo got it.
14:29 < ecrist> !learn client-to-client as When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
14:30 < vpnHelper> ecrist: Joo got it.
14:30 < ecrist> !client-to-client
14:30 < vpnHelper> ecrist: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
14:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:47 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn
14:49 < chrisbdaemon> hey, I need some help. I'm trying to use ssl-admin to get my keys setup for openvpn on openbsd 4.5, I created the keys and everything and i copied them to the client computer and setup the config file but when I try to connect I get a "Authenticate/Decrypt packet error: packet HMAC authentication failed"
14:49 < chrisbdaemon> i've checked the md5's are the keys on the server and client are identical, the cipher in the configuration is the same
14:49 < chrisbdaemon> and the keys*
14:50 < chrisbdaemon> i'm using the ta.key feature as well and those match as well
14:50 < chrisbdaemon> any idea what else could have gone wrong or is there some way to manually verify the keys/certificates?
14:58 < ecrist> !logs
14:58 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:58 < ecrist> !config
14:58 < vpnHelper> ecrist: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
14:58 < ecrist> !configs
14:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:58 < chrisbdaemon> k, one sec
15:03 < chrisbdaemon> does it matter what i use for the ca's owner id?
15:04 < chrisbdaemon> i know the server key is supposed to use server as the common name, isn't it?
15:05 < ecrist> not really
15:06 < ecrist> there is a thread, found via google, which may help you
15:06 < ecrist> http://openvpn.net/archive/openvpn-users/2004-05/msg00289.html
15:06 < rotty`> ecrist: thanks!
15:06 < vpnHelper> Title: Re: [Openvpn-users] Authenticate/Decrypt packet error: packet HMAC authentication failed (at openvpn.net)
15:06 < ecrist> what did I do?
15:07 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
15:08 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
15:17 < chrisbdaemon> server log is at http://pastebin.com/d2d5e56ce client/server configs: http://pastebin.com/d95c1e56
15:18 < chrisbdaemon> do you need logs from the client machine also?
15:18 < ecrist> might, looking at server now
15:19 < chrisbdaemon> and i see the error opening the logfiles btw, that was my next step after getting the vpn working
15:20 < ecrist> yes, client logs, please
15:21 < chrisbdaemon> full logs or just errors/warnings?
15:22 < ecrist> full, at verb 6, please
15:22 < ecrist> your client config is set for verb 3
15:22 < chrisbdaemon> hmm, that's annoying, tunnelblick won't let me copy the logs from the log view window :\
15:22 < ecrist> you can, you need to right-click and select copy
15:23  * krzie_ streaks across the channel
15:23 < chrisbdaemon> ah, hotkeys just didn't work
15:23 -!- krzie_ is now known as krzie
15:23 < ecrist> !learn logs as In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:23 < vpnHelper> ecrist: Joo got it.
15:24 < ecrist> at first, I thought you were a girl, but with the realization they were simply EXTREMELY small nuts, I knew it to be you, krzie
15:24 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
15:25 < chrisbdaemon> http://pastebin.com/d40a4fd22
15:26 < chrisbdaemon> that's not the exact same connection as the server logs btw, but it is the same problem
15:26 < chrisbdaemon> just in case that matters
15:27 < ecrist> the log looks truncated
15:27 < chrisbdaemon> it never finishes the connection, it just stops
15:27 < chrisbdaemon> waiting for server response
15:28 < chrisbdaemon> it gets to line 126 then repeats the errors at 128 over and over
15:32 < ecrist> try removing the tls-auth line in the client config
15:32 < chrisbdaemon> server also?
15:32 < ecrist> yeah
15:32 < ecrist> just for giggles
15:33 < chrisbdaemon> hmm, that worked it looks like
15:33 < chrisbdaemon> or not
15:33 < chrisbdaemon> let me paste new logs..
15:40 < ecrist> I'm out for the night.
15:40 < chrisbdaemon> server: http://pastebin.com/da81c9c8 client: http://pastebin.com/d240531da
15:40 < chrisbdaemon> ah, ok
15:41 < chrisbdaemon> ah, i think i might have found it, one sec
15:42 < chrisbdaemon> bah, i had AES-256-CBC on the client and AES-128-CBC on the server :\
15:42 < chrisbdaemon> thanks for the help :P
15:43 -!- nico__ [n=tuxsmouf@29.208.81-79.rev.gaoland.net] has quit [Remote closed the connection]
15:47 < krzie> ecrist, so you recognized me by my balls?
15:50 < krzie> i don't think even i could pick my balls out of a lineup
15:58 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has left ##openvpn ["Leaving"]
16:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:07 < gebura> !time
16:07 < vpnHelper> gebura: Error: "time" is not a valid command.
16:07 < gebura> urf
16:12 < gebura> !timezone
16:12 < vpnHelper> gebura: Error: "timezone" is not a valid command.
16:12 < gebura> i've got this error: TLS Error: Unroutable control packet received from $ip1197 (si=3 op=P_CONTROL_V1)
16:13 < gebura> somebody told me that i should change the timezone, is that the only way?
16:14 < krzie> timezone does not matter at all
16:14 < krzie> that both are set to the correct time does
16:14 < krzie> ntpdate time.nist.gov
16:15 < krzie> times are compared in GMT, timezones don't come into effect
16:16 < gebura> thanks :)
16:16 < krzie> yw
16:47 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has quit ["So long, and thanks for all the Fish !"]
16:49 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
16:56 < krzie> hey ecrist, i gave you the new address to send that computer to right?
16:58 < ecrist> I got one address, initially from you.
16:58 < ecrist> plan on sending it tomorrow or monday
17:00 < krzie> let's make sure you have the right one, 1 sec
17:02 < krzie> i think you had his old address, that's his new one
17:02 < krzie> he just moved
17:45 -!- sprax [n=rob@65.127.188.10] has joined ##openvpn
17:46 < sprax> I have a satellite office with just 3 clients and a printer. Rather than setup a separate network with DHCP, DNS, etc, I would like to just "extend" my main office to this remote office. The remote clients would get their IP from DHCP at the main site, etc. Is this something openVPN can do? I'm not really sure what I need to google to find out.
17:49 < sprax> A layer-2 based ethernet TAP eh? Yay Wikipedia to the rescue!
17:55 < sprax> And the ethernet bridging how-to
17:55 < sprax> lol, an exciting friday night awaits!
17:59 < feinoM> :)
18:01 < krzie> sprax
18:02 < krzie> you totally don't need layer2
18:02 < krzie> read the topic
18:02 < Bushmills> sprax, if dhcp is the only reason for a bridging configuration with tap interfaces, consider the alternative of a routing config, and running something like a dhcp forwarder on that gateway
18:02 < krzie> after that, type !route because it fits what you said
18:02 < krzie> he doesn't even need DHCP
18:02 < Bushmills> g'd evening
18:02 < krzie> he just wants to push DNS
18:02 < krzie> g'evening to you too =]
18:03 < Bushmills> well, no need for dhcp just for obtaining ip addresses. but dhcp can be used for more than just that.
18:04 < krzie> i understand why you'd want two networks together, don't understand why you'd want it for DHCP
18:04 < Bushmills> so i am not in the position that i can say "you don't need dhcp"
18:04 < krzie> since the other router can do DHCP itself, and point clients to DNS / WINS over the VPN
18:04 < krzie> etc etc
18:05 < krzie> as long as it has a route for clients to the vpn like in my writeup under the picture, it just works
18:05 < Bushmills> one could obtain for example the ntp server(s) to be used by client from dhcp
18:06 < reiffert> moin Bushmills
18:06 < Bushmills> ha.
18:06 < Bushmills> hi reiffert
18:07 < Bushmills> but one way or another, bridging is probably not needed
18:08 < reiffert> Downloading Google Earth from google.com + installation: 30 seconds
18:08 < reiffert> using the google way, called "google updater": 5 minutes
18:08 < reiffert> sigh.
18:10 < Bushmills> sounds like stress
18:10 < Bushmills> no time for a cup of tea
18:11 < sprax> actually
18:12 < sprax> the main reason is to be able to PXE boot machines at the satellite
18:12 < sprax> when the PXE on the NIC comes up it needs to lease an IP from my M$ DC running Windows Deployment Services
18:13 < sprax> then do the TFTP magic and finally a whole mess of CIFS
18:13 < sprax> add all that to the Active DNS/DHCP hassle from bill
18:14 < sprax> it makes my life easier if the clients are ignorant to the fact that there is some cable internet between them and the main office
18:15 < reiffert> does it make your life easier when the satellite system is not able to work when the cable internet link is down?
18:16 < sprax> and I'm sorry for not discovering this on my own first. I'm not averse to RTFM, but I didn't even know where to start. I was actually surprised to read the information on the FAQ.
18:17 < sprax> Well, if the cable goes down then remote users won't have access to files, databases or network applications regardless of which VPN/router magic I cast on them
18:19 -!- troy- [n=doc@216.185.67.154] has joined ##openvpn
18:19 < reiffert> They might continue using their local net and internet instead of drinking coffee for hours.
18:19 < Bushmills> a replicating network file system which handles dis/reconnect elegantly might help. maybe something coda-like
18:20 < troy-> hello i have an openvpn tunnel setup between a windows laptop and a linux server without issue but i want the windows client vpn to connection share with another system via the ethernet port
18:20 < troy-> how can i somehow bridge the ethernet interface to the vpn?
18:21 < krzie> i agree with bushmills
18:21 < sprax> troy- http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
18:21 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
18:21 < krzie> you're going to be sending every ethernet broadcast over the bridge and every arp etc for 1 feature
18:21 < krzie> a dhcp-bridge over tun would work, but bushmills' approach is what i'd use
18:22 < reiffert> internet connection sharing does not require bridging.
18:22 < sprax> yeah, if i had the budget for a replicated file system, I could setup a DC on site with its own DNS and DHCP
18:23 < troy-> sprax, does it matter that the windows machine is a client not the server?
18:23 < krzie> troy: you saying you'd like the machine in the same lan as the windows client to access the vpn through the windows client?
18:23 < krzie> replicating stuff requires a budget?
18:23 < troy-> krzie, the device accessing the vpn via the windows client will be a cisco ip phone
18:23 < krzie> troy, totally doesn't matter
18:23 < krzie> see !route
18:23 < troy-> okay but is what i want doable?
18:24 < krzie> absolutely, and it's in the topic where it says:
18:24 < krzie> "lans behind openvpn? see !route "
18:24 < krzie> !route
18:24 < sprax> krzie yep
18:24 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:24 < sprax> troy- what do you mean?
18:24 < Bushmills> more an issue of windows connection sharing, me seems
18:25 < krzie> he means he has a machine on the same lan as the client which he wants to access the VPN
18:25 < troy-> sprax, Cisco IP phone [ethernet] -> [ethernet] windows client [VPN] -> [VPN] linux server
18:25 < krzie> Bushmills, nah... no ICS needed since windows is the client and not server
18:25 < troy-> the phone and windows client are directly connected via an ethernet cable
18:25 < reiffert> krzie: sure sure. why not?
18:26 < krzie> because it doesnt need to be NAT'ed on the client side
18:26 < krzie> only on the server side if the vpn is its default gateway to the inet
18:26 < reiffert> right, just routing.
18:26 < krzie> ICS is the windows term for NAT
18:27 < sprax> troy- sorry man, I lost track of whats going on. No worries, I think I found what I need. It may not be the best solution in the world, but it's going to be one scope to rule them all, and for a couple of PCs I'm not too worried about it.
18:27 < sprax> Thanks to everyone!
18:27 < troy-> np
18:27 < Bushmills> probably depends on whether the other machine sits on the same network/interface as the vpn link does
18:30 < Bushmills> or you're doing a better job at second-guessing the actual intentions :D
18:31 < reiffert> gn8
18:32 < krzie> nah, that would be for ip forwarding bush
18:32 < krzie> it wouldnt need ICS to reach the vpn through the client
18:33 < krzie> just ip forwarding
18:33 < krzie> regardless of intentions
18:33 < troy-> krzie, i bridged the virtual and physical adapter on my windows client and added "dev tap & dev-node tap-bridge"
18:33 < troy-> to the config
18:34 < troy-> should my ethernet interface have an IP address now?
18:34 < krzie> oh you're bridging, i wont be of much help with that
18:34 < krzie> i would do it with routing
18:34 < troy-> well whats the best solution?
18:34 < krzie> i already said everything
18:34 < troy-> hmmm
18:35 < troy-> is it possible to route traffic from the virtual tun interface to the physical interface?
18:35 < troy-> without a bridge
18:35 < krzie> what do you mean... like is it possible to access a machine behind the client over the vpn and vice versa?
18:35 < troy-> correct
18:36 < krzie> yes, which i thought i said
18:36 < troy-> okay
18:36 < krzie> okay but is what i want doable?
18:36 < krzie> absolutely, and its in the topic where it says:
18:36 < krzie> "lans behind openvpn? see !route "
18:36 < krzie> !route
18:36 < troy-> !route
18:36 < vpnHelper> troy-: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:37 < krzie> basically it boils down to an iroute and !winipforward
18:37 < troy-> !winipforward
18:37 < vpnHelper> troy-: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:37 < krzie> will the voip phone be using the vpn endpoint as its pbx
18:37 < krzie> ?
18:37 < troy-> yes
18:37 < krzie> ya, simple then really
18:38 < krzie> the server gets a route entry for the phone
18:38 < krzie> a ccd in server for the client gets an iroute
18:38 < krzie> ip forwarding enabled on client machine
18:38 < troy-> alright, so first step is enable forwarding in windows?
18:38 < krzie> ...???
18:38 < krzie> ...profit
18:38 < krzie> doesnt really matter which step is in which order
18:39 < krzie> until ??? and profit
18:39 < krzie> those are always the last 2 ;]
18:41 < troy-> alright enabled that
18:50 < troy-> krzie, since the phone and windows client are directly connected do i make the default gateways each other?
19:00 -!- troy__ [n=doc@216.185.67.154] has joined ##openvpn
19:00 -!- troy- [n=doc@216.185.67.154] has quit [Read error: 54 (Connection reset by peer)]
19:05 -!- troy__ is now known as troy-
19:06 -!- rotty` [n=user@83-215-154-5.hage.dyn.salzburg-online.at] has quit [Remote closed the connection]
19:09 < krzie> troy, the voip phone can just use the win machine as default gateway
19:09 < krzie> the windows machine does not require a change to that
19:26 -!- albech [n=albech@119.42.76.61] has quit [Read error: 104 (Connection reset by peer)]
19:37 < krzie> !ask
19:37 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
19:49 < krzie> (that wasnt @ anyone here, i just wanted a link from there)
19:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
20:00 -!- jeiworth [n=jeiworth@189.177.136.65] has quit [Read error: 104 (Connection reset by peer)]
20:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:19 -!- sprax [n=rob@65.127.188.10] has quit ["changing servers"]
20:30 -!- troy- [n=doc@216.185.67.154] has quit [Read error: 110 (Connection timed out)]
21:15 -!- qknight [n=joachim@serverkommune.de] has quit [Read error: 60 (Operation timed out)]
21:15 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn
21:16 -!- gebura [n=nnnnnnnn@lescigales.org] has quit ["Getting off stoned server - dircproxy 1.2.0"]
21:17 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:18 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:19 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:20 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:21 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:22 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:23 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:24 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:25 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:26 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:27 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:28 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:29 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:30 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:31 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:32 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:33 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:34 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:35 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:36 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:37 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:38 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:39 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:40 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:42 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:43 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:44 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:45 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:46 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:47 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:48 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:49 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:50 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:51 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
22:08 -!- zrin [n=chatzill@chello062178201205.6.15.tuwien.teleweb.at] has joined ##openvpn
22:10 < zrin> I'd like to connect an otherwise unused local NIC (eth1) as a virtual NIC in a remote machine - is it possible for openvpn to use the local nic directly or is it necessary to create a local bridge
22:24 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
22:33 < zrin> Is it possible to configure a simple p2p bridge with a static key? I'm looking for a configuration which would use an otherwise unused local NIC as a virtual NIC in a single remote machine.
22:53 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
22:55 < Vesayth> Hello! Is there anyone here who could possibly guide me in setting up a vpn server on my box? I'm running Ubuntu 8.10 64-bit. I've tried reading the guides that are out there but I think I'm just totally lost at this point.
22:55 < Vesayth> These guides appear to assume that I'm using my desktop as my network's router, whereas I'm using a Linksys router with DD-WRT firmware
23:23 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
23:30 -!- Dougy_ [i=doug@64-18-144-18.ip.bergenhosting.com] has quit [Read error: 60 (Operation timed out)]
23:31 -!- Dougy [i=doug@64.18.144.18] has joined ##openvpn
--- Day changed Sat May 16 2009
00:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:02 < Alagar> good morning all
00:10 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
00:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:46 -!- master_of_master [i=master_o@p549D31B2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D39CF.dip.t-dialin.net] has joined ##openvpn
02:37 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
02:49 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
02:55 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
02:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
02:57 -!- albech [n=albech@119.42.76.61] has quit [Read error: 54 (Connection reset by peer)]
03:08 -!- silents [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
03:09 < silents> Hello! Is there anyone here that can assist me in setting up a VPN server on Ubuntu 8.10 64-bit?
03:10 -!- silents [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
03:16 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
03:16 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
03:28 -!- alaif [n=alaif@dejvice.peering.junix.cz] has joined ##openvpn
03:35 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
03:35 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
04:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:28 -!- alaif [n=alaif@dejvice.peering.junix.cz] has left ##openvpn []
04:33 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn
04:35 -!- plaerzen [n=carpe@66.11.76.242] has quit [Read error: 110 (Connection timed out)]
05:22 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
05:23 -!- albech [n=albech@124.157.237.211] has joined ##openvpn
05:40 < APTX|> !topology
05:40 < vpnHelper> APTX|: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:45 -!- albech [n=albech@124.157.237.211] has quit [Read error: 110 (Connection timed out)]
05:45 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
06:00 -!- albech [n=albech@119.42.76.61] has quit [Read error: 60 (Operation timed out)]
06:16 -!- albech [n=albech@124.157.239.149] has joined ##openvpn
06:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:25 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
07:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
07:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:44 -!- BasketCase_EEE [n=kmk@140.207.27.24.cfl.res.rr.com] has joined ##openvpn
07:44 < BasketCase_EEE> anyone run NFS over OpenVPN over the internet? works but wondering if anyone already worked out optimal settings.
07:53 -!- albech [n=albech@124.157.239.149] has quit [Read error: 110 (Connection timed out)]
07:54 -!- zrin [n=chatzill@chello062178201205.6.15.tuwien.teleweb.at] has quit [Remote closed the connection]
07:55 < BasketCase_EEE> I appear to be doing about 160KB/sec
08:02 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
08:16 -!- c64zottel [n=hans@p5B17B6C6.dip0.t-ipconnect.de] has joined ##openvpn
08:46 -!- c64zottel [n=hans@p5B17B6C6.dip0.t-ipconnect.de] has quit ["Leaving."]
08:49 < reiffert> nfs via tcp or udp?
08:49 < reiffert> openvpn proto udp or tcp?
08:51 < BasketCase_EEE> I was trying it with openvpn tcp and nfs udp
08:51 < BasketCase_EEE> but my real question is if anyone has worked out what the best settings are
08:51 < reiffert> Sounds sane. You might wanna try upside down
08:52 < BasketCase_EEE> I just turned on comp-lzo. not sure why I didn't have that before
08:52 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
08:52 < reiffert> Client/Server directly connected via switch/media Gbit Link?
08:53 < BasketCase_EEE> the server end is gig-e. the client end is coffee shop wifi
08:54 < BasketCase_EEE> I get 210KB/sec with http, 180KB/sec with http over vpn, and 160KB/sec with nfs over vpn
08:55 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
09:06 < reiffert> BasketCase_EEE: would you please connect server and client via a cable to switch of media dependent influences (wifi), just for some testing.
09:07 < reiffert> s,of,off,
09:10 < BasketCase_EEE> NFS works nice and fast when I am at home and connected that way or through my wifi
09:10 < BasketCase_EEE> I don't have actual benchmarks but it is fast enough
09:11 < BasketCase_EEE> I just want to be able to optimize for a slower connection for when I am not at home
09:22 < reiffert> see, wifi is not a reliable media when it comes to bandwidth.
09:23 < BasketCase_EEE> I know. neither is the internet
09:24 < BasketCase_EEE> but if I was on my LAN I wouldn't need a VPN :P
09:25 -!- albech_ [n=albech@58.147.47.215] has joined ##openvpn
09:25 < reiffert> it would give you upper limits, that is you know about the optimization maximum.
09:26 < BasketCase_EEE> I just hoped to find someone who had tried the multitude of NFS settings to find the optimal balance for what I am doing.
09:28 < reiffert> try to get some bandwidth values for your wifi first.
09:29 < BasketCase_EEE> that would mostly depend on where I am but I believe the bottleneck right now is the upload speed of my cable modem which is capping me at about 210KB/sec
09:30 < BasketCase_EEE> that is pretty much the same speed I get from work without involving wifi
09:30 < reiffert> so 160KB/s look almost perfect then.
09:30 < BasketCase_EEE> 160 is a lot lower than 210
09:30 < reiffert> it's not.
09:32 < reiffert> try to get some ethernet statistics and have a look on fragmentation of your udp packets.
09:33 < reiffert> fragmentation in the tcp containers.
09:34 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
09:34 < BasketCase_EEE> yeah, I know how to optimize networking I just hoped someone in here had already done it because it is pretty tedious with NFS
09:35 < reiffert> if you already know how to optimize networking, why dont you just start by now?
09:35 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:36 < BasketCase_EEE> as I said, I hoped someone had already figured it out and I am working on something else right now
09:39 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
09:40 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
09:50 < Bushmills> a friend of mine has done so, and got an impressive gain of transfer speed
10:09 -!- Dougy [i=doug@64.18.144.18] has quit [Remote closed the connection]
11:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:04 -!- xororand [n=xororand@unaffiliated/xororand] has quit []
11:10 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
11:23 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
11:54 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:00 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has quit [Connection timed out]
12:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
12:55 -!- BasketCase_EEE [n=kmk@140.207.27.24.cfl.res.rr.com] has quit ["Client exiting"]
12:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:39 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)]
13:41 -!- tjz [n=tjz@bb116-15-73-8.singnet.com.sg] has joined ##openvpn
14:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:25 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
14:43 -!- BasketCase_EEE [n=kmk@asylum.sanitarium.net] has joined ##openvpn
15:10 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:12 -!- troy__ is now known as troy-
16:38 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
16:38 < Vesayth> Hello! Is there anyone who can assist me in setting up an OpenVPN server on Ubuntu 8.10?
16:38 < krzie> what problem are you having...
16:38 < Vesayth> I've followed all the guides, and on some i have been able to connect with the client but I can't access anything on the network
16:39 < troy-> hello krzie
16:39 < krzie> by network you mean LAN or internet?
16:39 < krzie> sup troy
16:39 < Vesayth> LAN
16:39 < krzie> network behind the client?
16:39 < krzie> or behind the server
16:39 < Vesayth> For instance, I have a samba file server on this machine as well, and I want to be able to access it from outside of my local network
16:40 < troy-> krzie, messing with voip
16:40 < Vesayth> My machine is behind a Linksys router with DD-WRT firmware
16:40 < krzie> network behind the client?
16:40 < krzie> or behind the server
16:41 < Vesayth> let me start over, I want to be able to use my client machine (say, at my college campus)
16:41 < Vesayth> to be able to vpn in to my home network, and access the machines on it
16:41 < krzie> so the LAN is behind the server
16:41 < krzie> right...?
16:41 < Vesayth> yes
16:42 < krzie> ok, you using server config option in your config?
16:42 < Vesayth> I've used probably about 20 different configs floating around on guides, but they were all server configs yes
16:43 < krzie> just push a route
16:43 < krzie> whats the lan subnet behind the server?
16:44 < Vesayth> I think that's the part where I may be messing things up ^^
16:44 < Vesayth> My gateway is 192.168.1.1, and my server's local ip is 192.168.1.1
16:44 < Vesayth> subnet mask is 255.255.255.0
16:44 < Vesayth> err sorry
16:44 < krzie> you should change the subnet
16:44 < Vesayth> server local ip is 192.168.1.50
16:45 < krzie> with 192.168.1.x you cant use the lan from any network with that same very very common subnet
16:45 < Vesayth> in my config file I am using this line
16:45 < Vesayth> server 10.8.0.0 255.255.255.0
16:46 < krzie> right
16:46 < krzie> with 192.168.1.x you cant use the lan from any network with that same
16:46 < krzie> very very common subnet
16:46 < krzie> the client cant add a route to the lan behind the server if it already has a route for that for the lan its on
16:46 < krzie> and if it could it would get knocked offline
16:47 < Vesayth> So you're saying change the subnet on the router and not in the config file?
16:47 < krzie> but for the sake of answering the question now instead of waiting for you to fix that...
16:47 < krzie> push "route 192.168.1.0 255.255.255.0"
16:47 < krzie> yes, that is what im saying
16:47 < krzie> change your whole network to be on an uncommon LAN
16:48 < Vesayth> alright, give me a few moments to do that, thanks for your help thus far ^^
16:48 < krzie> yw
16:48 < Vesayth> should i change it to that 10.8.0.0 subnet?
16:49 < krzie> absolutely not
16:49 < krzie> just something less used
16:49 < krzie> like 192.168.74.x or something
16:50 < krzie> it must not be something that conflicts with a lan the client will or may connect from, it must also not be = to the VPN network
16:52 < krzie> then you tell the server to push a route to its lan to clients
16:53 -!- Vesayth1 [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
16:53 < Vesayth1> Alright I changed it to 192.168.10.
16:53 < Vesayth1> .0*
16:53 < Vesayth1> will that work?
16:54 < krzie> you tell me, i told you what you needed
16:54 < krzie> how could i know what lans you'll see
16:54 < krzie> i know seeing .1.x and .0.x is damn near guaranteed
16:55 < Vesayth1> ok, well assuming I use 192.168.10.0 (192.168.10.1 is my gateway)
16:55 < Vesayth1> I should push "route 192.168.10.0 255.255.255.0" correct?
16:55 < krzie> yes
16:56 < Vesayth1> awesome, I will see what I can do with this setup, thanks again
16:56 -!- Vesayth1 [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
17:06 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
17:11 -!- alami [n=up@unaffiliated/alami] has joined ##openvpn
18:58 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
19:00 < Vesayth> Hello all. I finally got my VPN setup working (thanks krzie). I have one more small thing I want to do. Is it possible to access the samba server through the vpn using the Samba netbios name? In other words, if I want to map a network drive, I want to be able to use \\servername\share instead of \\serverip\share
19:21 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
19:28 < krzie> yes
19:28 < krzie> you need a WINS server
19:28 < krzie> then the machine connecting needs to know to be using that WINS server (which can also be pushed to the client)
19:28 < krzie> !wins
19:28 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
19:28 < Vesayth> I have a wins server
19:29 < krzie> cool, use it ;]
19:29 < Vesayth> If I'm connecting the machine to my network at home (without the vpn) the netbios name resolves as normal
19:29 < Vesayth> it's just not doing it with this vpn connection ^^
19:29 < krzie> because the client machine isnt using the wins server when connecting from remote
19:29 < krzie> its a dhcp-option
19:29 < krzie> !man
19:29 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:30 < Vesayth> I'll look into it! thanks ^^
19:30 < krzie> --dhcp-option
19:33 < krzie> yw =]
19:34 < alami> krzie: any way to connect with pptp vpn server with openvpn?
19:34 < krzie> !notcompat
19:34 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
19:35 < alami> alright, thanks
19:35 < krzie> np
19:36 < alami> the manual in the man page is too big, can i have any small guide to configure openvpn?
19:37 < krzie> its big because theres a lot to it
19:37 < krzie> !sample
19:37 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
19:37 < krzie> for a very basic setup that should work out
19:37 < alami> thanks
19:39 < krzie> np
19:39 < krzie> !man
19:39 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:39 < krzie> i recommend reading about each of those options
19:41 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
20:08 -!- mRCUTEO [n=IRCLUNAT@118.100.168.105] has joined ##openvpn
20:17 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:26 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
20:35 -!- troy- [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
20:43 -!- mRCUTEO [n=IRCLUNAT@118.100.168.105] has quit [Read error: 110 (Connection timed out)]
20:47 -!- albech_ [n=albech@58.147.47.215] has quit [Remote closed the connection]
20:53 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
20:53 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
22:06 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
22:43 -!- BasketCase_EEE [n=kmk@asylum.sanitarium.net] has left ##openvpn ["Client exiting"]
22:51 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
22:52 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
23:13 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
23:31 -!- albech [n=albech@119.42.76.61] has quit [Read error: 60 (Operation timed out)]
23:39 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
23:39 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
23:45 -!- albech [n=albech@58.147.47.215] has joined ##openvpn
--- Day changed Sun May 17 2009
00:19 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has joined ##openvpn
00:20 < Digital7> If I create an OpenVPN server in Linux, do all of the client machines need to have OpenVPN installed, or can they simply use the built-in Windows VPN connection client?
00:29 < Digital7> Anyone?
00:35 -!- Digital71 [n=Owner@207-119-9-196.dyn.centurytel.net] has joined ##openvpn
00:38 -!- floyd_n_milan_ is now known as floyd_n_milan
00:52 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has quit [Read error: 110 (Connection timed out)]
01:00 -!- Digital71 [n=Owner@207-119-9-196.dyn.centurytel.net] has quit [Read error: 110 (Connection timed out)]
01:13 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
01:39 -!- ddpd2 [n=ddpd2@211.208.147.205] has joined ##openvpn
01:39 < ddpd2> !howto
01:39 < vpnHelper> ddpd2: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:39 < ddpd2> Hi folks!
01:40 < ddpd2> Anyone here familiar with installing/configuring an OpenVPN server on OSX?
01:46 < ddpd2> Most specifically, configuring those darn certificate files. I just can't for the life of me find a way to configure these suckers
01:47 -!- master_of_master [i=master_o@p549D39CF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D394E.dip.t-dialin.net] has joined ##openvpn
02:07 -!- ddpd2 [n=ddpd2@211.208.147.205] has quit [Read error: 110 (Connection timed out)]
03:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:42 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
03:43 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
03:45 -!- gallatin [n=gallatin@dslb-092-073-113-033.pools.arcor-ip.net] has joined ##OpenVPN
03:47 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
04:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
04:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
04:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
05:25 -!- gallatin [n=gallatin@dslb-092-073-113-033.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
05:55 -!- simontwo [n=simon@cl-79.cph-01.dk.sixxs.net] has joined ##openvpn
05:57 < simontwo> hi. I get the error SIOCADDRT: File exists
05:58 < reiffert> means you try to add a route that already exists.
05:59 < simontwo> I had my LAN on 192.168.2.0/24, but I just moved that to .3. maybe my Linux is caching that?
05:59 < theDoc> Maybe:)
06:00 < simontwo> I restarted the box, though. hrm, *digs on*
06:01 < reiffert> bullshit.
06:02 < simontwo> huh?
06:06 < simontwo> $ route | grep 192.168.2
06:06 < simontwo> 192.168.2.5 * 255.255.255.255 UH 0 0 0 tun0
06:06 < simontwo> 192.168.2.0 192.168.2.5 255.255.255.0 UG 0 0 0 tun0
06:44 -!- simontwo [n=simon@cl-79.cph-01.dk.sixxs.net] has quit ["If there's one thing you can say about mankind, there's nothing kind about man."]
06:57 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
07:01 -!- albech [n=albech@58.147.47.215] has quit ["Leaving"]
07:27 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
07:33 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
08:02 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
08:03 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
08:21 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
08:22 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:14 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:36 -!- eightfold [n=qwerty@85.249.223.23] has joined ##openvpn
09:37 < eightfold> is it possible to only go through a vpn in certain programs (like a traditional socks proxy), or is it always system wide. this is in windows xp, but also on os x.
09:37 < eightfold> ?
09:48 < reiffert> openvpn creates an interface. Normal firewalling and routing rules apply.
10:07 < Bushmills> means, if you can direct some traffic to one, and other to another ip address, some can go through openvpn, and some won't
10:09 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
10:10 < Bushmills> there isn't never a time for not no coffee
10:10 < reiffert> :)
10:20 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
10:22 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 60 (Operation timed out)]
10:25 < Bushmills> bots flying like dice
10:25 < Bushmills> ehm
10:26 < Bushmills> dying like flies
10:36 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)]
10:42 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 60 (Operation timed out)]
10:48 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
11:52 -!- alami_ [n=up@p57A7595E.dip.t-dialin.net] has joined ##openvpn
11:52 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has joined ##openvpn
11:52 < Digital7> If I create an OpenVPN server in Linux, do all of the client machines need to have OpenVPN installed, or can they simply use the built-in Windows VPN connection client?
11:58 < reiffert> OpenVPN requires OpenVPN.
12:03 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 110 (Connection timed out)]
12:08 < Digital7> reiffert: thanks
12:14 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
12:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:15 -!- troy__ [i=troy-wht@72.37.245.28] has joined ##openvpn
12:16 < Bushmills> Digital7, they don't all need openvpn installed
12:17 < Bushmills> one openvpn client machine on your local net which serves as gateway to a remote openvpn server would work..
12:29 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:39 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
12:42 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:43 -!- troy__ is now known as troy-
13:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:23 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has joined ##openvpn
13:43 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
13:51 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has joined ##openvpn
13:54 < Digital7> Bushmills: interesting concept -- do you mean by sharing that network?
13:55 < pekster> Sure. You can have any system on a network act as a gateway to another network (or networks) by establishing a VPN and then having clients route through that local host
13:56 < Bushmills> i mean, on a gateway which sits on your LAN, and can be accessed by your local machines. what do you mean by "sharing"?
13:56 < pekster> It doesn't even need to be the gateway :)
13:56 < Bushmills> as gateway to vpn.
13:57 < pekster> Ah, yes, in that sense it is a gateway, but it could be different from the network's default gateway if it was desirable
13:57 < Bushmills> agree, you can have multiple gateways
13:57 < pekster> The advantage there is that you only need 1 VPN tunnel and can offer network access to any client machines set up with a route to that VPN gateway
14:14 -!- rio [n=rio@eta-ori.net] has joined ##openvpn
14:15 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
14:17 < rio> hi, my client and server configs are http://gist.github.com/113118 http://gist.github.com/113119 - my client gets some weird routes: http://gist.github.com/113122
14:17 < rio> what is this .5-address?
14:18 < reiffert> !net30
14:19 < rio> the .5 doesn't respond to pings
14:19 < x29a> is some bot supposed to jump in on the net30 trigger?
14:20 < pekster> .5 won't respond to pings; it's part of a /30 subnet allocated for tun setups (that aren't using the "--topology subnet" directive) to maintain compatibility for Windows & *nix clients without newer ifconfig support
14:21 < pekster> .6 won't respond to pings either, but .1 will, which is the "real" IP of the VPN peer
14:21 < reiffert> x29a: the bot is called vpnhelper, and it looks like it's gone. On the other hand pekster acts as a replacement.
14:21 < rio> .6 is me, that responds of course
14:21 < pekster> If all your clients are going to be OpenVPN 2.1 series clients you might consider using the subnet topology since you don't waste a /30 for each connecting client
14:22 < pekster> (and the server, of course)
14:22 < rio> okay, now .1 responds fine, it wasn't responding, so it works now, thanks :)
14:22 < pekster> Of course, if you have the IP space to waste it really doesn't matter :P
14:23 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has quit ["Leaving."]
14:32 -!- epaphus [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"]
14:33 -!- Eragon [n=unix3@201.199.62.74] has joined ##openvpn
14:34 < Eragon> Hello.. I have set up a vpnserver, and a VPN client with redirect-gateway. It works perfect.. however when I try to browse the neighbor servers in the /24 network of my openvpnserver....... it seems packets get lost.. anybody know why?
14:35 < pekster> Eragon: What type of browsing are we talking about? Is this Windows file-sharing, aka NBNS or CIFS/SMB?
14:36 < Eragon> Sorry for not being specific, no filesharing. No windows specific protocols.. just a plain ping would fail
14:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:38 < pekster> Eragon: For packets to make it to the remote network and back you'll need a few things.
1) A route pushed to VPN clients for the remote network via the VPN server. 2) A return-route on the destination system on the remote network so the packets from VPN clients can be routed back. 3) All involved routers to be routing the traffic and have firewall rules to allow it
14:38 < pekster> In place of #2 you could also SNAT the packets from VPN clients on the LAN IP of the VPN peer on your remote network if setting up bi-directional routing is not desirable
14:40 < Eragon> I have #1 and #2.. everything works.. just that i can't send packets to the openvpnserver's /24 public network
14:42 < pekster> Try tracing the flow of the packets then. If you tcpdump on the target system do you see the ICMP request? And then check for a reply and see if it's sent, and so on
14:46 < Eragon> pekster, i'll do that... it's the first time i use tcpdump.. is there a more practical way of filtering from a specific IP?
14:46 < Eragon> too much data
14:46 < pekster> If you want to check pings, try 'tcpdump -i $your_interface icmp'
14:48 -!- Gnoxter1 [n=gnoxter@252-236-dsl.kielnet.net] has joined ##openvpn
14:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
14:50 -!- rio [n=rio@eta-ori.net] has left ##openvpn []
14:53 < Eragon> pekster, hmm... it seems that tcpdump doesn't register any ICMP packets when I ping a neighbor
14:53 < Eragon> when i ping yahoo it does though, or anything else
14:53 < pekster> Let's back up a step here. By "neighbor" are you referring to another host on the public Internet side of the vpn server?
14:54 < pekster> Or the private LAN side?
14:55 < Eragon> public side of the internet of the vpn server
14:55 < Eragon> if i do a traceroute to a neighbor, it says the packet reaches the endpoint (10.0.1.1) but then it's lost
14:55 < pekster> You'll need to NAT the packets to the public IP of the vpn server then, so ensure the rules are set up to do that from the VPN interface and/or IP range
14:56 < Eragon> yup, this is what i have:
14:56 < pekster> You might also consider using a proxy instead of redirect-gateway if it meets your needs since that's a bit simpler
14:56 < pekster> Well, simpler in the sense that not all traffic goes to the VPN server, only traffic configured to use the proxy
14:57 < Eragon> nat on re0 inet from 10.0.1.0/24 to any -> 78.46.79.226
14:57 < Eragon> for now i'd prefer to set this up correctly.. :)
14:57 < Eragon> i think the problem is exactly on that line hmm
14:57 < pekster> Are you also allowing the forwarded traffic in the firewall? (ipf, or whatever you're using)
14:58 < pekster> That line looks correct (with my rather limited knowledge of ipnat) assuming re0 is your public interface
14:58 < Eragon> correct
14:58 < Eragon> hmm
14:59 < pekster> If you dump packets on re0 (again, probably just icmp packets) do you see the request for google but not for the neighbor?
14:59 < Eragon> pekster, exactly
14:59 < pekster> Sounds like a firewall issue to me
14:59 -!- Gnoxter1 [n=gnoxter@252-236-dsl.kielnet.net] has left ##openvpn ["Leaving."]
14:59 < pekster> What about dumping on the tun interface?
14:59 < pekster> (on the server)
14:59 < Eragon> good point, let me see
15:01 < Eragon> 22:02:10.680601 10.0.1.10 > 78.46.79.230: icmp: echo request
15:01 < Eragon> 22:02:10.680616 10.0.1.1 > 10.0.1.10: icmp: host 78.46.79.211 unreachable
15:01 < Eragon> that's the prob..
15:02 < pekster> The client should have displayed that message, assuming the client firewall (the one sending the pings) is improperly blocking that
15:02 < pekster> It's a rather important message :)
15:02 < pekster> isn't improperly blocking, that is
15:02 < Eragon> yeah, again if i ping anything else in the world.. 22:02:10.680601 10.0.1.10 > 78.46.79.230: icmp: echo request
15:02 < Eragon> 22:02:10.680616 10.0.1.1 > 10.0.1.10: icmp: host 78.46.79.230 unreachable
15:03 < Eragon> err
15:03 < Eragon> 22:03:47.671673 10.0.1.10 > 143.166.224.244: icmp: echo request
15:03 < Eragon> 22:03:47.821372 143.166.224.244 > 10.0.1.10: icmp: echo reply (DF) [tos 0x20]
15:03 < Eragon> goes fine
15:03 < Eragon> so yes, something in the firewall
15:03 < Eragon> i just don't know what
15:03 < pekster> That host-unreach message could mean that the host in question is offline and not responding to the ARP request since it's on the same subnet as your vpnserver
15:04 < Eragon> it's online
15:04 < pekster> You can ping that same IP from the vpnserver directly?
15:04 < Eragon> double checking..
15:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:05 < Eragon> woah..!! i cannot
15:05 < pekster> So the host really is offline
15:05 < Eragon> offline to its neighbor..
15:05 < Eragon> but to me from a remote location it isn't
15:05 < Eragon> :)
15:07 < Eragon> so the problem is not on the openvpnserver/client.. it's actually a firewall in the neighbots
15:07 < Eragon> neighbors
15:08 < Eragon> pekster, thank you for your kind help
15:09 < pekster> host-unreachable usually means that the last-hop router (ie: your vpn server) couldn't get an ARP reply from the host.
Given that your server is on the same public-IP subnet, that probably shouldn't be happening if the host is really up, but at any rate it's not an OpenVPN problem
15:09 < pekster> Sure
15:09 < pekster> For clarification, I base my above statement on the fact that the host-unreach reply came from the vpn server's IP, not the host in question
15:13 < reiffert> !firewall
15:14 < Eragon> pekster, you mean from the vpnserver gateway
15:15 < Eragon> or router
15:15 < Eragon> :)
15:15 < pekster> The vpn server. The line '10.0.1.1 > 10.0.1.10: icmp: host 78.46.79.230 unreachable' shows that 10.0.1.1 was unable to contact the specified host
15:16 < pekster> Technically a firewall on that box could also have sent a host-unreach reply, but you would have had to request that behavior and would probably remember doing so
15:16 < pekster> (it would be rather broken to do that in any normal configuration)
15:17 < Bushmills> pekster, was the specified host 10.0.1.10 or 78.46.79.230?
15:19 < Bushmills> also note that hetzner (your host) sets up a netmask of 255.255.255.255, not 255.255.255.0
15:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
15:20 < pekster> Specified host? He (or so I presume from the nick) is trying to ping the .230 address from the 10.0.1.10 VPN client
15:22 < Bushmills> do, on the vpn server machine, ifconfig eth0, and look for Mask
15:23 < pekster> It's re0 for the public side
15:24 < pekster> And the public netmask cannot be /32 because that would imply no routing access :). He can get to google, so it's a /30 at the very least
15:24 < Bushmills> freebsd?
15:24 < pekster> (if an ISP issued /30's to customers they ought to be shot as well)
15:24 < pekster> Some BSD I presume given re0 and the use of ipnat
15:25 < Bushmills> and it can be /32, with pointtopoint gateway configuration
15:26 < pekster> True, but then it would be highly unlikely to get a host-unreach back
15:26 < Bushmills> anyway, hetzner usually does not provide machines with /24.
unless you have changed it, you probably don't have a /24 neighbourhood
15:28 < reiffert> http://www.youtube.com/watch?v=N7IZmRnAo6s
15:31 < Bushmills> reiffert, look at the shadow on the wall, looks like this is not only the result of music
15:32 < Bushmills> starting at about 1:40
15:33 < Bushmills> at 2:15 it becomes very obvious
15:35 -!- Eragon [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
15:38 < reiffert> after all it's the bird that is dancing :)
15:54 -!- epaphus [n=unix3@201.199.62.74] has quit [Connection timed out]
16:09 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has joined ##openvpn
16:10 -!- xororand [n=xororand@2001:5c0:1501:f900:0:0:0:1] has joined ##openvpn
16:13 < xororand> how can you push IPv6 addresses to the VPN clients? i'm using --server for IPv4.
16:15 < xororand> nevermind. i found http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en
16:30 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has quit [" got rick rolled"]
16:40 -!- brzfw [n=qwerty@c213-89-114-114.bredband.comhem.se] has joined ##openvpn
16:41 -!- brzfw [n=qwerty@c213-89-114-114.bredband.comhem.se] has left ##openvpn []
16:47 -!- eightfold [n=qwerty@85.249.223.23] has quit [Read error: 60 (Operation timed out)]
16:49 < x29a> hey there, i want to use openvpn on a nokia n810 with maemo running. the version is 2.0.1 and it claims it can't find the default gw so it can change it to the one i push. fine. compiling a new version is out of my scope so i want to manually add my routes, how would i get the ip of the server running openvpn? it's not $4 or $5
17:00 -!- x29a [n=x29a@unaffiliated/x29a] has quit ["tiuQ"]
17:22 -!- rio [n=rio@eta-ori.net] has joined ##openvpn
17:23 < rio> using redirect-gateway, openvpn can't find the default route when the route is using dev ppp0
17:23 < rio> is this a known problem?
17:24 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
17:25 < rio> hi
17:25 < x29a> hi
17:29 -!- troy- [i=troy-wht@72.37.245.28] has quit [Read error: 110 (Connection timed out)]
17:29 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Read error: 104 (Connection reset by peer)]
17:43 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
17:54 -!- tin0x3cc [n=tin0x3cc@caiqin.tonghua.li] has joined ##openvpn
17:55 < tin0x3cc> hello
17:55 < tin0x3cc> I just set up an openvpn server on a Linode, but once I'm connected to it (using Viscosity on OSX), I get extremely slow transfer speeds. What could be the problem?
17:56 < tin0x3cc> an ssh tunnel gives me 600KB/s throughput, while the ovpn connection painfully reaches a very unstable 90KB/s
17:57 < x29a> tin0x3cc: tun/tap?
17:57 < tin0x3cc> both
17:57 < tin0x3cc> oh sorry
17:57 < tin0x3cc> tun
17:57 < tin0x3cc> but both udp and tcp are slow
17:58 < tin0x3cc> tried a few different ciphers also, which had no effect at all.
17:58 < tin0x3cc> !redirect
18:00 < tin0x3cc> I also played with a few tun settings like tun-mtu, fragment, but that had extremely limited effect
18:00 < tin0x3cc> what could be the problem?
18:02 < x29a> what's the cpu load on your "linode"?
18:04 < tin0x3cc> mostly idle really
18:06 < x29a> hm, dunno
18:06 < x29a> i'm actually new to openvpn and struggling myself
18:07 < tin0x3cc> the setup was pretty simple, really can't understand why the thing is so slow
18:08 < x29a> is the server dropping a lot?
18:08 < x29a> do you have verbose mode on?
18:08 < tin0x3cc> i don't.
let me try that
18:14 -!- tin0x3cc [n=tin0x3cc@caiqin.tonghua.li] has left ##openvpn []
18:17 < Bushmills> x29a, you can let a connection script run, which can read the information you seek from environment variables
18:19 < x29a> Bushmills: yeah, that's what i'm doing, i'm using up/down scripts, but the problem is somewhere deeper as it seems
18:19 < x29a> Bushmills: i'm on a ppp0 (umts) connection
18:19 < x29a> research shows that that's a problematic setup
18:20 < Bushmills> x29a, that's ppp up/down scripts? or openvpn client connect scripts?
18:20 < x29a> i can't take the ppp0 default gw and replace it with tun since then the umts is not available and therefore no vpn is there
18:20 < x29a> Bushmills: openvpn
18:20 < x29a> up ./manual-routes.sh
18:20 < x29a> but the connection is over umts which makes a ppp0 device
18:21 < x29a> everything works fine when using wlan0
18:24 < x29a> when not assigning a new default route i can ping within the vpn but traffic goes "the normal way"
18:24 < Bushmills> x29a, did you try redirect-gateway in client config?
18:25 < Bushmills> (assuming you intended to run all your traffic through vpn server)
18:27 < Bushmills> seems more a ppp connection/client configuration problem, which doesn't add the gateway as default route, nothing openvpn specific, right?
18:29 < x29a> Bushmills: yes, but it says it can't find the gateway to replace
18:29 < x29a> Bushmills: no, it works perfectly fine without openvpn
18:30 < Bushmills> does your gateway happen to be 10.64.64.64?
18:30 < x29a> why?
18:30 < Bushmills> mine is, when connecting through umts
18:31 < Bushmills> to compare setups
18:31 < x29a> lemme check
18:31 < x29a> 10.6.6.6
18:31 < x29a> Bushmills: so you are running openvpn through umts?
18:32 < Bushmills> yes
18:32 < x29a> lemme paste my config
18:33 < Bushmills> doing nothing special.
just pppd call connectscript for establishing config, and using redirect-gateway on vpn client
18:34 < Bushmills> but otoh, the gateway i use is added to route, as default, when connected
18:34 < x29a> how?
18:35 < Bushmills> using replacedefaultroute in connect script
18:35 < x29a> hm
18:35 < x29a> NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
18:35 < Bushmills> i have these in script:
18:35 < Bushmills> replacedefaultroute
18:35 < Bushmills> defaultroute
18:36 < x29a> in your ppp script, right?
18:36 < Bushmills> actually, ppp config, not script. to avoid confusion with the chat script executed on connect
18:37 < Bushmills> in the config in /etc/ppp/peers/
18:38 < x29a> i'm too tired now, thanks for your help, i'll have to investigate later
18:38 < Bushmills> np
18:39 < x29a> i don't get it, it's just openvpn refusing to replace my ppp0 default route properly
18:39 < Bushmills> it sounded as if there wasn't any, therefore nothing to replace
18:39 < x29a> can you paste me your "ip r" or "route -n" whilst connected and in vpn-tunnel?
18:40 < x29a> since it's only a routing issue, so i can compare and maybe set it up manually
18:40 < Bushmills> yes, but another time. right now i'm connected through cable
18:40 < x29a> yeah, i'll be around
18:40 < x29a> so thanks again, take care
18:40 < Bushmills> u2
18:57 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
19:14 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
19:14 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
19:14 -!- troy__ [i=troy-fre@72.37.245.28] has joined ##openvpn
19:22 -!- sond [n=sond@203-184-54-221.callplus.net.nz] has joined ##openvpn
19:30 < sond> anyone home ?
19:35 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:40 -!- sond [n=sond@203-184-54-221.callplus.net.nz] has quit ["Leaving"]
19:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
19:47 -!- epaphus [n=unix3@ip29-33-241-190.ct.co.cr] has joined ##openvpn
19:49 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:49 < Dougy> krzie
19:54 < Dougy> there?
20:00 -!- x29a_ [n=x29a@unaffiliated/x29a] has joined ##openvpn
20:06 < Dougy> nop
20:06 < Dougy> o sign of te foo
20:12 -!- epaphus [n=unix3@ip29-33-241-190.ct.co.cr] has quit ["Leaving"]
20:16 -!- x29a [n=x29a@unaffiliated/x29a] has quit [Read error: 110 (Connection timed out)]
21:00 < Dougy> blah
21:00 < Dougy> ecrist: you still around ?
21:01 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:39 -!- ylon [n=ylon@rrcs-74-218-223-178.central.biz.rr.com] has joined ##openvpn
21:40 < ylon> just configured openvpn-bridge mode and am running into an error
21:40 < ylon> Cannot load private key file priv/key.pem
21:40 < ylon> ...
21:40 < ylon> Error: private key password verification failed
21:40 < ylon> and then it exits
21:40 < ylon> i need some assistance urgently on this issue if anyone around could advise
21:43 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:43 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:44 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:45 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:46 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:46 < ylon> hello?
21:47 < ylon> the contents of /etc/openvpn/bridge/priv/key.pem seem fine
21:47 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:48 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:49 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:50 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:52 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:54 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:58 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
21:59 < ylon> anyone?
22:00 < ylon> very desperate here on a timeframe
23:15 -!- Wofl [n=nils@ip68-97-12-78.ok.ok.cox.net] has joined ##openvpn
23:15 < Wofl> hey guys, i am somewhat confused when it comes to ethernet bridging
23:25 -!- ylon [n=ylon@rrcs-74-218-223-178.central.biz.rr.com] has quit []
23:37 -!- albech [n=albech@119.42.76.61] has quit [Read error: 60 (Operation timed out)]
23:51 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
--- Day changed Mon May 18 2009
00:14 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:48 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."]
00:48 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:14 -!- Wofl [n=nils@ip68-97-12-78.ok.ok.cox.net] has quit [Remote closed the connection]
01:31 -!- troy__ [i=troy-fre@72.37.245.28] has quit ["Leaving"]
01:39 -!- endschranz [n=endschra@mail.htl-vil.ac.at] has joined ##openvpn
01:40 < endschranz> Hi, I am using openvpn with a bridged network, can I set two dns servers, one for my home network, one for the other?
01:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:47 -!- master_of_master [i=master_o@p549D394E.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D358C.dip.t-dialin.net] has joined ##openvpn
01:50 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
01:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
01:52 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
01:59 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
02:03 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
02:12 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:14 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:16 -!- albech [n=albech@119.42.76.61] has quit [Read error: 113 (No route to host)]
02:19 -!- celsiux [n=Nullesd@189.152.145.84] has joined ##openvpn
02:19 -!- celsiux [n=Nullesd@189.152.145.84] has left ##openvpn []
02:34 < Bushmills> endschranz, just the same as if you used a wire instead of openvpn
02:46 < endschranz> Bushmills: ok thx
02:47 < endschranz> is there a tool to quickly revoke clients and add them again later?
02:48 < x29a_> Bushmills: hey there, good morning. could you lead me to understanding the routing layout?
02:48 -!- x29a_ is now known as x29a
02:48 < Bushmills> i could try after a coffee
02:49 < x29a> sure, no rush, i'll be around
02:51 < Bushmills> endschranz, mv client_key somewhere_else_to should do (unless already connected)
02:54 -!- albech [n=albech@119.42.76.165] has joined ##openvpn
02:55 < endschranz> Bushmills: trying
02:59 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
03:08 -!- alami_ [n=up@unaffiliated/alami] has quit []
03:10 < endschranz> Bushmills, doesn't seem to work
03:12 < Bushmills> what file did you move?
03:12 < endschranz> client.key to somewhere
03:13 < Bushmills> that's the private key, which should only be on the client machine.
03:13 < Bushmills> try moving the associated .pem file
03:14 < Bushmills> #
03:14 < endschranz> is there a system which client is associated to a pem?
03:15 < Bushmills> yes, an index file
03:16 < Bushmills> index.txt in your keys directory (assuming easy-rsa)
03:17 < endschranz> Bushmills: thx works like a charm
03:17 < Bushmills> great
03:17 < endschranz> hm strange i could reconnect
03:18 < Bushmills> not so great
03:18 < endschranz> do i have to restart the daemon?
03:18 < Bushmills> i wouldn't have thought so
03:24 < endschranz> hm strange
03:24 -!- mikeage [n=mmiller@mikeage.net] has joined ##openvpn
03:26 < endschranz> i removed the pem the key and the crt
03:26 < endschranz> and i can still connect
03:26 < Bushmills> that's rather surprising
03:26 < mikeage> Are there any known issues using dev tap and a routed (server x.x.x.x) configuration instead of bridged? I'm having a lot of trouble getting routing from my openvpn clients to the internet via the openvpn server....
03:27 < Bushmills> mikeage, http://scarydevilmonastery.net/masq
03:28 < mikeage> bushmills: I did that, but it's not helping. do you have a few minutes?
03:28 < Bushmills> mikeage, nobody knows when his time has come
03:29 < mikeage> lol. can I take that as a yes?
03:29 < Bushmills> just try. if i'm around, i might answer.
03:29 -!- albech [n=albech@119.42.76.165] has quit [Read error: 60 (Operation timed out)]
03:31 < mikeage> ok. I'm trying to set up a VPN between a bunch of random machines floating around on the internet and a server, which is a VPS hosted in the US. My server has one physical interface, eth0, with a public IP address. I'm using a routed config for openvpn, on the 192.168.2.x subnet. Originally, I was using dev tun, but I switched to tap since I found the allocation of a /30 to each machine to be a bit of a headache.
My clients can connect to the server just f
03:32 < mikeage> however, I'm trying to forward certain packets (not all traffic) from the clients to its final destination via the openvpn server, using iptables and ip route
03:33 < mikeage> the packets reach the server, and appear to be sent out to the internet, but they don't seem to be returned. furthermore, their source address is not 192.168.2.x, but the actual IP they got in their own subnet (e.g., 192.168.1.100)
03:33 < reiffert> are you using openvpn 2.0.9 or 2.1_r15?
03:33 < Bushmills> "using a routed config" - "Originally, I was using tun" - "switched to tap" sounds a bit like a contradiction to me
03:33 < mikeage> 2.1_r15
03:34 < mikeage> well, I have a line in my config file "server 192.168.2.0 255.255.255.0"
03:34 < reiffert> mikeage: read up the manpage, especially --topology and change that behaviour. After that, switch back to dev tun.
03:34 < mikeage> not server-bridge
03:35 < mikeage> I have no real objection to dev tun, but I found that remembering which IP address (of the 4 on the /30) to use to be somewhat annoying
03:35 < Bushmills> "source address is not 192.168.2.x, but the actual IP they got in their own subnet" indicates the packets are not NATted
03:35 < mikeage> do I need to NAT twice: once from 192.168.1.x to 192.168.2.x, and then once to the public IP?
03:35 < mikeage> s/2.x/2.1/
03:36 < reiffert> mikeage: man page --topology
03:36 < mikeage> ok... if you said it twice, I probably should try :) here goes....
03:36 < Bushmills> "remembering which IP address" that's what DNS are for. or look in ccd or openvpn-status.log
03:37 < Bushmills> moin reiffert
03:37 < reiffert> moin
03:37 < Bushmills> early
03:38 < reiffert> early?
03:38 < mikeage> bushmills -- I wasn't sure how to integrate the ip allocations from openvpn (either dynamic or via ipp) with DHCP, and I figured I'd tackle that one later. in the meantime, I'm going to try the topology options....
subnet looks promising
03:38 < Bushmills> i'm not used to seeing you that early in the morning
03:39 < reiffert> Bushmills: although I'm up from 8 regularly
03:39 < reiffert> mikeage: man page --topology
03:39 < mikeage> thanks for the help; I'll be back
03:39 < Bushmills> mikeage, "DHCP" - use a different subnet for openvpn clients, no need for dhcp or avoiding conflicts with it
03:40 < Bushmills> ah. that's a leftover from bridged config
03:42 < Bushmills> reiffert, do you observe some kind of brain lag that early?
03:43 < reiffert> ?
03:43 -!- albech [n=albech@119.42.76.165] has joined ##openvpn
03:43 < Bushmills> asking, because i do. it's quite funny actually, monitoring that.
03:44 < Bushmills> two separate phases detected so far.
03:44 < Bushmills> first is when words are converted to meaning.
03:46 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
03:47 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
03:51 -!- floyd_n_milan_ is now known as floyd_n_milan
03:54 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:56 < endschranz> Bushmills: any idea why blocking doesn't work?
03:56 < Bushmills> not really, no.
03:57 < Bushmills> sounds a bit like "i changed the lock but i still can get in"
03:57 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn
03:58 < endschranz> :)
03:58 < mazzachre> Will a "Hi/fn 7955" chip help the performance of openvpn?
04:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
04:02 -!- albech [n=albech@119.42.76.165] has quit ["Leaving"]
04:10 -!- mikeage1 [n=mmiller@mikeage.net] has joined ##openvpn
04:10 -!- mikeage [n=mmiller@mikeage.net] has quit [Nick collision from services.]
04:11 -!- mikeage1 is now known as mikeage
04:12 < mazzachre> Anybody who has a clue? As I am about to order some boxes, either with or without these chips... plz!
04:14 < krzee> no clue here
04:14 < krzee> you plan on having a ton of connections?
04:14 < mazzachre> No... probably 2... But on a 500MHz Geode processor
04:18 < Bushmills> mazzachre, openvpn uses ssl. so if ssl supports the 7955 (which seems it does), so should openvpn
04:18 < krzee> 500mhz is more than fine for 2 clients
04:18 < krzee> and what Bushmills said ;]
04:19 < mazzachre> OK... thx... I will check the load of the machines and add the card if necessary... (only problem is that it is about 12 hours in flight and car to get to one of the boxes...)
04:20 < endschranz> Is there a good method to temporarily revoke a client's crt?
04:33 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:39 < mikeage> wow... that worked!
04:39 < mikeage> thanks a lot!
04:40 < krzee> endschranz, i believe it's disable in a ccd
04:40 < krzee> something like that
04:40 < krzee> !man
04:40 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:40 < endschranz> krzee: trying
04:41 < reiffert> ah, vpnHelper is back
04:41 < krzee> ya the box went down
04:42 < krzee> --disable
04:42 < krzee> Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead (see the --crl-verify option).
04:42 < krzee> This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.
04:42 < krzee> nice, i was right
04:42 < krzee> !ccd
04:42 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name
04:46 < Bushmills> krzee, openvpn config will need reload after changing options in ccd files, i reckon?
04:46 < krzee> negative
04:46 < Bushmills> ok
04:46 < krzee> ccd files are read on client connect
04:47 < Bushmills> " basically included into server.conf" was confusing
04:47 < krzee> could be a lang issue, makes perfect sense to me
04:48 < krzee> i'd ask my girlfriend who is lying by me but her english isn't very good
04:48 < endschranz> krzee: and how to block a client with ccd?
04:49 < krzee> in its ccd entry put the word disable
04:49 < endschranz> --ccd-exclusive ?
04:49 < Bushmills> don't worry. if it was confusing me, that doesn't mean that it will confuse anybody else.
04:49 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:49 < krzee> Bushmills, if you come up with a way to word it better without losing meaning feel free to tell me and i'll switch it
04:50 < krzee> endschranz, i even pasted the man entry
04:50 < endschranz> krzee: sry overlooked it
04:50 < krzee> -disable
04:50 < krzee> [05:42] Disable a particular client (based on the common name) from connecting. ...
04:50 < krzee> np =]
04:52 < Bushmills> !meta
04:52 < vpnHelper> Bushmills: Error: "meta" is not a valid command.
04:53 < Bushmills> !meta is 'is "is asking a metaquestion a metaquestion?" a metaquestion?'
04:53 < vpnHelper> Bushmills: Error: "meta" is not a valid command.
04:54 < Bushmills> hrmpf
04:54 < endschranz> krzee: thx works like expected
04:54 -!- endschranz [n=endschra@mail.htl-vil.ac.at] has quit []
05:00 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has joined ##openvpn
05:16 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
05:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:04 -!- tekk [n=me@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has joined ##openvpn
06:04 < tekk> hey guys, i have a quick question, whenever i connect a client to my vpn they are always assigned the same ip, so if i connect 2 clients to the same server, the first one stops working when the second connects
06:04 < tekk> they are both using the same client certificate, is that why?
06:05 < tekk> server 10.1.1.0 255.255.255.0
06:05 < tekk> they all get 10.1.1.6
06:05 < Bushmills> tekk, use different keys/certificate requests
06:06 < Bushmills> create on set for each client
06:06 < Bushmills> one
06:07 < tekk> ok thought so, thanks Bushmills
06:16 < krzee> reiffert, turns out my gigaswitch doesn't suck
06:16 < krzee> i get 60MB/s between my macbook pro and my hackintosh
06:16 < krzee> so i blame the realtek chipset and freebsd 8's support of it
06:30 < tekk> ok, i signed a new client cert using ./build-key client2
06:30 < tekk> but same problem still exists
06:34 < tekk> hmm, generated another cert once again and problem solved
06:34 < Bushmills> have you moved those to client?
06:34 < tekk> seems if i generate a cert with same fields, it has same value
06:34 < tekk> yea using scp
06:35 < Bushmills> ah, right.
the cn "common name" is needs to be client specific 06:37 < tekk> ah k 06:37 < tekk> thanks 06:56 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 06:58 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:04 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:05 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:06 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:07 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:08 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:09 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:10 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:11 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:12 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:13 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:14 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:15 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:30 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 08:00 -!- tekk [n=me@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has quit [Read error: 60 (Operation timed out)] 08:13 < ecrist> good morning, folks. 08:17 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has quit ["Leaving."] 08:22 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection] 08:23 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn 08:54 -!- mikeage [n=mmiller@mikeage.net] has quit [Nick collision from services.] 
08:54 -!- mikeage1 [n=mmiller@mikeage.net] has joined ##openvpn 08:54 -!- mikeage1 is now known as mikeage 09:09 < rio> &wc 09:09 < rio> whoops 09:09 -!- rio [n=rio@eta-ori.net] has left ##openvpn [] 09:13 -!- jeiworth [n=jeiworth@189.234.36.231] has joined ##openvpn 09:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:22 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has joined ##openvpn 09:22 < w00ted> !redirect 09:22 < vpnHelper> w00ted: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 09:23 < w00ted> !ipforwad 09:23 < vpnHelper> w00ted: Error: "ipforwad" is not a valid command. 09:23 < w00ted> !ipforward 09:23 < vpnHelper> w00ted: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 09:23 < w00ted> !def1 09:23 < vpnHelper> w00ted: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 09:23 < mikeage> !nat 09:23 < vpnHelper> mikeage: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 09:24 < mikeage> !linnat 09:24 < vpnHelper> mikeage: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 09:24 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 09:24 < w00ted> 09:24 < w00ted> hello, a question for the pros openvpn 09:25 < w00ted> 09:25 < w00ted> I openvpn server creates a connection between the client and the server running 09:25 < w00ted> against by my access to internet why? 09:26 < Bushmills> pardon? 09:27 < w00ted> huhu 09:27 < w00ted> speak french ? 09:27 < Bushmills> happen to 09:28 < ecrist> w00ted: are you trying to route internet traffic through your VPN? 09:29 < w00ted> 09:29 < w00ted> ping vers vpn est bon 09:29 < w00ted> ping -> vpn is good 09:29 < Bushmills> not a lot of other folks will understand. try english again 09:29 < w00ted> vpn -> client is good 09:29 < mikeage> Does anyone know why I can't forward traffic over my vpn using "ip route" and iptables to mark certain packets? it works just fine it I use "route add ...." 
09:30 < mikeage> log at http://pastebin.linode.com/2483 : I was trying to telnet to the remote site (74.125.45.100) on port 80 as a test, which is what the tcpdump shows 09:31 < ecrist> mikeage: what are you trying to forward, and how is it not working? 09:31 < mikeage> all port 80 traffic only 09:31 < mikeage> if I set up a route using route add -host etc, it works just fine 09:32 < mikeage> if I try and mark packets and then use ip route, it doesn't; I see a bunch of packets being sent from the remote site with the SYN flag set, but I don't see any ACK from my site 09:32 < mikeage> I suspect it's a NAT issue, not openvpn, but I'm not sure 09:32 < mikeage> the basic openvpn works just fine; I can access the server from the client w/o any problems 09:33 < ecrist> well, if you do this with policy-routing in the firewall, it should work. 09:33 < mikeage> in the log above, 192.168.2.x is the VPN, and 74.125.45.100 is a random site on the internet (google, actually) 09:33 < ecrist> not sure about all the 'marking' packet stuff 09:33 < mikeage> that's what I'm trying to do 09:33 < mikeage> how else do you do policy routing on linux? 09:33 < ecrist> firewall 09:33 < Bushmills> "can access the server from the client" .. that's no indication for NAT working fine 09:33 < mikeage> bushmills: right; it's an indication that openvpn is 09:34 < Bushmills> true 09:34 < mikeage> ecrist: what do you mean "firewall"? 09:34 < ecrist> um, firewall 09:35 < mikeage> right; firewalls don't just implement policy routing; you need some software... e.g., iptables, iproute2, etc 09:35 -!- albech [n=albech@119.42.76.165] has joined ##openvpn 09:36 < ecrist> not sure what your point is. 09:36 < ecrist> if you're doing it with iptables, it should work 09:36 < ecrist> we do that exact thing with pf here. 09:37 < Bushmills> mikeage, eliminate problem potential. does it NAT without packet marking? 09:37 < mikeage> you suggested I should do policy routing in the firewall. 
that's what I'm doing, using iptables and iproute2. but it (or something else) is not working... hence the question. 09:38 < mikeage> on the server, yes. if I use a route designated by route add -host etc, the packet gets sent through the openvpn server to the internet, and responses get back 09:39 < mikeage> I'm _also_ using NAT on the client, though, to make sure that the packets have a source address of 192.168.2.5 (my VPN addr) and not 192.168.1.100 (the address of eth0) 09:39 < Bushmills> how are marking of packets and adding a route related to each other? 09:40 < mikeage> that seemed a little strange, but without it, the packets went out with the wrong source addr, and the openvpn server didn't seem to know what to do with them responses 09:40 < mikeage> the route is dependant on the markings 09:40 < Bushmills> does the vpn server have a route even when you don't add one? 09:41 < mikeage> the vpn routers aren't affect; the route is on the client, to tell it to go via the server, instead of via the default gateway (which is on the local network) 09:42 < Bushmills> describe your problem in a text file, and upload it. there are too many variables seemingly affecting operation and preventing your setup to have the desired outcome 09:44 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection] 09:47 < Bushmills> mikeage, my feeling is, your setup is more complicated than needed, and that is biting you now. 09:47 < mikeage> could be; I'm writing up a summary. I'd love to simplify, but I haven't found the right way yet 09:48 -!- mikeage [n=mmiller@mikeage.net] has left ##openvpn ["Leaving."] 09:48 -!- mikeage [n=mmiller@mikeage.net] has joined ##openvpn 09:50 < Bushmills> for most cases, openvpn can conceptionally be replaced against two NICs and a cable. what works with one, works with the other. 09:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:54 < mikeage> any suggestions for a good place to put it? 
09:55 < Bushmills> http://pastebin.com 09:55 < mikeage> http://pastebin.com/d6f2f04f0 09:56 < mikeage> I actually have to sign off; I'm at work now, and about to leave. I'll try and sign back on when I get home (~ 1 hour). time flies when you're... well... not having fun, but really confused! 09:57 < Bushmills> why do you masquerade on the client? 09:57 < Bushmills> oh sorry. server that is. 09:57 < mikeage> I do both 09:58 < mikeage> without it, the source IPs on the outgoing packets are the local address (when using iproute2) 09:58 < mikeage> and the server doesn't forward them back properly 10:03 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: kala, carpe_ 10:04 -!- Netsplit over, joins: carpe_, kala 10:04 < Bushmills> mikeage, "I want to send web (port 80 and 443) traffic from the client to the internet via the openvpn server, but have all other traffic leave the client via the default route" - running a web proxy, such as squid, on the openvpn server machine, and tell your client to use openvpn server as proxy should simplify that 10:07 < Bushmills> making "If I set up a fixed route to an internet site, I can get to the internet via the vpn" unnecessary 10:09 < Bushmills> and "and just mark the packets intended for port 80, and port 443 (right now I'm just doing 80), and create a route just for them" that too 10:09 < Bushmills> and no NAT on client nor server needed 10:20 -!- mikeage [n=mmiller@mikeage.net] has quit [Remote closed the connection] 10:31 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has joined ##openvpn 10:32 < Wofl__> hey, i got some questions about ethernet bridgeing 10:33 < ecrist> we got some answers 10:48 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 10:56 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has joined ##openvpn 11:15 -!- mikeage [n=mmiller@mikeage.net] has joined ##openvpn 11:21 < mikeage> hi bushmills 11:22 < Bushmills> mikeage, do you have logs? 11:22 < mikeage> what kind of logs? 
I have the tcpdump there 11:22 < mikeage> I can create any others, if you think it would help 11:22 < Bushmills> irc logs 11:22 < mikeage> yes 11:23 < Bushmills> ok 11:24 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has quit ["Leaving."] 11:27 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 12:12 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection] 12:14 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:24 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 12:54 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 13:06 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"] 13:21 < reiffert> http://www69.wolframalpha.com/input/?i=gang+bang 13:21 < vpnHelper> Title: gang bang - Wolfram|Alpha (at www69.wolframalpha.com) 13:35 < w00ted> iop all 13:35 < w00ted> just question 13:35 < w00ted> warnig potential route subnet conflict between local lan 192.168.1.0/255.255.255.0 and remote vpn 192.168.1.0/255.255.255.0 ???? 13:36 -!- throughnothing [n=will@74.205.24.229] has joined ##openvpn 13:36 < throughnothing> is there dhcp.leases file or similar for the dhcp program that openvpn runs to assign ips dynamically to clients? 13:37 < ecrist> there are a couple files 13:37 < ecrist> !ip-order 13:37 < vpnHelper> ecrist: Error: "ip-order" is not a valid command. 13:37 < jeiworth> w00ted: are you by any chance routing and have configured the same ip subnet for the vpn-clients that you are already using in your lan? 13:37 < ecrist> !search factiods ip 13:37 < vpnHelper> ecrist: (search ) -- Searches for in the current configuration variables. 
13:37 < ecrist> !search ip 13:37 < vpnHelper> ecrist: supybot.commands.nested.pipeSyntax and supybot.externalIP 13:37 < ecrist> hrm 13:37 < ecrist> throughnothing: ipp, ccd 13:37 < throughnothing> ecrist: ? 13:37 < ecrist> if you're using tap, you can use a regular ol' dhcp, though 13:38 < throughnothing> im using tun 13:38 < ecrist> ok, ipp and cdd files 13:38 < Wofl__> ecrist: sorry, was gone for a while 13:38 < throughnothing> ecrist: sorry, but where are these files? 13:38 < ecrist> w00ted: you have conflicting address spaces, fix it 13:39 < throughnothing> ecrist: nm, thx 13:39 < ecrist> throughnothing: on the server 13:39 < Wofl__> anyways, so i want to bridge eth0 on the server with tap0 and have tap0 then be the vpn interface 13:39 < ecrist> sounds normal. 13:39 < throughnothing> ecrist: hmm, i have an /etc/openvpn/ipp.txt file but it is empty, i see no cdd file 13:39 < throughnothing> *ccd 13:39 < Wofl__> eth0 is configured to 192.168.2.123, vpn will be 10.x.x.x later on 13:40 < ecrist> ok 13:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:40 < Wofl__> when i create the bridge, eth0 loses its configuration, how do i set it all up then? 13:40 < ecrist> that's going to be somewhat based on what OS and kernel you're using 13:40 < ecrist> in FreeBSD, the config doesn't go away 13:41 < ecrist> in Linux, it might. 13:41 < Wofl__> gentoo linux, with 2.6.27 13:41 < ecrist> Wofl__: really, you should have a new bridge0 interface or something, I think, set the IP on that interface. 13:41 < Wofl__> set it to the old ip of the ethernet? 13:41 < ecrist> yep 13:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 13:41 < Wofl__> ok, hold on 13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:44 < throughnothing> ecrist: any idea why it would be empty? 13:44 < Wofl__> still unable to ping router 13:44 < ecrist> throughnothing: nope, I'm not your VPN admin 13:45 < ecrist> Wofl__: what are you expecting to ping? 
13:45 < ecrist> IOW, I've got a car, turned the key, but it won't start. I know it's the right key, though. 13:47 < Wofl__> the router the computer is connected via ethernet 13:48 < ecrist> you're not explaining, exactly, what you're trying to do. 13:49 < Wofl__> the router is connected to the server, and the server cannot ping the router. i think its the route messed up 13:50 < ecrist> ok, I'd look at the routing table, then. did the eth0 IP get removed at the same time tap0 was removed? 13:51 < ecrist> you're testing the ping from the server, right? 13:51 < ecrist> and when you bridged interfaces, you lost internet connectivity? 13:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 13:52 < Wofl__> yes, when i bridge, i lose the connection 13:52 < Wofl__> right now i am disabling them all, and then i will try to just bring up vr0 and have eth0 come up as a dependency 13:56 < Wofl__> it lists br0 as having the same ip as eth0 did before, but still no connection 13:56 < ecrist> firewall? 13:56 < ecrist> do you have ip_forward enabled? 13:58 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:59 < Wofl__> ah, got it working now, thanks 13:59 < Wofl__> was a combination of the ip_forward and the messed up route 13:59 < Wofl__> thanks again 13:59 < ecrist> np 14:02 < Wofl__> quick question, if i change smething in /proc, how do i make it permanent? 14:06 < Wofl__> ecrist: actually, i still have a little hiccup 14:06 < Wofl__> now i i run /etc/inint.d/net.br0 start, the first time it fails, but rerunning makes it work 14:07 < Wofl__> actually, let me ask in gentoo 14:12 < reiffert> Wofl__: /etc/sysctl.conf 14:17 < Wofl__> thanks, just drew a blank... 
14:22 -!- jeiworth_ [n=jeiworth@189.177.27.178] has joined ##openvpn 14:23 -!- jeiworth [n=jeiworth@189.234.36.231] has quit [Read error: 110 (Connection timed out)] 14:29 -!- jeiworth_ [n=jeiworth@189.177.27.178] has quit [Read error: 104 (Connection reset by peer)] 14:35 -!- jeiworth [n=jeiworth@189.177.35.174] has joined ##openvpn 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:43 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has quit [" got rick rolled"] 14:48 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 15:00 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 15:00 -!- lazarus477 [n=lazarus@81-231-99-230-no47.tbcn.telia.com] has joined ##openvpn 15:00 < lazarus477> Is there an official OpenVPN Web based frontend available? 15:01 < krzie> official? no 15:01 < lazarus477> Ok 15:01 < krzie> i believe there is projects tho 15:02 < lazarus477> krzie: In the past I have managed it over a console but read a romour of an official web GUI suposed to come soon. 15:02 < krzie> ive heard nothing of the sort 15:02 < krzie> unless thats the thing they sell 15:02 < lazarus477> krzie: I have looked at all the 3rd party ones though. 15:02 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 15:02 < lazarus477> krzie: I think it is the thing they sell, typically enough. 15:03 < reiffert> I was close on hitting the reply button on the last recent openvpn announcement, asking when he is going to release 2.1 15:03 < reiffert> argueing that vendors and distributors only put 2.0.9 into place for stability reasons .. 15:03 < krzie> not exactly rapidly developed, i agree 15:04 -!- deception [i=oc80z@quad.efnet.pe] has joined ##openvpn 15:04 < reiffert> development is fast, release cycles are not. 15:04 < lazarus477> Well I used OpenVPN for about two and a half years, worked like a dream. Ran it for a customer who loved it. 
15:04 < krzie> but then again, it doesnt really require rapid devel 15:05 < krzie> its stable and has much functionality 15:05 < reiffert> lazarus477: check out openvpn web gui, it's the one you see on openvpn.net 15:05 < lazarus477> I once tried it out on a long train trip. Kept me hooked to my home office LAN the entire trip over mobile broadband. 15:05 < reiffert> main page, upper left 15:05 < lazarus477> reiffert: Thank you, I think that is the one I am seeking. 15:05 < krzie> reiffert, damn i never seen that, i guess that means there IS an official web gui 15:05 < krzie> i had no clu 15:05 < reiffert> krzie: guess what, there isnt even a link on openvpn.net to openvpn web gui. 15:06 < lazarus477> reiffert: This one: http://openvpn-web-gui.sourceforge.net/ 15:06 < vpnHelper> Title: OpenVPN Web GUI 0.3.x (at openvpn-web-gui.sourceforge.net) 15:06 < reiffert> http://openvpn.net/index.php/documentation/graphical-user-interface.html 15:06 < vpnHelper> Title: Graphical User Interface (at openvpn.net) 15:06 < reiffert> no link to openvpn-web-gui 15:06 < reiffert> lazarus477: correct link, yeah 15:07 < krzie> oh i thought you said there was 15:07 < lazarus477> reiffert: Thanks 15:07 < reiffert> lazarus477: be warned, you will protect your vpn by 128bit htpasswd password. 15:07 < lazarus477> Yea this is the Web-GUI I have been waiting to see 8-) 15:08 < lazarus477> reiffert: What are you warning me about, something bad or something good? 15:08 < reiffert> something really really bad. 15:08 < lazarus477> reiffert: Enlighten me. 15:08 < reiffert> I'd recommend to gain access to 127.0.0.1 only. 15:08 < lazarus477> reiffert: To low encryption strength? 15:09 < reiffert> yap 15:09 < lazarus477> reiffert: Well firefox over ssh works, hehe. 15:09 < lazarus477> reiffert: Gotcha 15:09 < krzie> openvpn has very very strong encryption options 15:09 < reiffert> krzie: but openvpn web gui doesnt. 
15:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 15:09 < krzie> by running a web interface protected only by htpasswd means you compromise that 15:09 < reiffert> krzie: means, gain access to web gui == gain access to network 15:09 < krzie> weakest link scenerio 15:09 < krzie> reiffert i know im agreeing with you 15:10 < krzie> i also agree 127.0.0.1 access for gui 15:10 < lazarus477> reiffert: I get the point, thanks for pointing it out to me. 15:10 < krzie> (only) 15:10 < krzie> reiffert: Well firefox over ssh works, hehe. 15:10 < krzie> you arent configuring sshd by web ui 15:11 < krzie> just connecting to it, very different 15:11 < reiffert> firefox over ssh works but sucks due to bandwidth reasons. Be sure to keep it that way over a long period. 15:11 < lazarus477> krzie: I ment I can ssh to the openvpn server and run a remote firefox session. 15:11 < lazarus477> I am all about headless setups. 15:12 < krzie> ok 15:12 < krzie> i just script anything i need 15:12 < krzie> no reason for a web-ui for me 15:12 < reiffert> same for me. 15:12 < lazarus477> krzie: Script me a cup of coffee, please :-) 15:12 < krzie> sure, install netbsd on your coffee machine and gimme root 15:12 < reiffert> __ __ __ 15:12 < reiffert> ___ _ _ _ __ ___ / _| ___ ___ / _|/ _| ___ ___ 15:12 < reiffert> / __| | | | '_ \ / _ \| |_ / __/ _ \| |_| |_ / _ \/ _ \ 15:12 < reiffert> | (__| |_| | |_) | | (_) | _| | (_| (_) | _| _| __/ __/ 15:12 < reiffert> \___|\__,_| .__/ \___/|_| \___\___/|_| |_| \___|\___| 15:12 < reiffert> |_| 15:13 < krzie> install it on your toaster too while you're in there 15:14 < reiffert> _ _ 15:14 < reiffert> ___| | | | 15:14 < reiffert> / __| | | | 15:14 < reiffert> | (__| | | | 15:14 < reiffert> \___| |_____| | 15:14 < reiffert> |_|_____|_| 15:14 < reiffert> :p 15:14 < reiffert> /exec -o echo "c|_|" | figlet 15:15 < krzie> i still cant figure out why i cant do this: 15:16 < lazarus477> reiffert: lol, thanks. 
Love ASCI Art. 15:16 < krzie> ./exec echo "$RANDOM%2" | bc 15:16 < krzie> (standard_in) 1: syntax error 15:17 < lazarus477> I was at FSCONS 2008 held in Gothenburg Sweden. Two guys there demonstrated a nice public key infrastructure management software, web gui based. It works nicelly with OpenVPN for certificate management. 15:17 < krzie> !ssl-admin 15:17 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 15:17 < krzie> nice perl script to manage them as well 15:18 < lazarus477> Ah just found the guys website: http://www.ejbca.org/ 15:18 < vpnHelper> Title: EJBCA - The J2EE Certificate Authority - Home (at www.ejbca.org) 15:18 < reiffert> openssl x509 is all you really need. 15:18 < reiffert> j2ee? sigh. sigh. 15:18 < reiffert> sigh. 15:18 < lazarus477> vpnHelper: Yep thats the one. 15:18 < vpnHelper> lazarus477: Error: "Yep" is not a valid command. 15:18 < reiffert> most probably running on a virtual machine. 15:19 < reiffert> high performance. 15:19 < reiffert> sigh 15:20 < reiffert> EJBCA 3.7 contains support for CVC CAs used for EU EAC ePassports. This development was sponsored and contributed by the Swedish National Police Board. 15:20 < lazarus477> Hmm. Looks Java based, did not notice that before. 15:20 < reiffert> How many backdoors? 15:21 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Read error: 104 (Connection reset by peer)] 15:22 < lazarus477> It is my personal opinion that there is no such thing as a 100% secure system, haha. 15:22 < krzie> sure there is, the one with no NIC 15:22 < krzie> like my CA 15:22 < lazarus477> A lot of security comes from proper access restrictions. 15:22 < krzie> and physical security = gun 15:22 < lazarus477> krzie: Yea but even withou NIC you can still do local attacks, haha. 
15:23 < krzie> yes, and hope to hell i dont walk in and shoot you 15:23 < lazarus477> krzie: Hahahaha 15:23 < krzie> not because you're at my computer, because you're in my house 15:24 < krzie> ;] 15:24 < lazarus477> krzie: I will wear my Linux BulletProof IP-Tables vest when you come to snuff me out :-) 15:24 < krzie> haha 15:24 < krzie> my house is linux resistant, should wear your pf-vest 15:24 < lazarus477> krzie: Perhaps I will simply drop by for coffee. 15:24 < Bushmills> krzie, echo $((RANDOM... 15:24 < Bushmills> )) 15:24 < krzie> Bushmills ahh 15:25 < lazarus477> krzie: Or perhaps I should do some KGB/CIA style remote wire listening on your electronic emissions, lol. 15:25 < krzie> ./exec echo $((RANDOM))%2|bc 15:25 < krzie> works =] 15:25 < Bushmills> krzie, what for do you pipe it to bc? 15:25 < krzie> lazarus477 good luck finding what country im in 15:25 < krzie> bc = bitcalc 15:26 < Bushmills> what for? 15:26 < krzie> %2 makes it output the remainder after /2 15:26 < krzie> so i get a 0 or 1 15:26 < Bushmills> you can just drop the |bc part for the same effect 15:26 < krzie> for making random unimportant decisions 15:26 < lazarus477> krzie: Looks around. I shall start searching in my local area and later expand my search outwards till I covered the whole globe or find you on the way. 
15:26 < lazarus477> haha 15:26 < Bushmills> bash knows modulus (remainder) too 15:26 < krzie> Bushmills, try it 15:26 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 15:26 < krzie> 0%2 15:27 < Bushmills> krzie, try echo $((RANDOM%2)) 15:27 < krzie> krzee@hemp:~> echo $RANDOM%2 15:27 < krzie> 20446%2 15:27 < krzie> krzee@hemp:~> echo $((RANDOM%2)) 15:27 < krzie> 0 15:27 < krzie> heh no kidding 15:27 < krzie> i never seen using parens on shell vars 15:27 < Bushmills> that'S why i ask "why bc" 15:28 < krzie> gotchya, cause thats how i knew how to do it ;] 15:28 < krzie> your way is better 15:28 < Bushmills> between $(( )) is arithmetic expression 15:28 < krzie> time to read on parens on vars 15:28 < krzie> ohhh i gotchya 15:28 < krzie> thats coolness 15:28 < Bushmills> want to look at a very far out bash script? 15:29 < krzie> i seen that one you made to program roms 15:29 < krzie> it was nuttier than the professor 15:29 < Bushmills> ever seen a compiler and interpreter written in bash? 15:30 < krzie> lol 15:30 < krzie> shit no 15:30 < Bushmills> incremental compiler + interactive interpreter 15:30 < Bushmills> http://www.forthfreak.net/bashforth 15:30 < reiffert> Bushmills: good luck! 15:30 < Bushmills> :D 15:30 < reiffert> krzie: macports: ports install bashforth 15:30 < Bushmills> reiffert, no indoctrination 15:31 < Bushmills> reiffert, but that's just a one magnitude more complex bash script then most people call "complex" 15:31 < krzie> Bushmills, you're hardcore bro 15:32 < reiffert> krzie: it's pure fun, enjoy forth! 
15:32 < Bushmills> though for running it i'd suggest the javascript version - faster and more standard compliant 15:33 < krzie> i thought i was dope with scripting in bash until i saw the last script Bushmills showed me 15:33 < Bushmills> that one can be intimidating 15:34 < krzie> reiffert i wont be on apple for awhile 15:34 < krzie> til night time 15:34 < reiffert> krzie: you own an ibook as well, do you? 15:34 < Bushmills> though i like the geekness factor of it. 15:34 < reiffert> Bushmills: whats the key combination again? 15:35 < Bushmills> apple? i think you need to push during start. apple-apple-f iirc 15:35 < Bushmills> or apple-apple-o 15:36 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has quit [] 15:36 < Bushmills> * Command-Option-O-F 15:39 < Bushmills> krzie, btw, reiffert knows that script - he introduced it to macports 15:40 < krzie> reiffert i have a macbookpro 15:41 < krzie> but my main box is now my hackintosh 15:41 < reiffert> http://trac.macports.org/browser/trunk/dports/lang/bashforth/Portfile 15:41 < vpnHelper> Title: /trunk/dports/lang/bashforth/Portfile – MacPorts (at trac.macports.org) 15:41 < krzie> quad core q9400 8gb ram 1.5TB hd 15:41 < krzie> running retail 10.5.7 15:41 < krzie> with all kexts etc in the hidden EFI partition for simple upgrading 15:42 < krzie> (guid spec says there should be a hidden EFI partition, which apple doesnt use but does respect) 15:43 < Bushmills> same CMD-OPT-O-F . 
the prompt is more or less compatible with that bash script :) 16:14 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 16:15 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 16:19 -!- jeiworth [n=jeiworth@189.177.35.174] has quit [Read error: 110 (Connection timed out)] 16:22 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Connection timed out] 16:23 -!- Kreg-Work [n=kreg@208.98.188.95] has joined ##openvpn 16:28 -!- jeiworth [n=jeiworth@189.177.221.191] has joined ##openvpn 16:48 -!- jeiworth_ [n=jeiworth@189.177.35.134] has joined ##openvpn 16:49 -!- jeiworth [n=jeiworth@189.177.221.191] has quit [Read error: 104 (Connection reset by peer)] 16:56 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn 17:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:05 < Dougy> krzie 17:05 < Dougy> krzie 17:05 < Dougy> krzie 17:05 < Dougy> krzie 17:06 < reiffert> http://www38.wolframalpha.com/input/?i=happy%2Fhappy 17:06 < vpnHelper> Title: happy/happy - Wolfram|Alpha (at www38.wolframalpha.com) 17:06 < reiffert> Dougy: Dougy Dougy Dougy Dougy 17:06 < krzie> ~dougy 17:06 < krzie> ~dougy 17:06 < krzie> ~dougy 17:06 < krzie> ~dougy 17:06 < Dougy> your server is online 17:10 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection] 17:13 -!- deception [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 17:14 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:14 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 17:15 < krzie> what paypal do i send at? 17:15 < Dougy> you didnt pm 17:27 < reiffert> want another root server in germany? 
17:27 < krzie> im sure not against the idea 17:28 < reiffert> I can recommend hetzner.de 17:28 < Dougy> hetzner 17:28 < Dougy> blah 17:28 < Dougy> those buggers 17:28 < krzie> if you can find me a decent price in china im in 17:28 < krzie> hehe 17:28 < reiffert> :) 17:29 < reiffert> I like hetzner, they gimme all I need. 17:29 < Dougy> i love my work connection 17:29 < Dougy> i am such an asshole 17:29 < krzie> 2 in cali, 1 in NY, 1 in minn, 1 in chicago, soon 1 in reno 17:29 < Dougy> on my one box there 17:29 < xororand> hetzner is okay. i know several guys who have one or more servers there. noone ever complained. i'm content after 2 years as well 17:29 < Dougy> krzie 17:29 < Dougy> my box at work 17:29 < Dougy> i have a 1 gbit port.. i pay $0 17:30 < krzie> for someone who doesnt do any business with his servers i seem to be going overboard 17:30 < Dougy> im using 17:30 < Dougy> like 450 MBps 17:30 < Dougy> lol 17:30 < krzie> lol 17:31 < Dougy> krzie 17:31 < Dougy> http://www.upload3r.com/serve/180509/1242685902.png 17:31 < Dougy> lol 17:32 < Dougy> if only Ihad that in NYC 17:33 < reiffert> Dougy: wtf? 17:33 < Dougy> reiffert: ? 17:33 < reiffert> Dougy: 450MBps what for? 17:34 < Dougy> random shit 17:34 < Dougy> i gave all my friends access 17:34 < Dougy> they are abusing it 17:34 < Dougy> lol 17:34 < reiffert> send me some openvpn client certs then. 17:34 < krzie> shit ya 17:34 < Dougy> Naw, hahaha 17:35 < krzie> lemme run rtorrent on it 17:35 < Dougy> im considering adding two more gbit nics 17:35 < Dougy> in it 17:35 < reiffert> I'd watch some tv caps from fox.com or similar. 
17:35 < krzie> send a couple TB and raise my ratio a bit 17:35 < reiffert> :p 17:37 < Dougy> haha 17:38 < reiffert> watching TV caps from fox.com is all I really like to do with a link to US 17:38 < Dougy> reiffert: get a free shell 17:38 < Dougy> and ssh tunnel 17:39 < reiffert> I'll try that, right 17:39 < Dougy> http://sdf.lonestar.org/ 17:39 < vpnHelper> Title: SDF Public Access UNIX System - Free Shell Account and Shell Access (at sdf.lonestar.org) 17:41 < reiffert> thanks 17:41 < Dougy> try that 17:43 < krzie> i cant believe prison break is over 17:44 < reiffert> How did it finish, all people alive or dead? in prison again? 17:44 < krzie> only 1 is dead from main group 17:44 < krzie> all free 17:44 < krzie> they took down the company 17:44 < krzie> (secret gov org gone kinda rouge) 17:44 < reiffert> I must admit that I never watched a single episode :) 17:45 < krzie> the leader of the company fries on the electric chair 17:46 < krzie> i got into it season 1 17:46 < krzie> saw every single episode 17:46 < Dougy> man 17:46 < Dougy> so glad to finally be getting clients live in NYC 17:46 < reiffert> 4] Kristin Dos Santos of E! has reported that there may be several extra episodes following the remaining six. Reilly has also confirmed that the series will end with a two-hour finale, rather than a rumored TV movie. Regarding the finale, Reilly says, "They have a really cool ending, actually. I know where they end, and it's a hell of an idea."[24] 17:47 < krzie> hrm, i think i found the name for the NY box 17:47 < krzie> it will be named kief 17:48 < Dougy> krzie: you're on solid hardware 17:48 < Dougy> sm chassis sm motherboard 17:48 < Dougy> hm 17:48 < Dougy> im gonna upgrade you to 7.2 now, k krzie? 17:51 < krzie> umm, sure =] 17:51 * Dougy wants to play with the freebsd-update tool 17:52 < krzie> are you joking!? 17:52 < krzie> nah ill update it 17:52 < Dougy> haha okay 17:52 < krzie> freebsd-update is binary 17:52 < Dougy> as opposed to doing by hand? 
17:52 < krzie> cvsup the src, make buildworld, make buildkernel KERNCONF=config
17:52 < Dougy> btw, does anyone here need a server? renting out one
17:52 < krzie> etc
17:53 < Dougy> P4 3.0, 2gb ram, 120gb drive for $75
17:53 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
17:53 < krzie> yes, as opposed to compiled for my hardware after i play with make.conf
17:53 < krzie> you redhat user, lol
17:53 < Dougy> lol
17:54 < Dougy> its so much fun to be able to say i have my own colo
17:54 < Bushmills> Dougy, hetzner considerably cheaper ...
17:54 < Dougy> Bushmills: ?
17:54 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
17:55 < Bushmills> Dougy, 65 $ for 2x400 gig
17:55 < Dougy> yes there is a difference
17:55 < Dougy> if i colocated in other places in the usa that it cost me $20 per server
17:55 < Dougy> then i could do a lot less
17:56 < Dougy> but this is right next to wall street in nyc
17:56 < Dougy> so its not so cheap
17:57 * Dougy makes about $2 on hardware on that p4
17:58 < Bushmills> 64 X2 5600+Dual Core, also 2 gig RAM there.
17:58 < Dougy> Bushmills: same thing applies
17:58 < Dougy> they get space cheaper
17:58 < Dougy> and bandwidth too
17:59 < Dougy> and im sure hw cheaper too
17:59 < reiffert> Bushmills: time to get some colo in NYC, eh?
18:00 < Bushmills> in fact, a box across the border can have its uses
18:00 < Dougy> krzee has colo in nyc
18:00 < reiffert> Bushmills: alright, then who is going to get some cheap machine with plenty of GIG and CPU for us?
18:01 < Dougy> what kind of box do you want
18:01 < Bushmills> cpu doesn't really need to be ultrafast
18:01 * Dougy can maybe find some old parts
18:01 < Bushmills> lots of ram makes more sense
18:01 < reiffert> Bushmills: dual core sounds nice, but single core will do of course. Preferably Intel.
18:01 < reiffert> Lots of RAM .. lets say 4GB?
18:01 < Bushmills> how much effort/costs are involved when upgrading the box with larger hard disk later?
18:02 < Dougy> well
18:02 < Dougy> i have 3 pentium d 3.0 ghz
18:02 < Dougy> and 1 3.2 ghz
18:02 < Dougy> sitting here
18:02 < Dougy> i can build you a box with that
18:02 < reiffert> Bushmills: 2 x 1TB?
18:02 < Bushmills> need to check with reiffert - i'm not cgi-intense.
18:03 < reiffert> we are talking about 20$ per month, right?
18:03 < Dougy> lol
18:04 < Dougy> just the power that would dra
18:04 < Dougy> w
18:04 < Dougy> would be more than $20 for me
18:07 < Bushmills> luckily the CPU doesn't need to be power hungry :)
18:07 < Dougy> everyone in this channel is cheap
18:07 < Dougy> cant do prices you want
18:09 < Bushmills> i do run 4 servers. paying more for smaller hardware or connection wouldn't make a lot of sense, would it?
18:09 < reiffert> Dougy: Would please sum up the monthly fee and the tech. specs like peerings and physical location for us ..
18:09 < reiffert> +you
18:11 < Bushmills> so we need to look where this can beat what we got. there's potentially a: disk capacity, and b: different country.
18:11 < Dougy> reiffert: rented or colocated
18:12 < Bushmills> (of course 120 gb doesn't beat 2x400 gb)
18:12 < reiffert> Dougy: both please.
18:15 < Dougy> reiffert: colo is $20/u $25/amp $12/Mbps
18:15 < Dougy> right now its just Cogent's bandwidth but may become Level3/Cogent/Internap/Sprint/SAVVIS
18:16 < Dougy> servers vary a lot
18:16 < reiffert> $12 per Mbps per Month?
18:16 < Dougy> Megabit per second, 95%
18:16 < Dougy> should have said Mbit
18:16 < reiffert> so 450Mbps = 450 * 12 $US?
18:17 < Dougy> yes
18:17 < Dougy> lol
18:17 < reiffert> and you call that cheap. Interesting different opinions between old europe and western world ...
18:18 < Dougy> $12/Mbit is cheap especially for New york city
18:18 < Dougy> for anything less than 100 Mbit, if you get under $18 for any decent bandwidth, you are a lucky soul
18:18 < reiffert> hetzner: 100Mbps, 30TB incl per month
18:18 < Dougy> heh
18:18 < krzie> umm, how much reif?
18:18 < Dougy> i don't know how they sustain that
18:18 < Dougy> not a clue
18:18 < Bushmills> (only the first terabyte 100 mbit, per month)
18:19 < reiffert> Bushmills: first 30 TB per month IIRC.
18:19 < krzie> dougy, BW is diff outside the usa
18:19 < krzie> some places cheaper, some places more expensive
18:19 < reiffert> krzie: 5600 AMD X2, 2 x 400GB, about 80$US/month
18:19 < krzie> shit its normal to have 100mbit to the house in some places
18:19 < reiffert> 4GB RAM
18:19 < krzie> damn thats badass reif
18:19 < Dougy> krzie: yes i know
18:19 < Bushmills> oh, have they upgraded again? was last year that after 1 terabyte they throttled to 10 mbit/sec
18:20 < reiffert> 59EUR should be 80 $US atm
18:20 < Dougy> i would love to see you guys get boxes in australia
18:20 < Dougy> ;)
18:20 < Dougy> where 100GB sets you back over 100
18:20 < krzie> i was supposed to have one in AU
18:20 < krzie> but my boy fell through
18:20 < krzie> with MUCH better pricing than you speak of
18:20 < krzie> MUCH MUCH
18:20 < Bushmills> krzie: 5600 AMD X2, 2 x 400GB, about 80$US/month ... actually 65$/m
18:20 < Dougy> bandwidth in Australia, is absurd
18:21 < krzie> dougy, depends who you know i guess
18:21 < reiffert> Bushmills: 59 EUR = 80 $US
18:21 < Dougy> i know a whole lot of people there
18:21 < Bushmills> reiffert, but it's 49EUR only
18:21 < krzie> dougy, i was supposed to get a badass deal in the same building as the au stock exchange
18:21 < krzie> but my boys contact doesnt work there anymore
18:21 < krzie> its not quantity of who you know, its quality of who
18:21 < Dougy> meh 100gb for $100 was a bit of a stretch
18:21 < krzie> ;]
18:22 < Dougy> The specifications of this machine are:
18:22 < Dougy> - Intel Dual Xeon 2.4Ghz
18:22 < Dougy> - 4GB Ram
18:22 < Dougy> - 2x73GB SCSI drives (RAID1)
18:22 < Dougy> - Linux CentOS 5.2
18:22 < Dougy> - 50GB Data Per Month
18:22 < Dougy> - cPanel/WHM 11
18:22 < Dougy> - Virtualisation Layer
18:22 < Dougy> - Fully Managed Server including server monitoring and SMS notifications
18:22 < Dougy> - No Contract Terms
18:22 < Dougy> Cost Per Month: $199 inc GST FULLY MONITORED AND MANAGED
18:22 < Dougy> ^
18:22 < krzie> you lost me at centos
18:22 < reiffert> Bushmills: u sure u own a 5600X2 with 2 x 400GB?
18:22 < krzie> *gag*
18:22 < Dougy> krzie: look at cpu, drives, bw, and price
18:22 < Dougy> nothing else
18:22 < reiffert> Bushmills: ah, 2GB RAM
18:22 < Dougy> meh
18:22 < Dougy> i guess europe is cheap
18:23 < Bushmills> reiffert, 59 is 4 gig ram
18:23 < reiffert> http://www.hetzner.de/hosting/produktmatrix/rootserver-produktmatrix/
18:23 < vpnHelper> Title: Hetzner Online AG: Root Server ProduktmatrixHetzner Online AG (at www.hetzner.de)
18:23 < Dougy> i pay $349 a month for 2.4 GHZ quadcore / 8 gb ram / 4x750gb in rai 10
18:23 < Dougy> raid
18:23 < reiffert> Bushmills: however, new pricing, new root servers from 1st of June 2009: http://www.hetzner.de/hosting/produkte_rootserver/ds5000/
18:23 < vpnHelper> Title: Hetzner Online AG: DS 5000Hetzner Online AG (at www.hetzner.de)
18:23 < Bushmills> Dougy, that's 130$ here
18:24 < Bushmills> includes unlimited traffic
18:24 < Bushmills> oh. sorry. 2x750 gb only
18:24 < krzie> only thing is dougys customer base is from usa
18:24 < krzie> so he needs something low latency to them
18:25 < Bushmills> Dougy, what netmask on those?
18:25 < Bushmills> i.e. come with how many ip addresses?
18:25 < Dougy> i got a /26
18:26 < reiffert> backbone list: http://wiki.hetzner.de/index.php/Rechenzentren_und_Anbindung
18:26 < Bushmills> that's decent
18:26 < vpnHelper> Title: Rechenzentren und Anbindung – Hetzner DokuWiki (at wiki.hetzner.de)
18:26 < krzie> my buddy has direct fiber from LA to peru, like 5 hops from him to my SD boxes, unfortunately he doesnt wanna allow a colo =[
18:26 < krzie> i want more foreign servers
18:26 < krzie> preferably in countries that dont like talking to the usa like china
18:26 < krzie> im tired of usa sniffing *
18:27 < krzie> they think they own the internet
18:27 < Dougy> they invented it
18:27 < krzie> thank them for me
18:27 < krzie> and tell them its out of their hands now
18:27 < krzie> and btw colleges invented it, not the gov
18:28 < krzie> iirc the gov was happy with decnet
18:28 < Bushmills> hm. more like "put it to civil use"
18:28 < reiffert> krzie: gimme something to trace on ...
18:29 < krzie> ircpimps.org
18:29 < krzie> thats san diego, CA
18:29 < reiffert> 18 hops, 100ms between frankfurt and washington
18:29 < Dougy> wow
18:29 < Dougy> crappy latency
18:30 < Dougy> level3 from here to there, getting 60 ms on an edge level3 router
18:30 < reiffert> but still no satellite connection involved, is it?
18:30 < Dougy> 13 * SUAVEMENTE.car1.SanDiego1.Level3.net (4.79.33.194) 66.408 ms !A *
18:30 < Dougy> 14 * SUAVEMENTE.car1.SanDiego1.Level3.net (4.79.33.194) 66.555 ms !A
18:30 < Dougy> keeps dying there
18:30 < Bushmills> a bit less even. 94 ms
18:31 < reiffert> http://snap.reifferscheid.org/3.txt
18:32 -!- lazarus477 [n=lazarus@81-231-99-230-no47.tbcn.telia.com] has quit ["leaving"]
18:32 < reiffert> Additional 40ms from Wash to Atlanta
18:32 < Dougy> http://rafb.net/p/3vDoZK31.html
18:32 < vpnHelper> Title: Nopaste - No description (at rafb.net)
18:32 < reiffert> nah, atlanta to dallas
18:32 < Bushmills> ae-4-4.car2.SanDiego1.Level3.net is very wobbly
18:33 < Dougy> yay 40GB rsync
18:33 < krzie> holy shit
18:33 < krzie> 66ms
18:33 < Dougy> krzie ?
18:33 < krzie> his trace
18:33 < Dougy> ah
18:33 < krzie> oh no that was you
18:33 < krzie> nm
18:34 < Dougy> lol
18:34 < reiffert> Bushmills: looks like hetzner <-> level3 is doable, if its in washington
18:36 < Bushmills> reiffert, but will cost 20 times more, 1200$ instead of 65$ for 100 mbit.
18:37 < reiffert> Totally crazy, indeed.
18:37 < reiffert> 27.000 km's between Frankfurt and Washington
18:37 < Bushmills> plus, that's 50 gig traffic
18:37 < reiffert> let's see what google earth thinks about that distance
18:38 < reiffert> 27.000 when calculating with 90ms
18:38 < Bushmills> my ntp alone gets 10 gig/month
18:38 < reiffert> direct line is 7.000km
18:39 < reiffert> that would make 20.000km in house wiring?
18:39 < reiffert> alright, let's say some router cpu time ...
18:40 < Bushmills> probably repeater latency
18:40 < reiffert> which brings us down to 15.000 unknown kilometers...
18:40 < reiffert> cnn.com?
18:41 < reiffert> same wash.level3
18:41 < Bushmills> 109 ms
18:41 < Bushmills> total
18:42 < reiffert> hey guys, please name some big ISP's in .US
18:42 < Dougy> www.rr.com
18:42 < Dougy> www.comcast.net
18:42 < Dougy> im assuming you mean residential?
18:42 < Bushmills> reiffert, your box is 1 ms from mine
18:42 < reiffert> looks like hetzner got a fixed peering with level3 when it wants to get to .US
18:43 < Bushmills> and 300 microsecs from another :)
18:43 < Bushmills> 3 hops
18:43 < reiffert> we could bring up an additional phone link :)
18:43 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:44 < reiffert> (MULTIPLE)
18:45 < reiffert> would you please pastebin: mtr reifferscheid.org
18:45 < Bushmills> sell vpn access to chinese?
18:47 < Dougy> reiffert
18:47 < Dougy> who
18:48 < reiffert> Dougy: you and krzie
18:48 < Dougy> how many do u want me to run
18:48 < Dougy> how many times
18:48 < krzie> ok
18:48 < krzie> how many?! 1 should be fine
18:48 < Dougy> just one?
18:48 < Dougy> ok
18:48 < krzie> im installing it now
18:48 < Dougy> ill do 20
18:49 < Dougy> krzie: what box are you doing it from
18:49 < krzie> ircpimps
18:49 < Dougy> k ill do from NYC too then
18:49 < krzie> i guess i could do it from hash as well
18:50 < krzie> i dont even remember what hostname i gave to the box in minn
18:50 < krzie> hehe
18:50 < Dougy> http://rafb.net/p/bUvcLN61.html
18:50 < vpnHelper> Title: Nopaste - No description (at rafb.net)
18:51 < krzie> oh i see what you meant
18:51 < krzie> 1 per box is what i was saying, lol
18:52 < krzie> i thought you asked how many from 1 box, hehehe
18:52 < Dougy> nah lol
18:52 < Dougy> man
18:52 < Dougy> i am using a shit pile of bw atm
18:52 < Dougy> anohter 100 mbps spike
18:52 < Dougy> :X
18:52 < Dougy> another
18:53 < reiffert> Frankfurt is 50km next to me
18:53 < reiffert> Duesseldorf is 200km
18:53 < reiffert> and Berlin approx 450
18:53 < reiffert> thats insane.
18:54 < reiffert> nyc looks nice
18:54 < Dougy> ?
18:55 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)]
18:57 < krzie> im still compiling mtr + deps
18:57 < reiffert> Though I dont understand 87 ms before packets reach boston
18:58 < reiffert> 87 to 101 look like the atlantic...
18:59 < Bushmills> reiffert, i have latency history of several us sites.
19:00 < reiffert> since?
19:00 < Bushmills> M.I.T, Berkeley, Xerox and Indiana University
19:00 < Bushmills> 2 years
19:00 < Bushmills> http://ping.verhau.de/?target=NorthAmerica
19:00 < vpnHelper> Title: SmokePing Latency Page for North America (at ping.verhau.de)
19:00 < reiffert> how much did they increase over the years?
19:01 < Bushmills> click on any graph for details
19:02 < Bushmills> sorry, one year only
19:03 < reiffert> ..
19:03 < Bushmills> there are also european and asian sites
19:09 < reiffert> September 2008 looks like a bad month.
19:11 < Bushmills> wasn't that when - again - a few submarine cables had been damaged?
19:12 < Bushmills> a lot of asia was rerouted then, the other way around
19:17 < reiffert> time for bed, good night guys
19:39 -!- jeiworth_ is now known as jeiworth
19:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
20:00 -!- albech [n=albech@119.42.76.165] has quit [Remote closed the connection]
20:00 -!- x29a_ [n=x29a@unaffiliated/x29a] has joined ##openvpn
20:14 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:16 -!- x29a [n=x29a@unaffiliated/x29a] has quit [Read error: 113 (No route to host)]
20:21 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has joined ##openvpn
20:22 < mRCUTEO> hey all
20:27 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has quit []
20:32 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
20:34 < xororand> it's not possible to use DHCP over OpenVPN tun-devices, correct?
20:34 < xororand> DHCPv6
20:35 < krzie> correct
20:35 < krzie> tun is for layer3
20:35 < krzie> dhcp is layer2
20:36 -!- jeiworth [n=jeiworth@189.177.35.134] has quit [Read error: 110 (Connection timed out)]
20:36 < xororand> thanks for the confirmation :)
20:36 < krzie> np
20:37 < xororand> as --server is IPv4 only, i'm afraid that i have no choice but tap networking + DHCPv6
20:38 < krzie> theres some sort of ipv6 options, might be tun-ipv6 or something
20:38 < krzie> its in the man
20:38 < xororand> yes, --tun-ipv6 works
20:38 < krzie> do you *really* need dhcp?
20:38 < xororand> i have IPv6 working over OpenVPN + tun, but the server can't distribute IP addresses and routes, like it's possible with IPv4
20:39 < xororand> you can use a client-side "up" script, but that's platform dependent
20:40 < krzie> ahh
20:40 < xororand> i want it to work with linux, mac and windows client
20:40 < xororand> with one single config set
20:41 < krzie> didnt realize you couldnt push stuff
20:41 < krzie> like:
20:41 < krzie> !static
20:41 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
20:41 < krzie> but i dont use ipv6 so i believe you
20:41 < xororand> i'm not sure krzie
20:41 < xororand> at least --server doesn't work
20:41 < xororand> like "server 10.20.0.0 255.255.255.0"
20:41 < theDoc> Until the world decides that v4 is dead and gone, I honestly do not see a lot of customers migrating to v6.
20:42 < theDoc> and hello folks.
20:43 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:43 < xororand> hello theDoc
20:43 < xororand> End users shouldn't have to notice the migration, theDoc
20:50 < krzie> Dougy, didnt you say this was gunna be that dual xeon? not that it matters to me much
20:51 < Dougy> someone rang
20:52 < Dougy> no i didn't lol
20:52 < krzie> oh ok
20:52 < Dougy> you paid me $175 to build you that celly box
20:52 < Dougy> 'member?
20:52 < krzie> OH right you sold that dual zeon
20:52 < krzie> xeon
20:52 < krzie> forgot bout that
20:52 < Dougy> nope i didnt
20:53 < Dougy> the buggers decided not to buy it
20:53 < krzie> yes
20:53 < Dougy> so its sitting under me
20:53 < Dougy> but you did buy the celly
20:53 < krzie> oh, lol
20:53 < krzie> yes, i did
20:53 < krzie> cause you said you had sold that dual xeon that you got cause you only wanted the case
20:53 < Dougy> yea then i found out its semi proprietary
20:53 < Dougy> so gotta keep it together
20:53 < krzie> remember you were gunna kick that down free at first cause you only got it for the case
20:53 < Dougy> yeah then i noticed the PSU was proprietary to a few select old mobos
20:54 < Dougy> so i was stuck with it
20:54 < krzie> doh!
20:54 < Dougy> that dual xeon thing drew 2 amps on post
20:54 < Dougy> first boot
20:54 < Dougy> lol
20:54 < Dougy> Bahahaha ,krzie, my provider just emailed me
20:54 < Dougy> Hi Douglas
20:54 < Dougy> We got a bandwidth alert but ignored it. After a second check shows that you're using 94.39Mbps right now. Is everything OK?
20:54 < krzie> reply:
20:54 < krzie> everything is great, thanx for the excellent bandwidth
20:54 < Dougy> bahahah
20:55 < Dougy> naw
20:55 < Dougy> i told him it was a short spike while i rsync'd like 30gb of data
20:55 < krzie> "sorry i was dos attacking some kid on irc"
20:55 < Dougy> lmfao
20:55 < Dougy> some skiddie tried to mess with me so i was blasting him
20:56 < krzie> "i was testing your response time, well done"
20:56 < Dougy> lmao
20:56 < krzie> and did you say rsync!?
20:56 < krzie> lulz
20:56 < Dougy> yes
20:56 < Dougy> i did
20:56 < Dougy> why?
20:57 < Dougy> krzie, this is what made them shit their pants: http://www.upload3r.com/serve/180509/1242698212.png
20:57 < krzie> they went poopy?
20:57 < Dougy> i guess
20:58 < krzie> doesnt rsync require its own daemon which has had a long long history of insecurities?
20:58 < krzie> i use scp
20:59 < Dougy> not that i know of
20:59 < Bushmills> xororand, there exist dhcp forwarders
20:59 < Dougy> it uses ssh
21:00 < krzie> oh ok
21:00 < krzie> i musta been thinkin of something else then
21:00 < Dougy> yeah
21:00 < Dougy> guess so
21:08 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 60 (Operation timed out)]
21:19 -!- sam_ [n=sam@222.66.224.108] has joined ##openvpn
21:23 -!- troy [n=troy@worldnet.tauri.ca] has joined ##openvpn
21:24 < sam_> Hi, all, my server only accepts 1024 clients access, how to change the limit?
21:24 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
21:41 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:43 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn
22:04 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
22:04 -!- sam_ [n=sam@222.66.224.108] has quit [Remote closed the connection]
22:05 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
22:38 -!- troy is now known as troy-
22:39 -!- troy- is now known as troy
22:44 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 110 (Connection timed out)]
23:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
23:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
23:18 < ecrist> sup, fuckers?
23:19 < theDoc> lmao.
23:19 < theDoc> New certification course for you guys, http://web.uct.ac.za/depts/commnetwork/networklab.html HCNE :)
23:19 < vpnHelper> Title: UCT Network Laboratory (at web.uct.ac.za)
23:19 < theDoc> cisco certified? juniper certified? extreme networks certified?
23:19 < theDoc> now get yourself certified by huawei.
23:19 < theDoc> xD
23:19 < theDoc> jesus christ.
23:22 * ecrist *was* a CCNA at one point.
23:22 < theDoc> was!
23:22 < theDoc> is too!
23:30 < theDoc> lmao
23:30 < theDoc> ecrist: http://forum.huawei.com/jive4/thread.jspa?threadID=320730&tstart=50&orderStr=9
23:30 < theDoc> epic win.
23:45 -!- mikeage [n=mmiller@mikeage.net] has quit [Remote closed the connection]
--- Day changed Tue May 19 2009
00:02 -!- troy is now known as troy-
00:05 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
00:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:29 -!- troy- is now known as troy
01:47 -!- master_of_master [i=master_o@p549D358C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D33D7.dip.t-dialin.net] has joined ##openvpn
01:58 -!- x29a_ [n=x29a@unaffiliated/x29a] has quit ["tiuQ"]
03:18 -!- vho [i=viktor@holmlund.it] has joined ##openvpn
04:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["-galaxynet"]
04:26 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
04:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
05:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:27 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:40 -!- The_Faithful [n=Mak@wana-15-237-12-196.wanamaroc.com] has joined ##openvpn
05:40 < The_Faithful> Hi all
05:40 < The_Faithful> How can I block vpn connections from my LAN ?
05:43 < reiffert> variouses methods: --local , a firewall, or plug the cable.
05:43 < reiffert> unplug
05:48 < The_Faithful> I need to filter the data packets not just looking up ports or protocols.. so using a firewall it's not the best solution
05:49 < The_Faithful> I wanna just know if a solution exists for solving this problem ?
05:51 < reiffert> what is it you didnt understand in
05:51 < reiffert> 12:43 < reiffert> variouses methods: --local , a firewall, or plug the cable.
05:53 < The_Faithful> everything unless firewall :P
05:54 < reiffert> see manpage for the --local option
05:54 < reiffert> !man
05:54 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:55 < The_Faithful> thank you brotha
05:56 < reiffert> the 3rd option was: unplug the LAN cable.
05:57 < The_Faithful> ok that's the easiest
05:58 < reiffert> Running Linux?
06:01 < The_Faithful> of course yes
06:01 < The_Faithful> I think that I got another solution.. filtering packets with wireshark
06:02 < The_Faithful> and writing patterns protocols and block it with L7-filter
06:02 < reiffert> iptables -I INPUT -i laninterface -p udp --dport 1194 -j REJECT
06:02 < reiffert> laninterface eth0 or eth1 or similar
06:02 < reiffert> l7-filter? sigh sigh sigh.
06:03 < The_Faithful> right ! but blocking this thing by port is insufficient
06:03 < The_Faithful> the same for the protocols
06:03 < reiffert> dude: your question was:
06:04 < reiffert> 12:40 < The_Faithful> How can I block vpn connections from my LAN ?
06:04 < The_Faithful> yes I said for blocking that.. I have to look up the packets data
06:04 < reiffert> so what you want is to filter openvpn connections with source LAN to destination LAN-Router or destination world?
06:04 < The_Faithful> not just ports or protocols (udp/1194)
06:05 < The_Faithful> reiffert, the both I wanna block that from and to the internet
06:05 < reiffert> in short: you cant.
06:05 < reiffert> it even works with a http proxy.
06:06 < The_Faithful> ok
06:06 < The_Faithful> you mean squid for example ?
06:06 < reiffert> so what your l7 filter will see is a http request.
06:06 < reiffert> so people will setup a proxy on port 443 and there you are.
06:07 < reiffert> eg squid
06:08 < The_Faithful> ok
06:08 < The_Faithful> I see now
06:08 < The_Faithful> thank you
06:09 < Bushmills> moinmoin
06:09 * Bushmills visualizes The_Faithful with a jet of water squirting out of his head periodically
06:11 < The_Faithful> Bushmills, LOL
06:11 < The_Faithful> thank you it's useful :P
06:11 -!- digii [n=digii@153.205.181.62.in-addr.dgcsystems.net] has joined ##openvpn
06:12 < Bushmills> would definitely draw attention when walking in the street
06:12 < digii> hi, in openvpn /easy-rsa/vars, when im changing export email, if im not using any email service, can i just put root@hostname?
06:14 < Bushmills> digii, the mail address is written for informal reasons into .crt file. if you can live with the older of the file not able to contact you by email, after obtaining the address from that file, you can put any address you want there.
06:15 < digii> aah ok =)
06:15 < Bushmills> though putting a real address there probably makes most sense
06:15 < Bushmills> s/older/holder/
06:15 < The_Faithful> reiffert, people in my LAN can make a vpn connection without caring my proxy ? or they can't ?
06:15 < digii> well its only for personal use, so i guess the email doesn't matter then
06:16 < Bushmills> digii, if you don't forget your email address when you want to contact yourself by email, it's ok.
06:17 < digii> hehe ;) guess that is not a risk im going to email myself :D
06:17 < digii> but thx
06:18 < digii> btw, if im following a guide for ubuntu, but my system is debian, it will pretty much be the same coz ubuntu builds on debian?
06:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:35 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)]
06:37 < digii> hmm
06:37 < digii> i just did the config file to openvpn and tried loading it
06:38 < digii> but got some errors about non existing files?
06:38 < digii> can i post the error here? its about 4-5 lines long
06:40 -!- roffe [n=rofe@83.221.146.177] has joined ##openvpn
06:41 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
06:43 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Client Quit]
06:43 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
06:47 -!- roffe is now known as rofe
07:05 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
07:33 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has joined ##openvpn
07:34 < enriq_> hello
07:35 < enriq_> I need to make openvpn create the connection with 3 dns suffixes to append
07:35 < enriq_> is there any way to do that?
07:40 -!- rofe [n=rofe@83.221.146.177] has quit [Read error: 113 (No route to host)]
07:47 -!- digii [n=digii@153.205.181.62.in-addr.dgcsystems.net] has quit ["Lost terminal"]
08:21 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
08:28 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
08:41 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Connection timed out]
08:57 < reiffert> Error when installing OpenVPN on Windows XP
08:58 < reiffert> The installer you are trying to is corrupted or incomplete
08:58 < reiffert> This could be the result of a damanged disk, a failed download or a virus
08:58 < reiffert> NSIS ERROR
08:58 < reiffert> Anyone
08:58 < reiffert> ?
09:01 < reiffert> ah, broken download, 1.1MB
09:01 -!- The_Faithful [n=Mak@wana-15-237-12-196.wanamaroc.com] has left ##openvpn ["Leaving"]
09:03 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [No route to host]
09:04 < ecrist> good morning folks.
09:05 < Bushmills> reiffert, i'd say it is a NSA enforced feature in windows to prevent installation of openvpn
09:07 < Bushmills> enriq_, client can execute script when connected
09:14 -!- onats_ is now known as onats
09:17 -!- flujan [n=flujan@189.111.254.251] has joined ##openvpn
09:17 < flujan> hello guys, I need to redirect a port let me say 8888 on my openvpn server to a client connected through the vpn
09:17 < flujan> 200.190.125.69:8888 to 172.27.7.14:80
09:17 < flujan> is it possible?
09:19 < enriq_> Bushmills: do you have a reference?
09:21 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has quit ["Leaving"]
09:26 * Bushmills will never understand why somebody asks a question, and then leaves.
09:28 < ecrist> flujan: yes, you need to use another piece of software for it, though. A firewall with policy routing would be the ticket.
09:28 < flujan> ecrist: iptables will do it?
09:29 < ecrist> should, I couldn't tell you how, I'm not a linux user
09:36 < flujan> ok thank you.
09:43 -!- jeansch [n=jeansch@216.252.79.95] has joined ##openvpn
09:43 < jeansch> !/30
09:43 < vpnHelper> jeansch: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:45 < jeansch> Hi, i have a question about openvpn scalability: can a server handle more than 500 clients at the same time, and if yes, with which requirements ?
09:46 < ecrist> jeansch: it depends on a lot of things
09:46 < ecrist> 1) what's the bandwidth utilization
09:46 < ecrist> 2) what's the hardware
09:46 < ecrist> 3) what's the OS
09:47 < jeansch> The bandwidth will be not very huge, only one web page per client, time from time
09:47 < jeansch> the hardware, ... a xen vm
09:48 < jeansch> running debian gnu/linux
09:48 < jeansch> the vm will be setup depending of the usage
09:48 < ecrist> jeansch, that's not the hardware
09:48 < ecrist> that's a vm
09:48 < jeansch> ok
09:48 < ecrist> all I can tell you is try test, test, test
09:50 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
09:50 < jeansch> i guess that the hardware used on the vm host is 'good' as it's an hosting provider (gandi). Can i verify that through the vm ?
09:51 < ecrist> lol
09:51 < ecrist> no, you can't. test it, see what happens.
09:51 < ecrist> if load becomes too great, you'll need to add another server
09:52 -!- enriq [n=enriq@33-138-235-201.fibertel.com.ar] has joined ##openvpn
09:52 < jeansch> ok, i understand. but is 500 clients a 'common' case ?
09:53 < enriq> i need to create my openvpn connection including a search path of 3 dns suffixes... anyone knows how?
09:53 < ecrist> no, it's not 'common' but it's been done before
09:53 < ecrist> enriq: yep
09:54 < ecrist> everything you need is covered in the man page or in the how to
09:54 < enriq> I found that adding dhcp-option DOMAIN could do the trick
09:55 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
09:55 < enriq> but i haven´t found how to specify many suffixes
09:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:57 < enriq> am i explaining myself ecrist ?
09:57 < ecrist> yes
10:02 < enriq> any clue?
10:03 < ecrist> enriq: DNS search list is DHCP option 119, you may be able to do a dhcp-option 119 "foo.com bar.org baz.net"
10:03 < ecrist> but not sure
10:04 < ecrist> even if you do, I'm not sure the client on the other end will know what to do with it.
10:04 < ecrist> for non-windows systems, it would appear a script is needed to apply the settings.
10:04 < ecrist> this is covered in the man pages.
10:05 < ecrist> see RFC 3397 for information on option 119
10:05 < enriq> I´m hacking this into the client side script... let me try I let you know
10:09 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
10:09 < enriq> i get "unknown option 119"
10:11 < ecrist> sounds like a question for the mailing list
10:12 < enriq> ok, i thought it was just that I´m newbie
10:12 < enriq> thanks
10:17 < vho> good evening
10:21 < vho> lets say I have 3 different OpenVPN servers. Users use the same cert and auth via username and password. How to prevent users from logging in to three different instances of OpenVPN?
10:21 < vho> Set up a radius server?
10:22 < theDoc> vho: ccd is your friend.
10:24 < vho> theDoc, and then nfs share with the servers?
10:24 < theDoc> vho: I don't even know your setup but my best guess is ccd.
10:26 < vho> theDoc, ok, thanks, because simultaneous-use += 1 doesn't work in radius due to the radius plugin for openvpn.
10:26 < theDoc> vho: I'm not sure about RADIUS but yeah, if you say so ;)
10:28 < vho> theDoc, but does this ccd work, even if I use radius for only auth?
10:28 < vho> but use username as common name on the server side
10:28 < theDoc> vho: I have no idea. I'm not familiar with radius.
10:29 < vho> ok, thanks anyway :)
10:48 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has joined ##openvpn
10:50 -!- enriq [n=enriq@33-138-235-201.fibertel.com.ar] has quit [Read error: 104 (Connection reset by peer)]
11:38 -!- lepine [n=lmacguir@modemcable093.36-59-74.mc.videotron.ca] has quit [Remote closed the connection]
11:48 -!- jeansch [n=jeansch@216.252.79.95] has quit ["Ex-Chat"]
12:01 -!- flujan [n=flujan@189.111.254.251] has quit []
12:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:15 -!- jeiworth [n=jeiworth@189.177.35.134] has joined ##openvpn
12:21 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn []
12:43 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit ["killed"]
12:44 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn
13:00 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Kreg-Work, Gumbler, vho, throughnothing, Intensity, dmarkey
13:00 -!- vho\ [i=viktor@holmlund.it] has joined ##openvpn
13:00 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
13:00 -!- Netsplit over, joins: throughnothing
13:00 -!- Netsplit over, joins: Gumbler
13:00 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
13:21 -!- vho\ [i=viktor@holmlund.it] has left ##openvpn []
13:22 -!- vho\ [i=viktor@holmlund.it] has joined ##openvpn
13:22 -!- vho\ is now known as vho
13:23 < krzie> ecrist here bud
13:23 < krzie> ?
13:24 < ecrist> yep
13:24 * ecrist wonders what his 'bud' wants. ;)
13:24 < krzie> aww, im not your bud?
13:25 < krzie> i want to pay you
13:25 < krzie> am i your bud now? lol
13:25 < krzie> ill msg
14:13 -!- Intensity [i=[MEAfCQR@panix1.panix.com] has joined ##openvpn
14:32 -!- carpe_ is now known as Plaerzen
14:33 < Plaerzen> do you guys think the online searchable knowledge bases for Linux are degrading due to the massive influx of idiots into the Linux-user demographic ?
14:34 < krzie> no clu personally, i dont use them
14:35 < krzie> but i wouldnt argue against the statement, sounds very plausible
14:40 -!- bafman [n=none@81.90.250.239] has joined ##openvpn
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:42 < Plaerzen> mostly I was referring to tldp and google. But I'm just frustrated. Anyway, maybe I'll blog about it
14:42 < bafman> hello, using secret option means that TLS will be enabled too (o SSL certificates
14:44 -!- bafman [n=none@81.90.250.239] has quit [Client Quit]
14:44 -!- bafman [n=none@81.90.250.239] has joined ##openvpn
14:44 < krzie> --secret file [direction]
14:44 < krzie> Enable Static Key encryption mode (non-TLS). Use pre-shared secret file which was generated with --genkey.
14:44 < bafman> sorry had connection problem
14:46 < bafman> I have read the man page, but was not sure if they both can be used together
14:47 < krzie> why would they?
14:47 < krzie> use this for what you're thinking
14:47 < krzie> !hmac
14:47 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:47 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:48 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
14:49 < bafman> ok this is what I wanted, I have read this "additional signature" and thought that secret is the one. Thanks for your telepathy
14:49 < krzie> yw ;]
14:49 < endschranz> Hi, I have a bridged vpn. When I create a server (wc3) everyone
14:50 < endschranz> can see the server. But when a client opens a server only players outside of the vpn can see it.
14:50 < endschranz> Does anyone have an idea?
14:51 < krzie> i dont even have an idea what you meant
14:53 < endschranz> when a player in the LAN creates a server: everyone can see the game; when a vpn client creates a server: only people in the real lan can see the server, other vpn-clients don't see the game
14:54 < bafman> bye
14:54 -!- bafman [n=none@81.90.250.239] has quit ["leaving"]
14:56 < Plaerzen> oh dear
14:57 -!- bafman [n=none@81.90.250.239] has joined ##openvpn
14:57 < bafman> !hmac
14:57 < vpnHelper> bafman: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:57 < vpnHelper> bafman: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:58 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
15:11 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
15:14 -!- vho [i=viktor@holmlund.it] has left ##openvpn []
15:14 < bafman> ok works as expected. thanks again and bye
15:14 -!- bafman [n=none@81.90.250.239] has quit ["leaving"]
15:16 < krzie> endschranz, have try enabling client-to-client
15:16 < endschranz> krzie: yes
15:16 < krzie> whoa my english was broken there, and its my native lang
15:16 < krzie> lol
15:26 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:27 < Dougy> heyo
15:27 -!- flokuehn [n=flokuehn@62.111.103.27] has quit [Remote closed the connection]
15:27 < Dougy> krzie: ping
15:27 < krzie> pong
15:27 < Dougy> everything is good with that box so far?
15:27 < krzie> aye, recompiling kernel now
15:27 < Dougy> good
15:27 < Dougy> dont break
15:27 < Dougy> it
15:28 < Dougy> i dont want to go to nyc this afternoon
15:28 < Dougy> lol
15:28 < krzie> lol
15:28 < krzie> hopefully i wont ;]
15:28 < Dougy> well if you do, you're sol
15:28 < Dougy> for a bit
15:28 < krzie> i only disabled raid stuff and wireless stuff (and cddl)
15:28 < krzie> oh and non 686 cpu stuff
15:28 < krzie> but that should all be rather safe
15:28 < Dougy> datacenter emailed me today
15:28 < Dougy> well last night
15:28 < Dougy> they thought one of my boxes got rooted, lol
15:29 < Dougy> i told you about that
15:29 < Dougy> but they emailed me today making sure i didnt get rooted
15:29 < krzie> the rsync?
15:29 < Dougy> yeah
15:29 < Dougy> haha
15:29 < Dougy> i said i was rsyncin and they were like are you sure you didn't get hacked?
15:29 < Dougy> i was like yes you dip shit
15:34 -!- flokuehn [n=flokuehn@62.111.103.27] has joined ##openvpn
15:42 < Dougy> Anyone need any hosting
15:57 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
15:57 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Read error: 54 (Connection reset by peer)]
16:05 < Dougy> krzie
16:05 < Dougy> i just bid on a server
16:05 < Dougy> dual amd opt 2.8 ghz dual core, 32gb ram, 2x320gb sata for $0.99 currently, bahaha
16:05 < krzie> you need to be sniping
16:05 < krzie> im tellin ya
16:05 < Dougy> my max bid is $275 atm
16:06 < krzie> 320 sata... 10k disks?
16:06 < Dougy> naw
16:06 < Dougy> 7200
16:07 -!- ralmar [n=john@200.25.129.80] has joined ##openvpn
16:07 < ralmar> Hey guys I installed the package to use Cisco vpns directly in the network manager but I need to import a certificate. How can I do this? Thanks. I'm on 9.04
16:08 < krzie> !notopenvpn
16:08 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:08 < krzie> !notcompat
16:08 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
16:10 < Dougy> OMG
16:10 < Dougy> spamming bastards
16:10 < Dougy> FFFFFFFFFFF
16:14 < ralmar> Can anyone help me out please?
16:15 < Dougy> ralmar: we dont do cisco vpn here
16:15 < Dougy> #ubuntu
16:16 < ralmar> Sigh, I know, I'm sorry, but I can't find anyone who can help on #ubuntu. I just want to use the network manager to edit a cisco vpn connection and import a .509 certificate
16:17 < ralmar> No one will even help me out in #cisco
16:17 < Dougy> I don't know jack about Ubuntu anymore or I would help you
16:40 < Dougy> http://www.amazon.com/gp/product/0345518764
16:40 < Dougy> hah
16:51 -!- ralmar [n=john@200.25.129.80] has quit ["Leaving"]
17:02 -!- eliasp_ is now known as eliasp
17:15 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
17:15 < xp_prg> hi all, I have the client connecting to the server
17:16 < xp_prg> it can't ping any of the ip's the server can ping though
17:16 < xp_prg> is that a route issue on the client?
17:16 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
17:16 < krzie> pls explain that better
17:16 < krzie> maybe add an example
17:17 < xp_prg> like the box the openvpn server is running on can ping 10.5.5.118
17:17 < krzie> and where is 10.5.5.118
17:17 < xp_prg> if I try to ping that ip address from the client it can't
17:17 < krzie> i cant magically understand your network
17:17 < xp_prg> on the network that the server is on
17:18 < krzie> did you push a route to the clients?
17:18 < xp_prg> I don't think so, sorry I am a little new to this
17:18 < krzie> push "route 10.5.5.0 255.255.255.0"
17:18 < krzie> in server config
17:18 < krzie> then restart both ends
17:19 < xp_prg> krzie can I just do it via the command line on the client right now?
17:19 < xp_prg> why do I have to restart everything?
17:19 < krzie> because you didnt set it up right!
17:19 < xp_prg> it can ping the server's ip
17:20 < krzie> listen or dont
17:20 < krzie> but i expect you came for help
17:20 < xp_prg> ok yes I did
17:20 < xp_prg> it is not clear to me what config file to add that line to
17:20 < krzie> in server config
17:25 < xp_prg> well I added that to the config file, client still can't ping that
17:25 < krzie> !configs
17:25 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:29 < xp_prg> sorry meeting, I will get that to you in like 30 - 60 minutes
17:42 -!- dupondje [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
17:42 < dupondje> !route
17:42 < vpnHelper> dupondje: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:42 < krzie> holy balls this buildworld takes FOREVER
17:44 < dupondje> I did setup openVPN server on a dedicated server, setup a client on a dd-wrt router and one on my laptop, from the router i can ping the server, from my laptop I can ping the server, but can't connect from laptop to router
17:44 < dupondje> any ideas? :)
17:46 < krzie> the server needs a ccd entry with an iroute for the client with lan behind it
17:47 < krzie> the server also must push a route to that network
17:47 < krzie> which will only be pushed to the other client
17:47 < krzie> as fully explained in my routing writeup you saw at !route
17:47 < dupondje> push "route 192.168.3.0 255.255.255.0"
17:47 < dupondje> i have this on server config
17:47 < krzie> you also need an iroute
17:47 < krzie> !iroute
17:47 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
17:48 < dupondje> yea, the router (which contains network 192.168.3.*) has an iroute
17:48 < krzie> in a ccd entry?
17:48 < dupondje> yep
17:48 < krzie> is there another 192.168.3.x network anywhere?
17:48 < dupondje> no
17:48 < krzie> !configs
17:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:50 < dupondje> http://pastebin.com/d4ad3dc36
17:51 < krzie> you dont need #
17:51 < krzie> route 10.10.0.0 255.255.255.0
17:51 < krzie> which is implied by --server
17:51 < krzie> gimme logs from all 3
17:51 < krzie> !logs
17:51 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:53 < krzie> also im assuming that the router is the default gateway for the machines you are trying to access behind it
17:53 < krzie> also, the file kot_router is in ccd/kot_router, right?
17:54 < dupondje> yes
17:54 < dupondje> http://pastebin.com/d24a27bd9
17:54 < dupondje> this is log from my laptop
17:55 < dupondje> Wed May 20 00:53:49 2009 us=870846 laptop/194.78.167.235:44588 MULTI: Learn: 192.168.3.1 -> kot_router/194.78.167.235:2049
17:55 < dupondje> get this on server, seems nice no ? :x
17:55 < krzie> i need the log from when it starts
17:55 < krzie> the log you gave meant nothing
17:55 < dupondje> there i restarted the connection ... :p
17:56 < krzie> from start
17:56 < krzie> kill it, start it, send log
17:57 < dupondje> http://pastebin.com/d7149d165
17:59 < krzie> interesting
18:00 < krzie> try sniffing at the router, server, and box you are trying to access, then ping the machine you are trying to access
18:00 < krzie> see where it stops
18:00 < krzie> sounds like a firewall
18:01 < dupondje> only 1 port needs to be open @ server right ?
18:03 < dupondje> brb going to connect to router
18:03 -!- |dupondje| [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
18:04 -!- dupondje [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 104 (Connection reset by peer)]
18:04 -!- _dupondje_ [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
18:05 < krzie> oh on boxen with openvpn sniff the tun dev
18:05 < krzie> forgot to mention that
18:10 -!- _dupond3 [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
18:11 -!- |dupondje| [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 113 (No route to host)]
18:13 -!- _dupond3 [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 104 (Connection reset by peer)]
18:27 -!- _dupondje_ [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)]
18:39 -!- sprax [n=rob@65.127.188.10] has joined ##openvpn
18:44 < sprax> so my client is connecting to the server and leasing an IP but it isn't getting any gateway. Is that what "push route" is for?
18:45 < krzie> it shouldnt have a gateway being set unless you use --redirect-gateway
18:45 < krzie> !push
18:45 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:45 < krzie> so pushing a route would just add a route on the machine(s) it is pushed to
18:46 < sprax> I ran this on my client "route add 192.168.0.0 mask 255.255.255.0 192.168.0.1" and I can now ping 192.168.0.1
18:46 < sprax> I'm trying to figure out the push route command but the two examples I'm looking at have different numbers of parameters
18:46 < krzie> i highly doubt you needed 192.168.0.1 in that command
18:47 < sprax> probably not
18:47 < sprax> I'm not a routing wizard, but the command syntax said specify a gateway for a network address so I did it
18:47 < krzie> you should be looking at the manual for how many params, not examples from the web
18:47 < krzie> !man
18:47 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:47 < krzie> shouldnt the gateway be the vpn itself...
18:48 < krzie> or do you actually want the route you add with your vpn to not go over the vpn
18:48 < sprax> thanks krzie no man pages in win32
18:50 < sprax> does push make the remote client execute the command which precedes it?
18:50 < sprax> ok I think I bollocksed my grammar there...
18:50 < krzie> !push
18:50 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:51 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
18:53 < sprax> looks like route-gateway is my friend
18:55 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has left ##openvpn []
18:57 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
18:59 < krzie> not likely
18:59 < krzie> whats your actual goal
19:00 < sprax> I'm following the ethernet bridging mini-howto
19:00 < sprax> I need two distant and separate networks to appear as one
19:01 < krzie> oh you're bridging
19:01 < sprax> but right now I would settle for being able to ping the remote VPN gateway without having to manually enter a route statement
19:01 < krzie> i cant be much help there
19:01 < sprax> no worries
19:02 < sprax> I think I've got it actually but I wont know for sure till I get to work tomorrow
19:02 < sprax> they ban IRC obviously and I'm still looking for a decent shell provider
19:02 < krzie> web irc
19:02 < sprax> web sense is satan
19:03 < sprax> (its a web content filtering service)
19:03 < krzie> by ip address
19:03 < sprax> denied
19:03 < sprax> proxied into oblivion
19:04 < sprax> anyway, worse things have happened. My own lame ISP has a monopoly over the building i'm in. They have me behind a giant NAT and wont even sell me a public IP
19:04 < sprax> otherwise I would just put my debian box up and that would be that
19:34 < krzie> gotchya
19:34 < krzie> weaksauce
19:38 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
19:43 -!- blkry [n=blkry@97.95.233.232] has joined ##openvpn
20:23 < krzie> ohhhh actually i have a US postal order for $130
20:23 < krzie> doh /q
20:25 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:27 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has quit [Read error: 104 (Connection reset by peer)]
20:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
20:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
20:28 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
20:32 < endschranz> Hi, again I have a bridged VPN. It seems that a broadcast from one client doesn't reach the other clients in the VPN. Does anyone have an idea?
20:36 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:48 -!- jeiworth [n=jeiworth@189.177.35.134] has quit [Read error: 54 (Connection reset by peer)]
21:00 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:48 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:59 -!- blkry [n=blkry@97.95.233.232] has left ##openvpn []
22:44 -!- xororand [n=xororand@2001:5c0:1501:f900:0:0:0:1] has quit ["bbl"]
22:59 -!- troy is now known as troy-
23:00 -!- troy- is now known as troy
23:06 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has joined ##openvpn
23:08 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has left ##openvpn ["Leaving"]
23:12 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
--- Day changed Wed May 20 2009
00:04 -!- endschranz [n=Adium@195.16.244.188] has quit ["Leaving."]
00:12 -!- rofe [n=rofe@83.221.146.177] has joined ##openvpn
00:20 -!- rofe [n=rofe@83.221.146.177] has quit ["Leaving"]
00:20 -!- rofe [n=rofe@83.221.146.177] has joined ##openvpn
00:24 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
00:41 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
00:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:54 -!- sam_ [n=sam@222.66.224.110] has joined ##openvpn
01:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:33 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:35 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:35 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:37 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:37 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:39 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:39 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:41 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:43 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:43 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:45 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:46 -!- master_of_master [i=master_o@p549D33D7.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D33E8.dip.t-dialin.net] has joined ##openvpn
02:21 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:23 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:23 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:25 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:25 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:27 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:27 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:29 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:29 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:31 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:31 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:33 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
--- Log opened Wed May 20 07:04:02 2009
07:04 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
07:04 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal]
07:04 -!- Irssi: Join to ##openvpn was synced in 17 secs
07:08 < ecrist> morning, fuckers
07:19 -!- ashley_ [n=ashley@91-115-23-91.adsl.highway.telekom.at] has quit ["Leaving"]
07:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:04 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
08:07 -!- rofe [n=rofe@83.221.146.177] has quit [Read error: 113 (No route to host)]
08:39 -!- troy is now known as troy-
09:01 -!- kyrix [n=ashley@91-115-23-91.adsl.highway.telekom.at] has joined ##openvpn
09:04 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
09:05 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:05 < Hydrant> hello all... I'm looking at setting up some static IP's for vpn clients... I saw that I have to use the ccd directory... but I want to use static IPs from the same IP pool that dynamic IPs are drawn from, namely 10.8.x... is openvpn smart enough to not give an IP if it's static in one of the ccd files?
09:14 < Bushmills> Hydrant, seems so. i haven't had collisions
09:15 < ecrist> Hydrant: it probably is, but it's just as easy to add another subnet for the static IPs
09:15 < Hydrant> it looks smart from the logs
09:15 < ecrist> I've got two /24 subnets at our office, one is for dynamic IPs and the other is used for the static IPs.
09:16 < Hydrant> I kinda want all VPN clients to be static
09:16 < Hydrant> so I might just go that route
09:16 < Hydrant> I have been pretty impressed by how reliable openvpn is so far
09:16 < Hydrant> I've been making changes to openvpn configs (carefully) remotely and reloading them, and things have recovered well
09:17 < Hydrant> I have noticed that TTL=61 for some packets going through the VPN
09:17 < Hydrant> I wonder if that's a cause for concern or not
09:17 < Hydrant> there shouldn't be that many hops :-(
09:30 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:33 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Client Quit]
09:49 -!- martinvw [n=mwittich@193.175.26.176] has joined ##openvpn
09:52 < martinvw> Regarding the float option: what does it do in a client config? Will it cause the client to ignore server IP changes, will it cause the server to ignore client IP changes, or won't it do anything at all? Config looks like this atm: http://pastie.org/private/bed2r7w9weilsjmyj5xxva
09:59 -!- martinvw [n=mwittich@193.175.26.176] has left ##openvpn []
10:06 -!- jeiworth [n=jeiworth@189.177.35.174] has joined ##openvpn
10:16 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Excess Flood]
10:17 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
10:32 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
10:37 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)]
10:38 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
10:39 -!- troy- is now known as troy
10:39 -!- kyrix [n=ashley@91-115-23-91.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:40 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has joined ##openvpn
10:43 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
11:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:10 -!- jeiworth [n=jeiworth@189.177.35.174] has quit [Read error: 54 (Connection reset by peer)]
11:13 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has left ##openvpn ["Brain damage."]
11:14 -!- jeiworth [n=jeiworth@189.177.35.174] has joined ##openvpn
11:46 -!- jeiworth [n=jeiworth@189.177.35.174] has quit [Read error: 60 (Operation timed out)]
12:14 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
12:23 -!- jeiworth [n=jeiworth@189.234.82.72] has joined ##openvpn
12:25 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
12:28 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:29 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has joined ##openvpn
12:36 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
12:45 -!- troy is now known as troy-
12:47 -!- BoomerET [n=TheRealF@74.85.24.234] has joined ##openvpn
12:48 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
12:48 < BoomerET> I need to stop a user from using openvpn. The prior admin removed the .crt/csr/key files from easy-rsa/keys, but the user still gets in, how do I revoke this user?
12:59 < nate> http://openvpn.net/index.php/documentation/howto.html#revoke
13:00 < vpnHelper> Title: HOWTO (at openvpn.net)
13:00 < nate> been over that?
13:04 < reiffert> Landon Fuller was releasing an unpatched java exploit for OS X, jesus!
13:04 < reiffert> Hopefully we'll get a recent java on 10.4 now
13:04 < BoomerET> nate, thanks, but I get the error that the certificate can't be found, because it was deleted
13:05 < BoomerET> Yes, I'm on that page right now ( and have been for the past 20 mins or so)
13:05 < nate> mark it down as another "WTF" of ovpn..
13:05 < nate> my list is getting quite large
13:10 < reiffert> BoomerET: check your backup for the deleted .crt and .key file.
13:10 < reiffert> nate: it's a matter of openssl and not a WTF ovpn question.
13:12 < BoomerET> Ahh
13:12 < BoomerET> Thank you
13:12 < reiffert> nate: while waiting for BoomerET's backup please tell me about your wtf list..
13:13 < BoomerET> Ok, I found a few of the deleted files :)
13:14 < BoomerET> Hmm, there's a bunch of .pem files in the keys dir.
13:15 < BoomerET> Maybe I should learn more about this OpenVPN stuff :)
13:16 < reiffert> OpenSSL.
13:16 < BoomerET> Ok, I got most of them, but didn't have backups for certificates issued over 2 months ago
13:16 < BoomerET> Thanks
13:16 < reiffert> Especially the x509 part.
13:20 < reiffert> However, revoking a certificate where you dont have the crt file sounds quite impossible to me, but feel welcome to stay and await answers from people with more experience.
13:22 < reiffert> BoomerET: you might want to check /usr/share/doc/openvpn/examples/easy-rsa/**/keys/ as well
13:23 < ecrist> you don't need the CRT to revoke the certificate
13:27 -!- BadPtr [n=Mathieu@66-254-37.66.altaspectra.com] has joined ##openvpn
13:27 < BoomerET> Well, it's saying it's unable to load the certificate, so how do I revoke access without it?
13:27 < BadPtr> !configs
13:27 < vpnHelper> BadPtr: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:27 < ecrist> BoomerET: you need the CA certificate and the CA key
13:27 < ecrist> not the client certificate
13:28 < BoomerET> I have those of course
13:28 < reiffert> ecrist: from what I read you need the crt file: openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
13:31 < BadPtr> is there any option to specify the DHCP range to push to clients?
13:31 < BadPtr> I have a few clients with their own CCDs but others are using a shared key and are getting issued already assigned IPs
13:31 < ecrist> reiffert: you're right, I was reading another part of my code. :(
13:31 < ecrist> BoomerET: pull the certificate out of backups and you're good to go
13:32 < BoomerET> ecrist, I don't have them all, only a couple
13:32 < BoomerET> This goes back to the admins before me.
13:32 < ecrist> ah, that would be a mistake on your part
13:32 < ecrist> or the other admins
13:32 < BoomerET> Both
13:33 < ecrist> in your case, you need to create a new CA, and reissue certificates
13:33 < ecrist> *or* also use a secondary authentication method
13:34 < BoomerET> not as easy as just creating a new certificate w/ the same name, and revoking that :(
13:34 < ecrist> nope
13:34 < ecrist> well, you probably could do some fiddling with the index file, but you'd have to know the serial number of the certificate you wanted to revoke.
13:34 < BoomerET> I do
13:34 < ecrist> and I'm not sure that'll even work.
13:35 < ecrist> could give it a try
13:35 < ecrist> create a new certificate with the serial number in question, and revoke that.
13:36 < ecrist> the CRL really just tracks serial number and date revoked.
13:36 < BoomerET> The serial # is in the .pem files, and it also contains my user names
13:36 < ecrist> BoomerET: what OS?
13:36 < BoomerET> FreeBSD
13:37 < ecrist> there's an app some guy wrote that'll manage your keys for you
13:37 < ecrist> it's in ports, security/ssl-admin
13:37 < ecrist> it keeps all the certificates, keys, and will even zip them and a config up for your users.
13:38 < BoomerET> Thanks
13:39 < BoomerET> I'm not real strong on FreeBSD, more of a Redhat/Debian guy.
13:39 < ecrist> can't expect everyone to be perfect. :)
13:45 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
13:46 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
13:46 -!- bb_1 [n=Adium@195.16.244.188] has joined ##openvpn
13:47 < bb_1> Hi, can anyone help me redirecting 255.255.255.255 on the client to the vpn broadcast?
13:47 -!- c64zottel [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has joined ##openvpn
13:49 < bb_1> I need this because of some lan games.
13:57 < ecrist> bb_1 sure, use TAP
13:57 < ecrist> not TUN
13:57 < bb_1> ecrist: I am using tap
13:57 < bb_1> ecrist: when i ping 10.8.0.255 (vpn broadcast) the clients answer
13:58 < bb_1> when i ping 255.255.255.255 only the lan clients answer
13:58 < BoomerET> Ahhh, the XX.pem seems to be the .crt files I need!!!
13:58 < BoomerET> Success, thanks for the help.
13:58 -!- jackc [n=jackc@ma.us.nanog.net] has joined ##openvpn
13:59 -!- dazo_ [n=dazo@nat/redhat/x-df041390ac41a126] has joined ##openvpn
14:00 < jackc> what's the "right" way to setup the init scripts and confs on a debian box term'ing $several tunnels?
14:03 < ecrist> bb_1: what other clients are you expecting to answer?
14:03 < bb_1> all other clients in the vpn
14:03 < ecrist> do you have client-to-client on the server config?
14:04 < bb_1> yes
14:04 < ecrist> is the firewall allowing such traffic?
14:04 < bb_1> every client can ping every other client
14:04 < bb_1> ecrist yes
14:04 < BoomerET> ecrist, thanks so much, certs revoked, crl.pem copied to appropriate place, user not allowed in.
14:04 < ecrist> BoomerET: I'd still recommend that port, btw
14:04 < ecrist> glad you got it figured out
14:05 < BoomerET> I'll definitely look into it, appreciate the help.
14:05 < ecrist> bb_1: something's blocking the traffic
14:06 < bb_1> ecrist: when i ping 10.8.0.255 everybody in the network answers
14:06 < bb_1> ecrist: but ping 255.255.255.255 fails
14:06 < bb_1> ecrist: or doesn't affect the tap device
14:08 < ecrist> is your firewall completely disabled?
14:08 < bb_1> ecrist: yes
14:09 -!- dazo_ [n=dazo@nat/redhat/x-df041390ac41a126] has quit ["Leaving"]
14:09 -!- dazo_ [n=dazo@nat/redhat/x-642e619ee5b4898c] has joined ##openvpn
14:10 < ecrist> bb_1: either the kernel or the firewall would be blocking those packets, I think
14:10 < ecrist> !configs
14:10 < ecrist> !logs
14:10 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:10 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:10 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
14:11 -!- dazo_ [n=dazo@nat/redhat/x-642e619ee5b4898c] has quit [Client Quit]
14:11 -!- dazo_ [n=dazo@nat/redhat/x-0bac23b51de2d650] has joined ##openvpn
14:11 -!- kyrix [n=ashley@188-23-65-177.adsl.highway.telekom.at] has joined ##openvpn
14:11 < bb_1> server.conf
14:11 < bb_1> http://pastebin.com/m1b672300
14:11 -!- dazo [n=dazo@nat/redhat/x-1f91edc3c30070cd] has quit [Read error: 113 (No route to host)]
14:12 -!- troy- is now known as troy
14:12 < bb_1> client.conf http://pastebin.com/m19a03a06
14:14 -!- dazo_ is now known as dazo
14:14 -!- kyrix [n=ashley@188-23-65-177.adsl.highway.telekom.at] has quit [Client Quit]
14:16 < bb_1> openvpn.log http://pastebin.com/d5558566a
14:16 < ecrist> bb_1: can you give me the output for the tap device on the client, please
14:16 < bb_1> ecrist: one moment pls
14:17 < bb_1> ecrist: http://pastebin.com/d39837cf8
14:20 -!- bb_1 [n=Adium@195.16.244.188] has quit ["Leaving."]
14:20 -!- bb_2 [n=Adium@195.16.244.188] has joined ##openvpn
14:20 < bb_2> ecrist: any ideas?
14:21 -!- bb_2 [n=Adium@195.16.244.188] has left ##openvpn []
14:21 -!- bb_2 [n=Adium@195.16.244.188] has joined ##openvpn
14:22 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
14:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:23 < xp_prg> hi all, I have a client that is connecting to a server, they can ping each other, yet the client can't ping 10.5.5.118 but the server can, I put push "route 10.5.5.0 255.255.255.0" in the server and route shows this on the client, I am confused what the issue is, any ideas?
14:23 < ecrist> bb_2: researching
14:23 -!- BoomerET [n=TheRealF@74.85.24.234] has left ##openvpn []
14:25 < bb_2> bb_2: seems to be a client problem
14:27 < ecrist> bb_2: from the man page:
14:27 < ecrist> Don't use --server if you are ethernet bridging. Use --server-bridge instead.
14:28 < bb_2> ecrist: ok good to know, just did it for testing had server-bridge before
14:28 < ecrist> that might be your problem
14:29 < xp_prg> ecrist can you help me too? :>
14:29 < ecrist> xp_prg: I don't have nearly enough information about your config
14:29 < ecrist> what address range is your vpn using for clients?
14:29 < xp_prg> ok let me pastebin it, one sec
14:31 -!- bb_1 [n=Adium@195.16.244.188] has joined ##openvpn
14:31 -!- bb_2 [n=Adium@195.16.244.188] has quit [Read error: 104 (Connection reset by peer)]
14:31 < xp_prg> http://pastebin.com/d6c3ee8a5
14:32 < ecrist> xp_prg: you need to enable ip forwarding on the server, and make sure the traffic is allowed through the firewall
14:32 < xp_prg> ecrist how do I enable ip forwarding on the server, is that in the openvpn config?
14:33 < ecrist> no, it's an OS config
14:33 < ecrist> what OS are you using?
14:33 < xp_prg> centos/linux
14:33 < xp_prg> that is an iptables command right?
14:33 < ecrist> no
14:33 < xp_prg> is it a route command?
14:33 < ecrist> in /proc, enable ip_forwarding
14:33 < ecrist> !ipforward
14:33 < vpnHelper> ecrist: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:34 < ecrist> !linipforward
14:34 < vpnHelper> ecrist: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
14:34 < xp_prg> awesome, I will try that :>
14:34 < xp_prg> ecrist if I want my openvpn clients to use dhcp I need to use bridged mode right?
14:34 < ecrist> yes
14:34 < xp_prg> would I still need forwarding if I am doing that?
14:35 < ecrist> but simply for DHCP is a silly reason to use bridged vpn
14:35 < xp_prg> oh ok, brb, sorry
14:35 < ecrist> xp_prg: no, but bridged is harder to configure
14:47 < xp_prg> can non-bridged to dhcp?
14:48 < xp_prg> to = do
14:50 < xp_prg> well I added the 1 to ip_forward, still can't ping that server, I guess it is a firewall issue
15:13 < Bushmills> xp_prg, yes. if really necessary, check out dhcp3-relay
15:13 < xp_prg> Bushmills I am so lost with this network route stuff, can you assist?
15:14 < Bushmills> but ecrist did already. first of all, he recommended routed setup, not bridged setup.
15:14 < xp_prg> yes I am using routed setup
15:14 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:14 < Bushmills> oh, ok. i misread.
15:14 < xp_prg> I can ping the server from the client but not an external host that the server can ping
15:14 < Bushmills> !route
15:14 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:14 < xp_prg> I set up ip forwarding on the server as ecrist suggested
15:15 < xp_prg> ok
15:15 < Bushmills> http://scarydevilmonastery.net/masq
15:15 < bb_1> ecrist: thx for your help, i fixed the issue
15:19 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
15:36 -!- c64zottel [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has quit ["Leaving."]
15:47 -!- BadPtr [n=Mathieu@66-254-37.66.altaspectra.com] has left ##openvpn ["Quitte"]
16:01 -!- bb_1 [n=Adium@195.16.244.188] has left ##openvpn []
16:14 < xp_prg> got it to work :>
16:14 < xp_prg> thanks all who helped :>
16:18 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
16:34 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
16:38 -!- jeiworth_ [n=jeiworth@189.177.124.10] has joined ##openvpn
16:38 -!- jeiworth [n=jeiworth@189.234.82.72] has quit [Read error: 54 (Connection reset by peer)]
16:45 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
16:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:56 -!- troy is now known as troy-
17:00 -!- reiffert changed the topic of ##openvpn to: OpenVPN 2.1rc16 out. Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/
17:08 < krzie> whoaaa
17:08 < krzie> r16 is out...
17:08 < krzie> ill hafta checkout the changelog when i get a min
17:08 < krzie> was that today?
17:08 < reiffert> and the usual promise to get 2.1 out soon
17:08 < reiffert> 2 days ago IIRC
17:08 < krzie> nice
17:09 < krzie> thx for the headsup =]
17:09 < krzie> havnt read my email for a lil
17:11 < krzie> i pulled a straight dumbass maneuver
17:11 < krzie> forgot my pw into one of my servers
17:12 < krzie> i set it up a couple months ago and hadnt logged in since... i really should be storing them encrypted somewhere
17:13 -!- jeiworth_ [n=jeiworth@189.177.124.10] has quit [Read error: 60 (Operation timed out)]
17:13 < krzie> for someone like me who would tease someone for that, thats pretty bad
17:13 -!- troy- is now known as troy
17:13 < krzie> so i feel a need to tease myself for it, lol
17:14 < reiffert> ssh agent
17:16 < reiffert> if such a thing occurs at one of my hetzner.de servers, I could reboot the machine, boot int a rescue system with a one time password and regain whatever it needs.
17:16 < reiffert> s,int,it into,
17:17 < krzie> right, im gunna need ecrist to do that for me now, but it sucks to be a pita
17:17 < krzie> cause hes local and my only ipkvm is in san diego
17:18 < reiffert> so he's installing kernel modules that grab all your tty strokes?
17:18 < krzie> and since im in no hurry im sure he wont be mad or anything, but still i dont like to pull lameness like that
17:18 < krzie> lol nah if i didnt trust him it wouldnt be there
17:18 < project2501a> hey guys
17:19 < krzie> sup project2501
17:19 < project2501a> just to confirm please: does a timeout count as a disconnect?
17:19 < project2501a> hey krzie
17:19 < krzie> what do you mean by timeout
17:19 < reiffert> project2501a: it does not.
17:19 < project2501a> damn
17:19 < krzie> reiffert, even when its caused by a keepalive?
17:19 < project2501a> reiffert, krzie : i wanna use the --connect-client and --disconnect-client options
17:19 < project2501a> to log connections and disconnections into a database
17:20 < reiffert> e.g.
"Hey girl, bring me some coffee within the next 5 minutes" and she times out, that doesnt mean that my coffee is disconnected.
17:20 < krzie> lol!
17:20 < project2501a> heh
17:20 < project2501a> sexist comment :P
17:20 < krzie> ya we dont get many girls in here tho
17:20 < project2501a> my all-wise supervisor said that i should grep the log for connections and timeouts
17:20 < project2501a> "that is reliable"
17:20 < project2501a> i was like wtf
17:21 < reiffert> tell him to learn about the openvpn log.
17:21 < project2501a> he doesn't want to
17:21 < reiffert> and tell him further to get rid of his ancient 2.0.9 openvpn.
17:21 < krzie> thats why he pays people to do the work =]
17:21 < project2501a> hehehe
17:21 < project2501a> reiffert: about to do a dist-upgrade
17:21 < reiffert> project2501a: 2.0.9 is stable since ... 4 years.
17:22 < reiffert> 3.5?
17:22 < project2501a> reiffert: apparently he says "you don't upgrade production machines, because they are stable!"
17:22 < project2501a> reiffert: 3.5 ?
17:22 < krzie> true for many things, not for openvpn
17:22 < krzie> 3.5 yrs
17:22 < project2501a> i have been trying to introduce a 6-month upgrade cycle
17:22 < reiffert> project2501a: hell yeah, I keep an ancient 3.5 year old software just because it's stable and I need to write all scripts around missing features!
17:22 < project2501a> reiffert: hehehehee, welcome where i work
17:23 < krzie> in openvpn the latest rc is stable (in my experience, rc16 is only out for 2 days so i cant speak on that yet)
17:23 < project2501a> the other excuse is "security reasons!"
17:23 < reiffert> project2501a: 3.5 years with no security update.
17:23 < reiffert> improvement
17:23 < krzie> run 3.5 yr old software for security reasons!?
17:23 < project2501a> ok, let me give you some intro
17:23 < reiffert> openssl was broken like hell these days.
17:24 < project2501a> basically he's wonder boy for the company
17:24 < project2501a> or at least that's what he projects
17:24 < reiffert> so am I. I'm using 2.1rc15.
17:24 < project2501a> kind of guy that says "losers try, winners take home the prom queen and fuck her"
17:24 < project2501a> etc etc etc
17:24 < project2501a> very showy
17:24 < krzie> i figure real winners take her the next day when the guy who took her home is at work
17:25 < project2501a> hehe :D
17:25 < project2501a> krzie: that's what i figure as well
17:25 < krzie> the "winner" can deal with her on a daily basis, real winner just pops in on occasion ;]
17:25 < project2501a> the best description for this guy is "i am"
17:25 < project2501a> ego the size of jupiter
17:25 < krzie> hehe
17:25 < project2501a> exactly
17:25 < project2501a> i mean, ok, i understand i'm not the best out there
17:26 < project2501a> and i try to learn
17:26 < project2501a> and i don't have an elite attitude
17:26 < project2501a> no reason to
17:26 < project2501a> anyway
17:26 < project2501a> --client-connect
17:26 < project2501a> if i add client-connect to the server will the timeout count as a disconnection?
17:26 * reiffert doesnt support 2.0.9
17:27 < krzie> i think reif answered your question
17:27 < krzie> reif, what would he use in latest RC?
17:27 < reiffert> "Hey boss, they dont support 2.0.9"?
17:29 < reiffert> krzie: didnt they add some env variables to connect disconnect scripts? "script security" they were...
17:29 < krzie> i believe they did
17:30 < project2501a> i'll have to upgrade the damn thing
17:30 < project2501a> but
17:30 < project2501a> in the meantime, can you please save my ass? :D
17:30 < krzie> reiffert, but didnt you say that the timeout wouldnt trigger disconnect?
17:30 < krzie> so those scripts wouldnt run
17:30 < reiffert> krzie: you call 911 and I'll get a new superman shirt.
17:30 < project2501a> LOL
17:31 < krzie> i dunno if 911 does anything here
17:31 < project2501a> can i have indiana jones instead?
17:31 * project2501a is dead tired after 2 hours of karate practice
17:31 < project2501a> *sigh*
17:31 < project2501a> i'll just go ahead and test them
17:31 < krzie> i just asked someone from here and he said "i think it is"
17:31 < krzie> lol
17:31 < krzie> then he said "not sure if it works tho"
17:31 < krzie> (referring to 911)
17:32 < reiffert> hehe
17:32 < krzie> ive only been here 2 yrs, and i am the type to grab a gun not call 911
17:32 < project2501a> me too
17:33 < project2501a> the place i work is a very "now now now" workplace
17:33 < project2501a> maintainability is something they laugh at
17:33 < reiffert> ah, thats why Peter Tosh had to die, eh?
17:33 < project2501a> peter tosh?
17:33 < project2501a> did he die for my sins, as well?
17:34 < krzie> didnt he sing reggae?
17:34 < reiffert> read up his death, it's funny.
17:34 < project2501a> ah! steppin' razor!
17:35 < project2501a> http://www.youtube.com/watch?v=mQdui7PIgpo
17:35 < vpnHelper> Title: YouTube - Damian Marley ft Stephen Marley & Capleton - It Was Written (at www.youtube.com)
17:35 < project2501a> win
17:35 < reiffert> Legalize it ...
17:35 < reiffert> most famous Peter Tosh song ever
17:36 < reiffert> but now back to what I was about to do hours ago
17:36 < reiffert> get my last beer and smoke a cigarette and watch the sky.
17:37 < krzie> nice
17:37 * krzie switches the cig for a blunt
17:37 < krzie> in honor of the peter tosh song of course ;]
17:38 * reiffert raises the original LP
17:38 < krzie> you blaze reif?
17:39 * project2501a smoked a Cohiba Siglo II today
17:39 < project2501a> listening to righteous dub
17:39 < project2501a> no booze though
17:39 < project2501a> can't drink
17:39 < reiffert> my translator doesnt give me good explanation for to blaze?
17:39 < krzie> werd, i live in the caribbean so a cohiba is easy to get
17:39 < krzie> ahh, smoke weed
17:39 < project2501a> to toke
17:40 < krzie> its slang, i forget english isnt your first lang cause you speak it so well
17:40 < project2501a> hail mary
17:40 < project2501a> krzie: where are you from?
17:40 < reiffert> Let's say every odd year nowadays
17:40 < reiffert> +once
17:40 < krzie> california orig
17:40 < project2501a> <-- new jeruz
17:40 < krzie> ahh cool
17:40 < project2501a> newark <3
17:40 < krzie> reif, if i ever make it to .de we gotta blaze one ;]
17:41 < reiffert> sure we do!
17:41 < krzie> and drink some of Bushmills's homebrew
17:41 < krzie> !!
17:41 < vpnHelper> krzie: Error: "!" is not a valid command.
17:41 < krzie> ild like to make it to .de, its on the list
17:41 < project2501a> ich moochte Bushmill beir nicht
17:41 < project2501a> !-2
17:42 < vpnHelper> project2501a: Error: "-2" is not a valid command.
17:42 < krzie> whoa you speak german!?
17:42 < project2501a> I speak Greek, English, Spanish, Italian, German and some japanese
17:42 < krzie> damn, impressive
17:42 < project2501a> nah
17:42 < project2501a> just things i picked up
17:42 < project2501a> when you're a geek ;)
17:42 < project2501a> i call it lack of gf
17:42 < krzie> lol
17:43 < krzie> my gf is the main reason my spanish is so good
17:43 < project2501a> oy, papi
17:43 < krzie> then again she speaks spanish and we live in a spanish speaking area
17:44 < project2501a> i need some trinidad
17:44 < project2501a> especially the no 3
17:44 < project2501a> but i don't need any trinidadian women
17:44 < project2501a> away!
17:46 < reiffert> Bier, "Beir" is more like the "Bi" just like in "Bicycle" and would sound like "Bavarian"
17:47 < reiffert> "He is a real bavarian guy" - "Er ist ein Bayer"
17:47 < krzie> from what ive read german is the lang english most resembles
17:47 < krzie> in regards to sentence structure and whatnot
17:49 < reiffert> Oh should have seen Netherlands then!
17:49 < reiffert> It's a total mixture from both
17:49 < reiffert> Bushmills's talking netherlands perfectly.
17:49 < reiffert> almost
17:51 < krzie> that dude is smart as hell
17:51 < krzie> you guys met online orig?
17:51 < reiffert> jup
17:51 < project2501a> german is english + ancient greek
17:51 < project2501a> and very orthogonal.
17:51 < reiffert> when I was teaching myself programming microcontrollers, Bushmills was helping me quite a lot
17:52 -!- acton [n=tyler@li4-115.members.linode.com] has quit [Remote closed the connection]
17:53 < krzie> im careful not to say german is like english since i believe english took from german and not the other way
17:53 < reiffert> uh, time for the beer and cig now
17:53 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
17:54 < krzie> enjoy
18:04 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
18:04 -!- project2501b [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
18:17 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Remote closed the connection]
18:25 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn
18:39 < krzie> !route
18:39 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:44 < krzie> !tcp
18:44 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
18:44 < reiffert> !factoids search *
18:44 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:44 < reiffert> !factoids search **
18:44 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:44 < reiffert> !factoids search %
18:44 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:44 < krzie> =/
18:44 < reiffert> !factoids search .
18:44 < vpnHelper> reiffert: "2.1-winpass-script" is http://article.gmane.org/gmane.network.openvpn.user/24575
18:44 < reiffert> hehe
18:45 < krzie> !factoids search win
18:45 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', and 'win_ipfail'
18:46 < reiffert> !factoids search a
18:46 < vpnHelper> reiffert: 'faq', 'sample', 'insanity', 'mail', 'ask', 'winpass', 'pastebin', 'lans', 'netman', 'path', 'ssl-admin', 'tls-auth', 'samba', 'betaman', 'download', 'tap', 'mac', 'win_noadmin', 'static', 'dynamicfirewall', 'nat', 'hmac', 'winipforward', 'fragment', '2.1-winpass-script', 'activedirectory', 'iptables', 'all', 'mactuntap', 'easy-rsa-unix', 'linipforward', 'linnat', 'man', 'wintaphide',
18:46 < vpnHelper> reiffert: 'firewall', 'solaris', 'lintrafaccnt', 'fbsdjail', 'local', 'tunortap', 'shorewall', 'broadcast-relay', 'password', 'authpass', 'firestarter', 'interface', 'allinfo', 'obsdtap', 'notcompat', 'fbsdnat', 'ipforward', 'fbsdipforward', 'eurephia', 'winnat', 'samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet', 'samesubnet', 'access-server', and
18:46 < vpnHelper> reiffert: 'win_ipfail'
18:46 < reiffert> we should transfer the factoid results to privmsg, shouldnt we?
18:47 < krzie> feel free to code it =]
18:47 < krzie> its running supybot with factoids plugin
18:47 < krzie> python
18:47 < krzie> but you can get them in msg
18:47 < krzie> just need to ask the bot in msg
18:48 < krzie> and its really made for outputting to channel in most cases
18:48 < krzie> since we most often use the commands to say something to others
18:48 * reiffert = no python
18:48 < reiffert> os.exec.system("/usr/bin/perl -wle 'do whatever it take'");
18:49 < krzie> so really what you requested already exists
18:50 < krzie> you just have to use it the way you want it
18:50 < reiffert> 7topic please dont use !factoids search on the channel, use /msg vpnHelper !hi instead?
18:50 < krzie> [msg(vpnHelper)] factoids search ##openvpn win
18:50 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] 'winroute', 'winpass',
18:50 < krzie> 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script',
18:50 < krzie> 'wintaphide', 'wins', 'win7', 'winnat', and 'win_ipfail'
18:53 < krzie> nobody but us uses factoids search anyways
18:53 < krzie> at least not that ive ever seen
18:54 * krzie expects a flood of randoms to use it once they read that
18:54 < krzie> lol
20:00 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:00 < Dougy> hey
20:06 < krzie> heyyyyyy
20:06 < krzie> hoooo
20:07 < krzie> heyyyyyy
20:07 < Dougy> :(
20:07 < krzie> hoooo
20:07 * krzie waves his arms in the air
20:07 < Dougy> i have the flu
20:07 < Dougy> :<
20:07 < krzie> swine flu?
20:07 < Dougy> i hope not
20:07 < krzie> you know it hit NY
20:07 < Dougy> nj too
20:07 < krzie> at least made it there
20:08 < Dougy> http://bergennow.com/index.php/20090520321/Fort-Lee/Fort-Lee-NJ-New-Jersey-swine-flu-school-closed-closing-Board-of-Education.html
20:08 < vpnHelper> Title: Fort Lee school shut due to swine flu to remain closed past Memorial Day | Fort Lee : Bergen County News : New Jersey : NJ : Bergen County Newspapers (at bergennow.com)
20:08 < Dougy> thats only a few mins away
20:08 < krzie> so THATS what bergen is
20:08 < Dougy> ??
20:09 < krzie> bergenhosting
20:09 < krzie> i had no clue what bergen was
20:09 < Dougy> oh
20:09 < Dougy> you could've asked
20:09 < Dougy> lol
20:09 < krzie> i also coulda googled
20:09 < krzie> but yanno, didnt matter
20:09 < Dougy> box still runnin?
20:09 < krzie> aye
20:09 < Dougy> good
20:09 < krzie> slowly installing my mailserver
20:09 < Dougy> decently quick ?
20:10 < krzie> its as good as it needs to be
20:10 < krzie> buildworld took like all day, but its not like that matters
20:10 < krzie> not exactly a daily activity
20:10 < Dougy> its an old celeron, what do you expect
20:10 < Dougy> lol
20:10 < krzie> right
20:10 < krzie> and honestly i could run the mailserver on a p1 and it would be fine
20:11 < Dougy> p1 lol
20:11 < Dougy> i think build world would break it
20:11 < krzie> umm, no
20:11 < krzie> i ran fbsd on p1
20:11 < krzie> works fine
20:11 < Dougy> oO
20:11 < Dougy> omg :(
20:11 < Dougy> i have this nasty cough that hurts like a mfoo
20:11 < Dougy> mofo
20:11 < krzie> hehe you're too young to remember when p1 was the best around
20:12 < Dougy> wasnt p1 befor eme
20:12 < Dougy> before me
20:12 < krzie> but it was once like "ooooo thats a pentium!"
20:12 < krzie> hrm, it very well may have been
20:12 < Dougy> there's a commodore 32 in my attic
20:35 -!- troy is now known as troy-
20:35 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:54 -!- troy- is now known as troy
20:55 -!- FirstSgt [n=chris@68-118-209-12.dhcp.omak.wa.charter.com] has joined ##openvpn
20:55 < FirstSgt> !howto
20:55 < vpnHelper> FirstSgt: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:56 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
21:00 -!- mRCUTEO [i=IRCLUNAT@58.26.212.155] has joined ##openvpn
21:01 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
21:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
21:09 < mRCUTEO> hiya all
21:09 < mRCUTEO> tjz :D
21:09 < mRCUTEO> krzie
21:09 < mRCUTEO> L:D
21:11 -!- mRCUTEO [i=IRCLUNAT@58.26.212.155] has quit []
21:13 < FirstSgt> i can't ping the tun0 (server's) ip.
it says operation not permitted
21:18 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
21:53 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
23:28 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
23:29 -!- troy [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
23:31 -!- troy [n=troy@worldnet.tauri.ca] has joined ##openvpn
--- Day changed Thu May 21 2009
00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:17 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 60 (Operation timed out)]
00:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
00:49 -!- endra [n=endra@unaffiliated/endra] has joined ##openvpn
00:49 < endra> hey
00:49 < endra> !logs
00:49 < vpnHelper> endra: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
00:49 < endra> !configs
00:49 < vpnHelper> endra: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:50 < endra> !redirect
00:50 < vpnHelper> endra: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:50 < endra> !ipforward
00:50 < vpnHelper> endra: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
00:50 < endra> !linipforward
00:50 < vpnHelper> endra: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
00:50 < endra> mattafucka
00:50 < endra> i knew my config was right
00:50 < endra> this is the most helpful bot i've ever seen.
00:52 < endra> !nat
00:52 < vpnHelper> endra: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
00:52 < endra> !linnat
00:52 < vpnHelper> endra: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:53 < endra> sweet, trying now, brb
00:53 -!- endra [n=endra@unaffiliated/endra] has quit [Client Quit]
01:05 -!- endra [n=endra@unaffiliated/endra] has joined ##openvpn
01:05 < endra> hey
01:05 < endra> is anyone around at this time
01:05 < endra> someone once told me openvpn would work on port 53 (udp) wherever you are able to resolve hosts using a custom DNS server
01:06 < endra> like nslookup google.com 4.2.2.1
01:07 < endra> openvpn works great now but when I try it on this one specific wireless connection, which does allow such a dns lookup, I get these errors in client console: Authenticate/Decrypt packet error: missing authentication info
01:07 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has
joined ##openvpn
01:13 < dan__t> openvpn[26575]: client1/70.190.236.151:41501 MULTI: bad source address from client [192.168.143.128], packet dropped
01:13 < dan__t> hmmm
01:13 < dan__t> Yet I don't want to use redirect-gateway
01:13 < dan__t> I just want this one specific route through openvpn
01:24 < dan__t> Yep that blows.
01:30 < dan__t> What the FUCK.
01:30 < dan__t> Thank you, ambiguity.
01:31 -!- endra [n=endra@unaffiliated/endra] has quit [Read error: 110 (Connection timed out)]
01:36 < dan__t> krzzzzieieiziezieieiee wake up.
01:46 -!- master_of_master [i=master_o@p549D33E8.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D3D3D.dip.t-dialin.net] has joined ##openvpn
02:01 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
02:22 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
02:31 < dan__t> Just read your article at http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing, krzie. Does not appear to help my particular situation.
02:31 < dan__t> Even when using iroute
02:32 < tjz> hey guys
02:34 < dan__t> Hi.
02:39 < dan__t> Fuckit. Bedtime.
02:39 < dan__t> Later.
02:45 < dan__t> Or not. God damnit.
02:47 < dan__t> So...
02:59 < tjz> lol
03:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:32 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
03:41 -!- aditsu [n=aditsu@aworklan002071.netvigator.com] has joined ##openvpn
03:42 < aditsu> hi, what is a "challenge password"? (when running build-key)
03:49 < dazo> aditsu: a password so difficult it will challenge you for the rest of your life whenever you need to remember it? :-P
03:52 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
03:54 < aditsu> har har
04:05 < aditsu> nobody knows?
04:05 < aditsu> another question: how can I delete a certificate?
04:32 < aditsu> what is the "database" that it updates every time I build a new client key?
04:46 -!- c64zottel [n=hans@p5B17B1A8.dip0.t-ipconnect.de] has joined ##openvpn
04:46 -!- aditsu [n=aditsu@aworklan002071.netvigator.com] has quit ["Chatzilla 0.9.75.1 [SeaMonkey 1.1.16/2009040213]"]
04:46 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:48 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
05:19 -!- aditsu [n=aditsu@aworklan002071.netvigator.com] has joined ##openvpn
05:20 < aditsu> how can I add, change or remove a client password in linux?
05:26 -!- nemysis [n=ne