--- Day changed Thu Jan 01 2009 00:36 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 01:54 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"] 02:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:13 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 04:36 -!- gfather [n=g@77.241.65.48] has joined ##openvpn 04:36 < gfather> haappy new yeaaaaaaaar :) 04:55 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn 04:56 < mRCUTEO> happey new ya 05:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 05:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:12 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [] 06:28 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 07:05 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection] 07:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:28 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 08:56 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 09:08 < ecrist> fwiw, the named.root file has been updated (newest revision is 12/12/2008) in which they've added an AAAA record for L.ROOT-SERVERS.NET. 09:23 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: Pagautas 09:24 -!- Netsplit over, joins: Pagautas 09:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 11:32 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn 11:32 < Mahmoud> any freely available vpn setup that uses openvpn? 11:34 < Mahmoud> i recall one available, but can't get its correct name 11:38 < reiffert> "setup"? 11:38 < Mahmoud> a free vpn provider 11:39 < reiffert> "any freely available vpn a free vpn provider that uses openvpn"? 11:39 < reiffert> sorry, but I dont get you. 
11:39 < Mahmoud> hmmmm 11:40 < Mahmoud> similar to free shared web hosting providers. there are some vpn providers 11:40 < Mahmoud> i want a vpn provider that uses openvpn's client to connect to it 11:40 < Mahmoud> there is one, pretty sure, but forgot its name 11:41 < reiffert> I have no idea which free shared web hosting provider offers vpn access. 11:41 < Mahmoud> aghh 11:41 < Mahmoud> this is not what i asked 11:41 < Mahmoud> what i want is only a free vpn provideer (i don't care about websites) 11:57 < reiffert> still no idea 12:58 < ebf0> Mahmoud: I get you, but I dont know of any 13:04 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has joined ##openvpn 13:04 < Balzac21> Hi. I have openvpn going and I've set my iptables right so that all traffic is properly in nat. On my end (vista) it still won't tunnel properly and won't connect to the internet 13:27 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has quit [Connection timed out] 14:38 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 15:13 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 15:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)] 15:55 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out] 16:26 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 16:28 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 16:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:17 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 17:19 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"] 17:24 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn 17:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 18:15 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 18:20 -!- Determinist [n=lior@unaffiliated/determinist] has quit 
["Leaving..."] 18:20 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 18:35 -!- gfather [n=g@77.241.65.48] has quit [Read error: 110 (Connection timed out)] 18:55 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Remote closed the connection] 18:55 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn 19:02 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:12 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 20:10 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 21:04 -!- solj [n=solj@layer9.ices.utexas.edu] has joined ##openvpn 21:04 < solj> !menu 21:04 < vpnHelper> solj: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 21:05 < solj> hi, i'm having some trouble with getting certain keys to work 21:06 < solj> i have some client keys working, but others that were generated the same way are not 21:06 < solj> i'm getting a generic TLS timeout message on the client 21:08 < krzie> !logs 21:08 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 21:08 < krzie> on one that doesnt work 21:14 < solj> krzie: k, i'll get back to you in a bit 21:14 -!- solj [n=solj@layer9.ices.utexas.edu] has left ##openvpn [] 21:19 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn 21:37 < krzie> lol 22:05 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn 22:11 < tjz> any malaysian on streamyx? 22:12 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Remote closed the connection] 22:15 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn 22:18 < Skiz> so I have a tunnel set up between my mac and a remote debian system running openvpn which I can connect to fine. My issue is the masquerading (I think..) 
I'm trying to set my default route so that all of my traffic is sent through the tunnel by default, but it seems that I can make connections to only the server itself and the nat doesnt work. http://pastie.org/private/thqkl7syh02xd3n7mpbyw is some configs and specs. Any ideas would be 22:26 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:29 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 22:29 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn 22:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:32 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 22:33 < tjz> hey !!! 22:33 < mRCUTEO> hiya tjz 22:33 < mRCUTEO> hehe 22:33 < tjz> haha 22:33 < tjz> Happy new year 22:33 < tjz> :) 22:33 < mRCUTEO> happy new year to you too :D 22:35 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit [Client Quit] 22:45 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:47 < Skiz_> so I changed my dns push to the same address as the vpn end tun0 ip, I have bind running, and I can now do lookups, but cannot connect to any (even though my default route is still my standard wifi here at the house. there is also now a 0/1 route with my tun0 gateway which bewilders me. 22:47 < Skiz_> yet I'm still on irc :S 22:47 -!- Skiz_ is now known as Skiz 22:49 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 22:49 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn 22:49 < Skiz_> so I changed my dns push to the same address as the vpn end tun0 ip, I have bind running, and I can now do lookups, but cannot connect to any (even though my default route is still my standard wifi here at the house. there is also now a 0/1 route with my tun0 gateway which bewilders me and everything starts getting dropped. 
22:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Connection timed out] 23:05 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 60 (Operation timed out)] 23:07 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 23:08 -!- ropetin_ is now known as ropetin 23:09 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn 23:18 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, AndyML, Mahmoud, disco-, hiptobecubic, Skiz, bigjohnto, mepholic, smk, Solver, (+14 more, use /NETSPLIT to show all of them) 23:21 -!- Netsplit over, joins: Skiz, ropetin, Mahmoud, mepholic, troy-, justdave, phlax, imbezol, Solver, jpalmer (+5 more) 23:26 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, AndyML, Mahmoud, disco-, Skiz, mepholic, Solver, phlax, dogmeat, jabular, (+5 more, use /NETSPLIT to show all of them) 23:28 -!- Netsplit over, joins: Skiz, ropetin, Mahmoud, mepholic, troy-, justdave, phlax, imbezol, Solver, jpalmer (+5 more) 23:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:28 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn 23:28 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has joined ##openvpn 23:28 -!- int [n=quassel@wikia/int] has joined ##openvpn 23:28 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn 23:28 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has joined ##openvpn 23:28 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn 23:28 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn 23:28 -!- smk [n=scott@cobra.httpd.org] has joined ##openvpn 23:31 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Remote closed the connection] 23:34 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn 23:39 < tjz> omg 23:39 < tjz> what happen 23:39 < dvl> a net split. 
23:40 < tjz> hmm 23:40 < dvl> followed by a rejoin 23:40 < tjz> do you know why i can't auto join #openvpn ? 23:40 < tjz> under "perform" 23:40 < tjz> in irc client 23:40 < dvl> I don't even know what IRC client you are using. 23:41 < dvl> Normally, there is a field for channels you want to join. 23:49 < Skiz_> try it with 2 #'s 23:49 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 23:56 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 131 (Connection reset by peer)] 23:56 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn --- Day changed Fri Jan 02 2009 00:10 < tjz> welcome back 00:10 < tjz> hehe 00:11 < tjz> let me try with 2 #'s 00:11 < tjz> brb 00:11 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"] 00:11 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn 00:11 < tjz> doesn't auto join to openvpn 00:26 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 00:27 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit [Client Quit] 00:31 < krzee> tjz 00:32 < krzee> your client needs to auth to nickserv before joining 00:32 < krzee> mine can do that auto 00:32 < krzee> but im using xchat aqua for osx 00:41 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 00:51 < tjz> i have auto auth setup under "option" > "perform" for my mirc 00:51 < tjz> :( 00:51 < tjz> it works for another irc network 00:51 < tjz> not this 00:51 < tjz> :( 00:51 < tjz> :) 01:25 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 01:29 < tjz> welcome 01:50 < ropetin> Hi-de-ho all 01:51 < krzee> tjz 01:51 < krzee> just cause it auto-auths doesnt mean it waits for the auth to be successful to join channels 01:51 < krzee> wassup rope 01:52 < ropetin> Meh, just trying to get motivated for work krzee, how're you? 01:53 < tjz> lol rope 01:53 < tjz> doesn't make sense.. 
01:53 < ropetin> tjz: what doesn't? 01:54 < tjz> i run the auth first before the auto join to openvpn channel 01:54 < ropetin> Which client? 01:54 < tjz> i am using mirc client 01:55 < ropetin> How're you doing the authentication? Do you have it configured in the server config or are you running it as a post connection command? (I may be confused, haven't used mIRC for long time) 01:57 < tjz> lol 01:57 < tjz> what i did is "/msg NickServ identify xxx" 01:57 < tjz> to auth 01:58 < tjz> under connect > option > perform 01:58 < tjz> when on connect 01:58 < tjz> hmm 01:58 < tjz> actually.. 01:59 < tjz> not really important 01:59 < tjz> just ranting 01:59 < tjz> :P 01:59 < ropetin> Hehhe, ok 01:59 < ropetin> I'd recommend using irssi, works like a champ :D 02:06 < tjz> x_x 02:06 < tjz> <- on windows xp 02:18 < tjz> :P 02:20 < ropetin> Luckily they have a version for Windows :) 02:21 < ropetin> Nicely packaged in an .exe, right on the home page 02:29 < ropetin> Meh, Mutt is driving me nuts 02:52 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 03:01 -!- DigitallyStoned [i=digitall@191.sub-75-203-176.myvzw.com] has joined ##openvpn 03:01 < DigitallyStoned> !route 03:01 < vpnHelper> DigitallyStoned: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 03:02 < DigitallyStoned> ok i have a weird problem with routing 03:02 < DigitallyStoned> is anyone descent at it? 
03:03 < ropetin> Depends what the problem is :) 03:03 < DigitallyStoned> ok i have pfsense with openvpn setup 03:03 < DigitallyStoned> it connects fine 03:03 < DigitallyStoned> my default lan is on a 10.0.0.0/16 and my VPN is on a 10.0.2.0/26 03:04 < DigitallyStoned> i can ping 10.0.0.1 *default gateway* and hit the box, i can hit 10.0.0.2 and get its interface 03:04 < DigitallyStoned> 10.0.0.3 thru 10.0.0.255 i cannot see 03:04 < DigitallyStoned> i have a push "route 10.0.0.0 255.255.0.0" setup for my vpn config 03:04 < DigitallyStoned> dns and all works 03:04 < DigitallyStoned> just cant access via telnet or http any device above 3 03:05 < DigitallyStoned> really weird 03:05 < ropetin> You have forwarding set up on the vpn server? 03:06 < DigitallyStoned> when you say forwarding youre talking about the local lan pool correct right? for a remote vpn connection? 03:07 < ropetin> Well let me take step back, what OS is your vpn server? 03:07 < DigitallyStoned> its running on pfsense 03:07 < DigitallyStoned> so openbsd 03:07 < DigitallyStoned> and i have my default lan rules set for any 03:07 < DigitallyStoned> so any tcp/udp connection is accepted 03:07 < DigitallyStoned> i can ping both 10.0.0.1 and 10.0.0.2 via vpn 03:08 < ropetin> Hmmm, no experience with any bsd, but on Linux if I want to connect to something 'beyond' the VPN server I have to set an iptables masquerade rule to forward the traffic, as well as make sure ip forwarding is enabled 03:08 < DigitallyStoned> yeah thats all enabled on the box 03:08 < DigitallyStoned> nat rules are in place 03:09 < ropetin> .1 and .2 are interfaces on the server? 
03:09 < DigitallyStoned> no 03:09 < DigitallyStoned> .1 is the server 03:09 < DigitallyStoned> .2 is a remote power boot device connected to the switch at .3 03:09 < DigitallyStoned> its a cisco switch 03:09 < ropetin> Weird then that you can get to that but nothing else 03:09 < DigitallyStoned> yeah thats what i thought 03:09 < DigitallyStoned> the route locally on this machine shows 10.0.0.0 network 255.255.0.0 using interface 10.0.2.5 03:09 < ropetin> Hmmm, only thing I can say is double check your netmasks are correct, other than that, I'm stumped 03:09 < DigitallyStoned> which is right 03:10 < ropetin> Well one thing, your netmasks overlap, correct? 03:10 < ropetin> Is that intentional? 03:10 < DigitallyStoned> do they? 03:10 < DigitallyStoned> oh shit youre right 03:11 < DigitallyStoned> shoulda been 10.2 03:11 < DigitallyStoned> crap 03:11 < DigitallyStoned> let me change that 03:11 < DigitallyStoned> hold 1 03:11 < ropetin> :D 03:11 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 03:12 < DigitallyStoned> haha 03:12 < DigitallyStoned> holy shit 03:12 < DigitallyStoned> my fault 03:12 < DigitallyStoned> i screwed that one up 03:12 < ropetin> It worked? 03:13 < DigitallyStoned> yeah 03:13 < DigitallyStoned> i screwed that u 03:13 < DigitallyStoned> up 03:13 < DigitallyStoned> 10.2.0.0 was supposed to be the net not 10.0.2.0 03:14 < ropetin> Excellent 03:14 < DigitallyStoned> heh 03:14 < DigitallyStoned> thanks for pointing that out else idda been scratching my head all day 03:15 < ropetin> NP, I'm good at catching the easy sutff :) 03:15 < DigitallyStoned> its what i get for playing halo 2 all the time 03:15 < DigitallyStoned> youd like the setup i made here though 03:16 < DigitallyStoned> i had like 100 cat5 cables running all over my house to a few different routers 03:16 < DigitallyStoned> now its all meshed 03:16 < DigitallyStoned> on an A channel 03:16 < ropetin> Just for fun? 
03:16 < DigitallyStoned> no i finally intergrated my hardware 03:16 < DigitallyStoned> i have 2 50mb circuits coming in 03:16 < DigitallyStoned> i used pfsense to multiwan them 03:17 < DigitallyStoned> i tried it on centos and it halfassed worked 03:17 < DigitallyStoned> pfsense is totally worth dedicating one old server to it 03:17 < ropetin> In your house? 03:17 < DigitallyStoned> yeah 03:17 < ropetin> You're either in Japan, Korea, or just really rich, right? 03:18 < DigitallyStoned> Alabama 03:18 < DigitallyStoned> and no not rich 03:19 < DigitallyStoned> can i set a secondary remote server in my ovpn file? 03:19 < ropetin> What service gives you 50mb? And what's the upstream rate like? 03:19 < ropetin> Secondary as a backup? Or just a second one? 03:19 < DigitallyStoned> as a backup 03:19 < DigitallyStoned> upstream is only 4mb 03:20 < ropetin> Never done that, but you have the option of multiple servers yes 03:21 < ropetin> But it will only connect to one at a time, unless you put them in their own config file 03:21 < DigitallyStoned> happen to know the syntax? 03:21 < DigitallyStoned> well i dont need more than 1 03:21 < DigitallyStoned> its the saem server, just 2 different IPs 03:22 < ropetin> I think it's the same format, you just put them below each other. It tries the first, if that fails, it tries the second 03:22 < ropetin> !man 03:22 < vpnHelper> ropetin: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
03:23 < DigitallyStoned> blah ill have to figure out how to make openvpn bind to the 2nd interface on the server 03:25 < ropetin> :D 03:27 < DigitallyStoned> i think i just need to add the port to the opt1 interface 03:27 < DigitallyStoned> we will see 03:28 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 03:30 < DigitallyStoned> yep 03:30 < DigitallyStoned> thats all i have to do 03:30 < DigitallyStoned> sweet 03:33 -!- DigitallyStoned [i=digitall@191.sub-75-203-176.myvzw.com] has quit [] 03:53 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 03:57 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 04:34 < bsdbandit> i have installed openvpn 2.0.9 on openbsd 4.4 and when trying to start openvpn it just hangs here is my log file http://pastebin.com/m3a4b1dce 04:34 < bsdbandit> can someone help me out 04:34 < reiffert> Moin! 04:44 < bsdbandit> what do you think it could be 04:44 < bsdbandit> ? 04:48 -!- mRCUTEO [n=IRCLUNAT@118.101.177.69] has joined ##openvpn 04:48 < mRCUTEO> hey krzee u there ? :) 04:52 < krzee> hey 04:52 < krzee> moin reif 04:53 < krzee> !factoids search bsd 04:53 < vpnHelper> krzee: 'bsdnat', 'freebsd', 'fbsdbridge', and 'fbsdjail' 04:53 < bsdbandit> i have installed openvpn 2.0.9 on openbsd 4.4 and when trying to start openvpn it just hangs here is my log file http://pastebin.com/m3a4b1dce 04:53 < mRCUTEO> can ou help me correct my english sentence just one :) . 
here it is: 04:53 < krzee> mRCUTEO, yes 04:53 < mRCUTEO> New students intake registration now until 8 January 2009 04:53 < krzee> bsdbandit, 04:53 < krzee> !configs 04:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:54 < bsdbandit> !configs 04:54 < vpnHelper> bsdbandit: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:54 < krzee> mRCUTEO, i need context, can you show me the surrounding text in pastebin? 04:54 < mRCUTEO> okay hold on 04:56 < mRCUTEO> its just 2 sentences actually 04:56 < mRCUTEO> an announcment 04:56 < mRCUTEO> http://pastebin.com/m4c8bca50 04:57 < mRCUTEO> the announcement looks a lil error 04:57 < mRCUTEO> frament(consider revising) error in ms word 04:57 < krzee> New students may begin intake registration now until 8 January 2009. 04:57 < krzee> ya, you needed a helping verb 04:57 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 60 (Operation timed out)] 04:58 < mRCUTEO> aha thats sounds better 04:58 < mRCUTEO> :) thanks 04:58 < krzee> np =] 05:01 < mRCUTEO> New students begin intake registration now until 8 January 2009 ? Will this sounds okay too krzee? 05:02 < ropetin> mRCUTEO: are you trying to say that new students CAN begin registration between now and 8th, or WILL? 
05:02 < krzee> in other words you want to get rid of the word may 05:03 < krzee> may is another word for can, and i believe one of them belong in the sentence for the reason ropetin is saying 05:03 < krzee> may is more formal, which is why i chose it 05:04 < mRCUTEO> im trying to say the new student intake registration day is today until 8th 05:04 < krzee> you are trying to say they can register between now and the 8th 05:05 < mRCUTEO> yes 05:05 < mRCUTEO> the new intake student 05:05 < mRCUTEO> cn register now until 8th.. 05:05 < mRCUTEO> New student intake registration begins now until 8 January 2009 <-- how about this one 05:05 < mRCUTEO> is the student in plural or sinmgular 05:06 < krzee> if you dont want to use what i said, why ask me? 05:06 < krzee> singular in this tense 05:06 < mRCUTEO> no, u give me the ight word actually the word begin in the sentence 05:06 < mRCUTEO> *right 05:07 < mRCUTEO> but my sentence still jumble up 05:07 < reiffert> Register or die until Jan 8. 05:07 < mRCUTEO> :P 05:07 < krzee> New students must register between now and Jan 8 05:07 < krzee> is prolly more correct 05:07 < mRCUTEO> aha thats more like it 05:07 < reiffert> Dont register until Jan 8 and I have a nice time without you! 
05:07 < mRCUTEO> yeah thats more simple 05:08 < mRCUTEO> New students must register between now and Jan 8 <-- this one better 05:08 < mRCUTEO> :) 05:08 < krzee> i like reif's 05:08 < mRCUTEO> thanks 05:08 < krzee> register or die 05:08 < krzee> lol 05:08 < mRCUTEO> :) 05:08 < reiffert> New students must register next door/floor, so I can bring my money home 05:08 < krzee> register by jan 8th or you will be a failure 05:08 < mRCUTEO> hehe 05:08 < reiffert> or fail 05:09 < krzee> epic fail for those who do not register by jan 8th 05:10 < mRCUTEO> english words are very tricky 05:10 < mRCUTEO> :) 05:10 < krzee> especially irc based 05:10 < krzee> haha 05:10 < mRCUTEO> haha :D 05:10 < krzee> irc has its own slang 05:11 < mRCUTEO> my oh my 05:11 < krzee> its lulz to say epid faily on irc 05:11 < krzee> epic fail 05:12 < krzee> if you say lulz or epid fail in real life, people will just look at you funny 05:12 < mRCUTEO> ehehe 05:12 < mRCUTEO> yeah very very tricky 05:12 * mRCUTEO dont even know how to speak fluent english in daily life 05:12 < mRCUTEO> lol.. 05:13 < krzee> you do fine on irc 05:13 * mRCUTEO too much billingual 05:13 < mRCUTEO> i speak mostly in chinese language and spanish.. so sometimes its hard to intereprate it in english 05:13 < krzee> my spanish is getting much better 05:14 < mRCUTEO> oh good :) 05:14 < krzee> ive been in a spanish speaking country going on 2 yrs 05:14 < reiffert> buenas nodches 05:14 < reiffert> buenas tardes 05:14 < krzee> quiero nochos 05:14 < krzee> nachos 05:14 < reiffert> commo estas? 05:14 < mRCUTEO> my spanish is philippine spanish 05:14 < krzee> but they speak tagalog 05:14 < mRCUTEO> yes mix with spanish 05:14 < mRCUTEO> tagalug and spanish mixing 05:14 < krzee> sip sippin mo yun titiko 05:15 < krzee> i only know how to say it, not spell it 05:15 < mRCUTEO> you know how to speak tagalug too? 05:15 < krzee> a friend taught me that yrs ago 05:15 < krzee> nope 05:15 < krzee> thats all i know 05:15 < mRCUTEO> oh.. 
05:15 < mRCUTEO> :) 05:15 < krzee> did it seem right? 05:16 < krzee> all i know in german is plutz and moin 05:16 < mRCUTEO> it sounds like suloh 05:16 < mRCUTEO> *sulog 05:16 < krzee> oh and sitzen 05:16 < mRCUTEO> i dont know any german language hehe 05:16 < krzee> reif does 05:16 < mRCUTEO> but my language main is chinese 05:17 < reiffert> krzee: plutz? 05:17 < krzee> primary language 05:17 < krzee> plutz = lay down 05:17 < reiffert> krzee: platz 05:17 < krzee> my mom sometimes trains her dogs in german 05:17 < krzee> ahh 05:17 < reiffert> so your german neighbour got a dog? 05:17 < mRCUTEO> oh :) 05:17 < krzee> nope, its from mama 05:17 < krzee> she trains search and rescue dogs 05:17 < krzee> to find lost people 05:17 < mRCUTEO> :) 05:18 < reiffert> krzee: ah but why the german lang then? 05:18 < krzee> german commands are more harsh sounding 05:18 < mRCUTEO> your mum a german? 05:18 < krzee> plus nobody else giving commands to their dogs can confuse a new dog 05:18 < krzee> nope, mom is italian but from usa 05:18 < mRCUTEO> ic 05:18 < reiffert> A friend is lawyer, he's from czech republic. He's got a danish mastiff and all the boy knows is czech language.... 05:19 < mRCUTEO> hehe 05:19 < krzee> i think my german neighbor is moving out =/ 05:19 < krzee> which sucks cause hes cool 05:19 < mRCUTEO> :-) 05:20 < mRCUTEO> do you have chinese people living in your area? 05:20 < krzee> nope 05:20 < krzee> i seen like 5 asians the whole time i been here 05:20 < mRCUTEO> ic where they from? 05:20 < krzee> which sucks, i love asian women 05:20 < reiffert> I guess asian people are under 1% here. 05:20 < krzee> mRCUTEO, no idea, only saw them 05:21 < mRCUTEO> oh... 1% really in which area is that? 
05:21 < krzee> under 1% here too 05:21 < krzee> caribbean 05:21 < mRCUTEO> ic 05:21 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 05:21 < reiffert> mRCUTEO: center of germany, mainz, next to frankfurt 05:22 * mRCUTEO checking google maps :D 05:22 < reiffert> http://maps.google.de/maps?f=q&hl=de&geocode=&q=mainz&sll=51.151786,10.415039&sspn=13.468074,28.300781&ie=UTF8&ll=50.035974,8.261719&spn=13.788082,28.300781&t=h&z=5 05:22 < vpnHelper> Title: Google Maps (at maps.google.de) 05:22 < mRCUTEO> aha 05:22 < mRCUTEO> :) 05:24 < mRCUTEO> very big city 05:24 < mRCUTEO> beautiful cities too.. 05:25 < mRCUTEO> in my country i can only see trees, hills, small buildings, ruins and jungles.. 05:25 < reiffert> I'm living countryside in a small village 05:25 < mRCUTEO> reiffert: u know where is borneo? 05:25 < reiffert> mRCUTEO: something with the apes? 05:26 < reiffert> next to Malaysia 05:26 < mRCUTEO> yes, just as i expected you're going to say that :) 05:26 < krzee> mRCUTEO, that sounds like a nice place 05:26 < mRCUTEO> thats my home 05:26 < mRCUTEO> i live here in borneo.. 05:27 < mRCUTEO> and nobody will believe if i said i'm now online using a T-1 line on a tree house.. 05:27 < mRCUTEO> :) 05:27 < krzee> hahahah 05:27 < reiffert> Ah, Borneo is the whole Island? 05:27 < mRCUTEO> ripleys believe it or not :) 05:27 < krzee> badass 05:27 < mRCUTEO> yes 05:27 < mRCUTEO> im in north borneo the most primitive among all the areas.. 05:28 < mRCUTEO> you see anaconda, beast, giant spider,, crocodiles.. 05:28 < reiffert> 16 inhabitants per square km 05:28 < mRCUTEO> but i get used to the environment alreeady.. 05:29 < mRCUTEO> tjz is my neighbour a sea away from borneo 05:30 < mRCUTEO> tjz from singapore which is more modernized country than borneo.. 05:30 < mRCUTEO> borneo is primitive and wild.. 05:31 < mRCUTEO> i wish i could go to europe someday... or USA maybe someday.. 05:33 < mRCUTEO> most people thought that the natives in borneo are cannibals.. 
yes our ancestors are cannibal and our friends are some cannibals too but we still surfing the net using ADSL or T-1 line or DS3 from the tree house :D 05:34 < mRCUTEO> ripleys believe it or not :) 05:34 < krzee> ever tried human? 05:34 < krzee> i prolly would if it were being served in a place i was at and it was normal there 05:34 < krzee> im curious how it is 05:35 < mRCUTEO> human meat taste like chicken actually... 05:35 < mRCUTEO> if you cook it well it taste like roasted lamb 05:35 < krzee> ahh 05:35 < mRCUTEO> my friend cook his half-dead neighbour once.. and serve to us .. 05:36 < mRCUTEO> well in borneo there is one tradition here 05:36 < mRCUTEO> when they serve you human flesh you must consume it.. 05:36 < mRCUTEO> otherwise you show unrespect to them .. 05:36 < krzee> ahh 05:36 < mRCUTEO> and they will cutthroat you.. 05:37 < krzee> but what if the serve you chicken? 05:37 < mRCUTEO> well tell them i prefer KFC 05:37 < mRCUTEO> lol.. 05:37 < mRCUTEO> and they will ask you buy them a barrel of roasted KFC 05:38 < mRCUTEO> ;lol.. 05:38 < krzee> hahah 05:38 < mRCUTEO> nah.. things are different already around here.. :) 05:38 < mRCUTEO> mostly head hunters are working executive nowadays 05:38 < mRCUTEO> they cannibals and cuthroat stuff is now a legend in borneo :) 05:40 < mRCUTEO> only those who live deep in the trackless forest i think still do cannibals stuff 05:40 < mRCUTEO> i dunno, im a stranger in my own country really :P 05:52 < mRCUTEO> krzee: is your mother tongue is english ? 
05:56 * mRCUTEO brb 05:56 -!- mRCUTEO [n=IRCLUNAT@118.101.177.69] has quit [] 05:59 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn 06:14 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Read error: 60 (Operation timed out)] 08:12 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 09:33 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 10:46 -!- ITguru [n=ITguru@5ac10611.bb.sky.com] has joined ##openvpn 10:47 < ITguru> what can cause a client to keep dropping its connection, and restarting every 5 seconds 10:47 < ecrist> a bad network connection, a firewall not keeping 'state' on udp sessions. 10:50 * ITguru goes to check if it's udp .... 10:50 < ITguru> ecrist, no, it's tcp 10:50 < ecrist> !tcp 10:50 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 10:52 < ITguru> ecrist, about 50% of my clients are behind proxies/firewalls that prevent udp connections 10:56 < ITguru> and it is still working fine for other clients 10:58 < ecrist> so, just one client is having a problem? 11:01 < ITguru> yes - mine! 11:02 < ecrist> how many clients? 11:02 < ITguru> i've tried on three diffrent computers, one linux, one, mac, and one windows - the only thing they have in common is the wireless connection they use 11:03 < ITguru> and the connection keeps restarting one each platform 11:04 < ecrist> have you tried with the same computer on a different connection? 11:04 < ITguru> ecrist, no - i was just thinking that 11:04 < ecrist> I think you're running into the problem discussed in the link above. 11:06 < ITguru> i've used this connections for weeks, wierd that it's just started 11:06 < ITguru> but I'll try to check from a diffrent connection 11:31 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn 11:32 < kim0> Hi .. 
I am an "openvpn client" to 2 different VPNs using openvpn same port 1194 .. it connects to one .. but the second says the port is busy !??! 11:32 < kim0> Why does a client need to open a server port 11:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:37 -!- ITguru [n=ITguru@5ac10611.bb.sky.com] has quit [Read error: 110 (Connection timed out)] 11:41 -!- itguru [n=ITguru@5ad4bfc4.bb.sky.com] has joined ##openvpn 11:42 < itguru> how can i get an openvpn client session to output stuff to a log file, so I can find the reason for the disconnections? 11:43 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"] 11:44 -!- itguru [n=ITguru@5ad4bfc4.bb.sky.com] has quit [Remote closed the connection] 11:44 < kim0> itguru: openvpn --config file.con 11:57 -!- kim0 [n=kimoz@unaffiliated/kim0] has left ##openvpn ["Konversation terminated!"] 12:32 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 14:00 -!- thefish [n=thefish@unaffiliated/thefish] has quit [Read error: 104 (Connection reset by peer)] 15:03 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn 15:04 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit [Client Quit] 15:05 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn 15:06 < heemboi> can anyone help with iptables? 
15:06 < krzee> !iptables
15:06 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:07 < krzee> !linfw
15:07 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:07 < krzee> oh they are same, lol
15:08 -!- xattack [i=xattack@132.248.108.239] has quit []
15:11 < heemboi> I want only two ips on my internal network to access the vpn
15:12 < krzee> heemboi, the vpn is outside the LAN, right?
15:12 < heemboi> right
15:12 < krzee> theres an easier way
15:12 < krzee> just break routing
15:12 < krzee> connect a client from inside the LAN
15:12 < krzee> then do NOT add the route back to vpn to the router
15:12 < krzee> only to the other machine in the lan
15:12 < krzee> other than that, follow !route
15:12 < krzee> !route
15:12 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:13 < krzee> where we deviate from the plan there is the FINAL step: "adding routes outside of openvpn"
15:13 < heemboi> i don't want any clients configured to connect to the vpn
15:13 < krzee> you will choose not to add it to the default gateway, but to the individual machines, so the vpn cannot access any machine you did not give a route back to
15:13 < heemboi> im using a router as a client
15:13 < krzee> welp, have fun with iptables then
15:13 < krzee> heh
15:13 < krzee> bbl, getting food
15:13 < heemboi> lol
15:14 < heemboi> i know, i've read a fre docs
15:14 < heemboi> and my head is hurting
15:14 < heemboi> few*
15:15 < heemboi> im using this script
15:15 < heemboi> http://www.dd-wrt.com/wiki/index.php/VPNC
15:15 < vpnHelper> Title: VPNC - DD-WRT Wiki (at www.dd-wrt.com)
15:16 < heemboi> iptables -A FORWARD -o tun0 -j ACCEPT
15:16 < heemboi> iptables -A FORWARD -i tun0 -j ACCEPT
15:16 < heemboi> iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
15:16 < heemboi> is what i added
15:16 < heemboi> now all the clients can access the vpn
15:17 < heemboi> i only want two ips to access the vpn
15:17 < heemboi> i bet iptables can do it, i just cant figure it out :\
15:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:13 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
17:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
17:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
17:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
18:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:47 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
18:48 < mRCUTEO> hiya all
18:50 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
18:53 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
19:24 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Success]
19:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
19:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
20:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
20:35 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
20:36 -!- aia [n=aia@unaffiliated/aia] has quit [Client Quit]
20:37 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
20:42 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
20:43 * tjz swim in
20:52 < tjz> !help http proxy
20:52 < vpnHelper> tjz: Error: There is no command "http proxy".
20:52 < tjz> !help proxy
20:52 < vpnHelper> tjz: Error: There is no command "proxy".
20:52 < tjz> !proxy
20:52 < vpnHelper> tjz: Error: "proxy" is not a valid command.
20:52 < tjz> !http
20:52 < vpnHelper> tjz: Error: "http" is not a valid command.
20:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
20:57 < tjz> hmm
20:57 < tjz> i change from udp to tcp for my openvpn
20:57 < tjz> trying to get http proxy to work
21:01 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
21:06 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
21:08 < tjz> to use http proxy, we will just change protocol from "udp" to "tcp" on both server & client
21:08 < tjz> anything else need to add?
21:09 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
21:14 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [Connection timed out]
21:20 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
21:21 < tjz> Hi rope~
21:22 < ropetin> Evenin'
21:25 < tjz> Have you tried using openvpn w/ http proxy?
21:26 < ropetin> No, in fact I've actively avoided it. Are you having problems?
21:26 < tjz> i haven't tried configuring one before
21:26 < tjz> i went to change protocol from udp to tcp
21:26 < tjz> that is what i changed
21:27 < tjz> why do you avoid it?
21:29 < ropetin> Extra steps cause extra problems I guess
21:30 < tjz> x_x
21:32 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out]
22:21 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
22:49 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
23:00 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)]
23:13 < tjz> hey jeff
--- Day changed Sat Jan 03 2009
00:03 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
02:28 -!- xs7 [n=xs7@84.255.141.67] has joined ##openvpn
02:29 < xs7> where to connect to use openvpn ?
02:38 < tjz> openvpn.net
02:38 < tjz> get an openvpn gui
02:54 < xs7> I have openvpn installed but donno where it is in the menus ?
03:12 < tjz> openvpn gui?
03:23 -!- xs7 [n=xs7@84.255.141.67] has quit [Read error: 110 (Connection timed out)]
04:39 -!- prxtien [n=pro@ppp121-45-145-36.lns11.adl6.internode.on.net] has joined ##openvpn
04:53 -!- prxtien [n=pro@ppp121-45-145-36.lns11.adl6.internode.on.net] has quit ["Leaving"]
05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:10 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: krzee, troy-
05:11 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
05:11 -!- Netsplit over, joins: troy-
05:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
05:45 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
05:52 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
06:17 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has quit ["Leaving."]
06:23 -!- xs7 [n=xs7@77.69.132.211] has joined ##openvpn
06:25 < xs7> vpn , how ? I need to create a vpn connection.
06:26 < xs7> Fedora 10, need vpn to a free server. openvpn installed but donno how to access it !!
06:51 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
07:12 -!- xs7 [n=xs7@77.69.132.211] has quit ["Leaving"]
09:06 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."]
09:47 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
10:53 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
11:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 54 (Connection reset by peer)]
11:34 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
11:35 < mRCUTEO> !menu
11:35 < vpnHelper> mRCUTEO: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
11:35 < mRCUTEO> :D
11:35 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Client Quit]
12:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
12:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:48 -!- desrt [i=desrt@ubuntu/member/desrt] has left ##openvpn []
14:14 -!- ikevin [n=kevin@ANancy-256-1-136-9.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
14:15 -!- ikevin [n=kevin@ANancy-256-1-41-4.w90-26.abo.wanadoo.fr] has joined ##openvpn
15:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:49 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:27 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
18:56 < reiffert> Moin
19:06 < krzie> moin
19:12 < reiffert> happy new year
19:15 < krzie> same to you
19:16 < reiffert> did hunting after presents for all of your girls work out?
19:16 < krzie> yup
19:16 < krzie> ogot them all my favc perfume/lotions
19:17 < krzie> got them all my fav perfume/lotions
19:17 < krzie> i figure theres a few benefits to that
19:17 < krzie> i cant forget who got what, and ill always smell the same no matter who im with
19:18 < reiffert> Alright, Lizzy's going to get Fanny's perfume, Fanny's deserving Pam's lotion, Pam's going to get ...
19:18 < krzie> haha
19:18 < reiffert> hehe
19:18 < krzie> they all got victorias secret love spell
19:18 < reiffert> Hopefully they all love it "O)
19:18 < reiffert> :)
19:18 < krzie> hehe yup
19:18 < krzie> they should after they see what ill do to them when they wear it
19:18 < krzie> i LOVE that shit
19:19 < reiffert> hehe
19:21 < reiffert> I'm trunk, going to get some illuminations
19:21 < krzie> huh?
19:21 < reiffert> trunk -> bed
19:21 < reiffert> bed -> dreaming -> illumination
19:21 < krzie> ahhh
19:21 < reiffert> bed -> wakeup -> world domination
19:22 < krzie> hahah
19:22 < krzie> pinky and the brain style?
19:22 < reiffert> nahhh, more the insane way ..
19:23 < reiffert> inventing a wheel that everybody needs, saving me one cent per habitant
19:25 < krzie> ive always wondered why people say they dont want to re-invent the wheel
19:25 < krzie> the wheel has been re-invented many times
19:25 < krzie> improved upon and whatnot
19:28 < reiffert> profit doesnt sound too well for reinventing the wheel, does it?
19:29 -!- cj [n=cjac@66.152.65.2] has joined ##openvpn
19:29 < cj> moo
19:29 < reiffert> bar
19:29 < reiffert> and goodnight
19:30 < cj> how do I tell openvpn to keep trying to establish connection when it fails?
19:30 < cj> (windows, if that matters)
19:31 < cj> when the system starts, the wireless interface isn't reliable. it eventually comes up, but by then, openvpn has given up
19:32 < krzie> !man
19:32 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:32 < krzie> 1sec
19:32 < krzie> its something with retry in it
19:33 < reiffert> Set n to "infinite" to retry indefinitely.
19:33 < cj> thanks. I'll look through tfm, then
19:33 < krzie> --connect-retry n
19:33 < krzie> For --proto tcp-client, take n as the number of seconds to wait between connection retries (default=5).
19:33 < krzie> hopefully you arent using tcp tho
19:33 < krzie> By default, --resolv-retry infinite is enabled. You can disable by setting n=0.
19:33 < cj> no :)
19:33 < krzie> hopefully you didnt override that either
19:34 < krzie> you prolly want
19:35 < krzie> --persist-tun, --persist-key
19:35 < krzie> but it looks like for udp it should be retrying forever unless you overrode it
19:35 < krzie> !configs
19:35 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:36 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
19:37 < krzie> nite reif
19:38 < cj> krzie: it retries resolving the hostname, not establishing the link
19:38 < cj> but with no default route, it seems to not work
19:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)]
19:39 < krzie> !configs
19:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:50 -!- gleblanc [n=chatzill@75.108.33.75] has joined ##openvpn
19:50 < gleblanc> Howdy folks
19:50 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
19:51 < gleblanc> I've got the following trying to generate keys on my OpenVPN server
19:51 < gleblanc> http://geeks.pastebin.com/d2ea2d112
19:53 < gleblanc> I'm not sure where it's getting /usr/local/ssl/openssl.conf
19:53 < gleblanc> Nor what path it is that it's not finding
19:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
19:53 < krzie> you edited and loaded vars.bat right?
19:54 < krzie> looks like you're using unix scripts in windows
19:55 < gleblanc> Yes, I have
19:55 < gleblanc> They're .bat files
19:55 < gleblanc> Here's the contents of build-key
19:56 < gleblanc> http://geeks.pastebin.com/d6cc620f6
19:56 < gleblanc> If I do a wee bit of editing, I can do the following, which still seems not right
19:57 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\Athens.key -out %KEY_DIR%\Athens.csr -config %KEY_CONFIG%
19:57 < gleblanc> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
19:57 < krzie> show me the contents of vars.bat
19:58 < gleblanc> http://geeks.pastebin.com/d7457fe92
19:58 < gleblanc> I changed some capitalization to make it easier to read
19:59 < krzie> type echo %KEY_CONFIG%
20:00 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>echo %KEY_CONFIG%
20:00 < gleblanc> openssl.cnf
20:01 < krzie> weird
20:01 < krzie> echo %HOME%
20:02 < gleblanc> ooh, that's fuxed
20:02 < krzie> then check echo %ProgramFiles%
20:02 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>echo %HOME%
20:02 < gleblanc> C:\Program Files\OpenVPN\easy-rsa
20:02 < gleblanc> I looked at it twice before, and just now caught it
20:02 < krzie> which is likely where your problem is
20:03 < krzie> so in vars.bat modify set HOME line
20:03 < gleblanc> Can I just hard-code it?
20:04 < krzie> yup
20:04 < krzie> with ""'s
20:04 < krzie> to handle the spaces
20:04 < krzie> so like
20:04 < krzie> %ProgramFiles%
20:04 < krzie> err
20:04 < krzie> set HOME=%ProgramFiles%\OpenVPN\easy-rsa
20:04 < krzie> should be
20:04 < gleblanc> Don't need to double-escape the \ or anything?
20:04 < krzie> set HOME="P:\Program Files (x86)\OpenVPN\easy-rsa"
20:05 < krzie> does vars.bat currently escape the \'s?
20:05 < krzie> theres your answer for that...
20:06 < gleblanc> That doesn't cut the mustard, apparently
20:06 < krzie> works for me...
20:06 < gleblanc> Well, I still get the warning about being unable to locate /usr/local/ssl/openssl.conf
20:06 < krzie> C:\Documents and Settings\Administrator>set HOME="P:\Program Files (x86)\OpenVPN
20:06 < krzie> \easy-rsa"
20:06 < krzie> C:\Documents and Settings\Administrator>echo %HOME%
20:06 < krzie> "P:\Program Files (x86)\OpenVPN\easy-rsa"
20:07 < krzie> you re-ran vars.bat, right?
20:08 < krzie> then checked that %HOME% looks right?
20:08 < gleblanc> yes
20:08 * gleblanc turns echo on
20:09 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
20:10 < gleblanc> Here's the command with echo on
20:10 < gleblanc> http://geeks.pastebin.com/d262fd81
20:11 < gleblanc> (sorry about the funky line-wraps, cmd.exe isn't very smart)
20:11 < krzie> ya
20:11 < krzie> just make KEY_CONFIG a full path
20:12 < gleblanc> I'd not mind, but it also says "unable to write 'random state'"
20:12 < krzie> its not reading your openssl.conf so everything after that is irrelevant for now
20:13 < gleblanc> ah
20:14 < gleblanc> http://geeks.pastebin.com/d3866d28e
20:14 < gleblanc> Still behaves the same
20:15 < krzie> paste me the contents of openssl.conf
20:20 < gleblanc> http://geeks.pastebin.com/d3cec0b04
20:21 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:28 < krzie> i dunno man
20:28 < krzie> you even caught me at a random lucky time im actually on a windows machine
20:29 < krzie> but i have no clue where its getting /usr/local/ssl/openssl.cnf from
20:29 < gleblanc> Hooray for Windows Smoking Crack!
20:30 < gleblanc> Thanks for your help, I'm sure I'll beat it in to submission eventually
20:30 < krzie> if you have a unix box handy you may have an easier time
20:30 < krzie> np
20:30 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
20:31 < gleblanc> I might give it a try on a 32-bit windows box
20:32 < gleblanc> The linux box handy is so old I'm scared to change anything
20:39 -!- RoFLKOPTr [n=nnscript@c-76-102-188-76.hsd1.ca.comcast.net] has joined ##openvpn
20:39 < RoFLKOPTr> Windows 7?
20:40 < RoFLKOPTr> it refuses to load the TAP driver due to "known incompatibilities"
20:40 < RoFLKOPTr> The only info I can find about the error says to get a driver that's compatible with my OS.
20:41 < RoFLKOPTr> anybody know of any registry hacks or anything that work in Vista that I could try in 7?
20:47 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
20:47 < mepholic> guys
20:47 < mepholic> how do you get openvpn to work on windows 7 pre-beta
20:47 < mepholic> help plz
20:47 < mepholic> >:3
20:55 < RoFLKOPTr> mepholic i already asked
20:55 < RoFLKOPTr> way 2 b late
20:56 < mepholic> o
20:56 < RoFLKOPTr> late
21:06 < krzie> ive never even heard of windows 7
21:06 < krzie> you should prolly take that one to the mail list
21:06 < krzie> !mail
21:06 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
21:07 < dvl> !crl
21:07 < vpnHelper> dvl: Error: "crl" is not a valid command.
21:07 < dvl> vpnHelper: what good are ya?
21:07 < vpnHelper> dvl: Error: "what" is not a valid command.
21:08 < dvl> !revoke
21:08 < RoFLKOPTr> lol
21:08 < vpnHelper> dvl: Error: "revoke" is not a valid command.
21:09 < dvl> slow too...
21:14 < ropetin> Windows 7? People are already expecting software to work with a pre-release OS?!
21:15 < ropetin> Try the Vista directions I guess
21:15 < ropetin> Evnin' by the way
21:18 < RoFLKOPTr> Well... it's not like I'm coming in here bitching about the fact that it's not working.
21:18 < ropetin> :D
21:19 < ropetin> Which is good
21:19 < ropetin> Are you running Windows 7 as your primary OS?
21:20 < RoFLKOPTr> I understand that this is a pre-release OS, but so far, anything that's worked for Vista (drivers or otherwise) has worked perfectly in 7... and I think the TAP drivers would, too, if it weren't for 7 being all "drr i refuse to load this driver due to known incompatibilities"
21:20 < RoFLKOPTr> yes, I am... I know it's not the best idea, lol, but 7 broke my Vista installation when I was trying to install it on my other hard drive
21:20 < ropetin> Ahh, so they explicitly deny you from using the driver now, rather than giving you the option?
21:21 < ropetin> Hehhe, ok
21:21 < RoFLKOPTr> only for the TAP driver
21:21 < RoFLKOPTr> for some reason
21:21 < ropetin> Mean MS!
21:21 < RoFLKOPTr> all other drivers gave me the option
21:21 < RoFLKOPTr> but this one refuses to load
21:21 < ropetin> That sucks
21:21 < RoFLKOPTr> yeah
21:21 * ropetin offers to loan RoFLKOPTr an Ubuntu CD...
21:21 < ropetin> ;)
21:22 < ropetin> I hear it works out of the box in Linux...
21:22 < RoFLKOPTr> >:[
21:22 < RoFLKOPTr> lol
21:22 < ropetin> But I say that as I type away on my Windows laptop
21:23 < ropetin> (although I am SSHd into my Linux server, so that makes up for it)
21:23 * RoFLKOPTr h8 linux for home use
21:23 < RoFLKOPTr> Wine and Cedega suck
21:23 < RoFLKOPTr> and I'm a gamer
21:23 < ropetin> RoFLKOPTr: I guess it depends what 'home use' is
21:23 < RoFLKOPTr> so, no Linux on my computer
21:23 < RoFLKOPTr> lol
21:23 < RoFLKOPTr> yeah
21:23 < ropetin> Yeah, if you like PC gaming, Windows is the way to go
21:23 < RoFLKOPTr> I guess
21:24 < ropetin> If Microsoft ever release Flight Simulator for Linux I'd never use Windows again
21:24 < RoFLKOPTr> lmao
21:24 < RoFLKOPTr> which is why they will never do that
21:24 < ropetin> I'm only slightly into the game, but some of the people I've spoken to online are obsessed with it
21:25 < ropetin> Way worse than WoW players
21:25 < ropetin> It's scary sometimes
21:25 < RoFLKOPTr> lol
21:25 < RoFLKOPTr> I enjoy flight sims... don't see how they could be as obsessing as MMOs though...
21:25 < ropetin> They spend $10,000 on insane spec PCs, 3 huge monitors, real flight controls, just so they can pretend to fly a plane
21:26 < RoFLKOPTr> I HAVE AN IDEA
21:26 < RoFLKOPTr> GO BUY A PLANE
21:26 < ropetin> :D
21:26 < RoFLKOPTr> for the amount of time and money they put into those huge rigs, they might as well
21:26 < ropetin> Well it would certainly buy a few lessons, thats for sure
21:26 < RoFLKOPTr> lol
21:28 < RoFLKOPTr> a private license usually costs about $30k after it's all said and done
21:28 < RoFLKOPTr> with all the hours of instruction and soloing
21:28 < RoFLKOPTr> and then money for tests and such
21:28 < ropetin> Not too bad then
21:29 < ropetin> Considering
21:29 < RoFLKOPTr> considering you can make a real career that pays a lot of money out of it
21:29 < RoFLKOPTr> lol
21:29 < ropetin> I'll get my check book
21:30 < ropetin> My understanding is most (all?) commercial pilots get their training in the military, it's the only way they can get enough flight hours in multi-engined jets
21:30 < RoFLKOPTr> though that $30k is for people who do it in 3 weeks and are flying for hours every day
21:31 < RoFLKOPTr> it costs an extra $10-20k if you only go for a few hours a week just because you don't get as much practice... ends up taking you longer to get a hold of it
21:31 < RoFLKOPTr> yeah, most commercial pilots came out of the military... free training on the best equipment in the world
21:31 < RoFLKOPTr> lol
21:32 < RoFLKOPTr> plus, if they've been flying military jets for a living for 10 years, that's all they know how to do anymore
21:35 < dvl> can the crl.pem file be empty? It seems not.
21:36 < ropetin> Nope, if you're using it, it needs something in it
21:37 < dvl> So you have to revoke something first. How odd.
21:48 < ecrist> dvl - yes and no
21:48 < krzee> just comment it out til you need something revoked
21:48 < krzee> kinda makes sense to me...
21:48 < ecrist> you can generate an empty file, but it has to be signed.
21:49 < ecrist> ssl-admin should be able to do it for you, otherwise let me find the command.
21:49 < krzee> ahh, that i didnt know =]
21:49 < dvl> ecrist: hold, not that important. I can get away without it until I need to do it.
21:51 < ecrist> openssl ca -gencrl -out crl.pem -config openssl_config
21:51 < ecrist> and, it *is* in the latest version of ssl-admin. ;)
21:51 * ecrist is out for the night.
21:52 < ecrist> going to write how-to for Mac OS X HFS+ disk quotas
21:53 < krzee> gnite ecrist
21:54 < tjz> nite ecrist
21:56 < dvl> trying
21:58 < dvl> can't find my openssl_config
22:01 < dvl> installing /usr/ports/security/ssl-admin
22:02 -!- apo [n=apo@pD9E7F2AC.dip.t-dialin.net] has joined ##openvpn
22:02 < apo> Hi \o
22:02 < apo> !route
22:02 < vpnHelper> apo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
22:11 * apo stares. I think I won't bother...
22:13 < krzee> vpns are advanced networking, you're expected to know some about networking and be willing to read docs to set one up
22:17 < apo> krzee: But I don't think I can tell my cheap router to change its routing tables ;)
22:18 < krzee> how many computers on the lan behind the cheap router?
22:19 < apo> 10 or so. But since I'm pretty much just playing around here, I'm too lazy to add the routes to every box.
22:19 < krzee> cool *shrug*
22:19 < apo> Indeed
22:19 < krzee> up to you
22:22 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
22:26 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
23:17 < ecrist> dvl - the openssl.cnf you used with easy-rsa
23:18 < mepholic> ok
23:18 < mepholic> this is bad
23:18 < mepholic> i've resorted to pen and paper to keep track of my vpn
23:19 < mepholic> anybody know of any good programs that you can easily make a map of a network with?
23:19 < ecrist> dia on linux/bsd
23:19 < ecrist> omnigraffle for mac
23:20 < mepholic> forgot about dia
23:20 < mepholic> :<
23:20 < mepholic> thanks
23:22 < ecrist> np
23:24 < mepholic> ahahhaha
23:24 < mepholic> this is perfect
23:24 < mepholic> thanks
23:30 < ecrist> np
23:32 < cj> srsly
--- Day changed Sun Jan 04 2009
00:06 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
00:25 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn
01:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:09 -!- RoFLKOPTr [n=nnscript@c-76-102-188-76.hsd1.ca.comcast.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
02:58 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
03:25 -!- apo [n=apo@pD9E7F2AC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
04:23 -!- mRCUTEO [n=info@124.82.101.32] has joined ##openvpn
04:24 -!- mRCUTEO [n=info@124.82.101.32] has quit [Client Quit]
04:25 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
04:28 -!- mRCUTEO [n=info@96.9.131.183] has quit [Client Quit]
04:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
05:43 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
05:45 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
05:48 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
07:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:10 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:51 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
09:31 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
09:42 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
09:42 < tjz> any reason why we should change from "tun" to "tap"?
09:43 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:44 < smerz> Can i throw a stupid question out there: Is a dual core 2ghz cpu with 2 gb ram sufficient to move 100mbps?
09:48 < reiffert> The stupid answer is: maybe.
09:49 < smerz> :D
09:50 < smerz> if anyone has plenty of users on their openvpn server and would like to share cpu/mem usage compared to network throughput i'd appreciate it
09:50 < reiffert> plenty?
09:51 < smerz> well
09:51 < smerz> make it 10 for a small sized server and 400 for a big one
09:52 < smerz> im really just looking for hardware spec that can handle 100mb/s
09:52 < reiffert> Sounds interesting, I hope someone on that channel runs such a setup
09:53 < reiffert> You can try the mailing list as well
09:54 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
09:55 < smerz> i dropped a message out there already. i got a small detail mixed up :-) but hopefully someone can help me out yeh
10:25 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:28 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
10:42 < gleblanc> Can anybody build-key using 2.1rc15 on Windows?
10:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:45 < gleblanc> I can't get it to run properly, on any machine I've tried so far
10:49 < smerz> hmm it works sweet on linux
10:54 -!- smerz [n=daniel@smerz.demon.nl] has quit ["good night folks"]
10:55 < gleblanc> It complains that it can't find /usr/local/ssl/openssl.cnf
10:56 < gleblanc> Actually, it does that on any build-* script
11:20 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
11:40 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
12:00 < gleblanc> How about this error?
12:01 < gleblanc> 4088:error:0200107B:system library:fopen:Unknown error:.\crypto\bio\bss_file.c:1
12:01 < gleblanc> 26:fopen('"c:\Program Files\OpenVPN\easy-rsa\openssl.cnf"','rb')
12:29 -!- gleblanc_ [n=chatzill@75.108.33.75] has joined ##openvpn
12:47 -!- gleblanc [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)]
13:23 -!- gleblanc_ [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)]
13:45 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit ["Caught sigterm, terminating..."]
13:50 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: mcp, cj, justdave, AndyML, disco-, hiptobecubic, pa, smk, Typone, Solver, (+14 more, use /NETSPLIT to show all of them)
13:52 -!- Netsplit over, joins: Determinist, roentgen, krzee, cj, ikevin, pa, troy-, smk, dvl, int (+14 more)
14:05 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection]
14:41 -!- Irssi: ##openvpn: Total of 39 nicks [0 ops, 0 halfops, 0 voices, 39 normal]
15:17 < mepholic> Is there a way I could do sort of like
15:17 < mepholic> eh
15:18 < mepholic> meshed routing with openvpn?
15:18 < mepholic> kind of complex
15:18 < mepholic> but so like
15:19 < mepholic> traffic in the vpn is peer to peer instead of going through the vpn server
15:19 < mepholic> so all the vpn server really does is sits there and kind of
15:19 < mepholic> holds everything together
15:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:34 -!- zigovr3 [n=zig@sju13-4-88-161-83-90.fbx.proxad.net] has quit ["Client exiting"]
15:40 < Tykling> you'll need a tunnel between the peers that should talk directly to each other, I have a fully meshed openvpn net but it requires everyone to have tunnels to everyone else, and so there are as many vpn servers as there are peers
16:05 -!- gleblanc [n=chatzill@75.108.33.75] has joined ##openvpn
16:09 -!- gleblanc_ [n=chatzill@75.108.33.75] has joined ##openvpn
16:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
16:27 -!- gleblanc [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)]
16:32 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Read error: 110 (Connection timed out)]
16:33 < mepholic> oh god lol
16:47 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 110 (Connection timed out)]
16:53 -!- hiptobecubic is now known as hiptobobcubic
16:55 -!- hiptobobcubic is now known as hiptobecubic
17:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:31 -!- gleblanc_ [n=chatzill@75.108.33.75] has quit [Read error: 104 (Connection reset by peer)]
18:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
19:10 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
19:13 < krzie> !tcp
19:13 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:33 < hiptobecubic> mepholic, why?
19:35 < mepholic> hiptobecubic, lets say
19:35 < mepholic> we have some users that are in michigan
19:35 < mepholic> and some users that are in brazil
19:35 < mepholic> and some users that are in germany
19:35 < krzie> i missed the orig question
19:35 < mepholic> the vpn server is in chicago
19:36 < mepholic> germany to chicago to brazil isnt very practical
19:36 < hiptobecubic> mepholic, ah.
19:36 < mepholic> or brazil to chicago and back to brazil
19:36 < krzie> the best thing for that i can think of is to have a server in each location, and link them together to make 1 seamless vpn
19:36 < mepholic> thats about 500ms
19:36 < hiptobecubic> krzee, ++
19:36 < hiptobecubic> krzie,
19:37 < krzie> (im both)
19:37 < mepholic> krzie, i'm getting an EU server soon
19:37 < mepholic> the ping between the eu server and the chicago server is like
19:37 < mepholic> 80ms i think
19:37 < mepholic> so nice and fast
19:38 < krzie> wow, thats amazing pin for intercontinental
19:38 < krzie> ping
19:38 < mepholic> yeah
19:45 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
20:14 < mepholic> ok, one of my users just formatted his computer and lost his key
20:15 < mepholic> i should revoke that certificate, correct?
20:15 < mepholic> also, can i use the same common name again?
20:16 < krzie> if it wasnt compromised you dont need to revoke
20:17 < krzie> and yes you can reuse the cn
20:18 -!- RoFLKOPTr [n=RoFLKOPT@c-76-102-188-76.hsd1.ca.comcast.net] has joined ##openvpn
20:18 < RoFLKOPTr> why hello thar
20:19 < RoFLKOPTr> just thought I'd let you guys know that the problems I was having with Windows 7 were due to my idiocy
20:19 < mepholic> lol'd
20:19 < RoFLKOPTr> I was trying to install the old (like, 1.x something) beta GUI from that third-party site
20:19 < mepholic> ok RoFLKOPTr we're good
20:19 < RoFLKOPTr> so it had V8 TAP drivers instead of V9
20:20 < mepholic> use the same cn
20:20 < RoFLKOPTr> k
20:21 < RoFLKOPTr> anyways, if anybody else comes in here asking about a "This version of OpenVPN does not work with Windows." error from the beta installer, tell them to run it as admin and in compatibility mode for Vista.
20:32 < krzie> ahh thx
20:33 < RoFLKOPTr> lol
20:55 -!- Inside [n=nowhere@unaffiliated/inside] has joined ##openvpn
20:55 -!- Inside [n=nowhere@unaffiliated/inside] has left ##openvpn []
21:03 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn
21:05 < Jason404> if there is no Vista support Windows 7?
21:07 < RoFLKOPTr> o wait
21:07 < Jason404> no, Windows Server 2008
21:07 < RoFLKOPTr> 2008 server
21:07 < RoFLKOPTr> yeah
21:07 < RoFLKOPTr> k
21:08 < Jason404> i suppose if it works on Vista, it will work on 2008?
21:08 < Jason404> like drivers
21:08 < RoFLKOPTr> well, I'm using 2.1rc15 on Windows 7... just had to run the installer in compatibility mode for Vista
21:08 < RoFLKOPTr> so
21:08 < Jason404> same new TCP/IP stack etc
21:08 < RoFLKOPTr> theoretically, it should work on 2008 the same way
21:09 < Jason404> ah cool. thanks RoFLKOPTr
21:09 < Jason404> is that RC15 very stable?
21:09 < Jason404> any idea when final comes out?
21:09 < RoFLKOPTr> well... I've only been using it today, lol. Haven't really put it through anything rigorous
21:09 < RoFLKOPTr> but it's working so far
21:09 < Jason404> ok
21:09 < RoFLKOPTr> and nobody I know of has had any issues
21:11 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
21:26 < krzie> AW_BOT exit
21:26 < krzie> !exit
21:26 < vpnHelper> krzie: Error: "exit" is not a valid command.
21:35 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
21:39 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn
21:56 < krzie> !sample
21:56 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:56 < krzie> ok...
21:58 < onats> hello
21:58 < onats> happy new year
22:03 -!- RoFLKOPTr [n=RoFLKOPT@c-76-102-188-76.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
22:27 -!- lzhang [n=lzhang@rrcs-67-78-33-170.sw.biz.rr.com] has joined ##openvpn
22:27 < lzhang> hello
22:27 < lzhang> right now my vpn is connecting via 2 interfaces, I just need it to connect on tun0
22:28 < lzhang> I don't have much knowledge of networking, can someone give me a hint on how to disable vpn on one of the interfaces?
22:48 < lzhang> nvm I got it working thanks guys
22:48 -!- lzhang [n=lzhang@rrcs-67-78-33-170.sw.biz.rr.com] has left ##openvpn []
--- Day changed Mon Jan 05 2009
00:13 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:27 < reiffert> snow. tons of snow.
02:50 < mepholic> Mon Jan 05 02:52:53 2009 us=234000 Cannot load certificate file xt0rt.crt: error:0906B06B:PEM routines:PEM_get_EVP_CIPHER_INFO:not proc type: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
02:50 < mepholic> uh what
02:50 < mepholic> this is windows btw
02:52 < krzee> !configs
02:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:52 < mepholic> this same config has worked with 12 other clients
02:53 < krzee> check time/date on both machines
02:53 < mepholic> why ._.
02:55 < mepholic> -xt0rt- TIME Mon Jan 05 02:57:50
02:55 < mepholic> Mon Jan 5 02:55:01 CST 2009
02:55 < mepholic> him vs server time
02:55 < mepholic> its not like this is kerberos
02:55 < mepholic> :<
02:55 < krzee> time matters
02:55 < mepholic> how much?
02:55 < mepholic> also, wh
02:55 < mepholic> y
02:56 < krzee> im watching a movie
02:56 < krzee> google that
02:56 < krzee> !configs
02:56 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:56 < krzee> bbl, will check back to see the configs
03:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:15 -!- xs7 [n=xs7@84.255.188.196] has joined ##openvpn
03:20 < xs7> I installed openvpn, but donno if there is any GUI for it ? where ?
03:21 -!- krzee is now known as AW_BOT
03:24 -!- AW_BOT is now known as krzee
03:26 < reiffert> :)
03:29 < simplechat> xs7, there is
03:29 < xs7> simplechat: cannot find it in KDE
03:29 < krzee> xs7, what do you want from an openvpn gui?
03:29 < simplechat> its probably not in kde
03:30 < xs7> let me explain, I need to get around my ISP who blocks some of the sites for political and religious reasons
03:30 < krzee> and how would a gui help that?
03:30 < xs7> so I need a vpn connection to somewhere where I can browse the web !!
03:31 < xs7> krzee: how would I activate the vpn and use it anyway ?
03:31 < krzee> well, if you wanted a single click solution...
03:32 < krzee> you could make a shell script which simply is a 1 liner that runs openvpn
03:32 < krzee> then make it a clickable script
03:32 < krzee> and put it on the desktop
03:32 < krzee> you click it, vpn starts, close the window, it closes
03:32 < krzee> since thats all a gui could do, it led me to ask exactly what you would want from a gui
03:32 < krzee> thats what i do in osx even tho there IS a gui available
03:32 < krzee> using the gui just never made sense to me
03:33 * krzee heads back to the movie
03:35 < xs7> krzee: I need a clickable solution as you said to make it easy for me
03:35 < krzee> welp, thats how
03:36 < xs7> krzee: how would I use vpn for certain activities ie accessing the web without making it active and directed to certain vpn server
03:36 < krzee> you lost me at: "without making it active and directed to certain vpn server"
03:37 < xs7> krzee: how can I start using vpn ?
03:37 < krzee> are you saying "how do i run openvpn?"
03:37 < xs7> krzee: yes
03:37 < krzee> wow
03:37 < krzee> read the docs
03:37 < krzee> !howto
03:38 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:38 < krzee> !sample
03:38 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:38 < krzee> !def1
03:38 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:38 < krzee> !nat
03:38 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
03:38 < krzee> thats everything you need to know
03:38 < krzee> if you do the reading
03:41 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
03:43 < reiffert> I'd start using the howto.
03:43 < krzee> i agree
03:43 < krzee> use the order i provided
03:43 < krzee> the order was no accident
03:46 < reiffert> .oO Howto looks too complicated, I use the next link
03:47 < krzee> lol
03:47 < krzee> reiffert, the people who say that might as well go do something else... vpns are advanced networking
03:48 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
03:48 < krzee> but ya, sadly thats so common
03:48 < kaii> nice topic, hehe :)
03:49 < reiffert> krzee: Windows got some nice one click solutions ...
03:49 < Jason404> would openvpn make connections like RDP any slower, compared to direct connection?
03:49 < krzee> yes
03:49 < krzee> but not from openvpn
03:49 < krzee> from the fact you're on the inet
03:49 < Jason404> ??
03:49 < krzee> vs direct connection
03:50 < Jason404> i meant direct as in without vpn, with RDP port forwarded
03:50 < kaii> shortly after a "TLS: soft reset" (which is re-keying, happening every hour per connection) i get the "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"
03:50 < Jason404> i did not mean direct as in LAN kreg
03:50 < Jason404> oops krzee
03:51 < reiffert> krzee: well actually the one click windows solution worked so well, it made me switch to openvpn :)
03:51 < krzee> well no, it wont be much different then
03:51 < Jason404> Hamachi?
03:51 < krzee> reiffert, lol
03:51 < Jason404> really, same speed??
03:51 < Jason404> cool
03:51 < krzee> reiffert, i click a shell script, it runs in a window
03:51 < krzee> i close the window, closes the connection
03:51 < krzee> how much more 1 click does it get?
03:52 < krzee> i forget exactly how to make the clickable script in X, but in osX you just name the script .command
03:52 < krzee> like openvpn.comman
03:52 < krzee> d
03:52 < reiffert> krzee: it's the 3 millions clicks before it starts running
03:53 < reiffert> krzee: not for me, but it looks as for the guy who was asking
03:54 < krzee> werd
03:54 < krzee> to me its just like..
03:54 < krzee> a gui to start and stop a program
03:54 < krzee> bleh
03:54 < reiffert> same here, copy config from host a to b, adjust a line, done
03:54 < krzee> gui should be for stuff where you need options, no?
03:54 < krzee> like what would you even make that gui look like?
03:55 < krzee> design the look for that one, lol
03:55 < reiffert> krzee: look, I totally agree to your position. I run fvwm2 with no clickable icon on the screen.
03:55 < krzee> yup, my only box running X runs hackedbox
03:55 < krzee> the lightest X i could find
03:55 < krzee> with just 2 terminal windows and some stats
03:56 < reiffert> I stopped somewhere between comfortable and fast, twm has had chances .. years ago.
03:57 < reiffert> Someone told me to have a look on Ion ..
03:57 < krzee> dunno what that is but if its cool tell me about it sometime
03:57 < krzee> im headed back to my movie
03:57 < krzee> bluerayrips for the win
04:00 < reiffert> some porn I guess :)
04:03 < reiffert> Ah, Fbsd 7.1 came out tonight .. so unixporn on blueray
04:04 < krzee> ooo
04:04 < krzee> ill hafta update the box after watching mission impossible 2
04:04 < krzee> (sorry, not porn)
04:04 < krzee> im only still here cause i had to get a link for someone
04:04 < krzee> http://best.online.docus.googlepages.com/
04:04 < vpnHelper> Title: best.online.docus - Best Online Documentaries (at best.online.docus.googlepages.com)
04:04 < krzee> you may like it to
04:04 < krzee> too
04:05 < krzee> grabbed it for him for this:
04:05 < krzee> [06:05] technology - other - missing secrets of nikola tesla
04:06 < reiffert> Last one I saw was "bbc - planet earth"
04:06 < krzee> LOVE THAT
04:06 < krzee> i have that HDrip here
04:06 < krzee> RULES
04:06 < krzee> shit im still here
04:07 < reiffert> Ow, online!
04:07 * krzee puts down the laptop
04:08 < reiffert> good luck :)
04:18 -!- xs7 [n=xs7@84.255.188.196] has quit ["Leaving"]
04:31 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn
04:37 -!- stefanlsd [n=stefan@ubuntu/member/stefanlsd] has joined ##openvpn
04:38 < stefanlsd> Hi. Would anyone be able to point me in the right direction with openssl. I have followed the openvpn howto from the wiki. The certificates were valid for 365 days, and I would like to renew them. The command I have requires the CA's private key (.pem) - which I dont seem to have (although i must somewhere) - any ideas?
04:53 < reiffert> The ca private key is named ca.key
04:54 < kaii> stefanlsd: there is no way to re-sign (re-new) your certificates without the CA's private key (ca.key)
04:54 < reiffert> When referring to the howto, did you mean
04:54 < reiffert> !howto
04:54 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:54 < reiffert> ?
04:54 < kaii> stefanlsd: only other option is to create a new CA and new keys/certificates for your clients (a complete new set)
04:55 < stefanlsd> reiffert: yeah. i was using that howto to gen the keys the first time.
04:55 < stefanlsd> reiffert, kaii - i do have the ca.key file...
04:55 < stefanlsd> im using this command to try renew
04:56 < stefanlsd> openssl ca -extensions client_cert -cert ca.key -keyfile server.key -out server.crt -days 365 -infiles server.csr
04:56 < stefanlsd> i did gen a new csr
04:57 < kaii> you dont need -keyfile server.key if you already have a CSR
04:59 < stefanlsd> kaii: aah. k. thanks. seems to be working better now. if i can just remember the passphrase i'll be set
05:02 < reiffert> Try the empty password.
05:03 < stefanlsd> Enter pass phrase for ./demoCA/private/cakey.pem:
05:03 < stefanlsd> 3349:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
05:03 < stefanlsd> is this asking for the right key?
05:03 < stefanlsd> this isnt my pem im guessing... (or does openssl just use this one by default)?
05:03 < reiffert> have a look into your openssl.cnf file
05:06 < stefanlsd> reiffert: yeah. openssl.cnf points there... isnt ca.key the private key it should be using?
05:07 < reiffert> I'd hand the openssl.cnf file to the openssl command. The openssl.cnf file that you were using when following the howto.
05:09 < stefanlsd> yeah. i think i just ran ./build-ca (i suspect it would have used /etc/openssl.cnf)
05:10 < stefanlsd> reiffert: ooh. that uses pkitool which uses the openssl.cnf in the easy-rsa dir
05:27 < stefanlsd> last one - :Expecting: TRUSTED CERTIFICATE. failing this, im just gonna redo it. hopefully with some more understanding of what im doing
05:44 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit [Read error: 110 (Connection timed out)]
06:01 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
06:04 -!- mepholic [n=mepholic@209.17.190.90] has quit [Read error: 60 (Operation timed out)]
06:09 < krzee> !learn ask as http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
06:09 < vpnHelper> krzee: Joo got it.
06:10 < reiffert> krzee: short night eh? :p
06:10 < krzee> haha
06:10 < krzee> just finished tonights movie
06:10 < krzee> gunna pass out soon since its 8am
06:10 < krzee> hows the snow treatin ya?
06:11 < reiffert> http://www.taunus.info/de/neues/webcam/
06:11 < vpnHelper> Title: www.taunus.info: Webcam (at www.taunus.info)
06:11 < reiffert> Press Zoom
06:11 < krzee> damn
06:11 < krzee> serious snow
06:11 < krzee> go out ans wave to the cam
06:12 < krzee> s/ans/and/
06:13 < reiffert> That webcam's sitting on the highest mountain around ... love to ride my bike there in summer
06:14 < reiffert> still looking for a webcam next to me
06:15 < reiffert> http://biebrich.fuhs.de/rheincam.shtml
06:15 < vpnHelper> Title: Biebrich am Rhein - RheinCam Webcam - Foto-CD Reihe von Howard Fuhs (at biebrich.fuhs.de)
06:15 < reiffert> http://www.hr-online.de/website/fernsehen/sendungen/webcam_popup.jsp?number=3
06:16 < vpnHelper> Title: hr-online: Webcam (at www.hr-online.de)
06:32 < stefanlsd> i gave up btw. just redid the keys
06:32 < krzee> you use *nix stefanlsd ?
06:32 < stefanlsd> krzee: yeah
06:32 < krzee> check out ssl-admin and you should be able to avoid that in the future
06:33 < krzee> !ssl-admin
06:33 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
06:33 < krzee> it may be in gentoo now too
06:33 < krzee> it was submitted awhile back to portage
06:34 < stefanlsd> krzee: mm. using ubuntu. dont see it in my repo. i can probably work on getting it into universe if u like...
06:34 < krzee> check it out from svn
06:35 < krzee> if it works good, that would be cool
06:35 < stefanlsd> yeah. option 6 is exactly what i wanted :)
06:35 < krzee> if it does not, let me know
06:35 < stefanlsd> krzee: kk. thanks. will check it out
06:35 < krzee> i did the porting of the install to linux, i did a crappy job (used a ./configure script instead of a proper Makefile) but it should work nicely
06:36 < krzee> right on =]
06:36 < krzee> oh and if im not here let ecrist know, hes the real author
06:37 < krzee> we both use freebsd but i like his tool so much i figured it would be cool to wrap up an install for the linux folks
06:37 < krzee> since theres more of you guys and all ;)
06:37 < reiffert> any webcam from your place around?
06:37 < krzee> reiffert, nah man im just glad theres actually internet here
06:37 < krzee> but its a sunny morning
06:37 < reiffert> stefanlsd: so some debian maintainer has to catch it first so it finally makes it into ubuntu, eh? :p
06:38 < reiffert> krzee: gimme a google maps of your place
06:38 < krzee> oh i didnt catch your spoof, you're a member of the ubuntu team
06:38 < krzee> coolness
06:38 < krzee> google hasnt mapped my area
06:38 < krzee> at all
06:38 < stefanlsd> reiffert: heh. we could get it into ubuntu first via revu.ubuntuwire.com
06:39 < stefanlsd> but actually yeah, preferred is it goes into debian first
06:39 < reiffert> krzee: just do it
06:39 < krzee> do what? map out the island for google?
06:40 < reiffert> yeah
06:40 < krzee> hah
06:40 < reiffert> So I can fetch a webcam for myself then
06:40 < krzee> if you have skype i can put my cam out the window for ya
06:40 < krzee> but ill hafta put on pants first
06:41 < krzee> bleh, after a reboot that is
06:41 < krzee> my macbook likes to pretend it doesnt have a webcam anymore
06:41 < reiffert> no skype around
06:42 < krzee> convince me sometime that isnt 9am and ill use my sony cam to vid outside for ya
06:42 < krzee> and avi it up
06:42 < reiffert> :)
06:42 < krzee> 9am + no sleep = not getting up for that
06:42 < reiffert> I guess any day will do for your weather, eh?
06:42 < krzee> basically
06:42 < krzee> this is tourist season
06:42 < krzee> middle of summer is known to have some hurricanes
06:43 < krzee> but from now til like late march is sweet
06:43 < reiffert> Ah, that sounds more like smth for me
06:43 < krzee> in feb im heading down to brazil / peru... it'll be the middle of summer there
06:43 < krzee> one day ill be a seasonal bum
06:43 < krzee> moving with the summer
06:44 < krzee> (maybe not bum, but yanno what i mean)
06:45 < reiffert> crazy man
06:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:51 < krzee> !random
06:51 < vpnHelper> krzee: "tcp": Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html; "tls-verify": seems to be broken in 2.1rc9 and working in 2.1rc8 https://bugzilla.redhat.com/show_bug.cgi?id=458600; "iporder": OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-
06:51 < vpnHelper> krzee: connect script generated file for static IP (first choice).
06:52 < krzee> heh random is going 2 at a time
06:52 < krzee> my bot takes after me ;]
06:52 < krzee> !ask
06:52 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
06:55 < krzee> (stealing that factoid for a new bot i made for another channel)
06:56 < krzee> !search bsd
06:56 < vpnHelper> krzee: There were no matching configuration variables.
07:02 < krzee> !factoids search --regexp m/^bsd/
07:02 < vpnHelper> krzee: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
07:02 < krzee> hehe cool
07:12 < ecrist> good morning, folks
07:12 < krzee> mornin ecrist
07:12 < krzee> stefanlsd is checking out ssl-admin and if it loads up fine on his ubuntu hes gunna submit it to their package system
07:12 < ecrist> sweet
07:13 < krzee> yup
07:13 < krzee> seems had he been using it from the start he could have avoided the problem he ran into (option 6)
07:19 < ecrist> what is option 6?
07:19 < krzee> he wanted to renew his certs which expired after his 365 days
07:20 < krzee> i think he may have been missing his ca.key or something
07:20 < krzee> i came in too late
07:20 < krzee> he decided to generate new certs by the time i came in, which is how he learned of ssl-admin
07:21 < ecrist> ah
07:21 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
07:21 < ecrist> renewing/resigning is not much different from creating new, anyways. simply the benefit of not needing to generate the CSR/key pair is all.
07:24 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 60 (Operation timed out)]
07:28 < stefanlsd> ecrist: after resigning (like renew) - do u still need to copy the keys to the client?
07:28 < krzee> yes
07:28 < krzee> err no not the keys
07:29 < ecrist> not the keys, but the certificates, yes
07:29 < krzee> in fact the keys dont ever need to leave the client
07:29 < krzee> but the certs
07:29 < krzee> its entirely possible for a client to make a key / csr themselves
07:29 < stefanlsd> mm. k. wanted to avoid having to copy anything to clients. (laptops running around)
07:29 < krzee> then they send you the csr, you sign it and give them the cert
07:29 < ecrist> in reality, that should be done by the client, but it's not practical for a VPN setup
07:30 < stefanlsd> yeah. i got lots of non technical users
07:30 < ecrist> stefanlsd: use CRLs and give your keys a 3650 day expiry
07:30 < ecrist> that way, you're only renewing every 10 years.
07:30 < stefanlsd> so then i would just publish keys i want to revoke.
07:30 < ecrist> and you can still revoke old/bad/lost certificates.
07:31 < krzee> agreed
07:32 < krzee> early expiration is useful for temps or consultants (if you dont feel like adding them all to the CRL)
07:32 < stefanlsd> kk. thanks. will look into it
07:32 < krzee> but otherwise a nice long expiration date is useful
07:41 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:59 -!- geaaru [n=geaaru@host34-217-dynamic.1-79-r.retail.telecomitalia.it] has joined ##openvpn
08:00 < geaaru> how can i drop by client side push with default gw param when i connect to a vpn server?
08:00 < geaaru> thanks in advance
08:06 < ecrist> sure
08:06 < ecrist> your server needs to have proper support for it, though (NAT/routing)
08:08 < krzee> !def1
08:08 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:08 < krzee> !nat
08:08 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
08:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:25 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
08:30 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
08:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
08:37 < c64zottel> what could cause a running connection to abort suddenly? i can see how the connection gets established, making an ssh connection, and watch just: watch ls
08:38 < c64zottel> is it for functioning necessary to use time-synchronisation?
08:39 < c64zottel> the fw on the openvpn server, doesn't respond pings, may that be the problem?
08:39 * ecrist reads
08:40 < c64zottel> http://pastebin.com/m584afd10
08:40 < ecrist> so, you're able to connect, but the session is terminated at some point?
08:40 < c64zottel> this is the output with verb 3
08:40 < c64zottel> ecrist: jepp
08:41 < c64zottel> maybe, one minute later
08:41 < ecrist> tcp or upd?
08:41 < ecrist> udp
08:41 < c64zottel> udp
08:41 < c64zottel> http://pastebin.com/m775410e1
08:42 < c64zottel> the client config
08:42 < c64zottel> can it be caused by the router?
08:42 < c64zottel> i forwarded 1194
08:45 < ecrist> what's your keepalive on your server config?
08:45 < c64zottel> i guess the default
08:46 < ecrist> don't guess, please
08:46 < c64zottel> ok
08:46 < c64zottel> i try to find out
08:47 < c64zottel> be back in a min.
08:49 < c64zottel> ok
08:49 < c64zottel> http://pastebin.com/m46dd44fa
08:49 < c64zottel> eepalive 10 60
08:50 < c64zottel> is that the problem?
08:51 < ecrist> try 10 120
08:51 < c64zottel> ok
08:54 < geaaru> i'm back... but --redirect-gateway is a flag for server side?
08:56 < ecrist> generally, yes
08:56 < geaaru> ah ok, because i want to leave the redirect-gateway flag on server side ... but from the client i want to ignore the command. how can i do that?
08:57 < ecrist> I don't know of an ignoring command.
08:57 < geaaru> :'( however, thanks for reply
08:58 < ecrist> you could have an up script which deletes the 0.0.0.0/1 route
08:59 < geaaru> ah ok...
09:02 < geaaru> thank you very much
09:08 < ecrist> np
09:10 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
09:11 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
09:11 < c64zottel> changed nothing
09:11 < c64zottel> i tried also 600 1200
09:12 < c64zottel> and restarted via /etc/init.d/openvpn restart
09:12 < c64zottel> but, is it a normal icmp ping? because the server drops ping
09:30 -!- stefanlsd [n=stefan@ubuntu/member/stefanlsd] has quit ["Leaving"]
09:43 < geaaru> i tried to insert up command on my conf file but i have this error:
09:43 < geaaru> openvpn_execve: external program may not be called due to setting of --script-security level
09:43 < geaaru> Mon Jan 5 16:25:46 2009 script failed: external program fork failed
09:58 < dvl> geaaru: what's the output of ls -l of that script?
09:58 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["GG. X_X"]
09:59 < geaaru> maybe i have understood ... i need to add to the openvpn command line the param --script-security 2
09:59 < geaaru> (script is executable however :) )
10:05 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
10:07 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 60 (Operation timed out)]
10:08 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn
10:17 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 60 (Operation timed out)]
10:18 < geaaru> and i also found that i must use the route-up command to rewrite routing rules, because the up command is called before the routing commands from the server vpn rules
10:18 < geaaru> thanks to all for the support
10:22 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
10:22 < plaerzen> morning irc
10:27 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn
10:46 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 110 (Connection timed out)]
11:01 < ecrist> good morning plaerzen
11:07 < plaerzen> hey ecris
11:07 < plaerzen> ecrist,
11:07 < plaerzen> hi
11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:04 < plaerzen> ecrist, how was your christmas / new year ?
12:18 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:33 < ecrist> plaerzen: good. went to a nice little new years party - we played some rock band and drank a lot.
12:33 < ecrist> you?
12:34 < plaerzen> amazing, some old friends from school came down to visit and we didn't drink that much - but we did other things.
12:34 < plaerzen> partied, etc.
12:35 < plaerzen> Re-united with this girl I used to date (to the climbing gym.... we both rock climb) a while back and went for ethiopian this past weekend.
12:35 < plaerzen> (she actually works there)
12:35 < plaerzen> (the gym)
12:35 < plaerzen> overall, amazing 2 weeks.
12:42 < ecrist> cool 12:56 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn 13:52 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 13:56 -!- acidchild [i=ash@208.92.235.204] has joined ##openvpn 13:56 < acidchild> root@dubstep:~# openvpn /etc/openvpn/openvpn.conf 13:56 < acidchild> File size limit exceeded 13:56 < acidchild> root@dubstep:~# 13:56 < acidchild> my OpenVPN just started doing this :-( 13:57 < acidchild> worked fine before the reboot, i raised the file limit using ulimit to 4096 from 1024. still no luck. 13:57 < acidchild> very little on Google :-( 13:58 < acidchild> OpenVPN 2.0.9 i486-slackware-linux [SSL] [LZO] [EPOLL] built on Jun 11 2007 14:03 < acidchild> I've worked it out, thank you, my log file was full :-) 14:03 < ecrist> was going to say - check your log file. 14:03 < ecrist> ;) 14:04 * acidchild sets up a log rotation. 14:04 < acidchild> open("/var/log/openvpn.log", O_WRONLY|O_CREAT|O_APPEND, 0600) = 4 14:04 < acidchild> open("/etc/localtime", O_RDONLY) = 3 14:04 < acidchild> --- SIGXFSZ (File size limit exceeded) @ 0 (0) --- 14:04 < acidchild> that gave it away :-P 14:09 < acidchild> ecrist: lol turning down the verbos level might help :P 14:09 < acidchild> root@dubstep:/etc/openvpn# cat /var/log/openvpn.log |wc -l 14:09 < acidchild> 48728 14:09 < acidchild> since i deleted it two minutes ago 14:17 < ecrist> a little? 
14:21 < acidchild> just a lil bit :-P
14:28 -!- mRCUTEO [n=info@124.82.101.3] has joined ##openvpn
14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
14:44 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn
14:45 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has quit [Connection timed out]
14:53 -!- mRCUTEO [n=info@124.82.101.3] has quit []
14:53 -!- hiptobecubic [n=john@c-68-56-141-130.hsd1.fl.comcast.net] has joined ##openvpn
15:02 -!- acidchild [i=ash@208.92.235.204] has quit ["BRB"]
15:16 < Keizer> Anyone here use OpenVPN on OpenBSD?
15:17 < Keizer> crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
15:32 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has joined ##openvpn
15:34 < Plecebo> I have openvpn server installed on my Windows Server box and I am able to connect via Terminal Services Client on my Ubuntu box. The trouble is that the connection only lasts for 30 seconds or so before it stops and I have to disconnect/reconnect. Any ideas where to start troubleshooting or what the problem might be?
15:38 < xattack> openvpn on openbsd here!
15:45 < Plecebo> would I be better off setting up openvpn on my ubuntu firewall then remoting into the server for admin duties?
15:47 -!- xattack [i=xattack@132.248.108.239] has quit []
16:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
16:32 < krzie> Anyone here use OpenVPN on OpenBSD?
16:32 < krzie> it shouldnt really be diff than openvpn on other os, whats the problem...
17:07 * ecrist thinks someone's building an IPSEC tunnel on Cisco hardware
17:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:44 -!- geaaru [n=geaaru@host34-217-dynamic.1-79-r.retail.telecomitalia.it] has quit ["Leaving"]
18:11 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
18:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
18:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
18:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
19:21 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection]
20:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
20:36 -!- Solver [n=robert@CPE00a0c96b79ba-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit ["Lost terminal"]
21:17 < krzie> http://msdn.microsoft.com/en-us/library/ms972827.aspx
21:17 < krzie> look at the referenced directory in one of the dialog boxes
21:17 < krzie> lol
21:17 < vpnHelper> Title: Browsing the Web and Reading E-mail Safely as an Administrator (at msdn.microsoft.com)
21:31 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn
22:37 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has quit [Remote closed the connection]
22:54 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has joined ##openvpn
22:55 < Plecebo> when you are connected to a server do you need to use a special code to close the connection?
22:57 < krzee> no, you just close the openvpn process
22:57 < krzee> trust me, it will disconnect
22:57 < krzee> hehe
22:57 < Plecebo> LOL well that is good to know
22:58 < Plecebo> if I do that and attempt to re-connect it will not let me...
any reason you can think of why
22:58 < krzee> persist-tun
22:58 < krzee> persist-key
22:58 < krzee> something like that maybe
22:58 < krzee> something like that maybe
22:58 < Plecebo> it tries to connect, and it doesn't give an error but it gets part of the way and just sits there
22:58 < krzee> !sample
22:58 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
22:58 < krzee> check those out
22:59 < reiffert> resolv.conf
22:59 < reiffert> and moin
23:00 < Plecebo> I do have the persist options present in my config, and server I think (cant actually connect at the moment)
23:00 < reiffert> Plecebo: change the remote host line into remote ip and try again
23:00 < krzee> moin reif
23:01 < Plecebo> reiffert: ok i'll give that a try
23:01 < reiffert> YAJ! -22 C
23:02 < reiffert> (-7.6 F)
23:05 < Plecebo> putting the IP in the config gives the same result :( Here is the output from my client http://pastebin.com/m40a627c8
23:07 < reiffert> increase verbosity to level 6
23:10 < Plecebo> here it is at verbosity 6 http://pastebin.com/m5682c3c1
23:12 < reiffert> beats me, never seen that
23:13 < Plecebo> LOL OK
23:13 < Plecebo> well thanks for trying :)
23:16 < krzee> show server log
23:20 < reiffert> ah, is it still alive?
23:20 < reiffert> I'm still sleeping ...
23:28 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn
--- Day changed Tue Jan 06 2009
00:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
01:46 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
01:58 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
02:08 -!- gfather [n=user@94.249.23.94] has joined ##openvpn
02:08 < gfather> hello guys
02:19 < gfather> krzee , hey man , can you send me your page about routing ?
02:20 < gfather> can you send me your url about routing
02:29 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn
02:58 -!- gfather is now known as gfather[a]
03:47 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit ["Leaving"]
04:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
04:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:44 < krzee> gfather[a], just type !route
04:45 < krzee> (as seen in the topic)
04:45 < gfather[a]> !route
04:45 < vpnHelper> gfather[a]: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:45 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
04:45 < gfather[a]> thanks ;)
04:46 < krzee> np =]
04:47 -!- hiptobecubic [n=john@c-68-56-141-130.hsd1.fl.comcast.net] has quit [Read error: 110 (Connection timed out)]
04:52 < gfather[a]> krzee one thing i dont understand is the iroute
04:52 < gfather[a]> should i do iroute for every client ?
04:54 < gfather[a]> ah or only the client should tell whats the lan behind him with iroute
04:54 < gfather[a]> right
05:34 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
05:40 < krzee> !iroute
05:40 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry.
Also see !route and !ccd
06:02 < gfather[a]> cools .,
06:02 < gfather[a]> ill do some testing and stuff :)
06:03 < gfather[a]> make sure i understand every thing ,
06:03 < gfather[a]> and by the way , the pic is very good for explaining
06:04 < krzee> thx =]
06:05 < gfather[a]> :D
06:08 < gfather[a]> krzee how is stuff gonna work with ipv6 and that nat is gonna be gone ?
06:09 < krzee> that wouldnt change anything other than no nat
06:09 < gfather[a]> lool
06:09 < gfather[a]> so is the latest build of openvpn compatible with ipv6
06:10 < krzee> no
06:10 < gfather[a]> i see
07:10 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
07:11 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
07:12 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
07:31 < ecrist> good morning, folks
07:37 < gfather[a]> hello ecrist
07:38 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn
07:40 < disposable> i've installed openvpn on a linux server and two windows clients. i can ping the server from each client, each client from the server but a client cannot ping the other one. i don't seem to have any errors in logs. what am i missing?
07:45 < disposable> this is how my server is configured http://pastebin.com/d1a1b8bb
07:58 < disposable> !route
07:58 < vpnHelper> disposable: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
07:58 < disposable> !menu
07:58 < vpnHelper> disposable: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
07:58 -!- Tykling [i=tykling@gibfest.dk] has quit [Read error: 110 (Connection timed out)]
08:04 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:16 < ecrist> disposable: do you have client-to-client enabled in your config?
08:17 < disposable> ecrist: i was just about to try that :) from the !route hint
08:19 < disposable> and now it works :)
08:21 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
08:21 < nardul> oi
08:22 < nardul> Does anyone know anything about openvpn-gui under windows? I'm trying to start it as a service, but i can't make it start the connections.
08:24 < tjz> it is an application used to connect to your vpn server
08:25 < disposable> nardul: i am testing it at the moment.
08:25 < nardul> disposable, Thanks. I can't seem to make it run. It's a virtual machine running some backup stuff. And i want it to run without logging in.
08:26 < disposable> control panel, admin tools, services, openvpn - rightclick and make it start automatically. that's what i did
08:27 < nardul> disposable, But the tunnel doesn't start. At least i can't make it.
08:27 < ecrist> nardul: do you have the config and certificates?
08:27 < disposable> it takes windows a minute or so to initialise the LANs if you don't log in. what does your log say? (use pastebin)
08:27 < nardul> Yers
08:27 -!- gfather[a] [n=user@94.249.23.94] has quit [Read error: 110 (Connection timed out)]
08:27 < nardul> yes*
08:28 < disposable> check the server's log as well to see if it's even trying to communicate
08:28 < nardul> disposable, Checking
08:31 < nardul> This is a windows server 2003, i don't know if that matters.
08:31 < nardul> Anyways i can't check right now, my boss wants it to work _right now_
08:31 < nardul> So i'll just run it manually until i have time to check
08:31 * nardul curses
08:32 < disposable> :)
08:32 < disposable> wow you have a benevolent boss... mine wants things to work yesterday
08:34 < nardul> I have about a 1000 things running at once.
08:34 < nardul> It's awesome (frowney face)
08:34 < nardul> It would be sooo much easier with ini scripts.
08:34 < nardul> inint*
08:34 < nardul> init*
09:08 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn
09:08 < chairuou> !route
09:08 < vpnHelper> chairuou: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:09 < chairuou> !menu
09:09 < vpnHelper> chairuou: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
09:09 < chairuou> !menu *
09:09 < vpnHelper> chairuou: Error: "menu" is not a valid command.
09:09 < chairuou> !menu search *
09:09 < vpnHelper> chairuou: Error: "menu" is not a valid command.
09:14 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
09:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:41 < ropetin> !factoids search *
09:41 < vpnHelper> ropetin: More than 100 keys matched that query; please narrow your query.
09:41 < ropetin> try that chairuou
09:41 < chairuou> ropetin, thanks
09:42 < chairuou> !factoids search revoke client certificate
09:42 < vpnHelper> chairuou: No keys matched that query.
09:42 < chairuou> !factoids search revoke
09:42 < vpnHelper> chairuou: No keys matched that query.
09:59 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
10:00 < mRCUTEO> hiya all
10:00 < mRCUTEO> hiya kreg
10:00 < mRCUTEO> kreg
10:00 < mRCUTEO> hiya krzee
10:00 < mRCUTEO> :P
10:03 -!- mRCUTEO [n=info@96.9.131.183] has quit [Client Quit]
10:06 < ecrist> chairuou: you need a CRL
10:06 < ecrist> that can be done with openssl, through easy-rsa or the more elite ssl-admin
10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
10:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
10:09 < chairuou> ecrist, can you explain more
10:13 < ecrist> you need to use openssl to generate a CRL with the revoked certificates
10:13 < ecrist> read the howto - I believe it's mentioned in there.
10:15 < chairuou> ah ok
10:15 < chairuou> got the point
10:16 < chairuou> thanks
10:30 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["I want to sleep."]
11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:04 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has joined ##openvpn
12:05 < Max007> !route
12:05 < vpnHelper> Max007: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:05 < Max007> Hi can someone help me with this problem: http://ubuntuforums.org/showthread.php?p=6504733#post6504733
12:05 < vpnHelper> Title: [ubuntu] Problem with OpenVPN / Route - Ubuntu Forums (at ubuntuforums.org)
12:09 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit [Read error: 110 (Connection timed out)]
12:23 < Max007> no one ? :(
12:32 < dvl> Max007: yes. Exactly. We all hate Ubuntu. ;)
12:33 < dvl> sounds like firewall rules not letting in the ping or the reply, or both. That's my guess without looking at it closely.
12:45 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:31 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
13:37 -!- rorx [n=rory@cypher.TrueStep.com] has joined ##openvpn
13:37 < rorx> is it possible for VPN clients to talk to each other when the server uses a multiclient tun setup?
13:38 < rorx> !menu
13:38 < vpnHelper> rorx: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
13:39 < rorx> !route
13:39 < vpnHelper> rorx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:42 < ecrist> rorx: yes
13:44 < rorx> ecrist: hmm, should it do it by default, or is that a question of additional routing? I noticed that the client was not routing the request for a fellow VPN client through the VPN interface, so I manually added a network route of the network which all the VPN clients use, and I can see the request getting to the server's tun0 interface, but no response.. so I think I either need to add more routes on the server or the VPN server config needs some changes?
13:46 < rorx> for example, the server does not have a network route for the network that the VPN clients use, so maybe that's what I'm missing? I just see a host route to one of the addresses in the tun0 interface.
13:47 < rorx> so far I've only been using this VPN setup to allow VPN clients to reach a LAN that the VPN server is attached to, and that works fine. Even LAN nodes can reach any VPN client.. and now I have a reason to try and connect to another VPN client instead, and that's what's failing.
13:52 < ecrist> client-to-client
13:52 < ecrist> in your config
13:52 < ecrist> it's in the howto
13:52 < rorx> ecrist: ah, I see, so by default it doesn't allow this eh?
13:53 < rorx> thank you.
13:53 < rorx> indeed, that seems to be the case.
13:55 < ecrist> it's in the howto and man pages.
13:56 < rorx> sure is, I missed it earlier.
14:00 -!- Determinist_ [n=lior@unaffiliated/determinist] has joined ##openvpn
14:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:11 -!- Determinist_ [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
14:28 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has quit ["leaving"]
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:40 -!- xattack [i=xattack@132.248.108.239] has quit []
15:00 < Keizer> Does anyone know if there is a document on how to create a subnet to subnet vpn tunnel on OpenBSD
15:06 < ecrist> !route
15:06 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:07 < ecrist> Keizer: ^^^^
15:09 < Keizer> I looked at that doc
15:09 < Keizer> I need the getting started doc
15:10 < Keizer> I looked at that page
15:10 < Keizer> I'm trying to find the one that tells me to setup the Key Infrastructure
15:11 < Keizer> And I don't have iroute on OpenBSD
15:14 < reiffert> !howto
15:14 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:15 < dvl> probably safe for most work places: http://www.cbsnews.com/video/watch/?id=4632991n
15:15 < vpnHelper> Title: A Meal To Die For Video - CBSNews.com (at www.cbsnews.com)
15:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
15:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
15:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:01 < ecrist> oh
16:01 < ecrist> !freebsd
16:01 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
16:10 < ecrist> I want that restaurant here.
16:10 < ecrist> Keizer: ^^^^
16:13 < Keizer> !openbsd
16:13 < vpnHelper> Keizer: Error: "openbsd" is not a valid command.
16:35 < ecrist> Keizer: read the freebsd page, it should apply to openbsd
16:40 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
16:41 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
16:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
17:09 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
17:12 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:21 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out]
17:46 < dvl> Anything on the website /etc about the rash of idiocy regarding MD5 collisions and certificates?
18:02 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
18:36 < krzie> idiocy?
18:40 < dvl> krzie : people over-reacting, wondering how to protect themselves, what to do, without really understanding the attack.
18:40 < krzie> ahh
18:40 < dvl> It's still pretty damn hard to achieve, if not impossible.
18:40 < krzie> nope nothing that i know of on the site
18:41 < krzie> thats true, even the people who did it with a huge cluster of game systems said it takes them like 6 months
18:41 < dvl> Might help doubters understand the possible risks with OpenVPN.
18:41 < dvl> Using a private CA, I can't see any attack vector.
18:41 < krzie> and targeting a vpn would be insane cause you need to target the CA
18:42 < dvl> Easier to send in a burglar to steal the computer.
18:42 < krzie> lol, much easier
19:49 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:39 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn
20:39 * tjz swim in
22:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
22:13 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
--- Day changed Wed Jan 07 2009
00:06 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
00:07 < muh2000> hi
00:07 < muh2000> :( @ "openvpn[5978]: ******* WARNING *******: '(null)' is a known vulnerable key. See 'man openvpn-vulnkey' for details."
00:07 < muh2000> but i checked the keys with openvpn-vulnkey and it said all fine.
02:02 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:33 < simplechat> hey
02:33 < simplechat> any bsd users around?
02:33 < simplechat> muh2000, i'd regen
02:33 < simplechat> to be saf
02:33 < simplechat> *safe
02:34 < muh2000> hmmm ok. :)
02:35 < reiffert> simplechat: plenty of bsd users here.
02:35 < simplechat> reiffert, any with any advice as to how to install openvpn on a bsd?
02:36 < simplechat> atm i have a natted bsd host and i'd like to join it onto an existing openvpn net
02:36 < reiffert> !howto
02:36 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:36 < simplechat> does it have one for the bsds?
02:36 < reiffert> yep.
02:36 < simplechat> also any advice you'd give for an openbsd user?
02:37 < reiffert> such as?
02:37 < simplechat> i don't know, tutorials that will fail
02:38 < simplechat> things to watch out for, common mistakes & that
02:38 < simplechat> things that might trip up a noob
02:38 < reiffert> You seem to refuse the help I was giving you, so why should I help you any further?
02:38 < simplechat> explain?
02:38 < simplechat> i'm reading through that tutorial now
02:39 < simplechat> i was just wondering if there was anything else i should look out for
02:50 < simplechat> reiffert, not to sound too much like a noob, but after installing openvpn 2.1 there is no /etc/openvpn directory. Shouldn't there be one?
03:10 < muh2000> open vpn doc is one of the better docs for oss.
(for a basic working setup)
03:50 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn
04:49 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit ["Leaving"]
05:25 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: rorx, disco-, jabular, dogmeat, cj
05:26 -!- rorx [n=rory@cypher.TrueStep.com] has joined ##openvpn
05:26 -!- Netsplit over, joins: cj
05:26 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
05:26 -!- Netsplit over, joins: jabular, disco-
05:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
06:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:42 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
06:42 < jrgp> is it possible to tunnel windows filesharing through openvpn?
07:16 < cpm> http://openssl.org/news/secadv_20090107.txt
07:27 < reiffert> jrgp: yes.
07:28 < simplechat> jrgp, yep
07:28 < simplechat> just make sure that you allow port 139 through your vpn
07:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
07:30 -!- dazo [n=dazo@nat/redhat/x-ce30629ea8d73e82] has joined ##openvpn
07:31 < reiffert> simplechat is on BSD and wonders why there is no /etc/openvpn instead of /usr/local/etc/openvpn? sigh.
07:31 < reiffert> How fast did I learn, lemme estimate, within the first 30 seconds?
07:31 < ecrist> lol
07:33 < ecrist> msg chanserv help set
07:33 < ecrist> grr
07:33 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
07:34 -!- mode/##openvpn [+o ecrist] by ChanServ
07:35 -!- ecrist changed the topic of ##openvpn to: Potential server verification exploit. See http://openssl.org/news/secadv_20090107.txt for more information. || HowTo: http://openvpn.net/howto
07:35 -!- mode/##openvpn [-o ecrist] by ecrist
07:45 < dazo> anyone know if OpenVPN really is vulnerable to the latest OpenSSL CVE?
07:46 < dazo> according to the recommendations from OpenSSL: "Projects and products using OpenSSL should audit any use of the routine EVP_VerifyFinal() to ensure that the return code is being correctly handled."
07:47 < dazo> I can't find any part in the OpenVPN code using this function at all ... well, there are 2 in debug/valgrind-supress ... but that's not relevant :)
08:09 < dazo> I've skimmed quickly through the code a little bit better now .... I see that SSL_CTX_set_verify is used, which calls a callback ... OpenVPN does not directly use EVP_VerifyFinal()
08:10 < dazo> From my point of view OpenVPN seems to be safe from this bug ... BUT! It might be that there are parts which are called internally in OpenSSL which are buggy, so OpenVPN might be indirectly hit ... but upgrading OpenSSL should solve this
08:12 < dazo> I also had a quick look in the OpenSSL code ... but it wasn't easy to catch when the verify_callback() function in OpenVPN would be called, as SSL_CTX_set_verify() just prepares the callback ... and might be called at any later point
08:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
08:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:11 < reiffert> ecrist: Would someone mind setting the channel -t so that all users can change the topic (until it gets exploited)?
09:13 < ecrist> I supposed.
09:13 < ecrist> suppose*
09:14 -!- mode/##openvpn [+o ecrist] by ChanServ
09:14 -!- mode/##openvpn [-t] by ecrist
09:14 -!- mode/##openvpn [-o ecrist] by ecrist
09:15 < ecrist> there ya go, reiffert
09:19 < kaii> i'm confused with the Ports system ... i have an openbsd 4.3 based appliance, which has python2.4 on disk.
09:21 < ecrist> ok...
09:22 < reiffert> Thanks
09:22 < reiffert> dazo: isn't the openssl cve about the md5 issue?
09:23 < reiffert> dazo: eeks, it is not.
09:23 < dazo> reiffert: nope :) I was thinking about the one announced today ....
but not completely official
09:26 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["I want to sleep."]
09:26 < kaii> can somebody please tell me where the value of the variable "MODPY_VERSION" comes from when i build for example "py-mysql" from ports?
09:27 < kaii> it wants to build for 2.5, but i have 2.4 and really want to stick with that.
09:27 < ecrist> kaii, this isn't #openbsd
09:27 < kaii> oh darn.
09:27 < kaii> ^^
09:27 < kaii> lol
09:27 < kaii> was just a window away
09:28 * ecrist cries.
09:28 < ecrist> I lost over 4GB of pr0n. :(
09:29 < dazo> reiffert: from what I could see OpenVPN should not be vulnerable .... the only thing which could be done to make things even tighter is in ssl.c:654 - change if (!preverify_ok) to if (preverify_ok != 1) .... but the docs for SSL_CTX_set_verify say that only 0 or 1 is to be expected, so unless OpenSSL returns something wrong, this is not needed
09:34 < ecrist> reiffert: do you want me to lose the +r, too?
09:34 < ecrist> it's been discussed before
09:34 < reiffert> ecrist: +r is for registered users only, is it?
09:35 < reiffert> ecrist: what was the intentional event that was happening for setting the channel +r?
09:36 < ecrist> reiffert: nothing specific, when I built the chan, just threw it in to keep spam down
09:36 < ecrist> I'm not opposed to dropping it, though
09:40 < reiffert> so why ask me in the first place?
09:40 < ecrist> well, you had an opinion on the +t...
09:46 < reiffert> on IRCnet we keep spam low setting the channel to be secret, +s
09:46 < reiffert> What's +c about?
09:47 < ecrist> prevents CTCP to the channel
09:48 < reiffert> Ah well .. then keep it like it is, until next time I ask :)
09:48 < reiffert> Why did we give up #openvpn btw?
09:49 < ecrist> spam and lack of mgmt - network ops wouldn't give me the channel, but they were willing to forward it for me, to here.
09:49 < ecrist> that was back in August of last year, though
09:51 < ecrist> no ops and lots of channel flooding going on
10:01 < reiffert> Interesting, totally missed that.
10:01 < reiffert> that period of time
10:42 < ecrist> it was an experience.
10:43 < ecrist> if you wouldn't/couldn't help someone, they'd just flood the channel for an hour
10:47 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has joined ##openvpn
10:48 < Max007> Hi
10:48 < Max007> where can I find good documentation on how to join 2 networks with openvpn ?
10:51 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
10:51 < nardul> Evening
10:51 < nardul> I was here a few days ago about the openvpn service not starting tunnels on windows server 2003
10:51 < nardul> can anyone help me with that?
10:53 < dazo> Max007: are you familiar with OpenVPN at all?
10:54 * dazo just wants to avoid giving some clues which are far too basic :)
10:56 < ecrist> Max007: the howto
10:56 < ecrist> or see the following
10:56 < ecrist> !route
10:56 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:01 < nardul> So no one knows about windows server 2003 and openvpn?
11:06 < ecrist> not I - we have a couple clients running windows XP, but that's all we use windows for
11:06 < ecrist> and even those are going away in the next 6 months
11:08 < nardul> Good lord i wish i could say the same.
11:08 < nardul> Apparently it works in windows xp, but not on server 2003
11:08 < ecrist> going all mac for our client work stations, all our servers (ALL) run FreeBSD
11:08 < nardul> Which i sort of need it to do
11:09 < nardul> We run a bit of everything.
11:09 < nardul> Some clients want windows though.
11:09 < nardul> And blackberry requires windows
11:09 < ecrist> ah, see our *clients* are staff - they use what we tell them to use.
11:10 < ecrist> we're telling them to use macs. :) Tunnelblick FTW
11:10 < ecrist> nardul: what do you mean, blackberry requires windows?
11:10 < nardul> ecrist, blackberry enterprise server
11:11 < ecrist> I don't know what BES has to do with OpenVPN
11:12 < ecrist> nardul: I've no experience with OpenVPN running under Windows Server 2003, sorry.
11:12 < nardul> Nothing per se. But domino needing a connection to another domino does.
11:12 < ecrist> ah, see that's information I didn't have.
11:13 < ecrist> what problem are you running in to?
11:13 < nardul> I know :)
11:14 < ecrist> what problem are you running in to?
11:14 < ecrist> what problem are you running in to?
11:14 < nardul> My server runs BES and a Domino replicator. The BES is supposed to connect to the domino replicator, and the replicator copies mails over openvpn. I can make openvpn run, no problem, the only problem is, i have to log in to make it run.
11:15 < nardul> I can't make the openvpn service start the connections
11:17 < Max007> dazo: yes i am
11:17 < Max007> My vpn is up
11:18 < Max007> the client can ping the server
11:18 < dazo> Max007: which OS?
11:18 < Max007> but the server can't ping the client
11:18 < Max007> dazo: linux, ubuntu
11:18 < dazo> Max007: okey ... have you set up routing properly on both sides of the network?
11:18 < Max007> yes.. i guess
11:19 < Max007> look
11:19 < Max007> routing table for the client
11:19 < Max007> 192.168.0.0 10.10.10.5 255.255.255.128 UG 0 0 0 tun0
11:19 < Max007> 192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
11:19 < Max007> for the server:
11:19 < Max007> 192.168.0.0 * 255.255.255.128 U 0 0 0 eth0
11:19 < Max007> 192.168.2.0 10.10.10.2 255.255.255.0 UG 0 0 0 tun0
11:19 < Max007> client's lan is 192.168.0.0/24
11:20 < ecrist> Max007: did you see the link I pointed you to?
11:20 < Max007> nop
11:20 < Max007> client's lan is 192.168.0.0/24
11:20 < Max007> ecrist: yes
11:21 < dazo> Max007: if you do: cat /proc/sys/net/ipv4/ip_forward .... do you get "1" as result? ...
if yes, then it is only firewalling (iptables) to check in addition to the link ecrist sent
11:21 < dazo> Max007: what are your VPN network addresses?
11:21 < Max007> server's lan is 192.168.0.0/255.255.255.128
11:21 < Max007> dazo: vpn network is 10.10.10.0/24
11:22 < Max007> there are no iptables rules
11:22 < Max007> # cat /proc/sys/net/ipv4/ip_forward
11:22 < Max007> 1
11:22 < dazo> Max007: I presume you use 192.168.2.0/24 for client and 192.168.0.0/24 for server
11:22 < Max007> 192.168.0.0/25 for the server
11:22 < dazo> actually, /25 I mean :-P
11:23 < Max007> # iptables -L
11:23 < Max007> Chain INPUT (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> Chain FORWARD (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> Chain OUTPUT (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> # iptables -t nat -L
11:23 < Max007> Chain PREROUTING (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> Chain POSTROUTING (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < ecrist> Max007: stop
11:23 < Max007> Chain OUTPUT (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < dazo> Max007: seems very good
11:23 < Max007> on both the client and the server
11:23 < ecrist> don't paste more than 5 lines in here, please
11:23 < ecrist> use pastebin.com
11:24 < Max007> ecrist: sorry :/
11:24 < dazo> Max007: the server eth0 is 192.168.0.1?
11:24 < Max007> .125
11:24 < ecrist> nardul: do you get errors when trying to run as a service?
11:24 < dazo> Max007: okey ... if you ping that IP on the client, do you get any answer?
11:24 < Max007> yes
11:25 < nardul> ecrist, Logs say nothing at all
11:25 < dazo> Max007: and vice versa ... can you on the server ping the eth0 interface of the client?
11:25 < ecrist> and it just doesn't start up?
11:26 < ecrist> but you can start it manually?
11:26 < Max007> dazo: nop I can't ping 192.168.2.19 from the server
11:26 < dazo> Max007: .19 is the eth0 of the client? ... okey, then you have some routing issues ... do you have tcpdump available?
11:26 < nardul> ecrist, It doesn't start, and yes, i can start it manually. I've got to go now. I got off 2.5 hours ago
11:27 < nardul> I'll be back tomorrow
11:27 < nardul> laters
11:27 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
11:27 < dazo> Max007: Run tcpdump -n -i tun0 on the server ... and then run ping on the server in another session
11:27 < Max007> dazo: yes 192.168.2.19 is eth0 on the client
11:28 < Max007> i ping the client from the server ?
11:28 < dazo> Max007: yes
11:28 < Max007> http://pastebin.com/m5c7185de
11:28 < dazo> Max007: another nice to know thing .... tun0 ip address of client is 10.10.10.2 ... and 10.10.10.5 on the server?
11:29 < Max007> tcpdump run on the server
11:29 < Max007> server:
11:29 < Max007> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.10.10.1 P-t-P:10.10.10.2 Mask:255.255.255.255
11:29 < Max007> client:
11:29 < Max007> inet addr:10.10.10.6 P-t-P:10.10.10.5 Mask:255.255.255.255
11:30 < dazo> Max007: as I thought .... okey ... traffic from the server hits the VPN tunnel, but never comes back ... so it gets stuck somewhere
11:31 < dazo> Max007: what confuses me though is that you seem to have two different p-t-p links .... and these two do not talk together,
11:31 < ecrist> pardon me for interrupting, Max007, are you having a problem getting two VPN clients to talk?
11:31 < dazo> Max007: I usually use tap devices instead of tun devices ... but the theory behind should be pretty much the same when it comes to TCP/IP routing
11:31 < Max007> ecrist: the client can talk to the server but the server can't talk to the client
11:32 < ecrist> that doesn't even make sense.
11:32 < ecrist> what's your test?
11:33 < Max007> ping, ssh connection
11:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:33 < Max007> client to server everything is ok
11:33 < dazo> Max007: ecrist: I believe it is a routing issue since he has two link layers here .... 10.10.10.1-10.10.10.2 on the server .... and 10.10.10.6-10.10.10.5 on the client
11:33 < ecrist> to the VPN client IP?
11:33 < Max007> lan ip
11:34 < ecrist> so, not the IP the vpn server gave the client?
11:34 < dazo> ecrist: does VPN server give IP on tun-connections? (not tap)
11:34 < ecrist> yes
11:35 < dazo> oki ... didn't know :)
11:35 < ecrist> Max007: pastebin.com your configs, please
11:35 < ecrist> both server and client
11:35 < dazo> Max007: what's your ifconfig lines in the config files you are using?
11:35 < dazo> (openvpn)
11:36 < Max007> dazo, ecrist: hold on
11:37 < dazo> Max007: do we stress you? :-P
11:37 < Max007> dazo: not at all :P
11:37 < Max007> I was on the phone
11:37 < dazo> Max007: :)
11:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:37 < rubydiamond> Hi people getting error
11:37 < rubydiamond> Error parsing PKCS#12
11:37 < rubydiamond> dont know why
11:38 < dazo> rubydiamond: do you have openssl command available?
11:38 < rubydiamond> what is that
11:38 < Max007> http://pastebin.com/m268ce9c5
11:38 < dazo> rubydiamond: which OS are you on?
11:38 < rubydiamond> dazo: MacOSX leopard
11:38 < rubydiamond> OpenSSL> exit
11:38 < rubydiamond> it is
11:38 < ecrist> rubydiamond: pastebin your logs, please
11:39 < rubydiamond> ok
11:39 < dazo> rubydiamond: try openssl pkcs12 -in ... if that fails, you most probably have a corrupt cert file
11:39 < ecrist> Max007: a couple notes on your config:
11:39 < ecrist> 1) your push of 192.68.0.0/25 is going to break remote LANs
11:40 < Max007> ecrist: why is that &?
11:40 < ecrist> 2) you generally don't need IPP and client-config-dir in the same config, but it won't hurt anything.
11:40 < rubydiamond> ecrist: http://pastie.org/private/t4mlfqyhjstmhudtqqvwa
11:41 < ecrist> Max007: because, for example, my LAN at home is 192.168.0.0/24 - if I were to connect to your VPN, I couldn't route to my LAN, which is going to drop my connection to the VPN.
11:41 < ecrist> vicious cycle
11:41 < dazo> rubydiamond: "Error: private key password verification failed" ... did you use the correct password?
11:42 < rubydiamond> dazo: yes.. looks like
11:42 < Max007> ecrist: remote lan and local lan are not the same
11:42 < Max007> ecrist: on the server's side it's 192.168.0.0/25 and on the client's side it's 192.168.2.0/24
11:42 < ecrist> so, you don't have users connecting to this VPN from home?
11:42 < dazo> ecrist: I don't follow you now .... for me this seems sensible
11:43 < rubydiamond> smk: what is the solution
11:43 < Max007> ecrist: it's not a roadwarrior vpn. I only want to join both networks together
11:43 < ecrist> ok, just be aware if that changes down the road.
11:44 < dazo> rubydiamond: what did you get when using the openssl pkcs12 -in ? ... did you get a certificate out ... or an error?
11:44 < ecrist> what is the LAN subnet for the remote (client) end?
11:44 < Max007> 192.168.2.0/24
11:44 < rubydiamond> dazo http://pasternak.superalloy.nl/pastes/1218
11:45 < dazo> rubydiamond: you need to get the correct password for your certificate file .... with the password you use now, you cannot decrypt the certificate inside the pkcs12 file
11:45 < ecrist> ok, so you need a couple things. You need an iroute in a client-config for the VPN client, for the 192.168.2.0/24 networks
11:45 < ecrist> s/s$//
11:46 < dazo> rubydiamond: and if not, then the file is corrupt and you need to get a new pkcs12 file
11:46 < ecrist> second, you need your lan machines on either end to be pointing the appropriate subnet to the respective OpenVPN system
11:46 < rubydiamond> dazo: okay trying
11:47 < Max007> ecrist: I'm not sure I understand
11:47 < dazo> Max007: is the OpenVPN server and client also the default gw for your computers?
11:47 < ecrist> Max007: see below:
11:47 < ecrist> !iroute
11:47 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
11:47 < Max007> dazo: yes
11:48 < ecrist> if you read !route, you'll get a better idea
11:48 < dazo> ecrist: since openvpn sits on the default gw .... isn't it enough that the computers in the network point at their local default gw?
11:48 < ecrist> yep
11:49 * dazo thought so as well
11:49 < ecrist> that's plenty - but that's not the case in all circumstances.
11:49 < ecrist> our network at my office, for example, has our OpenVPN server on a different host than the default gateways
11:49 < Max007> right now there's no computer on the LANs .. it's a test environment
11:49 < Max007> there's only the server and the client
11:49 < dazo> ecrist: yeah! and that makes sense
11:50 < ecrist> Max007: you need to setup the iroute on the server side in the client-config-dir, and all should be well, barring firewall problems.
11:50 * dazo catches -SIGWIFE ... need to go .... good luck Max007 ... I'm sure you'll solve it soon :)
11:51 * dazo might catch up later today
11:51 < Max007> dazo: bye, thanks for your help
11:51 < dazo> dazo: no prob :)
11:51 < Max007> !ccd
11:51 < vpnHelper> Max007: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
11:52 < Max007> !route
11:52 < vpnHelper> Max007: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:52 < ecrist> Max007: about half way down that page, you'll find the iroute bits
11:54 < Max007> # cat /etc/openvpn/ccd/testeux
11:54 < Max007> iroute 192.168.2.0 255.255.255.0
11:55 < Max007> like that &?
11:55 < ecrist> yep
11:55 < Max007> ok
11:55 < Max007> let's test it
11:56 < Max007> YES
11:56 < Max007> it works
11:56 < Max007> but I don't understand why
11:56 < Max007> lol
11:57 < ecrist> because the openvpn process intercepts routing for the kernel to the tap/tun device
11:57 < ecrist> without the iroute, openvpn isn't aware of how to route the subnet for your testeux client, so it drops the packets.
11:57 < rubydiamond> WARNING: file 'Anil.p12' is group or others accessible
11:57 < Max007> ok
11:58 < Max007> thanks a lot dude !
11:58 < rubydiamond> I see this for my certificate file
11:58 < ecrist> np
11:58 < Max007> i've been on this problem since before xmas
11:58 < ecrist> rubydiamond: fix your permissions.
11:58 < Max007> -=4~-^-^,<
11:58 < Max007> oops
11:58 < ecrist> Max007: you finally found the right place.
11:58 < rubydiamond> ecrist: dazo... what should be the permissions
11:58 < Max007> yep
11:58 < ecrist> rubydiamond: chmod 600 Anil.p12
11:58 < ecrist> erm
11:58 < ecrist> no
11:59 < ecrist> chmod 500 Anil.p12
11:59 < ecrist> nope, 600 was right
11:59 < ecrist> that's the same as chmod u=rw,go=
12:03 < rubydiamond> hmm
12:03 < rubydiamond> http://pastie.org/private/hbo0u2hc2xmtufe1sbfkg
12:05 < rubydiamond> ecrist: are the file permissions correct now
12:05 < ecrist> yep
12:05 < rubydiamond> but now. its asking me username and password.
12:05 < rubydiamond> it was asking me passphrase still
12:05 < rubydiamond> till now
12:06 < ecrist> your Anil-TO-IPCop.ovpn file should be chown anildigital:staff
12:06 < Max007> gotta go
12:06 < Max007> thanks again ecrist
12:06 < ecrist> np
12:06 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has quit ["leaving"]
12:07 < rubydiamond> ecrist: it started asking me username and password
12:08 < rubydiamond> it was asking me passphrase before
12:08 < rubydiamond> how do I use command line for it
12:08 < rubydiamond> http://pasternak.superalloy.nl/pastes/1220
12:09 < ecrist> what are you trying to do?
12:10 < rubydiamond> ecrist: I want to connect to openvpn
12:10 < rubydiamond> I am using mac.. tunnelblick
12:10 < rubydiamond> I used to connect before using tiger.
12:11 < rubydiamond> now I am trying to setup my leopard with openvpn
12:12 < rubydiamond> ecrist: any idea.. why is it failing
12:16 < ecrist> ok, why are you running openssl command?
12:20 < rubydiamond> dazo: rubydiamond: try openssl pkcs12 -in ... if that fails, you most probably have a corrupt cert file
12:20 < rubydiamond> ecrist: I figured out .. that I was entering wrong password
12:21 < rubydiamond> but my openvpn client is asking me for username and password
12:21 < rubydiamond> instead of passphrase
12:21 < rubydiamond> how do I connect using command line
12:22 < ecrist> sudo openvpn --config
12:26 < rubydiamond> dazo: and ecrist I can do openssl pkcs12 -in Anil.p12
12:26 < rubydiamond> with my password
12:26 < rubydiamond> but .. I am not able to validate with openvpn with my password
12:27 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:28 < rubydiamond> okay restarting my machine
12:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:35 < rubydiamond> $ sudo openvpn --config Anil-TO-IPCop.ovpn
12:35 < rubydiamond> Unrecognized option or missing parameter(s) in Anil-TO-IPCop.ovpn:3: client
12:36 < ecrist> did you post your client config?
12:37 < rubydiamond> hi
12:37 < rubydiamond> help
12:37 < ecrist> did you post your client config?
12:49 < rubydiamond> friends Unrecognized option or missing parameter(s) in Anil-TO-IPCop.ovpn:6: pkcs12
12:49 < rubydiamond> ecrist: okay
12:50 < rubydiamond> ecrist: https://gist.github.com/e814278a78e160b97c14
12:50 < vpnHelper> Title: gist: e814278a78e160b97c14 GitHub (at gist.github.com)
12:51 < rubydiamond> ecrist: what is wrong..
12:51 < ecrist> did you follow some howto to set this up?
12:51 < rubydiamond> the same file previously used to work correctly
12:52 < rubydiamond> ecrist: I just want to connect to my office vpn nw
12:53 < rubydiamond> I used to do that earlier
12:54 < ecrist> can you pastebin your entire log, please?
12:56 < ecrist> nm - i'm outta time. bbl
12:56 < rubydiamond> hmm okie
13:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:08 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
13:08 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has joined ##openvpn
13:18 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
13:21 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:21 < dvl> !ca
13:21 < vpnHelper> dvl: Error: "ca" is not a valid command.
13:23 < rubydiamond> the current --script-security setting may allow this configuration to call user-defined scripts
13:23 < rubydiamond> getting this error
13:24 < rubydiamond> vpnHelper: getting this error
13:24 < rubydiamond> https://gist.github.com/0d992e63377ab4e3ebe2
13:24 < vpnHelper> rubydiamond: Error: "getting" is not a valid command.
13:24 < vpnHelper> Title: gist: 0d992e63377ab4e3ebe2 GitHub (at gist.github.com)
13:24 < rubydiamond> dazo: you there?
13:24 < rubydiamond> https://gist.github.com/0d992e63377ab4e3ebe2
13:24 < vpnHelper> Title: gist: 0d992e63377ab4e3ebe2 GitHub (at gist.github.com)
13:29 -!- Keizer [n=keizer@216.45.246.60] has quit ["WeeChat 0.2.6"]
13:29 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn
13:38 < krzee> !mitm
13:38 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
13:39 < krzee> !servercert
13:39 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mtim
13:39 < krzee> lol @ my typo
13:39 < krzee> !forget servercert 2
13:39 < vpnHelper> krzee: Joo got it.
13:39 < krzee> !learn servercert as this will help with !mitm
13:39 < vpnHelper> krzee: Joo got it.
13:40 < krzee> what is Anil.p12 ?
13:45 < rubydiamond> krzee: where did you get it
13:45 < rubydiamond> its mine
13:45 < rubydiamond> krzee: hey
13:45 < rubydiamond> how do I check which comps are running in my nw
13:45 < rubydiamond> 192.168.104.*
13:46 < krzee> nw?
13:46 < krzee> i didnt say who owns the file Anil.p12
13:46 < krzee> i said what is it
13:46 < rubydiamond> krzee: its certificate
13:46 < rubydiamond> name
13:46 < krzee> i know whose it is
13:46 < rubydiamond> mine
13:47 < krzee> check its file permissions / location
14:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
14:17 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"]
14:18 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
14:22 * ecrist considers registering for an openvpn group/cloak
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 < Keizer> Can I do a 3des encr with md5 hash subnet to subnet vpn tunnel with OpenVPN?
15:01 < ecrist> that sounds like IPsec, so no
15:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:33 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
15:57 -!- cyberjames [n=james@unaffiliated/cyberjames] has quit [Remote closed the connection]
16:02 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:11 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:23 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:33 -!- AndyML is now known as AwayML
16:35 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)]
16:37 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn
16:40 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)]
16:51 -!- AwayML is now known as AndyML
17:07 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
17:14 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:41 -!- DamZ [n=damz@drupal.org/user/22211/view] has joined ##openvpn
17:42 -!- DamZ [n=damz@drupal.org/user/22211/view] has left ##openvpn []
20:33 -!- rorx [n=rory@cypher.TrueStep.com] has quit ["Signing off.."]
21:15 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 104 (Connection reset by peer)]
21:49 -!- Irssi: ##openvpn: Total of 35 nicks [0 ops, 0 halfops, 0 voices, 35 normal]
21:49 < krzie> http://politicalticker.blogs.cnn.com/2009/01/07/porn-industry-seeks-federal-bailout/
21:49 < vpnHelper> Title: CNN Political Ticker: All politics, all the time Blog Archive - Porn industry seeks federal bailout « - Blogs from CNN.com (at politicalticker.blogs.cnn.com)
21:51 < ecrist> way too funny
21:53 < ecrist> g'night
21:54 < krzie> nite
22:13 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has left ##openvpn ["Konversation terminated!"]
22:16 -!- tjz [n=tjz@bb116-15-64-133.singnet.com.sg] has joined ##openvpn
22:19 < tjz> Use of OpenSSL as an SSL/TLS client when connecting to a server whose
22:19 < tjz> certificate uses an RSA key is NOT affected.
22:19 < tjz> hmm...
22:20 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
23:00 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
23:23 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
--- Day changed Thu Jan 08 2009
00:57 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)]
01:05 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
01:38 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
01:38 < nardul> Morning
01:42 -!- Keizer [n=keizer@216.45.246.60] has quit ["WeeChat 0.2.6"]
01:45 < reiffert> moin
01:46 < krzee> moin
02:07 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:09 < nardul> Moin ??? Are you from germany or denmark?
02:11 < tjz> hey jeff
02:11 < tjz> hey everyone
02:11 < tjz> morning, everyone
02:13 < nardul> Morning
02:13 < nardul> Would anyone happen to know anything about the openvpn service on windows server 2003? In short, it doesn't start the tunnels, i have to log in to make them run.
02:26 < krzee> sure the service starts it as admin?
02:27 < krzee> (i have never used openvpn on windows as a service)
02:47 < tjz> Rockets from Lebanon strike Israel
02:47 < tjz> OMG!!
02:48 < tjz> http://edition.cnn.com/2009/WORLD/meast/01/08/israel.rockets/index.html
02:48 < vpnHelper> Title: 'Unknown group' in Lebanon launches rockets at Israel - CNN.com (at edition.cnn.com)
03:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:11 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
03:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
03:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."]
03:47 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
03:56 -!- dazo [n=dazo@nat/redhat/x-ce30629ea8d73e82] has quit ["Leaving"]
04:16 -!- ikevin [n=kevin@ANancy-256-1-41-4.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
04:16 -!- ikevin [n=kevin@ANancy-256-1-10-23.w90-13.abo.wanadoo.fr] has joined ##openvpn
04:20 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
04:45 -!- dazo [n=dazo@nat/redhat/x-1b4298a37737dcd7] has joined ##openvpn
04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:27 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."]
05:28 -!- stmaher [n=stephen@mateus.province5.tv] has joined ##openvpn
05:28 < stmaher> Hello everyone..
05:28 < stmaher> I have a linux server and client..
05:29 < stmaher> I have a ca.crt and ta.key generated on the server already.. Is it ok to copy them to the client and use those rather than regenerating them again?
05:29 < stmaher> many thanks
05:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:32 < stmaher> Hi roentgen
05:33 < roentgen> Hi
05:33 -!- trifler [i=trifler@farva.bsnet.se] has joined ##openvpn
05:34 < stmaher> roentgen I know you just arrived but was wondering if you could answer my question please
05:34 < stmaher> I have a linux server and client.. I have a ca.crt and ta.key generated on the server already.. Is it ok to copy them to the client and use those rather than regenerating them
05:34 < stmaher> again?
05:47 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
06:01 < dazo> stmaher: It would not make sense to regenerate ta.key ... that's a static key, and therefore needs to be identical in all places
06:02 < dazo> stmaher: when copying this key, you should make sure it is copied over a secure channel .... ie. encrypted transfer over the net (ftps, scp, sftp) or via a physical medium which you can observe (flash memory or similar)
06:02 < stmaher> thanks dazo!
06:02 < dazo> stmaher: the ca.crt is nothing secret, and can be globally available, even as a download from a web site if you want
06:03 < stmaher> cool thanks
06:03 < dazo> stmaher: just be sure not to share the ca.key anywhere ;-)
06:03 < dazo> stmaher: np!
06:08 -!- dazo [n=dazo@nat/redhat/x-1b4298a37737dcd7] has quit ["Leaving"]
06:08 -!- dazo [n=dazo@nat/redhat/x-9b92f7f7f5391fc8] has joined ##openvpn
06:34 < krzee> !factoids search
06:34 < vpnHelper> krzee: (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace.
06:34 < krzee> !factoids search --values [
06:34 < vpnHelper> krzee: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:34 < krzee> !factoids search --values "["
06:34 < vpnHelper> krzee: No keys matched that query.
06:34 < krzee> !factoids search --values "*[*"
06:35 < vpnHelper> krzee: No keys matched that query.
06:35 < krzee> !factoids search --values "
06:35 < vpnHelper> krzee: Error: No closing quotation
06:35 < krzee> !factoids search --values """
06:35 < vpnHelper> krzee: Error: No closing quotation
06:35 < krzee> !factoids search --values ""
06:35 < vpnHelper> krzee: More than 100 keys matched that query; please narrow your query.
06:36 < krzee> !factoids search --values "'"
06:36 < vpnHelper> krzee: 'bridge', 'ask', 'push-reset', 'tap', 'iporder', 'menu', 'chooseip', 'iroute', 'noenc', 'all', 'fbsdbridge', 'bridge-fw', 'configs', and 'pushdns'
06:36 < krzee> cat pushdns
06:36 < krzee> !pushdns
06:36 < vpnHelper> krzee: "pushdns" is (#1) push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
06:36 < ecrist> morning, folks
06:36 < krzee> mornin eric
06:38 < krzee> yanno what i love
06:39 < krzee> still being up in time for mcdonalds breakfast
06:40 < ecrist> lol
07:25 < tjz> lol
07:26 < tjz> do they have this mega mcmuffin over there?
07:27 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"]
07:33 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:02 < krzee> neg
08:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
08:18 -!- lilalinux is now known as lilaunix
08:35 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
08:46 < tjz> lol
09:42 -!- stmaher [n=stephen@mateus.province5.tv] has quit ["My damn controlling terminal disappeared!"]
09:57 -!- resc [n=tgs@galileo.psych.indiana.edu] has joined ##openvpn
09:58 < resc> hi, i was wondering if the windows version of OpenVPN uses OpenSSL (which has a new man in the middle attack)
10:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
10:01 < resc> ah, yeah, it does
10:03 < ecrist> resc, there was a user in here yesterday who looked into the code and said the exploitable function isn't used with openvpn
10:03 < resc> oh, nice
10:04 < resc> thank you
10:04 < ecrist> np
10:05 < dazo> ecrist: resc: I think I'm that guilty user :-P ... Another person also asked about it in the mailing list, so I responded with my point of view there as well
10:06 < resc> cool, i'll look that up
10:06 < dazo> resc: The CVE explicitly mentions EVP_VerifyFinal() ... which OpenVPN does not use at all
10:06 < resc> yeah
10:07 < dazo> resc: but of course, it uses some other techniques and uses some other OpenSSL library functions with callbacks to OpenVPN functions ... but I didn't manage to see any obvious things even here
10:08 < resc> sounds good
10:08 < resc> thanks for looking
10:09 < dazo> resc: np! :)
10:09 < ecrist> dazo, would you mind writing something up, somewhere, that I can link to?
10:09 < ecrist> if you need a place, secure-computing.net/wiki/
10:10 < dazo> ecrist: not at all, would be a pleasure ... I believe you mostly can copy-paste from the mail to the mailing list ... I'll find the link to it
10:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:11 < dazo> ecrist: https://sourceforge.net/mailarchive/message.php?msg_name=4965B51E.5080409%40topphemmelig.net
10:11 < vpnHelper> Title: SourceForge.net: OpenVPN: (at sourceforge.net)
10:12 < ecrist> tx
10:12 < dazo> ecrist: I see I was more brief than I thought I was ... I'll give you some more from the chat yesterday if you want/need it
10:13 < ecrist> I've got logs.
10:13 < ecrist> !irclogs
10:13 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.)
10:13 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:14 < dazo> ecrist: cool! :) no worries then! :) ... If you need more details, don't hesitate to ping me
10:14 < ecrist> sure
10:40 -!- resc [n=tgs@galileo.psych.indiana.edu] has quit ["Leaving"]
11:03 -!- tjz [n=tjz@bb116-15-64-133.singnet.com.sg] has quit ["I want to sleep."]
12:07 -!- lilaunix is now known as lilalinux
12:10 -!- ponyofdeath [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn
12:11 -!- cj [n=cjac@66.152.65.2] has quit [Read error: 110 (Connection timed out)]
12:14 < ponyofdeath> hi, im getting "http://pastebin.com/m275a4f2f" those errors after a tunnel times out and tries to reconnect?
12:38 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:01 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
13:02 -!- lilalinux is now known as lilaunix
13:16 < krzee> !learn foo as "bar \"baz [qux]\""
13:16 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:16 < krzee> !learn foo as "bar \"baz [qux]\""
13:16 < vpnHelper> krzee: Joo got it.
13:17 < krzee> !foo
13:17 < vpnHelper> krzee: "foo" is bar "baz [qux]"
13:17 < krzee> !forget foo
13:17 < vpnHelper> krzee: Joo got it.
13:18 < krzee> !forget pushdns *
13:18 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !learn pushdns as "push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client"
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !pushdns
13:19 < vpnHelper> krzee: "pushdns" is push "dhcp-option DNS a.b.c.d" (remove the 's) to push dns to the client
13:19 < krzee> hah!
13:19 < krzee> !forget pushdns *
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !learn pushdns as "push \"dhcp-option DNS a.b.c.d\" to push dns to the client"
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
13:19 < vpnHelper> krzee: Joo got it.
13:19 < krzee> !pushdns
13:19 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
13:21 < krzee> !ssl-admin
13:21 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
13:24 < krzee> hrm
13:24 < krzee> no sed -i in NetBSD
13:34 < ecrist> ack
13:41 < krzee> [15:41] basically sed -i is everywhere but here
13:41 < krzee> [15:41] so i will file the PR
13:41 < krzee> [15:42] * ober has quit (Remote closed the connection)
13:41 < krzee> [15:42] i remember i once discovered the same
13:41 < krzee> [15:42] * ober (i=ober@mauthesis.com) has joined #netbsd
13:41 < krzee> [15:42] being told the same i'm telling krzee atm
13:41 < krzee> [15:42] :-)
13:41 < krzee> [15:43] what, to write it out to a temp file and delete it?
13:41 < krzee> [15:43] s/discovered/reported/
13:41 < krzee> [15:43] yes
13:41 < krzee> [15:43] * syamajala has quit ("Leaving...")
13:41 < krzee> [15:43] well, thats ugly and unacceptable as an answer
13:41 < krzee> [15:43] since the rest of the world got it right
13:42 < krzee> [15:44] hey, there's no sed in windows so rest of the world doesn't even have a clue
13:42 < krzee> [15:44] lol touche
13:42 < krzee> [15:44] i havnt used windows in a long time
13:42 < krzee> [15:44] Nodsu: good point!
13:42 < krzee> [15:45] should i look for ipconfig instead of ifconfig as well? ;]
13:42 < krzee> [15:45] yes
13:49 < krzee> bleh, i need to look into making the Makefile correctly
13:50 < krzee> that will undo the need for that bs
13:59 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 113 (No route to host)]
14:00 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
14:10 < krzee> cat Makefile | sed -ne 's+VARETC+/usr/local/etc+g;wMakefile'
14:10 < krzee> booya
14:17 < krzee> bleh except for SEDCMD
14:17 < krzee> i could hack around that in shell script too, but its losing its point
14:17 < krzee> easier to learn howto use a proper Makefile at this point
14:17 < krzee> or at least cleaner
14:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
15:05 -!- xattack [i=xattack@132.248.108.239] has quit []
15:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:09 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn
17:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:11 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
17:55 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
17:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["Changing server"]
17:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:01 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
18:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
18:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:07 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
18:24 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
18:37 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
18:53 -!- lilaunix is now known as lilalinux
19:22 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)]
19:23 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
19:26 -!- alami [i=alami@unaffiliated/alami] has joined ##openvpn
19:28 < alami> i have openbsd and i want to create vpn server (PPTP)
19:28 < alami> to allow windows user to connect to my openbsd box
19:29 < alami> and the other side to connect from openbsd to a windows vpn server
19:29 < alami> is that possible with openvpn?
19:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:39 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
19:49 < dvl> alami: a VPN server running PPTP?
19:50 < dvl> this help? http://openvpn.net/archive/openvpn-users/2007-10/msg00077.html
19:50 < vpnHelper> Title: Re: [Openvpn-users] OpenVPN over PPTP on Vista (at openvpn.net)
20:02 < alami> thanks
20:03 < alami> i will see if i can do it
20:03 < alami> because i don't know which one i will use :)
20:06 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 104 (Connection reset by peer)]
20:06 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
20:09 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn
20:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
20:34 * tjz swim in
22:09 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:14 < krzee> !forum
22:14 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
22:39 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
22:42 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
23:32 < krzee> !factoids search win
23:32 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
23:32 < krzee> !win_noadmin
23:32 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
23:33 < krzee> !learn ipv6 as http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker
23:33 < vpnHelper> krzee: Joo got it.
23:38 -!- rellik [n=rellik@adsl-75-12-152-129.dsl.stlsmo.sbcglobal.net] has joined ##openvpn
--- Day changed Fri Jan 09 2009
00:01 -!- rellik [n=rellik@adsl-75-12-152-129.dsl.stlsmo.sbcglobal.net] has quit [Remote closed the connection]
00:47 -!- mRCUTEO [n=info@58.26.212.3] has joined ##openvpn
00:53 -!- mRCUTEO [n=info@58.26.212.3] has quit []
01:05 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
01:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:56 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:05 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:11 < krzee> !configs
02:11 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:11 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: reiffert, mcp, kaii, Typone
02:11 -!- Netsplit over, joins: kaii, mcp, reiffert, Typone
02:13 -!- disposable [i=disposab@blackhole.sk] has quit [Remote closed the connection]
02:13 -!- jabular [n=jabular@82-32-104-27.cable.ubr02.hawk.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)]
02:19 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:42 < dazo> alami: I just saw your question regarding VPN server and PPTP
02:43 < dazo> alami: not sure if I understood you correctly, but it looked somehow like you want to setup a PPTP server for Windows clients, is that correct?
02:44 < dazo> alami: if that is correct, then you'll need another server than OpenVPN, unfortunately. PPTP uses a different protocol than OpenVPN
02:47 < dazo> alami: if you really want PPTP, you'll need to implement pptp-server, poptop or something like that .... I'm not a PPTP user at all, so I don't know much about it
02:48 < dazo> alami: but I would rather recommend you to implement OpenVPN on the client side too, the OpenVPN GUI for Windows is pretty good and easy for people who barely understand Word and Outlook
02:49 < dazo> alami: for the other way around ... you'll need to find a PPTP client for your BSD distro ... that's probably easier to set up :)
03:01 -!- lilalinux is now known as lilaunix
03:18 -!- kwek [n=kwek@155.Red-88-20-89.staticIP.rima-tde.net] has joined ##openvpn
03:41 -!- lilaunix is now known as lilalinux
03:42 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
03:50 < krzee> dazo, good advice
03:58 < dazo> krzee: well, of course, being in the openvpn channel, it was just my brief objective point of view :-P
03:58 < krzee> ;]
04:15 < tjz> bring alami to the pptp irc channel
04:15 < tjz> :P
04:17 < krzee> openvpn > pptp
04:17 < dazo> nahh ... dunno if I like that .... I'd prefer pptp > openvpn ;)
04:19 < krzee> ild rather trust my encryption to openssl with hmac sigs than to a ms proprietary protocol
04:19 < krzee> which has been known to have security issues
04:20 < dazo> ahh ... well, I meant to convert people from pptp > openvpn .... not running openvpn inside a pptp tunnel ...
04:20 < krzee> nope, completely diff protocols
04:20 < dazo> I'd prefer pptp inside an openvpn tunnel, if I'd have to do it like that
04:20 < dazo> yeah
04:20 < krzee> pptp cant hook up to ipsec cant hook up to openvpn
04:21 < dazo> but if you establish an openvpn tunnel between two endpoints (net-to-net)... and then clients on each side establish a pptp tunnel, over the openvpn tunnel ...
04:22 < dazo> :s/over/through/
04:23 < dazo> but it basically does not give you much more security at all ... pptp is still full of MS errors and security weaknesses
04:23 < dazo> you only limit the chance for other people to snap up the pptp from the outside
04:23 < krzee> ?
04:23 < krzee> why setup a pptp tunnel over an openvpn tunnel?
04:24 < krzee> what goal would that achieve?
04:24 < dazo> just for fun? :-P
04:24 < krzee> *shrug* ok
04:25 < dazo> well, it might be that some systems insist on sending data through pptp ... or that some management level persons in a bigger company insist on pptp between sites
04:25 < krzee> #1, like what
04:25 < krzee> #2, then your solution goes against that
04:27 < dazo> well, the management level can see that "Hey, we're using pptp" ... and you won't get kicked when somebody tries to crack public pptp traffic, as it is already secured ... sometimes, sys-admins have to do such dirty tricks to protect her/himself against wacky management
04:28 < dazo> but I'm not a windows guy .... I don't know much about which apps/systems really would insist on pptp ... but in the Windows world, you'll never know which traps you'll find
04:30 < krzee> openvpn works based on routing
04:30 < krzee> anything that works using tcpip works fine
04:30 < krzee> when using tap, anything that travels over ethernet works fine
04:31 < krzee> if you have management that doesnt care about security, thats another thing
04:31 < dazo> true ... but what if the software insists on a specific feature found in the pptp device?
04:31 < krzee> i wouldnt work in a place like that
04:31 < krzee> dazo, show me the software or it doesnt exist
04:32 < krzee> both are methods of tunneling IP traffic
04:34 < dazo> krzee: as I mentioned, I'm not a windows guy, nor a pptp user (even though I tested it once from Linux against a dd-wrt router, and switched to openvpn) ... I'm just a general pessimist when it comes to expecting things from software developers, especially closed source software, as you never really know what kind of crazy expectations and assumptions they can make
04:34 < krzee> they send to an ip
04:34 < krzee> pptp or openvpn handles the dirty stuff behind the scenes
04:35 < krzee> that is the nature of a vpn, nothing to do with who codes what 3rd party software
04:35 < krzee> !
04:35 < krzee> !vpn
04:35 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
04:35 < dazo> yeah, if it is cleanly written software ... but badly written software might even want to talk directly through a specific interface, and not bind to a specific IP address
04:35 < krzee> *shrug*
04:36 < krzee> this conversation is pointless
04:36 < dazo> :)
04:36 < krzee> software doesnt point to a device to send traffic to
04:36 < krzee> the kernel does via routing table
04:36 < krzee> im gunna do something productive, bbl
04:36 < dazo> sure!
04:38 < dazo> but I'm thinking about a listening service ... that can be bound to a particular interface, independent of what the IP address is ... promisc mode of the interface, is one approach (which tcpdump uses btw)
04:38 < dazo> there are more ways to set up a connection and also a listening service with socket bind ... and someone might even go deeper in the stack, wanting to talk directly to the interface
04:40 < dazo> a far-fetched example from this discussion, but one I know a little bit more about ... Infiniband interfaces are completely different than normal eth interfaces, and it even needs an additional tcp/ip stack to work with ip addresses ... and applications may access this hardware more directly to achieve higher throughput, but they then need to cover the OSI layers to make this work
04:42 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:42 < dazo> but if you configure an IB device with the tcp/ip stack, it works almost like a normal eth interface ... and some software uses both tcp/ip and some direct hardware access to achieve a simpler implementation, but still have some of the powers of IB, like RDMA
04:51 < krzee> you have ventured far from anything using pptp or openvpn, and i have a feeling you need to learn more on the topic
04:58 < dazo> I think the main difference in our arguments is that you take it for granted that everything works through the kernel API which then talks to the hardware interface, in a standardised way - true, this is the case for most used software ... but I take nothing for granted, there will always be an exception somewhere, somehow ... but it does not need to be a mainstream application
04:59 < dazo> but indeed, breaking with the standardised way of performing communication breaks interoperability immediately
05:03 < krzee> ok so stay with pptp in case you one day encounter that exception
05:04 < krzee> [07:02] but indeed, breaking with the standardised way of performing communication breaks interoperability immediately
05:04 < krzee> your argument is that there might be a program that breaks the standardised way of performing communication
05:04 < krzee> so you will use pptp instead of something better
05:05 < krzee> and i say, go for it
05:05 < krzee> doesnt matter to me what you use
05:05 < krzee> but that SURE doesnt make pptp > openvpn
05:05 < dazo> agreed!
05:06 < krzee> didnt this start from:
05:06 < krzee> [06:20] nahh ... dunno if I like that .... I'd prefer pptp > openvpn ;)
05:06 < dazo> the thing I see now, is that I misunderstood your '>' ... I thought you meant '>' as through ... not better than
05:06 < krzee> > is greater than
05:06 < krzee> < is less than
05:06 < krzee> ahh
05:07 < dazo> yeah, in this setting I completely agree with you ... openvpn is superior to pptp! that's no discussion! :)
05:08 < krzee> werd
05:16 < krzee> lol reiffert
05:16 < krzee> yes i should sleep
05:16 < krzee> but im migrating my mailserver to netbsd
05:16 < krzee> and its my first time using netbsd
05:16 < krzee> pretty nice os tho, and not very diff than freebsd
06:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:13 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
07:31 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has joined ##openvpn
07:31 < kungfupanda> Oh!
07:31 < kungfupanda> There is a channel for it!
07:31 < ecrist> ?
07:31 < kungfupanda> For OpenVPN.
07:32 < kungfupanda> My main question is this: If I make some company set up a box that I point my domain name to, will my server that receives all the traffic think that it's actually hosting clients directly?
07:32 < kungfupanda> As in: Will Apache etc. see many different IP addresses or just one (the proxy)?
07:38 < reiffert> Both are possible.
07:40 < kungfupanda> Ah.
07:40 < kungfupanda> Does it depend on my setup or their setup?
07:41 < kungfupanda> Please, for the love of God, tell me it depends on MY setup...
07:41 < kungfupanda> Because I want it to be 100% transparent. To trick my server into thinking that it's public.
07:41 * ecrist doesn't understand the question
07:42 < kungfupanda> I mean...
07:42 < kungfupanda> How can I put it any simpler? :S
07:42 < reiffert> It depends on routing on your client and on your server.
07:45 < kungfupanda> "my client"?
07:45 < kungfupanda> Does that mean the "proxy"?
07:45 < reiffert> "I have no idea about your setup"
07:45 < dazo> kungfupanda: do you want SSL encryption to your Apache server (https) ... or do you want a VPN (encrypted network tunnel) connection between two sites' networks?
07:45 < kungfupanda> Cloud -> SomeBox -> My server.
07:46 < kungfupanda> dazo: My Web site has both HTTP and HTTPS traffic. I want this to work transparently.
07:46 < kungfupanda> And I want encryption between the proxy and the server.
07:47 < dazo> kungfupanda: it's unclear for me, maybe the others as well, what you try to solve .... where is the proxy located?
07:49 < dazo> how to rephrase the question .....
07:49 < dazo> kungfupanda: Are you providing some services a customer wants, and you want that network traffic to be encrypted via a VPN network?
07:50 * dazo is doing things stupidly simply now, to see if I understand things better ...
07:52 < kungfupanda> Well...
07:52 < kungfupanda> I am trying to find somebody who can provide DDoS protection.
07:52 < kungfupanda> And NOT use a Web proxy due to many problems associated with those.
07:52 < kungfupanda> Unfortunately, these "real" tunnels seem to be much more expensive.
07:54 < reiffert> ?
07:54 < kungfupanda> What is unclear?
07:54 < dazo> your task you want to solve
07:54 < reiffert> Everything after "Well..."
07:55 < reiffert> brb, postal office
07:55 < dazo> Let's start really basic ...
07:55 < kungfupanda> Trying to keep a Web server from going down due to DDoS, by having a "proxy" that washes the traffic and tunnels back and forth only "good" packets.
07:56 < dazo> aha ... now it is a little bit clearer
07:56 < dazo> so you will have a proxy server, being public somewhere else, which you want to contact your own web server?
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:56 < kungfupanda> Yes.
07:56 < kungfupanda> Exactly.
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
07:57 < dazo> And this proxy server is remote, and you have your web server locally?
07:57 < kungfupanda> Yes.
07:57 < dazo> Now, things are clearer :)
07:57 < kungfupanda> Good! :)
07:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:57 < kungfupanda> Unfortunately, it costs a fortune from misc. companies.
07:58 < dazo> first of all ... the proxy server will need to have its own SSL certificates for providing https traffic to your encrypted traffic in the public
07:58 < kungfupanda> Why is that, if every bit of data goes through me?
07:58 < kungfupanda> Won't the people see their server as mine?
07:58 < dazo> You can simply divide this into two parts ... you have the front/public part of the proxy ... and the backend of the proxy
07:59 < dazo> the frontend of the proxy will be the one receiving all http/https requests and answering them as a normal web server does
07:59 < kungfupanda> Well, of course.
07:59 < dazo> the backend of the proxy will act as a client towards your webserver
08:00 < dazo> which means that the proxy will break the end-to-end encryption between the browser and your web server
08:00 < kungfupanda> If it's a tunnel, it won't communicate with Apache... but with my server on some special tunnel port...
08:00 < dazo> aha, I thought you wanted to have a proxy server which browsers hit first
08:01 < kungfupanda> Nope.
08:01 < kungfupanda> 100% transparent.
08:01 < kungfupanda> A dumb A <-> B tunnel except they have some sort of firewall which drops (most) bad packets.
08:01 < dazo> okey, you just want a redirect from another IP address to your own network
08:01 < kungfupanda> So they never see the "secret" server (because then they would DDoS it directly).
08:01 < dazo> but this will not provide any better DDoS protection ...
08:02 < kungfupanda> It will if they do sort out the identified bad packets.
08:02 < kungfupanda> Which I cannot do technically because my pipe is too narrow.
08:02 < dazo> because if they then do a new host lookup and find the new IP address of your webserver, they will hit that one ... and you will just get the attack via the VPN instead, or not?
08:03 < kungfupanda> What are you talking about?
08:03 < kungfupanda> The domain name points to their IP address.
08:03 < kungfupanda> Not mine.
08:03 < kungfupanda> And that box communicates with my box via OpenVPN...
08:03 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
08:03 < kungfupanda> So nobody ever sees it.
08:04 < mRCUTEO> hey hey :D
08:04 < dazo> exactly ... and since you want it transparent, the traffic will go from that site from the public Internet and into the VPN and then hit your web server again
08:04 < kungfupanda> Not sure what your point is...
08:05 < dazo> Okay ... say that www.example.com is the hostname of your web server
08:06 < kungfupanda> It has no hostname...
08:06 < dazo> www.example.com has for example 1.1.1.1 as IP address today
08:06 < kungfupanda> Only an IP address.
08:06 < kungfupanda> Well, it has right now.
08:06 < kungfupanda> But it won't have.
08:06 < kungfupanda> And if it has a hostname, it will be non-public.
08:07 < dazo> how will people surf your web server then? Are you distributing an IP address to all those you want to see your contents?
08:07 < kungfupanda> WTF?!
08:07 < kungfupanda> The domain name points to the IP address by the person/company that hosts the proxy.
08:07 < kungfupanda> It washes the traffic.
08:07 < kungfupanda> Sends it back and forth between my server in a tunnel.
08:07 < kungfupanda> What is unclear about this set-up?
08:08 < dazo> because already here, you have a proxy server, which you said you didn't have ....
08:08 < kungfupanda> No... that's the imagined setup...
08:08 < kungfupanda> That I am talking about.
08:08 < kungfupanda> Right now, it's just a Web server directly. Which is down due to DDoS.
08:09 < dazo> Exactly ... let's start from this point, shall we?
08:09 < kungfupanda> Okay?
08:10 < dazo> and your webserver has a hostname (hostname + domainname ... whereas 'www' is a hostname + domain name, f.ex. 'example.com' => www.example.com) ... or am I wrong now?
08:10 < kungfupanda> No, you're not wrong.
08:10 < dazo> good
08:10 < kungfupanda> I just don't see the point of talking about this current, bad setup.
08:11 < dazo> Because I want to get things clear the whole way through ... I've lost you several times already ...
08:12 * dazo is thinking
08:13 < dazo> okey ... your hostname will point at your new proxy server ...
08:13 < kungfupanda> Yes...
08:14 < dazo> you will, correctly assumed, need to establish a VPN between the proxy and your web server .... but to make things work, the proxy then needs to route the traffic via the VPN tunnel
08:14 < kungfupanda> I don't see what else it would do.
08:14 < dazo> this routing will need to be done on the proxy server
08:14 < kungfupanda> Since it's a proxy.
08:15 < dazo> but the thing is ... where you put your openvpn server .... will you run that on your web server?
08:15 < dazo> (this will make things a little bit simpler, regarding routing)
08:15 < kungfupanda> The same box runs the OpenVPN server, of course.
08:15 < kungfupanda> It's just one box.
08:16 < kungfupanda> Web server.
08:16 < dazo> very good!
08:16 < kungfupanda> Now with OpenVPN.
08:16 < dazo> yes
08:16 < dazo> perfect
08:16 < kungfupanda> I have never used a tunnel which is why I am asking. I have only used a Web proxy which had many problems.
08:16 < kungfupanda> Such as no encryption, no way to detect HTTPS, etc.
08:16 < dazo> so when openvpn is running on both sides, you will have a VPN IP address, the proxy server will need to use your VPN IP address of your server side, being the web server
08:17 < kungfupanda> I suppose so.
08:17 < dazo> but since you have a proxy server which does in fact do the filtering of DDoS and so on ... this proxy server will do the decryption, and the traffic will again be encrypted from the proxy and to your web server
08:18 < kungfupanda> Why would it do the decryption?
08:18 < kungfupanda> You mean it cannot tell what kind of traffic is SSL traffic?
08:18 < dazo> because the proxy server will answer your queries
08:18 < dazo> Well, I only have experience with mod_proxy in Apache, and this is how that one works
08:19 < kungfupanda> Urgh...
08:19 < dazo> but again, this can also add encryption on the public side (https) on traffic which is not encrypted on the back side (http)
08:19 < kungfupanda> That sounds like a Web proxy.
08:20 < dazo> yeah
08:20 < kungfupanda> Which is what I don't want...
08:22 < dazo> The "proxy" as you call it which you want to use ... I presume it's a company providing this ... is this a public service of this company?
08:23 < kungfupanda> I won't be able to afford it from a big company, so I am asking random people if they can do this for me.
08:23 < dazo> will you provide that box?
08:23 < kungfupanda> ... what?
08:24 < dazo> sorry ... that came out too quickly
08:25 < dazo> you will have a box somewhere which will be the entry point for the traffic .... where the DDoS protection will be .... or how do you imagine this to work?
08:25 < dazo> I'm only interested in knowing about the remote side now ...
08:25 < kungfupanda> Yes! That's the proxy!
08:25 -!- mRCUTEO [n=info@96.9.131.183] has quit []
08:26 < kungfupanda> Which will only be a dumb slave, except for its firewall capabilities.
08:26 < dazo> who will set up that box? who will provide it? you?
08:26 < kungfupanda> If I did it, why would I need to do this?
08:26 < kungfupanda> Somebody else will provide it.
08:26 < kungfupanda> Or a company, but I can't afford it from them.
08:27 < dazo> which means you will need to do quite some configuration in firewall rules on that box to make things as transparent as you want
08:27 < kungfupanda> Eh...
08:27 < kungfupanda> Why?
08:28 < dazo> since you want port forwarding and not a proxy ... this is in Linux (and most probably BSD as well, others may correct me if I'm wrong) done by the kernel .... in Linux iptables' NAT setup
08:29 < kungfupanda> I use FreeBSD.
08:29 < kungfupanda> I get worried when you say "port forwarding".
08:30 -!- lilalinux is now known as LilaMac
08:30 < dazo> so you will need to provide a config file for an openvpn client ... then tell them to redirect all traffic from your new public IP address to the VPN IP address of your openvpn server
08:30 < dazo> well, redirect is the wrong term
08:31 < dazo> you must ask for port forwarding, with NAT from the public IP address to your VPN server side IP on the ports you want to make publicly available from that IP address .... so far, I've understood you need port 80 and port 443
08:32 < dazo> the other solution is to use a web proxy, which you do not want ... but then you will avoid playing with NAT and port forwarding
08:33 < ecrist> kungfupanda: what's wrong with port forwarding on FreeBSD?
08:34 < dazo> ecrist: he will not be in charge of the box which needs to do the port forwarding
08:34 < ecrist> lol
08:34 * ecrist wonders where people come up with these crazy network setups
08:34 < ecrist> and it dawns on me why some websites are so fragile
08:35 < dazo> yep
08:37 < kungfupanda> What?
08:39 < dazo> the more complex the setup is to reach a web server, the more fragile it is .... if one part of the chain fails, the web server is unavailable
08:39 < kungfupanda> This isn't complex...
08:39 < kungfupanda> Or shouldn't be...
08:40 < dazo> it is much more complex than having a box inside a DMZ locally
08:40 < dazo> because here you have a remote site receiving traffic and sending it to your web server via a VPN tunnel ... that is considerably more complex
08:40 < kungfupanda> If I had the fat pipe and firewall, I wouldn't need this.
08:41 < dazo> but why not just setup a firewall in front of your web server? what kind of DDoS attack are you having issues with now?
08:42 < kungfupanda> BECAUSE MY PIPE IS VERY LIMITED AND I DO NOT HAVE A FIREWALL! GAAAAAAH!
08:42 < ecrist> RAAWWR!
08:42 < dazo> but why not just setup a firewall in front of your web server? ... you can set up this one!
08:42 < ecrist> LOUD NOISES
08:43 < dazo> lol
08:43 < kungfupanda> What the hell?
08:43 < dazo> I ask this question, being completely serious!
08:43 < ecrist> kungfupanda: unless you're running a warez site, or something similar, I don't know what sort of DDoS you're expecting.
08:46 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has left ##openvpn []
08:47 < dazo> heh
08:47 < dazo> touche?
08:47 < ecrist> lol
08:47 < dazo> or just too tough a question?
08:47 < ecrist> /mode +b stupid_fuckers@*
08:47 < dazo> heh
08:47 * dazo wasted too much time on this nonsense
08:51 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
08:53 < dazo> hmmmm
08:54 * dazo notices kungfupanda's ID ....
08:55 < dazo> I know bredbandbolaget.se didn't provide less than 100Mbit when they did setups in Norway .... and his "PIPE IS VERY LIMITED" .... oh man! That gotta be a popular blog!
08:57 < ecrist> I've run a moderately used site for over 10 years with no DDoS problems.
08:58 < dazo> I've experienced one DDoS attack since I began working with such things back in 98
08:59 < dazo> and the service which got DDoSed was a payment site ... so that was pretty heavy ... but except for that, it's been smooth :)
08:59 < ecrist> heh, I was the first 768k/768k DSL customer in Minneapolis back in August of 1998 - it was *really* easy for me to DoS dial-up users.
09:00 < ecrist> that was back when a simple ping flood would work
09:00 < reiffert> glad I stopped reading after 3 lines.
09:00 < dazo> heh
09:01 < dazo> reiffert: you didn't lose much .... except for the last 10 lines of entertainment, perhaps :-P
09:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:35 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
09:49 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has joined ##openvpn
09:50 < kungfupanda> Does anyone in here run an ISP or work at one? I would really need somebody for remote DDoS protection through an OpenVPN tunnel for my Web server.
09:52 < ecrist> kungfupanda: are you seriously running into DDoS problems?
09:52 < ecrist> why not get a $5/mo hosted website from godaddy or something?
09:53 < kungfupanda> ...
09:53 < kungfupanda> Quiet, troll.
09:53 < ecrist> fuck off
09:53 < dvl> OpenVPN will not protect you from DDoS.
09:53 < dvl> kungfupanda: well, that's one way to get advice. piss people off.
09:54 -!- mode/##openvpn [+o ecrist] by ChanServ
09:54 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has left ##openvpn []
09:54 < dvl> thank you.
09:54 < dazo> dvl: he wants to have a box beside another network which can take the DDoS traffic ... and filter it ... so that he can sit and enjoy only the "proper" traffic ...
09:54 < dazo> :s/beside/behind/
09:54 -!- mode/##openvpn [+b *!*@*.cust.bredbandsbolaget.se] by ecrist
09:55 -!- mode/##openvpn [-o ecrist] by ecrist
09:55 * dazo makes a note ... don't make ecrist angry .....
09:55 < dvl> dazo: Yep, I understand that bit
09:55 < ecrist> nah, I'm a gentle teddy bear
09:55 < dazo> heh :)
09:56 < ecrist> just remember bears have big fangs. ;)
09:56 < dazo> dvl: well, probably a script kiddie which pissed some other people off .... and it's payback time
09:56 < ecrist> not as if this is the worst room to get a +b for. ~40 users
09:56 < ecrist> not like ##freebsd or #ubuntu
09:57 < dazo> hehe ... true enough :)
09:57 < ecrist> dazo: that's kind of what I was thinking.
09:57 < ecrist> our banlist is short, though
09:59 -!- alami [i=alami@unaffiliated/alami] has quit [Remote closed the connection]
10:19 -!- LilaMac is now known as lilalinux
10:21 -!- lilalinux is now known as LilaMac
11:06 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has joined ##openvpn
11:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:25 -!- dazo is now known as dazoafk
11:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:33 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
11:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
11:50 -!- kwek [n=kwek@155.Red-88-20-89.staticIP.rima-tde.net] has quit ["Ex-Chat"]
11:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:55 < rubydiamond> How to run openvpn daemon
11:55 < rubydiamond> especially on gentoo machine
11:58 < ecrist> rubydiamond: read the howto
11:58 < ecrist> for the 100th time
11:58 < dvl> !howto
11:58 < vpnHelper> dvl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:58 < dvl> rubydiamond: see above line
11:58 < rubydiamond> okie
11:58 < dvl> *pat* *pat*
11:58 < rubydiamond> but .. what is the command to run daemon..
11:58 < rubydiamond> I just wanted that urgently
11:59 < dvl> rubydiamond: No idea
11:59 < rubydiamond> is informing my boss at office
11:59 < dvl> rubydiamond: I'd have to read the howto....
11:59 < rubydiamond> I am at home
11:59 < dvl> rubydiamond: great. I'm at work.
11:59 * dvl waves
11:59 * rubydiamond needs to solve a production issue
12:00 < dvl> Great. Still can't help you. I've never used Gentoo.
12:00 < dvl> On FreeBSD, it's /usr/local/etc/rc.d/openvpn start
12:00 < dvl> or perhaps forcestart depending on how you have /etc/rc.conf configured.
12:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:08 < Keizer> Damn I wish ipsec had an irc channel
12:11 < rubydiamond> Hi people
12:11 < rubydiamond> getting this error
12:11 < rubydiamond> https://gist.github.com/6d021d4b50951babb534
12:11 < vpnHelper> Title: gist: 6d021d4b50951babb534 GitHub (at gist.github.com)
12:13 < rubydiamond> ecrist: do you know what is this error
12:15 < rubydiamond> ecrist: help
12:18 < rubydiamond> can anybody here tell
12:18 < rubydiamond> what is the error https://gist.github.com/6d021d4b50951babb534
12:18 < vpnHelper> Title: gist: 6d021d4b50951babb534 GitHub (at gist.github.com)
12:44 < dvl> I see no error.
12:44 < dvl> I see warnings.
12:45 < rubydiamond> dvl: ?
12:49 < rubydiamond> ecrist: ?
12:49 < rubydiamond> dazoafk: ?
12:50 < rubydiamond> is this channel living?
12:51 < rubydiamond> dvl: ?
12:57 < reiffert> rubydiamond: STOP THIS!
12:57 < rubydiamond> reiffert: i am asking questions for last some days
12:58 < reiffert> no, you are spamming.
12:58 < rubydiamond> this channel is not that much active
12:58 < reiffert> while asking questions try to read the answers.
13:03 < dvl> rubydiamond: there are no errors at that URL. There are warnings. Do you have a question?
13:03 < rubydiamond> dvl: but I am not able to connect..
13:03 < rubydiamond> it keeps in connecting status
13:05 < reiffert> !logs
13:05 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
13:05 < reiffert> !configs
13:05 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:20 < ecrist> ?
13:26 < reiffert> !
13:27 < ecrist> Keizer: I'd try to help you here, but I'm on my way out.
13:28 * ecrist is fairly OK at IPsec on cisco hardware
13:30 -!- LilaMac is now known as LilaLinux
13:41 < Keizer> Sauce
13:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:42 < reiffert> why didnt he give us more details?
13:53 < dvl> reiffert: he sounds newb, quite.
14:06 < krzee> he asked for help days ago
14:06 < krzee> never posted his configs
14:06 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
14:06 < krzee> or his server log
14:06 < krzee> *shrug*
14:10 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Client Quit]
14:11 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
14:14 -!- Determinist [n=lior@unaffiliated/determinist] has left ##openvpn ["Leaving..."]
14:15 -!- ponyofdeath [n=vladi@206-169-1-36.static.twtelecom.net] has quit ["Lost terminal"]
14:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:32 -!- dazo [n=David@r10ln174.net.upc.cz] has joined ##openvpn
14:52 -!- dazo [n=David@r10ln174.net.upc.cz] has quit [Read error: 60 (Operation timed out)]
14:53 -!- dazo [n=David@r10ln174.net.upc.cz] has joined ##openvpn
16:31 < dazo> Does anyone here know how it is with the Posix compliance in openbsd? ... I'm especially interested in Posix Message Queue and Posix Semaphores ...
16:31 -!- chris_hat_irc [n=chris@v1465.vanager.de] has joined ##openvpn
16:34 < chris_hat_irc> hi all. I am trying to use ekiga (sip client for gnome) through my own vpn. When I start the client, I can connect but cannot telephone. I get the following error and they recommend that I do port forwarding (http://wiki.ekiga.org/index.php/Enable_port_forwarding_manually). My question is whether the problem was caused by the vpn and how I can forward these ports? iptables?
16:34 < vpnHelper> Title: Enable port forwarding manually - Ekiga (at wiki.ekiga.org) 16:35 < chris_hat_irc> I configured my vpn as recommended in the official openvpn wiki: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways using TCP 16:36 < vpnHelper> Title: Konfiguration eines Internetgateways - OpenVPN Wiki (at wiki.openvpn.eu) 16:36 * dazo notices he was on the wrong open* channel ..... 16:37 < chris_hat_irc> ah sry, not the official openvpn wiki, but here you find my configuration 16:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:21 -!- chris_hat_irc [n=chris@v1465.vanager.de] has quit [Read error: 113 (No route to host)] 17:57 -!- zzattack [i=zzattack@v217153.vpn.tue.nl] has joined ##openvpn 18:11 < zzattack> i'm trying to find out if it's really necessary to change my entire network to use a different ip range, both locations i plan on working from work on a 192.168.1.0/24 range, will this definitely result in problems? 18:17 -!- zzattack [i=zzattack@v217153.vpn.tue.nl] has quit [Nick collision from services.] 18:17 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn 18:17 -!- dazo [n=David@r10ln174.net.upc.cz] has quit ["Leaving"] 18:35 < krzee> zzattack, yes and no 18:35 < krzee> theres another way, but its NOT the right way 18:36 < krzee> its setting up an ugly NAT 18:37 < krzee> just change the netblock 18:43 -!- LilaLinux is now known as lilalinux 18:43 < zzattack> can you tell me more about this ugly way? 18:44 < zzattack> it's quite a hassle changing the netblock 18:56 -!- worch [n=worch@battletoad.com] has joined ##openvpn 19:09 < dvl> zzattack: how many hosts in each location? 19:10 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 19:10 < zzattack> about 15 19:10 < worch> I want to connect a couple LANs together with openvpn such that from any lan I'm able to access any other device via its hostname. How should I go about this? Can this be done without using ethernet bridging?
The only way I see how to do this is to bridge everything to create a single ethernet, and then have a single DHCP and DNS server. Is it possible to do this with routing? 19:12 < worch> If the vpn uses routing, can the hostname to ip mappings be pushed to other lans somehow? 19:12 < worch> to the lans' dns servers, that is 19:16 < dvl> zzattack: do the ip addresses collide? 19:16 < dvl> distinct? 19:18 < Tykling> worch if you decide on an internal dns structure like host1.site1.mylan.local etc. then you make a fully routed vpn and setup dns servers on each lan to slave the others' zones 19:19 < dvl> Tykling: that sounds relatively simple. 19:19 < Tykling> it is 19:19 < dvl> I mean, even *I* understood it. 19:21 < Tykling> I am using it with five mates to setup a vpn between all of us, works like a charm 19:22 -!- ropetin_ is now known as ropetin 19:23 < dvl> Tykling: so everyone trusts everyone I take it? 19:23 < Tykling> yes, all personal friends :) 19:24 < Tykling> a few of us with fat links at home so we can stream movies from each other and so on, very cool 19:24 < dvl> My use of OpenVPN stemmed from frustration with a dynamic IP address. I have servers out there which I need to check on (nagios, etc) and having my address at home change periodically made that and things like backups more difficult. The VPN solves all that. 19:25 < Tykling> right, clever 19:25 < dvl> And here, at the GFs, I have complete access to all the boxes at home, directly, with ssh gateway, ssh next box, etc. 19:28 < Tykling> :) 19:32 < dvl> I no longer have to run stunnel. Don't have to update my firewall rules on three servers for any IP address change at home. 19:35 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 110 (Connection timed out)] 19:43 < worch> what dns daemons do you guys use or recommend to set up the dns structure as you mentioned, Tykling? I haven't had any experience setting up a dns server outside of basic stuff on cheap routers.
19:43 < dvl> worch: I use bind 19:44 < Tykling> I use bind 19:44 < Tykling> :) 19:44 < worch> thanks :] 20:18 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 20:24 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 20:41 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has quit ["Client exiting"] 20:47 < tjz> anyone around 22:30 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 22:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit] 23:34 -!- Ricoshady [n=steve@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 23:35 < tjz> anyone tried running multiple instances of openvpn, each with a unique public ip, on the same server? --- Day changed Sat Jan 10 2009 00:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has left ##openvpn ["Leaving..."] 00:14 -!- Ricoshady [n=steve@cpe-76-171-208-102.socal.res.rr.com] has quit [] 00:31 < simplechat> tjz, i'm sure somebody has 00:32 < tjz> need to find out how it goes 00:51 < reiffert> !local 00:51 < vpnHelper> reiffert: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 00:51 < reiffert> forget that 00:52 < reiffert> --local host 00:53 < reiffert> Local host name or IP address for bind. If specified, OpenVPN 00:53 < reiffert> will bind to this address only. If unspecified, OpenVPN will 00:53 < reiffert> bind to all interfaces. 00:55 < tjz> cool 00:56 < tjz> is that set up in server.conf ? 00:56 < reiffert> Yes. 00:57 < tjz> hmm 00:58 < tjz> is this it? 00:58 < tjz> # Which local IP address should OpenVPN 00:58 < tjz> # listen on? (optional) 01:02 < reiffert> I see 2 lines of comments, so I guess not. 01:02 < tjz> and..
01:02 < tjz> ;local a.b.c.d 01:03 < reiffert> Looks more like it 01:03 < tjz> cool 01:10 < ecrist> grr 01:10 < ecrist> what do I need to change Fn+Down-arrow to to equal pg-down 01:10 * ecrist is too lazy to pull out his own machine, where it's all re-mapped 01:10 < tjz> sounds complicated .. 01:10 < tjz> lol 01:11 < ecrist> naw 01:11 < ecrist> just can't remember 01:11 < ecrist> ok, got it 01:12 < ecrist> got it 01:13 < ecrist> page-up should be mapped to [esc]5~ and page-down should be [esc]6~ ([esc] shows up as \033) 01:13 * ecrist puts it in the SCN wiki 01:13 < reiffert> ecrist: within X apps, Console, xterm ... where? 01:15 < ecrist> Terminal.app 01:15 < ecrist> 10.5 Terminal.app > iTerm 01:16 < reiffert> well, fn+up/down arrows is page up/down by default for me 01:16 < ecrist> 10.[1234] Terminal.app < * 01:16 < tjz> reiffert: doesn't work. it still shows the server public ip 01:16 < tjz> not the other unique IP i assigned in the server.conf file 01:16 < reiffert> !configs 01:16 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:16 < ecrist> hrm, no, not in irssi and some other Terminal apps. 01:17 < ecrist> I guess, not as transmitted across an ssh session. 01:17 < reiffert> ecrist: then it's shift+fn + up/down 01:17 < reiffert> ecrist: that has nothing to do with ssh but with terminal settings :) 01:17 < reiffert> terminal as in tty 01:20 < ecrist> reiffert: the shift+fn+up/down does work, that shouldn't really be the way it works 01:21 < ecrist> adding shift to the key combo is too much, imho. 01:21 < ecrist> my powerbook G4 shows up/down as secondary pg_up/pg_dwn, so I map things accordingly. 01:21 < ecrist> only makes sense.
01:22 < ecrist> if you have use, http://www.secure-computing.net/wiki/index.php/Mac_OS_X --feel free to add things my retarded ass could use. ;) 01:22 < vpnHelper> Title: Mac OS X - Secure Computing Wiki (at www.secure-computing.net) 01:25 < ecrist> tjz: what're you having problems with tonight? 01:26 < reiffert> Going to help a girl setting up the kitchen, bbl 01:26 < ecrist> l8r reiffert 01:43 * ecrist gloats 01:44 < ecrist> I like seeing folks like McGraw-Hill use my website as a reference. 01:44 < ecrist> I think i've probably got one of the most complete OpenLDAP authentication HowTos on the Net. 01:52 < ecrist> ping krzee 01:53 < ecrist> can you email me information for the folks who are building various linux packages for ssl-admin? 01:53 < ecrist> it's about time I make the package a bit more official and create a real page for it and market it as such. 02:07 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)] 02:18 -!- lilalinux is now known as LilaLinux 02:23 < tjz> ecrist:.. 02:23 < tjz> have you tried running multiple instances of openvpn, each with a unique public ip, on the same server? 03:50 < tjz> anyone tried running multiple instances of openvpn, each with a unique public ip, on the same server? 03:54 < ecrist> tjz: yes 03:54 < ecrist> and it works fine. 03:55 < tjz> hmmm 03:55 < tjz> care to guide me.. 03:55 < tjz> what extra steps to configure.. 03:56 < ecrist> well, I'd need to know what you have/haven't done 03:57 < tjz> i got a working openvpn 03:57 < tjz> now...trying to setup another instance of openvpn having its own unique public IP 03:57 < tjz> :) 03:57 < ecrist> ok 03:58 < tjz> wonder how to configure the 2nd instance to use the new unique public IP 03:59 < ecrist> need to know if the current is grabbing all addresses (*.*) or specific? 04:00 < tjz> hmmm... 04:00 < tjz> current one is grabbing all addresses 04:00 < ecrist> first, fix that 04:01 < tjz> ok..
04:01 < tjz> how do we configure the 1st instance to use a specific ip? 04:01 < tjz> is it under "local a.b.c.d" 04:01 < ecrist> yes 04:02 < ecrist> and that's all you need for the second, as well (aside from certificates/etc) 04:03 < tjz> i actually did an experiment 04:05 < tjz> a.b.c.d is my public IP.. 1.2.3.4 is the secondary IP that i recently added to the server.. 04:05 < tjz> i tried configuring my 1st instance to use the secondary IP.. 04:05 < tjz> local 1.2.3.4 04:06 < ecrist> ok... 04:07 < tjz> when i connected to my openvpn.. 04:07 < tjz> my public IP showed up as a.b.c.d 04:07 < ecrist> that's different. 04:08 < tjz> any idea what i did wrong? 04:08 < ecrist> when you connect to OpenVPN, any connection from that machine out to the internet will show the IP of the primary interface. You can change this using policy-based routing, through iptables/pf/etc. 04:08 < tjz> ok.. 04:08 < ecrist> lemme draw a diagram 04:09 < tjz> we don't have to setup "local" after all... 04:09 < ecrist> um, for different instances of openvpn, you do. 04:10 < tjz> i think we can just change the udp port for different instances.. 04:14 < ecrist> that's another option... 04:15 < ecrist> my example was http://skitch.com/ecrist/by2pq/untitled 04:15 < vpnHelper> Title: Skitch.com > ecrist > Untitled (at skitch.com) 04:16 < ecrist> in that, although there are three IPs to the internet, only the default will really be used, unless a source address is explicitly used, or policy-based routing is used. 04:33 < tjz> wow 04:33 < tjz> did you draw that ? 04:33 < ecrist> yes - OmniGraffle Pro FTW 04:34 < tjz> OMG!!! 04:34 < tjz> very nicely drawn 04:34 < ecrist> if by draw you mean drag/drop. ;) 04:34 < tjz> LOL 04:34 < tjz> so easy? 04:34 < tjz> lol 04:34 < ecrist> yeah 04:34 < ecrist> you can download a trial 04:35 < ecrist> like $199 for Pro version. 04:35 < ecrist> I've got 1 or 2 versions old at this point. 04:36 < tjz> ok 04:36 < tjz> about your drawing..
04:36 < tjz> the route starts from "client" 04:36 < tjz> right? 04:36 < tjz> or from "internet"? 04:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:37 < ecrist> well, client connects to firewall via OpenVPN - gets private/vpn IP address. 04:37 < ecrist> NAT on firewall applies IP address to private IP on outgoing connections. 04:37 < ecrist> by default, vpn client will get default IP address. 04:37 < ecrist> *but* that can be fixed with proper rules on firewall 04:38 < tjz> ah 04:38 < tjz> yayyyayaya 04:38 < tjz> is that the correct way to distribute the ip.. 04:38 < ecrist> yes 04:40 < tjz> ok.. 04:40 < tjz> do you know how? 04:40 < tjz> hehe 04:41 < ecrist> of course 04:41 < tjz> OmniGraffle Pro is for mac.. 04:41 < tjz> x_x 04:41 < ecrist> and I'm willing to point you in the right direction so you can learn how 04:41 < ecrist> yep 04:41 < ecrist> Mac, FTW 04:41 < tjz> <-- win xp 04:41 < tjz> same as jeff 04:41 < tjz> jeff is using mac too 04:41 < ecrist> yep 04:41 < tjz> x_x 04:41 < tjz> two mac fans here 04:41 < tjz> hehehe 04:41 < ecrist> I don't even have a system I own using windows 04:42 < ecrist> 100% of work/home machines are Mac (5%) and FreeBSD (95%) 04:42 < ecrist> Mac = pretty FreeBSD 04:42 < ecrist> ;) 04:42 < tjz> lol 04:44 < tjz> teach me how to route using iptables.. 04:44 < tjz> x_x 04:46 < ecrist> can't do that, unfortunately. not a linux guy 04:46 < tjz> lol 04:47 < ecrist> switch to FreeBSD and I can work circles. I've never even seen a man page for iptables. 04:49 < tjz> lol 04:49 < tjz> x_x 04:49 < tjz> i'm gonna have a quick dinner 04:49 < tjz> brb 04:50 < ecrist> I'm gonna have a quick night of sleep. 04:50 < ecrist> g'night.
04:50 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 04:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:06 < tjz> nite ecrist 05:23 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 05:24 < mRCUTEO> hiya all 05:24 < mRCUTEO> hiya krzee :D 05:25 < tjz> yoooooooooooooooooooooooooooo 05:25 < tjz> LOL 05:25 < mRCUTEO> y0 tjz 05:25 < mRCUTEO> howya doin dude :D 05:25 < mRCUTEO> happy new ya man 05:26 < tjz> hehe 05:26 < tjz> happy new year 05:27 < mRCUTEO> :D 05:27 < tjz> Have you run two instances of openvpn on the same server (each with its own public IP) before? 05:27 < mRCUTEO> yes thousands of times :) 05:27 < mRCUTEO> i play with NATs too 05:27 < mRCUTEO> :D 05:28 < mRCUTEO> i even run multiple clients in 1 server 05:28 < mRCUTEO> openvpn = everything possible :D 05:28 < mRCUTEO> thats why i like openvpn more than PPTP 05:28 < mRCUTEO> :D 05:28 < tjz> wa 05:28 < tjz> power 05:29 < tjz> how to configure each openvpn instance to use a specific IP? 05:29 < mRCUTEO> the client or server? 05:29 < tjz> the server 05:29 < tjz> two instances of openvpn with their own unique public IP 05:30 < mRCUTEO> yerp 05:30 < mRCUTEO> you have to compile it in a different folder 05:31 < mRCUTEO> and set the local IP to be a different one 05:31 < mRCUTEO> you can also use SNAT at the iptables 05:31 < tjz> i tried using the "local a.b.c.d" 05:31 < tjz> a.b.c.d is the secondary ip 05:32 < tjz> but it still shows the primary server ip.. 05:32 < mRCUTEO> do you have two different folders compiled? 05:32 < tjz> hmm 05:32 < tjz> i actually did an experiment 05:32 < mRCUTEO> do you have two different folders compiled? eth0:2 ? 05:32 < tjz> hmm 05:32 < tjz> where to include the eth0:2..
05:32 < mRCUTEO> if you run it from the same folder then you have to SNAT 05:33 < tjz> the secondary ip is using eth0:2 05:33 < tjz> from what i see 05:33 < mRCUTEO> create a new tap 05:33 < mRCUTEO> dev tap2 05:33 < mRCUTEO> set to config --: dev tap2 05:33 < tjz> ok 05:33 < mRCUTEO> and then set NAT to SNAT the tap local ip to a unique public IP 05:34 < mRCUTEO> iptables -t nat -A POSTROUTING -s -j SNAT --to-source 05:34 < mRCUTEO> save firewall and restart 05:34 < mRCUTEO> you're done :) 05:35 < mRCUTEO> and dont forget to run another instance from the same folder too :D 05:35 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn 05:35 < mRCUTEO> but i preferred to create another folder so it doesnt get mixed up.. 05:35 < tjz> ya 05:35 < tjz> i want to create another folder.. 05:35 < mRCUTEO> and dont forget to run another instance from the same folder too :D (must have 2 different config files) 05:35 < tjz> not so confusing 05:35 < mRCUTEO> or for convenience use 2 different server config files 05:36 < mRCUTEO> create server.conf and server2.conf 05:36 < mRCUTEO> one set to: dev tap 05:36 < error404notfound> I have openvpn configured on one machine and I copied the same config to another to get it on vpn as well. But the buddy who owns the server said that its not a good approach, at least I should change the key on the second client. any idea what that is ? :p 05:36 < mRCUTEO> and 2nd server set to: dev tap2 05:36 < tjz> i think it is better to create another folder 05:36 < tjz> won't get confused.. 05:37 < mRCUTEO> okie tjz :) 05:37 < tjz> x_x 05:37 < tjz> hehe 05:37 < tjz> do we still need iptables -t nat -A POSTROUTING -s -j SNAT --to-source ? 05:37 < mRCUTEO> error404notfound it doesnt make any difference actually .. the same key is copied to the new machine with the same security 05:38 < mRCUTEO> yes tjz 05:38 < mRCUTEO> the new server will be using tap2 05:38 < tjz> ok..
05:38 < tjz> i will try 05:38 < mRCUTEO> so you have to configure an IP for tap2 05:38 < tjz> err 05:38 < mRCUTEO> and then use SNAT to source it to the public ip 05:38 < error404notfound> mRCUTEO: so what do I change regarding certificates so that nothing needs to be changed on the server and both clients work? coz right now vpn works on only one client... 05:39 < tjz> how to configure an Ip for tap2? 05:39 < mRCUTEO> tjz: server 10.8.0.0 255.255.255.0 05:40 < tjz> ohh 05:40 < tjz> you mean configure the lan ip.. 05:40 < tjz> hehe 05:40 < mRCUTEO> ah yes the key 05:40 < tjz> ok, let me try 05:40 < mRCUTEO> error404notfound: you need to create a new key if you change client 05:41 < error404notfound> mRCUTEO: hmmm, is this available on the openvpn howto? 05:41 < tjz> talking about the key.. how to stop the previous client from using your openvpn again? 05:41 < mRCUTEO> tjz: try to kill it :) 05:42 < tjz> let's say we are using "client1".. , we go to re-generate a new ca for "client1"? 05:42 < mRCUTEO> tjz: since its using a new dev tap2 it will not interfere with the other client 05:42 < tjz> on the server side.. 05:42 < mRCUTEO> ic 05:42 < mRCUTEO> yes u may generate or just use the same ca.. from my experience it works both ways 05:43 < tjz> ok 05:43 < tjz> i will try also 05:43 < tjz> hehe 05:43 < mRCUTEO> :D 05:45 < mRCUTEO> error404notfound: try build-key csr file from the NEW client, upload it to the server .. build a key again in the server and get the .crt file and .ca from the server and copy it to your client. 05:45 < mRCUTEO> configure your .conf according to the created key and crt file..
05:46 < mRCUTEO> im sure there is a howto on the website 05:46 < error404notfound> mRCUTEO: if you could provide me a link I would be really grateful, I don't know this black magic stuff :P 05:46 < mRCUTEO> hold on let me google a little 05:46 < mRCUTEO> :) 05:47 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn [] 05:47 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 05:49 < mRCUTEO> error404notfound: http://www.throx.net/2008/04/13/openvpn-and-centos-5-installation-and-configuration-guide/ 05:49 < vpnHelper> Title: OpenVPN and CentOS 5 Installation and Configuration Guide | Throx Blog (at www.throx.net) 05:49 < mRCUTEO> :) 05:49 < mRCUTEO> hope this helps 05:49 < mRCUTEO> where u from error404notfound? 05:49 < tjz> .pk is from pakistan? 05:49 < error404notfound> mRCUTEO: thaaaaaaaaaaanks :D 05:50 < error404notfound> tjz: yup 05:50 < error404notfound> mRCUTEO: as tjz said... 05:50 < mRCUTEO> ic :) 05:50 < tjz> ^_^ 05:50 < error404notfound> tjz knows /whois :P 05:51 < mRCUTEO> hehe haha huhu :D 05:51 < tjz> LOL 05:52 < error404notfound> okay guys, thanks, I will be doing some reading then... 05:52 < mRCUTEO> okay dokay enjoy reading 05:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 05:58 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn [] 05:58 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 06:00 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl, tjz 06:00 -!- Netsplit over, joins: tjz, dvl, smk 06:01 < tjz> my a$$ got split 06:02 < tjz> LOL 06:02 < mRCUTEO> haha 06:02 < tjz> if i set: server 10.8.0.0 255.255.255.0 06:02 < tjz> i will get a random lan IP for my openvpn.. 06:02 < tjz> am i right?
06:02 < mRCUTEO> yerp 06:03 < mRCUTEO> use a /29 06:03 < mRCUTEO> oops 06:03 < mRCUTEO> use /24 on the SNAT 06:03 < mRCUTEO> so it will source all the /24 IPs to the public IP 06:04 < mRCUTEO> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 64.235.47.2 06:04 < mRCUTEO> something like this 06:04 < mRCUTEO> and 1st openvpn ip 10.8.0.0 255.255.255.0 06:04 < tjz> ok 06:04 < mRCUTEO> and 2nd openvpn ip 10.9.0.0 255.255.255.0 06:04 < mRCUTEO> iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j SNAT --to-source 64.235.47.3 06:04 < mRCUTEO> something like this 06:04 < tjz> ok 06:04 < tjz> got it 06:04 < mRCUTEO> :D 06:04 < tjz> i will try now 06:06 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn [] 06:06 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 06:22 < tjz> mRCUTEO : do you know what the command is to flush all the iptables rules? 06:23 < mRCUTEO> yerp 06:23 < mRCUTEO> iptables -t filter -F; iptables -t nat -F; iptables -t mangle -F 06:25 < tjz> thx 06:26 < tjz> hmm 06:26 < tjz> do you know what the reason for this problem is? 06:26 < tjz> read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 06:27 < mRCUTEO> hmm maybe port collision 06:27 < mRCUTEO> not sure 06:27 < mRCUTEO> its from the server? 06:27 < tjz> ah 06:27 < tjz> i found out 06:27 < mRCUTEO> whats the prob?
06:32 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn [] 06:32 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 06:39 -!- mRCUTEO [n=info@96.9.131.183] has quit [] 06:41 -!- LilaLinux is now known as lilalinux 06:46 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit [Connection timed out] 06:48 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn 07:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:21 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 08:28 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 08:29 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 08:32 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit [Read error: 131 (Connection reset by peer)] 08:36 -!- lilalinux is now known as LilaLinux 08:43 -!- mode/##openvpn [-r] by ChanServ 09:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 10:11 -!- bootlaces [n=david@83.228.22.19] has joined ##openvpn 10:13 * bootlaces humbly asks for some help to do with routing, I'm trying to sort it out, but need some last bits of the puzzle 10:13 < bootlaces> I've read the FAQs (as far as I can understand), but still can't seem to ping into the network I'm joining via the vpn 10:14 < bootlaces> If someone can spare some moments to help, I would appreciate it. 10:17 < krzee> !route 10:17 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 10:17 < krzee> check that out, should answer any questions about joining LANs 10:18 * bootlaces thanks krzee from the bottom of his cockles :) 10:18 < krzee> hehe np 10:19 < ecrist> I gave my wife something this morning from the bottom of my cockles... 
10:20 < krzee> how is the wifey 10:21 < ecrist> doing great - starting to get out of the whole morning-sickness thing 10:21 < krzee> nice 10:23 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 10:24 < bootlaces> Hmm, still no joy. 10:25 < bootlaces> Can I paste in my routes from the client and server and the server.conf to pastebin for someone to have a look? 10:25 < krzee> !configs 10:25 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:25 < krzee> !logs 10:25 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 10:26 < krzee> disclaimer, if the answer is clearly spelled in !route i may simply just say that 10:26 < krzee> cause people often skim over it instead of reading to understand 10:40 < bootlaces> Okay, I've done it : http://www.pastebin.ca/1305195 10:40 < bootlaces> If I've omitted anything, please do say 10:41 < bootlaces> and yes, if I've missed it from !route, then please do just say that and I'll scratch my "cockles" for some more :) 10:42 < krzee> ahh 10:42 < krzee> your problem is they are on the same network 10:42 < krzee> both on 192.168.1.X 10:42 < krzee> one side must be changes 10:42 < krzee> changed 10:42 < bootlaces> which "they" are on the same network? 10:42 < bootlaces> the openvpn box and the rest of the network? 10:43 < bootlaces> (not the client, surely (don't call me surely...))? 10:43 < krzee> server and client are using ips on same networks 10:43 < krzee> as in, both use 192.168.1.x locally 10:43 -!- AndyML is now known as AwayML 10:43 < krzee> right? 
10:43 < bootlaces> looking and thinking 10:44 < krzee> oh sorry, im wrong there 10:44 < bootlaces> How come the client has an ip address of 172....x 10:44 < krzee> 1 Client on subnet 172.16.167.0/24 (ubuntu 8.10 - all patched up) 10:44 < krzee> 10:44 < krzee> 1 Server on subnet 192.168.1.0/24 (ubuntu 8.10 - all patched up) 10:44 < krzee> i missed that 10:44 < krzee> hehe 10:44 < bootlaces> *phew* :) 10:45 < bootlaces> If I look at the client route when vpn'ed 10:45 < krzee> ohh 10:45 < krzee> is the server the router for its network? 10:45 < bootlaces> it seems to tell me that all traffic for 192.168.1.x goes to 10.0.0.5 10:45 < bootlaces> no, the server is just a box on a network 10:45 < bootlaces> the router is an adsl router 10:46 < krzee> see the bottom of !route 10:46 < krzee> below the picture 10:46 < bootlaces> looking 10:46 < bootlaces> reading 10:49 < bootlaces> Don't follow. The openvpn server has an ip of 192.168.1.2, the df gw is 192.168.1.1 (the adsl router). The openvpn isn't on any other subnet (192.168.2.x) so, surely the openvpn server should "know" about other 192.168.1.x machines on its work? 10:50 < bootlaces> In the example below the picture, the server is on a different subnet 10:51 < bootlaces> s/work/network 10:53 < krzee> umm 10:53 < krzee> in both examples the server is on lan 192.168.2.x 10:53 < krzee> it is .2.10 in bottom 10:53 < krzee> anyways 10:53 < krzee> do you want a lan behind client, or just client to connect to server lan? 10:54 < bootlaces> just want my client to connect into the remote lan and see all the machines in there. 10:55 < krzee> then the remote lan must have a route to the VPN network 10:55 < krzee> easiest added to the router if supported 10:55 < bootlaces> ah, are you saying the remote lan (the 192.168.1.x) must be able to route back to 10.0.0.x? 
10:56 < krzee> yes 10:56 < bootlaces> I see 10:56 < bootlaces> yes, that makes sense now 10:56 < krzee> for the reason explained at bottom of !route 10:57 < bootlaces> Can't do it in the router, so will have to use iroute on the openvpn server to do this? 10:58 < krzee> you totally did not read !route 10:58 < krzee> !iroute 10:58 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 10:58 < bootlaces> You are right, I skimmed over it 10:58 < bootlaces> I should pay more attention in future 10:58 < bootlaces> You are right to chastise me 10:58 < krzee> why do people always do that!? 10:58 < krzee> you arent alone 10:58 < bootlaces> laziness 10:59 < krzee> most people skim it then ask the questions that it explained 10:59 < bootlaces> people (including myself) are inherently lazy 10:59 < krzee> you dont realize that to understand something is MUCH lazier than asking every time you need to do something? 11:00 < bootlaces> Part of human nature I think. Perhaps we like to ask a real person from time to time rather than reading a technical document. Sometimes we can arrive at an answer quicker 11:00 < krzee> not in the long run 11:00 < bootlaces> (unless you are some type of AI) :) 11:00 < bootlaces> Well, I do *appreciate* your effort and I'm very sorry for upsetting you.
It must be very frustrating for you 11:00 < krzee> and you will find that in most help channels, when you are pointed to a doc with your answer, and you fail to read it, that you will have a hard time getting further help 11:01 < krzee> im not upset 11:01 < krzee> and you're welcome =] 11:01 < krzee> here on the internet we do prefer to help those who are willing to help themselves tho 11:01 < krzee> im always willing to just set stuff up for people, but i would have to charge for that 11:03 < bootlaces> Naturally 11:03 < bootlaces> Time is a precious commodity 11:03 < bootlaces> and you have wasters like me taking your time 11:03 < krzee> haha no worries man 11:03 < krzee> where are you from? i like how you talk 11:04 < bootlaces> I'm from a lot of places. I've been coloured by my adventures in life. I wouldn't like to say I'm from "one" place, for that is very limiting. 11:05 < bootlaces> I'm a person of the world if you like. 11:05 < krzee> right on 11:05 < krzee> anyways 11:05 < krzee> you asked for the alternative way 11:06 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 11:06 < krzee> no its not iroute 11:06 < krzee> its the 2nd to last line in !route 11:06 < bootlaces> krzee, I'll try to figure the rest out now - for it's better to waste my time than yours :) I'll let you know (eventually) when I figure it out 11:06 < krzee> when you read docs, think about how long they took to write 11:06 < troy-> how long will an openvpn client retry connection for? 11:07 < krzee> troy-, forever unless you tell it otherwise 11:07 < bootlaces> Your time + the cumulative time of those who have come before you.
11:07 < troy-> krzee, i wish it was still trying :/ 11:07 < troy-> gotz no packets on interface tun0 11:07 < krzee> the time spent reading docs is NOTHING compared to the time spent writing them 11:08 < krzee> packets dont happen on tun0 till a connection is made 11:08 * bootlaces has been suitably slapped on the wrists (but bring more on if you want) and will now go into the corner and sob quietly 11:08 < bootlaces> *sob *sob *sob 11:09 < krzee> lol 11:09 < krzee> troy-, 11:09 < krzee> !configs 11:09 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:09 < krzee> !logs 11:09 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 11:10 < troy-> krzee, i cant access the client, its behind nat 11:10 < troy-> there is nothing wrong with the running-config 11:10 < krzee> welp, this isnt the right time to ask for help then 11:10 < troy-> yeah.. i need someone to console it and reinitialize 11:23 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn 11:29 < bootlaces> In the router, I can define static routes. I've put this in: (destination ip) 10.0.0.0 (netmask) 255.0.0.0 (gateway ip) 192.168.1.2 [<-- ip of the openvpn server] and lastly 0 (metric) 11:30 < bootlaces> so, I'm telling my adsl router that if it gets an ip request from 10.0.0.0/8, it should pass them to 192.168.1.2 11:30 < bootlaces> sounds about route?
11:30 < bootlaces> tee hee (right) 11:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:37 < krzee> you need to tell your router: 11:38 < krzee> that if it gets a request FOR 10.0.0.0 255.255.255.0 11:38 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit ["I want to sleep."] 11:38 < krzee> (no reason for /8, your vpn is only /24) 11:38 < krzee> to pass it to .1.2 (like you said) 11:39 < krzee> main difference being, you said from, but hopefully meant for 11:39 < krzee> since its its truely from, you should just let the packets go to their destination 11:40 < krzee> if its 12:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 12:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:11 -!- bmolloy [n=bmolloy@cpe-70-115-198-13.satx.res.rr.com] has joined ##openvpn 13:12 < bmolloy> Hey guys, 13:12 < bmolloy> Has anyone seen a problem with the ovpn service crashing on xp pro due to msvcrt.dll? 
13:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:51 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl 13:52 -!- Netsplit over, joins: dvl, smk 14:02 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 14:07 -!- bootlaces [n=david@83.228.22.19] has quit [] 14:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:26 -!- Keizer [n=keizer@216.45.246.60] has quit [Read error: 110 (Connection timed out)] 15:38 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 16:06 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 16:17 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has joined ##openvpn 16:17 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has left ##openvpn [] 16:17 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 16:17 -!- smerz_ [n=daniel@smerz.demon.nl] has joined ##openvpn 16:18 -!- smerz_ [n=daniel@smerz.demon.nl] has quit [Client Quit] 16:29 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 16:43 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 104 (Connection reset by peer)] 17:04 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 17:34 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 17:49 -!- AwayML is now known as AndyML 19:21 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 19:26 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection] 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has left ##openvpn ["openvpn"] 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 19:42 < sauce> hey everyone, can anyone point me in the right direction on traffic shaping vpn traffic ? 
19:43 < sauce> err, shaping vpn traffic sounds better 19:43 -!- sauce is now known as samoshit 19:48 < dvl> I would shape the traffic using third party tools, not OpenVPN. 20:15 -!- Solarbaby [n=solarbab@adsl-69-225-143-100.dsl.irvnca.pacbell.net] has joined ##openvpn 20:20 < Solarbaby> yet again I think im over my head here on some configuration settings.. so heres the question.. On a Linksys Router i was able to use a configuration window called Advanced Routing, which let me enter my OpenVPN destination LAN IP, Sub Mask, Default Gateway.. it has something to do with using the Tap interface.. now that I'm on OpenWrt I'm not sure what to do with this info.. maybe DnsMasq? 20:38 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 20:51 < Solarbaby> I guess im not asking an easy question to answer 20:51 < Solarbaby> Im pretty confused myself 20:58 < dvl> Solarbaby: it is Saturday night.... few people around. Try the mailing list. 20:58 < Solarbaby> good advice 20:58 < Solarbaby> i dont have a life 20:58 < Solarbaby> im so close but so far 21:07 < simplechat> dvl, its sunday morning 21:07 < simplechat> lol 21:07 < simplechat> Solarbaby, whats the issue? 21:07 < Solarbaby> Hello Simplechat 21:07 < Solarbaby> Thanks for getting back to me 21:07 < simplechat> hey 21:07 < simplechat> ? 21:07 < simplechat> sorry 21:07 < simplechat> i've been stuck with my own issues for awhile 21:08 < simplechat> whatsup :) 21:08 < Solarbaby> Im going to try to restate the question, did you read what I already asked up top? 21:08 < simplechat> nah, i wasn't there 21:08 < Solarbaby> ok 21:08 < Solarbaby> yet again I think im over my head here on some configuration settings.. so heres the question.. On a Linksys Router i was able to use a configuration window called Advanced Routing, which let me enter my OpenVPN destination LAN IP, Sub Mask, Default Gateway.. it has something to do with using the Tap interface.. 
now that I'm on OpenWrt I'm not sure what to do with this info.. maybe DnsMasq? 21:10 < Solarbaby> so its setting up a virtual network for the tap interface 21:10 < Solarbaby> I have no idea how to do that with out that Linksys firmware 21:16 < simplechat> hmmm. 21:17 < simplechat> so atm your on Openwrt and your not sure how to set up a vpn? 21:17 < simplechat> is that the issue? 21:18 < Solarbaby> Yes and No.. I have setup OpenVPN on the same router.. and it seems to work.. But I am also setting up OpenVPN on a Nslu2, which is inside the home network under the router 21:19 < Solarbaby> I need to make sure that my install on the Nslu2 is working properly.. and to do that I need the router to not only forward the port, which I've asked it to do.. but it also has to create that virtual network cause thats the way things are setup to work 21:19 < Solarbaby> I can show you the document I followed for the Linksys firmware if that helps 21:22 < Solarbaby> http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ 21:22 < vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.itsatechworld.com) 21:22 < Solarbaby> down where it sez configuring the router 21:41 < Solarbaby> tuff one isn't it? 21:41 < Solarbaby> sorry 21:48 < simplechat> sorry, back 21:48 < simplechat> Solarbaby, i've never done that 21:52 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn 21:58 < Solarbaby> yeah its a bit specific 22:44 < samoshit> anyone have any docs on shaping VPN traffic ? 
22:48 < krzee> its the same as shaping any other traffic if you use firewall 22:48 < krzee> or you can play with --shaper in 2.1, which is pretty new 22:52 < samoshit> awesome 23:01 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:01 -!- Solarbab1 [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 23:10 -!- Solarbaby [n=solarbab@adsl-69-225-143-100.dsl.irvnca.pacbell.net] has quit [Read error: 145 (Connection timed out)] 23:10 -!- Solarbab1 is now known as Solarbaby 23:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 23:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:18 -!- samoshit [i=sauce@ool-18be2518.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 23:34 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 23:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:40 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit] 23:41 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn --- Day changed Sun Jan 11 2009 00:01 < ropetin> Hey guys, whats up in here tonight? 00:04 < Solarbaby> ropetin: one of thee days intead of being the guy who has always tried to make openvpn work, i'll actually get to use it 00:04 < Solarbaby> ropetin: i must be pretty close by now 00:04 < ropetin> Hehehe, what's your issue now? 00:04 * ropetin just reinstalled earlier and had it working in about 20 minutes... 00:05 < Solarbaby> I sorta had it working before I rebooted my client 00:06 < Solarbaby> it connected.. it said it had a hard time establishing a security of some sort, and defaulted to using ssl something rather 00:06 < Solarbaby> anyways after a reboot of the client it just reads UDPv4 [ECONNREFUSED]; connection refused (code=111) 00:09 < Solarbaby> I'm not sure there will ever be a day that im done trying to make this work, and get to use it.. 
haha 00:09 < Solarbaby> i feel like an idiot 00:09 < Solarbaby> they just need to make this work for people like me 00:10 < ropetin> Not at all! 00:10 < ropetin> It's all a learning experience isn't it? 00:11 < ropetin> What does teh server say? 00:12 < Solarbaby> the openvpn-status.log is no help at all.. it never gets updated 00:14 < ropetin> And you've restarted the service on teh server? 00:15 < Solarbaby> i'll double check now 00:16 < Solarbaby> yes same exact error 00:16 < Solarbaby> you got yours working in 20 min huh? I envy you 00:16 < ropetin> Presumably if nothing is even getting to the server, it's a firewall or connectivity issue? 00:16 < Solarbaby> even a reinstall in 20 min would be a blessing 00:16 < ropetin> Heheheh 00:17 < ropetin> If it makes you feel any better the server I reinstalled has now died on me, for a totally unrelated hardware reason 00:17 < Solarbaby> not at all 00:17 < Solarbaby> you have no idea how hard i've worked 00:18 < Solarbaby> i just dont understand this.. im going to post my configs on pastebin.ca 00:19 < ropetin> OK 00:28 < krzee> --log file 00:29 < Solarbaby> http://pastebin.ca/1305759 00:29 < Solarbaby> ropetin: sorry about that wait 00:29 < ropetin> No wories :D 00:30 < ropetin> worries even 00:31 < Solarbaby> OpenVPN is setup on a device inside my under the firewall 00:31 < ropetin> Which makes me think it's a connectivity issue or firewall issue 00:32 < ropetin> Do you have the appropriate port forwarded, NATd or whatever? 00:32 < Solarbaby> I've asked the router to foward port 1194 and I executed route add -net 192.168.10.0 netmask 255.255.255.252 gw 192.168.1.1 dev br0 on my openwrt router 00:33 < Solarbaby> maybe theres a firewall problem on the server.. its also running openwrt 00:34 < krzee> why dev tap? 
00:34 < Solarbaby> I can't answer that 00:34 < Solarbaby> I dont understand anything 00:34 < krzee> use dev tun 00:34 < krzee> (on both) 00:34 < Solarbaby> Ok 00:34 < ropetin> Also, did you port forward udp or just tcp? 00:35 < krzee> tap encapsulates using ethernet frames, tun with IP traffic 00:37 < krzee> know that your server will need ip forwarding enabled, and NAT setup too 00:37 < krzee> are those 2 boxes on the same LAN? 00:37 < Solarbaby> yes 00:37 < krzee> k 00:37 < krzee> the pushing dns thing... 00:37 < krzee> !pushdns 00:38 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 00:38 < Solarbaby> Thanks 00:38 < krzee> np 00:38 < krzee> !logs 00:38 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:39 < Solarbaby> for one thing.. the servers firewall was accepting tcp 1194 00:39 < krzee> ahh good call ropetin 00:40 < Solarbaby> problem is still the same error 00:40 < ropetin> :D 00:40 < Solarbaby> hmmmm 00:40 < krzee> !logs 00:40 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:41 < Solarbaby> Ok 00:41 < Solarbaby> the server never makes a log file though.. 00:41 < krzee> sure it does 00:41 < Solarbaby> verb 6 00:41 < Solarbaby> syslog 00:41 < krzee> you told it to goto syslog 00:42 < krzee> check /var/log/messages 00:42 < Solarbaby> in var i have lastlog but not syslog 00:42 < krzee> syslog is the app that handles system logging 00:42 < Solarbaby> OpenWrt is so fucking crazy I can't find any syslog 00:42 < krzee> which you told openvpn to send its logs to 00:42 < krzee> ohh 00:43 < krzee> !router 00:43 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... 
dont expect help until you turn on logging so you can post them 00:43 < Solarbaby> thanks but I knew that 00:43 < krzee> unless ropetin happens to know how, you need to find out how to turn on logging 00:43 < Solarbaby> it logs other stuff.. 00:43 < krzee> #openwrt would know im sure 00:44 < krzee> 2 other easy ways actually 00:44 < krzee> remove syslog line 00:44 < Solarbaby> ok 00:44 < krzee> replace it with log 00:44 < krzee> other way is just start openvpn in the foreground 00:45 < krzee> dont forget to turn logging off when we're done 00:45 < krzee> cause your router cant log long before running out of filesystem 00:47 < ropetin> Sorry, I was getting annoyed by someone in anothe room. What'd I miss? 00:47 < ropetin> Not logging to syslog? 00:47 < krzee> hes on openwrt 00:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 00:49 < Solarbaby> just a few minutes 00:49 < krzee> on route 00:50 < krzee> whats vpn_gateway 3 00:50 -!- ropetin is now known as mclovin 00:50 -!- mclovin is now known as ropetin 00:50 < krzee> it should route through the vpn gateway without that 00:50 < krzee> kclovin! 00:51 < krzee> mclovin! 00:51 < ropetin> :D 00:51 < ropetin> Was checking if it's registered ;D 00:51 < krzee> also feel free to remove cipher BF-CBC 00:52 < krzee> since thats blowfish, the default 00:52 < Solarbaby> alright 00:59 < Solarbaby> http://pastebin.ca/1305774 00:59 < Solarbaby> that was from my client 01:00 < krzee> !learn mail http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 01:00 < vpnHelper> krzee: Invalid arguments for learn. 01:00 < krzee> !learn mail as http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 01:00 < vpnHelper> krzee: Joo got it. 
01:01 < Solarbaby> the server doesn't seem to be logging anything 01:04 < Solarbaby> Oh I found the server.log it was in /etc/init.d 01:04 < Solarbaby> weird 01:04 < ropetin> :D 01:06 < Solarbaby> http://pastebin.ca/1305779 01:07 < Solarbaby> thats the server log.. there isn't much to it though cause for some reason the client isn't scrolling the screen with information like it used too 01:07 < Solarbaby> rebooting the client 01:15 < Solarbaby> maybe now that im using tun instead of tap.. it might be kicking me off the wireless network 01:15 < Solarbaby> or maybe its because I added the log file in the client 01:15 < Solarbaby> im just not sure 01:17 < krzee> the wifi is a lower level 01:18 < krzee> ya i want the log to include the client trying to connect.. 01:21 < Solarbaby> I dont know why the client just sits there now.. it used to actually do things 01:21 < Solarbaby> im changing back to tap 01:21 < krzee> post the new config 01:22 < krzee> tap is for tunneling ethernet frames 01:22 < krzee> you only need to tunnel ip if you're just securing your wireless 01:23 < krzee> unless you are using a protocol that needs that over the vpn, it is a waste of overhead 01:24 < krzee> and when using routed with tap the only reason ive seen could be for broadcasts 01:27 < krzee> because ethernet frames work based on mac address, so without using routed you would use bridged, then youd be bridging the layer2 (talks by MACs) from each side to other 01:27 < krzee> aka, you dont want tap ;] 01:27 < Solarbaby> my ip changed 01:27 < Solarbaby> my internet ip changed 01:27 < krzee> that'll do it 01:27 < krzee> use dyndns for that if you like 01:27 < krzee> then you can connect based on hostname 01:27 < Solarbaby> i just need to get the script working 01:30 < krzee> what script... 01:30 < Solarbaby> dyndns script 01:30 < krzee> o 01:33 < Solarbaby> its still just sitting there 01:33 < Solarbaby> somehow i broke it 01:33 < krzee> look at logs... 
01:34 < krzee> just sits trying to connect? 01:34 < Solarbaby> the server log looks identical as what I posted you 20 min ago 01:34 < Solarbaby> yeah 01:34 < krzee> if so, either firewall or port forwarding problem 01:34 < Solarbaby> well not idental it sez tun0 opened 01:35 < Solarbaby> ok 01:35 < Solarbaby> Firewall 01:35 < krzee> client is trying to connect i assume... 01:37 < Solarbaby> i think so but it used to scroll the screen with stuff 01:37 < Solarbaby> now it doesn't say a damn thing at all 01:37 < Solarbaby> this is a huge nightmare.. Im so very lost 01:44 < Solarbaby> Im sorry.. I just dont know what to do anymore 01:44 < Solarbaby> I broke it 01:51 < Solarbaby> im sorry.. i can't get any further 01:51 < Solarbaby> this sucks.. this current config took me 2 weeks to get this far.. only to completely die 01:54 < krzee> have you read the howto or just googled? 01:55 < Solarbaby> I dont understand alot of what I read 01:56 < Solarbaby> the mini howtos seemed easier because they know you haven't gone to school to learn networking 01:56 < Solarbaby> which of course I am in that category.. everything is another language 01:56 < krzee> so you're setting up an advanced networking component hoping to find a page that will let you follow their steps instead of trying to learn the topic 01:58 < Solarbaby> 2 weeks.. I didn't try for a single second.. come on.. 
I've been bleeding this 01:58 < krzee> mini-howto's arent the way 01:59 < Solarbaby> you sometimes forget what that howto looks to someone who doesn't understand how to read it 01:59 < krzee> try bridging instead maybe 01:59 < krzee> no i remember 01:59 < krzee> thing is, vpns are advanced networking, so to learn them you need to learn about the stuff around them too 01:59 < krzee> for exampe 02:00 < krzee> example 02:00 < krzee> you'll need NAT configured 02:00 < krzee> so client is a wifi client, server is the wireless router, you are securing the wireless over openvpn and not allowing inet over the standard wireless? 02:02 < Solarbaby> I think something happend on my client 02:02 < krzee> check its connecting to the right ip / port / proto 02:20 < Solarbaby> what should I type on the client to make it log? 02:21 < Solarbaby> log client.log just makes it choke 02:33 < Solarbaby> forget it 02:36 < Solarbaby> 4 1/2 hours later I think i've repaired the damage up until the point that we started talking.. so now all I have to do is get back to the original problem I had before all this 02:36 < Solarbaby> yay 02:36 < Solarbaby> and thats why it took me 2 weeks to get this far 02:36 < Solarbaby> im talking 8 hours a day 2 weeks 02:36 < Solarbaby> yeah im some kinda idiot 02:44 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit ["Leaving"] 02:44 < krzee> no you're just learning a lot at once 02:45 < krzee> what did you change to 'repair the damage'? 02:48 < Solarbaby> I think i corrupted the client.conf by adding the log 02:49 < krzee> !man 02:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
02:49 < krzee> use a full path 02:49 < Solarbaby> ok 02:49 < krzee> reference for commands: manpage 02:52 < Solarbaby> so now i gotta figure out why im getting the connection refused 03:04 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 03:04 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 03:04 < Solarbaby> rebooted my router 03:05 < krzee> ya you wont need to add any routes to it 03:05 < Solarbaby> ok 03:06 < Solarbaby> well im plagued with connection refused code 111 03:06 < krzee> firewall 03:06 < Solarbaby> i tried 03:06 < Solarbaby> i added a port forward 03:06 < krzee> well 03:07 < krzee> on same lan shouldnt need port forward 03:07 < krzee> that was unknown back when we said that 03:07 < krzee> (vpn is much more common on separate lans) 03:07 < Solarbaby> as far as I know.. if its going to penetrate my routers firewall and then go to the nslu2 which has openvpn installed to it.. it needs a port forward 03:08 < krzee> isnt the server on the router? 03:08 < Solarbaby> no 03:08 < Solarbaby> it was 03:08 < Solarbaby> it is.. but that one is disabled 03:08 < krzee> but dude 03:08 < krzee> thats the problem 03:08 < krzee> you have 2 separate lans 03:09 < krzee> your traffic wont just simply jump across them 03:09 < krzee> or does it normally? 03:09 < krzee> can you ping the vpn server box...? 03:09 < Solarbaby> i could try 03:10 < krzee> why are you using openvpn...? 03:10 < krzee> i figured to secure your wifi 03:10 < Solarbaby> ping 192.168.10.0 Destintion unreachable 03:10 < krzee> but if its not going to router... thats not it 03:10 < krzee> ya man, thats your problem 03:11 < krzee> you're trying to connect to something you cant connect to 03:11 < krzee> (part of networking unrelated to a vpn) 03:12 < Solarbaby> ok my router is 192.168.1.1 255.255.255.0 right? 
then i created a route Destination LAN Ip 192.168.10.0 255.255.255.252 with a default gateway of 192.168.1.1 03:12 < Solarbaby> and I think I have to keep on typing in route everytime i reboot my router 03:13 < Solarbaby> i'll create a script for that 03:13 < krzee> isnt 192.168.10.0 the vpn network? 03:13 < Solarbaby> YEs 03:13 < krzee> what good will that route do you? you cant even make the connection 03:13 < krzee> those ips dont exist til the vpn is running 03:14 < Solarbaby> oh 03:14 < Solarbaby> that makes sense 03:14 < krzee> and those packets will be encapsulated over traffic flowing same as your ping did 03:14 < krzee> !vpn 03:14 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 03:14 < krzee> that is the idea of what a vpn is 03:15 < krzee> what is your real goal? 03:15 < Solarbaby> file sharing and the ability to be able to goto a coffee shop and use their unsecure wifi to connect to my secure network and do private web and network stuff 03:16 < Solarbaby> i want to use samba over my vpn 03:17 < krzee> hehe 03:18 < krzee> we shoulda started with that 03:18 < Solarbaby> sorry 03:18 < krzee> ok the port forwarding will be correct 03:18 < krzee> but not for what you're doing now 03:18 < krzee> for now, get yourself on the same lan 03:19 < Solarbaby> alright 03:19 < krzee> so if router is 192.168.1.1, be on that network 03:19 < krzee> that is why you have the local flag 03:19 < krzee> when you go remote, you must remove local from redirect-gateway 03:19 < krzee> !local 03:19 < Solarbaby> so i should just tell my router to accept port 1194 and do nothing with it? 03:19 < vpnHelper> krzee: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 
03:19 < krzee> you tell your router to send it to the openvpn server 03:20 < Solarbaby> thats what I did 03:20 < krzee> but that wouldnt solve your old problem 03:20 < krzee> thats for when you goto the coffee shop 03:20 < krzee> for now (testing im guessing) 03:20 < krzee> get on the same lan 03:20 < Solarbaby> it was forwarding port 1194 to the real network address of the openvpn server 03:21 < krzee> the ONLY thing you change to go out in the wild when done testing is remove local from redirect-gateway 03:21 < krzee> but you must get on same network if you wanna be working with 1 router 03:21 < krzee> you mentioned samba 03:22 < krzee> you mean windows filesharing or samba running on linux/bsd? 03:23 < Solarbaby> mostly i'll have samba running on the same device as the openvpn 03:23 < krzee> nice 03:23 < Solarbaby> on the other side in the wild sometimes samba will connect sometimes windows xp 03:24 < krzee> k, well if you can handle doing it by ip you save yourself some trouble 03:24 < krzee> other option is to run wins 03:24 < krzee> which is a 1-liner in samba 03:24 < Solarbaby> cool 03:24 < krzee> well with that few machines, 3rd option exists 03:24 < krzee> windows has a hostfile, as does linux 03:25 < krzee> you just enter it in there, host -> ip 03:25 < krzee> then you dont need to bother bridging 03:25 < Solarbaby> i removed push dredirect-gateway local def1 but i still get the same error 03:25 < krzee> no no 03:25 < krzee> whyd you remove that? 03:25 < Solarbaby> I thought you told me too 03:25 < krzee> take the client machine 03:26 < krzee> put it on the 192.168.1.x network 03:26 < krzee> if that means plugging it in, do that 03:26 < krzee> until you are on that network, everything else is pointless 03:26 < Solarbaby> ok 03:26 < Solarbaby> i'll setup the client on a computer thats plugged in 03:28 < krzee> k 03:38 < Solarbaby> okay everything is setup on a computer locally 03:39 < Solarbaby> same error 03:40 < krzee> it can ping now...? 
03:40 < Solarbaby> what address shall I ping? 03:41 < krzee> what address is the computer running the server on? 03:41 < krzee> LAN address 03:41 < Solarbaby> 192.168.1.77 03:41 < krzee> ping that 03:41 < Solarbaby> that pings 03:42 < krzee> change your remote statement in the config 03:43 < Solarbaby> same error 03:44 < Solarbaby> Sun Jan 11 01:46:35 2009 us=294530 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 03:44 < Solarbaby> Sun Jan 11 01:46:35 2009 us=294561 UDPv4 READ [-1] from [undef]: DATA UNDEF len=-1 03:44 < krzee> show me the configs now 03:44 < Solarbaby> ok 03:47 < Solarbaby> http://pastebin.ca/1305826 03:49 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 03:49 < krzee> comment out the route 03:49 < krzee> and delete the #route 192.168.10.0 line 03:50 < krzee> what is the ip of the client machine? 03:53 < Solarbaby> 192.168.1.179 03:55 < Solarbaby> same error 04:01 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 60 (Operation timed out)] 04:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:17 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 05:05 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 05:05 < Solarbaby> krzee: it took me about an hour to figure out why after a reboot I couldn't get back onto the internet 05:05 < Solarbaby> krzee: i had to uninsall openvpn to do it 05:06 < krzee> you were connected? 
05:06 < Solarbaby> krzee: i dunno how much patience I have left, but i surely appreciate yours 05:07 < Solarbaby> yeah 05:07 < krzee> cause that is what should happen when you got connected 05:07 < krzee> until you setup NAT 05:07 < Solarbaby> i was connected with no internet 05:07 < krzee> yup 05:07 < krzee> your router does NAT for 192.168.1.1 05:07 < krzee> so you have inet from that ip 05:07 < krzee> but when you come in from starbucks, or test like this 05:07 < krzee> you are using 192.168.10.x 05:08 < Solarbaby> ok 05:08 < krzee> and that network needs a NAT just like .1.x has 05:08 < krzee> !nat 05:08 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 05:08 < krzee> #1 and #3 05:09 < Solarbaby> ok i reinsalled openvpn 05:09 < Solarbaby> i still have the same config file 05:09 < Solarbaby> lets go to town 05:09 < krzee> you didnt have to uninstall 05:09 < krzee> you just had to kill the process 05:09 < krzee> lol 05:10 < Solarbaby> I didn't know how to boot up.. deleted most of my networking 05:10 < Solarbaby> i tar'd the stuff i deleted though 05:10 < krzee> haha 05:10 < Solarbaby> seriously i need some real hand holding here 05:12 < Solarbaby> where are we at? 
05:13 < krzee> you're teaching yourself how to setup a NAT in linux 05:13 < krzee> !linnat 05:13 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 05:13 < Solarbaby> You are about to delve into the fascinating (and sometimes horrid) world of NAT: Network Address Translation, and 05:14 < Solarbaby> do you realise it sez welcome and horrid 05:14 < Solarbaby> thats scary 05:14 < Solarbaby> *cry* 05:14 < krzee> bbl 05:14 < krzee> happy reading 05:14 < Solarbaby> thanks for everything 05:14 < Solarbaby> ok 05:14 < krzee> np 05:23 < Solarbaby> this is too complex 05:23 < Solarbaby> i'll never understand nat 05:23 < Solarbaby> i just want to make this work 05:24 < Solarbaby> i curse technolagy 05:25 < Solarbaby> fuck this is only pissing me off 05:26 < Solarbaby> i dont want to mangle packets I want a vpn 05:27 < Solarbaby> i guess i'll look for more walkthoughs 05:27 < Solarbaby> this sucks 05:28 < Solarbaby> krzee: this shit doesn't make sense to me 05:33 < Solarbaby> i dont understand 05:35 < Solarbaby> ropetin: i've moved like 2 minutes in 8 hours, but are you still here? 05:35 < Solarbaby> ropetin: now that i've deleted whta i want to do with openvpn it connects.. but now what? 06:14 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)] 06:15 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 06:16 < mlaci> hey guys! i've created an openvpn tunnel and it seems to work. the log says: "Initialization Sequence Completed", but i cannot ping through the tunnel. what could be the problem? 
06:19 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 06:24 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Client Quit] 06:51 < reiffert> !def 06:51 < vpnHelper> reiffert: Error: "def" is not a valid command. 06:51 < reiffert> !def1 06:51 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 06:51 < reiffert> !logs 06:51 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 06:51 < reiffert> !confgs 06:51 < vpnHelper> reiffert: Error: "confgs" is not a valid command. 06:51 < reiffert> !configs 06:51 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:17 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 07:51 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 08:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:45 < ecrist> reiffert: something specific you're looking for? 08:48 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has joined ##openvpn 08:49 < ecrist> you're early. ;) 08:49 < my_math_stinks> Making sure things worked as expected 08:51 < my_math_stinks> Thanks for taking the time to do this! 08:51 < ecrist> np 08:51 < ecrist> pw? 08:52 < my_math_stinks> Hope you will understand that as a ... seasoned? ... 
computer user I am pretty darn security conscious; and since our friendship is brand new, I will take president Reagan's advice from the nuclear disarmament treaty with the USSR: "Trust but Verify". 08:52 < my_math_stinks> So that I will have a record, and be able to learn something from watching what you do, could you please do: script ~/eric_ssh.txt immediately after you log in to your home directory? I will tail -f that file. 08:52 < ecrist> certainly 08:53 < my_math_stinks> is this a private enough channel to give you the login info AND pw? 08:53 < ecrist> no. I've login info - just need pw 08:53 < ecrist> this is a public room. 08:53 < my_math_stinks> OK, ip has not changed, password: ericcrist 08:54 < ecrist> my_math_stinks: there is no script in ~/eric_ssh.txt 08:55 < ecrist> is that script in *your* home dir? 08:55 < my_math_stinks> run the command "script eric_ssh.txt" that will create the file. 08:57 < ecrist> ok, 1 sec 08:57 < my_math_stinks> OK, I see you ran it and then exited. Don't exit till you're done. I'll see everything you do that way. 08:58 < my_math_stinks> Why do you need to connect to kenny.secure-computing.net 08:58 < ecrist> getting my .cshrc file for my environment 08:58 < my_math_stinks> ok, allowed 08:59 < ecrist> ok, got all that 09:00 < ecrist> no, refresh my memory, what user's directory are you looking at? 09:00 < ecrist> randi? 09:00 < my_math_stinks> yes, and why do you need to be logged in to 2 terminal sessions? :) 09:01 < ecrist> never used script, also doing a tail -f (I'm learning, too) :) 09:01 < ecrist> looks similar to the old 'watch' command, but not quite as powerful. 09:02 < my_math_stinks> it's useful in this situation so that I can watch in real time, and have a hard record. 09:02 < my_math_stinks> I can also see as you log in and out. 09:04 < ecrist> ok. looks like there's a difference of about 300MB between du -kd1 and repquota 09:04 < my_math_stinks> hmmm.2.34 and 2.37 interestingly close? 09:04 < ecrist> hrm. 
let's take this to a private room 09:04 < my_math_stinks> invite me 09:05 < my_math_stinks> need a "room key"? 09:06 < my_math_stinks> room is password protected 09:06 < ecrist> look at my command history - sent you message there. 09:06 < my_math_stinks> got it, invite again 09:37 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has quit [] 09:42 < mlaci> hi guys! i got this: "bad source address from client [10.8.0.2], packet dropped". i'm pretty desperate and need some help 09:42 < ecrist> if you google "OpenVPN 'bad source address from client' 09:42 < ecrist> " 09:42 < ecrist> you'll get a ton of hits... 09:42 < ecrist> try reading 09:42 < ecrist> !route 09:42 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:42 < ecrist> that link ^^^ 09:43 < ecrist> you'll find an explanation of that error there. 09:44 -!- ecrist changed the topic of ##openvpn to: Check your firewall first. || We need !configs and/or !logs || HowTo: http://openvpn.net/howto 09:44 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn 09:48 < mlaci> ecrist, i'm reading for more than two hours, but cannot figure out the exact solution 09:49 < ecrist> did you read the link vpnHelper posted above? 09:49 < mlaci> ecrist, i'm just reading it, sorry. give me some minutes 10:12 -!- AndyML is now known as AwayML 10:27 -!- phretor [n=phretor@host202-23-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 10:27 < phretor> hi 10:29 < phretor> I get tons of errors when I use easy-rsa scripts - http://pastie.org/358032 - could you please help me on this? 10:36 < ecrist> phretor: what OS? 10:36 < phretor> ecrist: ubuntu server 10:37 < ecrist> what shell? 
10:37 < phretor> ecrist: bash 10:40 < ecrist> well, easy-rsa sucks 10:40 -!- wormdrink [i=c2ed8e06@gateway/web/ajax/mibbit.com/x-903c80a6518af861] has joined ##openvpn 10:42 < wormdrink> hi 10:42 < wormdrink> im having some trouble connecting to vpn from behind firewall 10:42 < wormdrink> behind http proxy rather 10:42 < wormdrink> keep getting: Sun Jan 11 18:44:02 2009 us=959388 TCPv4_CLIENT link local: [undef] Sun Jan 11 18:44:02 2009 us=959473 TCPv4_CLIENT link remote: 153.88.253.11:8080 Sun Jan 11 18:44:53 2009 us=33897 Connection reset, restarting [0] Sun Jan 11 18:44:53 2009 us=34254 TCP/UDP: Closing socket Sun Jan 11 18:44:53 2009 us=34439 SIGUSR1[soft,connection-reset] received, process restarting Sun Jan 11 18:44:53 2009 us=34532 Restart 10:42 < ecrist> phretor: I don't have packages for ubuntu yet, but with a little effort, you can use ssl-admin 10:42 < ecrist> !ssl-admin 10:42 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 10:43 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit ["I want to sleep."] 10:44 < ecrist> wormdrink: I don't know how you're going to use an http proxy to connect. I don't think it's supported 10:45 < wormdrink> im pretty sure it is 10:46 < wormdrink> # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. 
;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #] 10:46 < ecrist> have you looked at http://openvpn.net/index.php/documentation/howto.html#http 10:46 < vpnHelper> Title: HOWTO (at openvpn.net) 11:11 -!- zzattack2 [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn 11:13 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 131 (Connection reset by peer)] 11:13 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn 11:15 < zzattack> phretor: did you try using the 1.0 scripts? 11:15 < phretor> zzattack: why should I? 11:15 < zzattack> are you using that debian etch guide? 11:23 -!- Semmi [n=basti@e178220139.adsl.alicedsl.de] has joined ##openvpn 11:24 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 11:24 < Semmi> hello, i have a problem. i can't create a server key 11:29 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 11:29 < Semmi> i want to generate a certificate & key for a server, but i only got a message 11:30 < Semmi> that i "Finally, you can run this tool (pkitool) to build certificates/keys." 11:30 -!- zzattack2 [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 110 (Connection timed out)] 11:39 -!- phretor [n=phretor@host202-23-dynamic.25-79-r.retail.telecomitalia.it] has left ##openvpn [] 11:43 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 60 (Operation timed out)] 12:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:21 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 12:22 < mlaci> ecrist, thank you very much for the pointer to the wiki article about setting up iroutes, it's working like a charm. i'd like to configure my server to forward packets to its lan. how can i do it? 
12:26 < mlaci> /proc/sys/net/ipv4/ip_forward is set to 1 and forwarding doesn't work 12:35 < mlaci> looks like the server tries to forward the packets, but the server resides in a bigger network interconnected by routers and there's no answer coming back 12:35 < mlaci> am i missing something? 12:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 12:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:37 < mlaci> ah, i think i should masquerade the packets, or something like that 12:46 -!- wormdrink [i=c2ed8e06@gateway/web/ajax/mibbit.com/x-903c80a6518af861] has quit ["http://www.mibbit.com ajax IRC Client"] 12:59 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"] 13:02 -!- Semmi [n=basti@e178220139.adsl.alicedsl.de] has quit [Read error: 54 (Connection reset by peer)] 13:08 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 13:08 < eliasp> hi 13:10 < eliasp> how do i change the IP of the server node? by default it gets 10.8.0.1/24 assigned (server 10.8.0.0 255.255.255.0) ... i want it to be 10.8.0.2/24 ... tried 'ifconfig 10.8.0.2 255.255.255.0' but it seems i was wrong... still got 10.8.0.1/24 ... 13:13 < krzee> why .2? 13:13 < krzee> and see this: 13:13 < krzee> !/30 13:13 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 13:14 < krzee> AND 13:14 < eliasp> because the usage of .1 would require heavy changes of the client configs due to network restructuring... just something i want to prevent ATM 13:14 < krzee> server statement expands to have ifconfig already in it 13:14 < krzee> see !man for details 13:15 < krzee> the avoidance of .1 would require heavy changes as well 13:15 < eliasp> but just on the server.... 13:15 < krzee> and you need to use an address from a /30 unless you use !topology 13:15 < eliasp> there's nowhere a reference to 10.8.0.1 in the client-config... 
13:16 < eliasp> uhm, i don't really understand why this shouldn't be easily possible... will read the link above for some clarification.. thx ... seems i have to find a completely different way for this... 13:17 < krzee> ya that link will show why no server or client can use .2 13:17 < krzee> unless you use: 13:17 < krzee> !topology 13:17 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 13:17 < eliasp> ok, it doesnt need to be .2 .. could be anything else, just not .1 ;-) 13:17 < eliasp> k, thx 13:17 < krzee> see: 13:17 < krzee> !man 13:17 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:17 < krzee> and rebuild the server statement 13:18 < krzee> server expands to be a bunch of other statements 13:18 < krzee> rebuild it replacing ifconfig with what you want 13:19 < eliasp> yeah, read this part of the manpage already about the expanded 'server' option... going to re-read it... 13:59 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 14:04 -!- bmolloy [n=bmolloy@cpe-70-115-198-13.satx.res.rr.com] has quit [Read error: 113 (No route to host)] 14:35 -!- int [n=quassel@wikia/int] has joined ##openvpn 14:39 -!- AwayML is now known as AndyML 15:10 -!- laggo [n=user@c-67-188-111-124.hsd1.ca.comcast.net] has joined ##openvpn 15:11 -!- LilaLinux is now known as lilalinux 15:13 < laggo> i've set up the vpn with close to default configs and i can ping the server across the tunnel. i'm having trouble with routing all client traffic through the server with redirect-gateway and iptables masquerade. 
is there some linux tool to diagnose what's happening with the packets (are they being received/forwarded by the server etc) 15:24 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn 15:27 < disposable> ls 15:27 < disposable> oops 15:42 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 15:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 16:09 < disposable> i have a network 192.168.3.0/24 on which i have an openvpn server with tap device providing network 192.168.111.0/24. the server is configured like this: http://pastebin.com/d29031923 Problem is that I can ping the server from the client using both 192.168.111.1 and 192.168.3.118 address, but nothing else on the 192.168.3.0 network. what am i missing? 16:10 < disposable> i have issued "echo 1 > /proc/sys/net/ipv4/ip_forward" on the server, but it did not help 16:22 < disposable> pretty please? 16:29 < laggo> blah 16:29 -!- laggo [n=user@c-67-188-111-124.hsd1.ca.comcast.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"] 16:40 < mlaci> guys, what's the best way to implement some hostname resolution mechanism that works with openvpn? 16:47 < krzie> huh? 16:47 < krzie> i dont get the question 16:49 < krzie> disposable: 3 things, 16:49 < krzie> # 16:49 < krzie> push "route 192.168.3.0 255.255.255.0" 16:49 < krzie> # 16:49 < krzie> route 192.168.3.0 255.255.255.0 16:49 < krzie> that never makes sense 16:49 < krzie> see !route 16:50 < krzie> odds are you are missing the routes outside of openvpn 16:50 < krzie> 2) you are using tcp, unless you have a reason to you should not be 16:50 < krzie> see this: 16:50 < krzie> !tcp 16:50 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 16:57 < disposable> krzie: thanks 17:06 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 17:07 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 17:11 < krzie> 3) you are using tap, but not bridging... there are few reasons to do this and unless you know why you are doing it you prolly want dev tun 17:12 < krzie> also, if you are using user/group you want some persist options 17:12 < bsdbandit> im running openvpn 2.0.9 on openbsd 4.4 but when trying to start openvpn it just hangs before trying to open up the tun0 interface how would i go about solving this issue 17:12 < bsdbandit> ? 17:12 < krzie> persist-key 17:12 < krzie> persist-tun 17:13 < disposable> krzie: looks like i have much more reading to do than i thought 17:13 < krzie> bsdbandit, sure you have tuntap in the kernel? 17:55 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 17:55 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 54 (Connection reset by peer)] 18:25 < reiffert> Hah, migrating a web n mailserver to my system within 30 minutes on the fly. 18:29 < krzie> nice 18:30 < krzie> i grabbed a fbsd vps for $84/yr last night 18:30 < krzie> was too good to pass up 18:31 < reiffert> how much hdd? 18:34 < reiffert> Need 100GB Backup Space with ssh+rsync and cryptfs. 
18:35 < krzie> for the 84/yr only 5gb 18:37 < reiffert> good night, job's done here 18:37 < krzie> more than i need tho 18:37 < krzie> gnite reif 18:43 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 18:55 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection] 19:03 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl 19:03 -!- Netsplit over, joins: dvl, smk 20:14 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 20:16 < Solarbaby> krzee: Hello 20:29 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Network is unreachable] 20:32 < krzie> hey 20:39 -!- eliasp [n=quassel@78.43.213.203] has quit [Remote closed the connection] 20:43 < Solarbaby> krzie: I ended up having a shitfit after you left... i guess my temper got the best of me 20:43 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn 20:43 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 20:45 < krzie> lol 20:46 < Solarbaby> fortunately nobody was around to comment on any of it 20:46 < krzie> dont expect to read some walkthrough and magically understand networking 20:47 < Solarbaby> Im not sure I want to understand it, I want it to work 20:47 < Solarbaby> my network can't be so different than a few hundred million other networks 20:47 < krzie> what you were trying when you started was impossible 20:47 < Solarbaby> its 2 config files.. and a few entries into your firewall and router 20:48 < Solarbaby> I appreciate you clearing that up 20:48 < Solarbaby> thanks 20:48 < krzie> yes, but what goes in those entries and configs differs based on your goal, and requires some knowledge of networking 20:48 < Solarbaby> nod 20:48 < Solarbaby> would you mind walking me through the rest of it? 
20:49 < krzie> walking through, prolly 20:49 < krzie> but ill point to what to read if i know what you need to read 20:49 < krzie> last i saw you got it to connect fine 20:49 < Solarbaby> a little hand holding is required with my limited knowledge.. but im a lot less impatient after a good night's sleep 20:49 < krzie> comment out the redirect-gateway line for now 20:49 < Solarbaby> ok 20:49 < Solarbaby> shall I re post the configs? 20:49 < krzie> ill help, but wont do it for you, if yanno what i mean 20:50 < krzie> well first comment the redirect-gateway line 20:50 < Solarbaby> Yeah.. I prefer you do it for me.. heeh.. 20:50 < Solarbaby> but any help is good 20:50 < krzie> (put a # in front of it) 20:50 < krzie> sure ill do it for you 20:50 < krzie> but ill charge $ for that 20:50 < Solarbaby> im tempted to pay 20:50 < Solarbaby> not that i have any money 20:50 < krzie> its better to learn 20:51 < Solarbaby> i agree.. i always prefer seeing something that works, then breaking it 20:51 < Solarbaby> see why it worked 20:51 < krzie> you learn more from breaking stuff and fixing it 20:51 < krzie> than from following some walkthrough off google 20:51 < Solarbaby> yeah 20:51 < Solarbaby> thats true.. apparently i've learned very little all this time 20:52 < krzie> to understand basically everything about ANY line in an openvpn config 20:52 < krzie> all you need is this: 20:52 < krzie> !man 20:52 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:52 < krzie> so anyways... 20:52 < krzie> comment the line i said to 20:52 < krzie> then stop both instances of openvpn 20:52 < krzie> then start the server 20:53 < krzie> then start the client 20:53 < krzie> tell me if it connects... 
20:54 < Solarbaby> ok 20:55 < Solarbaby> it didn't stay connected 20:55 < Solarbaby> ill post the logs 20:58 < Solarbaby> http://pastebin.ca/1306234 21:02 < Solarbaby> http://pastebin.ca/1306238 21:11 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 21:12 < tjz> Hello everyone~ 21:13 -!- steveoooooooo [n=steve@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 21:13 < Solarbaby> Hello tjz 21:14 < tjz> hey solarbaby 21:14 < tjz> did you manage to get your openvpn working? 21:14 < Solarbaby> tjz: not yet.. krzie has been helping me but its slow going 21:15 < steveoooooooo> im trying to setup a bridged openvpn setup, what interface do I bridge? the vpn is accepting connections on the internet, but the VPN should operate on 192.168 or 10. network... do I need to add a local net first, and bridge that? 21:15 < tjz> are you running a server or vps? 21:15 < Solarbaby> he managed to fix some issues that he told me will not work because they were totally wrong 21:15 < Solarbaby> im running openvpn on a linksys nslu2 21:15 < Solarbaby> running openwrt as an operating system 21:15 < Solarbaby> and the client is running on ubuntu 21:16 < steveoooooooo> Solarbaby, how does openwrt work? 21:16 < Solarbaby> steveoooooooo: it may just be the single most frustrating project i've ever taken on 21:17 < steveoooooooo> : ) 21:17 < Solarbaby> openwrt itself comes pretty close.. 21:17 < tjz> never used openwrt OS before 21:17 < steveoooooooo> im trying to get openvpn to work 21:17 < tjz> x_x 21:17 < steveoooooooo> im not sure how Im supposed to bridge my adapters 21:18 < Solarbaby> its not bad if you dont want to play with it much.. but I had to get usb working and samba, and some other things.. including openvpn which is still unsolved 21:18 < ecrist> evening, bitches 21:18 < Solarbaby> Hello ecrist 21:18 < steveoooooooo> eth0 is the internet, so what do I bridge br0 to? 
21:18 < ecrist> eth0 and tap0 21:19 < ecrist> erm 21:19 < ecrist> tap0 and whatever interface is your LAN 21:19 < ecrist> usually 21:20 < steveoooooooo> so if the only adapter I have in the machine is for the inet, I need to create a virtual 10.* network first, then bridge tap0 to that? 21:20 < ecrist> wait 21:20 < ecrist> why are you doing a bridge network? 21:20 < ecrist> you're just trying to tunnel internet traffic? 21:21 < steveoooooooo> maybe I dont need one. I have a server, I'd like to be able to connect to it so it acts like a machine on my local net so I can use samba 21:21 < steveoooooooo> maybe I just need openvpn on the server and no bridge 21:22 < ecrist> samba... can be done over bridge or tun. I would recommend tun (easier to set up) 21:23 < ecrist> you'd have to access the share via IP or hostname, and it wouldn't be browsable, though. 21:23 < Solarbaby> good advice 21:23 < steveoooooooo> ecrist, no problem there 21:23 < Solarbaby> thats no fun 21:23 < ecrist> tun also makes things a tad easier to firewall, should the need arise. 21:23 < steveoooooooo> so if the server is running openvpn and I connect, the server will have a local net ip? 21:24 < Solarbaby> krzie: did my log files do you in? 21:25 < ecrist> the server will have a VPN-local net IP. 21:25 < ecrist> and as long as samba is listening to IN_ADDR_ANY, you're good to go 21:26 < Solarbaby> ecrist: you seem like the chief of the channel 21:26 < ecrist> ?? 21:26 < ecrist> lol 21:26 < ecrist> thanks. 21:26 < Solarbaby> ecrist: you just really sound like you know whats going on 21:27 < Solarbaby> ecrist: i might very well be the worst uneducated fool to setup openvpn yet 21:27 < Solarbaby> North and South here 21:27 < Solarbaby> hehe 21:28 < ecrist> steveoooooooo: if you follow the howto, or read through !freebsd (ignore OS-specific parts) you should be on the right path. 21:28 < ecrist> Solarbaby: what's your issue, before I go pay my wife some attention? 
21:29 < Solarbaby> ecrist: It could take you all night.. im a beginner to networking so just getting a basic vpn that shares my internet connection when im away from home, and my samba file shares is what i need.. 21:30 < ecrist> Solarbaby: read !freebsd, and !route 21:30 < Solarbaby> the samba server and the openvpn server are on the same openwrt device 21:30 < ecrist> that should get you down the right path. 21:30 < ecrist> if you're still having problems, hit me up between 0700 and 1500 CST 21:30 < Solarbaby> is it possibly over my head? 21:30 < ecrist> naw 21:30 < Solarbaby> I'll be here 21:30 < ecrist> !freebsd 21:30 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 21:30 < ecrist> !route 21:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:30 < Solarbaby> Thank You! 21:30 < Solarbaby> I'll look it over and see if i can figure anything out 21:31 < ecrist> I wrote OpenVPN Server and krzee wrote Routing - ask us if you don't understand something. 21:31 < ecrist> g'night 21:31 < Solarbaby> G'night 21:56 < Solarbaby> I dont understand why ecrist didn't include a client.conf to go with his server.conf 21:56 < Solarbaby> in his howto 22:04 < Solarbaby> he's gotta push route in his server.conf and I dont have one.. I have no idea if I need that 22:19 < dvl> Solarbaby: http://www.freebsddiary.org (my stuff) may have client conf. 22:19 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org) 22:19 < Solarbaby> Thanks! 22:20 < dvl> np 22:20 < dvl> using it here and now 22:20 < Solarbaby> I've been trying to make this work for weeks 22:20 < Solarbaby> its really really sad 22:22 < dvl> http://www.freebsddiary.org/openvpn-routed.php 22:22 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org) 22:23 < dvl> Now, what I'd do differently is have openvpn run not as nobody, but as a specialized user. 
22:23 < Solarbaby> I liked that you gave credit to ecrist and krzie 22:23 < dvl> This would be a nice exercise I think. 22:23 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 22:23 < dvl> Thanks 22:24 < Ricoshady> do I need to create the tap interface dev, or is that created for me? 22:24 < Solarbaby> you need to have the library 22:24 < dvl> For you I think. You'll see. What OS are you using? 22:24 < dvl> For FreeBSD: kldload if_tap.ko 22:24 -!- AndyML is now known as AwayML 22:25 < dvl> or if_tap_load="YES" in /boot/loader.conf 22:27 < Ricoshady> what library? im using debian 22:27 < Solarbaby> I dont know what im talking about 22:28 < dvl> Solarbaby: try it without doing anything special, then you'll know. 22:28 < Solarbaby> dvl: maybe I should just use the config files you posted in here 22:28 < dvl> Solarbaby: if you're doing the same thing I am... 22:28 < Solarbaby> you've got things like client to client I dont have that in mine 22:28 < Solarbaby> your certificates are in a different directory but thats easy to fix 22:29 < dvl> Yep. 22:29 < Solarbaby> you know i've read that generating the certs was the hardest part, but for me that was the easiest.. I did that in 1 day.. and everything else in 2 weeks and I got not even an inch further 22:29 < Solarbaby> hehe 22:30 < Solarbaby> its really really sad 22:30 < Ricoshady> does anyone know how to create the tap device in linux? 22:30 < Ricoshady> debian 22:31 < dvl> Solarbaby: I've followed those directions for a few client machines now. 22:31 < dvl> Ricoshady: my sympathies. Sorry about Debian. ;) 22:50 < Ricoshady> what is the difference between tap and tun devices? 22:54 < Solarbaby> dvl: i dont have a group nobody on this openwrt system 22:54 < Solarbaby> Ricoshady: tun is better for a lot of things.. like samba 22:54 < dvl> Solarbaby: interesting dilema 22:54 < dvl> and spelling. 22:54 < Solarbaby> Ricoshady: also Tun is more secure 22:55 < Solarbaby> dvl: hey look at me.. 
I answered a question right 22:56 < Solarbaby> TLS Error: cannot locate HMAC in incoming packet from 192.168.1.220:33078 22:56 < Solarbaby> how do you like that bag of worms? 22:57 < Solarbaby> as far as the nobody group.. I just edited that out.. 22:57 < Solarbaby> i'll work more on that part later 23:02 < Solarbaby> dvl: I still get the same errors with yours as I was getting with mine.. read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 23:05 < Solarbaby> dvl: i didn't notice any sections in your writing about firewalls or port forward 23:10 < dvl> Solarbaby: Sounds like there is nothing listening on that port. 23:17 < Solarbaby> Hmmm 23:19 < Solarbaby> it looks like its not making it through my router's firewall 23:19 < Solarbaby> OpenWrt is my router and firewall 23:20 < Solarbaby> I thought I knew what I was doing.. but obviously not 23:37 < Ricoshady> ive got a VPN up and running, the VPN stays open, but I lose ssh connections, any idea 23:37 < Ricoshady> they connect, just disconnects quickly there after 23:38 < Ricoshady> and does the client require the dos window? 
23:38 < Ricoshady> id rather not have to keep that going 23:39 < Ricoshady> actually it looks like for whatever reason, the VPN closed the connection and reopened 23:40 < Ricoshady> every few minutes the VPN resets 23:47 < Ricoshady> I even got samba to work over the VPN, but the VPN still resets every 2-5 minutes, killing all open connections 23:56 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Mon Jan 12 2009 00:04 -!- Solarbaby [n=solarbab@ppp-69-232-181-87.dsl.irvnca.pacbell.net] has joined ##openvpn 00:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:07 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 00:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:34 -!- Solarbaby [n=solarbab@ppp-69-232-181-87.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)] 00:34 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 01:17 < gdfgdfgdfgdfg> anyone know why the VPN cuts out every so often, seemingly randomly? it comes back up, but stuff like ssh dies out because the connection is dropped 01:34 < krzee> have a keep-alive? 01:34 < krzee> using tcp? 01:34 < gdfgdfgdfgdfg> what kind of keep-alive? 01:34 < krzee> any abnormal links involved? 01:34 < krzee> !man 01:34 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 01:34 < krzee> see --keepalive 01:35 < gdfgdfgdfgdfg> no abnormal links that I know of, one tun connection 01:35 < krzee> i mean like satellite or anything like that 01:35 < gdfgdfgdfgdfg> ohh, no cable 01:36 < gdfgdfgdfgdfg> other than this issue, the VPN is working GREAT! 
01:37 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 01:40 < krzee> --keepalive n m 01:40 < krzee> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations. 01:40 < krzee> For example, --keepalive 10 60 expands as follows: 01:40 < krzee> 01:40 < krzee> if mode server: 01:40 < krzee> ping 10 01:40 < krzee> ping-restart 120 01:40 < krzee> push "ping 10" 01:40 < krzee> push "ping-restart 60" 01:40 < krzee> else 01:40 < krzee> ping 10 01:40 < krzee> ping-restart 60 02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:33 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)] 02:35 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 02:39 -!- dazoafk is now known as dazo 02:45 < krzee> !ssl-admin 02:45 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 02:46 < krzee> ecrist, 02:46 < krzee> [root@nfs /usr/ports/security/ssl-admin]# make 02:46 < krzee> ===> Vulnerability check disabled, database not found 02:46 < krzee> => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/. 02:46 < krzee> => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/. 
02:46 < krzee> fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host 02:52 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 03:02 < krzee> the file doesnt exist in that dir 03:04 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 145 (Connection timed out)] 03:35 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 03:41 < krzee> also ecrist, the svn ssl-admin is spitting errors at my freebsd 7 03:41 < krzee> with perl 5.8.8_1 03:41 < krzee> [root@nfs ~]# ssl-admin 03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 366. 03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 409. 03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 477. 03:41 < krzee> syntax error at /usr/local/bin/ssl-admin line 199, near "$? else" 03:41 < krzee> Execution of /usr/local/bin/ssl-admin aborted due to compilation errors. 03:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 03:48 -!- krzee changed the topic of ##openvpn to: Check your firewall first. || We need !configs and/or !logs || HowTo: http://openvpn.net/howto manual: http://openvpn.net/man || LANs behind openvpn? see !route || Don't ask to ask, just ask, then wait. 
04:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 04:11 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 04:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:55 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn --- Log closed Mon Jan 12 05:01:43 2009 --- Log opened Mon Jan 12 08:09:20 2009 08:09 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 08:09 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal] 08:09 -!- Irssi: Join to ##openvpn was synced in 17 secs 08:09 < ecrist> user-keys, yes 08:09 < ecrist> ssl-admin 08:09 < ecrist> !ssl-admin 08:09 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 08:09 -!- ecrist [n=r00t@mtka.claimlynx.com] has quit ["Leaving"] 08:10 -!- You're now known as ecrist 08:15 < krzee> ecrist, umm, but its not working 08:15 < krzee> the link takes you to trac, svn gives a broken version, ports doesnt have it 08:19 -!- zheng [n=zheng@58.33.126.221] has quit [Read error: 104 (Connection reset by peer)] 08:22 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 104 (Connection reset by peer)] 08:22 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn 08:23 < harpal> Hey is it Ok, to use certificates generated without openvpn's certificate generation method? Does it accept it? 08:24 < krzee> openvpn's cert generation method? 08:24 < krzee> it just uses openssl to make certs 08:24 < krzee> easy-rsa and ssl-admin are both just frontends for running a series of openssl commands 08:25 < harpal> krzee: Ya, But I have created certificates in OpenSwan an IPSEC VPN. 
08:25 < harpal> In that I have use Opelssl 08:25 < harpal> *openssl 08:25 < krzee> ipsec uses normal ssl certs for connecting? 08:26 < krzee> im thinking no 08:26 < harpal> krzee: no, It has CA authority and certs with password 08:26 < harpal> also self-signed certs available 08:26 < krzee> sounds like thats normal ssl certs 08:26 < krzee> *shrug* maybe then 08:27 < krzee> i can guarantee that the clients / server will not interconnect to openvpn tho 08:27 < krzee> whether or not you can re-use the certs, i have no idea 08:27 < krzee> i dont use ipsec 08:28 < harpal> krzee: I think I have to test it and Lets see what happen :D 08:28 < krzee> you doing that so you dont need to re-deploy certs to all your clients? 08:30 < harpal> krzee: nope, dont re-create certs separately for IPSEC and openvpn 08:30 < ecrist> oh, expect svn to be broken at any given time 08:30 < krzee> ecrist, but theres no tgz download 08:30 < ecrist> that's why I'm hoping, this week, to have a few various bundled releases. 08:30 < krzee> ahh 08:30 < ecrist> for the tgz 08:31 < krzee> new mods? 08:31 < ecrist> krzee - side effect of me having a day job, starting a small business, baby on the way, and remodeling my house. 08:31 < krzee> wow bro 08:31 < krzee> busy man 08:32 < ecrist> oh, and I'm still a reserve sheriff's deputy on the side of all that. 08:32 < ecrist> damn, I think I need to cut back. 08:32 < krzee> your biz all in person or you do anything online? 08:32 < ecrist> biz is all in person. security systems, cameras, that sort of thing 08:32 < ecrist> that's really my 'trade' is low-voltage wiring. 08:33 < krzee> werd 08:33 < ecrist> I managed to sucker my current employer into thinking I knew what I was doing behind a keyboard. 
08:33 < krzee> we woulda done good as a team 08:33 < ecrist> aye 08:33 < krzee> i did phone systems and networks, never did the cabling or phys security 08:34 < krzee> although im fully capable of re-keying locks 08:34 < krzee> with a master key for the building 08:34 < krzee> and a grand-master for multiple buildings 08:34 < krzee> (i taught a locksmith some unix, he taught me how to key locks) 08:35 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn 08:35 < ecrist> ah, I did that for a while - you familiar with Best locks? 08:35 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"] 08:35 < krzee> neg 08:36 < ecrist> I worked for them in their electronic access control division (worked for IR, too (owns Schlage)) - learned how to pin and combinate locks there 08:36 < krzee> ahh nice 08:36 < ecrist> learned how to pick and defeat locks there, too. 08:36 < krzee> schlage is good 08:36 < krzee> ya i taught myself that one 08:36 < krzee> i keep picks with me 08:37 < ecrist> taught my father-in-law over christmas how to defeat most padlocks with a piece of aluminum cut from a pop can. 08:37 < ecrist> he was stunned. 08:37 < krzee> http://www.lockpicks.com/browseproducts/Dyno-KWIK-Pick.html 08:37 < vpnHelper> Title: Dyno KWIK Pick (at www.lockpicks.com) 08:37 < ecrist> took me longer to cut the aluminum than to defeat the lock. 08:37 < krzee> thats what i keep on me 08:37 < krzee> ya 08:37 < krzee> done that 08:37 < krzee> but i actually bought pre-made picks of the same nature 08:38 < ecrist> it looks more bad-ass to mcguyver it. ;) 08:38 < krzee> the kind you just push in through the top, same method 08:38 < ecrist> yep 08:39 < krzee> haha thats true 08:39 < krzee> i had to pick my old house with paper clips 2x 08:39 < ecrist> doesn't work on the 'American' locks I was issued in the Army, or my 'Best' locks. 
08:39 < krzee> locked myself out and didnt have my kwik pick yet 08:39 < krzee> so my picks were in the house 08:39 < krzee> schlage is pick resistant too cause of the bottom 08:39 < krzee> but you can bump it easy enough 08:39 < ecrist> lol 08:40 < krzee> bumping looks pretty mcguyverish too 08:40 < krzee> you know the technique im referring to? 08:41 < ecrist> when I worked for IR, I made a couple 040404 and 4040404 keys - our mech guy didn't realize why for a few minutes 08:41 < krzee> lol 08:41 < krzee> ok ya you know it 08:41 < krzee> lol 08:41 < ecrist> I've never been able to pick a Medecco lock, though 08:43 < krzee> well ya 08:43 < krzee> youd need to hack the rfid too 08:43 < krzee> which can and has been done 08:43 < krzee> but shit, it aint easy 08:43 < krzee> its more of POC 08:44 < krzee> whoa 08:44 < krzee> http://blog.wired.com/27bstroke6/2008/08/medeco-locks-cr.html 08:44 < vpnHelper> Title: Researchers Crack Medeco High-Security Locks With Plastic Keys | Threat Level from Wired.com (at blog.wired.com) 08:45 < ecrist> hrm 08:45 < ecrist> now, EAC systems I can crack. 08:46 < ecrist> ah, see, that still doesn't work on the Schlage high-security locks. 08:47 < ecrist> they have a second set of pins set at a 45* angle - keys have to be laser-cut. 08:47 < ecrist> |/ - like so 08:47 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 09:00 < krzee> always 45 degrees? 09:01 < krzee> sounds still bumpable if always 45 09:03 -!- kyrix [n=ashley@93-82-5-0.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 09:03 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn 09:06 < ecrist> krzee: if you're on a freebsd system, why are you using the svn version, rather than ports? 09:07 < krzee> [10:18] the link takes you to trac, svn gives a broken version, ports doesnt have it 09:07 < krzee> [04:49] => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/. 
09:07 < krzee> [04:49] => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/. 09:07 < krzee> [04:49] fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host 09:07 < krzee> because ports cant get it 09:07 < krzee> and i cant put the tgz in distfiles, cause theres no tgz 09:09 < ecrist> oh, ports can get it now... 09:10 < ecrist> my FTP was broken, cause of my internet bill not being paid (truck seat gobbled it up last week) 09:10 < ecrist> it's paid now, after a friendly reminder from the disconnect fairy 09:10 < krzee> ahh nice 09:11 < krzee> => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/. 09:11 < krzee> => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/. 09:11 < krzee> fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host 09:11 < krzee> => Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/. 09:11 < krzee> fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/ssl-admin-1.0.tar.gz: File unavailable (e.g., file not found, no access) 09:11 < krzee> => Couldn't fetch it - please try to retrieve this 09:12 < krzee> => port manually into /usr/ports/distfiles/ and try again. 
09:12 < krzee> btw, i was able to get into your ftp manually last night 09:12 < krzee> the file wasnt there 09:12 < krzee> well i think it was yours, it was late 09:12 < ecrist> fuck 09:12 < ecrist> lemme look 09:12 < krzee> oh no wasnt yours 09:13 < krzee> i still cant get in your ftp 09:13 < krzee> it was fbsd.org that didnt have it 09:14 < ecrist> there 09:14 < krzee> just tested your ftp from chicago and san diego 09:14 < krzee> no dice 09:15 < krzee> oh 09:15 < krzee> there it goes 09:15 < ecrist> my ftp daemon was listening to the old IP address 09:15 < krzee> ahh 09:15 < ecrist> must have missed it a couple weeks ago when I had to change ip space 09:15 < krzee> hehe done that before 09:17 < krzee> cool, bbiaf 09:17 < krzee> headed to the dentist 09:17 < krzee> while it generates my 4096bit keys 09:20 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 09:20 < krzee> Generating a 4096 bit RSA private key 09:20 < krzee> ....................................................++ 09:20 < krzee> ....................................................++ 09:20 < krzee> writing new private key to 'hash.key' 09:20 < krzee> that does NOT feel right 09:24 < ecrist> let me look at the source 09:24 < ecrist> that's not me. 09:24 < ecrist> that openssl - so if there's an error, it there. 09:26 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 09:26 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 09:26 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 131 (Connection reset by peer)] 09:29 -!- harpal [n=Harpal@122.169.108.195] has quit [Read error: 104 (Connection reset by peer)] 09:31 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 09:31 < ecrist> morning, plaerzen 09:31 < plaerzen> morning ecrist and the rest of ovpn 09:45 < tjz> tjz.ovpn enabled 09:45 < tjz> what's up? 09:45 * tjz connected... 09:46 < tjz> yes sir.. 09:48 < ecrist> sup? 
09:51 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 10:00 < krzee> ya 10:00 < krzee> thats definitely openssl 10:00 < krzee> but i disagree about the no error thing 10:01 < krzee> there is no way this weak-ass box made a 4096 key that fast 10:04 < krzee> mornin plaerzen 10:08 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 110 (Connection timed out)] 10:10 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 10:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:20 < rubydiamond> Hi people 10:20 < rubydiamond> dazo: 10:20 < rubydiamond> Mon 01/12/09 09:53 PM: expected peer address: 61.8.142.106:11668 (allow this incoming source address/port by removing --remote or adding --float) 10:20 < rubydiamond> getting above error 10:20 < rubydiamond> ecrist: ^ 10:20 < krzee> same address, right? 10:21 < krzee> the peer really is at 61.8.142.106...? 10:21 < rubydiamond> hmm 10:21 < rubydiamond> krzee: dont know 10:21 < krzee> how dont you know? 10:21 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 10:21 < rubydiamond> krzee: oslo.mangospring.net 10:21 < rubydiamond> its this 10:22 < krzee> ok ya thats same ip 10:22 < krzee> add float 10:22 < krzee> !man 10:22 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 10:22 < krzee> --float 10:22 < krzee> Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.
10:22 < krzee> Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option. 10:23 < rubydiamond> krzee: what exact line should I add? 10:23 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 10:23 < krzee> float 10:24 < rubydiamond> krzee: check pm 10:24 < krzee> why pm? 10:24 < krzee> add the word float 10:25 < rubydiamond> okay 10:25 < krzee> [12:28] *!rubydiam@unaffiliated/rubydiamond* added to ignore list. 10:25 < krzee> dont do that again 10:25 < krzee> !pastebin 10:25 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:25 < krzee> if you need to paste your config, do it that way 10:26 < rubydiamond> hmm 10:26 < rubydiamond> okay 10:27 < ecrist> you've been told that before, iirc 10:27 < rubydiamond> krzee: https://gist.github.com/768317f51404e11d5cf9 10:27 < vpnHelper> Title: gist: 768317f51404e11d5cf9 GitHub (at gist.github.com) 10:27 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 10:28 < krzee> [12:26] krzee: what exact line should I add? 10:28 < rubydiamond> krzee: nothing happens.. it stops there 10:28 < krzee> [12:27] float 10:28 < rubydiamond> sorry krzee 10:29 < krzee> hrm 10:29 < krzee> odd that youd get that error now 10:29 < krzee> did you kill openvpn and start it again? 10:29 < rubydiamond> krzee: on server? 
10:29 < krzee> maybe forgot to put 1 side back up 10:30 < krzee> put float in whatever config was complaining 10:30 < krzee> kill both sides 10:30 < krzee> start server 10:30 < krzee> start client 10:30 < rubydiamond> krzee: I cannot kill the server side 10:30 < rubydiamond> its in my office 10:30 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit ["Leaving"] 10:30 < krzee> it was client complaining? 10:31 < rubydiamond> krzee: yes 10:31 < krzee> ok 10:31 < krzee> add float 10:31 < krzee> kill client start client 10:31 < krzee> oh, do you have redirect-gateway in your config? 10:32 < rubydiamond> krzee: it stops here https://gist.github.com/768317f51404e11d5cf9 10:32 < vpnHelper> Title: gist: 768317f51404e11d5cf9 GitHub (at gist.github.com) 10:32 < krzee> no it doesnt 10:32 < krzee> it pauses there 10:32 < krzee> [12:34] oh, do you have redirect-gateway in your config? 10:33 < rubydiamond> krzee: here is my config https://gist.github.com/6d4cf59a469f1b6d47cd 10:33 < vpnHelper> Title: gist: 6d4cf59a469f1b6d47cd GitHub (at gist.github.com) 10:33 < rubydiamond> krzee: is there any redirect-gateway? 10:35 < rubydiamond> krzee: ? 10:35 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn 10:36 < suprsonic> can I specify a subnet when creating a site to site vpn with ifconfig ? 10:38 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn 10:38 < rubydiamond> krzee: could you please help 10:40 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 10:41 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 10:41 < krzee> rubydiamond, it would be in the server config 10:42 < krzee> suprsonic, a subnet? 
10:42 < rubydiamond> krzee: oh sad 10:42 < suprsonic> yes 10:42 < krzee> for what use suprsonic 10:42 < suprsonic> site to site vpn 10:42 < suprsonic> right now I have two tunnel devices 10:42 < krzee> the subnet would be for what use 10:42 < suprsonic> each assigned a /24 range from what I can tell 10:43 < suprsonic> so like tun0 = 192.168.1.0/24 and tun1 = 192.168.2.0/24 10:43 < krzee> no, and what would be the point? 10:43 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 10:43 -!- AwayML is now known as AndyML 10:43 < suprsonic> so I don't blow a whole /24 subnet 10:43 < krzee> umm, i dont get it 10:44 < suprsonic> would prefer to subnet into /30 subnets 10:44 < krzee> you're talkin bout blowing 2 of them 10:44 < krzee> a site to site only uses 2 ips 10:44 < krzee> nothing but the 2 ips 10:44 < krzee> the /30 stuff is for server/client 10:45 < krzee> you're talkin point to point, only 2 ips, no /24's 10:45 < suprsonic> okay 10:45 < suprsonic> so ar eyou saying I can do this 10:45 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:45 < suprsonic> tun0 = 192.168.0.1-2, tun1 = 192.168.0.3-4? 10:46 < krzee> # 10.1.0.1 is our local VPN endpoint 10:46 < krzee> # 10.1.0.2 is our remote VPN endpoint 10:46 < krzee> ifconfig 10.1.0.1 10.1.0.2 10:46 < krzee> (from the manual) 10:46 < krzee> (also in openvpn.net/examples.html 10:46 < krzee> ) 10:47 < suprsonic> tun0 = 192.168.0.1-2, tun1 = 192.168.0.3-4? 10:47 < suprsonic> are you saying I can do that? 10:47 < krzee> 2 tuns on same machine? 
10:47 < suprsonic> yes 10:47 < krzee> lets say tun0 connects to box1 10:48 < krzee> tun0 would be 0.1 10:48 < suprsonic> agreed 10:48 < krzee> box1 would have a tun with 0.2 10:48 < krzee> lets say tun1 connects to box2 10:48 < suprsonic> agreed 10:48 < krzee> tun0 would be 0.3 10:48 < krzee> box2 would have a tun with 0.4 10:48 < krzee> oops 10:48 < suprsonic> oh 10:48 < krzee> tun1 would be 0.3 10:48 < krzee> box2 would have a tun with 0.4 10:48 < suprsonic> yeah 10:48 < suprsonic> okay 10:49 < krzee> dev tun 10:49 < krzee> remote mypeer.mydomain 10:49 < krzee> ifconfig 10.1.0.1 10.1.0.2 10:49 < krzee> secret static.key 10:49 < krzee> thats an entire config 10:50 < suprsonic> keepalive? 10:50 < suprsonic> hehehhe 10:50 < krzee> other side would be the same, but remote to other box and ifconfig reversed 10:50 < krzee> ya keepalive is a good thing to add 10:50 < krzee> im just giving you the simplest example from the manual 10:50 < krzee> On may: 10:50 < krzee> openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key 10:50 < krzee> On june: 10:50 < krzee> openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key 10:51 < suprsonic> thanks for the help! 10:51 < krzee> yw 10:57 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit ["Leaving"] 10:58 < krzee> !servercert 10:58 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 11:11 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn 11:11 < suprsonic> krzee so can ospf be used between links? 
11:13 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn 11:13 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"] 11:20 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out] 11:22 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 11:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:36 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."] 11:36 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit [Connection timed out] 11:36 -!- kyrix [n=ashley@93-82-15-151.adsl.highway.telekom.at] has joined ##openvpn 11:45 < kyrix> inet addr:10.8.142.6 P-t-P:10.8.142.5 Mask:255.255.255.255 what does the p-t-p address stand for? 11:45 < kyrix> is that the server ip, or the client ip in the tunnel? 11:47 < kyrix> and when i set push route ... to allow access to the servers network, it sets the gw to 10.8.142.5, but the server is 10.8.142.1, any ideas where i am messing up? 11:48 * dazo thought p-t-p links had 255.255.255.252 as netmask .... maybe he remembers wrong
11:51 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:52 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 11:56 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: mcp, Typone 11:56 -!- Netsplit over, joins: mcp, Typone 11:57 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: mcp, Typone 11:58 -!- Netsplit over, joins: mcp 11:59 -!- Typone [n=nitsme@195.197.184.87] has joined ##openvpn 12:07 -!- kyrix [n=ashley@93-82-15-151.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 12:11 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [] 12:11 -!- vladi [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn 12:12 < vladi> hi, i have multiple openvpn clients on the same machine whats the proper way to enable the management interface? 12:14 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 12:19 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:21 -!- dazo is now known as dazoafk 12:23 < xattack> hello guys , has anybody been successful at compiling openvpn in windows , since rc13 and with the prebuilds ? 12:25 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has left ##openvpn [] 12:30 -!- AndyML is now known as AwayML 12:40 -!- jeiworth_ [n=jeiworth@189.163.173.75] has joined ##openvpn 12:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 12:42 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 12:44 < jeiworth_> hi @ll, i am currently implementing openvpn on ubuntu as testsystem for a company and so far everything seems to be working ok :-) anyway, it might be that i will have to train somebody to manage the server (primarily creating and distributing client-keys and installing and configuring openvpn on windows xp and vista boxes) so i am looking for a decent gui for the openvpn server. i am a bit worried about the links provided on the openvpn site since 12:44 < jeiworth_> they all seem to be quite old and no longer maintained, the webmin plugin might be a solution but webmin is no longer in the official repos of ubuntu, but then again neither are any of the guis... anyone got any tips or recommendations?
12:45 -!- jeiworth_ is now known as jeiworth 12:48 -!- int [n=quassel@wikia/int] has joined ##openvpn 12:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:49 < jeiworth> !route 12:49 < vpnHelper> jeiworth: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:13 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)] 13:31 < reiffert> xattack: at least one guy ... 13:32 < reiffert> jeiworth: see that pic on openvpn.net? http://openvpn.net/images/webgui-screenshot.png 13:34 < jeiworth> hi reiffert, yep 13:36 < jeiworth> which one is that? 13:37 < reiffert> openvpn web gui 13:41 < jeiworth> reiffert: ok, is that built in? on openvpn.net i only find information about how to set up the management interface and when i go to the gui-link it only lists me external tools 13:41 < jeiworth> :-/ 13:43 < reiffert> it's not built in. 13:49 < jeiworth> well, thats what i thought, i already found it and latest version is 0.3 beta from september 2005 13:50 < reiffert> It's working quite well. 13:51 < reiffert> so why should one develop a working thing? 13:51 < reiffert> rename it to 1.0.0.0.__FINAL__.0.0.0? 13:52 < reiffert> after all the whole PKI stuff is some shell scripts, building and signing and key deployment is a three step thing. 13:52 < jeiworth> hehe ok, my concern here is more in the direction whether the webgui from 2005 supports all features of openvpn 2.1, that is all ;) 13:53 < xattack> reiffert : thks man , and do you know if he has some feedback about this work , or in this "system" ( I mean ms WIN) 13:54 < xattack> ;) 13:55 < reiffert> jeiworth: it supports PKI, thats all. 
13:56 < reiffert> xattack: all I know is one can download the binary images from openvpn.net, did you try the mailinglist/author yet? 13:58 < xattack> not yet tried that , i have the binary prebuilds and the mingw environment , and when i tried to compile it , just fail !! 13:58 -!- phretor [n=phretor@host179-156-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn 13:58 < phretor> hello 13:59 < phretor> I am having troubles using bridge-start/stop scripts 13:59 < xattack> well , not like that , something in the cryptoapi.c and wincrypt.h points an derror , but just in Win systems in all *nixes this works fine 14:00 < reiffert> Last time I tried myself on win32, I stopped after 2 hours with winsuck() switching to cygwin where everything looks fine again. 14:01 < jeiworth> reiffert: kk thanks, will give it a try 14:03 < phretor> this is my network scheme: Internet <---> DSL <----> [WAN:router:LAN 192.168.1.0/24] <---> [eth0(192.168.1.55):openvpn-server:tap0,br0] and this is the server config file: http://pastie.org/358935 14:03 < xattack> reiffert: thanks , jajaja im gonna still try this , I were succesfull to compile version 2.1_rc7 with MSVC express but not 2.1_rc13 with mingw and prebuilds 14:05 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 14:05 < phretor> here is the bridge-start http://pastie.org/358936 script 14:06 < phretor> is it correct that the script attempt to assign eth0's address to br0? 14:06 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 14:08 < phretor> any suggestion? 14:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [] 14:16 -!- phretor [n=phretor@host179-156-dynamic.21-79-r.retail.telecomitalia.it] has quit [] 14:17 -!- int [n=quassel@wikia/int] has joined ##openvpn 14:17 < reiffert> xattack: rite, msvc express, should have mentioned that before 14:17 < xattack> ? 
14:18 < reiffert> xattack: it exists, downloadable at m$.com 14:19 < xattack> yes , i have it installed in this computer , but as far as i have read the new compiling method is just with mingw , not msvc or any other , am I right ? 14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:39 < reiffert> xattack: I have no idea. 14:49 < xattack> reiffert : ok thanks , im still looking for the solution for this , see ya later 14:49 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 15:35 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 15:44 < krzie> sup reif 15:59 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn 17:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:51 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 17:51 < Ricoshady> are there any special things I can do to help optimize, stabilize openvpn and samba? 17:53 < krzie> well 17:54 < krzie> if using tun, wins server helps 17:54 < krzie> if using tap, switching to tun and running wins 17:54 < krzie> (to have less overhead) 17:55 < krzie> if using tcp, going to udp will help big time 17:55 < krzie> and checking your MTU could help if its not optimal 17:56 < krzie> if you wanna know how or why for any of those, say so 18:36 < Ricoshady> what does the wins server do? basically, its a little choppy, it comes up, but if the vpn fails, and restarts, the share doesnt always pop back up right away
18:36 < Ricoshady> im on udp 18:37 < Ricoshady> using tun 18:37 < Ricoshady> not sure about MTU, set to default whatever that would be 18:40 < krzie> Ricoshady wins is not part of openvpn 18:40 < krzie> but it may help you a bunch 18:40 < krzie> you could think of it as DNS for netbios 18:41 < krzie> and since samba is made to be a layer2 protocol, when you use it as layer3 you should run samba 18:41 < krzie> it should help them pop back up 18:41 < krzie> !mtu 18:41 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 18:41 < krzie> #2 is easiest way 18:46 < Ricoshady> dont mind giving it a try, what wins server do you recommend, linux? 18:46 < Ricoshady> do I need to configure samba to use the wins server? or how does it work? 18:46 < krzie> its a 1 line addition to your samba config 18:46 < krzie> samba is the wins server 18:47 < Ricoshady> wait, so i dont need to install anything? how do I turn on the wins server? 
18:47 < krzie> nothing extra to install 18:48 < krzie> by adding a line to samba config 18:48 < Ricoshady> whats the line 18:48 < krzie> http://oreilly.com/catalog/samba/chapter/book/ch07_03.html 18:48 < vpnHelper> Title: [Chapter 7] 7.3 Name Resolution with Samba (at oreilly.com) 18:48 < krzie> ive never used samba 18:48 < krzie> but thats all you should need to know 18:49 < krzie> you cant use bcast 18:49 < krzie> but the other 3 methods should be fine 18:49 < krzie> lmhosts / hosts are static files 18:50 < krzie> wins option is dynamic 18:50 < Ricoshady> trying it out 18:50 < krzie> 7.3.3 Setting Up Samba as a WINS Server 19:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 19:52 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 19:58 -!- vladi [n=vladi@206-169-1-36.static.twtelecom.net] has quit ["Lost terminal"] 19:58 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 20:05 -!- tjz [n=tjz@121.7.98.165] has joined ##openvpn 20:06 < tjz> wow 20:06 < tjz> my auto join works for openvpn channel now 20:06 < tjz> no idea what kind of changes were made on the irc server.. 20:11 < ecrist> evening, bitches 20:11 < krzie> tjz, all depends if your nickserv auths before trying to join 20:12 < krzie> may get lucky sometimes if your client doesnt have the option to wait 20:12 < ecrist> I removed the +r from the channel 20:12 < krzie> ahhh 20:12 < krzie> that would do it too 20:12 < krzie> hehe 20:14 < tjz> eric!! 20:14 < tjz> no wonder it works now! 20:14 < tjz> hahahaha 20:15 < ecrist> we don't like you though, so.... 20:15 < krzie> lol 20:15 < tjz> x_x 20:15 < tjz> :( 20:15 -!- mode/##openvpn [+r] by ChanServ 20:15 < tjz> oh no 20:15 < krzie> poor tjz 20:15 < tjz> :P 20:15 < tjz> i have to do extra work 20:15 < tjz> like eg. type /join openvpn manually
20:15 < tjz> hehehehe 20:16 -!- mode/##openvpn [+o ecrist] by ChanServ 20:16 -!- mode/##openvpn [-r] by ecrist 20:16 -!- mode/##openvpn [-o ecrist] by ecrist 20:17 -!- mode/##openvpn [+o tjz] by ChanServ 20:17 -!- mode/##openvpn [+o krzie] by ChanServ 20:17 <@tjz> x_x 20:17 -!- mode/##openvpn [-o tjz] by krzie 20:17 < tjz> op is abusing the channel bot 20:17 -!- mode/##openvpn [-o krzie] by krzie 20:17 < krzie> hehe 20:17 < tjz> lol 20:18 < krzie> <-- bored 20:18 -!- mode/##openvpn [+o ecrist] by ChanServ 20:18 -!- krzie was kicked from ##openvpn by ecrist [ecrist] 20:18 -!- mode/##openvpn [-o ecrist] by ecrist 20:19 < ecrist> lol 20:19 < simplechat> what? 20:20 -!- simple_bot [n=betabot@betacorp.net] has joined ##openvpn 20:20 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 20:20 < tjz> oh man 20:21 < ecrist> <-- bored 20:21 < tjz> lol 20:21 < tjz> not another one 20:21 < tjz> lol 20:21 < tjz> <-- i'm a little bored 20:21 < tjz> LOL 20:21 < ecrist> why is there another bot in here? 20:21 < krzie> another bot? 20:22 < tjz> don't think we have another bot.. 20:22 < tjz> chanserv is the only one around.. 20:22 < tjz> oh 20:22 < krzie> not true tjz 20:22 < tjz> we have brother vpnHelper 20:22 < tjz> ehhehe 20:22 < krzie> yup 20:22 < tjz> !help sex 20:22 < vpnHelper> tjz: Error: There is no command "sex". 20:22 < tjz> lol 20:22 < krzie> oh simple_bot 20:22 < krzie> hrm 20:23 < krzie> ... CTCP VERSION reply from simple_bot: xchat 2.8.4 Linux 2.6.27.9-73.fc9.i686 20:23 < krzie> [i686/2.39GHz/SMP] 20:23 < krzie> seems to just be the name 20:23 < simple_bot> what are you doing? 20:23 < simple_bot> krzee, ? 
20:23 < krzie> trying to figure out if you were a bot, lol 20:24 < tjz> LOL 20:24 < simple_bot> of cource i'm not a bot 20:24 < tjz> omg 20:24 < simplechat> i'm just bounced 20:24 < ecrist> your nick would imply otherwise 20:24 -!- simple_bot is now known as simple_not_a_bot 20:24 < krzie> im sure you can see how the name would throw me off 20:24 < simple_not_a_bot> better? 20:24 < krzie> hahaha 20:24 < ecrist> much better 20:24 < tjz> sexual abuse the simple_bot 20:24 < tjz> hehehehe 20:24 < simple_not_a_bot> tjz, computer says no 20:24 < tjz> LOL 20:24 < simple_not_a_bot> :) 20:25 < simple_not_a_bot> ..... 20:25 -!- simple_not_a_bot [n=betabot@betacorp.net] has left ##openvpn ["Leaving"] 20:25 < ecrist> aw 20:25 < ecrist> he must not have liked my /ctcp simple_not_a_bot in_teh_butt 20:59 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has quit ["Ex-Chat"] 20:59 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection] 21:04 < krzie> sq 4595 21:04 < krzie> #4595: * krzee penetrates tdc's network * tdc is scared of krzee 21:04 < krzie> krzee stop haxing tdc haxing!? im 21:04 < krzie> having sexual relations with his network 21:04 < tjz> LOL!!! 21:04 * tjz rolling around.. LOL 21:04 < krzie> hehehe 22:41 -!- hackmykack2345 [n=neil@122.169.104.151] has joined ##openvpn 22:42 < hackmykack2345> hi Guys 22:43 < hackmykack2345> needed some help trying to connect to an openvpn server from multiple clients using the same key 22:43 < hackmykack2345> was wondering if that is even possible 22:44 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 22:49 < dvl> Why would you want duplicate keys? 22:49 < dvl> What is the problem? 22:49 < hackmykack2345> dvl: Hey dvl .. thnx for replying !!! 
22:49 -!- tjz [n=tjz@121.7.98.165] has quit [Read error: 110 (Connection timed out)] 22:50 < hackmykack2345> dvl: i wanted multiple people to connect to my openvpn server 22:51 < hackmykack2345> dvl: should I just start multiple instances of openvpn with separate conf and key files? 22:51 < hackmykack2345> dvl: or is there an easier method ? 23:00 -!- Solarbaby [n=solarbab@adsl-69-228-2-165.dsl.irvnca.pacbell.net] has joined ##openvpn 23:00 < dvl> hackmykack2345: create one openvpn server, to which multiple clients can connect. 23:00 < Solarbaby> dvl: ready for round 2? 23:00 < dvl> http://www.freebsddiary.org has how I did it. 23:00 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org) 23:00 < dvl> Solarbaby: no, I'm ready for bed. 23:00 < Solarbaby> heheh I dont blame ya 23:00 < Solarbaby> I changed my router since the last time we spoke 23:01 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 23:01 < Solarbaby> dvl: thanks for the help the other day 23:03 < hackmykack2345> dvl: so the CA way is the way to go then ? 23:03 < hackmykack2345> dvl: shall read up on your link .. thnx so much for the help 23:04 < hackmykack2345> dvl: have a great evening / night 23:17 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 148 (No route to host)] 23:33 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn --- Day changed Tue Jan 13 2009 00:11 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 00:11 -!- hackmykack2345 [n=neil@122.169.104.151] has left ##openvpn ["Leaving"] 00:30 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 00:32 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 00:33 < Ricoshady> in examples I read, after the vpn is up, they add a route... im not sure what this is for... the example added a route for 10.0.1.0, but I change the ip address to 10.108.42.1, so what route should I add and what is its purpose?
00:40 < Ricoshady> also, when I build the keys after a make-clean, are the keys going to be different if I put in same values when building the certs? 00:44 < krzee> same values for what 00:49 < Ricoshady> the cert values, common name, etc 00:49 < Ricoshady> or does build-dh create unique keys each time 00:50 < Ricoshady> im just wondering, if someone got hold of the keys, youd want to generate new ones, wanted to know if I went thru the same process, would the keys come out the same 00:53 < Ricoshady> also, what if I want to create new client keys after I went thru the whole process 01:05 -!- Jorj [n=dfdsfsf@vpnc036.ugent.be] has joined ##openvpn 01:05 < Jorj> !route 01:05 < vpnHelper> Jorj: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:10 < Jorj> I'm just starting to learn some things about openvpn and have a small question, most configs I have seen seem to assume a local ip of the server. But I'm trying to configure the setup: internet on client is provided via cisco vpn, but I want to use an openvpn tunnel to access internet locations via a VPS, where the openvpn server should be hosted. 01:12 < krzee> the cisco vpn is totally separate? 01:12 < Jorj> My VPS doesn't have a local ip though, only an external one, setting one in the config doesn't work. But I can already connect to the openVPN on the VPS. But I can't ping the virtual ip of the server (10.10.10.1 according to the ifconfig), neither can I access internet locations only accessible via the VPS. I know this is probably some firewall/routing problem, but I would appreciate any general guidelines. 01:12 < krzee> or you are hoping to hook openvpn up to cisco? 01:13 < Jorj> It should be configured such that all the internet is then routed via the openvpn. 
01:13 < Jorj> Yes, I'm in a local network where the internet is provided through VPN. 01:13 < krzee> ok 01:13 < Jorj> (that cisco vpn). 01:13 < krzee> on the vps 01:13 < krzee> you put the ip it has 01:13 < krzee> if that is inet routable, so be it 01:14 < Ricoshady> does anyone ave suggestions on the server/client keys? what if after I've run build-dh I need more client keys? 01:14 < krzee> whatever local address it can bind to 01:14 < krzee> Ricoshady, make them...? 01:14 < krzee> [02:54] im just wondering, if someone got hold of the keys, youd want to generate new ones, wanted to know if I went thru the same process, would the keys come out the same 01:15 < Jorj> krzee: Do you mean setting the local var in the server.conf, to the internet ip? 01:15 < Jorj> I'm not really experienced, sorry. :-) 01:15 < krzee> if that is the ip in ifconfig, yes 01:15 < Jorj> Well, I tried that, but I couldn't start the server. 01:16 < krzee> then you prolly have another problem, are you looking at your logs? 01:16 < Jorj> And I couldn't find an error. 01:16 < Jorj> Hm yeah, I tried looking in messages, where I could see other openvpn related error messages, but none showed up. 01:17 < krzee> Ricoshady, you would add the compromised keys to your CRL 01:17 < krzee> and build more keys 01:17 < krzee> as long as the ca.key is not compromised, your vpn is safe 01:17 < krzee> Jorj, 01:17 < krzee> !logs 01:17 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 01:17 < Jorj> Found the error. :P 01:17 < krzee> !configs 01:17 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:17 < krzee> ahh 01:17 < krzee> ill bbiad 01:17 < krzee> ill bbiaf 01:18 < krzee> getting smokes 01:18 < Jorj> Thanks for the help already. 
:-) 01:18 < Ricoshady> so I can continue to create more client keys without runnng build-dh? 01:18 < Ricoshady> im not sure what he CRL is 01:23 < Ricoshady> how do I put client keys in the CRL? 01:26 < Jorj> krzee: I have restarted the VPS openvpn-server with the local parameter set to the external/internet ip. The ip address of the tun adapter is 10.10.10.1 and the ip of the connected client is 10.10.10.6. I still can't ping the 10.10.10.1 (VPS virtual ip) from the client (or the other way around). I think I have to get this figured out before I have to add the route parameters, right? Since the routing will go through the virtual ip? : 01:27 < Jorj> 10.10.10.6 -> 10.10.10.1 -> "local": internet ip 01:33 < dazoafk> Ricoshady: you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) ... that will create the CRL file for you 01:33 -!- dazoafk is now known as dazo 01:34 < dazo> Ricoshady: CRL = Certificate Revocation List ... contains certificates which has been revoked, and if a client tries to connect with a certificate which has been revoked (listed in the CRL), the user will be denied access immediately 01:34 -!- rodpod [i=rod@hick.org] has joined ##openvpn 01:37 < krzee> Jorj, if you have no errors, your problem could be that you have your inet over a vpn 01:38 < krzee> having not tested that myself, i cant say 01:39 < Jorj> Well, it's annoying that I don't have another connection to test, bleh. But in theory it should work I think. 01:41 < Jorj> It's so weird that I can't ping the connected client from the VPS... 01:41 < Jorj> client-to-client is enabled too. 
01:44 < krzee> client-to-client has nothing to do with that 01:44 < krzee> if its not your firewall, its your vpn breaking the routing 01:44 < krzee> in fact it makes sense that the vpn would break the routing 01:45 < krzee> since openvpn reaches the vpn via routing table, which would break your cisco vpn connection even if it worked 01:45 < krzee> which would keep it from working even then 01:45 < krzee> since you have no inet without that 01:45 < krzee> so ya, my vote says it wont happen 01:46 < Jorj> Ha, yeah, could be. :P Problem is, my inet is filtered by the cisco vpn. I even had to run the openvpn at tcp instead of udp, because the cisco firewall blocks most udp connections. 01:47 < Jorj> But it also blocks certain websites and in general most ports, disabling online gaming and other uses the internet was intented for (;)). :P 01:48 < Jorj> I thought, I'll tunnel all that traffic so I can play a game, or just access unrestricted internet. 01:48 < krzee> socks 01:48 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 01:48 < krzee> or ssh tunnels 01:48 < Jorj> Yeah, but not for games, unless using a special program to let the game use the proxy? 01:49 < Jorj> Because I can't config socks/proxy for most games. 01:49 < krzee> i use proxifier to tunnel anything that uses tcp/ip through socks 01:49 < Jorj> Oh really, I tried proxifier actually. 01:49 < Jorj> I'll set up a simple socks proxy via ssh and try that, thanks. 01:49 < krzee> np 01:49 < krzee> note, this isnt a help channel for that, so i wish you good luck with it 01:50 < Jorj> Yes, I know, but you helped anyway. Thanks. :-) 01:51 < krzee> np 01:52 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 01:52 < krzee> also 01:52 < krzee> if those games communicate over lan normally (layer2) socks wont help you 01:52 < Ricoshady> dazo, thanks... so after I create the CRL, do I need to put something in the config? and copy the CRL somewhere? 
01:53 < krzee> !man 01:53 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 01:53 < dazo> Ricoshady: 10 points! 01:53 < dazo> !crl 01:53 < vpnHelper> dazo: Error: "crl" is not a valid command. 01:53 < dazo> darn 01:53 * dazo wanted to be clever :-P 01:53 < krzee> --crl-verify crl 01:53 < krzee> Check peer certificate against the file crl in PEM format. 01:53 < krzee> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. 01:53 < krzee> Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI. 01:53 < krzee> The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. 01:53 < krzee> dazo, good call tho 01:54 < dazo> :) 01:54 < krzee> !learn crl as --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised. 01:54 < vpnHelper> krzee: Joo got it. 01:55 < krzee> !learn crl as you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you 01:55 < vpnHelper> krzee: Joo got it. 
01:56 < Ricoshady> so revoke-full it will add to the CRL file, and I just make sure openvpn knows about it 01:56 < Ricoshady> knows where the current CRL file is I mean 01:56 < reiffert> !local 01:56 < vpnHelper> reiffert: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 01:56 < krzee> rup reif 01:57 < reiffert> moin 01:57 < Ricoshady> I assume I need all the original key information as well 01:57 < dazo> Ricoshady: yup ... no more magic than that 01:57 < reiffert> But local is something different, --local 01:57 < Jorj> krzee: (this is somewhat ontopic) I still can't really comprehend why the traffic would still be blocked. I mean, I can setup a SSH connection, route encrypted/non-filtered traffic through there, so in theory it should be perfectly possible to route all traffic from a game through the tunnel and back, no? 01:57 < krzee> !forget local 01:57 < vpnHelper> krzee: Joo got it. 01:57 < dazo> Ricoshady: it's the CA which will create the CRL ... so the CA knows about the cert, yes 01:57 < krzee> reiffert, but nobody has ever had a question about --local before 01:57 < krzee> before tonight 01:57 < krzee> much more useful as is 01:58 < krzee> !learn local as a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 01:58 < vpnHelper> krzee: Joo got it. 01:58 < krzee> but without my typo ;] 01:58 < Ricoshady> will the easy-rsa directory work anywhere? would rather move it from the examples directory 01:58 < reiffert> yep 01:58 < Jorj> Ricoshady: yeah. 01:59 < krzee> --local is the ip to bind to, the only way to be confused by that is if you bypass ALL docs and just try walkthroughs 01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:02 < dazo> Ricoshady: Have a look in the vars file inside the easy-rsa directory ... 
you can change the EASY_RSA variable to wherever your would like it ... and the same goes for the KEY_DIR as well 02:03 < dazo> you'll need to source this file (source ./vars) anyway whenever you call any of the scripts in this directory 02:04 < dazo> Ricoshady: you can also try to write "make" in that dir ... and you'll get a simple install instructions 02:05 < krzee> hah i never noticed there was a Makefile 02:05 < Ricoshady> thanks guys, seems to be working well, cool stuff... 02:05 < krzee> dazo, ever tried ssl-admin? 02:06 < dazo> krzee: nope ... I've been using tinyca one place where I wanted to be gui-lazy, though :-P 02:06 < krzee> haha werd 02:06 < krzee> this is the in-between 02:06 < dazo> krzee: ssl-admin .... any url? ... sounds interesting 02:06 < Ricoshady> can I route my vpn server address 10.? to the local net 192.? 02:07 < krzee> menu driven text based interface 02:07 < krzee> !ssl-admin 02:07 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 02:07 < Ricoshady> so I can ping other pcs 02:07 < dazo> TUI :-P 02:07 < krzee> there was an issue in svn this morning with r35 02:07 < krzee> but ports version worked fine 02:07 < krzee> but i told ecrist and he may have fixed it 02:08 < krzee> Ricoshady, 02:08 < krzee> !route 02:08 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 02:09 < krzee> ssl-admin is written in perl, and is the lazy text-based cert manager 02:10 < dazo> krzee: :) ... I'll have a look into that one, seems better ... 02:10 < krzee> right on 02:10 < krzee> what os do you use? 02:10 * dazo this reminds me to set up a proper off-line box for a proper CA 02:10 < dazo> krzee: Linux .... 
mostly Gentoo and Fedora 02:11 * dazo is scrapping Ubuntu soooon 02:11 < krzee> ahh cool, lemme know if ssl-admin is in emerge yet 02:11 * dazo is looking fwd to dhat 02:11 * dazo checks portage 02:11 < dazo> krzee: can't say I see ssl-admin in any obvious places, though :( 02:12 < dazo> emerge/portage - that is 02:12 < krzee> emerge --search ssl-admin 02:13 < dazo> as I said, not in any obvious places ;-) 02:13 < dazo> anyone volunteered for putting it into portage? 02:13 < Ricoshady> pretty impressed so far with openvpn! its cool 02:14 < dazo> Ricoshady: you can have a look at http://www.eurephia.net/ ... and you'll see even cooler things you can do with openvpn :-P 02:14 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 02:14 < krzee> dazo, well someone submitted it for me 02:15 < Ricoshady> cool I was wondering about username/passwords actually 02:15 < dazo> krzee: ahh ... goodie, then it'll show up at some point for sure :) 02:15 < krzee> cause I wrote the ./configure script that would setup the Makefile to install it for linux 02:15 < Ricoshady> is there a windows client that doesnt just open a dos window? 02:15 < Jorj> Openvpn gui. 02:15 < Jorj> www.openvpn.net 02:15 < krzee> but they didnt like that i used a configure script because it is better done by a proper Makefile 02:16 < dazo> Ricoshady: yeah ... you're using openvpn server on Windows? ... hmmm ... not sure how well eurephia will play then :( 02:16 < krzee> which is true, i just havnt gotten to it 02:16 < dazo> Jorj: Ricoshady: ... 
if you'll take the official openvpn from http://openvpn.net/ for windows, openvpn gui is included here, at least for the 2.1RC releases 02:16 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 02:17 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 145 (Connection timed out)] 02:18 < Ricoshady> i have openvpn gui, but it just opens little icon in the tray that doesnt have any options when I right click, like "about" 02:18 < dazo> krzee: http://bugs.gentoo.org/250611 02:18 < vpnHelper> Title: Gentoo Bug 250611 - [NEW EBUILD] net-misc/ssl-admin (at bugs.gentoo.org) 02:19 < Jorj> You have to paste the configuration files in the openvpn/config folder. 02:19 < dazo> Ricoshady: you haven't configured openvpn-gui correctly ... you'll need to place config files in a special folder and using the .ovpn extension 02:20 < Ricoshady> yea, i just found the readme, sorry for the dumb question 02:20 < dazo> Ricoshady: you'll also find the config folder via the Start menu as well .... start -> Programs -> openvpn ...something, don't remember now 02:21 < Ricoshady> any performance difference between dos window and gui? 02:23 < Ricoshady> damn eurephia looks cool 02:24 < Ricoshady> how easy to get going? 02:24 < dazo> Ricoshady: shouldn't be ... it's different processes, and I don't expect writing to log pipe from openvpn should make openvpn lag ... that'd be pretty lame 02:25 < dazo> Ricoshady: well, it's only tested on linux, that can be a downside .... I've never heard anyone trying it on Windows ... but if you have a linux box being a openvpn server, it shouldn't be too difficult 02:26 < dazo> Ricoshady: but be aware, it's beta still ... and the security regarding password hashing is pretty lame at the moment .... but I'm working on improving that nowadays 02:26 < Ricoshady> my vpnserver box is debian 02:27 < dazo> Ricoshady: have a look at the wiki, and you'll have the hard way to set it up ... 
the admin utils are able to help you out with some simple things when you first have added the first user manually into the database 02:27 < dazo> Ricoshady: debian should be no prob 02:28 < Ricoshady> the custom firewall rules are cool 02:28 * dazo hopes nobody here minds the eurephia discussion on ##openvpn .... 02:28 < dazo> Ricoshady: yeah, I'm using that pretty much as well, and it works like a charm :) 02:29 < Ricoshady> one other question on openvpn... in the server config config I use "ifconfig sip cip" what if I have multiple clients? 02:29 < dazo> Ricoshady: I have a setup with 3 different network segments ... and my users get only access to computers on the segment they are authorised for 02:29 < dazo> Ricoshady: you should probably use server-pool ... if I remember correctly 02:29 * dazo checks a config file 02:30 < dazo> Ricoshady: I'm using dev-type tap ... so I'm not using tun, first of all .... and then I'm using "ifconfig-pool" to have a fake DHCP server for the openvpn connections 02:32 < Ricoshady> does tun only allow one connection? 02:32 < Ricoshady> can I see your config? 02:32 < dazo> Ricoshady: Probably not, but I think it is more config work ... 02:32 < dazo> Ricoshady: sure .... just a sec 02:33 < Ricoshady> and why did you pick tap? does it require any extra work to use tap? 02:35 < dazo> Ricoshady: http://pastebin.com/d68527bbc 02:36 < dazo> Ricoshady: just because I like to be low-level on the interface .... I was also playing with some bridging, and it's just become my "default" setup, kind of 02:37 < dazo> Ricoshady: what this config do not do, is to prepare the vpn0 interface (I've also renamed the tap interface) .... so that's done via my distro's own network startup script ... but that could most probably also set up by using --server 02:41 < Ricoshady> i wonder tho, my tun0 device states both ips, the sip and cip, makes me think it only handle one connection 02:47 * dazo don't remember the gory details now ... 
too long ago since last time he tried tun devices 02:48 < dazo> Ricoshady: ahh! I think I also used tap to enable Windows clients ... I believe that it was some issues with Windows and tun devices ... but don't remember if this was just misinterpretation or if it was as reality 02:48 * dazo got it working with tap, and didn't think more about it 02:49 < Ricoshady> i like the keepaline and push statements in your config, im using em now 02:50 < Ricoshady> man this is the shit 02:51 * dazo wonders if shit == gold in this context :-P 02:53 * Ricoshady nods 02:55 < Ricoshady> if you put up a VPN on a port like 80, and routed inet traffic on the client thru the VPN, you could circumvent outgoing restictions in office firewalls huh? 02:56 < Ricoshady> assuming they didnt block my VPN 02:56 < Jorj> If you read some of my questions, I was trying the same thing. 02:56 < Ricoshady> i think its possible 02:56 < dazo> Ricoshady: yup, that is possible .... 02:56 < Jorj> Here: udp mostly blocked, all >1024 ports and I'm trying to play a game via my own openvpn on my vps. 02:57 * dazo is considering to test that to avoid his mobile company to overcharge non-port-80 traffic ..... 02:57 < Jorj> But for some weird reason I couldn't get the client and server to see eachother, but I also think it should be possible. Thing is, I'm also in a VPN with those restrictions. 02:57 < dazo> Ricoshady: for that to work ... you'll need 80/tcp .... 02:58 < Ricoshady> yea 03:00 < Ricoshady> does openvpn gui need to be installed? or does it just execute in its directory? I was think i could put it and the client keys on a USB drive. 03:00 < Ricoshady> actually thats probably a bad idea 03:00 * dazo dunno 03:00 < Ricoshady> i wouldnt want to run it on any random computer 03:00 < dazo> Ricoshady: if the USB is encrypted somehow ... or if you use pkcs12 with passwords, you'll be safer though 03:00 < reiffert> Ricoshady: or protect the keys with a password. 
03:01 < Ricoshady> reiffert, how does that work? 03:01 < reiffert> !howto 03:01 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:01 < dazo> Ricoshady: I use pkcs12 mostly ... because in one file you'll find all certificates and needed keys ... and they are password encrypted 03:02 < reiffert> Ricoshady: If you would like to password-protect your client keys, substitute the build-key-pass script. 03:02 < dazo> Ricoshady: which I consider safe enough, as I'll have time to revoke certificates and blacklist them in eurephia if they are lost 03:02 < Ricoshady> reiffert, then what happens, when the vpn connects it asks for a password? 03:03 < reiffert> Ricoshady: yeah 03:03 < dazo> Ricoshady: but some of my other users are not too happy ... having username and 2 passwords (user account + certificate) to remember .... but they usually get over it after a little while 03:03 < dazo> Ricoshady: yeah, even before bringing up the connection to your server 03:03 < reiffert> You protect the use of the client key by a password 03:04 < reiffert> it's an openssl thing 03:04 < Ricoshady> what about reconnects? 03:05 < reiffert> What about them? 03:05 < Ricoshady> will it ask for the password again? 03:05 < reiffert> no. 03:05 < Ricoshady> just when you initally start the vpn 03:05 < dazo> Ricoshady: yeah 03:05 < Ricoshady> let me try 03:06 < reiffert> .oO It's all in the howto 03:08 < Jorj> Ricoshady: do you use a vps as your openvpn server? Just out of interest. 03:11 < Ricoshady> vps? 03:11 < Ricoshady> hell yea, password worked just fine 03:11 < Jorj> Virtual private server, but nvm. :-) 03:11 < Ricoshady> the I build the dh file, sometimes it takes forever, other it barely craetes a line of computing 03:13 < Ricoshady> you know what I mean? it says... this will take a long time... somettimes it does, other its really quick, should I be worried if its quick? 
03:13 < dazo> Ricoshady: depends on how much random data which needs to be collected ... sometimes it takes a while to seed the RNG ... doing some disk access (find /, f.ex) may help 03:13 < dazo> Ricoshady: if the RNG is full of random data ... it can go quicker ... but if it needs to collect data, it'll go slower 03:14 < Ricoshady> man this is working great 03:14 < Ricoshady> better than I expected 03:15 < dazo> Ricoshady: nah ... you're using open source product, not microsoft product .... of course it works better than expected :-P 03:15 < thewolf> Hey, evening people 03:16 < Ricoshady> im all about opensource 03:16 < dazo> :) 03:16 < thewolf> I've got a problem: I can't ping my server (10.1.0.1) from my client (10.1.0.2), are there any common causes for this other than user (my) stupidity? 03:17 < reiffert> firewall, firewall, firewall. 03:17 < thewolf> This is my server config: http://pastie.org/359420 03:17 < thewolf> hmm 03:18 < thewolf> firewalls suck 03:18 < reiffert> and topology 03:19 < reiffert> http://netzdeponie.de/download/fun/movies/BegehbarerSchrank.avi 03:21 < dazo> :D 03:24 < Ricoshady> what does the gui change password feature do? 03:24 < reiffert> Guess. 03:25 < thewolf> reiffert: since I can't change my local firewall atm, would it be safe to run it on another port that I know is open? 03:25 < Ricoshady> reiffert, funny but what password? the cert password? 03:25 < Ricoshady> i dont have any other password 03:25 < krzee> lol reiffert 03:25 < krzee> Ricoshady, it changes the password you could set on your cert when making the cert 03:25 < krzee> as opposed to any password you could have on the vpn 03:26 < Ricoshady> oh, it changes the cert password, ok 03:26 < Ricoshady> sorry 03:27 < dazo> Ricoshady: yeah, only cert passwords ... it's not possible to change any other passwords from the client, afaik (like user-auth passwords) 03:40 -!- l11 [n=l@verhau.de] has joined ##openvpn 03:41 < Ricoshady> can I make a key only last so long? 
03:42 < reiffert> || so long or | | so long? 03:47 < Ricoshady> can I make it so a cert expires 03:47 < l11> reiffert: hi 03:47 < reiffert> Yes, you can 03:47 < reiffert> l11: ! 03:48 < l11> reiffert: update the fritzbox firmware :) or your mac will be slowed by it. 03:48 < reiffert> wtf? 03:49 < dazo> Ricoshady: expiry is set when creating the certs 04:12 -!- Jorj [n=dfdsfsf@vpnc036.ugent.be] has quit [] 04:13 < reiffert> http://research.microsoft.com/en-us/um/redmond/projects/songsmith/videos/EveryoneHasASongInside.mov 04:13 < reiffert> ms using a macbook? 04:17 < l11> part 1 of embrace and extend 04:27 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn 04:35 < dazo> reiffert: you know these new Intel based boxes now runs Vista .... we're soon to enter phase 2 of the EEE ... 04:52 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 04:53 -!- prxtien [n=pro@115.131.201.161] has joined ##openvpn 04:53 < prxtien> hey all 04:54 < prxtien> im looking at increased key sizes, does anyone know the performance impact on going from 1024 > 2048 > 4096bit certificates, and also performance decrease by increased dh key strength 04:54 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 05:03 < reiffert> I remember one guy unable to create a 4096 dh 05:04 < reiffert> some weeks ago. 05:04 < reiffert> prxtien: If you find something out, please let me know, sounds intresting. 05:04 < prxtien> well dh i was thinking of going from 1024 to 2048... 
and moving to maybe 2048 or 4096bit rsa certificates 05:05 < prxtien> dh 2048 took about 15 minutes on a tiny via c7 based server 05:05 < prxtien> on anything gutsy, less than 5 minutes youd think 05:31 -!- worch [n=worch@battletoad.com] has quit [Read error: 131 (Connection reset by peer)] 05:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:50 -!- worch [i=worch@battletoad.com] has joined ##openvpn 06:20 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 06:20 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn 06:24 -!- prxtien [n=pro@115.131.201.161] has quit [Read error: 60 (Operation timed out)] 06:51 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 07:06 -!- zheng [n=zheng@58.33.126.221] has joined ##openvpn 07:27 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 07:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 07:47 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 60 (Operation timed out)] 07:56 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 07:57 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn 08:00 -!- zheng [n=zheng@58.33.126.221] has quit ["Leaving"] 08:13 -!- worch [i=worch@battletoad.com] has quit [Read error: 113 (No route to host)] 08:32 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 08:42 < ecrist> who told me what? 08:45 < ecrist> oh, krzee, haven't fixed it yet. won't get to it until later this week. 
09:13 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit ["Leaving"] 09:41 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 09:41 < plaerzen> morning ovpn'ers 09:44 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Connection reset by peer] 09:44 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn 09:48 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"] 09:52 < ecrist> howdy plaerzen 09:54 < plaerzen> ecrist, how you doing ? 10:12 < ecrist> good, so far. it's early yet 10:19 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 10:23 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn 10:23 < c64zottel> may i get trouble when i open a OpenVPN net with 10.10.254.0/24 when the whole network has 10.10.0.0/16? 10:26 < ecrist> yes 10:26 < ecrist> not even 'may,' you 'will' get in trouble 10:26 < c64zottel> ecrist: hm 10:27 < c64zottel> i knew it 10:27 < c64zottel> cause, i can't differentiate between them, when they get routed? right? 10:27 < dazo> c64zottel: does the VPN net really have to be within the 10.10.0/16? 10:28 < c64zottel> the server hast 2 nic's, one local net 10.10/16 and the internet 10:28 < dazo> c64zottel: well, it's almost impossible to get correct routing with overlapping nets ... even though, in theory it might work, but I think that will require much more work on all clients 10:28 < c64zottel> and i want connect from the net, sure 10:28 < ecrist> c64zottel: see !1918 10:28 < c64zottel> hm, but, how can i understand? 10:28 < ecrist> choose another range 10:29 < c64zottel> !1918 10:29 < vpnHelper> c64zottel: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 10:29 < dazo> c64zottel: yeah ... but I meant the VPN config .... 
10:29 < dazo> c64zottel: choose an available segment listed above 10:30 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 10:30 < c64zottel> dazo: i will, but why do i get trouble? 10:31 < c64zottel> ecrist: thanks 10:31 < c64zottel> i read that, but i can't get a clue why it is so important 10:31 < dazo> c64zottel: because the routing from clients will get confused where the traffic should go 10:32 < c64zottel> dazo: but it's clear, in both cases it's routed to the ovpn, i could see the incoming icmp's over the tun0 10:33 < dazo> c64zottel: make it easier for your self, and avoid overlapping network segments .... and the really big troubles will come the day when a computer on your LAN grabs an IP in the 10.10.254.0/24 range ... then traffic from this box will go fine out of your network, but when going in, it will be routed to the VPN interface instead 10:33 < dazo> c64zottel: if you want to make the network transparent over the VPN .... you're probably looking for bridging 10:34 < ecrist> c64zottel: if it works for you, then why are you asking questions? 10:34 < c64zottel> dazo: i appreciate you advice, and i will follow, but i like to know what why .) 10:34 < c64zottel> maybe i need just more experiece 10:35 < c64zottel> ecrist: first, 6 sense, and second, there was a case with two routes, 10.10.254/24 and 10.10/16 wish made trouble, just with the route 10.10/16 it worked 10:35 < dazo> c64zottel: it's just kind of an unwritten rule .... keep your network segments clean, don't overlap segments, avoid several segments on the same physical network ... all to avoid network errors, even though it might work fine, but that's not given 10:36 < c64zottel> dazo: i read about bridging and so on... 10:36 < c64zottel> dazo: ecrist: thank you 10:37 < dazo> c64zottel: if you do not have a route for 10.10.254/24 sending traffic to your VPN tunnel .... 
I'm not sure your tunnel will work properly ... maybe it will work until the openvpn server, but most probably not beyond that box 10:39 < c64zottel> dazo, it will use the 10.10/16 route 10:39 < ecrist> c64zottel: if it works for you, fine, but, the odds are it's *not* going to work due to the overlapping route, unless your LAN is /16, but is further subnetted from there. 10:39 < c64zottel> ecrist: i got it, thanks 10:40 < dazo> c64zottel: say you have this on your openvpn box: eth0 on 10.10.0.1/16 ..... you have your tun0/tap0 on 10.10.254.1/24 .... (more to come) 10:41 < dazo> c64zottel: one VPN client, say 10.10.254.10 tries to connect to 10.10.0.40, which is on the eth0 side .... the packet goes fine all the way and reaches the server 10:43 < dazo> c64zottel: the server responds back to 10.10.254.10 ... but since that IP address is within the 10.10.0.0/16 network ... the result package from server will never leave the 10.10.0/16 network .... and it gets lost, since nobody is answering it ... but this packet should have been routed through the 10.10.0.1 gateway 10:44 < dazo> c64zottel: so it will work, if all boxes on the 10.10.0.0/16 has a route which says .... 10.10.254.0/24 must use the gateway 10.10.0.1 ... but unless that route exists, it will not work 10:46 < c64zottel> dazo that was great! 10:46 < c64zottel> thank you very much 10:46 < jeiworth> dazo: that is interesting and might as well solve a problem i have, but where do i need to set that oute? only on the openvpn-server or on all clients? 10:46 < dazo> c64zottel: but of course, I have now not touched much what happens if you then in your LAN gets a computer with the 10.10.254/24 address .... 
then the chaos is complete, because all boxes which have the route via 10.10.0.1 will go out on the VPN tunnel instead
10:46 * cpm boggles, , , but but but, 10.10.254/25 can't see 10.10.0.1
10:47 < cpm> 10.10.254/24 rather
10:47 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:47 < dazo> jeiworth: all clients would need to have this route ... default gateway will not work, since the networks overlap, you must explicitly set the route on all boxes
10:48 < dazo> cpm: that's very true! But I thought that if a client computer on the LAN got an address which is in the 10.10.254/24 range, but with the /16 mask ... then it will see the 10.10.0.1
10:49 * dazo was thinking a scenario with a DHCP server with a /16 netmask on the dynamic IPs ... then this can happen more easily
10:51 < c64zottel> cpm: why? if the client has a route like 10.10/16?
10:51 < dazo> but as I said earlier ... such a topology is not even worth to consider ... because it will definitely create more troubles than what it solves in reality ... and it is a ticking bomb to have overlapping networks on different segments
10:52 < dazo> c64zottel: I think cpm was seeing a problem if the client on LAN had an IP address in 10.10.254/24 segment with a /24 netmask ... in this scenario, the client would not be able to see 10.10.0.1 at all
10:52 < c64zottel> dazo: is it not possible to avoid that via NAT?
10:53 < ecrist> c64zottel: just change your damn ip range
10:53 < ecrist> christ
10:53 < c64zottel> dazo true
10:53 < c64zottel> ecrist: i do, i promise .)
10:53 < c64zottel> but it's interesting
10:53 < ecrist> no, it's not, really
10:54 < dazo> c64zottel: I don't think so ... change the IP range ... that's my advice, don't try to hack around overlapping ranges ... it will for sure stop working somehow one day ...
and it will not be too easy to correct it later on with routing setup everywhere
10:54 < c64zottel> as i said, i do
10:54 * dazo is happy :)
10:54 < c64zottel> thanks a lot
10:54 < c64zottel> me too :D
10:54 < dazo> you're very welcome!
10:54 < c64zottel> thx
11:05 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit ["Leaving."]
11:09 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:16 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:22 -!- kyrix [n=ashley@91-115-27-154.adsl.highway.telekom.at] has joined ##openvpn
11:24 < kyrix> hi, i am trying to set up a routed site to site vpn using debian etch/lenny. the vpn is working, but still can't ping the other networks
11:24 < kyrix> files: network data: http://pastebin.com/m302adf57
11:24 < kyrix> server.conf: http://pastebin.com/d7954076a
11:24 < kyrix> client conf: http://pastebin.com/d16c72eec
11:25 < kyrix> and i have set up iroute.168.7.0 255.255.255.0 file in ccd
11:26 < kyrix> ip forwarding is activated on both machines
11:27 < kyrix> but still no luck. anybody have any ideas?
11:29 < kyrix> !route
11:30 < vpnHelper> kyrix: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:42 < kyrix> !configs
11:42 < vpnHelper> kyrix: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:44 < ecrist> kyrix: read the route entry above.
11:44 < kyrix> i did
11:45 < kyrix> i had already done everything
11:45 < ecrist> including iroute?
11:45 < kyrix> yup, that in the ccd file right?
11:45 < ecrist> and reconfiguring the gateways to redirect for the new VPN subnet?
11:45 < kyrix> yup
11:45 < ecrist> then you should have a working setup
11:45 < kyrix> hopefully correctly.
11:46 < kyrix> is there anything else i have to do on a linux box besides enabling ip forward?
11:47 < kyrix> i can ping 192.168.1.7 (the ip of my server) from the client. when i use push route. but no other machine. hold on, ill check the router
11:48 < kyrix> network: 10.8.142.0 netmask: 255.255.255.255 gw: 192.168.1.7
11:49 < kyrix> this is what i need on the router right?
12:07 < krzee> [13:29] and i have set up iroute.168.7.0 255.255.255.0 file in ccd
12:07 < krzee> the line doesnt look like that, right...?
12:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:08 < kyrix> iroute 192.168.7.0 255.255.255.0
12:09 < krzee> ok
12:11 < krzee> so .7.0 is behind client
12:11 < krzee> .1.0 is behind server
12:11 < krzee> [13:52] network: 10.8.142.0 netmask: 255.255.255.255 gw: 192.168.1.7
12:12 < krzee> netmask should be 255.255.255.0
12:12 < krzee> also, you should have another entry for 192.168.7.0
12:12 < krzee> then on client side, entries for 192.168.1.0 and 10.8.142.0
12:15 < kyrix> i have the 192.168.7.0, but dont understand the 255.255.255.0
12:15 < krzee> thats a netmask
12:15 < kyrix> if i ifconfig tun0 i have inet addr:10.8.142.6 P-t-P:10.8.142.5 Mask:255.255.255.255
12:15 < krzee> an ip means nothing without the netmask
12:16 < krzee> that is true, but you may have clients in server 10.8.142.0 255.255.255.0
12:16 < kyrix> oh
12:16 < krzee> you want to have a route to all of them
12:17 < kyrix> i need both then?
12:17 < kyrix> ah it works
12:18 < kyrix> that was it..... thx
12:18 < krzee> np
12:18 < kyrix> i was taking the value from ifconfig instead of the config file.
12:18 < krzee> its not really the value from either
12:18 < krzee> its just knowing what you need routed
12:19 < kyrix> well, it works in one direction well now. ill play with that on the other side for a while
12:20 < kyrix> its taken me two weeks to get to here :/
12:20 < kyrix> thanks again!
12:20 < krzee> np
12:20 < krzee> ya 1 direction cause you only added on 1 router
12:20 < krzee> gotta go do this:
12:20 < krzee> on client side, entries for 192.168.1.0 and 10.8.142.0 in its router
12:20 < krzee> both with 255.255.255.0
12:29 -!- Dryanta [i=dryanta@66.252.23.192] has joined ##openvpn
12:30 < Dryanta> ok guys openvpn problem AGAIN
12:30 < Dryanta> another situation where nothing changed and it broke
12:31 < Dryanta> process is running on both machines and i cant ping from one side of the tunnel to the other
12:31 < krzee> !logs
12:31 < krzee> ...
12:31 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
12:32 < krzee> and by 1 side to other
12:32 < krzee> you mean like client cant ping 10.8.0.1
12:32 < krzee> and server cant ping 10.8.0.6
12:32 < krzee> or from 1 lan to other
12:32 < Dryanta> again i run peer to peer
12:32 < krzee> o
12:32 < krzee> i wont be memorizing that
12:32 < Dryanta> and cant ping 10.0.0.1/2
12:32 < krzee> you'll hafta say it every time :-p
12:32 < Dryanta> its only come up like 20 times :P
12:33 < krzee> could a machine have rebooted and reset firewall rules?
12:33 < krzee> it will come up another 20 if you dont mention it when you have a new question :-p
12:33 < Dryanta> the machine rebooted, firewall rules are the same
12:35 < Dryanta> does log really have to be at 6?
12:36 < krzee> if you want it to be useful for me
12:37 < dazo> krzee: if he sets log level to 0 ... you can just say that logs look good, and there are no problems :-P
12:37 < krzee> hahah
12:37 < krzee> tru
12:42 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
12:43 < Dryanta> http://pastebin.ca/1307418
12:50 < Dryanta> well? lol
13:01 * ecrist punches someone's mother in the boob
13:03 < dvl> why?
13:04 < Dryanta> no love i guess
13:04 < Dryanta> /topic #openvpn post logs, we wont look at them....
kthxbai
13:08 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
13:09 < ecrist> dvl: because I'm bored, and I was hoping, like a 5 year-old child, to get a rise out of people.
13:10 < dazo> ecrist: your attack was not controversial enough
13:10 < Dryanta> lol
13:12 < krzee> ./topic #openvpn post logs, we will look at them when we feel like it.... kthxbai
13:13 < krzee> Dryanta, log from other side...
13:14 < krzee> we've done this enough times that if i come back 30min after asking for logs from both sides, there should prolly be logs from both sides
13:15 * krzee goes away for another X minutes
13:16 < Dryanta> http://pastebin.ca/1307441
13:16 < krzee> you stopped it too soon
13:16 < krzee> 1 second of logfile isnt very useful
13:16 < krzee> not a single entry past 11:12:46
13:17 < krzee> see how the first had like 2 minutes of logfile, error came 1.5 minutes into it
13:17 < krzee> that was useful
13:18 < ecrist> /mode Dryanta +douche_bag
13:18 * krzee wonders out loud if its harder to help a tech or a noob
13:19 < Dryanta> http://pastebin.ca/1307445
13:19 * ecrist elaborates that it's hardest to teach a noob that thinks their a tech.
13:19 < krzee> lol
13:19 < krzee> touche
13:20 < ecrist> s/their/they are/
13:21 < krzee> ok, now ping from .1 to .2, show me logs from both sides at verb 6
13:22 * ecrist punches dazo's mom in the dick
13:22 < ecrist> controversial enough?
13:22 < ecrist> :P
13:22 < krzee> hah
13:22 * dazo saw the attempt ... and that he missed big time and hurt his arm in broken window
13:23 < krzee> he missed your moms dick?
13:23 * krzee ponders
13:24 < krzee> both sides are writing to the tunnel, but barely reading
13:24 < krzee> but there is SOME reading
13:24 < krzee> which leads me away from firewall
13:24 < dazo> krzee: I think ecrist is just sexually frustrated ....
13:25 < krzee> dazo, i dont think so, his wife is pregnant and i hear preg women get seriously needy in that dept
13:25 < krzee> i think hes just bored
13:25 < dazo> krzee: well, I rest my case .... if he got a pregnant wife and bored at the same time .... it's not much she wants from him :-P
13:26 < Dryanta> is it this? Tue Jan 13 11:16:48 2009 us=504956 Inactivity timeout (--ping-restart), restarting
13:26 < krzee> dazo, work
13:26 < krzee> lol
13:26 < krzee> Dryanta, no, its whats causing that
13:27 < krzee> its something outside of openvpn
13:27 * dazo tries too :-P
13:27 < krzee> dazo, i mean hes at work
13:27 < krzee> hence, bored
13:27 < Dryanta> what do you mean outside of openvpn?
13:27 < krzee> umm
13:27 < krzee> like the link or something to do with the server
13:27 < dazo> krzee: don't you guys use openvpn and have home office? .... man! I thought you were serious about openvpn ..... :-P
13:27 < krzee> hows their ping/traceroute outside of ovpn
13:28 < Dryanta> what do you mean?
13:28 < krzee> dazo, im sure hes linked to his home network right now
13:28 < Dryanta> from pub ip to pub ip?
13:28 < krzee> Dryanta, yes
13:28 < dazo> krzee: hah! Accepted ;-)
13:30 < Dryanta> i cant traceroute because a router in between does not want to cooperate
13:30 < Dryanta> but ping is fine
13:30 < krzee> no packet loss on a large amount of pings?
13:30 < krzee> no large jitter?
13:31 < Dryanta> nope
13:31 < krzee> then im not sure what it is
13:31 < krzee> but i know its not part of openvpn thats the problem
13:31 < krzee> as long as the other config is = just ips reversed like you said
13:32 < krzee> you using a stateful firewall?
13:32 < krzee> one that keeps UDP state?
13:32 < krzee> (attempts to)
13:32 < Dryanta> ya it keeps state
13:32 < krzee> bypass that by just allowing * from each side to other
13:32 < krzee> see if that helps ya
13:33 < Dryanta> they both allow * to each other
13:34 < krzee> before any statefulness?
13:34 < krzee> packets ARE getting through
13:34 < krzee> but not all packets
13:34 < krzee> some are being dropped somewhere
13:34 < Dryanta> the whole firewall ruleset is keep state
13:34 < krzee> well, over-ride that
13:34 < krzee> or dont
13:34 < krzee> *shrug*
13:35 < krzee> im just grasping at what it could be
13:35 < krzee> SOMETHING is stopping some but not all packets from getting through
13:35 < krzee> it could have just been a lucky guess you have a stateful firewall, that i will admit to
13:35 < krzee> i dunno what the problem is, but it could be that
13:36 < krzee> UDP keepstate is not perfect
13:36 < krzee> dont believe me, see if it works on tcp
13:36 < krzee> without changing a thing in the firewall
13:36 < krzee> but remember if you keep it there you have this problem:
13:36 < krzee> !tcp
13:36 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:38 < Dryanta> it didnt work with tcp last time i tried i think
13:40 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Connection timed out]
13:46 -!- aaasdasdasd [n=guest@195.24.76.252] has joined ##openvpn
13:47 < aaasdasdasd> hello world! How to configure openvpn so it will start script before starting tunnel?
13:47 < krzee> --up
13:48 < krzee> runs right after opening tunnel
13:48 < krzee> before connecting iirc
13:48 < krzee> !man
13:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:48 < krzee> lets see
13:48 < krzee> by opening tunnel i meant interface
13:48 -!- aaasdasdasd is now known as NinetendoWee
13:49 < krzee> NinetendoWee, what would your script do?
13:49 < NinetendoWee> And how about BEFORE tunnel?
Because i have special route for my vpn server that deletes when vpn disconnects :(
13:50 < krzee> before would be a wrapper script
13:50 < krzee> a script that runs your command, then starts openvpn
13:50 < krzee> which you run to start openvpn
13:51 < NinetendoWee> it becomes inconsistent :(( some scripts are events from vpn client, some - wrappers.
13:51 < krzee> huh?
13:51 < NinetendoWee> if route is down - it just tries to connect server forever. what to do?
13:51 < krzee> you are saying you need to make a special route to reach the vpn server, right?
13:52 < krzee> and manually you add the route then start openvpn, and it works...?
13:52 < NinetendoWee> yes
13:52 < krzee> but you want to automate it
13:52 < krzee> #!/bin/sh
13:52 < NinetendoWee> yes, because when vpn disconnects accidentally - it removes this route automatically
13:52 < krzee> route command
13:52 < krzee> openvpn command
13:53 < NinetendoWee> so then i have to use up script because i have to set right default route
13:54 < NinetendoWee> how to make it exit on disconnect?
13:55 * ecrist cheers
13:55 < krzee> --ping-exit n
13:55 < krzee> should do that
13:55 < ecrist> I've got my FreeBSD file server running pam_ldap for authentication, and sudo, samba, afp all using ldap, too
13:56 < NinetendoWee> thank you for help
13:56 -!- NinetendoWee [n=guest@195.24.76.252] has quit ["Ex-Chat"]
13:58 < krzee> nice ecrist
14:01 < ecrist> someday, I might know what I'm doing
14:16 -!- jeiworth [n=jeiworth@189.163.173.75] has quit [Remote closed the connection]
14:18 -!- jeiworth [n=jeiworth@189.163.173.75] has joined ##openvpn
14:21 < ecrist> krzee: if you have the need: http://www.secure-computing.net/wiki/index.php/Apple_File_Sharing
14:21 < vpnHelper> Title: Apple File Sharing - Secure Computing Wiki (at www.secure-computing.net)
14:27 -!- psai` [n=Psai@91.91.252.105] has joined ##openvpn
14:27 < psai`> hi
14:27 < ecrist> hi
14:28 < psai`> is there a way to push redirect gateway only for some clients and not for all ?
14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:33 < ecrist> you bet
14:33 < ecrist> you need to set up client-config-dirs
14:33 < ecrist> read the man page or howto on that
14:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
14:34 < psai`> ok that's all i wanted to know :)
14:34 < ecrist> :D
14:34 < psai`> thank you i'll try this
14:56 -!- dazo is now known as dazoafk
15:10 -!- FarrisG [n=FarrisG@pool-71-123-163-107.dllstx.dsl-w.verizon.net] has joined ##openvpn
15:16 < FarrisG> Having an odd issue. I've done tons of openvpn setups, but have always done it with an internal and external nic. Trying to do it with one NIC, and it's working fine, except that after a couple of hours of being up, suddenly both my eth0 and br0 have the same IP address and the OpenVPN box can't access the outside world, only internal addresses.
Confs are here: http://pastebin.ca/1307528
15:16 < FarrisG> !route
15:16 < vpnHelper> FarrisG: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:16 -!- psai` [n=Psai@91.91.252.105] has quit ["thanks !"]
15:18 < FarrisG> Any idea what could be causing it?
16:01 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)]
16:07 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
16:09 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Client Quit]
16:31 < jeiworth> FarrisG: this is my first openvpn installation and many thanks to your bridge script i finally found my error after half a day search :)
16:55 < ecrist> which bridge script?
16:57 < krzie> to both of you
16:57 < krzie> what exactly do you need that requires bridging?
16:57 * krzie grins at ecrist
17:12 -!- kyrix [n=ashley@91-115-27-154.adsl.highway.telekom.at] has quit [Remote closed the connection]
17:41 < krzie> !servercret
17:41 < vpnHelper> krzie: Error: "servercret" is not a valid command.
17:41 < krzie> !servercert
17:41 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
18:23 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
20:41 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
20:52 < ecrist> why are you grinning at me?
20:57 < ecrist> o.O
20:57 < ecrist> 39 hits today on my site from nat-pool-brq.redhat.com
21:08 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
21:10 * ecrist loves getting IPv6 hits to his sites
21:13 < ecrist> meh, so many hostnames in awstats - hard to know which are IPv6.
don't want to write regex for IPv6 addresses
21:14 < tjz> hmmm
21:14 < ecrist> wouldn't be *too* difficult
21:14 < tjz> they are switching to IPv6 because we are running out of ip for IPv4?
21:15 < ecrist> that and a few more features which are a bit more low-level
21:15 < ecrist> I've been supporting IPv6 on my network for about 3 years
21:16 < tjz> hmm
21:16 < tjz> why IPv6..
21:17 < tjz> will the IP address look any different?
21:17 < ecrist> what do you mean?
21:17 < ecrist> you really don't know?
21:17 < tjz> never go and read up
21:17 < tjz> hehe
21:17 < ecrist> you should
21:17 < ecrist> like the DTV transition, it *is* eventually coming
21:18 < ecrist> DTV was supposed to come back in 2000
21:18 < ecrist> only 9 years late
21:18 < ecrist>
21:19 < ecrist> I've had about 15 or 20 hits to my main site this month from IPv6 addresses
21:20 < ecrist> 23 users have downloaded ssl-admin via IPv6
21:20 < ecrist> just this month
21:23 < ecrist> grr
21:24 < tjz> hmm
21:24 < ecrist> lots of latency on my wireless tonight
21:24 < tjz> what is sl-admin?
21:24 < tjz> ssl-admin..
21:24 < ecrist> ssl-admin
21:24 < tjz> hehe
21:24 < ecrist> it's a script I wrote in perl because easy-rsa sucks some serious donkey balls
21:24 < tjz> lol
21:24 < tjz> haha
21:24 < ecrist> it's a menu-driven text-based SSL certificate manager
21:26 < tjz> cool
21:26 < tjz> will the IP address of IPv6 look any different ?
21:27 < ecrist> right now, it's strictly menu-driven, but if I either 1) find time or 2) get some *rich* interested parties, I'm going to build command line options, bulk generation, and LDAP certificate support
21:27 < ecrist> yes
21:27 < ecrist> IPv4 is 32-bit, in dotted-decimal notation
21:27 < tjz> how different..
21:28 < ecrist> IPv6 is 128-bit, in quad-hexadecimal notation
21:28 < tjz> omg
21:28 < tjz> enough to support more IP
21:28 < tjz> how does quad-hexadecimal notation look like?
21:28 < tjz> eg. ?
21:28 < ecrist> for example, my website, www.secure-computing.net has the following two addresses (IPv4 and IPv6)
21:28 < ecrist> www.secure-computing.net is an alias for kenny.secure-computing.net.
21:28 < ecrist> kenny.secure-computing.net has address 173.8.118.210
21:28 < ecrist> kenny.secure-computing.net has IPv6 address 2001:470:1f11:463::210
21:29 < tjz> coooooooooooooooool
21:30 < tjz> any web-tool to check the IPv6 address of kenny.secure-computing.net ?
21:30 < tjz> or linux command to do that?
21:30 < ecrist> read http://www.secure-computing.net/wiki/index.php/IPv6 and see if it helps at all
21:30 < vpnHelper> Title: IPv6 on FreeBSD 6.2 - Secure Computing Wiki (at www.secure-computing.net)
21:30 < ecrist> tjz, what do you mean?
21:30 < krzie> if your linux is ipv6 enabled host will tell you
21:30 < tjz> you know a noob asking noob question
21:31 < tjz> bear with me
21:31 < tjz> :P
21:31 < krzie> www.secure-computing.net is an alias for kenny.secure-computing.net.
21:31 < krzie> kenny.secure-computing.net has address 173.8.118.210
21:31 < krzie> kenny.secure-computing.net has IPv6 address 2001:470:1f11:463::210
21:31 < krzie> that was /exec -o host www.secure-computing.net
21:32 < ecrist> IPv6 addresses are stored in DNS as AAAA records, whereas IPv4 records are stored as A records
21:32 < tjz> cool
21:32 < ecrist> you can check (whether your host is IPv6-enabled or not) for an IPv6 record with the dig command
21:32 < ecrist> dig -t AAAA
21:33 < ecrist> running both IPv4 and IPv6 is known as dual-stack
21:33 < krzie> ya i was actually wrong
21:33 < krzie> this box isnt ipv6 enabled
21:33 < krzie> its in the kernel, but i dont have an ipv6 tgunnel
21:33 < krzie> tunnel
21:34 < ecrist> until last month, I had native IPv6 to my ISP
21:34 < tjz> cool
21:34 < krzie> ya i had native long ago too
21:34 < ecrist> then I realized my ISP was run by a bunch of douche-bags
21:34 < krzie> a nice small dsl company in the bay area, CA
21:35 < ecrist> like my old ISP (a
nice, small, ISP in Minneapolis, MN
21:35 < tjz> nothing wrong with a small isp
21:35 < ecrist> unless they're jewish
21:35 < tjz> as long as they are on the ball
21:35 < tjz> lol
21:36 < ecrist> I dropped ipHouse when they gave my colo (2 full racks) a $400/mo *surcharge* in the middle of a contract
21:36 < ecrist> they got around the contract by calling it a surcharge
21:36 < ecrist> that's pretty bullshit, IMHO
21:36 < krzie> umm
21:36 < krzie> illegal sounding
21:37 < tjz> why the surcharge?
21:37 < tjz> is it bandwidth overage?
21:37 < krzie> cause they needed $ im sure
21:38 < ecrist> I think you're on the 'money', krzie
21:38 < ecrist> but, they called it an electrical surcharge
21:38 < ecrist> it would cost us more to litigate than to pay to the end of our contract
21:58 -!- Solarbab1 [n=solarbab@adsl-69-228-3-122.dsl.irvnca.pacbell.net] has joined ##openvpn
22:02 -!- AwayML is now known as AndyML
22:02 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:16 -!- Solarbaby [n=solarbab@adsl-69-228-2-165.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
22:20 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
23:01 -!- mepholic [n=mepholic@star.emokid.nu] has joined ##openvpn
23:01 < mepholic> ok
23:01 < mepholic> openvpn on an ircd shell
23:01 < mepholic> possible?
23:05 -!- mepholic [n=mepholic@star.emokid.nu] has quit [Remote closed the connection]
23:06 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
23:19 < Solarbab1> mepholic: you want to run a irc client or server on openwrt?
23:30 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection]
23:33 -!- Solarbab1 [n=solarbab@adsl-69-228-3-122.dsl.irvnca.pacbell.net] has quit [Remote closed the connection]
--- Day changed Wed Jan 14 2009
00:00 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn
00:02 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
00:02 < hiptobecubic> I'm trying to setup a vpn with ethernet bridging. I'm not able to physically access the machine that is going to be the server, but when i bridge eth0 and tap0, i can no longer use ssh, effectively orphaning the server.
00:02 < hiptobecubic> what can i do?
00:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:16 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
00:24 -!- FarrisG [n=FarrisG@pool-71-123-163-107.dllstx.dsl-w.verizon.net] has left ##openvpn []
00:25 < hiptobecubic> If anyone is around, i'd love a hint here.
00:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:05 -!- dazoafk is now known as dazo
01:35 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
01:35 < steveoooo> if I change the password on a cert that I did not enter a passphrase in, will it enable a password? or does the cert have to have a passphrase from the beginning
01:36 < dazo> steveoooo: not sure ... but I believe you would enable the password actually
01:37 < dazo> hiptobecubic: how have you configured your bridge?
01:37 < steveoooo> can you explain the difference between tun and tap?
01:39 < dazo> steveoooo: oh .... well, tun is using point-to-point tunnelling, which means that it is bound to TCP/IP traffic ....
while tap is going lower down in the OSI stack, so it is actually more a virtual network interface where all traffic to the interface is routed via openvpn
01:40 < dazo> steveoooo: so, if you want to do bridging, use IPv6 or IPX or other non-TCP/IP (IPv4) traffic, you simply must use tap
01:40 * dazo looks for a better explanation
01:42 < dazo> http://en.wikipedia.org/wiki/TUN/TAP ...
01:42 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
01:43 < dazo> steveoooo: if you just google "tun or tap" ... you'll get more info, but the wikipedia actually says the same as all the google findings
01:43 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)]
01:45 < dazo> steveoooo: you can also have a look here: http://openvpn.net/index.php/documentation/faq.html#bridge2
01:45 < vpnHelper> Title: FAQ (at openvpn.net)
01:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 < steveoooo> ill take a look
01:48 < steveoooo> does tap require any extra configuration outside the openvpn configs?
01:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:53 < dazo> steveoooo: No, not really ... well, I'm not sure on the server side. I've only used Gentoo on the server side lately and I have preconfigured the tap0 interface before starting openvpn in some network scripts there
01:53 < dazo> steveoooo: but I think that the device needs to be setup before starting the openvpn daemon .... just remembered that I also do bridging on my openwrt based router
01:54 < steveoooo> what are you running openwrt on?
01:55 < steveoooo> (how do you like it?)
01:55 < dazo> steveoooo: but that could be to setup the bridge before starting openvpn, not sure .... anyway, you can create the tap device by calling: openvpn --mktun --dev tap0 --dev-type tap ...
01:55 < dazo> steveoooo: I'm running it on a Linksys WRT54GL ...
nice little box, even though I'd like more flash on the box :-P
01:56 < steveoooo> thats funny, same exact one I have, but running the default software... which sucks... I was running ddwrt but I found some weird firewall rules in the iptables so I dumped it.
01:56 < steveoooo> I have the same exact one I mean
01:57 < dazo> steveoooo: that was exactly the same reason I scrapped ddwrt as well .... and I made some noise about it in the forums ... but they didn't seem to take my point regarding being open about it and tell clearly what to do to remove these rules
01:58 < dazo> steveoooo: I'm using the X-Wrt version of openwrt ... which gives you a simple but powerful webgui as well, which makes configuration a lot easier .... highly recommended!
01:58 < steveoooo> yea, i didnt post anything, but after that I dropped it. it was weird tho, in some versions they werent there, but in the openvpn version it was, so I couldnt trust it
01:59 < steveoooo> do you have a link?
01:59 * dazo looks it up
01:59 < dazo> http://x-wrt.org/
01:59 < vpnHelper> Title: Web interface for OpenWrt and more - X-Wrt.org (at x-wrt.org)
01:59 < steveoooo> I remember going to frys in order to find the right linksys to fuck up
02:01 < dazo> steveoooo: what's neat about this one, is that it's not much applications installed by default ... but you can install the needed pieces on the fly via a click in the webgui, so when you want to configure software which is not installed, you can click install ... it gets installed and you can continue the configuration
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:05 < steveoooo> nice
02:05 < steveoooo> maybe ill flash it right now
02:05 < steveoooo> if you trusted ddwrt, which would you use
02:06 < dazo> I'm running the 0.9 (whiterussian) release .... but I see that they've started stabilising the Kamikaze versions (devel versions), so it might come a new x-wrt soon
02:07 < dazo> well ....
ddwrt is easy to configure and gives a lot of things without even needing to think about going into a shell on the box ... so ddwrt is probably more easy to setup and configure
02:07 < krzee> !security
02:07 < vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
02:07 < krzee> (for something else)
02:08 < dazo> while x-wrt is more kind of detailed in configuration ... and you have much more power to safely do changes via the shell and web, as the web will not freak out or overwrite changes done via shell
02:09 < dazo> so I feel that x-wrt is much more flexible than ddwrt
02:09 < steveoooo> cool
02:10 < dazo> and another thing .... the iptables setup in x-wrt is really basic and easy to understand immediately, no strange chains or strange loops ... it's really transparent compared to ddwrt
02:10 < steveoooo> hmm, i dont see a pre built image for my router wrt54gl1.1
02:10 < dazo> huh? strange ....
02:10 < dazo> I'm pretty sure I also have the gl1.1
02:11 < steveoooo> whiterussian? or kamikaze
02:12 < dazo> I'm using whiterussian now
02:12 < dazo> http://downloads.x-wrt.org/xwrt/firmware_images/whiterussian/0.9/milestone-3-rc2/default/openwrt-wrt54g-squashfs.bin
02:12 < steveoooo> (have you used any cellphone wireless computer cards ?)
02:12 < steveoooo> thanks
02:13 < steveoooo> rc2 hrm.
02:14 < dazo> steveoooo: nope ... not cards ... I've only used USB and Bluetooth to my SE-K800i ... and that works like a charm for me (using UMTS or GPRS)
02:15 < dazo> steveoooo: that rc2 is the latest one of whiterussian ... and it was released august 2007, so it's getting old .... but on the other hand ... it's very stable ....
02:16 < dazo> steveoooo: and there is update functionality via the web-gui as well ....
so they have released some updates which I could install after installing it
02:17 < dazo> oh, that was just updating of the webgui, I see now
02:17 < dazo> but you have some ipkg tools as well
02:20 < steveoooo> cool
02:20 < steveoooo> im going to flash it right now
02:21 < dazo> :)
02:21 < steveoooo> is a lot smaller than ddwrt
02:21 < dazo> yeah, but when you install openvpn and other goodies and needed parts .... it's easy to fill it up :-P
02:23 < steveoooo> ill be back, hopefully
02:23 < dazo> heh ... good luck!
02:23 < steveoooo> I have another router in the closet if anything goes wrong
02:23 < steveoooo> heh
02:24 < steveoooo> id be interested on how the .bin files are compiled to work on the linksys routers
02:26 < dazo> steveoooo: quite simple ... cross compiled for the CPU platform ... and then things are put into a filesystem file (mounted as a loopback file probably) and then this filesystem is "converted" to the proper format the device needs it ... then this file is written directly to the flash
02:27 < steveoooo> im a coder but ive never compiled for a hardware device other than pic chips
02:27 < steveoooo> and this little linux based computer I have
02:27 < dazo> I think I remember I read a little bit about it on the openwrt wiki ....
02:31 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
02:36 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
02:36 < steveoooo> should I reset to default settings?
02:37 < steveoooo> dazo, are you running the openvpn on the router?
02:37 < dazo> steveoooo: yup
02:37 < steveoooo> hmm, cool and build all the keys on the server?
02:37 < steveoooo> built
02:38 < steveoooo> thru ssh?
02:38 < dazo> steveoooo: yes ... You need to have the keys prepared somewhere else
02:39 < steveoooo> i c
02:39 < dazo> steveoooo: I'm using certificates in addition to static.key ....
so I created the needed certs and keys on another box and used ssh and scp to get them into the router 02:39 < steveoooo> got it 02:39 < steveoooo> im using certs too 02:39 < steveoooo> not a static.key tho 02:40 < dazo> steveoooo: I use all security features available, as a default in my setups :) 02:40 < steveoooo> i dont even know what im not securing : ) 02:40 < steveoooo> ignorance is bliss 02:40 < dazo> Actually, I've stored config files, cert files and so on in the nvram of the router ... not on the "filesystem" 02:41 < steveoooo> nvram? 02:41 < Dryanta> non volatile ram 02:41 < steveoooo> is it a mounted device? 02:41 < dazo> yeah .... kind of the "config" memory ... you'll have a nvram command ... 02:41 < dazo> nvram show .... will give you a lot of config settings 02:42 < dazo> and I used such hack as: nvram set ="`cat `" ... to store a file here .... 02:42 < dazo> but you must remember to do nvram commit .... to really save it to nvram 02:43 < dazo> (I would not try this on a binary file though ........) 02:43 < steveoooo> nice, like how it shows that changes are being made! 02:43 < dazo> so I have my own openvpn_start.sh script .... which then pulls down all needed files from nvram and saves them under /tmp/openvpn .... and then openvpn is started from here 02:44 < steveoooo> i c, does the router do most of that for you? 02:45 < dazo> steveoooo: http://pastebin.com/d3e502198 02:45 < dazo> steveoooo: nope ... I hacked this myself .... as the webif only supports openvpn client, not server 02:46 < steveoooo> i c 02:47 < dazo> the pastebin contents, I've saved under /etc/openvpn_start.sh .... and then if you do this, nvram set ="`cat `" ... for all your openvpn files .... this should work pretty quickly for you 02:47 < steveoooo> ill get that going tomorrow 02:47 < dazo> :) 02:47 < steveoooo> pretty damn cool tho 02:47 < steveoooo> and your vpn network is in the same subnet as lan? 02:48 < steveoooo> with the bridge? 02:48 < dazo> just one remark .... 
do not use nvram commit too much .... as such writes will exhaust the nvram over time ..... but if you do it once a day, somebody calculated that the nvram would last at least 5 years 02:48 < dazo> yes, I did it this way 02:48 < dazo> I 02:48 < dazo> I've also separated wlan and lan ... so that they have different network segments as well .... and vpn is on the lan range, not wlan 02:51 < steveoooo> why use nvram 02:52 < dazo> to avoid using space on the jffs2 filesystem, which is used by applications and ipkg .... and /tmp is a ram disk, so only temporarily 02:53 < dazo> and there was a lot of space available in nvram for these config files 02:53 < krzee> steveoooo, leaves less trace 02:53 < dazo> with my current config ... I have used about 9kb out of 32kb available in nvram 02:54 < steveoooo> backup your router and let me see it : ) 02:54 < steveoooo> just kidding 02:54 < dazo> heh ... sorry, don't trust you that much yet ;-) 02:56 < steveoooo> geez man all paranoid and shit 02:56 < steveoooo> heh 02:56 * dazo wonders if it would be possible to encrypt the openvpn config stored in nvram .... yeah, I know you would need to enter a password when starting openvpn 02:57 < krzee> instead of encrypting the config encrypt the cert keys 02:57 < dazo> btw! It's really easy to fill up your filesystem ... so be careful! really careful! or else you might in worst case need to reflash the device again 02:57 < dazo> krzee: yeah, I meant that .... for me keys are an important part of the config ;-) 02:57 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn 02:58 < krzee> when making the certs you can set a pass on them, easy-rsa its something like make-cert-pass 02:58 < krzee> ssl-admin asks when you make any keys 02:59 < dazo> krzee: that's true ... 02:59 * dazo hasn't woken up yet today ... 02:59 < dazo> maybe I could even use pkcs12 certs .... 
to have all in one file as well 03:31 -!- Dryanta [i=dryanta@66.252.23.192] has quit ["Changing server"] 03:33 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 04:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:26 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 04:29 < steveoooo> dazo, help me out tomorrow configuring all this shit 04:29 < steveoooo> that would be cool 04:30 < dazo> steveoooo: I'll try .... I'll be travelling somewhat tomorrow, leaving the office around 13:00 UTC ... so I might have it hectic, but in the evening it might be more easy again 04:30 < steveoooo> what do you do? 04:40 < steveoooo> night 05:32 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 05:58 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has quit [Read error: 60 (Operation timed out)] 06:00 -!- zug|work [n=zug_work@88.211.97.126] has joined ##openvpn 06:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:15 -!- zug_|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 06:22 -!- zug|work [n=zug_work@88.211.97.126] has quit [Read error: 60 (Operation timed out)] 06:51 -!- Naicamine [n=bjones@96-35-60-139.dhcp.stls.mo.charter.com] has joined ##openvpn 06:53 < Naicamine> how can i get to my VPN server if it is on a dynamic address? 06:55 < Naicamine> is there a way i can get a free domain name and a free service that will point a domain name to a dynamic ip? 07:08 -!- Naicamine [n=bjones@96-35-60-139.dhcp.stls.mo.charter.com] has quit ["Leaving."] 07:38 -!- AukeF [n=folkerts@fury.science.uva.nl] has joined ##openvpn 07:39 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)] 07:41 < AukeF> Hi! I have an openvpn tap device (openvpn --mktun --dev tap0) bridged with my physical device (eth0). 
The tap device is used as the stub for Qemu's virtual network card, and has no IP on my host OS. This setup works; however, tcpdumping shows that not all traffic present on the eth0 device is also visible on my tap device. I think this is odd, given that they are bridged. Am I missing something? 07:41 < AukeF> (also, if this is not the right channel, my apologies, and please point me in the right direction) 07:42 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:44 < reiffert> AukeF: a bridge doesnt mean that all traffic passes both interfaces. 07:44 < reiffert> AukeF: routing still works and delivers packets to what interface matches best 07:44 < AukeF> aha 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:44 < reiffert> AukeF: a bridge allows to have broadcast/multicast packets to appear on both interfaces. 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:45 < AukeF> my understanding was that a packet that arrives on port1 is automagically duplicated on port2 07:45 < reiffert> AukeF: please check your understanding. 07:45 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:45 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:46 < reiffert> http://en.wikipedia.org/wiki/Network_bridge 07:46 < vpnHelper> Title: Network bridge - Wikipedia, the free encyclopedia (at en.wikipedia.org) 07:46 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:46 < reiffert> dvl: mind fixing your irc client please? 07:47 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:47 < reiffert> ecrist: r u around? 
07:47 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:47 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:48 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:48 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:49 < reiffert> krzee: r u around? 07:49 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:49 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:50 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:50 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:51 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:51 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:52 < reiffert> dvl: 07:52 < AukeF> hm. it looks like /proc/sys/net/bridge/bridge-nf-* are getting in the way 07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:53 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:53 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:54 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:54 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:55 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:55 < reiffert> sigh 07:55 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:55 < reiffert> dvl: 07:56 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:56 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:57 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:57 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:58 -!- dvl 
[n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:59 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:59 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 08:00 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 08:00 < dazo> dvl you got probs! 08:00 < dazo> dvl: please correct your client 08:01 < reiffert> Doubt he's reading that 08:01 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 08:01 < dazo> well ... on my screen, I saw you managed to catch him right after he "quit" ... so I hoped I could be quick enough now 08:02 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 08:03 < reiffert> brb kochen 08:06 < reiffert> dvl: u there? 08:27 < ecrist> reiffert: I'm around 08:27 < ecrist> what's up? 08:29 < reiffert> ecrist: how can I ban dvl so that he can fix his client meanwhile? 08:29 < ecrist> you just frustrated with the join/quits? 08:29 < ecrist> you can ignore those event from him, if you'd like 08:29 < ecrist> /ignore dvn JOINS PARTS QUIT 08:30 < reiffert> rite. 08:30 < reiffert> so everybody please type this, whatever your client understands. 08:31 < ecrist> if it starts up again, I can ban him, too 08:31 < ecrist> s/dvn/dvl/ 08:31 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn 08:33 -!- nikk^ [n=nikk@p54ADD682.dip.t-dialin.net] has joined ##openvpn 08:34 < nn> hello all, i'm leaving tomorrow to a place i must connect home from, through a horribly draconian firewall which limits my usage to ports 80 (inspected to actually be HTTP) and 443, the network i want to connect to uses 10.0.0.0/8 - is there a way to make openvpn clients fall within 10.0.0.0 or should i just use 192.168.0.0/16 and bridging of eth1 (internal lan) and the openvpn interface? 
08:35 < nn> it would be much simpler for my life if i could make the vpn fall under the 10.0.0.0/8 but not too sure how the routing would work out for that 08:35 -!- brewmaster_ [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn 08:36 < dazo> nn: don't try to overlap network segments ... don't think about it ... it'll backfire sooner or later and you'll just be frustrated about how it almost works 08:37 < dazo> !1918 08:37 < vpnHelper> dazo: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 08:38 < dazo> nn: you also don't need to bridge anything, routing is usually more than enough, as long as your network and firewall at your server side have a sensible firewall setup 08:38 < brewmaster_> this might be a silly question, but can an openvpn server share samba folders over the vpn? or do I need to run a separate openvpn client process? 08:39 < nn> dazo: im just wondering if it might be better off to adjust the routing on the router to use smaller subnets for the wireless, servers, vpn, etc then have the actual clients refer to the wider /8 subnet 08:39 < brewmaster_> using bridged network btw 08:39 < nn> dazo: ive got quite a few machines on the home side that will not play happy with 192.168.0.0/16 *and* 10.0.0.0/8 addresses trying to talk to them 08:40 < dazo> brewmaster_: if you use tap device, samba should not be any problems at all .... if you do bridging, it'll save you for some routing issues connected to browsing shares and servers 08:40 < nikk^> Hi! Could you please help me to "translate" this route into "linux": route add 192.168.2.0 mask 255.255.255.0 10.8.0.14 metric 1 ? 
08:40 < nikk^> 192.168.2.0 is the Remote Lan, 10.8.0.14 is the VPN-IP of the Remote Client 08:41 < dazo> nn: as long as you have a default gateway at "home" ...which will have a route to your VPN segment, your VPN segment can have whatever IP address you want 08:41 < brewmaster_> dazo, ok. i'm running the server on a debian machine, i connected to the network from an xp box and an ubuntu box, they can both see each other but not the debian machine 08:41 < brewmaster_> i can't even ping the debian server 08:41 < dazo> brewmaster_: does the debian box also have samba running? 08:41 < brewmaster_> yes 08:42 < dazo> brewmaster_: ahh ... check your iptables on debian ... that might be the issue here 08:42 < nn> dazo: for example: networking kit on 10.1.0.0/16, servers on 10.2.0.0/16, 100mbit clients on 10.3.0.0/16, wlan on 10.4.0.0/16, and vpn say 10.5.0.0/16 08:42 < dazo> nikk^: route add -n 192.167.2.0 netmask 255.255.255.0 gw 10.8.0.14 metric 1 ... just a wild guess 08:42 < nn> since ive got about 500 machines on the network 08:43 < brewmaster_> dazo, just to be clear: i don't need to run a separate client process on the server? 08:44 < brewmaster_> dazo, yeah, i think i gotta open up the tap device in iptables 08:44 < dazo> brewmaster_: no, that's usually not needed .... you might want to explore DNS options in openvpn config .... to push correct WINS server to VPN clients ... that way they will know where to look up for window machines 08:44 < dazo> brewmaster_: that's most probably right 08:46 < dazo> brewmaster_: in some very few settings, it might be that you want to have a "resolver" running on the gateway for sending netbios broadcasts between the net-segments ... but that was usually not needed after WINS came ... so if you have a WINS server, point all your clients to that one, and it should be working 08:47 < dazo> nn: yeah, that sounds sensible ... and your openvpn server needs to have routes to all these networks ... 
and also correct firewall settings, and then it should work pretty easy 08:47 < nikk^> thanks dazo. will this route use 10.8.0.14 as gateway? 08:47 < nn> dazo: thanks 08:47 < nn> thankfully i have access to some wifi not on my network to test with, back in a bit :) 08:48 < dazo> nikk^: it will route the 192.168.2.0/24 network through that gateway 08:48 < dazo> nikk^: even though, this doesn't sound like the right way to do it .... but I might be wrong 08:49 -!- jeiworth [n=jeiworth@189.163.173.75] has quit [Read error: 104 (Connection reset by peer)] 08:50 < dazo> nikk^: it just depends on where you set this route ... if it is on a client, it is correct ... if it is on a gateway/router ... then it should be another IP address of the gateway, most likely 08:50 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 54 (Connection reset by peer)] 08:51 < nikk^> hm, problem is: ping remote client -> server lan = possible, ping from server lan -> vpnip remote client = possible, server lan -> client lan ip doesn't work 08:52 < nikk^> ping vpn server -> client lan ip also doesn't work 08:52 < dazo> nikk^: do you have access to tcpdump on your openvpn server? and default gateways (if it is not the same as openvpn server)? 08:53 < nikk^> it is the same, wrt router, but no tcpdump 08:53 < dazo> nikk^: I suggest using tcpdump on openvpn server on the different network interfaces .... and then do a ping ... then you'll see where the traffic goes ... if you see only echo request and not echo response, the package went in another direction 08:54 < dazo> aha 08:54 < dazo> which firmware? 08:54 < brewmaster_> dazo, not sure if i need to change my iptables: i don't have a firewall and am behind a router 08:55 < nikk^> it is dd wrt, but with optware openvpn server 08:56 < nikk^> DD-WRT v24-sp1 (08/19/08) std 08:57 < dazo> nikk^: Yeah, I know that one .... okey ... 
ddwrt uses bridging as default, as far as I remember 08:57 < nikk^> i use routing atm 08:57 < dazo> nikk^: can you post config ? (pastebin) 08:57 < nikk^> one moment please 08:58 < dazo> brewmaster_: are you running openvpn on your default gateway? 08:58 < dazo> brewmaster_: if you are, you need to make sure that nothing is blocking the traffic .... try to use tcpdump ... it'll help you see where the traffic goes or not 08:59 < dazo> nikk^: you are using that ddwrt box as a gateway to your giant 500+ computers network? 08:59 < dazo> s/to/for/ 09:01 < nikk^> 3 clients atm :) 09:01 < nikk^> http://pastebin.com/m2487b3a1 09:01 < dazo> nikk^: then I must have misunderstood you ... the giant network you talked about .... how does this fit into the picture? 09:02 < nikk^> giant network? 09:02 < dazo> nikk^: sorry! I mixed you with nn ..... too many chats in parallel :-P 09:02 < brewmaster_> dazo, not sure, what do you mean by default gateway? 09:02 < nn> heh 09:03 < nikk^> no problem dazo :) 09:03 < nn> rearranging and terrorizing my network presently 09:03 < nn> I is scared 09:03 < dazo> brewmaster_: default gateway is the box which sends all traffic which is not local (ie. Internet traffic) to larger networks 09:04 < dazo> nikk^: you have some things which don't match .... have a look here: http://pastebin.com/m6c3cb0f2 ... those highlighted lines must speak to the same network ranges 09:05 < dazo> nikk^: one of the routes needs to be your LAN/WLAN at home ... and the other one is the VPN 09:06 < dazo> nikk^: what's your IP range "at home"? 09:06 < nikk^> 192.168.88.0 09:06 < nikk^> remote site 192.168.2.0 09:07 < dazo> remote site is where you connect from? 
09:08 * dazo begins to think if iroute might be the correct solution here 09:08 < dazo> !iroute 09:08 < vpnHelper> dazo: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 09:08 < dazo> nikk^: ^^^ 09:10 < brewmaster_> dazo, that would be my d-link router 09:11 < nikk^> i am on the lan site behind the vpn server/ wrt, remote site is a friend of mine which can connect into vpn network and into lan, behind the vpn server 09:11 < brewmaster_> dazo, openvpn is running on my debian machine behind that router 09:11 < nikk^> he can connect to an ftp behind the vpn server 09:11 < dazo> brewmaster_: so your openvpn server is just a "client" on the inside of the openvpn server? (dlink doing portforwarding for you) 09:12 < nikk^> i can not ping his lan address, not from client and not from server 09:12 < brewmaster_> dazo, i think so 09:12 < dazo> yeah, that sounds like this issue with iroute, iirc .... krzee or ecrist might know more about this actually .... 09:13 * dazo does a try 09:13 < dazo> !route 09:13 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:13 < dazo> nikk^: ^^ 09:17 < dazo> brewmaster_: okey ... then I'm guessing you need to setup something in either the DHCP server config which adds a route to your VPN network going via the IP address of the debian box (the physical interface, not the VPN interface) 09:17 < dazo> brewmaster_: or you will need to go on all your clients in your internal network and add this route manually 09:18 < brewmaster_> dazo, yeah, i think i have that part working: i can connect from the outside world to the openvpn server without any issues, i just can't ping / access shared folders on the server once connected. 
09:18 < brewmaster_> client to clients works for pinging / sharing files 09:19 < brewmaster_> here's my ifconfig output on the server: http://pastebin.ca/1308074 09:19 < dazo> brewmaster_: clients, here I meant those boxes internally on your network, controlled by your d-link box 09:19 < dazo> brewmaster_: only here ... I would say you can try with that box with the SMB shares first 09:23 < brewmaster_> dazo, shouldn't the server list the openvpn address (which should be 10.8.0.4) when i run ifconfig? 09:26 < dazo> brewmaster_: the openvpn box (debian) needs to have the route for both your VPN net and the physical network 09:26 < nikk^> thanks dazo 09:27 < dazo> brewmaster_: but your clients on the d-link network need to know that they must contact your openvpn server to reach the VPN net .... or else the traffic will go to the default gw (your d-link router) and out on the internet 09:27 < dazo> nikk^: np! 09:29 < dazo> brewmaster_: so that's why I said this about the routing ... when the clients contact your openvpn (debian) box, this box will then know the rest of the route 09:37 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn 09:43 < brewmaster> dazo, ok, thanks for the help, so how do i tell, say, a linux client to send all 10.8.0.0/24 traffic to my debian machine (192.168.0.103)? 09:43 < dazo> brewmaster: route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.103 09:45 -!- brewmaster_ [n=brewmast@dsl-216-221-35-73.aei.ca] has quit [Read error: 145 (Connection timed out)] 09:45 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has quit ["Leaving"] 09:45 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn 09:45 < ecrist> dazo, you should stick around, then I can just watch. :) 09:46 < dazo> ecrist: heh .... well, I'll step down when you get bored then :-P 09:46 < dazo> s/when/before/ 09:46 < brewmaster> dazo, thanks, what about the openvpn server? how will it know the rest of the route? 
09:47 < dazo> brewmaster: you can check the route table on that box .... (/sbin/route -n) .... here it should list up all routes and you can see if it has your local network and your VPN network ... if that's done ... it should be set 09:49 < brewmaster> hmm, no mention of tap0 or 10.8.x.x ... 09:52 < dazo> brewmaster: then it is time to dig into your openvpn config files 09:56 < brewmaster> dazo, what about "clients" that aren't on the LAN? do I need to have a route command? 09:56 < brewmaster> i'm SSH to an outside box, and it has "10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0" in the route -n 09:57 < brewmaster> which looks correct (though I know nothing ;) 09:58 < dazo> brewmaster: hmmm .... all clients on "your" network (inside the d-link) which you want to have access to your VPN (or which you want to connect to via the VPN) must know about this route 09:58 -!- rarn [n=rarn@38.104.189.110] has joined ##openvpn 09:58 < brewmaster> dazo, yeah, that's no problem, but what about the outside world? 09:58 < dazo> brewmaster: that "outside box" .... if that is not inside your d-link network, it should not be needed at all 09:59 < brewmaster> ok 09:59 < dazo> but for that box to reach your d-link network ... you would need to setup an OpenVPN tunnel ... and then the correct route should appear here 09:59 < dazo> brewmaster: I think you might find a better description here on routing .... 09:59 < dazo> !route 09:59 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 10:00 * dazo needs to run ... back in some hours 10:01 -!- dazo is now known as dazoafk 10:04 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn 10:04 < orbisvicis> to start a client: i do sudo openvpn client.opvn and to kill a client ^C 10:05 < orbisvicis> is there a softer/better way to shutdown openvpn ? 
10:05 < l11> orbisvicis: you'd usually use the scripts in /etc/init.d 10:06 < l11> like /etc/init.d/openvpn start and /etc/init.d/openvpn stop 10:06 -!- nikk^ [n=nikk@p54ADD682.dip.t-dialin.net] has quit ["—I-n-v-i-s-i-o-n— 3.0 (March '08)"] 10:07 < l11> (assuming the client config has been put where it can be found w/o extra arguments) 10:09 < nn> next round of network hell and overhaul comes in rebuilding my lost setup of ldap and kerberos... meh 10:17 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has quit ["leaving"] 10:17 -!- ecrist changed the topic of ##openvpn to: Check your firewall first. || We need !configs and !logs || HowTo: http://openvpn.net/howto Manual: http://openvpn.net/man || LANs behind OpenVPN? See !route || Don't ask to ask, just ask; then wait. 10:24 -!- rarn [n=rarn@38.104.189.110] has quit [] 10:30 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn 10:30 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has quit [Client Quit] 10:31 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn 10:31 < nn> oops 10:31 < nn> well.. for some reason, things are mostly working, except im getting the wrong IP 10:52 < orbisvicis> eh i guess its not a big deal ... i dont have any openvpn init scripts, but I took a look at one and it stops openvpn by killing 10:54 < nn> probably with SIGTERM, no? 10:55 < ecrist> nn - that's how programs get killed in the unix world 10:57 < nn> ecrist: yes i know 10:57 * nn looks at iptables with the we about to fight look... 10:58 * ecrist looks at chanserv with the 'me about to win' look... 10:58 < ecrist> :P 10:59 < ecrist> regardless, the comment should have been directed to orbisvicis, not you, nn 11:03 < orbisvicis> what sigterm is ^C, 15 ? 
11:05 < orbisvicis> or 9 11:05 < nn> im thinking SIGINT or SIGQUIT 11:06 < ecrist> SIGINT, iirc 11:09 < ecrist> --- Log closed Wed Jan 14 11:09:22 2009 --- Log opened Wed Jan 14 12:09:05 2009 12:09 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 12:09 -!- Irssi: ##openvpn: Total of 42 nicks [0 ops, 0 halfops, 0 voices, 42 normal] 12:09 -!- Irssi: Join to ##openvpn was synced in 1 secs 12:09 < ecrist> ugh 12:13 < reiffert> mahdi_ja: hi 12:13 < reiffert> mahdi_ja: You can have openvpn play the role of a vpn server, yes. 12:13 < reiffert> mahdi_ja: it has nothing to do with a domain controller, nor will openvpn replace a windows domain controller. 12:14 -!- jaysonsantos [n=jayson@189.102.240.246] has joined ##openvpn 12:18 < mahdi_ja> reiffert: in my company at this time use domain controller and i want use vpn server for operating independent reason. 12:19 < jaysonsantos> !route 12:19 < vpnHelper> jaysonsantos: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 12:19 < reiffert> mahdi_ja: sorry, I dont understand you. 12:20 < jaysonsantos> Hello people, I'm trying to connect via ssh from client to the vpn server and when (i think) i receive binary data, my connection stays frozen 12:20 < jaysonsantos> Maybe that is a route config ? 12:21 < mahdi_ja> reiffert: i am sorry my english is weak. i want to know if i can do the task of a windows domain controller with openvpn (create vpn server). 12:22 < reiffert> Who was that guy from that man-eating ape-island? 12:22 < reiffert> mahdi_ja: If I understand you right, a Windows Domain Controller can act as a VPN Server? 12:22 < mahdi_ja> reiffert: yes. 12:23 < reiffert> mahdi_ja: I see. Well Windows VPN is using L2TP or PPTP, right? 12:25 < mahdi_ja> yes this is true. i can use pptp in linux same as windows. 12:26 < reiffert> mahdi_ja: openvpn is totally different and not compatible with l2tp nor pptp. 12:26 < reiffert> mahdi_ja: but(!) openvpn runs on windows as well. 
12:30 < mahdi_ja> yes,i know it.in a lot of company for restrict user to use a special application use domain controller. for example a user member of office1 domain can use office1 application an printer shared in this office an so on.i want know i can do this limitation with create a vpn server . 12:31 < reiffert> "this" as in share permissions and rights with the help of openvpn among domain users? 12:33 < mahdi_ja> reiffert: no,i want replace domain server and use openvpn for do task of domain controller. 12:34 < reiffert> mahdi_ja: sorry, but openvpn is a vpn server and not a domain controller. 12:34 < reiffert> !howto 12:34 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:37 < mahdi_ja> reiffert: thank you. 12:38 < reiffert> welcome 12:43 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn 12:43 < meshuga> !route 12:43 < vpnHelper> meshuga: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 12:51 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 13:21 -!- mahdi_ja [n=mahdi@80.191.138.7] has left ##openvpn [] 13:23 -!- Toinou_ [n=toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn 13:23 < Toinou_> hello 13:23 < ecrist> howdy 13:23 < Toinou_> Someone speak french or not? 13:24 < ecrist> probably not 13:24 < meshuga> so i'm having a problem where openvpn is only routing traffic to a few machines over the vpn. 
i am using /24's and only a few machines route 13:24 < ecrist> I understand and can speak very little, but we can try 13:24 < meshuga> all machines are pingable from each respective openvpn machine 13:24 < Toinou_> ecrist: ok thank 13:24 < ecrist> meshuga: see the channel topic 13:24 < meshuga> and i have turned off all firewalls and whatnot 13:25 < meshuga> ecrist: ya, i'm just doing static keys, and ccd shouldnt matter cuz some do pass 13:25 < Toinou_> I have problem to connect a client to my server 13:25 < ecrist> both of you, !configs and !logs 13:25 < ecrist> !configs 13:25 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:25 < ecrist> !logs 13:25 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 13:28 < Toinou_> Someone to help me to understand the error? 13:29 < ecrist> Toinou_: I need to see your log files, please? 13:30 < ecrist> we need to know what's not working and what your configuration is 13:30 < Toinou_> ecrist: which log files? 13:30 < meshuga> http://pastebin.com/m31f953f7 13:31 < meshuga> ecrist: there, I got the logs and the config in there 13:31 < meshuga> what i am doing is super simple 13:31 < meshuga> just trying to do a simple bi directional routed vpn 13:37 < ecrist> meshuga: you can't put a push "route" statement in a client config 13:37 < ecrist> you need to create a ccd, iirc 13:37 < ecrist> and set an iroute 13:37 -!- nn [n=irc@white.powder.nn2.us] has joined ##openvpn 13:37 < nn> how would i create a place-holder crl? 
13:38 < ecrist> nn, let me get you the command 13:38 < ecrist> openssl ca -gencrl -out $crl -config $config 13:39 < nn> ahh thanks 13:39 < ecrist> $crl is the file name for the crl and $config is the openssl.conf file 13:39 < nn> i searched around the howto but windows is being hateful 13:39 < nn> gotcha, thanks 13:39 < ecrist> that's not in the howto, iirc 13:39 < nn> next experiment will be making openvpn feed off ldap for certs ;) 13:40 < ecrist> let me know how that goes, and what you end up doing. 13:43 < nn> will do 13:43 < nn> i heavily use ldap+pkcs11 stuff here ;) 13:44 < meshuga> ecrist: well, then i cant use static keys and need to do tls and stuff like that. i've done this before with static keys 13:44 < meshuga> years ago 13:44 < meshuga> i dont care if i manually have to setup route lines 13:44 < meshuga> the odd part is, its only routing half of the traffic 13:45 < ecrist> I'm looking into the docs, but I'm sure it's the client lan that's not being routed, right? 13:45 < ecrist> oh, you can put iroute in the server conf, since static keys only have one client 13:46 < meshuga> here i'll go back to my config using just linux boxes (instead of the routers, which i ultimately want it to go on) 13:46 < meshuga> basically i have 192.168.0.x that has a dozen machines on it, and i can only ping like 4 of them thru the tunnel 13:47 < ecrist> ok, tcpdump may tell you where things are being dropped 13:47 < ecrist> if you can ping some machines, then the vpn portion is working 13:48 < nn> oie. windows 7 is having issues :( 13:49 < nn> it does not like the route stuff 13:50 < ecrist> windows 7 is in beta - expect spotty results 13:50 < Toinou_> ecrist: sorry to disturb you but i didn't know which log files you need to help me? 
13:50 < nn> it's working well except not liking the route set stuff ;)
13:50 < meshuga> http://pastebin.com/m7fe8195
13:50 < nn> it appears i may have remote the route push stuff and manually caress the routing table
13:50 < ecrist> Toinou_: are you running openvpn via the command line, or via init.d?
13:51 < meshuga> i ran 'arp' on the machine which .0.1 is connected to running openvpn, and then tried to ping the hosts from the other side of the tunnel
13:51 < nn> remove
13:51 < meshuga> and only half of them respond. no firewalls or anything blocking it
13:51 < meshuga> pasting in tcpdump now
13:51 < Toinou_> ecrist: command line
13:52 < ecrist> ok, I need to see all the output that comes on the command line.
13:52 < ecrist> first, though, I need to know your problem.
13:52 < Toinou_> ecrist: I can't connect to the server!!
13:52 < meshuga> tcpdump doesn't say where anything is dropped
13:52 < meshuga> i just pasted that into the same pastebin, at the top
13:53 < ecrist> Toinou_: ok
13:53 < ecrist> is it a server you made, or a company server?
13:53 < meshuga> it's like .0.1 isn't responding for certain machines to forward traffic from
13:53 < meshuga> which doesn't make sense
13:53 < Toinou_> ecrist: it's a server i made, it's for a project
13:54 < ecrist> Toinou_: read the following link, and let me know if everything is set up correctly:
13:54 < ecrist> !freebsd
13:54 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
13:55 < Toinou_> ecrist: toinou@toinou-portable:/etc/openvpn$ cd /etc/openvpn && sudo openvpn client.conf
13:55 < Toinou_> Wed Jan 14 18:51:19 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008
13:55 < Toinou_> Wed Jan 14 18:51:19 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
13:55 < Toinou_> Wed Jan 14 18:51:19 2009 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_C
13:55 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
13:55 < ecrist> Toinou_: don't paste here, please
13:55 < ecrist> pastebin.com
13:55 < ecrist> ok, did you make a certificate?
13:55 < ecrist> meshuga: looks like some clients may not know how to route back to the VPN
13:56 < Toinou_> ecrist: sorry, i'm a noob!!!
13:56 < ecrist> ok!!!!1!1!!
13:58 < meshuga> ecrist: shouldn't the default gateway handle all of that?
13:58 < Toinou_> ecrist: I made 3 certificates: 1 is the CA, 1 is the server certificate and the last is the client certificate
13:58 < meshuga> oh, so i should change the subnet mask for them to 255.255.0.0
13:59 < ecrist> sorry folks, I've gotta get back to work.
13:59 < meshuga> thanks for your help man
14:00 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has quit ["Leaving"]
14:21 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
14:38 -!- Toinou_ [n=toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Ex-Chat"]
14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:07 -!- imbezol [i=imbezol@igloo.bigfiber.net] has left ##openvpn []
15:17 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
15:20 < j_bsdxinu> hi, using FreeBSD VPN installed, when i run build-ca i get error: you must define KEY_DIR
15:32 < ecrist> j_bsdxinu: use ssl-admin instead
15:33 < ecrist> /usr/ports/security/ssl-admin
15:33 < ecrist> easy-rsa blows balls
15:33 < j_bsdxinu> i will try that
15:37 < j_bsdxinu> thanks
15:37 < ecrist> if you have questions, I'm the author
15:40 -!- andrer [n=andrer@200.130.18.1] has joined ##openvpn
15:40 < andrer> is there a way to use those usb security dongles (rsa keys) with openvpn?
15:41 < ecrist> yes and no
15:41 < andrer> ecrist: i can choose which answer I want? :) jk
15:41 < ecrist> you can write secondary authentication scripts for OpenVPN, usually for LDAP/etc. Just write one of those.
15:42 < andrer> but there is nothing built in... ok
15:45 -!- El_Presidente [i=Martin@p5798F41E.dip.t-dialin.net] has joined ##openvpn
15:46 < El_Presidente> hello, i want to allow my cousin to surf over my box, so i established a server on my pc. the vpn tunnel gets up but we can't set the default route
15:46 < El_Presidente> because his pc says the following
15:46 < El_Presidente> unable to redirect default gateway -- Cannot read current default gateway from system
15:47 < El_Presidente> he is online with an umts stick
15:48 < ecrist> google that error
15:50 < El_Presidente> i did ...
15:51 < El_Presidente> but i didn't find any suitable information for a windows pc ...
15:51 < El_Presidente> since my cousin uses windows
15:52 < ecrist> sorry, I've no idea
15:52 < El_Presidente> okay
16:04 < j_bsdxinu> ecrist, you are the author of ssl-admin?
16:04 < reiffert> El_Presidente:
16:04 < reiffert> !defl
16:04 < vpnHelper> reiffert: Error: "defl" is not a valid command.
16:04 < reiffert> !def1
16:04 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:05 < ecrist> j_bsdxinu: yes
16:05 < j_bsdxinu> ohh ok, thanks
16:06 < El_Presidente> reiffert, aha
16:06 < reiffert> !man
16:06 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:06 < reiffert> !howto
16:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
16:06 < reiffert> also check
16:06 < reiffert> !topology
16:06 < vpnHelper> reiffert: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
16:07 < reiffert> some interesting thing about windows and /30 subnet.
16:07 < El_Presidente> reiffert, i know ty ;)
16:07 < reiffert> however, adding def1 should fix the thing
16:07 < El_Presidente> you mean redirect-gateway def1 ...
16:07 < El_Presidente> ?
16:08 < reiffert> El_Presidente: I mean ... RTFM!
16:08 < El_Presidente> :D
16:08 -!- andrer [n=andrer@200.130.18.1] has quit ["Lost terminal"]
16:22 < krzie> lol
16:23 < El_Presidente> cu
16:23 -!- El_Presidente [i=Martin@p5798F41E.dip.t-dialin.net] has quit ["Leaving"]
16:27 < reiffert> You give 'em a hand, you point them to the right paragraph in the docs and all you get is "cu". And that's "lol"? Well.
16:28 < krzie> haha
16:28 < krzie> my lol was that he knew def1 goes with redirect-gateway and he couldn't just look at it in the manual which you had linked him to
16:31 < j_bsdxinu> ecrist, i am kind of new, what is this for? S) Create new Signed Server certificate.
16:31 < krzie> umm
16:32 < krzie> it's for creating a new server cert, and signing it
16:32 < krzie> i don't know how to say it better
16:32 < reiffert> Add "Self-" in front of Signed.
16:33 < ecrist> no
16:33 < ecrist> reiffert: it's not a CA certificate, it's a server certificate
16:33 < j_bsdxinu> so for openVPN i create one?
16:33 < krzie> doesn't have to be self-signed
16:33 < reiffert> Oh, right!
16:33 < reiffert> it's ca signed
16:34 < reiffert> krzie: remember that guy from korea with the T1 flat on a tree?
16:34 < krzie> tjz, right?
16:34 < krzie> or mrcuteo...?
16:34 < reiffert> Well .. I don't remember his nick ...
16:34 < krzie> i think 'twas tjz
16:34 < krzie> but ya
16:35 < reiffert> Which is what I'm looking for :)
16:35 < reiffert> l11: u there?
16:35 < krzie> ahh
16:35 < krzie> i think it's tjz, but COULD be mrcuteo
16:35 < l11> reiffert: pong
16:35 < reiffert> May I introduce you?
16:35 < l11> female?
16:35 < l11> :D
16:36 < reiffert> Channel, say hi to l11, he's lesbian :)
16:36 < krzie> lol no
16:36 < krzie> sup l11
16:36 < krzie> i'm a dyke trapped in a man's body
16:36 < l11> quoting marvin?
16:37 < l11> i suppose reiffert has a reason to introduce us. we just need to find out why
16:37 < reiffert> Hm, the no special reason reason!
16:38 < l11> he says that all the time
16:38 < krzie> l11 got any problems with your vpn?
16:38 < l11> ehm .. no, not in particular.
16:39 < l11> doesn't run in the most efficient way but that's not the fault of openvpn
16:40 < l11> reiffert and you are online buddies?
16:41 < reiffert> I am online buddies? if so, how many?
16:41 < reiffert> body count!
16:43 < l11> he's dangerous. i remember when i happened to be in the same place, he almost subjected me to a radioactive particle beam. luckily there was 30 inches of lead in between :)
16:44 < reiffert> That was me, u sure? Maybe ran out of alc that time?
16:45 < l11> maybe it was because you *didn't* :P
16:46 < reiffert> Well, maybe that big electron beam which is everything but a radioactive particle beam and we may start discussing "particle" here :)
16:47 < reiffert> l11 is dangerous as well, don't get to him too close, he probably will convert you into another forth zombie!
16:47 < reiffert> "don't get too close to him" sounds more english than vice versa
16:47 < l11> well, if throwing in a detector hamster fills the air with stench of roast meet it doesn't really matter whether it's electron beam or not (or the nature of particles)
16:47 < l11> meat
16:48 < l11> *fizzle*
17:04 < reiffert> krzie: did you record some movie of your naked girls yet^w^w^w^w beach sunrise yet?
17:04 < krzie> nah man i'm down to one girl for now
17:08 < reiffert> Lemme guess, wrong (=no) christmas presents?
17:09 < krzie> nah i think i fucked up by actually getting them gifts
17:10 < reiffert> which of them did you keep?
17:11 < krzie> my favorite
17:11 < krzie> #1
17:16 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn
17:19 < reiffert> Good night (Gute Nacht in German)
17:19 < reiffert> Spoken like Goote Nucht
17:20 < reiffert> l11: krzie likes to learn some german words for impressing his german neighbour
17:23 < l11> me too
17:26 -!- l11 is now known as Bushmills
17:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:05 < cylix> So I set up a vpn and it really isn't working. Yes there is no firewall and it does connect with no errors on log lvl 3. Configs here: http://solace.info/dump
18:05 < vpnHelper> Title: Index of /dump/ (at solace.info)
18:06 < cylix> oops flood apparently
18:06 < cylix> sorry
18:06 < cylix> Anyway. I was just saying I set up a vpn.
18:06 < cylix> client and server connect.
18:07 < cylix> no errors in logs.
18:07 < cylix> yet I can only ping local devices.
18:07 < cylix> configs and logs at http://solace.info/dump
18:07 < vpnHelper> Title: Index of /dump/ (at solace.info)
18:09 < cylix> everything is exactly like the example configs except the remote ip of course and tcp not udp. Though I did try udp.
18:11 < cylix> Ah the server is on a one-to-one nat I should mention also. So it does have an external ip.
18:12 * cylix quits talking to himself...
18:12 < ecrist> give me a couple minutes to look, sheesh
18:12 < cylix> ecrist, thanks so much.
18:12 < cylix> :-)
18:14 < cylix> ah just renamed all files on webserver so they pull with correct mime type. Please reload directory.
18:15 < ecrist> ok, no errors in logs, as you said. what do you mean, you can only ping local devices?
18:16 < cylix> so the tun device on the client has the ip 10.254.1.6
18:16 < cylix> that I can ping from the client
18:16 < cylix> same with server. I can ping 10.254.1.1
18:16 < cylix> nothing else.
18:16 < ecrist> can you ping, from the client, to 10.254.1.1?
18:16 < cylix> no
18:16 < cylix> only from server.
18:16 < cylix> nothing is crossing the bridge.
18:17 < ecrist> sounds like a firewall issue.
18:17 < cylix> let me ask this then. does the client need an external ip?
18:18 < cylix> because I run and have tested the firewalls on both sides and that is not an issue.
18:18 -!- AukeF [n=folkerts@fury.science.uva.nl] has quit [Read error: 145 (Connection timed out)]
18:18 < ecrist> no, the client doesn't need an external IP
18:18 < ecrist> what are you trying to ping from the client, the internet?
18:19 < cylix> I just want to ping the server over the bridge. so 10.254.1.1
18:19 < cylix> That would prove it was working.
18:19 < ecrist> ok, still sounds like a firewall issue
18:20 < cylix> would you like to look at my firewall also? :-)
18:20 < ecrist> nope
18:20 < cylix> There is none except on the cisco 2811 I have doing a 1-to-1 nat for the server.
18:20 < ecrist> I would recommend you take down your firewall for testing
18:20 < cylix> ok I'll try that.
18:21 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
18:22 < cylix> I was just surprised it could still be a firewall issue after the initial connection succeeds.
18:23 < ecrist> firewall on the server, as all vpn traffic will be encrypted and encapsulation
18:23 < ecrist> encapsulated*
18:23 < cylix> There is no firewall on the server. 100% disabled.
18:24 < ecrist> traceroute 10.254.1.1 from the client
18:27 < cylix> ok now that's weird.
18:27 < cylix> traceroute: unknown host 10.254.1.1
18:27 < ecrist> o.O
18:27 < cylix> routing table is just what I uploaded though.
18:27 < cylix> so it should at least get to the ppp tunnel.
18:27 < cylix> or at least the tun device.
18:30 < cylix> ok so with log lvl 5 started on the terminal. I at least see WR appear for every ping I send.
18:31 < ecrist> log level 6 show anything more?
18:31 < ecrist> tcpdump show the packets hitting the server?
18:31 < cylix> So it is getting to the tunnel at some point. Not getting anything back though.
18:31 < cylix> I will check that now. lvl 6 then dump
18:34 < cylix> ok so it sends the ping then I get "TUN READ [84]" but no ping response. setting up dump now.
18:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:46 < cylix> wow ok getting wireshark for windows.
18:47 < cylix> from the dump taken on the tun device on the client side though. It looks like all pings go out but none come back.
18:47 < ecrist> what do you see from a dump on the server side?
18:48 < cylix> I'm still working on that. just finished my wireshark download. one min.
18:52 < cylix> hmm well they are coming in on the server side but not going out.
18:52 < cylix> I guess this means the problem is on the server somewhere.
18:53 < cylix> yes interesting. when I ping from the server it doesn't go across the link.
18:53 < cylix> when I ping from the client it goes across the link but the server isn't sending back.
18:54 < cylix> got to be a server config issue now what could it be... lol. You're right, I would say firewall if I had one...
18:54 < ecrist> you're sure there's no firewall on the server?
18:57 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
18:57 < cylix> Well I'm checking again. :-)
19:00 < ecrist> I'm out for the night, I think.
19:01 < cylix> Well I do want to say a big thank you for your help. :-)
19:01 < cylix> Good night.
19:15 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:26 -!- jaysonsantos [n=jayson@189.102.240.246] has quit [Remote closed the connection]
19:49 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has left ##openvpn ["Leaving"]
19:52 < cylix> akk got it!!!
19:54 < cylix> Well if anyone else was reading and has had this problem please turn OFF the windows "routing and remote access".
19:57 * cylix Dances a little jig
20:00 < krzie> where do they turn it off?
20:00 < krzie> in services?
20:01 < cylix> well you could. I just went to the administrative tools and disabled it on the server from there. It does shut down the service though.
20:01 < krzie> where in administrative tools?
20:02 < cylix> routing and remote access.
20:02 < krzie> !learn winroute as you may need to turn off "routing and remote access" in administrative tools - routing and remote access
20:02 < cylix> That's the name of the menu entry.
20:02 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
20:02 < krzie> !learn winroute as you may need to turn off "routing and remote access" in administrative tools - routing and remote access
20:02 < vpnHelper> krzie: Joo got it.
20:02 < krzie> thanx
20:04 < cylix> so did you log it for a faq or something? what's that vpnHelper about?
20:04 < krzie> !winroute
20:04 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
20:05 < cylix> Ah I see cool.
20:05 < krzie> !factoids search win
20:05 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
20:05 < krzie> !wintaphide
20:05 < vpnHelper> krzie: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89, or (#2) To show again, set it to 0x81
20:05 < krzie> all kinds of info on that bot
20:05 < krzie> so us helpers can be lazy ;]
20:05 < krzie> also has stuff like this:
20:05 < krzie> !pastebin
20:05 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
20:05 < krzie> !logs
20:05 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
20:05 < krzie> !configs
20:05 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
20:06 < krzie> or my personal favorite...
20:06 < krzie> !insanity
20:06 < vpnHelper> krzie: "insanity" is doing the same thing over and over expecting different results
20:06 < cylix> LOL
20:06 < cylix> Being lazy is always a good plan when possible. :-)
20:09 < krzie> efficiently lazy as i like to call it =]
20:10 < cylix> Seems like your way is straight out of some unix books I read.
20:10 * cylix Likes unix.
20:10 < krzie> ya
20:10 < krzie> it's how i thought before i got into unix
20:10 < krzie> but it's a reason me and unix get along well ;]
20:13 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
20:46 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit ["got to run"]
21:16 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
21:16 < error404notfound> while creating certificates for openvpn using openssl, should I set passphrases on keys?
21:16 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
21:26 -!- bender[a] [n=OWinNOW@64.208.90.82] has joined ##openvpn
21:26 -!- bender[a] is now known as bender183
21:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 110 (Connection timed out)]
21:31 < ecrist> evening, bitches
21:31 < ecrist> error404notfound: personal preference
21:32 < ecrist> there's added security to having a passphrase on the certificate key, but it's usually lost as people put the passphrase into a text file for automating startup/shutdown of the tunnel
21:33 < meshuga> msg drmctchr hey what's up?
21:33 < meshuga> er
21:38 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Connection timed out]
21:38 < ecrist> wow, nmap 4.76 is really fast compared to older version
21:38 < ecrist> s
21:45 < krzie> agreed
21:46 < ecrist> I'm considering adwords for my wiki
21:47 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
21:47 < ecrist> ~88 unique ips/day, with ~466 page loads/day
21:48 < ecrist> 91039 page loads last year. not too high, but enough to maybe get me a hit.
21:49 < krzie> good idea
21:49 < krzie> but maybe you could leave it off the openvpn wiki
21:50 < krzie> since we're basically making it the unofficial (possibly official if that dude ever responds again) wiki
21:52 < ecrist> not a for-sure thing at this point, but if I did it, I think it would be site-wide
21:53 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 104 (Connection reset by peer)]
21:54 < ecrist> I could pull a dick move and advertise my site with google for OpenVPN. lol
22:00 < krzie> haha
22:05 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
22:09 < ecrist> what is your objection to ads on the openvpn pages?
22:10 < ecrist> I don't think we're going to hear back from francis
22:11 < ecrist> 2.5% of my hits this month came from a search engine query 'openvpn routing'
22:23 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:25 < krzie> nice!
22:26 < krzie> people hitting my writeup
22:26 < krzie> =]
22:26 < ecrist> yep
22:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:26 < krzie> i guess if they were small and unobtrusive i don't have an objection, but i just like the idea of giving help without advertisements
22:27 < krzie> plus ads would take away some of the possibility of getting random others contributing i think
22:27 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
22:27 < krzie> but so far it seems to be us contributing to that and the forum anyways
22:28 < ecrist> yep
22:28 < ecrist> I haven't seen him in a while
22:28 < krzie> him?
22:28 < ecrist> guy doing the forum
22:29 < krzie> oh dougy
22:29 < krzie> ya he's MIA
22:30 < ecrist> !tcp
22:30 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
22:35 < ecrist> ~319 page loads/day for ovpnforum.com
22:35 < ecrist> 40 unique visitors/day
22:35 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has quit [Remote closed the connection]
22:36 < ecrist> don't have logging turned up on that domain, will have to do so tonight
22:36 < ecrist> I'm out - l8r krzie
22:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:50 < krzie> later
23:13 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn
23:18 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 113 (No route to host)]
23:38 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
23:55 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
--- Day changed Thu Jan 15 2009
00:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
00:54 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
00:59 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
01:24 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
01:57 -!- dazoafk is now known as dazo
02:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:49 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
02:50 < metbsd> when i create server.crt, it's all empty
02:50 < metbsd> help needed
02:50 < reiffert> !howto
02:51 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:51 < reiffert> it's all in there
02:51 < metbsd> i used that howto, but the files index.txt, client.crt server.crt, are all empty with 0 size
02:51 < metbsd> is it normal?
02:56 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: dogmeat, disposable, disco-, zug_|work
02:56 -!- Netsplit over, joins: disposable
02:56 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn
02:57 -!- Netsplit over, joins: disco-
02:57 < metbsd> where do i define common name?
02:57 < metbsd> in vars
02:57 < metbsd> i'm doing stuff all wrong
02:57 < metbsd> cuz i don't know where to specify common name in vars
02:58 < reiffert> quoting the howto:
02:58 < reiffert> Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA".
02:58 < metbsd> oh explicitly entered!
02:58 < reiffert> oh, it's all in the howto!
03:00 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
03:28 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn []
03:38 -!- zug_|work [n=zug_work@88.211.97.126] has joined ##openvpn
03:46 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
03:56 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn
03:57 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
03:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
04:00 -!- ikevin_ [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has joined ##openvpn
04:04 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 60 (Operation timed out)]
04:06 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
04:07 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)]
04:16 -!- ikevin [n=kevin@ANancy-256-1-10-23.w90-13.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
04:31 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"]
04:33 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
04:51 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
04:57 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)]
05:01 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
05:23 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [""I'll see you on the dark side of the moon...""]
05:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:37 -!- zug|work [n=zug_work@88.211.97.126] has joined ##openvpn
06:48 -!- zug_|work [n=zug_work@88.211.97.126] has quit [Read error: 110 (Connection timed out)]
06:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
07:24 * ecrist wants to punch someone
07:26 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
07:27 < robert_> !route
07:27 < vpnHelper> robert_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
07:30 -!- dazo is now known as dazoafk
07:40 -!- c64zottel [n=hans@62.12.218.111] has joined ##openvpn
07:49 -!- dazoafk [n=dazo@nat/redhat/x-9b92f7f7f5391fc8] has quit ["Leaving"]
07:53 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
07:53 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn
08:15 -!- c64zottel [n=hans@62.12.218.111] has quit [Read error: 60 (Operation timed out)]
08:16 -!- c64zottel [n=hans@62.12.218.111] has joined ##openvpn
08:27 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has joined ##openvpn
08:27 < mndo> !route
08:27 < vpnHelper> mndo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
08:30 < c64zottel> !water
08:30 < vpnHelper> c64zottel: Error: "water" is not a valid command.
08:32 < ecrist> what are you hoping to find with !water?
08:35 < tjz> lol
08:41 -!- fialar [n=v@spoon.pkl.net] has joined ##openvpn
08:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:56 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
09:00 < aar0n> !route
09:00 < vpnHelper> aar0n: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:04 -!- mart_ian [n=mart_ian@pool-173-49-80-4.phlapa.fios.verizon.net] has joined ##openvpn
09:18 -!- c64zottel [n=hans@62.12.218.111] has left ##openvpn []
09:20 < mart_ian> hi folks. i have a situation that's got me scratching my head. i have a server (A) and a remote client (B) that is behind a firewall. i have two more clients (C & D laptops) that come and go. i want laptop C to be able to connect to any box on A's local net and B's local net. I want laptop D to only connect to A's local net. right now, i have everything going, except, i can't seem to prevent D from seeing B (and ...
09:20 < mart_ian> ... its local net). i have tried a variety of iptables rules on A and B, but nothing seems to reliably block D from B without blocking C (and A). any ideas on how to do this?
09:21 < fialar> A doesn't see traffic between B and C?
09:22 < ecrist> mart_ian: you need to set this up in one of two ways:
09:22 < mart_ian> i can't seem to get tcpdump/tshark to admit anything's going on.
09:22 < mart_ian> (on server A)
09:23 < ecrist> assign C an IP in a range that can see both networks via a push for each subnet or
09:23 < ecrist> use a firewall on the OpenVPN machine to restrict the access for specific clients
09:23 < fialar> ecrist: I think he's trying the latter
09:23 < fialar> machine A is the server, right?
09:23 < mart_ian> right.
09:23 < fialar> tcpdump running on machine A doesn't see traffic between B and C?
09:24 < mart_ian> correct.
09:24 < fialar> weird.
09:24 < fialar> does tcpdump not listen on tun0 properly in linux?
09:24 < mart_ian> ecrist: i was attempting your second idea, but can't seem to find the right foo to make it work.
09:26 < ecrist> do it in a couple steps.
09:26 < ecrist> 1) does the connection between A and B work flawlessly?
09:26 < mart_ian> yes
09:27 < ecrist> 2) does the connection between A, B, and C work flawlessly?
09:27 < mart_ian> yes
09:27 < ecrist> ok, so you must have client-to-client enabled within your server config, good.
09:27 < mart_ian> yes.
09:27 < ecrist> now, what OS are you running on the server?
09:28 < mart_ian> linux on all
09:28 < ecrist> the clients don't matter
09:28 < mart_ian> ok
09:28 < ecrist> I'm not going to be able to help you with firewall specifics, but you need to assign static IPs to your VPN clients (IPP is OK) and create a rule to block traffic on tun0 from D to B
09:29 < mart_ian> that's what i (thought i) did.
09:29 < ecrist> OpenVPN was written to allow kernel hooks into the tun driver, which would allow firewalls to operate correctly.
09:29 < mart_ian> but it didn't seem to block anything.
09:30 < mart_ian> when i run tcpdump on A, it doesn't seem to notice the traffic from D to B, even though it necessarily should be going through tun0
09:30 < ecrist> what interface are you watching traffic on?
09:30 < mart_ian> i've tried them all.
09:30 < fialar> tcpdump -i tun0 -n
09:30 < mart_ian> as well as tcpdump -n
09:33 < fialar> ecrist: OpenVPN uses star topology right? All traffic between clients has to pass through the server?
09:37 < ecrist> yes
09:40 < fialar> hmm tcpdump on openbsd works listening to tun1 (what I have openvpn running on)
09:40 < fialar> ecrist: what IPs would mart_ian have to block?
09:41 < fialar> because each client has its own /30
09:42 < ecrist> the client IPs - the rest don't matter
09:42 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit [Read error: 145 (Connection timed out)]
09:42 < fialar> not the P-t-Ps?
09:42 < fialar> ok 09:42 < fialar> mart_ian: might want to turn logging on those FORWARD rules 09:45 < fialar> I'd test here but can only connect one client to the openvpn server here 09:46 < mart_ian> i have FORWARD policy set to DROP with no exceptions. it's still passing through. 09:47 < fialar> I connected a client, then pinged .1 and got: 15:50:00.861173 10.0.51.6 > 10.0.51.1: icmp: echo request (DF) 09:47 < fialar> so that works 09:47 < fialar> that's tcpdump listening on tun1 09:50 < fialar> mart_ian: if you ping .1, does tcpdump on server A see it? 09:51 < mart_ian> from D? 09:52 < mart_ian> from D, it sees it on tun0 09:53 < mart_ian> that is, pinging from D, watching on A:tun0 09:54 < fialar> D pinging A (A= .1) 09:54 < fialar> ah ok 10:36 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 10:41 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."] 10:44 < ecrist> mart_ian: I think I figured out your problem 10:45 < ecrist> you're using linux 10:45 < mart_ian> that's usually my solution... 10:45 < ecrist> FreeBSD FTW 10:45 < mart_ian> not really an option. 10:48 < ecrist> why not? 10:49 < ecrist> I'm not actually suggesting you need to change your OS, keep in mind. 10:49 < ecrist> just making at dig at Linux's fail 10:49 < mart_ian> O_o 11:01 < ecrist> o.O 11:01 < ecrist> \o/ 11:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 11:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:30 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 11:33 < error404notfound> can someone tell me what's going wrong here: http://pastebin.com/m409260be 11:33 < ecrist> it's not able to verify the certificate 11:35 -!- nicon [i=n@tiberium.net.pl] has joined ##openvpn 11:35 < error404notfound> ecrist: both certificates were generated using the same ca 11:35 < nicon> Hi all 11:36 < nicon> I've got problem. 
I have server (on debian => openvpn) in one place and client (wrt54gl with tomato) in second place 11:36 < nicon> Everythings works almost fine... 11:37 < nicon> The problem is that I can't see computers in group at windowses in second place. 11:37 < nicon> I can "join" 'em only by typing the name of server by hand (for eg: \\name-of-computer) 11:37 < ecrist> error404notfound: probably a problem with the certificate generation or file format 11:38 < nicon> What did I make bad? 11:38 < ecrist> nicon, you need bridging rather than routed, and it's more complicated to set up 11:38 < error404notfound> anyone know of an easy method to this all openssl stuff? 11:38 < nicon> ecrist: it is seted to bridge 11:38 < nicon> not to route. 11:39 < ecrist> you local LAN and remote LAN need to use the same IP space 11:39 < nicon> ecrist: and yes, it use the same IP space (192.168.10.*) 11:39 < nicon> the srv is 192.168.10.1, the client is 192.168.10.2 11:40 < nicon> And it's in the same work group. 11:41 < nicon> I want computers from first place be viewed in second place and in retreat 11:41 < nicon> (in work group computers) 11:57 < nicon> Any idea? 12:08 -!- error404notfoun1 [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 12:11 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 60 (Operation timed out)] 12:11 -!- error404notfoun2 [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 12:14 -!- error404notfoun1 [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 60 (Operation timed out)] 12:15 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 12:20 < fialar> hey ecrist 12:20 < fialar> guess what? 12:20 < ecrist> what? 
12:20 < fialar> openvpn bypasses iptables firewall on linux 12:20 < fialar> I just did some tests 12:20 < ecrist> lol 12:20 < fialar> my FORWARD policy is set to DROP 12:20 < fialar> yet vpn traffic is passed 12:20 < fialar> weird 12:20 < fialar> this doesnt happen on openbsd 12:20 < fialar> pf stops that stuff cold 12:20 < ecrist> or freebsd 12:20 < fialar> unless you let it in 12:21 * mart_ian whacks openvpn with a bsd slice 12:21 < mart_ian> *sigh* 12:21 < ecrist> must be how the linux kernel orders filtering 12:21 < fialar> wow.. talk about gaping network security hole 12:29 -!- error404notfoun2 [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Success] 12:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:34 < ecrist> wonder if it's something that changed in the linux kernel recently 12:34 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Connection timed out] 12:36 < fialar> ecrist: with the insane kernel development model they got going these days, I wouldn't be surprised 12:36 * fialar preferred 2.4/2.5 separate branch type development.. at least back then things were more stable 12:36 < fialar> biggest mistake Linus ever did was merge stable and development (or -stable/-release and -current) 12:46 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:56 < ecrist> that, among other things, is why I'm not a linux user 12:58 < fialar> I'd run openbsd on this asus eee, but no support for wireless yet. 12:58 < fialar> damn atheros chipset 13:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:08 < nicon> no1 will help me? :P 13:16 -!- rodpod [i=rod@hick.org] has quit [Read error: 113 (No route to host)] 13:23 -!- silver_hook [n=matija@lk.84.20.246.165.dc.cable.static.lj-kabel.net] has joined ##openvpn 13:23 -!- nicon [i=n@tiberium.net.pl] has left ##openvpn [] 13:25 < silver_hook> Hullo. 
I'm wondering what supposedly makes Hamachi superior to OpenVPN. 13:37 < cpm> didn't know it was. 13:38 < cpm> hamachi, closed ransomware, openvpn, , well, , , open. 13:38 < cpm> wasn't aware there was a comparison. 14:01 < silver_hook> Avahi/Zero-conf? 14:01 < silver_hook> P2P? 14:02 < silver_hook> I'm new to VPN, but I'd rather not use a closed-source application to handle such things... 14:05 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)] 14:14 -!- nemo [i=nemo@c-76-21-160-106.hsd1.md.comcast.net] has joined ##openvpn 14:15 < nemo> Say folks. Does anyone know if it is feasible to setup Aventail w/ openvpn? 14:22 < nemo> hm. my bet is "no" on openvpn, from reading. 14:25 < ecrist> I don't know what Aventail is 14:27 < nemo> VPN solution, owned by SonicWall 14:27 < nemo> to their credit, they have a linux client 14:28 < nemo> I'd just like to integrate it with NetworkManager instead of using their client 14:28 < nemo> so far, haven't had much like w/ either nm-vpnc or nm-openvpn - just poking at various config params. 14:36 < ecrist> oh, no, OpenVPN is only compatible with OpenVPN 14:39 < nemo> got that impression from fact that it seemed to require a cert :) 14:39 < nemo> thnx. 14:39 -!- nemo [i=nemo@c-76-21-160-106.hsd1.md.comcast.net] has left ##openvpn [] 14:40 < silver_hook> Alright. I'm still trying to figure out what added value of Hamachi should be over OpenVPN... Could it be the P2P and Zero-conf/Avahi support? 14:42 < ecrist> silver_hook: the advantage is marketing 14:42 < ecrist> that's all 14:42 < silver_hook> ecrist: Makes sense ;) Just as Skype over SIP :P 14:42 -!- mart_ian [n=mart_ian@pool-173-49-80-4.phlapa.fios.verizon.net] has left ##openvpn [] 14:42 < ecrist> right 14:43 < silver_hook> Is there a HOWTO somewhere where how I can make a tunnel for filesharing with some other box? 
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:03 < Bushmills> silver_hook: when you have setup openvpn to connect with another box, you *have* a tunnel. what kind of services you run over the tunnel, the tunnel doesn't care. 15:04 < Bushmills> i suppose you want to look into some sort of routing-howto 15:04 < silver_hook> Bushmills: So, basically the VPN just makes a tunnel and both boxes still need to run appropriate daemons and services? 15:05 < silver_hook> And VPN only makes sense, when one box is otherwise not directly accessible? 15:06 < Bushmills> silver_hook: that is correct 15:06 < Bushmills> first statement is. 15:06 < Bushmills> second is debatable 15:06 -!- Bausparfuchs [n=jochen@88.134.230.128] has joined ##openvpn 15:08 < silver_hook> Bushmills: What would say for for using VPN even when both boxen can communicate directly? 15:09 < Bushmills> elimination of man in the middle 15:10 < Bushmills> imagine using plaintext password on one machine from the other. 15:11 < silver_hook> Mhm... 15:11 < silver_hook> Where does then Avahi and P2P come in then? 15:12 < Bushmills> no idea. you tell me. 15:13 < Bausparfuchs> hi @all have a problem to set up a vpn cnnection via openvpn (actually with the networkmanager-vpn plugin of gnome) The problem is to undestand the different "connection types" and the files i have to create or specify in the gui. The only information that i got from my university for the vpn are a group passwort, a server address, a group name and a username + password. Additionally the connection is a "ipsec over tcp" connection. The TCP 15:13 < Bausparfuchs> Connection i can switch on in the options, but now i dont know which connection tyoe i have to choose and which file(s) i have to write 15:15 < Bushmills> Bausparfuchs: are you supposed to connect to an openvpn server? 
15:16 < Bausparfuchs> Bushmills: no, i dont think so, the university provides only the cisco client for windows but the linux-version makes some trouble on my pc so i decided to try openvpn 15:17 < Bushmills> if there's no openvpn on the other end, you can't connect to it with openvpn on your box. 15:17 < silver_hook> Bushmills: I dunno. That's what I wonder about Hamachi ...it's supposed to be a Zeroconfig VPN and with some P2P stuff in between. 15:18 < Bushmills> try to connect with wolfenstein castle 15:18 < Bushmills> i guess the chances of success are comparable 15:19 < silver_hook> But, if I understand correctly so far ...it's just a VPN. Although I have no idea what Zeroconfig/Avahi and P2P have to do with VPN... 15:20 < Bushmills> silver_hook: "VPN" is a generic name. like "computer", but you appreciate that there are different kinds of (incompatible) computers? same with VPNs 15:21 < silver_hook> OK ...makes sense so far. 15:21 < silver_hook> Like with P2P there's many networks or with IP telehones, right? 15:21 < Bausparfuchs> Bushmills: oh so ovenvpn only works with openvpn. that was new to me. thanks 15:22 < Bausparfuchs> then i have to fall back with vpnc and hope it will work 15:22 < Bushmills> silver_hook: there's probably more types of VPN than there are of ip phones... 15:22 < silver_hook> And they're mostly incompatible? 15:23 < Bushmills> yes. that's more the rules than the exception. 15:23 < Bushmills> rule 15:24 -!- Bausparfuchs [n=jochen@88.134.230.128] has left ##openvpn ["Konversation terminated!"] 15:26 < silver_hook> OK. So far I understood that it's practical to have a tunnel when the other box is behind NAT or there are proxies in between. But what other middle man are you talking about? 15:27 < Bushmills> silver_hook: middle man as in eavesdropper 15:31 < silver_hook> Bushmills: Aha. What about TOR then in such cases? 15:33 < Bushmills> tor uses a different architecture. 
it has a different purpose too, that is, hiding the relation between origin and destination. 15:34 < Bushmills> openvpn doesn't hide the relation between server and client. but it obscures the nature and contents of traffic 15:35 < silver_hook> I know what TOR is for, but wonder why I'd use (Open)VPN instead for more security. 15:36 < silver_hook> Bushmills: Well, I think I understand things a lot better now, thanks :) 15:37 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 15:37 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 15:37 < Bushmills> you might have control over both ends of the connection, but not over the the path in between. that's where openvpn is more suited than tor. 15:39 < Bushmills> other uses are, you might want to connect to a mobile device, not matter where it connected. with openvpn, you can reach that device on a static ip address. 15:40 < silver_hook> Bushmills: Mhm, makes sense all of it so far.. 15:40 < Bushmills> and many folks love that connections over openvpn stay alive even if the physical connection was dis- and reconnected 15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)] 15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 15:52 < silver_hook> That also sounds pretty cool :] 15:53 < silver_hook> I think I'm packed with info for now ;) 15:57 < silver_hook> Thanks, Bushmills! 
Right now I don't seem to have dire need of VPN, but at least now I know enough to know when I will and where to look at then :) 16:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)] 16:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 16:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 16:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)] 16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 16:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 16:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 16:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 16:21 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 16:22 -!- silver_hook [n=matija@lk.84.20.246.165.dc.cable.static.lj-kabel.net] has quit ["studying law..."] 16:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 16:27 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 16:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 17:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:13 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 19:35 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn 19:39 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 19:41 -!- simplechat 
[n=simplech@unaffiliated/simplechat] has quit [Read error: 113 (No route to host)] 19:44 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn 19:45 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn 19:52 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 19:55 < ecrist> what's with all the dropped connections? sheesh 19:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 20:09 -!- rodpod [i=rod@hick.org] has joined ##openvpn 20:09 -!- deltaray2 [n=deltaray@1.79.244.66.sdsl.sta.smithvilledsl.net] has joined ##openvpn 20:12 < deltaray2> I am deploying some servers on different networks, but would like to have them use a private and secure network of their own to talk to each other in addition to having public IPs. Is openvpn the right solution for that or should I be looking at something else? 20:21 < reiffert> openvpn is your thing 20:21 < reiffert> !howto 20:21 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:22 < deltaray2> thank you 20:22 < deltaray2> I guess I think of VPN as something that home clients use to connect to work, but I suppose that's not much different than a server connecting into a larger network. 20:24 < reiffert> You can have a bridged and a routed setup 20:25 < deltaray2> Ok, so openvpn does either one? I thought it only did routing. 20:25 < deltaray2> I'm still reading through the FAQ 20:25 < reiffert> Welcome! 20:25 < reiffert> I'm off to bed, it's 03:30 here 20:31 < ecrist> deltaray2: what OS? 20:32 < ecrist> deltaray2: I suppose, regardless of OS, check out the following: 20:32 < ecrist> !freebsd 20:32 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 20:44 < cylix> Weird, Well I just found the source of my problems from yesterday. 20:44 < cylix> On windows 2003. 
when I get the vpn up it doesn't work. 20:44 < ecrist> firewall? 20:45 < cylix> nope 20:45 < cylix> it was routing 20:45 < cylix> the table was http://solace.info/dump/server.route.txt 20:45 < cylix> it needed one more entry 20:45 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 20:46 < cylix> that being 10.254.1.0 dest network 255.255.255.0 gateway 10.254.1.2 20:46 < cylix> I'm not sure why it wasn't put there by open vpn if its needed. 20:47 < cylix> windows routing put it there when I started it BUT didn't put it back after a reboot so it quit working. :-( 20:47 < cylix> It had me running circles. 20:49 < cylix> adding it as a static route seems to fix it with the reboot problem though. 20:50 < j_bsdxinu> ecrist, i installed openVPN and ssl-admin, i figure how to create client/signed certs, But how do a create a Server cert/signed? 20:53 < ecrist> there should be a menu option 21:09 < cylix> so is there an official mailing list for openvpn anymore? 21:10 < j_bsdxinu> ecrist, i get an error when selecting S) 21:10 < j_bsdxinu> Error Loading extension section server 21:15 < deltaray2> ecrist, CentOS Linux among others 21:17 < deltaray2> Actually, that howto will be useful because I do have one customer that uses FreeBSD. 21:17 < deltaray2> thanks 21:18 < j_bsdxinu> I am using FreeBSD 21:20 < j_bsdxinu> ecrist, There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 226, <> line 4. 21:25 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 21:25 < metbsd> hi need help about openvpn 21:25 < metbsd> if i want to connect two clients from two diff networks, what to put in server? 21:30 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"] 21:32 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 21:34 < j_bsdxinu> ecrist, this is what i get :( when using S) ... 
Error Loading extension section server 21:35 < j_bsdxinu> ecrist, There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 2 21:40 < ecrist> j_bsdxinu: I'll look into the error tomorrow. I'll let you know what comes of it. 21:40 < ecrist> cylix: yes, there is. 21:40 < ecrist> it's farily active, as I understand. 21:40 < ecrist> there's also a fairly new forum, ovpnforum.com 21:41 < ecrist> metbsd: client-to-client 21:41 < ecrist> g'night all 21:42 < j_bsdxinu> ok, thanks 21:48 < metbsd> vpn is so damn complicated 22:01 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"] 22:10 < metbsd> where do i put key file in windows openvpn? 22:15 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: pa, rodpod, ebf0, metbsd 22:15 -!- Netsplit over, joins: rodpod, pa, ebf0 22:16 -!- Netsplit over, joins: metbsd 22:17 < cylix> metbsd, where ever you have specified in the server or client config. 22:17 < cylix> se the ca, key, and cert options in your config. 22:20 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: pa, rodpod, ebf0 22:21 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: metbsd 22:22 -!- Netsplit over, joins: rodpod, pa, ebf0 22:46 -!- deltaray2 [n=deltaray@1.79.244.66.sdsl.sta.smithvilledsl.net] has left ##openvpn ["Leaving"] 23:31 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 23:39 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit [Remote closed the connection] --- Day changed Fri Jan 16 2009 00:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:55 < ricoshady> im using openvpn in openwrt and im having a cocnnection problem. the client hooks up to the server but then the handshake fails. 
00:58 < ricoshady> http://pastebin.com/m33e95fd7 00:58 < ricoshady> client config 00:59 < ricoshady> i mean the first is the server config 01:01 < ricoshady> client config: http://pastebin.com/m57f3c4ff 01:03 < ricoshady> server error output http://pastebin.com/m1530bd2a 01:14 < ricoshady> any ideas? im using keys built and test on another server/client pair 01:14 < ricoshady> cause I cant build them on my server 01:46 < ricoshady> very similar to what this person is experiencing 01:46 < ricoshady> http://forum.openwrt.org/viewtopic.php?id=4925 01:47 < vpnHelper> Title: OpenWrt / OpenVPN Problem (at forum.openwrt.org) 02:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:00 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 03:00 < joelsolanki> Hi room 03:01 < joelsolanki> when i start openvpn service on my server it gets IP 10.8.0.1 with subnet 255.255.255.252 03:01 < joelsolanki> and on client machine it gets ip 10.8.0.6 with subnet 255.255.255.252 03:01 < joelsolanki> so when i ping from client to server or vice versa i cant ping 03:01 < joelsolanki> is this subnet mask problem ? 03:03 < joelsolanki> by the way this is on windows machines 03:28 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 03:34 -!- fialar [n=v@spoon.pkl.net] has left ##openvpn [] 04:13 < Bushmills> joelsolanki, yes. try 255.255.255.248 04:25 -!- worch [i=worch@battletoad.com] has joined ##openvpn 04:25 < worch> !route 04:25 < vpnHelper> worch: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 04:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 04:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:46 < worch> to my vpn server, two clients connect, which are my laptop and my home router. 
I've the router's subnet routed so that I can connect to other clients in my router's LAN from my laptop or server. Now when I'm home, my laptop is _also_ a client on my router's LAN in addition to my vpn. This is causing some problems, which I'm unsure how to resolve. For example, when I'm at home and I try to ping my laptop (as a client on the router via the ip on the router's 04:47 < worch> The result is that the server receives a packet from the laptop with a source ip that it does not expect, so it is dropped. How should I fix this? 04:48 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has joined ##openvpn 04:48 < worch> It took me about half a day to figure out why things were acting so strangely :p 04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:04 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 06:54 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 08:11 < ecrist> good morning, bitches 08:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 08:14 * j_bsdxinu celebrates as ecrist is here :) 08:14 < ecrist> uh oh 08:17 * j_bsdxinu is now disappointed uh oh does not sound good 08:27 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit ["Leaving"] 08:31 -!- ebf0- [n=ebf0@87.238.45.168] has joined ##openvpn 08:40 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Read error: 113 (No route to host)] 08:40 -!- ebf0- is now known as ebf0 09:04 -!- S7 [n=yury@84.108.50.0] has joined ##openvpn 09:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 09:11 < S7> Hello, I can't get the openvpn client connect to the server, getting: us=21651 TLS Error: Unroutable control packet received from 84.108.127.43:1194 (si=3 op=P_CONTROL_V1) repeatadly 09:11 < S7> server: http://pastebin.com/m5759f6f7 (OpenVPN 2.1_rc15 
amd64-portbld-freebsd7.1 [SSL] [LZO2] built on Jan 16 2009) client: http://pastebin.com/m59afd697(OpenVPN GUI 1.0.3) clocks seemes to be synched, openssl returns cert is ok 09:19 < ecrist> j_bsdxinu: why're you excited I'm here? 09:20 < ecrist> S7: what does google tell you about the error? 09:20 < S7> sync the clock. 09:20 < S7> it synced ;\ 09:24 < ecrist> S7: read this thread: http://osdir.com/ml/network.openvpn.user/2003-09/msg00010.html 09:25 < vpnHelper> Title: Re: TLS handshake failed?: msg#00010 network.openvpn.user (at osdir.com) 09:39 < j_bsdxinu> ecrist, im having problems creating a Server cert with ssl-admin :( -- i get this when sel menu S) 09:39 < j_bsdxinu> Error Loading extension section server 09:39 < j_bsdxinu> There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 226, <> line 3. 09:39 < ecrist> ok, let me look into it now. 09:40 < S7> ecrist, thanks 09:40 < S7> but it wasn't that 09:40 < S7> i've added 09:40 < S7> duplicate-cn and now it works 09:40 < ecrist> ah, see you left out important details. 09:40 < ecrist> mainly, you've got multiple clients sharing the same certificate 09:41 < nn> uhoh 09:41 < S7> well, i have one client 09:41 < S7> and one server 09:41 < S7> i don't know how it related 09:41 < S7> i've also had the server cert 09:41 < S7> as a client cert 09:41 < S7> fixed that now too 09:42 < S7> actualy that was the main problem 09:42 < S7> but just when i've added duplicate-cn i've seen the real error 09:42 < S7> before that just had that Unrouted stuff 09:42 < S7> after i've added duplicate-cn it told me the cert is wrong 09:43 < ecrist> my guess is your certificate setup is borked. 09:43 < ecrist> but, glad you got it working 09:44 < S7> i had troubles with the scripts, since they in bash, so i've made them manualy, maybe got something broken in the way 09:45 < ecrist> you on linux? 
09:45 < S7> fbsd 09:45 < ecrist> ah, use ssl-admin 09:45 < S7> or i just could've install bash and save me the troubles =) 09:45 < ecrist> /usr/ports/security/ssl-admin 09:46 < ecrist> there's a problem with it, as j_bsdxinu has alluded to, which I'm working on now 09:46 < S7> i'll try that out, making certs by hand is kinda annoying 09:46 < ecrist> aye 09:47 < ecrist> I wrote ssl-admin - features/problems, let me know 09:49 < j_bsdxinu> yes i am using FreeBSD too. S7 even after i installed bash in fbsd then try their ez cert, it still did not work thats why i use ssl-admin 09:49 < ecrist> that's why I wrote ssl-adin 09:52 < ecrist> one of these days, I need to re-write this script. 09:52 < S7> j_bsdxinu, u can for now use sh 09:52 < ecrist> it currently uses system function to call the openssl program directly, whereas is should be using the perl SSL library 09:54 < S7> cd ~/easy-rsa/2.0/ ; mkdir ./keys/ ; touch ./keys/index.txt ; echo 01 > ./keys/serial ; sh ; . vars ; ./pkitool --initca ; ./pkitool --server server 09:55 < S7> it's very akward, but somehow worked at the end 09:57 < ecrist> ah, openssl.cnf is missing some things in the current port 09:58 < ecrist> I'll make available an updated version shortly and submit a pr to get the port updated. 10:00 < j_bsdxinu> S7, so thats how you can make it work with 'sh' 10:01 < ecrist> q 10:03 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection] 10:05 < ecrist> j_bsdxinu: fixed the problem. 10:06 < ecrist> I'll submit the PR shortly (takes a few days to update a port in freebsd repo), but you can download the one file that needs to be fixed at ftp://ftp.secure-computing.net/pub/ssl-admin/openssl.conf 10:06 < ecrist> put that file in /usr/local/etc/ssl-admin 10:06 < j_bsdxinu> ok, great thank you so much 10:07 < ecrist> np 10:15 < ecrist> krzie: hit me when you're around. I'm going to be working on some ssl-admin things today. Namely, build scripts for various OSes and some generic packaging. 
10:32 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has joined ##openvpn 10:42 -!- S7 [n=yury@84.108.50.0] has quit [] 10:52 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has joined ##openvpn 10:52 < ashley_> !route 10:52 < vpnHelper> ashley_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 11:08 < ecrist> krzie: your Makefile breaks in freebsd ports build 11:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:43 < j_bsdxinu> ecrist, http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/index.html 11:43 < vpnHelper> Title: FreeBSD Porter's Handbook (at www.freebsd.org) 11:43 < j_bsdxinu> may be of some interest to you 11:45 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has left ##openvpn [] 11:53 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has joined ##openvpn 12:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:04 < ecrist> j_bsdxinu: yeah, been there many times. 12:09 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 12:10 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has joined ##openvpn 12:11 -!- kpoman [n=kpoman@200.181.12.180] has joined ##openvpn 12:11 < kpoman> hello to all guys ! 12:12 < kpoman> I am having a very strange problem on a particular linux box openvpn client, but with exactly the same conf on windows it works out of the box. 
12:12 < kpoman> On linux, it tries many times to connect, giving TLS HMAC authentication errors (a random amount of times) then connects 12:12 < kpoman> and stays connected 12:15 < kpoman> I get this: TLS Error: incoming packet authentication failed from 12:15 < kpoman> then Fatal TLS error (check_tls_errors_co), restarting 12:15 < kpoman> and this: SIGUSR1[soft,tls-error] received, client-instance restarting 12:16 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn 12:16 < bigjohnto> can you have openvpn gui execute a batch script after it completes the connection to a vpn process? 12:17 < kpoman> can someone help me please ? I recompiled openssl, openvpn, both sides, same version of all, and still get it. The problem is sometimes it connects really fast (first try) and others it tries during more than one hour 12:19 < ecrist> bigjohnto: that's a function of OpenVPN, yes. 12:19 < ecrist> the GUI isn't what does it, it's the main binary 12:19 < ecrist> this is defined with --up and --down in your config file 12:20 < ecrist> see the howto for more information 12:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 12:30 < bigjohnto> ecrist thanks :) 12:30 < tjz> any idea beside port 1194 udp ..what other port should i open in my firewall? 12:32 < j_bsdxinu> ecrist, i created a serv cert thanks, by the way at first i try to change all indexes to 01 so it will restart the count but fail each time. once i deleted and re-installed ssl-admin it worked correctly 12:32 < ecrist> um, you don't want to re-start the index counter. 12:33 < j_bsdxinu> yes, i figure that the hard way :( 12:33 < ecrist> if you do that, and re-use the same certificate, you have duplicate certificate IDs out there, and it's impossible to discretely revoke them. 
12:35 < j_bsdxinu> ok, good thing i had only created two which are now deleted from clients then recreated with the new install ;)
12:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:44 < ecrist> j_bsdxinu: it's going to be a bit before I send fbsd pr.
12:44 < ecrist> I've got some major ports building fun to read up on
12:47 < kpoman> any idea about my problem ?
12:47 < kpoman> thank you !
13:02 < ecrist> kpoman: I need logs, please
13:07 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn
13:08 < Kobaz> okay, so what's the proper subnetting for routed (tun) clients
13:08 < Kobaz> i see in the faq that each client gets a /30
13:09 < Kobaz> but with all my setups so far i've only left space for 2 ips per client (the client ip and the server endpoint ip)
13:10 < Kobaz> like 10.1.2.1 is the server, and then i would do "ifconfig-push 10.1.2.3 10.1.2.4" on each client
13:10 < Kobaz> is that proper
13:11 < ecrist> no
13:11 < ecrist> a /30 has 4 ips, not 2
13:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
13:21 -!- rubydiamond [n=rubydiam@123.236.183.158] has joined ##openvpn
13:22 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
13:22 < El_Presidente> hello
13:22 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has quit ["Spare me some sleep, please."]
13:24 < El_Presidente> i have a problem setting up my vpn properly i have my pc 192.168.178.23 my router 192.168.178.1 and my cousin's pc that should be allowed to surf on my internet, my pc should be the vpn server since i use a fritzbox and dont want to flash it with an openvpn firmware
13:24 < El_Presidente> this is my server config
13:24 < El_Presidente> http://pastebin.ca/1310252
13:25 < El_Presidente> and here comes my client config
13:25 < El_Presidente> http://pastebin.ca/1310273
13:25 < El_Presidente> the vpn connection builds up
13:25 < El_Presidente> but i cant ping him or he cant ping me nor surf
13:25 < El_Presidente> any suggestions?
13:25 < ecrist> 1) do you have client-to-client?
13:26 < El_Presidente> do i need that if my local pc is just the server ?
13:26 < El_Presidente> and there is just one client
13:26 < ecrist> if you want VPN clients to ping each other, you need it
13:26 < ecrist> and, for the vpn clients to get access to the internet, you need to have a properly configured NAT
13:27 < El_Presidente> okay ...
13:27 < El_Presidente> 1. to client-to-client
13:27 < El_Presidente> server config?
13:28 < ecrist> yep
13:28 < El_Presidente> okay done
13:28 < El_Presidente> so now to the nat
13:28 < El_Presidente> what do i need to do there
13:29 < El_Presidente> i opened port 10000 on my router for my pc to enable the vpn connection
13:29 < El_Presidente> what else do i need
13:29 < ecrist> openvpn doesn't do NAT. for that, you need another piece of software. your gateway may be able to handle that for you.
13:30 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
13:30 < ecrist> if I were you, i'd setup a bridged VPN, rather than routed, and assign IPs from your lan subnet
13:30 < El_Presidente> what gateway?
13:30 < ecrist> then your NAT setup is already done
13:30 < El_Presidente> isnt my config bridged?
13:30 < El_Presidente> because it says that i bridge tap0 with eth0
13:30 < ecrist> oh, yeah it is.
13:31 < ecrist> why are you 'push route 0.0.0.0 0.0.0.0 192.168.178.1'?
13:31 < El_Presidente> dont i need that?
13:31 < ecrist> for what?
13:31 < El_Presidente> 192.168.178.1 is my router to get my pc to internet
13:32 < ecrist> does your setup work?
13:32 < El_Presidente> what setup?
13:32 < ecrist> nevermind
13:32 * ecrist goes away
13:32 < El_Presidente> :(
13:32 < El_Presidente> well my pc is 192.168.178.23
13:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:35 < reiffert> El_Presidente:
13:35 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:35 < reiffert> server.config. remove #
13:35 < reiffert> push "route 0.0.0.0 0.0.0.0 192.168.178.1"
13:35 < El_Presidente> i did that now
13:36 < reiffert> El_Presidente: please show us the script that sets up your bridge
13:36 < El_Presidente> you mean myroute.cmd ?
13:37 < reiffert> You are using dev tap which is for using a bridged setup. Show us how the bridge gets setup on the server side please.
13:37 < El_Presidente> you want the server config?
13:37 < El_Presidente> http://pastebin.ca/1310252
13:37 < reiffert> Your server config is at http://pastebin.ca/1310252
13:38 < El_Presidente> yes ...
13:38 < reiffert> Why are you using "dev tap"?
13:38 < El_Presidente> well i thought its right
13:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:39 < reiffert> El_Presidente: please step back to http://openvpn.net/index.php/documentation/howto.html and reread the parts that are talking about tun vs. tap
13:39 < vpnHelper> Title: HOWTO (at openvpn.net)
13:39 < El_Presidente> kk
13:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:40 < reiffert> El_Presidente: and if you still think that ethernet bridging is best for you, follow the "Ethernet bridging" link
13:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:40 < reiffert> Also check out http://openvpn.net/index.php/documentation/faq.html#bridge1
13:40 < vpnHelper> Title: FAQ (at openvpn.net)
13:41 < reiffert> That faq brings up the differences between routing and bridging.
13:48 -!- Nucular [n=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
13:55 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has quit [Nick collision from services.]
13:55 -!- Nucular is now known as El_Presidente
13:55 < El_Presidente> ok back
13:56 < El_Presidente> reiffert, you were right i forgot to bridge both connections on my pc
13:56 < El_Presidente> now i did
13:57 < El_Presidente> but now i get an error when i try to start the server
13:57 < El_Presidente> Fri Jan 16 20:58:22 2009 NOTE: could not get adapter index for {D0A9BA3A-874F-48
13:57 < El_Presidente> 65-8ACD-6DAB95ECC17C}
13:58 < reiffert> the bridging takes place on the server side.
13:59 < El_Presidente> yes
14:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:01 < El_Presidente> i bridged my tap0 with my lan connection to my router
14:01 < El_Presidente> thats right reiffert ?
14:02 < reiffert> Was it explained like this in the howto?
14:02 < El_Presidente> yes
14:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:02 < reiffert> sounds like windows, try a reboot.
14:03 < El_Presidente> kk
14:03 < reiffert> and remove the redirect-gateway for a while from the server config.
14:04 < reiffert> You can add that later
14:06 < El_Presidente> ok
14:07 < El_Presidente> its really strange that the tap device doesnt go up
14:07 < El_Presidente> brb
14:07 -!- El_Presidente [n=Martin@p5798F5A5.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
14:10 < kpoman> hey guys
14:10 < kpoman> someone knows about HMAC tls problems authenticating ?
14:11 < kpoman> please, need help, is been 1 week trying to diagnose
14:11 < kpoman> recompiling tls, etc...
14:12 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
14:12 < El_Presidente> reiffert, same error
14:13 < reiffert> once again pls
14:14 < kpoman> I have the same bug as this guy had: http://openvpn.net/archive/openvpn-users/2005-04/msg00455.html
14:14 < krzee> !hmac
14:14 < vpnHelper> Title: [Openvpn-users] Just another "Authenticate/Decrypt packet error: packet HMAC authentication failed" (at openvpn.net)
14:14 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:14 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:14 < kpoman> please need somehelp
14:14 < krzee> comment tls-auth to prove it is the real problem or not
14:15 < El_Presidente> reiffert, what once again?
14:15 < reiffert> Paste the error message, maybe someone else already knows about it
14:17 < El_Presidente> ok
14:17 < El_Presidente> it seems openvpn doesnt find the tap device
14:17 < El_Presidente> Fri Jan 16 21:15:44 2009 TAP-WIN32 device [tap-bridge] opened: \\.\Global\{D0A9B
14:17 < El_Presidente> A3A-874F-4865-8ACD-6DAB95ECC17C}.tap
14:17 < El_Presidente> Fri Jan 16 21:15:44 2009 NOTE: could not get adapter index for {D0A9BA3A-874F-48
14:17 < El_Presidente> 65-8ACD-6DAB95ECC17C}
14:19 -!- kpoman [n=kpoman@200.181.12.180] has quit ["Lost terminal"]
14:19 < reiffert> give that a try: Delete the bridge, remove all tap adapters with the help of those shell scripts that came with openvpn (delinterface.bat or similar, have a look in the bin directory), uninstall openvpn and install openvpn once again.
14:19 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has quit ["Leaving"]
14:20 < El_Presidente> reiffert, i think its because the tap device is not in my "ipconfig" anymore
14:20 < El_Presidente> it just shows the bridge
14:21 -!- kpoman [n=kpoman@200.181.12.180] has joined ##openvpn
14:21 < kpoman> krzie: thanks ! I commented tls-auth etc... it works well without tls-auth. However it works well on windows with tls-auth, but not on linux
14:22 < kpoman> I mean the client
14:22 < kpoman> i got all the time HMAC auth errors
14:34 < ecrist> hrm, krzee, you done any upgrades from fbsd 6.3 to 7.1?
14:34 < ecrist> I've got one system now, out of 7 upgraded, that coredumps sshd after the upgrade.
14:43 < krzee> nope
14:44 < krzee> i never upgrade across major versions
14:44 < krzee> ever since fbsd4
14:44 < krzee> i still have that stuck in my head
14:44 < krzee> even tho its much easier than it was from 4 to 5
14:44 < ecrist> 4 to 5 was easy, imho. it was 5 to 6 that blew
14:45 < krzee> either way, nope, i just reinstall
14:46 < krzee> same with osx / windows even
14:46 < krzee> major version upgrades are my excuse for a format
14:48 < bigjohnto> ok something really weird, i have a batch script that runs when openvpn connects, this batch script finds the vpn ip and then sets a variable with that ip address.... what is weird is that whether from the cmd prompt or from the batch script, if the vpn is up and running, the setx command hangs..... once i disconnect the vpn session and the lan connection for the vpn shows as "cable disconnected" the setx command works perfectly..
14:49 < El_Presidente> reiffert, i think the problem is gone now
14:49 < reiffert> El_Presidente: how is that?
14:49 < El_Presidente> i told the tap adapter that its always connected
14:50 < El_Presidente> now i get the connection up
14:50 < reiffert> Ah, so back to ...?
14:50 < El_Presidente> but my cousin has to leave now so i will continue tomorrow
14:50 < reiffert> :)
14:50 < El_Presidente> did you find any other errors i should know?
14:51 < reiffert> Not that I know of any..
14:52 < El_Presidente> ok ty
14:53 < reiffert> welcome
15:28 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)]
15:28 < bigjohnto> ok why does my batch script run before the connection is up?
15:29 < bigjohnto> i have at the end of the config file up script.bat
15:30 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
15:30 < rawDawg> is it possible to use a linksys router as a site to site endpoint with this server?
15:37 < reiffert> Yes it is possible, but you will have to exchange the default linksys firmware by openwrt
15:37 < reiffert> #openwrt
15:39 < ecrist> yes
15:39 < ecrist> DD-WRT
15:40 < ecrist> like reiffert said
15:45 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has joined ##openvpn
15:48 < heirrook> I have been stumbling over a problem for some time now and am looking for advice. I have an openvpn server setup that is on a separate server behind my wan gateway. The wan gateway controls the 192.168.22.0/24 subnet. My machine my vpn server is on has an ip of 192.168.22.138. The vpn server uses 192.168.10.0/24 for its subnet.
15:49 < heirrook> Currently I am sitting at an ip from subnet of 24.158.0.0/255.255.0.0.
15:49 < heirrook> I can connect just fine to my vpn, I can ping machines fine on 192.168.22.0/24. I can browse the internet fine.
15:50 < heirrook> BUT, I am trying to make it so the hosts.allow config file on a machine on the 192.168.22.0/24 only allows machines from 192.168.10.0/24
15:51 < heirrook> The only thing the hosts.allow will accept, is my current location ip (24.158.) even though i am on my vpn.
15:52 < heirrook> It seems routing is fine because I can ping the 192.168.22.0/24 machines
15:58 < heirrook> I know when I at least browse the internet through the vpn and go to "whatismyip.com" I get the ip I should the wan gateway on the 192.168.22.0/24 has. Here is my server config file http://pastebin.com/d40840316
16:09 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has quit ["Leaving"]
16:13 < El_Presidente> reiffert, still here?
16:14 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has joined ##openvpn
16:15 < reiffert> El_Presidente: no
16:15 < El_Presidente> ;)
16:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:19 < El_Presidente> im trying with an other pc right now
16:19 < El_Presidente> the bridge seems to work
16:19 < El_Presidente> iam able to ping to the pc
16:19 < El_Presidente> but internet isnt routed over my pc
16:20 < reiffert> !def1
16:20 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:21 < El_Presidente> thats what i have reiffert
16:21 < reiffert> !configs
16:21 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:21 < reiffert> please add ipconfig /all from both, server and client
16:21 < El_Presidente> okay
16:21 < reiffert> as well as route -n print
16:21 < El_Presidente> ok
16:21 < reiffert> (or netstat -nr)
16:23 < El_Presidente> http://pastebin.ca/1310402 server.config
16:24 < reiffert> #
16:24 < reiffert> proto tcp-server
16:24 < El_Presidente> yes ...
16:24 < reiffert> wtf?
16:24 < El_Presidente> shall i use udp?
16:25 < reiffert> either udp or tcp, but not tcp-server
16:25 < El_Presidente> true
16:25 < El_Presidente> i mixed up the line
16:26 < El_Presidente> http://pastebin.ca/1310406
16:26 < El_Presidente> client
16:26 < reiffert> just remove "-server"
16:26 < El_Presidente> yes
16:27 < reiffert> I have no idea how "local" will influence what you are trying to achieve.
16:27 < El_Presidente> i just tested that
16:27 < El_Presidente> if it helps
16:29 < El_Presidente> im getting the routes on my friends pc
16:30 < reiffert> Then be sure to remove local.
16:30 < El_Presidente> i did
16:33 -!- kpoman [n=kpoman@200.181.12.180] has quit ["Lost terminal"]
16:36 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
16:38 < El_Presidente> okay here is the route
16:38 < El_Presidente> http://pastebin.ca/1310415
16:38 < El_Presidente> he cant surf right now
16:39 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has left ##openvpn ["Leaving"]
16:39 -!- heirrook [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
16:40 < El_Presidente> but it seems he is routed to my pc
16:42 < El_Presidente> reiffert, what else do you need?
16:43 < reiffert> get wireshark, let it run on your PC's and have some pinging
16:44 < reiffert> off to bed, n8
16:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
16:45 < El_Presidente> n8n8
17:09 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
17:10 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
17:13 -!- rodpod [i=rod@hick.org] has joined ##openvpn
17:25 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has quit ["Verlassend"]
17:38 -!- mndo [n=mndo@81.84.221.128] has joined ##openvpn
17:41 * ecrist ponders +b for El_presidente
18:09 -!- zmctech_ [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
18:11 -!- heirrook [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has quit [Read error: 110 (Connection timed out)]
18:12 -!- zmctech_ [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has left ##openvpn ["Leaving"]
18:32 < rawDawg> reiffert or ecrist: i have dd-wrt vpn installed
18:33 < rawDawg> how do i configure a site to site vpn between openvpn and dd-wrt?
19:10 -!- zheng [n=zheng@58.33.126.221] has joined ##openvpn
19:14 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
19:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Connection timed out]
20:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
20:22 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
21:32 < rawDawg> bbl
21:33 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"]
22:01 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
22:07 -!- zheng [n=zheng@58.33.126.221] has quit ["Leaving"]
22:11 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
23:13 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
--- Day changed Sat Jan 17 2009
00:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
00:11 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
01:00 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
01:33 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
02:03 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
03:34 -!- gallatin [n=gallatin@dslb-092-073-119-118.pools.arcor-ip.net] has joined ##OpenVPN
04:03 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
04:15 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
06:06 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 145 (Connection timed out)]
06:18 -!- gallatin [n=gallatin@dslb-092-073-119-118.pools.arcor-ip.net] has quit ["Client exiting"]
06:35 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
07:12 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-
07:12 -!- Netsplit over, joins: troy-
07:12 -!- troy- [n=troy@worldnet.tauri.ca] has left ##openvpn []
07:12 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
07:56 -!- S7 [n=yury@84.108.50.0] has joined ##openvpn
08:20 -!- mndo [n=mndo@81.84.221.128] has quit [Connection timed out]
08:40 -!- S7 [n=yury@84.108.50.0] has quit []
08:47 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
10:30 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
10:40 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
10:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:00 -!- o[80 [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
11:11 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
11:24 -!- uncorq [n=corq@214.139.204.68.cfl.res.rr.com] has joined ##openvpn
11:28 < rawDawg> i want to set up multiple site to site vpns, one end point being openvpn server, the others will all be dd-wrt routers
11:28 < ecrist> sounds fun
11:28 < rawDawg> possible?
11:33 < ecrist> sure, why not?
12:02 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
12:06 -!- hkais [n=dpalic@p50816DE3.dip.t-dialin.net] has joined ##openvpn
12:06 -!- hkais [n=dpalic@p50816DE3.dip.t-dialin.net] has left ##openvpn []
12:08 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
12:18 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
12:37 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has left ##openvpn ["Leaving"]
12:43 -!- uncorq [n=corq@214.139.204.68.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
13:04 -!- robert_ [n=hellspaw@objectx/robert] has quit [Remote closed the connection]
13:07 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit [Read error: 104 (Connection reset by peer)]
13:10 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:13 -!- pkemx [n=pkemx@62.24.239.184] has joined ##openvpn
13:19 < pkemx> hello
13:20 < pkemx> I'm trying to install OpenVPN on Fedora but am having trouble understanding all the different terminology
13:20 < pkemx> Currently I'm getting the error:
13:20 < pkemx> Cannot load certificate file /etc/openvpn/keys/mfed.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
13:23 < pkemx> when using `service openvpn start`
13:30 < pkemx> !route
13:30 < vpnHelper> pkemx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:31 -!- intralanman [n=lanman@va-71-0-84-19.dyn.embarqhsd.net] has joined ##openvpn
13:47 -!- nn [n=irc@white.powder.nn2.us] has left ##openvpn []
13:55 -!- pkemx [n=pkemx@62.24.239.184] has quit [Read error: 60 (Operation timed out)]
14:02 -!- pkemx [n=pkemx@62.24.239.184] has joined ##openvpn
14:09 -!- pkemx [n=pkemx@62.24.239.184] has quit []
14:42 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has joined ##openvpn
14:43 < hiptobecubic> Can someone explain to me the theory behind the last routing step on the openvpn static key mini howto? I don't understand what's going on there.
14:43 < hiptobecubic> !route
14:43 < vpnHelper> hiptobecubic: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
14:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:09 < hiptobecubic> but does that work with a static vpn? i just tried 'pushing' and i didn't see a change in my routing table on the client
15:50 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"]
16:46 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
17:03 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-
17:03 -!- Netsplit over, joins: troy-, troy-
17:04 -!- troy- [n=troy@worldnet.tauri.ca] has left ##openvpn []
17:04 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
17:07 -!- [aaron] [i=Aaron@74-130-89-132.dhcp.insightbb.com] has joined ##openvpn
17:10 -!- intralanman [n=lanman@va-71-0-84-19.dyn.embarqhsd.net] has quit [Read error: 110 (Connection timed out)]
17:43 -!- Maguila [n=Tu_Padre@189.173.115.160] has joined ##openvpn
17:49 -!- Maguila [n=Tu_Padre@189.173.115.160] has left ##openvpn []
17:50 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
17:59 < reiffert> moin
18:04 < ecrist> hey, reiffert
18:05 < ecrist> freebsd is kicking my ass today
18:05 < ecrist> lost my entire saturday to system upgrade problems
18:05 * ecrist is standing in a data center as he types this.
18:05 < ecrist> :(
18:08 < reiffert> Moin ecrist, how r u?
18:09 < reiffert> FBSD Upgrade problems? How's that?
18:10 < ecrist> have a host that didn't upgrade right, about ready to punt and reinstall the whole thing
18:11 < ecrist> it won't even boot
18:11 < ecrist> and this isn't my first rodeo
18:13 < reiffert> "didnt upgrade right" .. ?
18:15 < ecrist> did a source upgrade for a system, jails won't start, PAM stack is fubar.
18:15 < ecrist> I've done 10 out of 35 upgrades so far. 8 went smooth. the last two, PAM stack won't use LDAP correctly, and one of the two, just flat out won't boot into multi-user.
18:20 < [aaron]> eww! bsd!
18:21 < reiffert> PAM foobar sounds nice
18:22 < reiffert> what about it?
18:22 < ecrist> /mode +b [aaron]
18:23 < [aaron]> :)
18:24 < [aaron]> what version are you running?
18:28 < ecrist> 6.3 on some servers, 7.0 or 7.1 on most
18:28 < ecrist> couple old ones around on 4.11
18:31 < [aaron]> :/
18:31 < [aaron]> best of luck with the upgrades mang.
18:34 < [aaron]> not a bsd person, but i know that i hate upgrades of any sort.
18:36 < reiffert> I like Debian for Upgrade just working!
18:40 < [aaron]> heh, I AM a deb guy :)
18:40 < [aaron]> and it works perdy well
19:06 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:13 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit ["Leaving"]
19:13 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
19:41 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:47 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
20:13 -!- Alien_Freak [n=user@38.106.150.41] has joined ##openvpn
21:19 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has joined ##openvpn
21:21 -!- Alien_Freak [n=user@38.106.150.41] has left ##openvpn []
22:20 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"]
22:20 -!- tarbo2 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has joined ##openvpn
22:20 -!- tarbo2 is now known as Guest64229
22:21 -!- Guest64229 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has quit [Client Quit]
22:22 -!- tarbo2 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has joined ##openvpn
23:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Sun Jan 18 2009
00:11 -!- [aaron] [i=Aaron@74-130-89-132.dhcp.insightbb.com] has quit ["Leaving"]
00:31 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:48 -!- kreg_lt [n=kreg@69-92-68-145.cpe.cableone.net] has joined ##openvpn
00:49 < kreg_lt> trying to get a hang of push "dhcp-option DNS x.x.x.x"
00:49 < kreg_lt> when my windows clients connect (tap) they connect fine with all the routes
00:49 < kreg_lt> they even get the dns ip assigned
00:50 < kreg_lt> but their initial dns query uses the primary dns they already had.
00:51 < kreg_lt> names don't resolve with the internal intranet
01:20 -!- kreg_lt [n=kreg@69-92-68-145.cpe.cableone.net] has quit ["Leaving"]
01:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:52 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has joined ##openvpn
02:28 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
02:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
04:08 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has joined ##openvpn
04:13 < krzee> !factoids search win
04:13 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
04:16 < krzee> !/30
04:16 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
04:16 < krzee> !topology
04:16 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:30 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
06:09 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
06:29 < reiffert> ![!]
06:29 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![[!]]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![][][][!]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![!][!][!][!]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![?][!][!][!]
06:30 < vpnHelper> reiffert: Error: "?" is not a valid command.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: You've attempted more nesting than is currently allowed on this bot.
06:31 < reiffert> !"[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]"
06:31 < vpnHelper> reiffert: Error: "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]" is not a valid command.
07:25 < tjz> ....
07:27 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:13 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
08:15 < ecrist> reiffert: wtf?
08:18 < tjz> lol
08:19 < tjz> he screw up the bot
08:19 < tjz> actually..
08:19 < tjz> sexually abuse the bot
08:19 < tjz> :P
08:19 < tjz> lol
08:53 -!- o[80 [n=oc80z@quad.efnet.pe] has quit []
08:56 -!- hiptobecubic^ [n=john@nateres205.tel.miami.edu] has joined ##openvpn
08:57 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has quit [Read error: 104 (Connection reset by peer)]
09:17 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
11:21 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
12:18 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:58 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
13:29 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has joined ##openvpn
13:29 < Dougy> hey kids
13:29 < Dougy> !form
13:29 < vpnHelper> Dougy: Error: "form" is not a valid command.
13:29 < Dougy> !forum
13:29 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
13:32 < krzee> lol reiffert
13:47 < Dougy> hey hey
13:52 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
13:56 < reiffert> ![[[
13:56 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
14:01 < Dougy> sup reiffert
14:01 < reiffert> ![!]
14:01 < vpnHelper> reiffert: Error: "!" is not a valid command.
14:01 < reiffert> ![form]
14:01 < vpnHelper> reiffert: Error: "form" is not a valid command.
14:01 < reiffert> ![forum]
14:01 < vpnHelper> reiffert: Error: ""forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com" is not a valid command.
14:02 < reiffert> "is not a valid command"?
14:07 < krzee> hehe
14:07 < krzee> well
14:07 < krzee> the output of !forum is what went in to the new command
14:07 < krzee> example:
14:07 < krzee> !learn test1 as this is a test
14:07 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !learn test2 as [test1] for reiffert
14:08 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !test2
14:08 < vpnHelper> krzee: "test2" is "test1" is this is a test for reiffert
14:08 < krzee> !forget test1
14:08 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !forget test2
14:08 < vpnHelper> krzee: Joo got it.
14:20 < Dougy> hmm
14:20 < Dougy> freebsd is pissin me off today
14:39 < reiffert> ![freebsd]
14:39 < vpnHelper> reiffert: Error: ""freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server" is not a valid command.
15:09 -!- hiptobecubic^ is now known as hiptobecubic
16:00 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
16:03 < lonel> hi, is it possible to have openvpn configured without certificate authentication?
16:03 < lonel> like user/pass?
16:05 * plaerzen 's office is a sauna
16:21 < Bushmills> strange place to pick for an office. imagine one wants to hip to the kitchen for a tea - will you have to dress first?
16:21 < lonel> hey
16:22 < lonel> you guys aware of any metods to avoid cert authentication in the client?
16:22 < lonel> *methods
16:22 < Bushmills> hm.. not connecting to the server is one.
16:31 < Dougy> lol
16:55 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has quit []
17:16 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
17:17 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
17:24 -!- andrew867 [n=Andrew@stjhnf0122w-142163129037.pppoe-dynamic.nl.aliant.net] has joined ##openvpn
17:25 < andrew867> hi all, I'm having a bit of trouble configuring openvpn. I want to create a bidirectional VPN, right now I have it set up and it is working like this:
17:26 < andrew867> my machine/network (server 192.168.0.0/24) ---- NAT --- INTERNET ---- NAT ---- other machine/network (client, 10.0.0.0/24)
17:26 < andrew867> he can ping and access anything on my network but how would we be able to set it up so I can access his network too
17:26 < andrew867> just then I thought maybe the client-client setup might work
17:27 -!- thewolf is now known as Groktopus
17:30 -!- Groktopus is now known as thewofle
17:30 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:31 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
17:35 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:35 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
17:40 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
17:50 -!- andrew867 [n=Andrew@stjhnf0122w-142163129037.pppoe-dynamic.nl.aliant.net] has quit ["Leaving"]
18:06 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
18:15 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
18:32 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
18:45 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
18:47 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:50 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection]
18:51 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit []
19:02 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
19:05 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
19:22 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
21:02 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
22:39 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn
22:41 < cylix> so does anyone know. Is it reasonable to assume a dedicated openvpn server could serve 100 clients at an average of 30Mbits/sec per client.
22:41 < cylix> oh wow that was so wrong.
22:41 < cylix> I mean 3Kbits/sec
22:41 < cylix> Aak, 30Kbits/sec
23:09 -!- Phase [n=Phase@unaffiliated/phase] has joined ##openvpn
23:12 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:40 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
23:54 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
--- Day changed Mon Jan 19 2009
00:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
00:12 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
00:25 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
00:26 -!- cyberjames [n=james@unaffiliated/cyberjames] has joined ##openvpn
00:42 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
00:43 < cyberjames> Hi everyone. I have this kind of network setup {http://rootshell.be/~james/network/networksetup.jpg}. Is it possible to make openVPN run on a different network segment like 192.168.2.0/24 on one ethernet interface card only, and have all connected clients be able to reach 192.168.1.0/24?
00:44 < cyberjames> !route
00:44 < vpnHelper> cyberjames: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:44 < cyberjames> !configs
00:44 < vpnHelper> cyberjames: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:57 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit ["good night"]
01:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
01:16 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:20 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
01:32 -!- Phase [n=Phase@unaffiliated/phase] has quit [Read error: 104 (Connection reset by peer)]
01:33 -!- Phase [n=Phase@unaffiliated/phase] has joined ##openvpn
01:33 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)]
01:34 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:38 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
02:17 < lonel> hi
02:17 < lonel> is it possible to set up openvpn without certificates on the client side?
02:19 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:20 < hiptobecubic> lonel, static key?
02:20 < hiptobecubic> but then you can only have one client i think
02:20 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
02:22 < lonel> hiptobecubic: so multiple clients are not possible with ovpn
02:22 < lonel> using simple user/pass?
02:23 < hiptobecubic> lonel, no. but it's pretty easy to set up.
02:23 < hiptobecubic> !static-key
02:23 < vpnHelper> hiptobecubic: Error: "static-key" is not a valid command.
02:23 < hiptobecubic> !static
02:23 < vpnHelper> hiptobecubic: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
02:23 < hiptobecubic> hmmm
02:23 < hiptobecubic> !howto
02:23 < vpnHelper> hiptobecubic: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:24 < hiptobecubic> lonel, http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
02:24 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
02:51 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
03:07 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:07 < c64zottel> hello
03:07 < c64zottel> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
03:07 < c64zottel> inet addr:10.23.0.1 P-t-P:10.23.0.2 Mask:255.255.255.255
03:07 < c64zottel> what is the meaning of P-t-P:10.23.0.1 ?
03:07 < c64zottel> aehm: 10.23.0.2
03:07 < c64zottel> i know, 0.1 is my server
03:07 < c64zottel> when i connect, via ovpn, i get a random ip-address from a pool, so what does P-t-P:10.23.0.2 stand for?
03:16 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:36 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
03:52 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:55 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
04:01 < c64zottel> dumdidum
04:11 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:15 -!- dazo [n=dazo@nat/redhat/x-b537f1a7f630183a] has joined ##openvpn
04:15 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
04:27 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:30 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
04:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:00 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
05:07 -!- svoop [n=svoop@80.121.221.87.dynamic.jazztel.es] has joined ##openvpn
05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:09 < svoop> is it possible to use openvpn to connect to a sonicwall vpn (ipsec/ike)? i'd go for opens/wan, but the hosting provider doesn't allow anything but userspace tools.
05:10 < dazo> svoop: nope ... openvpn can only talk to openvpn :(
05:10 < svoop> dazo: hmmm, too bad
05:11 < dazo> svoop: I know ... but it's using its own protocol ... but that's why it's easier to implement and use compared to ipsec/openswan/etc
05:12 < svoop> dazo: ic. well, the only alternative i see is vpnc, maybe i have more luck there :-)
05:13 < dazo> svoop: hmmm ... I think you will hit the same with vpnc, just that's using Cisco's proprietary protocol .... but here I might be wrong, as I don't know much about vpnc
05:15 < svoop> dazo: gosh, i start to hate these virtuozzo servers. it's so limiting if you can't even use kernel modules on guest servers - and many providers are reluctant to help. on my gentoo box, i'd have the vpn up and running with opens/wan in minutes :-(
05:17 < dazo> svoop: Well, the biggest difference between ipsec/openswan ... is that it requires kernel modules, as that implementation needs to do things in kernel space to work .... while openvpn uses user space only, which is (IMHO) why openvpn is safer and simpler ... and when you chroot and make openvpn run as an unprivileged user, you'll have a very different security layer, compared to those products depending on running code in kernel space
05:19 < svoop> dazo: it seems like quite a difference, though, that opens/wan does talk to hardware vpn endpoints while openvpn doesn't
05:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:22 < dazo> svoop: I don't know all the gory details about ipsec ... except that it really needs to have parts in kernel space .... which freaks me out, as if a bug appears or a security breach ... you'll be in a pretty bad shape ... that's why I do like that openvpn can rely on user space (even though it does need the tun/tap module to create the virtual interface)
05:22 * dazo needs to go for lunch .... back in an hour
05:39 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
05:40 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
05:53 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
05:59 -!- c64zotte2 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
06:05 * dazo is back
06:08 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
06:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:13 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
07:10 < ecrist> morning, bitches
07:10 < c64zotte2> ecrist: nice to hear that from e-crist
07:11 < ecrist> don't know what that means.
07:12 < c64zotte2> ah, i am always thinking of christ, when i read your name
07:14 < reiffert> moin ecrist little suck0r!
07:17 -!- svoop [n=svoop@80.121.221.87.dynamic.jazztel.es] has left ##openvpn []
07:28 < ecrist> I'm a nice guy, c64zotte2, but I'm not *that* nice
07:31 < c64zotte2> damn, i thought i could ask you a favor... like lottery numbers for next week
07:32 < ecrist> sure 3, 6, 422
07:32 < ecrist> good luck
07:34 < c64zotte2> ok, now i believe it, cause lottery has 6 numbers plus a special one
07:55 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn
07:55 -!- kaii [n=kai@ciphron.de] has quit [Read error: 104 (Connection reset by peer)]
08:07 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:47 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
08:48 < robert_> can I override my settings in my server's openvpn.conf by specifying a client configuration file?
08:49 < ecrist> um, maybe
08:49 < ecrist> what are you trying to override?
08:49 < robert_> the address it assigns you
08:49 < ecrist> no
08:49 < ecrist> you can't do that
08:50 < robert_> yeah, it's assigning me a 10.2 address when it should be assigning me a 10.4 address
08:50 -!- doke [n=me@84-73-166-158.dclient.hispeed.ch] has joined ##openvpn
08:50 < ecrist> well, fix it on the server
08:51 < doke> hello people
08:51 < ecrist> hello other people
08:51 < robert_> that was why I asked "can you override the address openvpn assigns you when you connect by specifying said override inside the client-specific config?"
08:51 < doke> Any howto on authenticating openvpn client via username / password? I can't use ca authentication any more because some of my clients can not adjust their time via ntp... therefore ca doesn't work
08:52 < robert_> okay
08:52 < ecrist> robert_: ah, you mean from on the server - yes, you can do whatever you want. though, it needs to be routable
08:52 < robert_> yeah
08:52 < robert_> can I assign you different dhcp subnets by specifying said proper configuration parameters?
08:53 < robert_> e.g. two people connect to my server
08:53 < robert_> one gets a 10.3 address, and the other, a 10.4 address
08:53 < ecrist> doke, you are *required* to use ssl certs with OpenVPN if you have more than a server and one client
08:53 < ecrist> robert_: sure
08:53 < ecrist> it's covered in the howto
08:53 < ecrist> !hotwo
08:53 < vpnHelper> ecrist: Error: "hotwo" is not a valid command.
08:53 < ecrist> !howto
08:53 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:53 < doke> thanks a lot ecrist
08:53 < robert_> I'm trying, but it's not working
08:53 < robert_> oh
08:54 < robert_> can I "ifconfig-push 10.8.1.1 10.8.1.0" ?
08:55 < ecrist> um, no
08:56 < robert_> how do I make the server assign two people different dhcp subnets?
08:56 < dazo> doke: you might want to have a look at http://www.eurephia.net/ as well
08:56 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
08:56 < ecrist> robert_: look at the howto
08:56 < ecrist> what you're asking is covered there.
08:58 < ecrist> dazo: nice link
08:58 < dazo> ecrist: my little side project ... a work in progress :)
08:59 < robert_> ecrist, "Configuring client-specific rules and access policies" only covers static addresses, and "Pushing DHCP options to clients" doesn't cover dhcp ip assignment from openvpn itself
08:59 < ecrist> dazo: LDAP support?
09:00 < ecrist> what you're asking, if I understand correctly, cannot be done
09:00 < robert_> for him, or for me?
09:00 < ecrist> you'd have to run multiple OpenVPN servers, varying the port
09:00 < dazo> ecrist: hmmm ... not at the moment ... but I see why not, I have had that thought as well ... but I'm not big friends with LDAP yet
09:00 < ecrist> you, robert_
09:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:01 < ecrist> dazo: I'm a friend of LDAP, if you need some input
09:01 < robert_> so it's static or nothing
09:01 < ecrist> robert_: in your case, probably, unless you went bridged and did something with a DHCP server on the host system
09:02 < ecrist> dazo: added a link to http://www.secure-computing.net/wiki/index.php/OpenVPN
09:02 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
09:02 < dazo> ecrist: I'm not sure how big a difference it will be to "twist" the SQL queries over to LDAP queries ... that's probably the biggest challenge
09:02 < ecrist> dazo: LDAP != SQL, they are very different beasts
09:03 < dazo> ecrist: thanks for the link! .... but eurephia is spelled with "small e" ;-)
09:03 < robert_> heh
09:03 < robert_> euphoria's a strange language :P
09:03 < ecrist> dazo, fixed
09:04 < dazo> ecrist: I know ... that's why it needs quite some tuning here ... but as the db-driver in eurephia does not take queries but rather "commands" of what to check, it should be possible to write a separate LDAP driver
09:04 < dazo> ecrist: thanks! :)
09:06 < ecrist> why'd you have to patch OpenVPN?
09:07 < dazo> ecrist: because I map user accounts (username / passwords) against a specific SSL certificate .... and to do that in a safe manner, I use the SHA1 fingerprint in the certificate ... and that's not provided by default
09:07 < ecrist> why can't you use the CN?
09:08 < dazo> ecrist: actually, it uses CN, O, emailAddr and fingerprint ....
09:08 < ecrist> !static
09:08 < vpnHelper> ecrist: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
09:08 < ecrist> !static-key
09:08 < vpnHelper> ecrist: Error: "static-key" is not a valid command.
09:09 < ecrist> !lears static-key as http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
09:09 < vpnHelper> ecrist: Error: "lears" is not a valid command.
09:09 < ecrist> !learn static-key as http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
09:09 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:09 < ecrist> GRR
09:09 < ecrist> krzee: fix my access to the bot, please
09:09 < reiffert> ![greee]
09:09 < vpnHelper> reiffert: Error: "greee" is not a valid command.
09:09 < reiffert> ![static]
09:09 < vpnHelper> reiffert: Error: ""static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client" is not a valid command.
09:09 < reiffert> !["static"]
09:09 < vpnHelper> reiffert: Error: ""static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client" is not a valid command.
09:10 < reiffert> ![!static]
09:10 < vpnHelper> reiffert: Error: "!static" is not a valid command.
09:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
09:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
09:19 < plaerzen> morning irc
09:19 < ecrist> heya, plaerzen
09:19 < plaerzen> how was the weekend?
09:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:20 < ecrist> doke: take a look at http://openvpn.net/index.php/documentation/manuals/openvpn-21.html, search for client-cert-not-required on that page
09:20 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
09:24 < ecrist> dazo: looking briefly at the code in 2.0.6, it appears as though the key fingerprint, and other data, is available for client certificates upon connection.
09:25 < dazo> ecrist: In 2.0.6? .... yeah, it is there ... but not passed over to the plugin .... so my patch takes the fingerprint and passes it over to the plugin via environment variable
09:26 < dazo> ecrist: I've seen there's been some changes lately to the environment variables in rc15 ... but I have not dug too deep here yet ... if it has come in, this patch will not be needed
09:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:27 < dazo> ecrist: anyway, I've done this now strictly 2.1 .... as the names on some env. variables have changed since 2.0
09:28 * dazo hopes there are no old references to 2.0 left
09:36 -!- Phase [n=Phase@unaffiliated/phase] has quit []
09:38 < krzie> !man
09:38 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:38 < krzie> ecrist lazier link to the manuals ;]
09:38 < krzie> and good morning
09:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:45 < reiffert> reiffert: !man
09:48 < plaerzen> g'morning krzie
09:49 < reiffert> vpnHelper: !man
09:49 < vpnHelper> reiffert: Error: "!man" is not a valid command.
09:49 < reiffert> That bot's driving me crazy!
09:49 < reiffert> !learn bot as vpnHelper sucks0rs!
09:49 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:49 < reiffert> !factoids.learn foo as bar
09:49 < vpnHelper> reiffert: Error: "factoids.learn" is not a valid command.
09:50 < krzie> vpnHelper man
09:50 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:50 < krzie> dont need ! when you address him by name
09:50 < reiffert> vpnHelper: [man]
09:50 < vpnHelper> reiffert: Error: ""man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!" is not a valid command.
09:50 < reiffert> :p
09:51 < krzie> !learn reiffert as wo[man]
09:51 < vpnHelper> krzie: Joo got it.
09:51 < krzie> !rei
09:51 < vpnHelper> krzie: Error: "rei" is not a valid command.
09:51 < krzie> !reiffert
09:51 < vpnHelper> krzie: "reiffert" is wo "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:51 < krzie> lol
09:52 < krzie> !forget reiffert
09:52 < vpnHelper> krzie: Joo got it.
09:53 < reiffert> Alright, so how's that grep command using []'s again?
09:53 < reiffert> !configs
09:53 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:54 < krzie> its not
09:54 < krzie> i got around that
09:54 < reiffert> grep -vE '^[#;]'
09:54 < reiffert> jay, how's that?
09:54 < krzie> right
09:54 < krzie> by making the regex not use []
09:55 < krzie> it can to simplify it, but doesnt need to
09:55 -!- W0rmFood [n=wormfood@219.134.136.50] has joined ##openvpn
09:56 < reiffert> Ah well, but using []'s would make so much fun if the bot would allow so.
09:56 < W0rmFood> is it openvpn, or x-wrt that is making it a god damn pain in my ass to forward ports?
09:56 < krzie> openvpn cant have anything to do with that
09:56 < reiffert> W0rmFood: this is #openwrt, so please go to #x-wrt or #dd-wrt
09:56 < W0rmFood> I don't run dd-wrt
09:56 < reiffert> Well then it's your fault.
09:57 < krzie> this is #openwrt?
09:57 < dazo> reiffert: is this #openwrt .... I need to rejoin #openvpn
09:57 < reiffert> krzie: it's not?
09:57 < W0rmFood> god damn. wrong channel
09:57 < W0rmFood> I do use openvpn
09:57 < W0rmFood> but I don't have problems with it ;)
09:57 < reiffert> and your openvpn question is?
09:57 < krzie> he was asking if it was openvpn's fault
09:58 < krzie> right answer is no
09:58 < W0rmFood> no
09:58 < W0rmFood> I said wrong channel
09:58 < reiffert> Yeah, this is #openwrt!
09:58 < reiffert> Like I said, wrong channel.
09:58 < krzie> if this is #openwrt i need to reconfigure my bot
09:58 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jpalmer
09:58 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
09:58 * dazo is getting confused
09:59 < reiffert> The plan starts working...
09:59 < plaerzen> SA's aren't too bright.
09:59 * dazo wonders who that one was aimed at ......
09:59 < reiffert> bright SAturdays?
09:59 * plaerzen nods.
10:00 < reiffert> Well, it's Wednesday!
10:00 < krzie> lol
10:00 < krzie> if its wednesday i need to reconfigure my calendar
10:00 < plaerzen> I thought it was hanukah
10:00 * krzie reconfigures his life
10:00 < reiffert> A Hanumag?
10:01 < plaerzen> Is the hanumag responsible for my routing of bad packets?
10:01 < reiffert> plaerzen: doh!!! It's already march, hanukah is over!
10:02 < reiffert> http://en.wikipedia.org/wiki/Hanomag
10:02 < vpnHelper> Title: Hanomag - Wikipedia, the free encyclopedia (at en.wikipedia.org)
10:02 * dazo wonders if my clock is correct?
10:03 -!- pegasos-rider [n=pegasos-@79.143.9.142] has joined ##openvpn
10:03 < reiffert> W0rmFood: it's all pegasos-rider's fault!
10:04 < plaerzen> lol. Silliness, back to troubleshooting groupware.
10:04 < reiffert> egroupware?
10:04 < plaerzen> communigate
10:04 < W0rmFood> no, it is my fault
10:04 < W0rmFood> I'm a fuckup
10:05 < reiffert> plaerzen: use their support?
10:06 < plaerzen> reiffert, I could. But it's a simple problem. Someone just isnt receiving mail from a whitelisted (mailwatch) sender. Probably just accidentally deleted it or something
10:06 < reiffert> Ignore him.
10:06 < reiffert> Problem solved.
10:07 < ecrist> building PR now for ssl-admin updates
10:07 < plaerzen> just uninstall outlook. Problem solved.
10:07 < reiffert> And implement and reinvent the shared file folders of egroupware and/or horde for me.
10:08 < reiffert> Ah, a brand new porsche museum in Stuttgart!
10:09 -!- pegasos-rider [n=pegasos-@79.143.9.142] has quit [Excess Flood]
10:10 -!- pegasos-rider [n=pegasos-@79.143.9.142] has joined ##openvpn
10:11 < lonel> hi i asked this before
10:12 < reiffert> And our previous answer was?
10:12 < lonel> like ovpn can accept client logins using user/pass except for certificates
10:12 < lonel> reiffert: :)
10:12 < lonel> answer was kind of no
10:12 < lonel> reiffert: is that possible?
10:12 < reiffert> lonel: Your question does not parse, please explain.
10:13 < ecrist> lonel: you were in here as someone else, right?
10:13 < ecrist> doke: take a look at http://openvpn.net/index.php/documentation/manuals/openvpn-21.html, search for client-cert-not-required on that page
10:13 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
10:13 < lonel> reiffert: normally what we do is, issue the client cert to clients to login, instead of that using user/pass
10:13 < lonel> ecrist: aah ok, let me look at that
10:13 < lonel> ecrist: no i didnt
10:13 < lonel> same nick only
10:14 < pegasos-rider> Could somebody prompt if message digest algorithm change has effect before TLS handshake is done?
10:14 < reiffert> ecrist: interesting mind you have ... parsing stopped for me after the 2nd word.
10:14 < dazo> lonel: you want to only have username/password auth without SSL certs?
10:15 < lonel> exactly
10:16 < dazo> lonel: you can use static key ... and probably the auth-pam module .... that should give you that feature ...
10:16 < lonel> dazo: cool, so can i use ldap as well
10:16 < lonel> ?
10:17 < dazo> lonel: if you find a ldap auth-plugin for openvpn, yes
10:17 < ecrist> there's one in freebsd ports
10:17 < lonel> oh cool
10:17 < lonel> this world is nice
10:17 < lonel> :)
10:17 < ecrist> there's an auth-pam module you can use, part of the openvpn distribution in sample-scripts directory - if your ldap is authenticated through PAM
10:17 < reiffert> Gimme that drugs!
10:18 < dazo> lonel: but on the other side ..... I would recommend you to reconsider not using SSL key/certs ...
10:18 < lonel> dazo: i use it myself for years, and i never bothered to look for any other authentications
10:18 < lonel> but this client wants that :)
10:19 < dazo> lonel: well, it's more prone to getting hacked if the static key file gets "stolen"
10:19 < lonel> yeah :(
10:21 < dazo> lonel: and if noticed ... it'll be quite a job to distribute new static keys .... Well, if your client only has 2 users it's not so risky, as it's easy to have the overview .... but if he got 30-40 users or more, it'll be a nightmare
10:22 < reiffert> dazo: Take a look at openvpn web gui, I can click and get a working config, all required keys together in a zip file and there you go
10:23 * dazo does not use Windoze ..........
10:23 < reiffert> That zip and config part got to be implemented yourself, but it's worth it.
10:23 < reiffert> dazo: tar or whatever you like
10:24 < dazo> reiffert: I don't follow you at all .... are you talking about redistributing keys?
10:25 < reiffert> dazo: yep
10:25 < dazo> reiffert: if you are .... anyway, it'll just be more hassle than to just revoke one SSL certificate and create a new one
10:25 -!- W0rmFood is now known as WormFood
10:25 < reiffert> when you click "revoke" the cert is added to the crl (cert revoke list) automatically
10:26 < reiffert> dazo: when you click "new cert" you enter some details like common name, after that you can click "zip" and get a working config file together with all the required keys that a client will need
10:26 < dazo> reiffert: the VPN connection will be useless for all other users in the time before a new static.key gets distributed to all users
10:26 < ecrist> reiffert: that's the kind of stuff ssl-admin does.
10:26 < reiffert> ecrist: have a look at openvpn web gui
10:27 < reiffert> dazo: pardon, one static key for 40 users?
10:27 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:27 < reiffert> ecrist: it would be nice to combine ssl admin with openvpnwebgui
10:27 < dazo> reiffert: that was what lonel was asking about (but he didn't mention # of users)
10:28 < reiffert> Alright!
10:29 < dazo> reiffert: I'm paranoid enough .... I'm using openvpn over udp with static key, SSL certs and user/pwd authentication
10:36 -!- W0rmF00d [n=wormfood@219.133.100.202] has joined ##openvpn
10:41 < krzie> reiffert, agreed
10:41 < krzie> a nice lil lan-only web based gui with all ssl-admin features would be pretty cool
10:42 < dazo> krzee: ssl-admin is perl, isn't it? .... embedded web server in Perl maybe?
10:44 < reiffert> php
10:44 < reiffert> at least what openvpn web gui need
10:44 < reiffert> s
10:51 -!- WormFood [n=wormfood@219.134.136.50] has quit [Read error: 110 (Connection timed out)]
10:55 -!- W0rmF00d [n=wormfood@219.133.100.202] has quit [Read error: 113 (No route to host)]
11:00 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Connection timed out]
11:05 < reiffert> Anyone living in the .us who can give me a fast proxy for http://www.fox.com/fod/play.php?sh=twentyfour
11:05 < vpnHelper> Title: FOX on Demand (at www.fox.com)
11:05 < reiffert> ?
11:07 < ecrist> sorry, not I
11:09 < cyberjames> strange, the client is not properly assigned subnet mask and default gateway under windows xp...
11:09 < cyberjames> !route
11:09 < vpnHelper> cyberjames: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:21 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has joined ##openvpn
11:21 < assasukasse> hello everyone, i am having some issues in starting openvpn
11:21 < assasukasse> i get this error: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
11:23 < krzie> dazo, yup its perl
11:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
11:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:26 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
11:26 < bigjohnto> anyone know how to stop a batch script from popping up the cmd window when starting openvpn connection? myconn_up.bat
11:26 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
11:27 -!- dazo is now known as dazo_gone
11:38 < SgtPepperKSU> Is there any word on whether there will be a 2.1rc16? Or is 2.1 final expected next?
11:38 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:38 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
11:39 < ecrist> I don't know, sorry.
11:39 < ecrist> assasukasse: looks like your SSL certificate doesn't exist.
11:39 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:46 < reiffert> SgtPepperKSU: check the mailinglist archives for that ...
11:47 < reiffert> SgtPepperKSU: (there will be another rc)
11:50 -!- c64zotte2 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Client Quit]
11:51 < assasukasse> ecrist: i fixed it, i dunno why it was not generated the first time.. strange
11:54 < bigjohnto> anyone on that cmd window issue?
11:55 < ecrist> bigjohnto: google that.
11:56 < ecrist> it's not really an openvpn question, more a windows scripting question
11:57 < cyberjames> !config
11:57 < vpnHelper> cyberjames: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
11:57 < cyberjames> !config server.conf
11:57 < vpnHelper> cyberjames: Error: 'supybot.server.conf' is not a valid configuration variable.
11:57 < cyberjames> !config server
11:57 < vpnHelper> cyberjames: Error: 'supybot.server' is not a valid configuration variable.
11:58 < ecrist> !configs
11:58 < cyberjames> !configs
11:58 < vpnHelper> cyberjames: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:58 < bigjohnto> ecrist alright, thanks anywho
12:06 < reiffert> !config time
12:06 < vpnHelper> reiffert: Error: 'supybot.time' is not a valid configuration variable.
12:06 < reiffert> !config autoreconnect
12:06 < vpnHelper> reiffert: Error: 'supybot.autoreconnect' is not a valid configuration variable.
12:06 < reiffert> !config auto*
12:06 < vpnHelper> reiffert: Error: 'supybot.auto*' is not a valid configuration variable.
12:07 < reiffert> vpnHelper: help supybot
12:07 < vpnHelper> reiffert: Error: There is no command "supybot".
12:09 < lonel> whu user/pass type auth using open vpn is vulnerable? ssh is also user/pass?
12:09 < lonel> *why
12:10 < reiffert> lonel: says who?
12:12 < lonel> reiffert:
12:12 < lonel> < dazo> lonel: and if noticed ... it'll be quite a job to distribute new
12:12 < lonel> static keys .... Well, if your client only has 2 users it's
12:12 < lonel> not so risky, as it's easy to have the overview .... but if he got
12:12 < lonel> 30-40 users or more, it'll be a nightmare
12:12 < lonel> sorry for that
12:14 < reiffert> dazo_gone: ?
12:15 < lonel> hehe
12:16 < lonel> actually what hemeant?
12:16 < lonel> *he meant
12:16 < lonel> in open vpn are we not going to use a user/pass manually.. rather it is stored in a key file
12:16 < lonel> ?
12:16 < reiffert> no
12:16 < lonel> i am talking about --client-cert-not-required
12:17 < lonel> reiffert: ?
12:17 < reiffert> I have no idea bout that, sorry 12:21 < bigjohnto> alright, i specify --route-up "C:\program files\mydir\script.bat" 12:21 < bigjohnto> but it only tries to execute c:\program, and leaves the rest how come? 12:23 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has left ##openvpn ["I ♥ Debian"] 12:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)] 12:45 < ecrist> lonel: what's your question about that option? 12:45 < ecrist> bigjohnto: you need to escape the space in program files 12:46 < ecrist> so, do C:\\program\ files\\mydir\\script.bat" 12:46 < ecrist> or, "C:\PROGRAM~1\mydir\script.bat" 12:46 < ecrist> again, non-openvpn stuff 12:47 < lonel> ecrist: why is it insecure if i am using login/pass..its pretty same with that of ssh if it uses keybd auth? 12:49 < ecrist> it's less secure than user/pass+certs 12:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:02 < lonel> which one 13:10 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 13:13 < ecrist> lonel: just user/pass authentication is less secure than user/pass with certs 13:30 -!- doke_ [n=me@84-73-166-158.dclient.hispeed.ch] has joined ##openvpn 13:40 -!- doke [n=me@84-73-166-158.dclient.hispeed.ch] has quit [Read error: 110 (Connection timed out)] 14:10 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)] 14:11 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 14:11 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 14:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:16 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 14:17 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn 14:19 < suprsonic> push "route " should push a route to the client correct? 
14:22 -!- xattack [i=xattack@132.248.108.239] has quit [] 14:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:49 -!- kaii_ [n=kai@ciphron.de] has left ##openvpn [] 14:49 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 14:52 < kaii> what could be the reason for a random failure in key RE-negotiation (Symptom: key negotiation failed to occur within 60 seconds)? 14:52 < kaii> it fails 1/3 or 1/2 of the time .. (default: 3600 sec re-neg time) 14:52 < kaii> the tunnel works fine for an hour or two, then key re-neg fails and a SOFT RESET occurs 14:53 < kaii> OpenVPN 2.0.9 i386-unknown-openbsd4.3 14:53 < kaii> ^^ 14:56 < ecrist> krzie/others: I've submitted a PR for freebsd/ssl-admin 14:56 < ecrist> update to current version in SVN 15:26 -!- test [n=test@h697179-171.picriverisp.net] has joined ##openvpn 15:26 < test> anyone know if you can push a metric value with openvpn to a windows machine? 15:27 < reiffert> You cant. What you can do is have a client connect batch file do whatever it takes on the client side. 15:27 < test> k 15:28 < suprsonic> what about pushing a route? 15:28 < test> when mobile machine connects to internal network the metric forces the traffic through vpn.. it's still quick but a lot of encryption and forwarding for nothing 15:28 < reiffert> suprsonic: what about it? 15:28 < suprsonic> link is up, but server didn't put a route to the client 15:28 < suprsonic> push 15:28 < test> openvpn rocks 15:29 < test> but what stops someone from stealing the certs off the computer and throwing it on another? 15:29 < reiffert> suprsonic: are your sentences related to test? 15:29 < suprsonic> nah, new one 15:29 < reiffert> test: the cert password. 15:29 < suprsonic> push "route " should push a route to the client correct? 15:29 < reiffert> test: 15:29 < reiffert> !howto 15:29 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 
15:29 < test> i tried that but how do you auto vpn with openvpn service? 15:30 < reiffert> suprsonic: amazingly yeah! 15:30 < suprsonic> netstat -r on the client system doesn't yield a new route. 15:30 < reiffert> test: what is it you want, security or encryption or both? 15:30 < test> for domain machines I like to have openvpn running when the system boots.. 15:30 < suprsonic> its a tunnel 15:31 < reiffert> suprsonic: have fun: 15:31 < reiffert> !configs 15:31 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:31 < reiffert> !logs 15:31 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:31 < reiffert> I'm off for TV 15:32 < test> encryption is security for me.. just need to be aware that stolen certs might occur 15:35 < test> the traffic is layer 2 and have mac addresses in the frames? 15:35 < test> even though you can spoof a mac can you build an acl based on mac addresses? 15:40 < suprsonic> oddly enough the documentation is correct, but my scenario is still wrong. 15:43 < test> what are you trying to do 15:44 < test> are you bridging? 15:44 < suprsonic> just a simple tunnel between server and client 15:45 < suprsonic> client connection isn't applying the push route from the server. 15:48 < test> check the log to make sure the connection was successful 15:49 < suprsonic> oh its successful, I can ping the other side 15:49 < suprsonic> can ssh too 15:49 < test> and if you add the route manually it works? 15:49 < suprsonic> yes 15:49 < test> check your versions 15:49 < test> the windows version is the same as the linux version? 
15:49 < suprsonic> all freebsd 15:49 < test> oh 15:49 < suprsonic> freebsd to freebsd 15:50 < test> the route command maybe differs than 15:50 < suprsonic> ah 15:50 < test> google "openvpn push freebsd problem" 15:50 < test> or something 15:51 < test> might be a problem because of that if-up scripting architecture in linux distro's 15:52 < test> when the interface goes up a bunch of scripts run in linux 15:55 < suprsonic> I can add the route to the client config 15:55 < suprsonic> but apparently I can't push it from the server 15:55 < suprsonic> odd 16:09 < test> not enough of a pro to tell you why 16:09 < test> just started using openvpn the other day between debian and windows 16:09 < test> gotta go 16:09 -!- test [n=test@h697179-171.picriverisp.net] has left ##openvpn [] 16:32 < dvl> suprsonic: http://www.freebsddiary.org has the docs I wrote for getting my stuff running. Sample configurations. 16:32 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org) 16:32 -!- thewofle is now known as thewolf 16:33 < suprsonic> you the owner of freebsddiary.org? 16:35 < dvl> Yes 16:37 < suprsonic> well, I personally want to thank you for providing me with a wealth of information on FreeBSD. You've been a great resource for me. 16:37 < dvl> Thank you. Send $. Thanks. ;) 16:38 < dvl> Some of it is getting dated (for older versions), but I still use some of the articles on a regular basis, such as /makeworld-script.php 16:38 < suprsonic> have you seen growth in the community based off of hits on the website? 16:39 < dvl> http://www.freebsddiary.org/stats/ 16:39 < vpnHelper> Title: Usage Statistics for freebsddiary.org - Last 12 Months (at www.freebsddiary.org) 16:39 < dvl> I'm not sure if I have stats for previous years easily to hand. 
16:39 < dvl> Oh yes: http://www.freebsddiary.org/stats/usage_200201.html 16:39 < vpnHelper> Title: Usage Statistics for freebsddiary.org - January 2002 (at www.freebsddiary.org) 16:40 < dvl> hits per day in 2002 was 9127 16:40 < dvl> in 2009, it's 23515 16:40 < suprsonic> awesome 16:40 < suprsonic> donations coming in? 16:41 < dvl> freshports.org 114475 in 2009 16:41 < suprsonic> oh you host freshports also? 16:42 < suprsonic> I looked at your openvpn post and its exactly what Im doing, but apparently Im still doing something wrong. 16:42 < dvl> In 2003 for freshports, it was 40258 16:42 < suprsonic> cause the route isn't showing up. 16:42 < dvl> suprsonic: Yes, I wrote FreshPorts. 16:42 < dvl> Few donations come in. :) 16:43 < dvl> The ad revenue generates enough cash to pay for gasoline. 16:43 < suprsonic> rofl 16:44 < suprsonic> I even placed the push at the end of the config like you have it in case that was the cause. 16:44 < dvl> restarted? 16:44 < suprsonic> yup 16:44 < dvl> Dunno 16:47 < suprsonic> it must have to do with it being a point to point tunnel 16:47 -!- Andry [n=na@host233-16-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 16:53 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 16:59 < dvl> Try my entire config. 
17:05 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn 17:22 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has quit [] 17:33 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:53 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit [Read error: 131 (Connection reset by peer)] 17:55 -!- eliasp [n=quassel@78.43.213.203] has quit [Remote closed the connection] 17:58 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 18:01 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)] 18:02 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 18:14 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn 18:15 < test> anyone else get bad source ip address errors with just a peer to peer setup? 18:28 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has left ##openvpn [] 18:39 -!- d0wNsYs [n=d0wNsYs@c-98-219-111-129.hsd1.fl.comcast.net] has joined ##openvpn 18:40 < d0wNsYs> can anyone answer a quick question? 18:41 < d0wNsYs> Options error: --server and --secret cannot be used together (you must use SSL/TLS keys) 18:41 < d0wNsYs> get that when trying to start openvpn 18:46 < krzie> !sample 18:46 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:48 < krzie> thats how you use --server 18:49 < krzie> --secret is for a ptp setup where you use ifconfig on both sides 19:07 < d0wNsYs> so when i make the shared.key i shouldnt use the --secret option 19:28 -!- tomfmason [n=tom@unaffiliated/tomfmason] has joined ##openvpn 19:35 < tomfmason> I am trying to forward all client connections through the server and am having some issues. My configs are http://pastebin.com/m7672da21 . I can connect to the vpn server fine but if I try to change the default gateway on the client I lose my main connection. 
19:49 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection] 20:22 -!- o[80 [n=oc80z@quad.efnet.pe] has quit [] 20:23 -!- Clearwolf [i=48567912@gateway/web/ajax/mibbit.com/x-302e5b312dc5bddf] has joined ##openvpn 20:24 -!- Clearwolf [i=48567912@gateway/web/ajax/mibbit.com/x-302e5b312dc5bddf] has left ##openvpn [] 20:43 -!- d0wNsYs [n=d0wNsYs@c-98-219-111-129.hsd1.fl.comcast.net] has quit ["Leaving"] 20:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 21:15 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn 21:26 * cyberjames strange... After restarting the openvpn service, the xen host can't be reached from the guest system. 21:31 < cyberjames> !logs 21:31 < vpnHelper> cyberjames: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 21:40 -!- lfaraone [n=LukeFara@ubuntu/member/lfaraone] has joined ##openvpn 21:41 < lfaraone> Hi, I built a open VPN tunnel and am able to connect, now how can I route all of my outbound traffic through the tunnel rather than unencrypted via the normal eth0? 21:43 < tomfmason> lfaraone: push "redirect-gateway def1" 21:44 < tomfmason> on the server and redirect-gateway on the client 21:45 < tomfmason> I am a complete newb so I would keep that in mind if you follow any of my advice :P 21:46 < tomfmason> I am trying to do the same thing and the issue I am having now is DNS not being pushed to clients 21:49 < lfaraone> tomfmason: I'm thinking this is a routes problem. Maybe I should respecify: I'm trying to create a route to do that. 21:53 -!- rodpod [i=rod@hick.org] has joined ##openvpn 21:54 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 21:56 < tomfmason> lfaraone not sure if it will help any but here is my simple client/server config http://pastebin.com/m1748ea66 . It connects to the vpn fine and sets the default gateway/route but I still haven't quite figured out how to get dns working 
21:58 < tomfmason> figure out, even 22:00 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 22:01 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn [] 22:18 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"] 22:23 < tomfmason> anyone awake that can give a few suggestions as to what I may be doing wrong? My config is http://pastebin.com/m5d7b50fe. I am not seeing any errors anywhere but I am not able to resolve anything. I have the output from tcpdump in that paste as well. 22:23 < krzie> !pushdns 22:23 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 22:27 < tomfmason> krzie: I have push "dhcp-option DNS 205.234.170.215" on the server but ipconfig /all on the windows box doesn't show the dns address. Would clearing the cache solve that? 22:27 < krzie> see the link in #2 22:33 < ecrist> evening, bitches 22:33 < krzie> sup man 22:33 < krzie> <-- tired 22:33 < ecrist> me too. going to bed soon 22:33 < ecrist> http://www.freebsd.org/cgi/query-pr.cgi?pr=130754 22:33 < vpnHelper> Title: ports/130754: update to security/ssl-admin (at www.freebsd.org) 22:36 < krzie> nice 22:36 < tomfmason> I don't get it. It appears that the request(when looking at tcpdump) is being sent but I never get a reply to my pings on the client. 22:36 < krzie> and does the client see pings coming in? 22:36 < tomfmason> That link suggests that I need to clear the cache. I did that but still no change 22:37 < krzie> (tcpdump or R's if using verb 6) 22:37 < krzie> also, first part of topic is a strong possibility 22:37 < krzie> do the pings work by ip? 
22:38 < tomfmason> I can't ping the client from the server but I can ping the server from the client. All other pings from the client time out 22:39 < krzie> firewall 22:41 < krzie> (on the client it sounds like) 23:07 < tomfmason> krzie: you were correct. Well, that was part of the problem. I had the incorrect subnet mask in iptables on the server as well. 23:07 < tomfmason> It is still not setting the dns on the client but I did it manually and it works fine 23:10 < tomfmason> is just push "dhcp-option DNS 205.234.170.215" on the server enough or do I need something on the client side as well? 23:51 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn 23:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 23:57 < lonel> hi got a doubt 23:57 < lonel> my internal network is in the range 192.168.1.0/24 23:57 < lonel> got ovpn server inside 23:58 < lonel> so when a client connects from outside..will he be assigned an ip in the range 192.168.1.0/24? 23:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Tue Jan 20 2009 00:04 < lonel> krzee: any idea about tun/bridge interface? 00:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:24 < krzee> lonel, tun isnt bridge 00:24 < krzee> tun is for routed 00:31 < lonel> krzee: thanks 00:31 < lonel> this is my question 00:31 < lonel> my internal network is in the range 192.168.1.0/24 00:32 < lonel> so when a client connects from outside..will he be assigned an ip in 192.168.1.0/24? 00:32 < lonel> i am using tun interface? 00:50 -!- WormFood [n=wormfood@58.60.118.83] has joined ##openvpn 00:50 < krzee> !howto 00:50 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 
00:51 < krzee> im really tired so im not gunna walk you through it much 00:51 < krzee> but reading the howto will greatly help you 00:51 < krzee> !man 00:51 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 00:51 < krzee> manual is GREAT reference 00:52 < krzee> short answer, client should get a lan ip private to the vpn (sample configs use 10.8.0.0/24) 00:52 < krzee> !sample 00:52 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 00:52 < krzee> theres some samples from me 00:52 < krzee> and if you plan on connecting a lan on any side of the vpn to communicate through the vpn see this: 00:52 < krzee> !route 00:52 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 00:52 < krzee> goodnight =] 00:56 < reiffert> Moin moin 01:03 < lonel> krzee: thanks 01:03 < lonel> let me read all those 01:08 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 01:33 -!- WormFood [n=wormfood@58.60.118.83] has left ##openvpn ["Leaving"] 01:33 < lonel> hi 01:33 < lonel> my internal network ,which is running ovpn server is 192.168.64.0/24 01:40 < lonel> and the clients network is in 192.168.1.0/24 01:40 < lonel> and this is my ovpn config 01:40 < lonel> server 192.168.0.0 255.255.255.0 01:40 < lonel> push "route 192.168.64.0 255.255.255.0" 01:40 < lonel> push "route 192.168.1.0 255.255.255.0" 01:40 < lonel> route 192.168.1.0 255.255.255.0 01:41 < krzee> !route 01:42 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:42 < krzee> i made a detailed writeup with everything you need to know for that goal 01:42 < krzee> reiffert, moin 01:42 < lonel> krzee: yeah i tried the same 01:42 < lonel> let me check 01:42 < krzee> also 01:43 < krzee> you dont wanna use 192.168.0.0 most likely 01:43 < krzee> unless there will never be mobile clients 
01:43 < krzee> cause thats such a common subnet 01:44 -!- dazo_gone is now known as dazo 01:45 < lonel> krzee: do i need to mention iroute in client config 01:45 < lonel> ? 01:45 < krzee> dont skim my writeup 01:45 < krzee> read it fully 01:46 < krzee> !forget route 01:46 < vpnHelper> krzee: Joo got it. 01:46 < krzee> !learn route as http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 01:46 < vpnHelper> krzee: Joo got it. 01:51 < lonel> krzee: working on it 01:56 < lonel> krzee: 01:56 < lonel> Tue Jan 20 08:58:08 2009 vais/69.93.37.142:2807 SENT CONTROL [vais]: 'PUSH_REPLY,route 192.168.64.0 255.255.255.0,route 192.168.1.0 255.255.255.0,route 192.168.0.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.0.10 192.168.0.9' (status=1) 01:56 < lonel> looks like the route added 01:56 < krzee> you wont have users connecting from other lans? 01:57 < krzee> like possibly a laptop? 01:57 < krzee> (out roaming around for example...) 01:57 < lonel> yes the server i am working on is a remote one 01:57 < krzee> i see you are connecting 2 lans... 01:57 < lonel> oh my bad 01:57 < krzee> will you also connect from outside of them? 
01:58 < krzee> or just connecting them 01:58 < lonel> krzee: sec,i will be back 01:58 < krzee> [03:46] also 01:58 < krzee> [03:46] you dont wanna use 192.168.0.0 most likely 01:58 < krzee> [03:47] unless there will never be mobile clients 01:58 < krzee> [03:47] cause thats such a common subnet 01:59 < lonel> sure i will change it 01:59 < krzee> if you ever try to connect from a lan using 192.168.0.0 you will not be able to connect to the vpn right 01:59 < krzee> it would break routing 01:59 < lonel> i will look into it,and i made a mistake in push,my server subnet is not 192.168.64.0/24 01:59 < lonel> it is 192.168.168.0/24 01:59 < lonel> i am changing it,and gonna connect again 02:02 < lonel> MULTI: bad source address from client [192.168.1.2], packet dropped 02:02 < lonel> i guess i am on the track now 02:02 < lonel> :) 02:02 < krzee> ya except i think you didnt fully read my doc still 02:02 < lonel> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/. 02:02 < lonel> where is that? 02:03 < krzee> wherever you make it... 02:03 < lonel> in the client or server? 02:03 < lonel> let me figure it :) 02:03 < krzee> IT SAS 02:03 < krzee> SAYS 02:03 < krzee> second sentence 02:04 < krzee> well, first sentence rather 02:05 < lonel> client-config-dir 02:05 < lonel> what is ccd then? 02:05 < krzee> !man 02:05 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 02:05 < krzee> look at --client-config-dir 02:06 < lonel> sec 02:09 < lonel> oh in the server di i need to create a directory,in that it should contain a file with cn as that of the client? 02:09 < lonel> and need to specify iroute there? 
02:09 < lonel> do i* 02:09 < krzee> right 02:12 < lonel> krzee: i got an issue here.i am using pam auth here 02:12 < lonel> not certificates 02:12 < lonel> so how should i know the name of the client network 02:12 < krzee> in manual see --username-as-commonname 02:12 < lonel> or it doesn't matter 02:13 < lonel> ok already got that in my config (copied from somewhere) ;) 02:14 < lonel> krzee: one more question 02:14 < lonel> my user is lonel 02:14 < lonel> i created a directory lonel 02:14 < lonel> and i created a file called lonel.conf 02:14 < lonel> and put iroute 192.168.1.0 255.255.255.0 02:14 < krzee> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/. 02:14 < krzee> In this example lets assume the client owning the network 192.168.1.0 has a common-name of client1. In ccd/client1 He should have the following: 02:15 < lonel> ok :) 02:15 < krzee> i took a lot of time making that doc nice, i hate when people just skim it 02:16 < krzee> instead of reading to understand 02:17 < lonel> krzee: true 02:17 < lonel> sorry for that 02:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:19 < lonel> krzee: still cant ping 02:19 < lonel> but no errors 02:20 < lonel> SENT CONTROL [lonel]: 'PUSH_REPLY,route 192.168.168.0 255.255.255.0,route 192.168.0.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.0.10 192.168.0.9' (status=1) 02:20 < krzee> what cant you ping 02:20 < lonel> got a web server 02:20 < lonel> in 192.168.168.0/24 02:20 < lonel> on .90 02:20 < krzee> READ MY WHOLE DOC 02:20 < krzee> im leaving 02:20 < krzee> goodnight 02:21 < lonel> so that will help me? 
02:21 < krzee> nothing can help you if you are unwilling to read 02:21 < krzee> pay someone to set it up for you maybe 02:22 < lonel> ok got it 02:22 < lonel> ROUTES TO ADD OUTSIDE OF OPENVPN 02:22 < lonel> :)p 02:24 < lonel> krzee: 02:24 < lonel> If this needs clarification ask me about it and I will update this page after discovering how to make it clearer. 02:24 < lonel> :) 02:24 < lonel> help me 02:24 < lonel> b/w changing the ip from 192.168.0.0 02:28 < lonel> krzee: the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work. 02:29 < lonel> so if i add a route to default gateway,,that would work? 02:49 < lonel> ok i need to add a route in the router 02:49 < lonel> to the tunnel's ip 02:56 -!- zug|work [n=zug_work@88.211.97.126] has quit [Read error: 110 (Connection timed out)] 04:04 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 04:14 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:25 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has joined ##openvpn 04:25 -!- doke_ [n=me@84-73-166-158.dclient.hispeed.ch] has quit [Read error: 113 (No route to host)] 04:26 < assasukasse> hi everyone, i wish to know if it is possible to assign a fixed ip to a certain client (ie 10.8.0.2 to my client1, 10.8.0.3 to my client 2 and so on) so that it is RESERVED to that client 05:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:20 < assasukasse> anyone? 
05:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 06:13 -!- SURFkees [n=kees@x229.flex.surfnet.nl] has joined ##openvpn 06:13 < SURFkees> Anyone know what's the cause of this: "WARNING: Bad encapsulated packet length from peer (17474), which must be > 0 and <= 1576" 06:20 < assasukasse> hi everyone, i wish to know if is possible to assign a fixed ip to a certain client (ie 10.8.0.2 to my client1, 10.8.0.3 to my client 2 and so on) so that it is RESERVED to that client 06:32 < pegasos-rider> assasukasse: use client-config-dir to specify directory of client-specific configurations, and specify ifconfig-push client_IP peer_IP for each client there 06:32 < assasukasse> pegasos-rider: do u have a guide for that? 06:33 < pegasos-rider> Indeed I do, it's openvpn(8) manual page :) 06:51 < assasukasse> pegasos-rider: i can't find on the website how to get the manual (page 8) 06:56 < pegasos-rider> If you're on some POSIX system, man 8 openvpn will help you :) Otherwise check web site one more time :) 06:57 < pegasos-rider> And by the way, 8 means section of the manual page, not page of some manual, search for client-config-dir and ifconfig-push there instead 06:58 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn 06:58 < dazo> assasukasse: google: man openvpn .... it usually gives a clear hit 07:18 < ecrist> SURFkees: look into the howto and/or man pages and read up on MTU 07:18 < ecrist> oh, and good morning, bitches 07:40 < assasukasse> well i found i have to make a ccd directory and put a file with the name of the machine i want to edit.. 07:40 < assasukasse> is not very clear in the examples i found 07:41 < ecrist> have you read the howto? 07:41 < assasukasse> ecrist: yesser 07:41 < ecrist> it states *exactly* what you have to do. 
07:41 < assasukasse> i configurated everything tru the howto 07:41 < ecrist> so this isn't any 'not very clear' if you read that 07:42 < assasukasse> ecrist: i was reading this part Expanding the scope of the VPN to include additional machines on either the client or server subnet. 07:44 < assasukasse> however i can't find exactly what i need, i found alot about connecting to networks behind the client and such 07:49 < ecrist> :\ 07:49 < ecrist> search the how to for the section called "Configuring client-specific rules and access policies" 07:50 < ecrist> don't know how much more obvious it needs to be 07:52 < assasukasse> ecrist: assuming i have to give the client 1 always the same ip 10.8.0.2. i create a dir /etc/openvpn/ccd and a file inside the dir called client1 and put ifconfig-push 10.8.0.2 10.8.0.1 (where 10.8.0.1 is my server virtual ip?) 07:52 < ecrist> assasukasse: did you read the section I mentioned? 07:52 < assasukasse> ecrist: yes 07:52 < assasukasse> that's why i am questioning u 07:52 < ecrist> ok, then you know the answer to your question is no 07:53 < assasukasse> cuz it says: Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints. 07:53 < ecrist> correct 07:53 < ecrist> but the addresses you mention aren't correct 07:53 < ecrist> they list out a bunch of examples. 07:53 < ecrist> right in that section 07:54 < ecrist> each /30 uses 4 IPs, not just two 07:57 < lonel> hey 07:57 < assasukasse> oh i got..so i put ifconfig-push 10.8.0.1 10.8.0.2 and this causes client 1 to take ip 10.8.0.2 07:58 < lonel> hey any one know the name of bridge module in the linux? 07:58 < lonel> add bridge failed: Package not installed 07:58 < assasukasse> and ifconfig-push 10.8.0.5 10.8.0.6 would cause client1 to take ip 10.8.0.5? and what about server. from the client side will still be 10.8.0.1? 07:58 < lonel> i guess in my machine bridge is compiled as module 07:58 < ecrist> lonel, sorry, no, I use a *real* OS. 
;) 07:58 < lonel> which one? 07:59 < lonel> :) 07:59 < ecrist> FreeBSD, lonel 07:59 < ecrist> assasukasse: the 'server' end of the ip addressing is only virtual. the server's IP really remains at .1, but for a /30, you need an endpoint for the PPP connection. 08:00 < assasukasse> ecrist: thanks, i just should first learn what is a /30 :D i will try to find smth on the net 08:01 < ecrist> good luck 08:02 < assasukasse> ecrist: so openvpn is a ppp vpn? is not smth like the ones integrated in the routers (cisco, zyxel)? 08:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:04 < ecrist> assasukasse: no 08:06 < SURFkees> ecrist, I took a look at the tun-mtu option and defined it at both my client and server the same way. Still no luck 08:06 < ecrist> krzee is the expert here, ask him 08:06 < assasukasse> thanks ecrist one last question, is it possible to route all my port 110 25 and 119 tru my server to make it look like it was originating from it? so i can check email from the client wherever i am 08:10 < SURFkees> krzee, any idea? 08:19 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:23 -!- lfaraone [n=LukeFara@ubuntu/member/lfaraone] has left ##openvpn [] 08:26 -!- pegasos-rider [n=pegasos-@79.143.9.142] has quit [Remote closed the connection] 08:39 < ecrist> assasukasse: sure 08:49 < dazo> lonel: I thing the bridging tool is called bridge-utils-*.tar.gz .... and the kernel module I believe is bridge.ko 08:52 < dazo> s/thing/think/ 08:57 < lonel> dazo: worked :) 08:57 < lonel> dazo: when i am starting bridge-start script through ssh console 08:57 < lonel> everything is locked up 08:58 < lonel> and need to reboot the machine again to make it access thru ssh 08:58 < dazo> lonel: whoops 08:58 < lonel> iptables permissions? 08:59 < dazo> dazo: well ... if I do a wild guess ... I believe it could be that kernel gets confused reg. to the routing between the interfaces and which interfaces sshd is listening to ... but I've never tried to start up bridging via ssh 
08:59 * dazo goes to a meeting now ... back in an hour 08:59 < lonel> ok 08:59 < lonel> :) 09:03 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn 09:03 < MMN-o> !route 09:03 < vpnHelper> MMN-o: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 09:04 < dazo> lonel: not sure if you've seen this one ... but you might find this one interesting .... http://www.linux.com/base/ldp/howto/BRIDGE-STP-HOWTO/index.html (now I'm really going for meeting) 09:04 < vpnHelper> Title: Linux.com :: Everything Linux and Open Source (at www.linux.com) 09:05 < lonel> dazo: thx 09:25 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn 09:31 < MMN-o> I'm having a curious problem with iptables (I think). I'm forwarding traffic from two external IPs to each internal VPN network on two separate physical machines 09:32 < MMN-o> from what I can tell the two separate machines (arti and gurk) have the same configurations with same openvpn version - but one is Debian (testing) and one is Ubuntu (intrepid server) 09:32 < MMN-o> Urr. gurk is debian lenny, and arti is ubuntu intrepid. 09:33 < MMN-o> [gateway] -> OpenVPN -> arti, gurk 09:34 < MMN-o> arti works fine, with iptables rerouting gateway:8080 to arti-on-vpn:80 09:34 < ecrist> I'd help, if I could, but not a linux guy, sorry. 09:35 < MMN-o> gurk doesn't. Traffic seems to stop at the gateway, but I can access it _from_ the gateway (using vpn IP) 09:36 < MMN-o> ip_forward is off on both arti and gurk, and neither have iptables rules, and they both listen (lighttpd) on 0.0.0:80 and 0.0.0.0:8080 respectively 09:37 < dazo> MMN-o: hold on about an hour, and I'll see if I can help you out (I'm in a phone meeting now) 09:37 < MMN-o> the gateway has identical setups (ordinary NAT) with iptables for them, except the external IP. (which are eth0 aliases eth:2 and eth:3 respectively) 09:37 < MMN-o> dazo: Sure. 
09:38 < MMN-o> TUN interfaces by the way
09:38 < MMN-o> Either gurk doesn't accept the traffic through tun0, or gateway doesn't forward correctly. I'm gonna check (again) for overlapping iptables rules
09:44 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has quit [Remote closed the connection]
09:48 < MMN-o> Hm, I found a legacy change that caused gurk not to function. redirect-gateway wasn't activated
09:49 < MMN-o> I'm curious over which route settings I'd have to set to enable this without redirect-gateway
09:50 < MMN-o> Right now I have to move myself physically to another computer which abruptly got disconnected. (openvpn client seems to stop/crash when server is stopped?)
09:55 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has joined ##openvpn
10:08 < dazo> MMN-o: would you mind showing your iptables rules on pastebin (or PM if really needed) ... you replace your public IP addresses with something else (public_1, public_2, etc)
10:08 < dazo> MMN-o: and the same with the route -n
10:09 < dazo> MMN-o: please dump the iptables via the iptables-save command ... easier to parse for me
10:24 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)]
10:26 < krzee> [10:10] krzee is the expert here, ask him
10:26 < krzee> lol
10:26 < krzee> ecrist, tired?
10:30 < SURFkees> :)
10:31 < krzee> whats the question?
10:32 < SURFkees> MTU problems
10:32 < krzee> lonel, why are you using bridge now?
10:33 < SURFkees> I'll show you a snippet of the logs
10:33 < krzee> SURFkees, did you try --mtutest?
10:33 < krzee> !mtu
10:33 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
10:33 < krzee> --mtu-test i mean
10:34 < SURFkees> I'll give that a shot. The thing is, I've never had problems with MTU's on this line
10:34 < krzee> then why are you changing it?
10:35 < SURFkees> I'm receiving this error on my client:
10:35 < SURFkees> WARNING: Bad encapsulated packet length from peer (17474), which must be > 0 and <= 1576
10:35 < SURFkees> which then suggests it has something to do with the MTU
10:35 < krzee> !configs
10:35 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:36 < krzee> put mtu-test in the client config
10:36 < krzee> then connect
10:36 < krzee> then post configs
10:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:46 < SURFkees> is mtu-test still useful if I'm running a tcp-server/tcp-client config?
10:48 < krzee> yes, but why would you use tcp?
10:48 < krzee> !tcp
10:48 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:48 < krzee> if you're talking about playing with mtu, you should first use --mtu-test
10:48 < krzee> http://www.latimes.com/news/nationworld/nation/la-na-airline-felonies20-2009jan20,0,5468299.story
10:48 < vpnHelper> Title: In-flight confrontations can lead to terrorism charges - Los Angeles Times (at www.latimes.com)
10:49 < SURFkees> DEBUG /usr/sbin/openvpn --config /var/lib/surfids/openvpn.conf --mtu-test --dev tap0 --writepid /var/lib/surfids/tunnel.pid
10:49 < SURFkees> ERROR /usr/sbin/openvpn died with error code 1, see log for details
10:49 < krzee> omg you're using tap AND tcp?
10:49 < krzee> lol
10:50 < krzee> you hate a good connection or something?
10:50 < krzee> !factoids search tun
10:50 < vpnHelper> krzee: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers
10:50 < krzee> hrm
10:50 < krzee> !factoids search bridge
10:50 < vpnHelper> krzee: 'bridge', 'bridge-dhcp', 'fbsdbridge', and 'bridge-fw'
10:51 < SURFkees> Well, I know I need to use tcp, but what's wrong with tap?
10:52 < krzee> !learn tunortap as you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
10:52 < vpnHelper> krzee: Joo got it.
10:52 < krzee> tap encapsulates ethernet frames over ip
10:52 < SURFkees> Yep, which is what I want
10:52 < krzee> you have a reason for doing that?
10:52 < SURFkees> analyzing layer 2 attacks
10:53 < krzee> gimme an idea of your goal...?
10:53 < SURFkees> we use openvpn to connect our sensors to our server where the detection stuff is located
10:53 < krzee> you plan on detecting arp poisoning from remote instead of locally?
10:53 < SURFkees> basically, a distributed honeypot, in short
10:54 < ecrist> krzee: aye. getting support-burnout, I think
10:54 < SURFkees> yea
10:54 < krzee> haha
10:54 < krzee> ecrist, understandable
10:54 < ecrist> considering ##openvpn hiatus
10:54 < krzee> i was DEFINITELY there yesterday
10:54 < krzee> im gunna be on online hiatus for a little
10:55 < krzee> im headed to usa, brazil, peru
10:56 < krzee> SURFkees, ok so you do want tap
10:56 < krzee> likely not tcp
10:56 < lonel> krzee: hi,i dont have the password for the router to add a static route to it
10:56 < krzee> and have you done mtu-test yet, and posted configs to me yet?
10:56 < krzee> lonel, LOL
10:57 < lonel> :)
10:57 < krzee> reset it
10:57 < SURFkees> it doesn't want to let me do the mtu-test
10:57 < SURFkees> Options error: --mtu-test only makes sense with --proto udp
10:57 < lonel> krzee: so no other go?
10:57 < krzee> SURFkees, didnt i already say you should be using udp?
10:57 < lonel> else need to manually add routing table as per the doc :)
10:57 < SURFkees> http://pastebin.com/m58192235
10:57 < krzee> good job lonel, you actually read the doc this time
10:58 < krzee> i noticed that after i stopped answering questions you started answering them yourself, i thought that could have been from actually reading that doc i spent so much time on
10:58 < lonel> thanks lol :)
10:58 < lonel> krzee: need help
10:59 < krzee> reset your routers pw
10:59 < krzee> and do it the right way instead of trying to use a bridge cause you dont know your routers password
11:00 < krzee> you were finished with the openvpn setup, but decided to start over because of a missing router pw
11:00 < krzee> LOL
11:00 < lonel> hehe :(
11:00 < krzee> go back to how it was after i helped you last night
11:00 < krzee> then reset the router pw (and write it down this time)
11:01 < lonel> because 70 people are working under it
11:01 < lonel> its a router/modem
11:01 < lonel> dont know the isp pass as well
11:01 < krzee> theres no way you're the head tech at a company with ~70 people
11:02 < lonel> i am a fighter
11:02 < lonel> :)
11:02 < krzee> like boxing?
11:02 < lonel> kind of..boxing with interwebs
11:02 < krzee> umm
11:02 < lonel> i know a lot of things,but dont know nothing
11:02 < krzee> whatever thats supposed to mean
11:03 < lonel> i hate reading rtfm
11:03 < plaerzen> ...
11:03 < lonel> oaabama
11:03 < lonel> well krzee
11:03 < lonel> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html#linuxscript
11:03 < krzee> good luck lonel
11:03 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
11:03 < lonel> thanks
11:03 < krzee> you ran out of krzee-help last night
11:04 < krzee> wassup plaerzen
11:04 < lonel> when i execute bridge-start..all my network goes down?
11:04 < lonel> need to reboot the machine to make it right
11:04 < krzee> you shouldnt be bridging anyways
11:04 < plaerzen> krzee, the usual. Trying to see if we should use CX4 or glass for our new backbone.
11:04 < krzee> mmmmm glass
11:05 < plaerzen> it's only a 10M run though, glass might be overkill
11:05 < krzee> oh
11:05 < ecrist> but, once it's in, you can upgrade speed easy
11:05 < krzee> how much bw? chance of needing more bw in future?
11:05 < plaerzen> yeah. I've heard some people have had issues with CX4 too.
11:05 < krzee> doh ecrist stole my train of thought ;]
11:06 < plaerzen> 10gbit
11:07 < plaerzen> and it's like a 3G price difference...
11:07 < krzee> thats all?
11:07 < plaerzen> roughly
11:07 < krzee> even after the endpoints for the fiber?
11:08 < plaerzen> they're just modules in our procurves
11:08 < krzee> then dude
11:08 < krzee> worth it!
11:08 < plaerzen> lol I need some more measurable metrics to justify it
11:09 < plaerzen> "krzee off IRC said do it!"
11:09 < krzee> copper you may need to dig it up one day to replace with faster
11:09 < krzee> fiber once its there its there forever
11:09 < plaerzen> I am leaning towards glass though too, for that reason.
11:09 < krzee> (assuming we're talking dark)
11:10 < ecrist> krzee: copper doesn't get 'faster'
11:10 < krzee> when you say krzee said
11:10 < krzee> your boss might say OMG YOU KNOW HIM!?
11:10 < plaerzen> lol
11:10 < krzee> ecrist, ok, to put in more copper
11:10 < ecrist> the only thing that may need to occur is putting heavier-gauge wiring in, whereas fibre is fibre
11:11 < ecrist> where copper is < fibre is in throughput capabilities over a distance
11:11 < plaerzen> yeah, I know that part. But it's only 10m between two procurves
11:11 < ecrist> you can push high bandwidth over fibre for hundreds of KM before repeaters are needed, copper not so much
11:11 < krzee> fiber has other benefits
11:11 < plaerzen> even if we buy another floor, we can use one of the procurves as a bridge
11:11 < krzee> but you already know them
11:12 < ecrist> plaerzen: 10 meters?
11:12 < krzee> miles
11:12 < plaerzen> meters
11:12 < ecrist> oh, do fiber
11:12 < krzee> WHAT!?
11:12 < krzee> lol
11:12 < plaerzen> :P
11:12 < plaerzen> yep
11:12 < ecrist> meters? do copper
11:12 < krzee> ya i was way off
11:13 < krzee> 3g price diff for a 10 meter run
11:13 < krzee> screw that
11:13 < ecrist> don't mess with fibre unless you're going between places in a large building, or between buildings
11:13 < ecrist> and, there's nothing to 'dig up'
11:13 < ecrist> lol
11:13 < krzee> totally
11:13 < plaerzen> yeah we have a core drilled in the cement in our new building between the two server rooms
11:14 < ecrist> distance?
11:14 < plaerzen> on top of each other
11:14 < ecrist> wire-run distance, not crow-fly distance
11:14 < plaerzen> 10meters, tops
11:14 * krzee dumps the core
11:14 < ecrist> oh, copper
11:14 < ecrist> don't fuck with fibre for that
11:14 < krzee> i now agree, coper
11:14 < krzee> copper
11:14 < krzee> i totally thought that was 10 miles
11:14 < plaerzen> yeah, sorry
11:14 < krzee> ie: digging and whatnot
11:15 < krzee> and the other side benefit i like of fiber is lost too
11:15 < ecrist> anything more than a few hundred yards, you need to do fibre for real connectivity
11:15 < lonel> krzee: any idea why my network goes down..when i start the bridge interface?
11:15 < krzee> (cant tap a fiber line)
11:15 * plaerzen nods.
11:15 < krzee> lonel,
11:15 < krzee> [13:07] you ran out of krzee-help last night
11:15 < lonel> one more chance lol
11:16 < krzee> you're not even doing it right
11:16 < krzee> you shouldnt even be bridging
11:16 < krzee> which i said 2 or 3 times already
11:16 < plaerzen> Well, I need to do a little more digging. I have heard people have connectivity issues with CX4 on even short distances. (not as short as ours, but we have to have 100% confidence it will be ok here)
11:17 < SURFkees> Thanks for the help so far, krzee. I'll look into it some more myself tomorrow :)
11:17 < krzee> SURFkees, np, you prolly wanna lose all mtu related stuff in the config
11:17 < krzee> and frag stuff
11:17 < krzee> but since you still didnt post configs i can help more
11:17 < ecrist> plaerzen: any *real* switch can do port trunking, just run 2 or 3 of those connections and trunk the ports
11:18 < krzee> SURFkees, plus you want udp
11:18 < SURFkees> I did krzee, but my time is up now. I'll check again tomorrow
11:18 < plaerzen> ecrist, oh, we have some real switches.
11:18 < krzee> right on SURFkees
11:18 < lonel> why udb?
11:18 * krzee pictures plaerzen in a low rider with hydraulics when he says that
11:18 < ecrist> !tcp
11:18 < lonel> udp even
11:18 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:19 -!- SURFkees [n=kees@x229.flex.surfnet.nl] has quit ["Leaving"]
11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:19 < lonel> ecrist: krzee: any idea why my network goes down..when i start the
11:19 < lonel> bridge interface?
11:19 < lonel> :P
11:19 -!- mode/##openvpn [+o lonel] by ChanServ
11:19 < krzee> oh surfkees did post his configs
11:19 < krzee> i missed it
11:19 <@lonel> thanks
11:20 < ecrist> bastard
11:20 < krzee> oh noes
11:20 < krzee> dont ban me!
11:20 <@lonel> more powers more responsibility
11:20 <@lonel> i know that
11:20 <@lonel> hehe
11:20 < ecrist> /kick lonel
11:20 < ecrist> 11:20 -!- ##openvpn You need to be a channel operator to do that
11:20 < ecrist> :(
11:20 -!- mode/##openvpn [+o ecrist] by lonel
11:20 < krzee> hehe
11:21 <@ecrist> /kick lonel muahahah!
11:21 -!- mode/##openvpn [-o ecrist] by ecrist
11:21 -!- mode/##openvpn [-o lonel] by ChanServ
11:21 < lonel> /mode +v krzee
11:22 < krzee> /devoice krzee
11:22 < ecrist> hah, I was getting +o and you only got +V
11:22 * ecrist > krzee
11:22 < krzee> lol
11:22 * ecrist does a dance.
11:22 < krzee> good point!
11:22 < ecrist> back to work for me.
11:23 < krzee> ecrist, how long til the 3 wise men visit?
11:23 < ecrist> o.O
11:23 < lonel> !help bridgekillsinterface
11:23 < vpnHelper> lonel: Error: There is no command "bridgekillsinterface".
11:23 < lonel> :)
11:24 < krzee> !dontusebridgeforthe5thtime
11:24 < vpnHelper> krzee: Error: "dontusebridgeforthe5thtime" is not a valid command.
11:24 < lonel> ok let me do some googling
11:24 < lonel> thank :P
11:24 < lonel> s
11:24 < krzee> google this:
11:24 < krzee> DONT USE BRIDGE
11:27 < lonel> hehe ok
11:30 < lonel> krzee: why router vpn >> bridged?
11:30 < lonel> s/router/routed
11:30 < krzee> less overhead, easier to setup
11:30 < lonel> apart from that?
11:30 < krzee> you're talking about using ethernet frames over ip just because you forgot the password to your router
11:31 < krzee> you should have the password anyways
11:31 < krzee> fix the real problem
11:31 < krzee> you will have a faster vpn with tun
11:31 < lonel> i see
11:32 < lonel> i will look towards it
11:32 < krzee> !tunortap
11:32 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
11:34 < lonel> oh tap is under layer 2,and tun is using layer3
11:34 < krzee> someone skipped the howto that i linked him to
11:34 < krzee> (shocking)
11:35 < lonel> o_o
11:36 < krzee> but yes
11:36 < krzee> tap is layer2 tun is 3
11:36 < lonel> so ip over ip is tehbest?
11:36 < lonel> the best
11:36 < lonel> than frames over ip?
11:36 < krzee> better than ethernet over ip when you arent tunneling layer2 protocols
11:36 < krzee> for obvious reasons
11:37 < lonel> alright
11:38 < lonel> i will do the stuff related with it using the router after office time
11:38 < lonel> krzee: thanks very much for your time :)
11:38 < lonel> laters
11:38 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn []
11:39 < krzee> for the record, i started off nice to him
11:47 < assasukasse> is there any GUI for controlling openvpn? like adding or removing clients and settings options
11:47 < dazo> assasukasse: which OS?
11:47 < assasukasse> linux
11:47 < dazo> assasukasse: Do you use NetworkManager?
11:47 < krzee> !ubuntu
11:47 < vpnHelper> krzee: "ubuntu" is dont use network manager!
11:47 < krzee> hehe
11:47 < dazo> assasukasse: there are some plugins for that
11:48 < assasukasse> no i don't use ubuntu nor network manager
11:48 < krzee> theres some php web based gui app
11:48 < krzee> and theres ssl-admin
11:48 < dazo> krzee: Ubuntu used NetworkManager since 7.10 (Gutsy Gibbon) at least .... but I uninstalled it because it was crappy
11:48 < krzee> as for settings, i dont think so
11:48 < assasukasse> im on debian lenny
11:49 < krzee> adding clients = ssl certs
11:49 < assasukasse> uhm...
11:49 < krzee> ssl-admin is nice
11:49 < assasukasse> only for adding clients..
11:49 < krzee> !ssl-admin
11:49 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
11:49 < bigjohnto> any way to see currently connected VPN users?
11:49 < krzee> management interface
11:50 < krzee> i have no idea how, but it can
11:50 < dazo> bigjohnto: krzee: If you have configured management interface in OpenVPN ... you can basically telnet to the address:port you set up .... and call the "help" command .... I believe connections is found by the "status" command
11:51 < krzee> right on
11:51 < krzee> ill play with that some day
11:51 < assasukasse> oh yea i tried the telnet one
11:52 < assasukasse> well, in short openvpn works really well, but i find it not really easy to configure..might be cuz i am not strong in routing stuff
11:52 < dazo> assasukasse: routing can be tricky ... but you can't blame that on OpenVPN unfortunately ;-)
11:52 < krzee> having a problem configuring something specific?
11:54 < assasukasse> actually yes, i am using ssh to tunnel my email and smtp and nntp connection from work to my home server..and it works..but is bothersome, i wish i could simply do with openvpn (just set up a rule on my client to forward port 25 110 119)
11:54 < assasukasse> i fiddled a couple of hours in the config
11:54 < assasukasse> but i am missing smth
11:54 < bigjohnto> krzee, dazo, maybe i should i wrote a script and logged openvpn connections but i would like something more clean
11:54 < krzee> bigjohnto, you could make a web interface to the management interface
11:55 < krzee> in fact the management interface was designed to be used by scripts / external apps
11:55 < bigjohnto> right on
11:55 < krzee> less designed to be used by hand
11:55 < bigjohnto> i guess i got myself a project
11:55 < krzee> assasukasse, im thankful openvpn doesnt handle that stuff
11:55 < dazo> bigjohnto: what's your requirements regarding the security? ... if you want to use both SSL certs and username/password ... you can use the eurephia auth module, which does session logging also to a database (SQLite for the moment)
11:55 < krzee> it lets the os handle things that belong to the os
11:56 < bigjohnto> dazo, can you customize it? add to it?
11:56 < krzee> and port based routing doesnt really exist, but can be hacked up through firewall rules prolly
11:56 < dazo> bigjohnto: http://www.eurephia.net/
11:56 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
11:56 < bigjohnto> thanks you have been wonderful
11:56 < dazo> bigjohnto: depends on what you mean with customize
11:56 < krzee> assasukasse, email/smtp/nntp are on the same box?
11:56 < bigjohnto> dazo, own scripts etc.. etc..
11:57 < bigjohnto> nothing major
11:57 < bigjohnto> i'll play around with it, guess thats the best way to find out
11:57 < assasukasse> krzee: my email provider is pretty bothersome..if i don't connect from my home dsl it doesn't let me send or check email...
11:57 < assasukasse> if i want to check from work i need to tunnel the connection to home
11:57 < krzee> assasukasse, just add routes
11:58 < krzee> route ip netmask
11:58 < krzee> in the config that is on the machine that needs the route added
11:58 < assasukasse> krzee: but route can be limited for ports?
11:58 < krzee> no
11:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:58 < krzee> for ips
11:58 < krzee> it just adds a route to the kernel routing table
11:58 < krzee> you gunna connect to the mail server for something other than mail?
11:58 < assasukasse> nop
11:59 < assasukasse> sending and fetching
11:59 < krzee> then why do you care about the port?
11:59 < krzee> just route to the ip over the vpn
11:59 < dazo> bigjohnto: no, the eurephia does not add anything like that .... sounds more like you just want to investigate the --tls-verify or similar hooks
11:59 < dazo> bigjohnto: --learn-address is another hook
12:01 < bigjohnto> dazo thanks :)
12:01 < dazo> bigjohnto: np
12:08 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:12 -!- gnashi [n=gabriel@S0106001346fb1579.vc.shawcable.net] has joined ##openvpn
12:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:16 < gnashi> hello... I have my VPN running just fine - bridging server, linux client - unfortunately it seems that my client's default gateway is being overridden on connect by default. Config is http://pastebin.com/d42806d9c
12:17 < gnashi> I just want the client to have a route to the VPN subnet and to use the VPN's DNS.
12:24 -!- thx2000 [n=efaccou@netblock-75-79-22-139.dslextreme.com] has joined ##openvpn
12:25 < thx2000> Can anyone recommend a download for an OpenVPN GUI that works w/ Vista x64? I've tried just about every version I can find, and they all try to install v8 of the TAP-Win32 driver which I can't get working.
12:27 < gnashi> thx2000: I've had the same problem. No solution yet that I've found.
12:31 < thx2000> I've got it working on one machine...but I installed it a year ago and can't remember what the heck I did
12:31 < thx2000> Definitely don't remember it being this tricky
12:32 < gnashi> hmm.
12:35 -!- gnashi [n=gabriel@S0106001346fb1579.vc.shawcable.net] has quit ["Ex-Chat"]
12:54 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection]
13:05 -!- thx2000 [n=efaccou@netblock-75-79-22-139.dslextreme.com] has left ##openvpn []
13:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: kaii
14:06 -!- Netsplit over, joins: kaii
14:17 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn
14:18 < fbond> Hi. With certificate-based auth, the OpenVPN server does not allow the same client to connect twice. Will it allow this if I use username & password auth?
14:18 < fbond> I'd like to use the same credentials from multiple machines.
14:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
14:25 < ecrist> fbond: read the how to
14:25 < ecrist> you *can* allow multiple connections from a single certificate with the duplicate-cn option, but it's not recommended for security reasons.
14:26 < fbond> ecrist: Ah, okay, thanks.
14:28 < fbond> ecrist: That topic doesn't seem to be covered in the howto, but I assume I can simply turn that on and continue using cert-based auth, right? Does this break ifconfig-pool-persist?
14:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:34 < fbond> Never mind, I see http://openvpn.net/archive/openvpn-users/2005-02/msg00231.html.
14:34 < fbond> Thanks!
14:49 < bigjohnto> :) finished my perl script to email FAILED and Initiated vpn access sessions :) w00t w00t :P
14:59 -!- xattack [i=xattack@132.248.108.239] has quit []
15:11 < reiffert> Using status file_
15:11 < reiffert> ?
15:12 < ecrist> fbond: yes, it will break ifconfig-pool-persist
15:16 < bigjohnto> reiffert, nope just regular old open handlers and regular expressions
15:25 < reiffert> handler on what file?
15:25 < reiffert> syslog?
15:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:26 < bigjohnto> reiffert, openvpn.log
15:26 < bigjohnto> i have it doing the logging for openvpn service
15:27 < reiffert> Ah, great!
15:27 < bigjohnto> this is in the server.conf file --> log-append /var/log/openvpn.log
15:28 < bigjohnto> so basically the crond perl script checks every week and then sends off an email and rotates it, 4 rotations
15:29 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has quit ["I ♥ Debian"]
15:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
15:32 -!- Andry [n=na@host233-16-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)]
15:43 < ecrist> bigjohnto: why not do it more often than once per week? do it real time.
15:50 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has quit [Read error: 145 (Connection timed out)]
16:53 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has quit [Remote closed the connection]
17:07 < bigjohnto> ecrist, ????? via cron?
17:14 < ecrist> what we do at my office is have a perl script which is tail -f the log file, sends notices for failures and keeps a small web applet we've got updated with current connections, etc. for the web applet, we compare current/incoming connection information against the status file to flush out any stale connection data
17:16 < bigjohnto> ah
17:16 < bigjohnto> yea thats a good idea too
17:16 < ecrist> krzee: PR13075 (http://www.freebsd.org/cgi/query-pr.cgi?pr=130754) committed
17:16 < vpnHelper> Title: ports/130754: update to security/ssl-admin (at www.freebsd.org)
17:16 < bigjohnto> but there are only 3 people who vpn here, so that would be overkill :)
17:16 < ecrist> we only have 12
17:17 < bigjohnto> heh guess security would be awesome with that
17:17 < bigjohnto> well thanks, I really appreciate that
17:18 < bigjohnto> I will modify my script to do that, not too many people share ideas these days
17:18 < bigjohnto> maybe make a perlmodule or something for people to use for it
17:18 < ecrist> there you go
17:19 < ecrist> I'm out - time for some beer.
17:19 < bigjohnto> thanks, and have fun
17:27 < krzie> Severity:serious
17:27 < krzie> it was a good update, but serious?
17:42 -!- Bushmills1 [n=nl@verhau.de] has joined ##openvpn
17:48 -!- Bushmills [n=l@verhau.de] has quit [Nick collision from services.]
17:48 -!- Bushmills1 is now known as Bushmills
18:00 -!- jrk [n=jrk@unaffiliated/jrk] has joined ##openvpn
18:00 < jrk> hi
18:01 < jrk> if I want to have certificate usable only by clients connecting using openvpn I assume that following certificate parameters should be enough to enforce it?
18:01 < jrk> X509v3 Basic Constraints: critical
18:01 < jrk> CA:FALSE
18:01 < jrk> X509v3 Key Usage: critical
18:01 < jrk> Digital Signature
18:01 < jrk> X509v3 Extended Key Usage: critical
18:01 < jrk> TLS Web Client Authentication
18:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
18:06 -!- thewolf is now known as Supotcog
18:07 -!- Supotcog is now known as elongatednipple
18:08 -!- elongatednipple is now known as friedtoe
18:08 -!- friedtoe is now known as sorryiamaknob
18:11 -!- sorryiamaknob is now known as thewolf
18:25 < krzie> anyone here use facebook?
18:25 < krzie> looking to get 5 people to install a FB app my friend made so it can get approved
18:25 < krzie> jrk no idea
19:32 < ecrist> i do
19:33 < ecrist> krzie: just create 5 accounts with throw-away emails
19:49 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:53 < krzie> http://apps.facebook.com/my_files/
19:53 < vpnHelper> Title: Login | Facebook (at apps.facebook.com)
19:58 < ecrist> what personal data does it pull?
19:58 < ecrist> who is patrick boden?
19:58 < ecrist> sounds familiar
20:13 < krzie> not sure, for all i know it could be my friends name
20:13 < ecrist> lol. requires signup on their site, so I opted out
20:15 < krzie> lol
20:17 < ecrist> krzie: ssl-admin is at 1.0.1 in ports tree now
20:18 < krzie> ya i saw =]
20:19 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
20:20 -!- DPA [n=DPA@89.124.68.18] has joined ##openvpn
20:21 < ecrist> my next big commit I think is going to be to migrate to ssl perl library
20:21 < ecrist> get rid of some of the system calls
20:22 < krzie> ahh nice
20:23 < krzie> why do you depend on zip?
20:37 < ecrist> because of the zip function
20:38 < krzie> lol, right
20:38 < krzie> but how bout tar for no DEPs?
20:38 < ecrist> because windows doesn't do tar
20:38 < ecrist> and, like it or not, there are lots of windows clients out there
20:38 < krzie> oh ya windows
20:38 < krzie> does it do zip by default?
20:38 < ecrist> yep
20:39 < krzie> (i guess so or you wouldnt have said anything bout tar)
20:39 < ecrist> 'splorer can do that
20:39 < krzie> ahh
20:39 < ecrist> it can't zip files up, but it can unzip them, like I unzipped your mom last night.
20:39 < krzie> heh
20:39 < krzie> dude my moms kinda old
20:39 < ecrist> old == experienced
20:40 < ecrist> ;)
20:40 < ecrist> I've had a few. can ya tell
20:40 < krzie> so it was good?
20:40 < ecrist> oh yeah.
20:40 < krzie> lol ya
20:40 < krzie> but its all in fun ;]
20:41 < krzie> besides i was with mrs crist while you were with my mom, so i figure its a fair trade
20:41 < krzie> kinda like swinging, but a lil diff
20:41 < ecrist> of course. gonna read the kid a story and wrestle with my dogs for a bit.
20:41 < ecrist> krzie: did she wear the gimp ball for ya?
20:41 < ecrist> she said she was gonna.
20:41 < krzie> nah but she liked the new vibe cockring
20:42 < ecrist> oh, and your ma said that it's OK with her if the four of us get together, she mentioned something about 'my boy's been in there once before, so nothing too new' or something like that
20:42 < krzie> ya i was in there for like 9mo
20:42 < ecrist> seriously, my ol' lady *LOVES* the vibe cock rings
20:43 < krzie> ya my #1 loves it too
20:43 < krzie> is it wrong i use it with others too?
20:43 < ecrist> of course not
20:43 < krzie> werd
20:43 < ecrist> we share here, so why shouldn't others?
20:44 < ecrist> well, I'm off. tomorrow, man. going to work some serious on ssl-admin in the next couple weeks.
20:44 < krzie> right on, gnite
20:44 < ecrist> a php/perl front end (html) has been suggested.
20:44 < krzie> ooo
20:44 < krzie> would be dope
20:44 < krzie> dunno if i'd use it, but it would be liked by many
20:44 < ecrist> gonna get rid of the system() calls, first
20:45 < ecrist> then, maybe for 2.0
20:45 < ecrist> it would be nice to implement a secure certificate file transfer via the ssl-admin package
20:45 < krzie> hrm, its doable
20:45 < ecrist> but, dunno
20:45 < ecrist> more to talk about.
20:45 < ecrist> l8r 20:45 < krzie> peace 20:52 -!- DPA [n=DPA@89.124.68.18] has quit ["Leaving"] 21:01 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"] 21:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 21:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 21:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:53 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:52 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 23:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] --- Day changed Wed Jan 21 2009 00:17 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 104 (Connection reset by peer)] 00:17 -!- robert__ [n=hellspaw@r-butler.net] has joined ##openvpn 00:55 < reiffert> Moin 00:57 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn 00:58 < lonel> hi 00:58 < lonel> any one around? 00:59 < lonel> looking for some one to test the ovpn setup i ahd here 00:59 < lonel> no burden of certicicate based login 00:59 < lonel> just user/pass 01:11 -!- robert__ [n=hellspaw@r-butler.net] has quit [Client Quit] 01:18 -!- neeku [n=neeku@89.165.69.15] has joined ##openvpn 01:31 -!- neeku_ [n=neeku@89.165.65.9] has joined ##openvpn 01:39 < neeku_> hi 01:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:40 < neeku_> i want to use openvpn as a client, so that i can connect to a specified server. what should i do in suse 11.1 for this? 01:40 -!- neeku [n=neeku@89.165.69.15] has quit [Nick collision from services.] 01:40 -!- neeku_ is now known as neeku 01:42 < dazo> neeku: First a really dumb question - You do know you need openvpn on both sides? One on your client side and one on your your network/server you want to connect to 01:44 < neeku> dazo: i'm not an expert. 
in windows i just created a connection, a vpn connection to do this, but in linux i don't know how to do that
01:44 < dazo> neeku: aha ... so you already got a working connection in Windows, is that correctly understood?
01:44 < neeku> dazo: the server is a vpn one and i have the IP and username and password to connect to that
01:45 < dazo> neeku: and you used OpenVPN in Windows as well?
01:45 < neeku> dazo: no, because i could do it just with creating a connection from the network manager
01:45 < dazo> openvpn clients will only work against openvpn servers
01:46 < dazo> neeku: usually you need more than just a username/pwd and IP to get openvpn working ... you usually need some kind of static encryption key and/or SSL certificates in addition to config
01:47 < dazo> neeku: what kind of VPN server are you connecting to?
01:47 < neeku> dazo: well... then let me ask another question. i've got a VPN account (as i mentioned the username, password and the IP). now what should i do in order to connect to that?
01:47 < neeku> dazo: um... i don't really know! just use it to change the IP
01:48 < dazo> neeku: well, I need to know what kind of VPN server you are connecting to ... because if the server you are connecting to is not an OpenVPN server .... the openvpn client will not work, that's guaranteed
01:49 < neeku> oh...
01:49 < dazo> neeku: but if you did create a connection in Windows without installing any programs, just doing network setup with VPN ... I'm guessing you'll need to use the PPTP protocol .... and there are some other Linux clients (which I don't know much about) which support the PPTP protocol ....
01:49 < neeku> then i should ask this from my friend. i really can't understand these VPN issues... :-S
01:50 < neeku> dazo: don't you know the names?
01:50 < dazo> neeku: http://pptpclient.sourceforge.net/ ...
this is a simple PPTP client which I would guess is available via the Yast2 software install
01:50 < vpnHelper> Title: PPTP Client (at pptpclient.sourceforge.net)
01:52 < neeku> thanks dazo :) i hope i can do this
01:53 < dazo> neeku: I don't know much about PPTP ... I've tried it once ... and that was 4-5 years ago ... PPTP is not as good or secure as openvpn, and I've been controlling both server and client side, so I could therefore decide what I wanted to use ... but if you only are a client user, go ahead and try this, it might work for you then :)
01:53 < reiffert> neeku: in Windows, did you choose "Automatic", "L2TP" or "PPTP"?
01:54 * dazo didn't think about IPsec ... doesn't that also require certificates to be installed?
01:54 < neeku> reiffert: let me check it in vbox and tell you
01:54 < neeku> i think automatic
01:55 * neeku is checking...
01:57 < neeku> reiffert: there's no such thing. i go to new connection creation part, then create a VPN account, i enter the IP and then the username and password. that's it!
01:57 < neeku> oh yes, that's automatic in options tab i checked reiffert
01:58 < dazo> sounds like pptp to me ... but I can be pretty much wrong
01:59 < neeku> ok, then let me confirm it with my friend tonight and then come back here
02:05 < dazo> neeku: well, you can try to install pptpclient in your SuSE distro and try to configure it ... if it works, it'll work most probably almost out of the box immediately
02:06 < dazo> neeku: which suse version are you running?
02:06 < neeku> hmm... ok, i'll try that
02:06 < neeku> 11.1
02:08 < dazo> neeku: http://www.l4l.be/docs/server/network/pptpclient.php (in Dutch, but you might manage to catch the different commands being run here and see the screen shots)
02:08 < vpnHelper> Title: PPtP client onder OpenSUSE 11.1 (at www.l4l.be)
02:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:09 < dazo> neeku: even better ...
google translated: http://translate.google.cz/translate?hl=en&sl=nl&u=http://www.l4l.be/docs/server/network/pptpclient.php&sa=X&oi=translate&resnum=10&ct=result&prev=/search%3Fq%3Dpptpclient%2Bopensuse%2B11.1%26num%3D100%26hl%3Den%26sa%3DG
02:09 < vpnHelper> Title: Translated version of http://www.l4l.be/docs/server/network/pptpclient.php (at translate.google.cz)
02:09 < neeku> oh thanks a lot dazo :)
02:09 < dazo> what you can't find on google isn't worth finding ;-)
02:42 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
02:42 < joelsolanki> Hi friends
02:42 < joelsolanki> i have a running vpn server. and clients are also connecting.
02:42 < joelsolanki> but one machine which is out of my physical and remote reach is creating a problem.
02:43 < joelsolanki> it says TLS Error: TLS object -> incoming plaintext read error on the client machine.
02:43 < joelsolanki> the same vpn client files are working on my test linux machine without any problem. it is connecting to the vpn server
02:43 < joelsolanki> what could be the problem?
02:43 < joelsolanki> unfortunately i dont have physical or remote access to this machine :(
02:45 < joelsolanki> any hints plz
02:46 < joelsolanki> on server side it gives the below message
02:46 < joelsolanki> Jan 21 08:49:27 lake ovpn-lake[29693]: 59.180.149.206:50707 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity
02:48 -!- jrk [n=jrk@unaffiliated/jrk] has left ##openvpn []
02:51 < joelsolanki> anybody please?
02:51 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:55 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
04:34 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
04:37 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:48 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
05:30 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
05:39 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
05:47 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:54 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
06:03 -!- neeku [n=neeku@89.165.65.9] has quit [Read error: 104 (Connection reset by peer)]
06:05 < MMN-o> dazo: Regarding my problem yesterday. 'redirect-gateway def1' on gurk enables through-VPN service routing, but disables anything incoming from the LAN
06:06 < MMN-o> dazo: While 'redirect-gateway' only on gurk acts the same as before but also kills existing connections (of course)
06:07 < MMN-o> dazo: And leaving it out altogether simply leaves me with (what I suspect) trying to route the intra-VPN connection through my default (LAN) gateway on gurk.
06:08 < MMN-o> Just mentioning that it's probably not the existing iptables rules at least. However, maybe that's what I have to use to have both VPN and LAN services enabled, or a smart 'route' line.
06:09 < MMN-o> Though I'll most likely be off for the rest of today.
06:11 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
06:11 < dazo> MMN-o: hmmm ... have you also looked into the use of iroute? ... that might be what you need as well
06:12 < dazo> instead of a route option to the client
06:12 < dazo> IIRC ... krzee knows much more about such routing issues
06:26 < MMN-o> I thought iroute was to specify which subnets a client routes to.
06:26 < MMN-o> But perhaps 'iroute [gurk LAN]' and then have the gateway --to-destination [gurk LAN IP]?
06:26 < MMN-o> Hm, I'll look into it and experiment.
06:28 < dazo> MMN-o: you are right ... and I might not have the complete overview over your network setup .... this might be my problem now
07:20 < ecrist> good morning, bitches
07:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:05 -!- MMN-o [n=mmn@barjack.com] has quit ["leaving"]
08:05 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
08:20 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
09:00 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:00 < nadley_> hi
09:01 < nadley_> I would like to know how to connect multiple clients to a vpn server with a shared static key
09:02 < nadley_> actually I can connect 1 client to the vpn server
09:02 < nadley_> but If i want to connect another client I can
09:03 < nadley_> can't
09:08 < dazo> nadley_: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html ... this should get you started
09:08 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
09:19 < nadley_> dazo: thx for the link but I have used it and it explains just how to connect 1 client to the server
09:19 < nadley_> I don't know how to configure the server to allow multiple connections
09:21 < dazo> nadley_: that's easy .... replace the ifconfig in the server config with ifconfig-pool .... and remove the ifconfig from the client config ... that should be all
09:22 < nadley_> oki oki
09:22 < nadley_> thanks
09:22 < dazo> nadley_: np!
09:22 -!- Toinou_ [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:23 < nadley_> just for precision: in client config i have to add "pull"?
09:23 < dazo> nadley_: no, not at all nothing at all ...
just take away the ifconfig line
09:24 < nadley_> oki thx
09:24 < dazo> nadley_: the client will then get the IP automatically from the openvpn server
09:24 < nadley_> oki I try it now
09:24 < dazo> nadley_: On second thought .... you will still need the ifconfig in the server config as well ... my fault
09:25 < nadley_> could you give me an example please
09:25 < nadley_> because I'm a little bit lost now
09:26 < dazo> nadley_: ifconfig 10.8.0.1 255.255.255.0
09:26 < dazo> nadley_: ifconfig-pool 10.8.0.10 10.8.0.100 255.255.255.0
09:26 < dazo> nadley_: as an example for your server config
09:27 < nadley_> oki thx
09:28 < dazo> np
09:28 -!- Toinou_ [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Quitte"]
09:29 < ecrist> dazo: you plan on hanging out in this chan often?
09:30 < dazo> ecrist: it's not carved into stone .... but I see no reason why not to hang out here, not at least as long as I'm actively developing eurephia
09:30 < dazo> ecrist: am I too noisy? ;-)
09:30 < ecrist> pm?
09:33 < nadley_> dazo: when I do the modification and restart the server it fails
09:34 < dazo> nadley_: can you add verb 4 to your config and have a look here? And then maybe put the log data to pastebin?
09:34 < dazo> !pastebin
09:34 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
09:36 < nadley_> dazo: I can't pastebin but I have looked in the log file and the error is: ifconfig-pool require mode server
09:37 < nadley_> but when I add mode server another error occurs: "mode server require tls"
09:37 < dazo> nadley_: ahh ... sorry .... just add that into your server config .... mode server
09:37 * dazo is surprised ....
09:37 < dazo> nadley_: I honestly thought it was possible to configure server mode without tls ....
09:37 < nadley_> I hope so
09:38 < ecrist> I don't believe it is possible.
09:39 < dazo> nadley_: I'm sorry, but I think you then need to bite into the TLS apple :(
09:39 < dazo> nadley_: it's not that hard .... and ecrist / krzee have this perl script called ssl-admin which can help you out doing that more easily
09:40 < nadley_> is it just a tls key or with a certificate?
09:41 < ecrist> nadley_: see http://openvpn.net/archive/openvpn-users/2006-11/msg00030.html for more information
09:41 < vpnHelper> Title: [Openvpn-users] static key mini howto works, but client/server doesn't. version 2.0.9 (at openvpn.net)
09:41 < dazo> nadley_: you'll need 3 files .... a CA certificate, a server key and a server certificate .... the server certificate must be signed by the same CA which signed the CA certificate
09:42 < nadley_> and with a shared key there is no other solution
09:44 -!- Toinou [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:45 < dazo> nadley_: nope, seems so :(
09:46 < nadley_> oki so what do I have to do?
09:51 < dazo> ecrist: is ssl-admin available as a package for download?
09:52 < nadley_> dazo: with a tls server each client needs his own certificate and key?
09:53 < dazo> nadley_: for the best security, yes ... but it's not a must ... you can use the same certs and key files on all clients
09:53 < dazo> nadley_: it basically runs down to the wanted security level you want
09:54 < ecrist> dazo, not at this time. I don't have any linux systems to test/build packages.
09:54 < dazo> ecrist: pity ... okey ... then entering SVN mode :-P
09:55 < nadley_> oki dazo i'll test it
09:55 < dazo> nadley_: you'll need SVN installed now .... and then you can run: svn co https://www.secure-computing.net/svn
09:55 < vpnHelper> Title: svn - Revision 38: / (at www.secure-computing.net)
09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:00 < ecrist> dazo, it is in freebsd ports tree
10:01 < dazo> ecrist: hmm ... didn't know ... I'm Linux :-P .... and I believe nadley_ is too?
10:01 < ecrist> yeah, i'll work on it
10:02 < dazo> ecrist: too bad it wasn't just to copy ssl-admin out into bin ... bec of the sed'ing
10:03 < dazo> ecrist: there's a typo in the Makefile ..... SEDCMD -> $SEDCMD ?
10:06 < ecrist> lemme look into it, but I don't think so.
10:06 < ecrist> a lot of what's in svn right now is setup for programmatic builds
10:06 < ecrist> dazo: Makefile in the root?
10:07 * dazo double checks
10:07 < dazo> ecrist: yes
10:10 < dazo> ecrist: there are some more issues as well :-P
10:11 < dazo> nadley_: The good util ssl-admin .... is not in the very best shape right now unfortunately ....
10:12 < ecrist> dazo: it's in great shape, just needs to be configured for linux
10:12 < nadley_> dazo: I'm using the tools included with openvpn
10:13 < dazo> ecrist: you'll need to check in this fix ;-) http://pastebin.com/d55f92f02
10:15 < ecrist> dazo: a bit embarrassing, but svn isn't always current. that fix is already due to be committed.
10:15 < dazo> ecrist: :)
10:15 < ecrist> done.
10:16 < ecrist> re: Makefile - you're seeing an artifact from the FreeBSD ports build process, which hasn't cleanly been merged with our attempts at making the install process more linux friendly.
10:16 < ecrist> a lot of big changes coming for ssl-admin in the next couple weeks.
10:17 < ecrist> I'm going to 1) build a tarball which can be configured, made, and make installed on linux systems
10:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:18 < ecrist> dependency management is where I'm uncertain, so I'm going to simply look for perl, and look in common places for the Crypt:SSLeay library.
10:18 < ecrist> not using SSLeay yet, but that's the second big change.
getting rid of all the backticks and system() calls, in favor of better perl built-ins
10:19 < ecrist> so, now that I'm at 1.0.1, I'm working on cleaning things up for install, will still be 1.0.x, and 1.1 is going to eliminate those other nasties
10:20 < dazo> ecrist: I oversaw the ./configure script ... when I ran that ... it was very fine!
10:20 < ecrist> that's all krzee's handiwork.
10:20 < dazo> heh :)
10:20 < ecrist> oh, last I heard, gentoo was working on a package for ssl-admin, too
10:20 < ecrist> be back in a while
10:20 < dazo> yeah, I've heard that ... I'd love that, as my servers are Gentoo based
10:21 * dazo needs to go shopping and then home .... might get online a little bit later
10:38 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
10:40 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Client Quit]
10:59 < plaerzen> morning folks
11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:24 < nadley_> dazo: I have configured my openvpn server to use TLS but when I connect another client it disconnects the other
11:47 -!- NK` [i=niko@minithins.net] has joined ##openvpn
11:47 < NK`> hi
11:47 < NK`> is it possible to have several clients using the same crt?
11:54 < cpm> think about it.
11:54 < cpm> in other words, sure, kinda defeats the purpose, but you can, just not at the same time.
11:55 < cpm> certificates identify hosts
11:55 < cpm> that's their job.
11:55 < cpm> folks do it though, or at least, that's what I've read.
12:00 < NK`> ok fine, that's the answer I'd like to hear :)
12:08 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:35 -!- ikevin_ [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
12:46 -!- ozirus [n=caliskan@81.214.150.105] has joined ##openvpn
12:50 -!- ikevin [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has joined ##openvpn
12:50 < ozirus> is it possible to limit an openvpn connection to a time period? i'm trying to integrate openvpn into a reservation system. people will book the remote 'lan' and vpn to it. vpn disconnects when time exceeds
12:52 -!- ozirus1 [n=caliskan@81.214.150.105] has joined ##openvpn
12:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:02 -!- ozirus7 [n=caliskan@81.214.150.105] has joined ##openvpn
13:04 -!- ozirus7 [n=caliskan@81.214.150.105] has left ##openvpn []
13:05 -!- ozirus7 [n=caliskan@81.214.150.105] has joined ##openvpn
13:10 -!- ozirus7 [n=caliskan@81.214.150.105] has quit []
13:13 * plaerzen just got a new server.
13:13 * plaerzen dances.
14:03 < ecrist> plaerzen: gratz
14:07 < plaerzen> ah, thanks.
14:12 < ecrist> what kind of server, and for what?
14:15 < plaerzen> hp DL380: 1(2)P quad core 2.66 ghz, 4(8)dimm 6 gb, 3x72G 15k sas raid 5, 4 gig-e ports - windows 2008 server and communigate groupware
14:16 < plaerzen> esx server with 1 initial guest vm (for win2k8 server)
14:16 < ecrist> sweet
14:17 < ecrist> ozirus1: yes, simply build an SSL certificate, which will expire at the time required, and write a script which checks for connected clients and reboots them at their expiry
14:18 < plaerzen> yeah, it's a cool little machine. downloading esx server right now.
14:23 < ecrist> we got a new server back in November for our backups. I love that box.
14:24 < ecrist> uber fast, lots of storage
14:34 < ecrist> plaerzen: you prefer HP to Dell?
14:34 < plaerzen> So far, it seems ok. All our other servers are dell and they seem meh.
14:34 < ecrist> meh?
14:34 < plaerzen> One of them even randomly pops a drive out of raid on reboot
14:35 < ecrist> weird
14:35 < plaerzen> They're OK. But we haven't run this hp server yet. The front panel is more informative, that's for sure.
14:35 < ecrist> I've got lots of Dell, love them. We explored HP for this last purchase, but their online pricing sucks, so I didn't bother.
14:35 < plaerzen> We just have a vendor we use.
14:36 < ecrist> ah
14:36 < plaerzen> I call them and say "Get us a quote on an HP DL380 with the following specs - blah blah - But use your judgement, if something has a better price point, get that instead"
14:36 < plaerzen> And we get decent deals.
14:53 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
15:36 -!- Toinou [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Quitte"]
15:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:45 -!- ozirus1 [n=caliskan@81.214.150.105] has quit []
16:45 -!- ozirus [n=caliskan@81.214.150.105] has quit []
16:52 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has left ##openvpn []
16:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
16:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
17:05 -!- SanityInAnarchy [n=Sanity@76-76-225-199.lisco.net] has joined ##openvpn
17:10 < SanityInAnarchy> It typically takes anywhere from 10 to 30 minutes to establish a connection. Usually hangs after "Initial packet from ", then retries after tls-timeout, until I get lucky and it works.
17:11 < SanityInAnarchy> What settings should I look at? I know this particular network is slow and unreliable, however, this is the norm, even over very fast connections.
17:13 < krzie> check out #2
17:13 < krzie> !mtutest
17:13 < vpnHelper> krzie: Error: "mtutest" is not a valid command.
17:13 < krzie> err
17:13 < krzie> !mtu
17:13 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
17:14 < SanityInAnarchy> MTU on which interface? I know the VPN itself is using 1500.
17:16 < SanityInAnarchy> I'm not on Windows.
17:16 < krzie> #2
17:16 < krzie> (#2)
17:16 < krzie> you can just use --mtu-test on the client as well
17:17 < SanityInAnarchy> If this is the issue, would the actual connection be slower?
17:18 < krzie> wanna argue or test it?
17:18 < krzie> seems like a waste of time to talk about it instead of trying it
17:18 < SanityInAnarchy> No, I want to understand it.
17:18 < krzie> well test it, then understand based on results of test
17:19 < krzie> im not saying it IS your problem
17:19 < krzie> im saying test it
17:19 < krzie> and since testing it requires 1 line addition to 1 config, i dont see why you wouldnt
17:20 < SanityInAnarchy> Probably worth testing anyway -- I just found something
17:20 < SanityInAnarchy> I'd set tls-timeout absurdly high.
17:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:25 < SanityInAnarchy> Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
17:26 < krzie> ok so thats good
17:26 < krzie> did the thing you found help you?
17:26 < krzie> if not,
17:26 < krzie> !configs
17:26 < SanityInAnarchy> Yes.
17:26 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:26 < krzie> oh ok cool
17:26 < SanityInAnarchy> I had tls-timeout 120
17:26 < SanityInAnarchy> I'm not really sure what I was thinking
17:27 < SanityInAnarchy> The MTU test looks useful, though. Is the idea that the tunnel MTU should be <= the actual MTU?
17:34 < krzie> its for settings internal to openvpn
17:35 < krzie> --mtu / --fragment stuff
17:35 < krzie> but with yours dont adjust that
17:35 < SanityInAnarchy> Ah.
17:35 < krzie> becomes useful over ppp / sat links and whatnot
17:35 < SanityInAnarchy> That's probably why I had this setting, actually -- I had borrowed a satellite connection
17:36 < krzie> i dont think the tls-timeout woulda helped much on the sat connection, mtu and frag woulda prolly been more useful
17:36 < krzie> but *think* is the main word there
17:38 < SanityInAnarchy> Well, I think the idea was that 2 seconds was nowhere near enough time to complete the tls auth
17:38 < SanityInAnarchy> Nor the default 60 seconds enough time for the handshake
17:38 < SanityInAnarchy> In both cases, it worked, more or less, once I had a connection
17:41 < krzie> well the important part is problem solved ;]
17:43 < SanityInAnarchy> Yep. Actually switched over to it already...
17:43 < SanityInAnarchy> I like to run a screen'd irssi on the server
17:48 -!- SanityInAnarchy [n=Sanity@76-76-225-199.lisco.net] has quit ["leaving"]
18:03 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
18:34 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has quit [Remote closed the connection]
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-, pa, dazo, ebf0, jpalmer, kaii
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: smk, dogmeat, Bushmills
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: intralanman, krzie, vpnHelper, cyberjames, Pagautas, tarbo2, ikevin, o[80, trifler
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, meshuga, lilalinux, deever, tomfmason, worch, thewolf, eliasp, kala, reiffert, (+4 more, use /NETSPLIT to show all of them)
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: MMN-o, justdave, disco-, disposable, Typone, lonel, krzee
18:50 -!- Netsplit over, joins: smk
18:50 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:50 -!- Netsplit over, joins: troy-, MMN-o, krzee, disco-
18:51 -!- Netsplit over, joins: dazo, ebf0, pa
18:51 -!- Netsplit over, joins: kaii, reiffert
18:51 -!- Netsplit over, joins: intralanman, vpnHelper, ikevin, Bushmills, fbond, o[80, tomfmason, eliasp, cyberjames, tarbo2 (+10 more)
18:51 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
18:51 -!- Netsplit over, joins: lilalinux, kala
18:51 -!- Netsplit over, joins: disposable
18:53 < reiffert> Wow, I was on ##openvpn when not being identified to the nickservice...
18:55 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
18:59 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
18:59 < Bushmills> 'morning reiffert
19:00 < reiffert> hello Bushmills !
19:05 < ecrist> good evening, bitches
19:06 -!- Typone [n=nnitsme@195.197.184.87] has joined ##openvpn
19:20 < dvl> openvpn++
19:24 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
19:24 < test> is there a way to have a different cipher for clients?
19:24 < test> client1 has blowfish, client2 is cipher none?
19:36 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
19:39 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit [Client Quit]
19:39 < dvl> test: well, where is cipher chosen?
19:42 < krzee> i dont think its possible
19:43 < krzee> but --client-config-dir shows that --config can be used in a ccd entry
19:43 < krzee> so thats your only chance, to have a separate config to include for diff clients, not use --cipher in server.conf, and use --cipher in the --config file thats in the ccd entry
19:44 < krzee> never tried it, if you make it work report that back
19:46 < test> cipher doesn't work in the client directive
19:46 < test> bummer
19:49 < dvl> ouch
19:51 < lonel> hi
19:59 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
20:15 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has quit []
20:41 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
20:47 -!- NBrepresent [n=perry@bas1-toronto09-1279621145.dsl.bell.ca] has joined ##openvpn
20:48 < NBrepresent> hey, how can i tell whether a connection from the openvpn cli client to the server is successful? I'm trying to ping boxes on my work network but not getting anything. The status messages after I ran the command to connect all sounded pretty positive... "Initialization Sequence Completed" etc.
20:49 < dvl> NBrepresent: follow the logs
20:50 < NBrepresent> where is the logs dir?
i looked in /etc/openvpn
20:51 < dvl> on decent systems, /var/log
20:52 < NBrepresent> no openvpn log in /var/log
20:57 < krzee> i didnt say in the ccd file
20:57 < krzee> i said in the included --config that you put in the ccd entry
20:58 < krzee> but prolly same deal
20:59 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn []
21:03 < NBrepresent> It looks like this is the problem: http://paste2.org/p/133706 . Permissions?
21:29 -!- phobik [n=phobik@cpe-76-186-113-30.tx.res.rr.com] has joined ##openvpn
21:30 < phobik> i'm having trouble on my openvpn 2.0 setup: when connecting as a client from windows my route works fine, but when using linux or mac my servers do not know how to route back to my client machine
21:43 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
21:49 -!- NBrepresent [n=perry@bas1-toronto09-1279621145.dsl.bell.ca] has left ##openvpn []
23:14 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:31 -!- thewolf is now known as ehtwolf
23:31 -!- ehtwolf is now known as thewolf
23:58 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
23:59 < mRCUTEO> hiya ecrist
--- Day changed Thu Jan 22 2009
00:05 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
00:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:01 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
01:17 -!- nsar [n=nsar@121.1.18.241] has joined ##openvpn
01:18 < nsar> hello
01:18 < nsar> what do you mean "We prefer to help those who help themselves"?
01:18 < nsar> to help myself?
01:24 < krzee> like when someone says "hey read this"
01:25 < krzee> then 2 minutes later you ask another question that was clearly explained in the link you were given
01:25 < krzee> thats a good example of not helping yourself
01:26 < nsar> ok
01:27 < nsar> what i want to ask is that the provider has completely closed access to my machine as a server. if i put for example an ftp server, nobody will be able to reach it. so the solution is to connect as a client to an openvpn server?
01:29 -!- luck00 [n=luck00@86.122.10.202] has joined ##openvpn
01:30 < krzee> if you can reach the openvpn server, you can default route over the vpn server to reach anything the vpn server can
01:30 < krzee> but the vpn server will need to NAT the internal vpn ips to its external ip
01:30 < krzee> using iptables or whatever your OS uses
01:33 < luck00> hi all
01:33 < luck00> i have a little problem
01:33 < luck00> i try to make a vpn tunnel site to site over two routers
01:34 < luck00> on one router i have vpn IPs 10.8.0.1 10.8.0.2 and on the other one 10.8.0.6 10.8.0.5
01:34 < luck00> is that ok?
01:35 < luck00> or i need 10.8.0.1 10.8.0.2 and on the other one 10.8.0.2 10.8.0.1
01:35 < luck00> i can ping computers behind server but cannot ping computers behind client
01:38 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:41 -!- o[80 is now known as oc80z
01:43 < nsar> luck00 did you set up the route correctly?
01:44 < luck00> i have ping over peer to peer connection on both ways
01:44 < luck00> so the tunnel it is ok
01:44 < nsar> me i had this problem and somehow i solved it with routing software
01:44 < luck00> i think the problem it is on the server
01:45 < luck00> the packets are not routed right
01:45 < nsar> pass a route thru a point-to-point connection /32 mask?
01:46 < nsar> linux is the os?
01:47 < nsar> sorry on the clients what is the os?
01:49 < krzee> [03:39] or i need 10.8.0.1 10.8.0.2 and on the other one 10.8.0.2 10.8.0.1
01:49 < krzee> correct
01:49 < krzee> [03:39] i can ping computers behind server but cannot ping computers behind client
01:49 < krzee> either ipforwarding or firewall
01:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:50 < luck00> linux on both sides
02:08 < reiffert> Moin
02:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:23 -!- nsar [n=nsar@121.1.18.241] has left ##openvpn []
02:45 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:45 < lolipop> !route
02:45 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:46 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
02:46 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < ykut_johny> hi
02:50 < ykut_johny> having a problem establishing a connection in this scenario: pcA(10.0.9.1)->openvpn-clientA(10.99.99.10) --->openvpn-server(10.99.99.1)---pcB(10.0.7.5). pcA can ping pcB, but pcB can't ping pcA.
02:52 < lolipop> !route
02:52 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:00 < ykut_johny> lolipop: indeed i read it before..
03:01 < lolipop> lol.....i just want to get the url.... sorry
03:01 < ykut_johny> lolipop: i have configured my ccd/myclient1 (on openvpn server) to have iroute ..
03:01 < ykut_johny> lolipop: no worries man..:)
03:02 < lolipop> u ping by using eth0 ip or tap or tun ip?
03:02 < ykut_johny> lolipop: it used to work this morning, and i just changed the server vpn to client-vpn by just copying the whole config from server vpn..and somehow, it's not working..:(...
03:03 < lolipop> check firewall?
03:03 < lolipop> maybe ur firewall is blocking ur ICMP request
03:03 < ykut_johny> lolipop: i did check firewall..and on pf i pass in/out all for tun0..and nothing about block rules
03:04 < lolipop> now ur openvpn-server cant ping openvpn client?
03:04 < lolipop> but they r connected?
03:05 < ykut_johny> lolipop: if from pcA i can ping to pcB..so firewall is not blocking any icmp...:)
03:05 < ykut_johny> lolipop: seems like openvpn server didn't know how to forward the traffic back
03:05 < lolipop> when pcB ping on pcA, firewall on pcA might block :P
03:05 < lolipop> oh
03:06 < lolipop> u r trying to ping the lan behind openvpn server?
03:06 < ykut_johny> lolipop: yupe...openvpn-server can't ping openvpn client..
03:06 < ykut_johny> lolipop: from openvpn client to openvpn server it just works
03:06 < ykut_johny> lolipop: i'm suspecting something to do with routing table on openvpn's server..but didnt have any clues..
03:07 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: kaii
03:07 < ykut_johny> lolipop: from client behind openvpn client, i managed to ping client behind openvpn server...
03:07 -!- Netsplit over, joins: kaii
03:08 < lolipop> oh, i'm not pro in openvpn, but maybe u can show me your config
03:10 < ykut_johny> lolipop: but, from openvpn server i just can't ping client behind openvpn client
03:10 < ykut_johny> lolipop: which config do you want?..server eh..?
03:20 < dazo> ykut_johny: you most probably need to have a look at the "iroute" statement .... please read this link _carefully_
03:20 < dazo> !route
03:20 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:21 < dazo> ykut_johny: you will find more info about iroute here ... and in the man pages of openvpn
03:21 < ykut_johny> dazo: indeed...the iroute was configured correctly..
03:21 < ykut_johny> dazo: i was reading it before...:)..and thanks for the pointer.:)
03:22 < dazo> ykut_johny: what kind of OS is on the client? Firewall allows traffic in that direction?
03:22 < ykut_johny> openbsd 3.9 for openvpn server and openbsd 4.2 for openvpn client
03:22 < ykut_johny> and firewall is PF for both ends
03:23 < dazo> ykut_johny: okey ... I'm not familiar with *bsd ... but I believe ecrist and krzee know much more about that platform
03:23 * dazo is Linux user
03:24 < ykut_johny> dazo: :)..kewl
03:24 < dazo> ykut_johny: just a few checks .... can you ping the VPN interface on the client from your server? And if yes, can you ping the eth interface on the client from the server?
03:25 < ykut_johny> dazo: i can see traffic is coming from siteA to siteB on openvpn server machine..but i notice that openvpn server didn't know how to forward the packet to siteB
03:26 < dazo> ykut_johny: sounds like you're also missing a route on the server side then .... do you have a "normal" route defining the clients network on your VPN server?
03:27 < ykut_johny> dazo: yes..since from siteA to openvpn server i got reply from openvpn server
03:28 < dazo> ykut_johny: I'm suggesting this the other way around .... that you are on the server .... and try to ping the client ... to see if the packages get lost or come back
03:29 < dazo> ykut_johny: have you tried tcpdump on the client (siteB, afaiu) ... to see if the ping traffic goes back to the VPN tunnel?
03:29 < dazo> tcpdump -n -i
03:33 < ykut_johny> dazo: nothing..
03:33 < dazo> ykut_johny: you did not see any traffic whatsoever on the client when pinging it from the server?
03:34 < ykut_johny> dazo: seems like openvpn server didn't know how to forward the traffic...
03:34 < dazo> ykut_johny: check the routing table on the server .... I'm sure it's just a minor mistake in the routing on the server side
03:34 < ykut_johny> dazo: but if i ping the ip addresses given by vpn network , it reached to the client
03:35 < dazo> ykut_johny: that means that the server knows the route for the VPN tunnel .... but not the clients network behind the VPN tunnel
03:35 < ykut_johny> dazo: seems like it...
03:37 < dazo> ykut_johny: I'm pretty sure it's in either the routing or firewall rules on the server ... that's usually the biggest bummers which are easy to commit ... if struggling, please pastebin your configs and routing table .... it'll be easier to look at it then
03:38 < ykut_johny> dazo: indeed..i'm thinking maybe some routing or my dumbass skill on firewalling is the issue..:)
03:39 < dazo> ykut_johny: is it an option for you to take down/turn off/open up completely the firewalling for a few minutes and try the ping test again?
03:40 < dazo> just to get indication if it is firewall and/or routing issue
03:40 < ykut_johny> dazo: yeah..will try to..:).but prefer not to for now..:)
03:40 < dazo> np! :)
03:41 < lolipop> last time my case was cant ping from lan behind client to lan behind server, but i used NAT masquerade to solve it
03:41 < lolipop> kakaka
03:42 -!- luck00 [n=luck00@86.122.10.202] has quit ["Leaving"]
03:43 < ykut_johny> lolipop: hehe..:D..
04:00 -!- ikevin_ [n=kevin@ANancy-256-1-121-180.w90-33.abo.wanadoo.fr] has joined ##openvpn
04:06 -!- ikevin [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has quit [Read error: 145 (Connection timed out)]
04:09 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
04:36 < ykut_johny> MULTI: bad source address from client [10.0.11.102], packet dropped ...other than a problem with iroute, what are the other possibilities that can cause this problem..?
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:51 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
04:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:08 -!- _markh_ [n=chatzill@fentech.gotadsl.co.uk] has joined ##openvpn
05:11 < _markh_> I'm setting up a VPN server. How can I get the server to allow some 'clients' to connect using certificates only and others to require certificates AND a user password. I know how to do both but not how to specify for each client. I've tried placing the line
05:11 < _markh_> plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
05:11 < _markh_> in /etc/ccd/openvpn/mark (where 'mark' is the name of the user's pv) but it seems to be ignored...
05:13 < dazo> _markh_: I don't think this is possible ... you'll need to have two different openvpn processes running with a different config file and ports
05:15 < _markh_> dazo: I'd already figured that was a solution, but it adds complexity because of ip addresses/routes etc.
05:17 < dazo> _markh_: yeah, I know ... but I haven't seen anything in the config docs that it is possible to have different authentication schemes for user connections
05:17 < dazo> :(
05:19 < _markh_> Shame because I have a couple of servers that need to connect, plus a bunch of users. The users will auth using one time passwords but the servers can't ... :(
05:19 < _markh_> Oh well...
05:41 -!- NK` [i=niko@minithins.net] has left ##openvpn []
05:59 < krzee> [05:38] dazo: but if i ping the ip addresses given by vpn network , it reached to the client
05:59 < krzee> just realized
05:59 < krzee> thats right
05:59 < krzee> actually wait, i may be wrong
05:59 < krzee> was thinking it could have to do with it being ptp
05:59 < krzee> but im not sure
05:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
06:02 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:02 < joelsolanki> Hi all.
06:03 < joelsolanki> i have setup vpn on windows xp. and enabled the ipenablerouter to 1 with regedit in winxp
06:04 < joelsolanki> but i am not able to access the lan.
06:04 < joelsolanki> any hints plz ?
06:04 < joelsolanki> this configuration was working but the change is of just the vpn server hardware thats it.
06:05 < joelsolanki> problem is xp is not forwarding it.
06:11 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
06:13 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
06:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:32 < dazo> krzie: yeah, the whole ptp thing confuses me ... because his end-points on both sides had completely different IP addresses (.1/.2 on server and .9/.10 on client) ... and server could ping client end point and vice versa ...
06:53 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:53 < joelsolanki> !route
06:53 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:04 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:06 < joelsolanki> !configs
07:06 < vpnHelper> joelsolanki: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:06 < joelsolanki> Hi all. i have below config
07:07 < joelsolanki> winxp-vpnclient --> openvpn-server ---> lan
07:07 < joelsolanki> i want to have winxp communicate with my lan.
07:08 < joelsolanki> so winxp(10.8.0.6) -> openvpn-server(10.8.0.1) --> lan ip range is 192.168.0.0/24
07:08 < joelsolanki> i read the http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
07:08 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
07:08 < joelsolanki> so i just need to add this line to openvpn server.conf push "route 192.168.1.0 255.255.255.0"
07:09 < joelsolanki> sorry " route 192.168.0.0 255.255.255.0 "
07:09 < joelsolanki> is this correct ?
07:09 < joelsolanki> that should do the trick ?
07:10 -!- Gray9Mar_ [i=surf___@gateway/tor/session] has joined ##openvpn
07:13 < joelsolanki> anybody please?
07:14 < ecrist> good morning, bitches
07:15 < Gray9Mar_> hi. i have lots of "ERROR: Random number generator cannot obtain entropy for PRNG" lines in my openvpn log. openvpn seems to work anyways. but shows no log lines except the prng error. does anyone have an idea whats wrong here?
07:15 < ecrist> joelsolanki: yes, that's correct.
07:15 < ecrist> ***BUT, you're probably going to run in to problems, if the LAN where the winxp system is uses the same IP range as the remote VPN LAN
07:16 < joelsolanki> ok cool. let me test it then :)
07:16 < ecrist> Gray9Mar_: what does google say about the error?
07:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
07:18 < Gray9Mar_> 4 links to crypto.c from openvpn source
07:18 < Gray9Mar_> which i dont understand
07:18 < ecrist> what version are you running?
07:19 < Gray9Mar_> OpenVPN 2.0.7 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 11 2008
07:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:19 < ecrist> ok, run something more current, first. 2.0.9 is out for 2.0, and 2.1 is up to RC15
07:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Client Quit]
07:22 < Gray9Mar_> k, will try that right now
07:22 < Gray9Mar_> btw i wonder why 2.0.7 is gentoo default
07:23 < ecrist> no idea
07:46 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:05 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
08:45 < dazo> Gray9Mar_: I'm running 2.1_rc15 without any problems on Gentoo
08:45 < dazo> that is - rc15 in production
08:46 < dazo> Gray9Mar_: I don't think Gentoo maintainers give openvpn too much love and care ..... or they are just too picky about getting things QAed first
08:47 * dazo might be able to dig up a openvpn-2.1_rc15 ebuild file .... if Gray9Mar_ is interested
08:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:08 < _markh_> I have two openvpn servers running on a host - one implementing 10.8.0.0/24 and the other 10.9.0.0/24 . How do I allow systems authenticated to 10.8.0.0 to communicate with systems authenticated to 10.9.0.0/24 ?
09:13 < MMN-o> I'd probably use "push route 10.8.0.0/24" (in server config) to the 10.9 net, and vice versa
09:13 < MMN-o> I'd also check:
09:13 < MMN-o> !route
09:13 < vpnHelper> MMN-o: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:14 < MMN-o> which cleared stuff up for me at least.
09:14 < ecrist> _markh_: you need to push the routing.
09:15 < MMN-o> _markh_: Syntax error on my push line, look up the quoting.
09:26 -!- patrik [n=patrik@cust-IP-10.data.tre.se] has joined ##openvpn
09:27 < patrik> Hi, I'm having some trouble with my tun tunnel. client can ping server, server can ping client, but client cant ping computers on the servers subnet. ip_forward is set to 1.
09:28 < patrik> the subnet lan computers receive data from the vpn client but when they try to respond they get unreachable host.
09:30 < ecrist> !route
09:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:30 < ecrist> read that, patrik
09:30 < ecrist> your lan is missing the route to your vpn subnet
09:30 < patrik> ok, thanks
09:41 < patrik> ecrist: I have the client on the same subnet as the servers subnet, is this a bad thing? Since I only want to have one vpn client I didn't wanna make a complete subnet for it.
09:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
09:47 < ecrist> patrik: yes, it's bad
09:48 < patrik> ecrist: ok I'll put it on a separate subnet then
09:52 -!- phobik [n=phobik@cpe-76-186-113-30.tx.res.rr.com] has quit ["Leaving"]
09:58 < plaerzen> morning irc
10:11 < ecrist> heya plaerzen
10:20 < plaerzen> ecrist, So. Tell me a story?
10:20 < ecrist> o.O
10:22 < plaerzen> ok, fine.
10:48 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
10:55 -!- mk101mx [n=mgarciav@148.233.37.38] has joined ##openvpn
10:56 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:10 < patrik> ecrist: Cool, I got it working, thanks!
11:11 < ecrist> no problem
11:11 -!- patrik [n=patrik@cust-IP-10.data.tre.se] has quit ["Ex-Chat"]
11:40 < _markh_> still struggling with the routing for 2 openvpn servers on my host implementing 10.1.0.0/24 and 10.2.0.0/24. I've pushed 10.1.0.0/24 onto the client that connects to 10.2.0.0/24 and vice-versa. the routing tables on the clients look good - http://pastebin.com/d5cfb0436. And the routing table on the server looks OK too - http://pastebin.com/m4309f153
11:40 < _markh_> Do I need to tell the server to link the two (I have client-to-client set). !route isn't quite discussing my scenario I think so I don't think I need iroutes ???
11:41 < dazo> _markh_: is the network on your server side accessing the network behind your openvpn client?
11:43 < _markh_> dazo: No
11:43 < _markh_> Just the openvpn client itself
11:43 < dazo> _markh_: then you are right, iroute is not needed .... and the client should be able to see both ways
11:44 < dazo> _markh_: are you using ptp (tun interface) or tap devices?
11:44 < _markh_> dazo: tun
11:45 * dazo wonders why everyone using tun ends up with routing issues .... ;-)
11:46 < dazo> _markh_: I'm not so strong at tun, unfortunately .... most of the networks I've setup have used tap ... but of course you'll need to choose what's right for you
11:46 * dazo needs to setup a test network with tun to get more experience here
11:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:47 < _markh_> dazo: but tap isn't so good for WANs I think as there's more traffic?
11:48 < _markh_> Summarizing I have A (10.1.0.6) <-> (10.1.0.1) OVPN (10.2.0.1) <-> B(10.2.0.6)
11:48 < _markh_> And I need A to talk to B
11:48 < dazo> _markh_: maybe ... I'm using it over GPRS without any big problems .... but true, I haven't tried tun yet
11:50 < _markh_> dazo: I'll enable some debugging and see what I can learn...
11:50 < dazo> _markh_: good luck :)
11:51 * dazo needs to go home and get some dinner
11:52 -!- rubydiam_ [n=rubydiam@123.236.183.184] has joined ##openvpn
11:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
11:53 -!- rubydiam_ is now known as rubydiamond
12:05 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn
12:06 < lclimber> hello guys, is there an existing stable project installing an openvpn client on a pda?
12:11 < lclimber> sorry, let me rephrase, is there an existing stable project for installing an openvpn client on a pda?
12:24 < _markh_> dazo: Needed the following
12:24 < _markh_> # echo 1 > /proc/sys/net/ipv4/ip_forward
12:24 < _markh_> # iptables -A FORWARD -i tun+ -j ACCEPT
12:24 < _markh_> # iptables -A INPUT -i tun+ -j ACCEPT
12:24 < _markh_> All in the HOWTO ... ;)
12:27 -!- rodpod [i=rod@hick.org] has joined ##openvpn
12:37 -!- rodpod [i=rod@hick.org] has quit [Success]
12:39 < reiffert> lclimber: to help you rephrase: Did anyone port openvpn for PDA which has the following Processor architecture:
12:39 < reiffert> lclimber: you may want to ask that on the mailinglists.
12:40 < lclimber> well thanx reiffert, i am looking on the mail archives
12:40 < reiffert> Looking is ok .. asking is better :)
12:43 < lclimber> you are right, i found some posts of people with the solution, thanx for your advice
12:58 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit [Remote closed the connection]
13:28 -!- joelsolanki [i=joelsola@123.237.172.68] has joined ##openvpn
13:28 < joelsolanki> Hi friends
13:29 < ecrist> howdy
13:29 < joelsolanki> i have a working vpn server
13:29 < joelsolanki> :)
13:29 < ecrist> congrats
13:29 < joelsolanki> there are 2 clients connected to it.
13:29 < joelsolanki> i can ping client1(10.8.0.6) and client2(10.8.0.10) from vpn server
13:30 < joelsolanki> but client1 cant ping client2 and vice versa
13:30 < ecrist> in the server, add client-to-client
13:30 < joelsolanki> hmm. let me do that
13:36 < joelsolanki> that worked :)
13:36 < joelsolanki> thanks ecrist
13:36 < joelsolanki> thanks
13:37 -!- joelsolanki [i=joelsola@123.237.172.68] has quit []
13:42 -!- mk101mx [n=mgarciav@148.233.37.38] has left ##openvpn []
13:54 -!- rubydiamond [n=rubydiam@123.236.183.184] has quit [Read error: 104 (Connection reset by peer)]
13:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:05 -!- int [n=quassel@wikia/int] has joined ##openvpn
14:09 -!- aar0n is now known as aar0n_
14:09 -!- aar0n_ is now known as aar0n_sleeping
14:32 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:54 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
15:54 < bigjohnto> how does openvpn know to give the same ip address to a specific user each time they log in? ipp.txt has different ip's for that user so i know its not ipp.txt
15:56 < bigjohnto> even though i have ipconfig-per on and shows file as ipp.txt
16:00 < ecrist> bigjohnto: ipp.txt, or client configs
16:01 < bigjohnto> nothing in the client side configs
16:01 < bigjohnto> and ipp.txt has a completely different ip than what i am getting
16:01 < ecrist> why does it matter?
16:01 < bigjohnto> ecrist just curious really, how it shows one thing in ipp.txt but gives something different
16:01 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn
16:01 < ecrist> I'm guessing you have two clients connected with the same certificate
16:02 < bigjohnto> nope, each client has their own cert
16:02 < bigjohnto> and i for sure am using my own cert
16:02 < bigjohnto> my ip .15 ipp.txt shows .8
16:02 < bigjohnto> weird :)
16:05 < grendal_prime> I have an openvpn server setup works great..but i need for one box to connect with a static ip address. I was told that i can setup the client to just use a specific address when it connects...i cant find an example of a static ip client config though?
16:05 < ecrist> grendal_prime: there are lots of examples out there.
16:06 < ecrist> try the openvpn howto
16:06 < ecrist> !howto
16:06 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:06 < grendal_prime> im looking at it now..
16:06 < ecrist> trust me, it's there.
16:06 * bigjohnto sees ipp.txt was last accessed with last vpn'd user but still wonders why ip's are wrong....
16:07 * ecrist goes out to shovel his driveway.
16:09 < grendal_prime> i still cant find anything
16:10 < ecrist> if I find it, can I ask a chan op to ban you?
16:12 < grendal_prime> ?
16:12 < grendal_prime> wtf
16:12 < grendal_prime> ?
16:12 < ecrist> ?
16:12 < grendal_prime> sure ask one...i mean i would hope they wouldnt do it..
16:12 < grendal_prime> now im afraid to ask anything.
16:13 < bigjohnto> ifconfig-push 10.8.2.1 10.8.2.2
16:13 < bigjohnto> i think
16:13 < ecrist> what you want is at http://openvpn.net/howto.html#policy
16:13 < grendal_prime> by the way ive looked for some time before i came here...
16:13 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:13 < bigjohnto> change to what you want
16:13 < grendal_prime> thats to push one from the server..
16:13 < bigjohnto> ah
16:13 < ecrist> grendal_prime: it's a bad idea to statically assign yourself an IP from the client side.
16:14 < ecrist> 1) your math will be off and you'll clobber the tunnel server endpoint, or similar
16:14 < ecrist> 2) the OpenVPN server may clobber you while assigning an IP to another client
16:15 < grendal_prime> hmm so i do need to push it from the server then.
16:15 * ecrist really goes and really shovels his driveway now.
16:15 < bigjohnto> or ipp.txt for that users cert
16:15 < bigjohnto> ecrist shouldn't that work?
16:16 < grendal_prime> well that was my other question can i just reserve an ip for a certain cert?
16:16 < bigjohnto> in ipp.txt
16:16 < bigjohnto> certname,ip
16:16 < bigjohnto> its "supposed" to work, but isn't for me anyways
16:17 < grendal_prime> well...thats for a disconnect...and reconnect i think...
16:17 < bigjohnto> grendal yea, but it still is completely wrong :)
16:18 < bigjohnto> for me that is
16:18 < grendal_prime> i mean...it seems to me that it does get the same ipaddress assigned..but my thinking is that is not written in stone, and i dont want there to be a problem
16:18 < grendal_prime> I just wish there was a reservation file somewhere.
16:22 < bigjohnto> & my ipp.txt for some reason has multiple ip's for the same cert "user"
16:22 < bigjohnto> how dumb
16:29 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
16:32 < grendal_prime> thats ok i just looked in mine...there is nothing listed in it
16:33 < grendal_prime> what does it normally look like...syntax wise... certname=10.8.0.5 something like that?
16:33 < ecrist> grendal_prime: I pointed you to the link in the howto
16:33 < grendal_prime> yes ecrist thank you
16:33 < ecrist> the reservation is with the client config
16:34 < bigjohnto> certname,10.8.0.5
16:34 < bigjohnto> ecrist, if i have bob,10.8.0.5 and on the next line bob,10.8.0.10 .... what would cause that?
16:35 < bigjohnto> openvpn service maintains the ipp.txt file
16:36 < ecrist> bigjohnto: see http://openvpn.net/howto.html#policy - the IPs you're assigning in ipp.txt don't line up with proper /30 subnets
16:36 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:36 < grendal_prime> i just thought it was odd that the ipp.txt file on my server...has nothing in it..and im pretty sure the server.conf specifies that it is to keep track of that info.. and yes im quite certain that there are clients connected
16:37 < grendal_prime> ecrist...there is no ccd dir on my openvpn installation, I can create that and point the server to that correct?
16:37 < ecrist> yes
16:38 < grendal_prime> and then i just create the files within there just the same way it is illustrated there..i dont have to worry about setting up iptables rules in my case..not that i can see anyway.
16:38 < grendal_prime> ill test it in the vm test enviro first..
16:49 -!- Plouj [n=Plouj@red.cs.yorku.ca] has joined ##openvpn
16:49 < Plouj> hi
16:50 < Plouj> can you guys recommend to me any easy to use and maintain Free/OpenSource Software storage+vpn complete "solutions"? I'm looking for something like opennas or freenas but with vpn manageability built in.
17:00 < grendal_prime> ya i keep getting assigned something else
17:00 < grendal_prime> following the #policy
17:01 < grendal_prime> well actually im following the config in the test server enviro that i have. It actually had some comments that explained how to do this (the production server didnt)
17:02 -!- Hyphenex [n=scott@203.219.38.207] has joined ##openvpn
17:02 < grendal_prime> but they match up with the howto.html file.. but i still cant get it to assign a specific ip address. Im using the common name of the client. I tried the cert name as well and got nothing with it.
17:02 < Hyphenex> Hey, is there a way to set up 'quota' limits for users?
17:02 < ecrist> for bandwidth?
17:06 < Hyphenex> yeah
17:06 < Hyphenex> say, if we were to create a VPN on a uni network for peeps on campus to join
17:06 < Hyphenex> but we don't want them stealing all our downloads
17:06 < Hyphenex> so we set up a 'quota'
17:06 < reiffert> Hyphenex: the manpage knows it all.
17:07 < reiffert> Hyphenex: for openvpn-2.1
17:09 < Hyphenex> reiffert: is that speed or amount limit?
17:11 < reiffert> Hyphenex: the very first 4 words explain it.
17:12 < Hyphenex> reiffert: I'm lost, where exactly am I looking?
17:13 < reiffert> Hyphenex: at a computer monitor, maybe a LCD.
17:13 < reiffert> !man
17:13 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:16 < Hyphenex> reiffert: yeah, I mean whereabouts in the manual
17:17 < dvl> Hyphenex: look for shaper
17:17 < reiffert> DOH!
17:17 < dvl> Hyphenex: FWIW, I searched for bandwidth
17:17 < reiffert> dvl: I was about to teach him that easy step, now you told him for nothing.
17:17 < dvl> reiffert: if you want to teach, you have to give hints.
17:18 < dvl> My hint was what to search for: bandwidth. Yeah, I know I gave him the keyword.
17:18 < reiffert> dvl: he already knows for what he is searching, namely: bandwidth.
17:18 < Hyphenex> Shaper is kind of what I want, but not exactly, I mean, in Australia we buy 20GB of data, we want to split that up between users
17:19 < dvl> Hyphenex: well, perhaps you need to do this outside of OpenVPN
17:19 < Plouj> is there any package/application/whatever that can simplify my OpenVPN setup/maintenance if I'm only planning to have 1 or 2 clients?
17:19 < reiffert> Hyphenex: the status log also records the amount of bytes transferred on a per user basis.
17:19 < Hyphenex> oahh, have the OS do it? any hints dvl?
17:19 < Hyphenex> reiffert: I think there is a webmin module
17:20 < dvl> Plouj: I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php
17:20 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
17:20 < Plouj> I'm on a tight budget, so paying a professional would probably cost more than buying some proprietary user-friendly solution.
17:20 < reiffert> Hyphenex: you can easily read that file on a regular basis and calculate if a particular user is allowed to transfer another byte.
17:20 < Plouj> dvl: the thing is I don't know much about iptables, nor about the details of tunneling/routing.
17:20 < dvl> Hyphenex: I am not a mind reader, I have no idea what OS you are using. :) But if you were using a real OS, it would have some kind of traffic shaper in it. I would use pf. Not available outside BSD
17:21 < dvl> Plouj: I know nothing about iptables either. That's some kind of linux-specific thing isn't it? ;)
17:21 < Hyphenex> dvl: Thanks, I'll look up installing pf on openBSD... or would netBSD be better?
17:21 < Plouj> dvl: yeah, I guess it is.
17:22 < dvl> Plouj: the URL I gave you has nothing to do with iptables, I promise. :)
17:22 < dvl> Hyphenex: FreeBSD would be my recommendation.
17:22 < Plouj> humm
17:25 < grendal_prime> ok got it working
17:26 < grendal_prime> sooo now that it is pushing that ip address for that cert, it will not assign another box that ip address correct?
17:26 < grendal_prime> ecrist: that question was for you
17:50 < Plouj> the ssh -w option is only for tunnelling (in other words Windows shared folders won't be accessible over such a VPN), right?
17:50 < Plouj> can OpenVPN easily be setup to allow clients to connect only through ssh?
17:54 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has joined ##openvpn
17:55 < Jason404> are there any issues with running OpenVPN in a virtual machine on the LAN?
17:55 < Jason404> is it ok to use a VM?
17:55 < Jason404> any possible problems with doing that?
18:00 < dvl> Jason404: tried it?
18:00 < Jason404> no, not yet
18:00 < Jason404> i just want to know if it is worth doing it first
18:01 < Jason404> and I might not be able to see any possible issues until it is too late if there were any
18:05 < Jason404> like there could be an issue with routing, I imagine, with the host
18:07 < dvl> Dunno, no idea.
18:08 < Jason404> I suppose I'll have to just try it
18:08 < Jason404> I have not used OpenVPN before.
18:09 < dvl> Everyone's a virgin at one time.
18:11 < Jason404> how long did it take you to get to grips with it? is it hard to configure?
18:11 < dvl> I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php
18:11 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
18:11 < dvl> That should get you going easily. but we'll see.
18:11 < Jason404> cheers dvl
18:12 < Jason404> what's that link about vpnHelper?
18:12 < Jason404> is vpnHelper a bot?
18:12 < dvl> yes
18:12 < Jason404> ok
18:13 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
18:15 < Plouj> I wish there was a bot which would setup openvpn for me
18:15 < dvl> It's called a consultant
18:15 < dvl> They cost
18:15 < Plouj> yeah
18:16 < Plouj> too bad they would probably cost more than some windows based vpn thingy
18:16 < Plouj> and since I'm setting up VPN for a friend, he would probably choose the windows based solution because of price
18:16 < Plouj> and because he'd be able to configure it (at least to some extent)
18:19 < Jason404> maybe he should try Hamachi. you cant get much simpler than that
18:20 < Plouj> yeah, that's an option
18:23 < Plouj> dvl: I guess iptables was a wrong example in my earlier statement.
18:24 < Plouj> dvl: I meant that I don't really have time to figure out all of the deep details of tunneling/bridging. This seems like it has some useful diagrams: http://openmaniak.com/openvpn.php , but how useful would they be when something goes wrong?
18:24 < reiffert> Plouj: how much time you got? 18:25 < dvl> Plouj: I just handed you a step-by-step set of instructions. :) 18:25 < dvl> Plouj: are you saying you're a pillock? ;) 18:25 < Plouj> dvl: I know. Thank you. I'll read it when it comes time to try openvpn. 18:25 < dvl> Plouj: I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php 18:25 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org) 18:25 < dvl> Plouj: OK, then stop yer whining. :) 18:25 < Plouj> reiffert: Lets say one week not counting occasional monthly checkups that I would have to do (I guess). 18:26 < reiffert> Plouj: just follow the official openvpn howto then. 18:26 < Jason404> pillock. you in the UK as well? 18:26 < reiffert> It's a matter of 2-3 hours. 18:26 < Plouj> heh 18:26 < dvl> Jason404: No, I am merely multi-vocabulary. 18:26 < Jason404> ic 18:26 < dvl> reiffert: No, not the how-to. Way TMI. 18:27 < reiffert> dvl: I'm sure as hell. 18:27 < Plouj> reiffert: maybe for someone who does IT for a living. 18:27 < Jason404> yeah, the official webiste has made it seem pretty daunting to me, and I'm a hardcore power user 18:27 < Jason404> ;P 18:27 < reiffert> Plouj: I guess you didnt read further than the caption? 18:28 < Plouj> I recall trying to setup openvpn for myself 2 years ago. Although I spent more than 3 hours, I couldn't figure out what I was doing wrong so it didn't work. 18:28 < dvl> Jason404: ditto. Been writing docs for 11 years... lots of info in there. 18:28 < Plouj> I just read this: "This HOWTO assumes that readers possess a prior understanding of basic networking concepts such as IP addresses, DNS names, netmasks, subnets, IP routing, routers, network interfaces, LANs, gateways, and firewall rules." 18:29 < dvl> What new people need is a simple step by step practical example to get them going. Lower the barrier to entry. Keep It Simpl. 
18:29 < dvl> +e
18:29 < Plouj> IP routing, and firewall rules I wouldn't know without reading tutorials
18:29 < dvl> While the HOWTO contains many great pieces of information, it is far TMI for an OpenVPN novice.
18:29 < Plouj> dvl: not really, I think the problem (don't take this as a criticism) is that there is a lot of choice (eg bridging/tunneling).
18:30 < dvl> Once you get up and running with a simple setup, then you can move to other stuff.
18:30 < dvl> Plouj: that is what I mean.
18:30 < Plouj> dvl: if all I had to do was enter a password and choose a subnet address, that would be easy.
18:30 < Plouj> plus, you would know that if something's broken it's because the software is malfunctioning
18:30 < Plouj> or the VPN setup that it provides isn't suitable for your usage
18:31 < Plouj> that's how I imagine it
18:31 < Plouj> (when I compare OpenVPN to hamachi)
18:33 < Plouj> makes sense?
18:35 < Plouj> I found this: http://en.wikipedia.org/wiki/Socialvpn
18:35 < vpnHelper> Title: Socialvpn - Wikipedia, the free encyclopedia (at en.wikipedia.org)
18:35 < Plouj> which is sort of what I'm looking for in terms of easy setup
18:35 < Plouj> but not tied to a social network, heh...
18:37 < Jason404> i'm behind NAT. does this make things more difficult, apart from having to forward port(s)?
18:37 < Jason404> (with openvpn)
18:38 < Jason404> dvl: you behind NAT
18:38 < Jason404> ?
18:38 < Plouj> humm: http://www.vmware.com/appliances/directory/822
18:38 < vpnHelper> Title: PhoneHome - an openVPN appliance | Virtual Appliance Marketplace (at www.vmware.com)
18:39 < Plouj> and some more: http://www.rpath.org/search?type=Products&search=openvpn
18:39 < vpnHelper> Title: rBuilder Online - Search Results (at www.rpath.org)
18:43 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
18:48 < dvl> Jason404: I am behind NAT, but the OpenVPN server is not.
18:48 < Jason404> will being totally behind NAT be a problem for me?
18:49 < Jason404> surely there would be no problem with the port(s) forwarded to OpenVPN?
18:51 < grendal_prime> im trying ssh-copy-id to ...well do what it does..i keep getting an error about "no identities found" i created the keys with ssh-keygen. what the hell am i doing wrong?
18:57 < grendal_prime> nevermind i figured it out...thanks anyway
19:01 < grendal_prime> Jason404: you are behind a nat (the client?) if the client is behind a nat then no..thats the whole point...the server behind a nat then yes you will need to forward ports. 1194 i think is the only one though.
19:03 < Jason404> cheers. forwarding ports is no problem. i was just wondering if there would be any further complications.
19:07 < ecrist> Jason404: should be no other problems.
19:08 < Jason404> cool
19:23 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
19:23 -!- mRCUTEO is now known as John
19:23 -!- John is now known as mRCUTEO
19:27 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
19:27 < mRCUTEO> !configs
19:27 < vpnHelper> mRCUTEO: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:30 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection]
19:31 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
19:53 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn
19:59 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
20:00 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
20:00 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
20:12 -!- int [n=quassel@wikia/int] has quit [Excess Flood]
20:12 -!- int [n=quassel@wikia/int] has joined ##openvpn
20:30 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
20:31 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has left ##openvpn ["Ex-Chat"]
20:52 -!- Gray9Mar_ [i=surf___@gateway/tor/x-f308901d65b6993a] has quit [Remote closed the connection]
20:58 -!- Gray9Mar [i=surf___@gateway/tor/x-97088d7eb17c601f] has joined ##openvpn
22:31 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn
22:35 -!- littlerock [n=littlero@219.236.170.71] has joined ##openvpn
22:37 < littlerock> can I connect to openvpn server without installing third-party software in windows XP ?
22:39 < muxpux> openvpn client
22:41 < littlerock> muxpux: can I use software in windows instead of installing openvpn, is it possible
22:49 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
22:49 < ricoshady> hey dazo, you around?
22:49 < ricoshady> im working on my open-wrt openvpn config
22:59 < cyberjames> littlerock: if you can do that, let me know too :)
23:22 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:27 < ricoshady> anyone know what this means? http://pastebin.com/m29641edb
23:33 < littlerock> I need to issue CA, KEYs etc to openvpn clients, how to disable a *specific* user in openvpn ?
23:49 < ricoshady> revoke the key you gave to whichever client you want to stop
--- Day changed Fri Jan 23 2009
00:18 < littlerock> ok I will try
00:48 < ricoshady> im trying to get my server to dish out ips, im using --ifconfig-pool in the server config, but when I connect the client doesnt get an ip and I get the error " no --ifconfig-pool netmask parameter is available to push to"
01:05 < ricoshady> how do I get the client to automatically get one of the ips from the ifconfig-pool option??
01:30 < ricoshady> shit, now this is a DEAD fucking room
01:33 < ykut_johny> dazo: i managed to get it working for my vpn yesterday. what i did was, changing the openvpn server to latest version and the old version 2.0.6 to become client and whoola, everything working just fine..:)
01:48 < ricoshady> ykut_johny, are you using ifconfig-pool?
01:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:50 < ricoshady> anyone know how to configure openvpn?
01:50 < ricoshady> i have a question with ifconfig-pool
01:51 < krzee> whats the question
01:51 < ricoshady> the client connects but does not acquire an ip from the openvpn server
01:51 < ricoshady> im using ifconfig-pool
01:52 < ricoshady> I got it working with server ip netmask, but I want to use same ip for the local net and vpn
01:52 < krzee> !configs
01:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:52 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
01:52 < onats> hi guys,
01:52 < onats> on an ubuntu system, where does the easy-rsa directory get installed into?
01:52 < onats> i installed openvpn using package manager
01:53 < krzee> find / -name easy-rsa
01:53 < onats> ty
01:53 < ricoshady> http://pastebin.com/m1b6be7cf
01:53 < ricoshady> thats my server config
01:54 < ricoshady> does the vpn server need to be a different ip and subnet from the lan interface?
01:54 < krzee> ricoshady, why dev tap?
01:54 < krzee> ricoshady, yes
01:54 < ricoshady> its bridged
01:54 < ricoshady> so it has to be on a completely different subnet too?
01:54 < krzee> umm
01:55 < krzee> you use --server-bridge to bridge
01:55 < krzee> --server-bridge gateway netmask pool-start-IP pool-end-IP
01:55 < ricoshady> well with tun, it seemed I could only connect one client at a time
01:55 < krzee> no, you can connect many with tun
01:55 < krzee> why are you bridging?
01:56 < ricoshady> with tun tho, my interface came up, it maps one ip to the other
01:56 < ricoshady> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
01:56 < ricoshady> inet addr:10.108.42.1 P-t-P:10.108.42.2 Mask:255.255.255.255
01:57 < ykut_johny> ricoshady: yeah..i did disable it and reenable it as well..seems like openvpn caches the routing
01:57 < ricoshady> 42.1 => 42.2
01:57 < ricoshady> or is that just because I didnt create a pool
01:59 < krzee> ricoshady, thats normal
01:59 < krzee> !/30
01:59 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
02:00 < krzee> ricoshady,
02:00 < krzee> !tunortap
02:00 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
02:02 < krzee> onats, np
02:04 < onats> krzee, when maintaining multiple vpn networks ( i need to generate some client keys once in a while), do you just keep copies of their key directory individually?
02:04 < krzee> yes, you may also find ssl-admin useful
02:04 < krzee> !ssl-admin
02:04 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
02:04 < ricoshady> how do I create my tun device
02:05 < krzee> ricoshady, if you have tuntap loaded in kernel (which you do) it should be made on demand
02:05 < krzee> but you can make it stay with --mktun
02:05 < krzee> openvpn --mktun will create it for good
02:06 < krzee> if you are in windows, it will just work
02:06 < krzee> tap driver does tun mode
02:06 < ricoshady> ic, this is pretty cool, so once I have the VPN up, on the other subnet, I'll need to route traffic to the lan
02:06 < krzee> !route
02:06 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:08 < ricoshady> that is weird, from the VPN, I cant ping the client
02:09 < ricoshady> isnt that because of the tun interface?
02:09 < krzee> are both sides using tun?
02:10 < ricoshady> yup
02:10 < krzee> repost server conf pls
02:12 < ricoshady> http://pastebin.com/m2b8754d server
02:12 < ricoshady> client http://pastebin.com/mc9bbab7
02:12 < krzee> remove tls-server
02:13 < krzee> and
02:13 < krzee> grep -vE '^#|^;' client.conf
02:13 < krzee> then repost client pls
02:16 < ricoshady> the windows client is windows
02:16 < ricoshady> duh, the client is windows
02:16 < krzee> ok, well remove comments
02:16 < ricoshady> i dont have grep
02:17 < krzee> oh nm you can leave --tls-server in there
02:17 < ricoshady> http://pastebin.com/m60230ab8
02:17 < krzee> my bad, was thinking tcp-server
02:18 < krzee> these machines are on the same lan?
02:19 < krzee> if you have --tls-server the client should have --tls-client
02:20 < ricoshady> yes, same lan
02:20 < krzee> why?
02:20 < krzee> securing wifi?
02:20 < ricoshady> testing
02:21 < krzee> you wont be able to test lan related stuffs
02:21 < krzee> like the stuff in !route
02:21 < krzee> if you have an external box somewhere you can test with that tho
02:21 < ricoshady> k
02:21 < krzee> when it works you use that config on your laptop
02:21 < krzee> doesnt matter what os
02:22 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:33 < krzee> ricoshady, do they connect or give an error?
02:42 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
02:53 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: krzie, trifler, tarbo2, Pagautas, bigjohnto, ikevin_, vpnHelper, Bushmills
02:53 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, meshuga, lilalinux, deever, disposable, tomfmason, worch, thewolf, cyberjames, eliasp, (+6 more, use /NETSPLIT to show all of them)
02:55 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:55 -!- Netsplit over, joins: bigjohnto, ikevin_, disposable, vpnHelper, Bushmills, fbond, oc80z, tomfmason, eliasp, cyberjames (+11 more)
02:55 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
02:55 -!- Netsplit over, joins: lilalinux, kala
03:13 -!- aar0n_sleeping [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
03:22 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
03:43 -!- _markh_ [n=chatzill@fentech.gotadsl.co.uk] has quit ["ChatZilla 0.9.83 [Firefox 3.0.5/2008120122]"]
03:44 -!- littlerock [n=littlero@219.236.170.71] has left ##openvpn []
03:50 -!- Hyphenex [n=scott@203.219.38.207] has quit [Read error: 104 (Connection reset by peer)]
03:50 -!- ledoktre [n=ledoktre@67.224.62.214] has joined ##openvpn
03:50 < ledoktre> good morning. Anyone got time for a quickie?
03:52 < ledoktre> question is : my openvpn-status.log file is not accurately reflecting the connection status of my client pc. it says it is still connected, yet when I check on the client side, it is no longer connected. I wanted to write a script to monitor the connection, and run a script once it is disconnected, however this is going to be difficult, if I cannot seem to get the status log file to update. Any thoughts?
03:56 < dazo> ledoktre: which openvpn version are you using?
04:08 -!- meturaf [i=meshuga@lenin.ww88.org] has joined ##openvpn
04:08 -!- meshuga [i=meshuga@lenin.ww88.org] has quit [Read error: 104 (Connection reset by peer)]
04:35 -!- rio_ [n=rio@89-149-209-78.internetserviceteam.com] has joined ##openvpn
04:35 < rio_> hi, a question: how can i change IFCONFIG_POOL_MAX variable value in ovpn 2.0.9?
04:35 < rio_> i need to use a /B class range
04:37 < rio_> do i have to recompile ovpn modifying pool.h?
04:40 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
04:51 < dazo> rio_: I vaguely remember this being discussed in the openvpn-devel mailing list last autumn ... maybe check that?
04:52 < rio_> dazo thanks for reply but is not a problem, i just modified pool.h and recompiled :)
04:52 < dazo> http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel
04:52 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
04:53 < dazo> rio_: cool ... well, I remember some developers was wondering about this limitation as well .... but I don't remember if it was "just that easy"(tm) ... or if it would backfire somehow somewhere else
04:54 < rio_> btw i think it should be overwritable with some ovpn.conf var
04:55 * dazo think he found the mail thread .... reading ....
04:55 < dazo> http://sourceforge.net/mailarchive/forum.php?thread_name=44e5dffd0806200615r65f02642hc7fd04d35d2b2a89%40mail.gmail.com&forum_name=openvpn-devel
04:55 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
04:55 < dazo> no clear conclusion .... except you have the same findings ....
04:56 < dazo> rio_: would you mind sending this question also to openvpn-devel mailing list? .... you may add your patch as well, would be nice to get this clarified why this limit exists
04:57 < rio_> well, i could do such thing but i'm a bit overloaded nowadays
04:58 < rio_> i'm not subscribed to maillist as well :D
04:59 < dazo> rio_: ahh ... I see ... but you had problems with nets bigger than /24 or /16? ... because up to /16 should be supported ... btw, which version are you running?
04:59 < rio_> now 2.1 rc15
04:59 < dazo> rio_: and you had that limitation also in rc15?
05:00 < rio_> tbh i don't know, i modified pool.h before compiling
05:01 < rio_> so now works but pool.h was already modified
05:01 < dazo> rio_: oki ... I see
05:01 < rio_> and i need more than 254 subnets, this is the reason i need a B class
05:01 < rio_> (potentially more than 254)
05:02 < dazo> #define IFCONFIG_POOL_MIN_NETBITS 16 << default in rc15
05:03 < rio_> i think it does not matter
05:03 < dazo> rio_: I follow ... well, I have no problems catching that ... even though, it's quite a lot of nets for a VPN tunnel ;-)
05:03 < rio_> :P
05:03 < dazo> rio_: just out of curiosity .... what change did you do?
05:04 < dazo> the #define I pointed at?
05:05 < rio_> hm
05:05 < rio_> just a sec
05:06 < rio_> in /usr/src/openvpn-2.1_rc15/pool.h @ #define IFCONFIG_POOL_MAX 65536
05:06 < rio_> changed in #define IFCONFIG_POOL_MAX 16777216
05:07 < dazo> hmmm ... interesting .... you opened for more IP addresses then actually ...
05:07 < rio_> yes, i opened for 256*256*256 ip address, a B range
05:08 < rio_> it should be simply overwritable using a conf that, if exists, change this value
05:08 < dazo> that's an A range isn't it? As here you have /8 bit mask ....
05:08 < reiffert> yep
05:09 < rio_> yes, sry
05:09 < rio_> A range
05:09 < rio_> 65536 was already a B range
05:09 < rio_> :P
05:09 < dazo> okey! Then I understand ... but I would still expect that you also would need to change the POOL_MIN_NETBITS as well to 8 ...
05:09 < rio_> dazo i didn't change that tbh, but it works...
05:10 * dazo not sure if it will always work that nicely
05:10 < dazo> but that depends where the check against IFCONFIG_POOL_MIN_NETBITS is done
05:11 < rio_> dazo im going to update IFCONFIG_POOL_MIN_NETBITS too
05:12 < rio_> hm
05:12 < rio_> dazo var is IFCONFIG_POOL_MIN_NETBITS
05:12 < rio_> MIN
05:12 < rio_> strange, should be named "max"
05:12 < rio_> no, is ok min :P
05:12 < dazo> no, MIN is correct .... minimum 8 bits
05:13 < dazo> :)
05:13 < rio_> ye ye, is ok
05:13 < rio_> modified and compiled
05:14 < rio_> it works as well as before
05:22 < krzee> ledoktre, why use status file to see if its connected?
05:22 < krzee> maybe ping would be a better option
05:23 < krzee> or better yet, if that script is going to reconnect it, use a keepalive instead
05:25 < krzee> and classful networking went out in the mid 90's guys
05:26 < krzee> /8 /16 /24 :-p
05:26 < krzee> s/networking/subnetting
05:26 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
05:27 < krzee> also, if you need that many ips, you should be using:
05:27 < krzee> !topology
05:27 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:28 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
05:28 < joelsolanki> Hi friends
05:28 < joelsolanki> i have been struggling from last 2 days to fix a openvpn client at remote location.
05:28 < joelsolanki> the system is ubuntu
05:28 < krzee> [02:57] rio_: cool ... well, I remember some developers was wondering about this limitation as well .... but I don't remember if it was "just that easy"(tm) ... or if it would backfire somehow somewhere else
05:28 < joelsolanki> and while connecting to openvpn server i am getting these errors
05:29 < joelsolanki> Jan 23 11:21:03 lake ovpn-lake[29693]: 59.180.130.198:46677 TLS Error: TLS handshake failed
05:29 < joelsolanki> Jan 23 11:21:04 lake ovpn-lake[29693]: 59.180.130.198:44463 write UDPv4 [ECONNREFUSED]: Connection refused (code=111)
05:29 < dazo> krzee: yes?
05:29 < krzee> dazo, the internal routing of stuff in openvpn can start to melt with that gue of clients
05:29 < joelsolanki> Jan 23 11:21:04 lake ovpn-lake[29693]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
05:29 < joelsolanki> Jan 23 11:21:03 lake ovpn-lake[29693]: 59.180.130.198:46677 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
05:29 < krzee> s/gue/huge/
05:29 < krzee> joelsolanki, you have access to both sides?
05:30 < joelsolanki> i checked on windows system using openvpn and it got connected but in ubuntu linux it gives this trouble.
05:30 < rio_> krzee interesting but now i'm ok
05:30 < joelsolanki> i have access to vpn server.
05:30 < dazo> krzee: yeah, but I'm ignorant to mention that fact ... as I would expect a person setting up this really would not expect it to work flawlessly .... with theoretically 16mill clients ...
05:30 < joelsolanki> i dont have control over vpn client. but a guy is there who gives me the output of any command we asked him.
05:31 < joelsolanki> if it was local system it would be easy to fix.
05:31 < joelsolanki> iptables is not installed so firewall is not an issue
05:31 < joelsolanki> even i checked /selinux/enforce that file also doesnt exist.
05:31 < joelsolanki> so i am doubting what is creating problem
05:31 < dazo> krzee: anyway .... if you get openvpn running with more than 4-500 simultaneous clients on one openvpn server process with a decent throughput ... I would consider it to be a miracle
05:31 < joelsolanki> i can get the logs of openvpn if you want
05:32 < krzee> !configs
05:32 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
05:32 < krzee> !logs
05:32 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
05:32 < krzee> with those we may get an idea
05:32 < joelsolanki> hmm let me do that
05:33 < krzee> also give a shot at 1 run on the client with mtu-test in the config
05:33 < krzee> just to rule out mtu issues
05:33 < joelsolanki> ahh how to do that
05:33 < joelsolanki> ?
05:33 < krzee> dazo, agreed, but the amount of ips he wanted to allocate made me think he didnt think the same
05:34 < krzee> how to do what?
05:34 < krzee> how to add the line mtu-test into the client config?
05:34 < krzee> umm, with a text editor i guess
05:34 < krzee> ubuntu comes with nano i believe
05:35 < krzee> should have vi as well
05:35 < joelsolanki> oh ok. i just need to add mtu-test
05:35 < joelsolanki> hold let me have it done and see
05:35 < krzee> oh i shoulda said with --mtu-test to be clearer
05:35 < joelsolanki> ok :)
05:36 < krzee> i just made it to west coast so its really 7:40am for me right now, lol
05:36 < krzee> jet lag and all
05:36 < dazo> krzee: true .... but I expected it to be some kind of subnetting included ... to spread things out .... and to make OpenVPN work with multiple segments over a range larger than /16 can provide, you'd need to patch it ... but I do not say I understand the need for it
05:37 < krzee> if thats what he was aiming for, each process should give a diff subnet and push routes for the others
05:37 < krzee> and any with lans behind go on a separate one so they can get same
05:38 < krzee> then each client that may connect to others get blocks
05:38 < krzee> so it can try next, next, next til one is cool
05:38 < krzee> and each server gets max-clients statement
05:38 < krzee> then it just works (tm)
05:49 < krzee> dazo, know what i mean?
05:57 -!- Gray9Mar [i=surf___@gateway/tor/x-97088d7eb17c601f] has quit [Remote closed the connection]
05:57 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
05:57 -!- Gray9Mar [i=surf___@gateway/tor/x-fcbf8d33a0e756f7] has joined ##openvpn
05:59 < muxpux> hi krzee
06:00 < muxpux> <--lonel
06:23 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has joined ##openvpn
06:29 < Super_Cat_Frog> hi - i have openvpn running on a server, with separate physical network interfaces for internal and external. We're having strange network problems which the people in the data center are blaming on us having multiple default routes
06:30 < Super_Cat_Frog> sounds reasonable to me - i'm not a networking guy, but when i remove either of the default routes, the vpn fails to route traffic
06:30 < Super_Cat_Frog> any ideas?
06:31 < dazo> krzee: Yes, I do ... and I agree :)
06:33 < dazo> krzee: but we can tell him how to do it when he comes back to us, crying, because openvpn collapses because of his infrastructure :-P
06:40 < Super_Cat_Frog> is there anything i should read / google for to find some more info ?
06:40 < Super_Cat_Frog> the people in the data centre are worried it will cause traffic to loop
06:48 -!- polaru_ [n=polaru@193.33.154.198] has joined ##openvpn
06:49 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
06:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:02 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)]
07:12 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
07:20 < Super_Cat_Frog> ah, i'm a tard
07:20 < Super_Cat_Frog> there is only one default gateway, and its working, strange
07:20 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has left ##openvpn ["Konversation terminated!"]
07:25 -!- rio_ [n=rio@89-149-209-78.internetserviceteam.com] has left ##openvpn ["aloha"]
07:30 < plaerzen> morning irc
07:45 -!- Plouj [n=Plouj@red.cs.yorku.ca] has quit ["bah, red going down for UPS replacement.................."]
07:49 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
07:56 -!- ozirus [n=caliskan@81.214.150.105] has joined ##openvpn
07:59 < ozirus> is it possible to limit vpn connection with time? say, i want to integrate openvpn server with a reservation system and users will book the remote lan and connect to it via vpn. when time expires, openvpn server kills the client connection?
08:03 < dazo> ozirus: not out of the box .... but .... it is possible to write such a plug-in for OpenVPN
08:08 < dazo> ozirus: another approach ... is to write an own connection checker, which uses the management interface of the openvpn-2.1 series
08:32 -!- ozirus [n=caliskan@81.214.150.105] has quit []
08:52 < ecrist> good morning, bitches
08:59 < plaerzen> hey ecrist
08:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:59 < plaerzen> ecrist, tell me a story please.
09:02 < reiffert> Once upon a time I was born when my parents were on a journey.
09:03 < reiffert> They stood on a potato acre, which wasnt one of ours, which was irrelevant to me as of then.
09:15 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
09:15 < prxtien> hey all
09:15 < prxtien> im running an openvpn instance as privileged user openvpn:openvpn, tunnel works fine on start, but on restart, tunnel fails with SIOCSIFMTU: Operation not permitted
09:15 < plaerzen> reiffert, I like your story
09:22 < prxtien> !configs
09:22 < vpnHelper> prxtien: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:25 -!- polaru__ [n=polaru@93.113.192.70] has joined ##openvpn
09:27 < ecrist> prxtien: the proper way to do that is to run as root, allowing openvpn to su down to an *un*privileged user, such as openvpn
09:27 < prxtien> yes
09:27 < prxtien> thats what i am doing mate
09:27 < prxtien> but when i -HUP it for example
09:27 < prxtien> it crashes out
09:37 -!- polaru_ [n=polaru@193.33.154.198] has quit [Read error: 110 (Connection timed out)]
09:40 < Jason404> does anybody run OpenVPN in a virtual machine?
09:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:48 < ecrist> Jason404: lots of people
09:48 < ecrist> what problems are you having?
09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
09:49 < Jason404> ecrist: none. I was just wondering if there were any potential problems with doing that. Like the routing to the host machine would be fine etc..?
09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:50 < Jason404> ecrist: ...and when using virtual NICs and stuff
09:51 < Jason404> i am new to OpenVPN, so I have not actually set it up yet.
09:51 < Jason404> if there were problems regarding VMs, it would be better to know now, other than trying to figure out why its not working, being new to this
10:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
10:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:17 < MMN-o> Jason404: A NIC that's visible as a "real" NIC (emulated by the host) will work as a real NIC.
10:18 < Jason404> MMN-o: so no issues with virtual NICs? cool thanks
10:35 < dazo> Jason404: just make sure that your firewalling and routing on all your network routers are correct ... and it should work like a charm .... and tcpdump or wireshark will be your best debugging friend
10:37 < Jason404> dazo: okay thanks. I'll make a note of those
10:38 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
10:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:42 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
10:42 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn
10:42 < RUS> hi all
10:48 < RUS> i have installed openvpn on my server. trying to use build-ca script and see error: you must define KEY_DIR
10:48 < RUS> how i can define it ?
10:50 < dazo> RUS: have you remembered to edit the ./vars file .... and done: source ./vars ?
10:51 < RUS> no. not yet.
10:51 < RUS> i must edit ./vars file ?
10:51 < dazo> RUS: that's needed to make those scripts work
10:51 < dazo> RUS: and you do need to source that file first
10:52 < RUS> it must be edited before ./make and ./install ?
10:53 < dazo> RUS: no, just edit it .... do: source ./vars ... in your shell (or . ./vars in some shells) ... and then try ./build-ca
10:53 < RUS> ok , thanks. will try now
11:09 < RUS> i have edited my ./vars file, but when i start ./clean-all i see error again.
11:09 < RUS> all scripts /etc/openvpn/easy-rsa
11:09 < RUS> key dir /etc/openvpn/keys
11:09 < RUS> ./vars file have a string:
11:09 < RUS> xport D=`/etc/openvpn`
11:09 < RUS> but doesn't work.
11:10 < RUS> maybe
11:10 < RUS> when i try ../vars i see permission denied
11:11 < RUS> no
11:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
11:16 < dazo> RUS: you must do vars ... | . ./vars |
11:17 < dazo> RUS: can you please pastebin your ./vars file .... and the errors you get?
11:17 < dazo> RUS: I believe there is also a README file in that dir ... I presume you've looked at that one as well
11:18 < RUS> ../vars is not correct. i have vars file in easy-rsa dir
11:18 < RUS> and i try ./vars then ./clean-all
11:19 < dazo> RUS: ... I do not say ./vars .... I say . ./vars .... do you see the difference?
11:20 < dazo> (in some shells . means the same as: source)
11:20 < RUS> yes
11:20 < RUS> will try
11:20 < RUS> . ./vars
11:20 < RUS> -bash: /etc/openvpn/easy-rsa/: is a directory
11:20 < RUS> NOTE: when you run ./clean-all, I will be doing a rm -rf on /keys
11:22 < RUS> good
11:22 < RUS> that works after source ./vars
11:22 < RUS> what does it mean source ./vars ?
11:24 < dazo> RUS: that means to read and parse and execute the given file, and export all exported variables into the current shell .... man bash might give you a more comprehensive explanation of the 'source' command
11:24 < RUS> thanks dazo
11:26 < dazo> RUS: but I believe you still have something not correct in that ./vars file .... it should give a better response than that on the path to /keys .... unless you tweaked your output here
11:27 < RUS> maybe :)
11:27 < RUS> but ./clean-all work well
11:27 < RUS> and i have new error
11:27 < RUS> ./build-ca
11:27 < dazo> RUS: okey ... you might now find your key storage on /keys .... on your filesystem
11:27 < RUS> yes
11:28 < RUS> well. there is 2 files
11:28 < RUS> dir
11:28 < RUS> index.txt serial
11:28 < dazo> yes?
11:29 < RUS> yes
11:29 < RUS> and i have new error after ./build-ca
11:29 < RUS> error on line -1 of /openssl.cnf
11:29 < RUS> No such file or directory:bss_file.
11:29 < RUS> much more errors :)
11:29 < dazo> exactly ... as I anticipated .... you have wrong path on KEY_CONFIG in the vars file
11:30 < RUS> hm...
11:30 < RUS> what's wrong there ?
11:30 < dazo> RUS: from the README file .... (please!! read that one)
11:30 < dazo> 3. Set KEY_DIR to point to a directory which will
11:30 < dazo> contain all keys, certificates, etc. This
11:30 < dazo> directory need not exist, and if it does,
11:30 < dazo> it will be deleted with rm -rf, so BE
11:30 < dazo> CAREFUL how you set KEY_DIR.
11:31 < RUS> ok. i go to read
11:31 < RUS> it
11:32 < dazo> sorry ... I mixed point 2 and point 3 .... point 2 covers the error you see ... but still, read all of it ... and you'll be safe
11:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
11:42 -!- polaru__ [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:43 -!- ido-- [n=wtf@212.199.189.65] has joined ##openvpn
11:43 < ecrist> afternoon, bitches
11:44 < ido--> i have a client connected to a server, which has a server 10.10.10.0 255.255.255.0
11:44 < ido--> how can i connect to a different network over that link ?
11:44 < ido--> eg, 192.168.0.X
11:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:45 < ecrist> ido--: !route
11:46 < ido--> yeah, but you could be more specific
11:46 < ido--> if its not too much trouble
11:46 < ido--> i've man'd route already
11:49 < dazo> ido--: that's not the man page ....
11:49 < dazo> !route
11:49 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:49 < ido--> you know what i mean
11:50 < dazo> ido--: it's all about setting up the correct routes .... and if the server side of openvpn wants to access the network behind the client, the client needs to set iroute ...
11:50 < dazo> ido--: and then it is firewalling ... that's basically all the magic
11:53 < ido--> hrm.
11:53 -!- RUS [n=Mirc@88.214.199.147] has quit [Read error: 113 (No route to host)]
11:53 < ido--> i'm a bit confused about the route
11:53 < ido--> sec
11:53 < ido--> iroute
11:54 < dazo> ido--: see it from the client side .... the client receives a lot of routes .... and then it gets the iroute ... (read it as "I route") ... which means the client will route the given net through the tunnel on request
11:59 < ido--> cool. it worked. thanks
11:59 < ido--> oh wait. it didnt
12:00 < dazo> heh
12:23 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:23 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:27 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:32 < ido--> back. wasn't here
12:33 < ido--> the server sits on a 192.168 lan
12:33 < ido--> and i've added the push command to its conf
12:33 < ido--> the client now routes to 192.168 network. and i can access the server via its 192 ip
12:33 < ido--> however it wont ping other nodes on the network
12:34 < ido--> the proc>>ip_forward is set to 1
12:34 < ido--> what else should i do ?
12:34 < ecrist> ido--: your other machines need to be able to route the VPN subnet back to the VPN server.
12:35 < ido--> oh. right
12:35 < ido--> its not done via masquerading
12:35 < ido--> how do i do that ?
12:35 < ecrist> well, one of two ways
12:35 < ecrist> 1) have your openvpn box be your network gateway (easiest)
12:36 < ecrist> 2) add a static route to your LAN machines for the VPN subnet, routing to the OpenVPN box.
12:36 < ido--> can i add a route net 10.10.x to the openvpn server on the default gateway of the 192.168 network ?
12:36 -!- prufrocks [n=prufrock@CPE001cb3abac8e-CM001e6b227c70.cpe.net.cable.rogers.com] has joined ##openvpn 12:38 < prufrocks> if i'm trying to configure both openvpn and ipsec/l2tp on my server, would each have to provide ip addresses in a different subnet? 12:38 < ecrist> prufrocks: you're missing a lot of data there. 12:38 < prufrocks> ? 12:42 < dazo> ido--: you may try to do that ... but I cannot guarantee that it'll work, I've struggled with that one earlier in life (could be my inexperience at that point, of course).... setting up static routes on those boxes which you want to route that net to, is probably quicker and easier 12:43 < dazo> ido--: or, try static routes first ... and see that it works ... then you can try the other approach, to see if that works for you as well 12:43 < dazo> ido--: and as always .... if you have tcpdump and/or wireshare .... they'll help to see if the routing goes right or not by looking at the different nets you have available 12:44 < ecrist> ido--: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_addstaticroute.mspx?mfr=true 12:54 -!- prufrocks [n=prufrock@CPE001cb3abac8e-CM001e6b227c70.cpe.net.cable.rogers.com] has quit [] 12:59 < ido--> dazo, that routing thingy worked. 12:59 < ido--> another question though 12:59 < ido--> running tcpdump on the server shows me this 12:59 < ido--> 21:55:48.206748 IP 10.10.10.6.47429 > HOME.12345: UDP, length 14 12:59 < ido--> 21:55:48.206829 IP HOME > 10.10.10.6: ICMP HOME udp port 12345 unreachable, length 50 12:59 < ido--> that ip is the clients ip 13:00 < dazo> ido--: what do you have on port 12345? 13:00 < ido--> hrm. not sure 13:00 < dazo> ido--: or ... which port do you use for openvpn ? 13:00 < ido--> the server was originally on 12345 13:00 < ido--> then moved it to port 80 13:01 < dazo> ido--: and the 10.10.10.* net is your VPN channel? 13:01 < dazo> ido--: and HOME is the public address of your server at home? 
13:01 < ido--> oh wait 13:01 < ido--> sorry, the server is on 12345 13:01 < ido--> its being port forwarded from 80 to 12345 13:02 < ido--> because the server is behind firewall. 13:02 < ido--> HOME is the ovpn server name 13:03 < dazo> ido--: ahh ... which IP range do you use for VPN and at home? 13:03 < dazo> (inside the fw) 13:04 < ido--> 192 13:04 < ido--> 192.168.x 13:11 < ido--> dazo ? 13:12 < dazo> ido--: I don't follow this .... you use 192.168.x at home ... and your VPN tunnel is 10.10.10.x ? 13:12 < ido--> yes 13:13 < dazo> ido--: then I don't understand that traffic at all .... which interface where you listening to when you did that tcpdump? eth0 or tun0/tap0 13:13 < ido--> listening on tun0 on the server 13:14 < ido--> i get this: http://www.pastebin.ca/1316218 13:14 < dazo> ido--: that makes more sense .... then I woud check the netstat on your VPN client ... to see which program which tries to connect to your server on port 12345 via the tunnel 13:15 < ido--> 3 types of traffic (what i pasted goes in a loop..) 13:15 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 113 (No route to host)] 13:16 < ido--> the traffic on port udp 9442 13:16 < dazo> ido--: yeah ... multicast traffic is one thing, and can be ignores mostly ... and that covers to of the patterns I see 13:16 < ido--> multicast 13:16 < dazo> ido--: are you sure your tunnel works right now? 13:16 < ido--> my tunnel does work.. 13:17 < dazo> ido--: do you use --redirect-gateway ? 13:17 < ido--> whats that multicast traffic used for ? who is generating it ? 13:17 < ido--> whats --redirect-gateway ? 13:17 < ido--> I'm not using it 13:18 < dazo> multicast traffic is kind of traffic to all available clients ... and can be used for service broadcast ... like pulseaudio server, ssh services, VNC etc ... to tell other boxes that these services are availabe .... 
in Linux, it's mostly avahi/msDNS which makes use of this 13:18 < ido--> oh wait 13:18 < ido--> its multicast that comes from the server.. 13:18 < ido--> hrm. i need to block this 13:18 < ecrist> ljkjksadfladfsjklas;df 13:18 < ido--> no iptables installed. ugh. 13:18 < ido--> ok 13:18 < dazo> ecrist: something is wrong with your rot13 scramber 13:18 < ido--> i'll deal with that later 13:19 < dazo> ido--: if you don't need such service broadcast ... you can stop the avahi service on the server 13:19 < ido--> back to the port 12345 thingy 13:19 < ido--> openvpn runs on port 12345 tcp, not udp 13:19 < ecrist> ick 13:20 < ecrist> tcp vpn 13:20 < ecrist> why not port 1194? 13:20 < ido--> going through a http proxy.. 13:20 < ido--> they allow only port 80 13:20 < ido--> and 443 13:20 < dazo> thats interesting .... just another reason to check netstat on your VPN client ... to see what kind of programs which is responsible for that 13:21 < dazo> ecrist: I hope you figured he does port forwarding on his router from 80 -> 12345 13:21 < dazo> ido--: but you can use 1194 on the inside without any problem 13:21 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 13:22 < ido--> no hrm 13:23 < ido--> hrm 13:23 < ido--> ok, found out what it was 13:23 < ido--> old instances of openvpn, before i changed config 13:24 < ido--> can i make openvpn run only once ? 
(so i wont be able to make two instances likei had now) 13:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 13:46 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:51 < dazo> ido--: well, afaik, there are no such limitations possibility 13:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] --- Log closed Fri Jan 23 14:32:40 2009 --- Log opened Fri Jan 23 14:55:43 2009 14:55 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 14:55 -!- Irssi: ##openvpn: Total of 48 nicks [0 ops, 0 halfops, 0 voices, 48 normal] 14:55 -!- Irssi: Join to ##openvpn was synced in 0 secs 14:57 < ricoshady> i have a route that sends all 192.168.109.0 traffic to the tun ptp device 192.168.109.2, but i cant ping the client 14:57 < ricoshady> here are my routes 14:58 < ricoshady> http://pastebin.com/m4f30a8c1 15:02 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:05 -!- sparkymakry [n=mark@200.32.232.82] has joined ##openvpn 15:07 < sparkymakry> hi everyone 15:07 < sparkymakry> can someone help me with some setup problems? 15:08 < sparkymakry> I am having problems receiving pings from the server computer.. 15:10 < sparkymakry> 15:13:01.148724 IP cleint_IP > server_IP: icmp 64: echo request seq 333 15:10 < sparkymakry> 15:13:01.258164 IP server_IP > client_IP: icmp 64: echo reply seq 333 15:10 < sparkymakry> that is a tcpdump from the client that I'm pinging from to the server. 15:11 < sparkymakry> it says that there was a reply, but ping says no reply 15:11 < sparkymakry> I have the vpn up and working, but just suddenly the connection died. 15:13 < sparkymakry> hello??? anyone here?? 15:15 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn 15:17 < _Sam--> hey ive been running openvpn for about 3 years now....im currently running 2.0.9. 
recently, every few days VPN connections from outside our lan become terribly slow (not related to bandwidth or server resources) and im having a hard time getting them back to speed. what has worked has been restarting openvpn on the server, and letting the clients sit for like 10 minutes.... 15:17 < _Sam--> i cant continue to do that -- my employees are hating me now already.....any help in tracking down the problem would be appreciated. ive already used all the standard tools like logging, tcpdump, checked firewwalls, etc etc etc. 15:17 < _Sam--> like i said, its been running fine for 3 years, until the past month. 15:18 < ecrist> something changed 15:18 < _Sam--> i wish that were the case, sincerely. 15:18 < _Sam--> what has changed in that time, has been that we've added a few more remote clients. 15:18 < _Sam--> but as i stated, im positive its not bandwidth reltaed. 15:19 < _Sam--> or resources related. 15:19 < ecrist> how many clients, total? 15:19 < _Sam--> actively connected to VPN or certs issued? 15:20 < ecrist> actively connected 15:20 < _Sam--> small number, maybe 10 MAX. 15:20 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 15:20 < ecrist> the 'sitting for 10 minutes' thing doesn't make sense. 15:21 < ecrist> udp? 15:21 < _Sam--> yes, udp. 15:21 < ecrist> you live in Canada? 15:21 < _Sam--> no i dont, im close to philadelphia, USA 15:21 < ecrist> sounds like bandwidth throttling. 15:21 < _Sam--> its not. ive taken down the entire firewall. 15:21 < _Sam--> no shaping or rules. 15:22 < ecrist> on the ISP side, not yours 15:22 < _Sam--> if that were the case, then it would still be fast when i go over the internal network to the external VPN port....but that is slow too. 15:22 < _Sam--> LAN--> WAN port 15:22 < _Sam--> not on internet, differnet NIC, same box. 
15:22 < ecrist> udp is used for bittorrent, different ports, but it's become common for ISPs to send RST packets to throttle down connections. 15:23 < ecrist> _Sam--: then you may have a hardware problem with your VPN server 15:23 < _Sam--> other connections out the same NIC, non VPN, work at full speed fine. 15:23 < _Sam--> its definitely related explicitly and specifically to my openvpn. 15:23 < _Sam--> but i cant figure out how or why. 15:23 < ecrist> then something changed. 15:23 < ecrist> code doesn't just 'stop working' 15:24 < _Sam--> my config hadnt changed since like late 07. the server itself was also compiled in 2007. 15:24 < _Sam--> so while i appreciate your theory, i respectfully disagree. 15:24 < ecrist> so, upgrade to 2.1rc15 and see if that fixes your problem. 15:25 < sparkymakry> I have very little experience, but had similar one - ended up that my wireless link was unstable, and openVPN is much more sensitive to out of sequence packets 15:25 < _Sam--> i may do that. id be more intersted in trying any solutions or answers that may fix my current problem. id be willing to pay, because its that important, and because ive done all the diagnostics i can do. 15:25 < ecrist> and, regardless what you think, code doesn't just stop working. something else is the culprit. maybe you updated a linked library, or you've got an intermittent memory problem. 15:26 < ecrist> _Sam--: either 1) try a different piece of hardware, or 2) try 2.1rc15 15:26 < _Sam--> k. ive alrady swapped out the switch that NIC is connected to. 15:26 < ecrist> no, try a different server 15:27 < _Sam--> yeah i could also do that, im sure. but that would require reconfiguring all my clients. 15:27 < ecrist> no it wouldn't 15:27 < _Sam--> i guess not, now that i think. 15:27 < ecrist> you seem unwilling to accept my knowledgable advice... 15:27 < _Sam--> i would have to reconfigure the clients to connect to the new host. 
15:27 < ecrist> no you wouldn't 15:27 < _Sam--> unless i did some port forwarding on the old host 15:28 < _Sam--> tell me what you're thinking 15:28 < ecrist> put the new host in place of the old one 15:28 < ecrist> pretty simple concept 15:28 < _Sam--> oh if you are talking about replacing our production server...thats not feasible. its expensive, reliable, and relatively new. 15:28 < _Sam--> i was talking about moving the openvpn service to a diff. server 15:29 < ecrist> during tcpdump, did you see any rejects on your end? what did you see? 15:29 < _Sam--> no rejects, nothing funny...just a LONG delay between for example when i would click on http items, and when data would start moving either on screen or via tcpdump. 15:30 < ecrist> ok, so to rule in/out openvpn server process, move it to another host. 15:31 < _Sam--> yeah i already have openvpn server setup on another box. but tell me exactly what i am trying to see or determine. i already know that if i connect to this other vpn server, that my data works fine. 15:31 < _Sam--> same version of openvpn. 15:31 < _Sam--> same client and server configs. 15:32 < ecrist> we'll you seem convinced it's the openvpn process. 15:32 < ecrist> change it. 15:32 < _Sam--> alright. in order to update to the RC15 version, no changes to any configs? 15:33 < ecrist> nope 15:33 < _Sam--> thank you very sincerely for your time and knowledge. though i seem like a know it all attitude, its very much appreciated. 15:33 < ecrist> uh huh 15:34 < sparkymakry> ecrist, did you read my messages before? 15:34 < sparkymakry> about 15:34 < sparkymakry> [15:16] 15:13:01.148724 IP cleint_IP > server_IP: icmp 64: echo request seq 333 15:34 < sparkymakry> [15:16] 15:13:01.258164 IP server_IP > client_IP: icmp 64: echo reply seq 333 15:34 < sparkymakry> [15:17] that is a tcpdump from the client that I'm pinging from to the server. 15:35 < ecrist> sparkymakry: what's your problem? 
15:35 < sparkymakry> I know this is not specifically openvpn, or can you direct my to another channel? 15:35 < sparkymakry> that's the output of tcpdump, but ping still says no response 15:35 < sparkymakry> vpn will not connect 15:36 < ecrist> !logs 15:36 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:36 < sparkymakry> messages log? 15:36 < sparkymakry> i'm a newb to linux 15:36 < ecrist> openvpn log files 15:36 < sparkymakry> OK, will try get that.. 15:37 < sparkymakry> thanks 15:37 < _Sam--> ecrist : if making from source (my last bin was a debian package)....a simple configure with no options will make what i need? 15:37 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 15:37 < ecrist> should, yes 15:37 < ricoshady> how come when I flashed the router with openvpn it didnt reset everything? 15:37 < _Sam--> krzie: i dont know what options the debian package may have used. 15:37 < _Sam--> damn nick completion. 15:37 < _Sam--> thanks. 15:38 < ecrist> ricoshady: no idea what you're talking about 15:38 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has left ##openvpn [] 15:38 < _Sam--> sounds like WRT54 question 15:38 < ecrist> I know, wanted him to say that. 15:38 < ecrist> so I could tell hime to join another channel 15:38 < _Sam--> fair enough, tough love! 15:41 -!- sparkymakry [n=mark@200.32.232.82] has quit [Read error: 104 (Connection reset by peer)] 15:41 * ecrist goes away 15:42 -!- sparkymakry [n=mark@200.32.232.82] has joined ##openvpn 15:48 < _Sam--> ecrist : feel free to throw a 'told ya so' out there. i put the new openvpn bin in place, and same thing. however, if i let the clients sit for 10 minutes, they will come back fast! 15:51 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 16:24 < ecrist> _Sam--: I'm guessing either ISP bandwidth throttling, or hardware/memory issue. 
16:27 < sparkymakry> Does this mean that there is traffic between vpn? 16:27 < sparkymakry> Fri Jan 23 16:24:34 2009 us=628069 UDPv4 WRITE [116] to server_IP:1194: DATA len=116 16:27 < sparkymakry> Fri Jan 23 16:25:20 2009 us=742595 TUN READ [74] 16:27 < sparkymakry> Fri Jan 23 16:25:20 2009 us=742917 UDPv4 WRITE [116] to server_IP:1194: DATA len=116 16:27 < sparkymakry> Fri Jan 23 16:25:34 2009 us=623274 TUN READ [74] 16:27 < sparkymakry> Fri Jan 23 16:25:34 2009 us=623520 UDPv4 WRITE [116] to server_IP:1194: DATA len=116 16:28 < ecrist> can you ping the VPN server? are there any firewalls in between the client and vpn server? 16:28 < sparkymakry> actually I can't even ping the vpn ip addresses 16:28 < ecrist> start there. 16:28 < sparkymakry> there is a firewall, but 1194 is open, and also pings give replies 16:29 < sparkymakry> actually pings do not give replies from a to b 16:29 < sparkymakry> but I'm at location c, and I can nicely ping a and b 16:29 < ecrist> read !route 16:31 < sparkymakry> the problem I have is not vpn related at all 16:32 < sparkymakry> I don't know where else to post this though, -- if you can direct me to another channel 16:32 < ecrist> read !route 16:32 < sparkymakry> server side 16:32 < sparkymakry> 192.168.111.2 * 255.255.255.255 UH 0 0 0 tun0 16:32 < sparkymakry> 200.32.230.32 * 255.255.255.248 U 0 0 0 eth0 16:32 < sparkymakry> 192.168.2.0 * 255.255.255.0 U 0 0 0 tun0 16:32 < sparkymakry> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1 16:32 < sparkymakry> default span-access-dsl 0.0.0.0 UG 0 0 0 eth0 16:33 < ecrist> sparkymakry: did you go read the link available in !route? 
16:33 < sparkymakry> client side 16:33 < sparkymakry> sorry, I don't know what you mean 16:33 < ecrist> !route 16:33 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:33 < ecrist> follow that link, read it 16:34 < sparkymakry> but I can't even ping from a to b public to public ip address 16:34 < sparkymakry> so it's before vpn problems 16:34 < ecrist> then you have other issues 16:35 < ecrist> this isn't ##fix-all-my-network-issues 16:36 -!- easymac [i=uminac@users.easymac.org] has joined ##openvpn 16:36 < sparkymakry> I know. 16:37 < sparkymakry> I'm just totally stumped as to what I can do 16:37 < sparkymakry> will look for other chanel maybe 16:37 < easymac> hey guys, i've got an issue with assigning static ips to clients, error says i'm misusing the ifconfig-push command. i've tried ifconfig-push ip subnet and i've tried ifconfig-push ip router-ip 16:37 < easymac> the error remains with both 16:38 < easymac> Options error: Unrecognized option or missing parameter(s) in ccd/uminac:1: ipconfig-push (2.0.6) 16:39 < _Sam--> ecrist :thank you again for all of your time and wisdom. you have finally convinced me of that which you first said -- it aint openvpn or its binary. thanks again. 16:39 < ecrist> first, upgrade to 2.0.9, next read the howto page, read the section on controlling access based on cn 16:39 < ecrist> _Sam--: np 16:43 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has left ##openvpn [] 16:45 < easymac> oh, 2.0.9 is required? why the hell is the FreeBSD port so far behind? 16:45 < easymac> heh 16:45 < ecrist> easymac: 2.0.9 isn't required, but it's recommended 16:45 < ecrist> 2.0.6 on freebsd works OK. 16:45 < ecrist> and, if you're on FreeBSD, read my writeup 16:45 < ecrist> !freebsd 16:45 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 16:45 < easymac> yea, it works fine.. 
and i've read the howtos 16:47 < easymac> cool, i'll give that a read, but it doesn't appear to show an example of what i'm trying to do, only what i've successfully done. i do like your ssl admin thing though 16:47 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn 16:47 < easymac> that looks nifty 16:48 < _Sam--> ecrist : i asked #apache this same thing, but being as that you are all-knowing, i figure its worth a shot.... 16:48 < _Sam--> hey all im having an unusual problem where apache is terribly slow over a single interface , our VPN ip. the box has maybe 3-4 different ips that apache listens on...wan, lan, vpn, etc....but only the VPN apache connections are terribly slow to return data.... 16:48 < _Sam--> we've been running both the same vpn and apache versions for quite some time, and this problem has just arisen recently, with no changes in any config, hardware, or server software. 16:49 < ecrist> could it be faulty hardware? (and, I'm not all-knowing) 16:49 < _Sam--> if it were hardware or memory, one would expect to see symptoms arising in other places besides just the one thing. 16:50 < _Sam--> not saying that you're not correct, just seems that it would manifest itself in more ways. 16:50 < ecrist> seems to me it's arisen in both VPN and apache. 16:50 < easymac> heh 16:50 < _Sam--> i think more accurately, it seems to be EITHER vpn OR apache. and in my research and testing, i have proven its not VPN. 16:50 < _Sam--> i can move data from vpn host to vpn host just fine. 16:50 < _Sam--> just only when i try over http , no go. 16:51 < _Sam--> the same box, http over non-vpn -- same content, same pages...loads faster than fast. 16:51 < _Sam--> http over vpn...same content, same box, same apache, same pages....slower than slow. 16:52 < ecrist> _Sam--: in that case, during the request, watch the filesystem. 16:52 < ecrist> you could be running into raid errors, or other problems. 
16:52 < _Sam--> it does run hardware raid, but there is nothing shown or reported as wrong in any logs. 16:52 < _Sam--> and its reading the SAME DATA....whehter over vpn or non vpn 16:53 < _Sam--> but when it reads the files over vpn http...SLOW 16:53 < _Sam--> so that last theory of yours doesnt seem to hold. 16:53 < _Sam--> if it were filesystem...anytime the file was needed to be accessed, a problem would occur. 16:53 < _Sam--> im accessing it fine over non vpn. 16:53 < ecrist> _Sam--: check your MTU, then. 16:54 < ecrist> there's a config option in OpenVPN, --test-mtu or something 16:54 < ecrist> !mtu 16:54 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 16:54 < _Sam--> ive already done much testing with many of those parameters: #tun-mtu 1500 16:54 < _Sam--> #tun-mtu-extra 32 16:54 < _Sam--> #fragment 1450 16:54 < _Sam--> #mssfix 1450 16:55 < _Sam--> no apparent effect. 16:58 < _Sam--> i could tell you even more stuff that would only confuse and cloud things further. its really frustrating and confusing. 17:05 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn 17:08 < zoredache> are there any things I should watch out for when I am trying to run 2 openvpn server daemons with different settings on a single machine? 17:11 < zoredache> for example, can I share the subnet that I have provided on my 'server 10.n.n.n' between two daemons? 
17:13 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 17:14 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 17:26 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit ["Leaving"] 17:44 -!- sparkymakry [n=mark@200.32.232.82] has quit [Remote closed the connection] 17:46 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 17:48 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn 17:54 -!- bigjohnto is now known as bigjohnto_away 18:01 -!- thei0s [n=G0D@stud247204.studentenheim.uni-tuebingen.de] has joined ##openvpn 18:05 < thei0s> hi, can someone point me to the openvpn protocol specification? 18:08 < thei0s> (the udp and tcp version, because there seems to be an incompatible difference that disallows simply "forwarding/redirecting" tcp packets to udp) 18:14 < zoredache> how would you forward something from tcp to udp.... 18:19 < thei0s> listen on tcp and send everything over a udp socket and vice versa 18:28 < ricoshady> so I finally got my vpn up, I can ping the server from client, and client from server.the vpn is on 10.4.4.0 and my local lan is 10.4.5.0. the vpn is also the gateway for the lan 18:28 < ricoshady> how do I connect them? 18:28 < ricoshady> so I can ping my local lan from the vpn client 18:30 < zoredache> !route 18:30 < vpnHelper> zoredache: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 18:32 < ricoshady> i know ive read that im still having problems... 18:32 < ricoshady> cause that is more complicated than I need I think 18:39 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:40 < ricoshady> im pushing the route to the client saying route all lan traffic thru the vpn... do I need anything else cause i still cant get thru 18:43 < zoredache> it doesn't seem like you should need anything more... 
But then i don't really know 18:46 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit [Read error: 104 (Connection reset by peer)] 19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:09 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)] 19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:32 < ecrist> thei0s: you can't do that 19:33 < thei0s> am.. I can, but the openvpn ignores such packets (no replys) :) 19:34 < thei0s> therefore I am asking if there exists a document with the openvpn protcol specification that I could look at to see if it is really not compatible or I just need to manipulate the contents a little to make it work 19:41 < ecrist> check the mailing list 19:57 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:02 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:20 -!- Gray9Mar_ [i=surf___@gateway/tor/x-612f0b46517ee086] has joined ##openvpn 20:20 -!- Gray9Mar [i=surf___@gateway/tor/x-fcbf8d33a0e756f7] has quit [Remote closed the connection] 20:20 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] 
has quit [Read error: 104 (Connection reset by peer)] 20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:40 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn 20:46 -!- thei0s [n=G0D@stud247204.studentenheim.uni-tuebingen.de] has quit ["Leaving."] 20:49 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 20:52 -!- Gray9Mar_ [i=surf___@gateway/tor/x-612f0b46517ee086] has quit [Remote closed the connection] 20:59 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit ["leaving"] 21:17 -!- ledoktre [n=ledoktre@67.224.62.214] has quit [] 21:17 -!- Gray9Mar [i=surf___@gateway/tor/x-eaa4803bcbd3ac27] has joined ##openvpn 21:57 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["[BX] Reserve your copy of BitchX-1.1-final for the Atari 2600 today!"] 22:01 -!- onats [n=onats@122.53.131.243] has joined ##openvpn 22:03 < onats> !sampleconfig 22:03 < vpnHelper> onats: Error: "sampleconfig" is not a valid command. 22:03 < onats> !configs 22:03 < vpnHelper> onats: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 22:04 < onats> what's the shortcut for krzie's sampleconfig again? 23:05 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn 23:06 < ricoshady> can someone here help me with firewalls/routing? 23:07 < ricoshady> i cant get my vpn client to talk to the local lan. 23:17 < ricoshady> basically the vpn clients are on 10.4.4.0 and the local lan is 10.4.5.0. 
I puhed a route to the client in order to move traffic from the lan to vpn 23:35 -!- Seb [n=Seb@untangle/dev/seb] has joined ##openvpn 23:35 < Seb> hi fellows 23:36 < Seb> so, if my client is doing "redirect-gateway def1", but also dropping privileges, then I can't expect to have the static route removed form my routing table after I stop openvpn ? 23:37 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Sat Jan 24 2009 00:12 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has joined ##openvpn 00:15 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 00:18 * tjz swim in 00:55 -!- iamamoron [n=Miranda@210.238.181.187] has joined ##openvpn 00:55 < iamamoron> hi there 00:55 < iamamoron> ho can i migrate all my certs in my new server? 00:55 < iamamoron> any ideaS? 00:58 < iamamoron> ? 02:27 < tjz> is there a newsletter which give us immediate update when there is a new beta/release 02:50 < onats> youreamoron, you can just copy the certs right? 
03:32 -!- gallatin [n=gallatin@dslb-092-072-072-233.pools.arcor-ip.net] has joined ##OpenVPN 03:37 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 03:44 -!- mcp [n=mcp@wolk-project.de] has quit ["ZNC - http://znc.sourceforge.net"] 04:08 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 145 (Connection timed out)] 04:23 -!- iamamoron [n=Miranda@210.238.181.187] has quit [Read error: 54 (Connection reset by peer)] 04:42 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn 04:42 < ricoshady> hello 05:10 -!- altus-dominus [n=altus-do@87-194-76-27.bethere.co.uk] has joined ##openvpn 05:10 < altus-dominus> hey guys 05:11 < altus-dominus> I been having some issues with openvpn recently, when i run openvpn --config myfile.ovpn i get this eror msg 05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 Error opening file lwadmin.p12 (OpenSSL) 05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 Exiting 05:11 < altus-dominus> any ideas ? 
05:47 -!- Gray9Mar [i=surf___@gateway/tor/x-eaa4803bcbd3ac27] has quit [Remote closed the connection] 05:54 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:59 -!- Gray9Mar [i=surf___@gateway/tor/x-df17f843eaf70aab] has joined ##openvpn 06:09 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 06:09 -!- Gray9Mar [i=surf___@gateway/tor/x-df17f843eaf70aab] has quit [Remote closed the connection] 06:17 -!- Gray9Mar [i=surf___@gateway/tor/x-8f3f538ae12f59ed] has joined ##openvpn 06:36 -!- gallatin [n=gallatin@dslb-092-072-072-233.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)] 07:27 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 07:44 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 09:28 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 10:16 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has joined ##openvpn 10:17 < Jason404> i am having problems in making an SSL cert 10:17 < Jason404> been follwing these intructions; 10:17 < Jason404> http://www.freebsddiary.org/openvpn-easy-rsa.php 10:17 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org) 10:18 < Jason404> but i am using WIndows x64, so I had to change the HOME directory in the vars batch file 10:18 < Jason404> then I ran vars 10:18 < Jason404> no feedback 10:19 < Jason404> ah, i just realised that I did not run it in the CD 10:24 < Jason404> no, still an error 10:24 < Jason404> about openssl.cnf not being found in usr 10:25 < Jason404> but it does not say anything about making that file before running build-ca 10:25 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)] 10:25 < Jason404> is there a similar step by step available anywhere for Windows? 
10:26 -!- ozirus [n=Furkan@81.214.150.105] has joined ##openvpn
10:32 -!- ozirus [n=Furkan@81.214.150.105] has quit ["Kopete 0.12.7 : http://kopete.kde.org"]
10:37 < Jason404> oh what?? Is OpenVPN even supported on Win x64 ???
10:39 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
10:42 -!- joelsolanki [i=joelsola@123.237.173.217] has quit [Client Quit]
10:43 -!- joel-reachxnetwo [i=joelsola@123.237.173.217] has joined ##openvpn
10:44 -!- joel-reachxnetwo [i=joelsola@123.237.173.217] has left ##openvpn []
10:44 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
10:44 -!- muxpux [n=muxpux@soup.capital-today.net] has quit ["Lost terminal"]
10:53 < Jason404> ok. i found this: http://www.runpcrun.com/howtoopenvpn
10:53 < vpnHelper> Title: OpenVPN Windows HowTo | IT Support London - runPCrun (at www.runpcrun.com)
10:54 < Jason404> you could have told me about that earlier bot
10:54 < Jason404> what is the point of this bot if it just shows you links you have just mentioned?
10:57 < jpalmer> Jason404: too many people on IRC toss random links out, with no explanation of what it is. the bot grabs the title, so you can determine if it's of interest.
10:58 < Jason404> ah ok. makes sense
10:58 < jpalmer> example: I IRC from work, and don't follow random links, because I don't want porn, or objectionable material popping up.
10:58 < Jason404> of course
10:59 < Jason404> http://www.google.com
10:59 < vpnHelper> Title: Google (at www.google.com)
10:59 < Jason404> ic. it works with any link
11:01 -!- joelsolanki [i=joelsola@123.237.173.217] has quit []
11:22 < ecrist> Jason404: that bot doesn't just tell you page titles for links
11:22 < ecrist> it's got shortcuts to various information we have to shell out to nearly everyone that joins this channel
11:23 < Jason404> ic. i have only seen it give link titles, and I thought it was working on keywords that it found in the URLs
11:24 < Jason404> and then gives out the exact same link by coincidence
11:24 < Jason404> that link I found makes setting up openvpn a lot easier
11:25 < Jason404> uses the GUI
11:41 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
11:41 < joelsolanki> !route
11:41 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:43 -!- Dopefish [i=dopefish@unaffiliated/imk] has joined ##openvpn
11:49 -!- Dopefish [i=dopefish@unaffiliated/imk] has left ##openvpn []
11:50 -!- Seb [n=Seb@untangle/dev/seb] has left ##openvpn []
11:53 -!- joelsolanki [i=joelsola@123.237.173.217] has quit []
12:00 -!- sasimo [n=simonovi@dslb-084-058-191-003.pools.arcor-ip.net] has joined ##openvpn
12:01 < sasimo> hello
12:01 < sasimo> does someone know if openvpn can also communicate with a nortel router directly?
12:08 -!- sasimo [n=simonovi@dslb-084-058-191-003.pools.arcor-ip.net] has left ##openvpn []
13:32 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
13:45 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:00 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has quit ["Spare me some sleep, please."]
14:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:51 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
17:07 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
17:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
17:51 -!- Bushmills [n=nl@verhau.de] has quit [Read error: 60 (Operation timed out)]
17:52 -!- Bushmills [n=nnl@verhau.de] has joined ##openvpn
19:01 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
19:33 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
19:39 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
20:09 -!- MRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
20:10 -!- MRCUTEO is now known as mRCUTEO
20:12 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has joined ##openvpn
20:12 < mRCUTEO> hiya all
20:12 < mRCUTEO> happy chinese new year
20:13 < sasimo> hi everyone. in the listings the only answer is that openvpn can set up a preshared key. do i have an option to set a preshared key myself, which will then be put in the key file?
20:13 < onats> kiong hi huat chai!
20:14 < mRCUTEO> :) onats
20:19 < sasimo> someone alive?
20:29 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has left ##openvpn []
20:41 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 110 (Connection timed out)]
20:41 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has joined ##openvpn
20:42 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
20:51 -!- Gray9Mar_ [i=surf___@gateway/tor/x-ae0c356c0091c7fa] has joined ##openvpn
20:52 -!- Gray9Mar [i=surf___@gateway/tor/x-8f3f538ae12f59ed] has quit [Remote closed the connection]
20:56 -!- onats_ [n=onats@122.53.136.244] has joined ##openvpn
20:59 -!- blk_ice [n=devnull@bas8-montreal02-1096627565.dsl.bell.ca] has quit []
20:59 < dvl> your mom!
21:04 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has left ##openvpn []
21:18 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
21:41 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)]
21:41 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
22:15 -!- zoredache_ [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
22:26 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 110 (Connection timed out)]
22:47 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
22:48 -!- zoredache_ [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)]
22:59 < reiffert> no, your mom!
23:24 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
23:24 < joelsolanki> HI all
23:24 < joelsolanki> how much traffic will openvpn support
23:25 < joelsolanki> i want to know is it possible to have 10 Mbps traffic to be passing thru openvpn server and openvpn client ?
23:25 < joelsolanki> for us bandwidth is not an issue but will openvpn accept 10 mbps traffic without any problem ?
23:26 < joelsolanki> any suggestions / recommendation ?
23:33 -!- frankS2 [n=frank@ti500720a080-4450.bb.online.no] has joined ##openvpn
23:33 < frankS2> Sun Jan 25 06:35:42 2009 VERIFY ERROR: depth=1, error=certificate is not yet valid
23:33 < frankS2> anyone know how i can fix this?
23:41 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
23:46 < onats_> !dbf
23:46 < vpnHelper> onats_: Error: "dbf" is not a valid command.
23:56 < frankS2> Certificate is to be certified until Jan 23 05:59:51 2019 GMT (3650 days)
23:56 < frankS2> WTF!
23:56 < frankS2> i want it certified now
--- Day changed Sun Jan 25 2009
00:03 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
01:00 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has joined ##openvpn
02:42 < MMN-o> frankS2: You will have to sign a new one,
02:43 < MMN-o> But "until" means that it will _be_ certified including now _until_ that date.
02:44 < MMN-o> ...urr. I hope. I'm not sure on the exact terminology of openssl's messages
02:45 < MMN-o> In either case, openssl can print certificate sign- and expiration date
02:45 < MMN-o> frankS2: But most important, double-check your local time. Preferably keep it synchronized with ntp.
02:48 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:50 < MMN-o> Anyway, counting 2019-01-23 minus 3650 days would be correct (jan 25 2009) according to your log timestamp
03:18 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
03:23 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
03:35 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:48 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
05:20 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 104 (Connection reset by peer)]
05:21 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
05:21 < MMN-o> bah
05:33 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
06:35 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
06:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:47 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
08:53 < tjz> anyone using mac os w/ tunnelblick to connect to openvpn server?
08:58 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
09:01 < tjz> anyone using mac os w/ tunnelblick to connect to openvpn server?
09:03 < aar0n> tjz: yeah
09:03 < tjz> Hello aaron
09:04 < aar0n> tjz: hi
09:04 < tjz> we will copy the .ca and the .ovpn files to library > openvpn
09:04 < tjz> and we are ready to connect , right?
09:05 < aar0n> .ovpn files are for the windows client, tunnelblick will use them also ...
09:06 < aar0n> you will also need the cs the dhXXXX.pem
09:06 < aar0n> cs == ca (sry)
09:06 < aar0n> and of course the certificate
09:06 < tjz> ok
09:06 < tjz> looks good
09:07 < tjz> i have the same files copied to config directory for windows xp system
09:07 < tjz> works fine.
09:07 < aar0n> tjz: also be sure that the file path in the .conf or .ovpn is relative to the config file
09:07 < tjz> ah
09:07 < tjz> you are right, aaron
09:07 < tjz> what is the path for mac os?
09:08 < tjz> i am using ca "C:\\Program Files\\OpenVPN\\config\\ca.crt" for windows xp
09:08 < aar0n> tjz: tunnelblick will use the path of the .ovpn | .conf file as a relative base ...
09:08 < tjz> oh
09:08 < tjz> so..
09:08 < tjz> i will use:
09:08 < tjz> ca ca.crt
09:08 < tjz> am i right?
09:08 < aar0n> yes if the ca and the conf are both in ~/Library/openvpn/
09:08 < tjz> ok
09:08 < tjz> let me try
09:09 < tjz> should i put :
09:09 < tjz> ca "ca.crt"
09:09 < tjz> or
09:09 < tjz> ca ca.crt
09:09 < aar0n> that doesnt matter
09:09 < tjz> ok
09:10 < aar0n> but its generally a good idea to put the certs and the ca in a subfolder so that you have something like ca SUBFOLDER/ca.crt in the conf, that comes in handy if you have more than one openvpn server to connect to and need to add more ca.crt files to the directory
09:12 < tjz> ok
09:23 -!- altus-dominus [n=altus-do@87-194-76-27.bethere.co.uk] has left ##openvpn ["Leaving"]
09:50 -!- aar0n is now known as aar0n_away
10:02 -!- El_Presidente [i=Martin@p5798F46F.dip.t-dialin.net] has joined ##openvpn
10:02 < El_Presidente> hi
10:09 < ecrist> hi
10:11 < El_Presidente> ecrist, you remember my vpn problems? i set up a linux system
10:11 < El_Presidente> with an openvpn server on the router
10:12 < El_Presidente> server config: http://pastebin.com/m1b310221
10:12 < El_Presidente> firewall script: http://pastebin.com/m3977f879
10:12 < ecrist> El_Presidente: I don't remember your specific problems, though I think I remember you.
10:13 < El_Presidente> kk
10:13 < El_Presidente> tcpdump: http://pastebin.com/m67ce1b88
10:13 < El_Presidente> right now my vpn clients dont get an ip address from my local dhcp server
10:14 < El_Presidente> dhcpd config
10:14 < El_Presidente> http://pastebin.com/m39951496
10:14 < El_Presidente> the tunnel seems to be up
10:15 < ecrist> ok, what's your problem?
10:16 < El_Presidente> 1st the vpn clients dont get an IP address
10:17 < ecrist> why are you using tcp?
10:17 < El_Presidente> shall i use udp?
10:18 < ecrist> it is ideal. I'm sure you've been told that before.
10:18 < El_Presidente> well they told me that its not important
10:18 < ecrist> also, what makes you think, from looking at your server config, your clients would get an IP?
10:18 < ecrist> who told you that?
10:18 < ecrist> that has never been said in here, by anyone knowledgeable.
10:18 < El_Presidente> someone here in the chat
10:19 < ecrist> !tcp
10:19 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:19 < El_Presidente> okay ty
10:19 < ecrist> to my other question, why do you think you should be getting an IP on the VPN?
10:19 < El_Presidente> i followed the howto for bridging
10:20 < El_Presidente> http://openvpn.net/faq.html#bridge-addressing
10:20 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net)
10:20 < ecrist> well, the line that would assign an IP to vpn clients is commented out in the config you posted.
10:20 < El_Presidente> and did the second variant
10:20 < El_Presidente> because first did not work
10:20 < El_Presidente> and i find the second variant more appealing
10:21 < ecrist> what's more appealing?
10:22 < El_Presidente> that my local dhcp distributed the ip addresses
10:22 < El_Presidente> to the vpn
10:22 < ecrist> you want to use your LAN dhcp server
10:22 < ecrist> OK
10:22 < El_Presidente> yes
10:22 < ecrist> do you have your bridge built?
10:23 < El_Presidente> yes
10:23 < El_Presidente> with bridge-start
10:23 < El_Presidente> i changed the script according to my needs
10:23 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
10:23 < joelsolanki> Hi friends
10:23 < joelsolanki> hey ecrist :)
10:24 < joelsolanki> how are you ?
10:24 < El_Presidente> hello joelsolanki
10:24 < joelsolanki> Hi E1
10:24 < joelsolanki> just wanted to know can i have a vpn client to connect to 2 different vpn server. vpn clien is windows based sysem.
10:24 < joelsolanki> system
10:25 < El_Presidente> joelsolanki, create 2 tap devices
10:25 < El_Presidente> and 2 client configs
10:25 < joelsolanki> ok so same openvpn installation will take care of 2 client configs right ?
10:26 < El_Presidente> ecrist, http://pastebin.com/m50e9104 bridge-start
10:27 < ecrist> sorry, gotta go.
10:28 < El_Presidente> okay ty
10:28 -!- onats_ [n=onats@122.53.136.244] has quit [Remote closed the connection]
10:30 -!- aar0n_away is now known as aar0n
10:33 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has quit ["Spare me some sleep, please."]
11:22 -!- joelsolanki [i=joelsola@123.237.173.217] has left ##openvpn []
11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:52 -!- mcp [n=mcp@wolk-project.de] has quit [Remote closed the connection]
11:52 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal]
11:53 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
11:59 -!- emcepe [n=mcp@wolk-project.de] has joined ##openvpn
11:59 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)]
12:00 -!- emcepe is now known as mcp
12:07 -!- deh [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has joined ##openvpn
12:18 -!- deh_ [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has joined ##openvpn
12:18 -!- deh_ [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has quit ["Konversation terminated!"]
12:30 -!- ozirus [n=Furkan@81.214.150.105] has joined ##openvpn
12:41 < ozirus> how can i provide a "vpn connection time expire" thing. say, our client books the vpn connection for 1 hour and when the 1 hour finishes, the server kills the client's vpn connection. (ps: i'm trying to create an e-learning system)
12:44 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn
12:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:59 < El_Presidente> i still have a problem with the assigning of the default gateway in my openvpn client
12:59 < El_Presidente> http://pastebin.com/m29c1a193
13:00 < El_Presidente> server config: http://pastebin.com/m1b310221
13:00 < El_Presidente> client : http://pastebin.com/m4b763acc
13:00 < El_Presidente> any suggestions?
13:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:17 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
13:19 < _Sam--> hi, i have 2 hosts, A (openvpn server) and B (windows openvpngui). they are connected over WAN (public internet). when pinging/mtr/traceroute/whatever from either host in either direction OUTSIDE the vpn, there is no packet loss, latency or connection quality issue of any kind. when i do the same test to the vpn ip of both hosts, i end up with major packet loss and latency as soon as data starts to move over the vpn connection
13:20 < RUS> !configs
13:20 < vpnHelper> RUS: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:21 < _Sam--> thank you...just a min or two.
13:23 < ecrist> _Sam--: did you rule out hardware problems?
13:24 < _Sam--> ecrist : no i havent.
13:24 < _Sam--> but the problems are only occurring, over the vpn.
13:24 < _Sam--> here is the server
13:24 < _Sam--> port 1194
13:24 < _Sam--> proto udp
13:24 < _Sam--> dev tap
13:24 < _Sam--> ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
13:24 < _Sam--> cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
13:24 < _Sam--> key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
13:24 < _Sam--> dh dh1024.pem
13:24 < _Sam--> ifconfig-pool-persist ipp.txt
13:24 < _Sam--> server-bridge 10.8.0.50 255.255.255.0 10.8.0.51 10.8.0.100
13:24 < ecrist> _Sam--: pastebin
13:24 < _Sam--> client-to-client
13:24 < _Sam--> keepalive 10 120
13:24 < _Sam--> comp-lzo
13:24 < _Sam--> persist-key
13:24 < _Sam--> status openvpn-status.log
13:24 -!- mode/##openvpn [+o ecrist] by ChanServ
13:24 < _Sam--> log-append openvpn.log
13:24 -!- mode/##openvpn [+b *!*n=sam@*.kneedraggers.com] by ecrist
13:25 -!- mode/##openvpn [-o ecrist] by ecrist
13:25 < RUS> hi all
13:25 < RUS> what am i doing wrong ? did it with the HOWTO installation guide. but have an error.
13:25 < RUS> openvpn /etc/openvpn/server.conf Sat Jan 24 15:55:01 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Jan 22 2009
13:25 < RUS> Sat Jan 24 15:55:01 2009 Diffie-Hellman initialized with 1024 bit key
13:25 < RUS> Sat Jan 24 15:55:01 2009 Cannot load certificate file /etc/openvpn/easy-rsa/keys/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
13:25 < RUS> Sat Jan 24 15:55:01 2009 Exiting
13:26 < ecrist> RUS: pastebin, please
13:26 < RUS> bin ?
13:26 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has left ##openvpn []
13:26 < ecrist> RUS pastebin.com
13:26 < RUS> hm nice. wait plz
13:27 < RUS> http://pastebin.com/m10a97cb
13:27 < ecrist> but, it doesn't matter, as your server.crt file doesn't exist, or is in an incorrect format
13:27 < RUS> ecrist that file is ecsist.
13:27 < RUS> exist
13:27 < RUS> maybe its now PEM _ LIB ?
13:27 < RUS> where i can find and install it ?
13:28 < RUS> now = no
13:28 -!- mode/##openvpn [+o ecrist] by ChanServ
13:28 -!- mode/##openvpn [-b *!*n=sam@*.kneedraggers.com] by ecrist
13:28 -!- mode/##openvpn [-o ecrist] by ecrist
13:28 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
13:28 < _Sam--> sincere apologies to everyone for my mistake. im not a retard, just sometimes.
13:28 < ecrist> RUS, read through the following document, see if there are steps you missed.
13:28 < ecrist> !freebsd
13:28 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
13:29 < RUS> !freebsd
13:29 < vpnHelper> RUS: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
13:29 < RUS> !centos
13:29 < vpnHelper> RUS: Error: "centos" is not a valid command.
13:29 < ecrist> RUS, read the link under freebsd.
13:29 < _Sam--> this is my current server.conf http://pastebin.com/me2786ae
13:30 < ecrist> it's only mildly OS-specific
13:30 < ecrist> _Sam--: as I mentioned the other day, either you have a hardware/processor problem, or you have an ISP who's throttling your udp connections
13:30 < ecrist> why are you messing with mtu?
13:31 < _Sam--> because i was seeing if it had any noticeable difference if i tried adjusting it.
13:31 < _Sam--> it did seem to help a little.
13:31 < ecrist> have you looked at the mtu testing built in to openvpn?
13:31 < ecrist> !mtu
13:31 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
13:32 < _Sam--> if i could also give just a few more details , if i traceroute/ping/mtr to other hosts on the vpn i dont have packet loss, and data flows fine. but to the one particular host which is the vpn server, packet loss occurs.
13:33 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
13:33 < ecrist> so, pings between clients aren't affected?
13:33 < ecrist> or one client?
13:34 < _Sam--> ecrist : the former. pings, data, packet loss, all perfect between and among all other hosts on the vpn, except for if one of those hosts is the vpn server.
13:36 < _Sam--> i dunno. i have to think you are correct and maybe i am just seeing anomalies in the external network out of my control. but it just doesnt seem it.
13:36 < _Sam--> like you said, isp throttling UDP, prob.
13:37 < _Sam--> its odd that they would do that to our connection after having the same connectivity with them for 4 years, and having had the vpn fine for the last 2.5
13:37 < ecrist> udp throttling is a recent addition to ISP networks.
13:38 < _Sam--> that makes sense, cause i remember some network disruption in december when their router was down, at least the one we connect to. maybe they upgraded.
13:38 < ecrist> have you tried switching to TCP, to see if it mitigates your problem?
13:39 < _Sam--> no i havent...but i might do that now. if it does in fact fix it, what is the easiest way to fix the configs of the remote clients?
13:40 < ecrist> ship a new config to your clients and have them install it.
13:40 < ecrist> read !tcp for more info on TCP, though
13:40 < El_Presidente> ecrist, wb
13:40 < _Sam--> yeah. put it on our external site, have them grab it...could be worse.
13:40 < _Sam--> !tcp
13:40 < vpnHelper> _Sam--: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:42 < _Sam--> thank you again for mostly your patience with me, and also your advice, as always.
13:42 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
13:47 < _Sam--> you are RIGHT again. the vpn packet loss and latency only happens between certain routes, and certain ISPs.
13:49 < _Sam--> do some people run 2 different servers listening on both tcp and udp at the same time?
13:49 < ecrist> it can be done, I don't know of anyone who's doing it.
13:50 < _Sam--> while i may sound a bit crazy, i spent a lot of time tracking down this particular problem. it would be cool to maybe compile a list of known throttlers.
13:50 < _Sam--> in my case, its verizon fios.
13:51 < _Sam--> i have to do some more research to confirm 100% its them.
13:56 < _Sam--> might you have any suggestion for if i wanted to run another process listening on TCP just to test with, so i dont have to disrupt the other actively connected folks? will it complain that its already running?
13:56 < ecrist> different protocol, shouldn't complain.
14:01 < El_Presidente> ecrist, can you please take a look at my second post?
14:02 < El_Presidente> i still have a problem with the assigning of the default gateway in my openvpn client
14:02 < El_Presidente> http://pastebin.com/m29c1a193
14:02 < El_Presidente> server config: http://pastebin.com/m1b310221
14:02 < El_Presidente> client : http://pastebin.com/m4b763acc
14:02 < El_Presidente> i was able to get dhcp working
14:03 < ecrist> El_Presidente: did you read the logfile?
14:03 < ecrist> it tells you what you're missing...
14:04 < ecrist> Sun Jan 25 17:20:06 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
14:05 -!- frankS2 [n=frank@ti500720a080-4450.bb.online.no] has quit [Read error: 145 (Connection timed out)]
14:24 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has joined ##openvpn
14:26 < El_Presidente> ecrist, yes but i supply it ...
14:26 < El_Presidente> in the server config
14:26 < El_Presidente> push " redirect gateway def1
14:26 < El_Presidente> "
14:27 < El_Presidente> ecrist, and i followed the howtos and they say just the 2 options are needed
14:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:30 < El_Presidente> ecrist, http://openvpn.net/index.php/documentation/howto.html#redirect
14:30 < vpnHelper> Title: HOWTO (at openvpn.net)
14:36 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:42 < ecrist> El_Presidente: look up --route-gateway in the howto
14:43 < El_Presidente> i did
14:43 < ecrist> go here: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
14:43 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
14:43 < ecrist> search the page for --route-gateway
14:44 * ecrist goes away
14:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
14:54 -!- RUS [n=Mirc@88.214.199.147] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"]
15:41 -!- ozirus [n=Furkan@81.214.150.105] has left ##openvpn ["Kopete 0.12.7 : http://kopete.kde.org"]
16:01 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:02 -!- Plecebo [n=larry@64.62.119.142] has joined ##openvpn
16:05 < Plecebo> I'm using bridge mode and am having trouble pinging other computers on my local network from my client.
16:06 < Plecebo> example: vpn server ip: 192.168.16.55 non vpn machine ip: 192.168.16.5 vpn client ip: 192.168.16.200
16:07 < Plecebo> from the client I can not ping 192.168.16.5
16:07 < Plecebo> I'm connecting ok though (or so the status messages indicate)
16:14 < _Sam--> ecrist : thanks again. tcp is 0% packet loss, all fine. but i wouldnt go so far to say its definitely verizon fios hassling the UDP, im not sure exactly who.
16:14 < _Sam--> but its definitely something UDP related.
16:15 < _Sam--> maybe with this economy, more torrents flowin. dunno!
16:35 < deh> Noob at openvpn. I can ping my server via a client on another machine on the lan; a friend can ping via internet from his house. However, when one pings it appears to lock out the other, and we can't ping each other. Does this make sense?
16:40 < _Sam--> i really dont know much about that kind of stuff, but it might be that both you and your friend are using the same certificate, and maybe even are assigned the same vpn ip....and the vpn server may not know how to route the packets.
16:40 < _Sam--> like i said, i dont know a lot, though.
16:42 < deh> Sam: The certificates are definitely different, but it does look like they are being assigned the same vpn ip. Not sure how to correct the latter.
16:43 < _Sam--> well, i believe it would depend on your config, whether you are bridging or not.
16:43 < _Sam--> but there's a setting to assign IPs, and which to assign.
16:46 < deh> Sam: It is set up for routing, i.e. tun
16:47 < _Sam--> well, you would either have some line like this: server 10.8.0.0 255.255.255.0
16:47 < _Sam--> or, server-bridge 10.8.0.50 255.255.255.0 10.8.0.51 10.8.0.100
16:47 < _Sam--> but prob. not both.
16:47 < _Sam--> therein are the ips for assignment
16:53 < deh> Sam: Thanks for the thoughts. I have to break for dinner. Here is my line in the server config file 'server 10.143.15.0 255.255.255.0'. Maybe it has to do with my connecting to the server from the lan.
16:54 < _Sam--> there are also some settings that tell it to remember your ip based on certificate, and assign it to you again.
17:01 -!- zoredache_ [n=zoredach@c-76-121-86-209.hsd1.wa.comcast.net] has joined ##openvpn
17:01 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)]
17:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
17:24 -!- El_Presidente [i=Martin@p5798F46F.dip.t-dialin.net] has quit ["Verlassend"]
17:47 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
18:08 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["BitchX: the ONLY three day cure!"]
18:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
18:16 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has quit [Connection timed out]
18:23 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
18:38 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
18:40 -!- deh [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has quit ["Leaving"]
18:49 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has joined ##openvpn
18:54 < frankS2> Sun Jan 25 19:58:00 2009 WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.255.255.0] and remote VPN [10.0.0.0/255.255.255.0]
18:54 < frankS2> what does this mean?
19:32 < aar0n> frankS2: that your physical local lan network addresses / netmask might collide with the vpn's internet network addresses / netmask
19:34 < frankS2> aar0n, thank you - I have another question for you if thats ok
19:34 < frankS2> aar0n, when i connect to my VPN (tun0 gets up good with ip address and all (192.168.0.5, gw is 192.168.0.1) i am not able to ping 192.168.0.1
19:35 < frankS2> 192.168.0.0/24 is VPN
19:35 < frankS2> Internal network is 10.0.0.0/24
19:36 < aar0n> frankS2: mhh the gateway shouldn't be 192.168.0.1 unless you really want this ... have you checked iptables on the server's tun0 interface ?
19:37 < aar0n> it must accept INPUT and OUTPUT of traffic
19:37 < frankS2> it should work.. i run pfsense
19:37 < frankS2> with the vpn package
19:37 < frankS2> and i followed the manual of pfsense
19:37 < aar0n> frankS2: i don't know it ... maybe you find a pfsense irc channel
19:38 < aar0n> frankS2: the openvpn howto on openvpn.org is also a good resource
19:39 < frankS2> aar0n, ok thank you
20:10 -!- QuiescentW [n=Quiescen@c-68-56-237-254.hsd1.fl.comcast.net] has joined ##openvpn
20:11 < QuiescentW> i'm having problems with openvpn. once i get connected to my server i can't get on the internet locally
20:12 < QuiescentW> until i bring tap0 down
20:12 < aar0n> QuiescentW: make sure that the networks do not overlap
20:13 < QuiescentW> my local network is 192.168.1.0 and the openvpn server is on network 192.168.56.0
20:18 < QuiescentW> hmm
20:18 < QuiescentW> something is completely borked
20:18 < QuiescentW> even after it's disconnected now i can't get online
20:18 < QuiescentW> well
20:18 < QuiescentW> i can't resolve any ips
20:19 < aar0n> make sure the netmask is both 24 bit
20:19 < aar0n> eg. 255.255.255.0
20:22 < QuiescentW> they are
20:22 < aar0n> are you pushing any routes dns server or other options in the ccd or config file
20:23 < QuiescentW> do i need this bridge no
20:23 < QuiescentW> ... i mean, no
20:24 < QuiescentW> do i need this server-bridge line in here if I just use brctl to add tap0 to the lan bridge on my openvpn server?
20:25 < QuiescentW> i manually added tap0 on the server into a bridge and when i connect with the client i get a dhcp address outside the range of what is defined with server-bridge in the config file
20:25 < QuiescentW> i tried with that line commented out and not
20:26 < QuiescentW> still i get the same thing where i can't access the internet once i'm connected
20:26 < QuiescentW> i'll pastebin my configs
20:30 < QuiescentW> server: http://pastebin.com/f7c63ddbf client: http://pastebin.com/f3d2bac7c
20:30 < QuiescentW> the server is running on openwrt, i've been manually adding tap0 to the br-lan bridge
20:31 < QuiescentW> then connecting the client
20:31 < QuiescentW> and doing sudo ifconfig tap0 up; sudo dhclient tap0
20:31 < QuiescentW> then my internet breaks
20:31 < QuiescentW> the firewall on the server is completely off and it's connected directly to a modem
20:32 < QuiescentW> and i can't ping my local gateway or the gateway over the vpn
20:34 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
20:39 < aar0n> QuiescentW: sry, would love to help ... but i'm too tired right now ... i'm going to bed
20:40 < QuiescentW> thanks anyway
20:48 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit ["Read error: Connection reset by peer"]
20:51 -!- Gray9Mar [i=surf___@gateway/tor/x-d77b429510f9d885] has joined ##openvpn
21:00 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has quit [Read error: 60 (Operation timed out)]
21:01 -!- Gray9Mar_ [i=surf___@gateway/tor/x-ae0c356c0091c7fa] has quit [Remote closed the connection]
21:01 -!- frankS2 [n=frank@ti500720a080-0043.bb.online.no] has joined ##openvpn
21:38 -!- Plecebo [n=larry@64.62.119.142] has quit [Remote closed the connection]
21:57 -!- easymac [i=uminac@users.easymac.org] has left ##openvpn []
22:19 -!- zoredache_ is now known as zoredache
22:55 < QuiescentW> does openvpn run the bridge-start and bridge-stop scripts or do i need to do that manually?
22:57 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:58 < onats> hi
23:59 -!- QuiescentW [n=Quiescen@c-68-56-237-254.hsd1.fl.comcast.net] has quit ["Leaving"]
--- Day changed Mon Jan 26 2009
00:08 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
00:08 < joelsolanki> hey guys
00:08 < joelsolanki> can tcpwrappers give trouble for connecting openvpn from client machine
00:08 < joelsolanki> my friend has ubuntu 8.0.4 and but vpn is not working
00:09 < joelsolanki> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
00:09 < joelsolanki> this error i receive on server side.
00:09 < joelsolanki> but the same keys work on windows xp
00:09 < joelsolanki> and even on other linux machine
00:09 < joelsolanki> so does /etc/hosts.allow come in picture for openvpn connecting ?
01:05 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
02:13 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 101 (Network is unreachable)]
02:21 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
02:21 < joelsolanki> hello anybody around?
02:22 < joelsolanki> from last 3 to 4 days my friend is facing problem in openvpn on ubuntu 8.0.4
02:22 < joelsolanki> so for checking perfectly i installed ubuntu 8.0.4 on my test machine.
02:22 < joelsolanki> installed openvpn and kept the keys and stuff but i also see it is not working.
02:23 < reiffert> joelsolanki: answer is no, /etc/hosts.allow on the client machine is not responsible.
02:23 < joelsolanki> yes it doesnt seem to be tcp wrappers issue.
02:23 < joelsolanki> it is something different.
02:24 < joelsolanki> ca.cert client.conf joel_vista.cert joel_vista.csr joel_vista.key files are working on my redhat and debian os
02:24 < joelsolanki> but today i installed ubuntu 8.0.4 and copied all this files and started openvpn but it gives error.
02:24 < reiffert> !iptables
02:24 < vpnHelper> reiffert: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
02:25 < joelsolanki> iptables input,output,forward are all set to ACCEPT as default policy
02:25 < joelsolanki> so no firewall
02:25 < joelsolanki> let me pastebin the output in verb 6
02:26 < reiffert> ACCEPT and empty?
02:26 < joelsolanki> yes all is set to ACCEPT and there is no firewall rules
02:27 < joelsolanki> http://pastebin.ca/1318393
02:27 < joelsolanki> this the output of client machine
02:28 < joelsolanki> this is the output of server machine http://pastebin.ca/1318394
02:28 < joelsolanki> see if you find something.
02:30 < reiffert> You mixed up the certificate stuff. See
02:30 < reiffert> !howto
02:30 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:30 < joelsolanki> can you explain me ?
02:30 < reiffert> !configs
02:30 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:31 < joelsolanki> ok 1 sec
02:31 < joelsolanki> http://pastebin.ca/1318395
02:31 < joelsolanki> this is the client config
02:32 < joelsolanki> on my vpn server there are already 4 to 5 users connected.
02:32 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has left ##openvpn []
02:32 < joelsolanki> maybe i have missed something on client config
02:34 < joelsolanki> this same files. ca.cert, client.conf, joel_vista.cert, joel_vista.csr, joel_vista.key i kept on debian OS before and it connected. same with fedora 5
02:34 < joelsolanki> but on ubuntu 8.0.4 it didn't work.
02:34 < joelsolanki> not able to understand what is causing problem.
02:35 < joelsolanki> reiffert: still do you think it is certificate stuff ?
02:36 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
02:37 < joelsolanki> reiffert: you there ?
03:07 < cyberjames> /wi/wind6
03:07 < cyberjames> ops
03:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:53 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
05:02 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
05:21 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
05:22 < c64zottel> hello,
05:22 < c64zottel> is it possible, that the user gets automatically a ticket from a kerberos server, when he logged in via OpenVPN?
05:25 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
06:08 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:11 < dazo> c64zottel: I don't know ... but it's an interesting approach .... if you have user/auth authentication enabled in OpenVPN ... you could probably manage to write a script which does the authentication and then issues a request for a ticket ... BUT ... I don't think it will work, since that ticket will only be valid on the OpenVPN server, it will not be "exported" to the client, afaik
06:12 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [Client Quit]
06:24 -!- brain0 [n=brain0@archlinux/developer/brain0] has joined ##openvpn
06:24 < brain0> hi
06:24 < brain0> what ways are there to reduce openvpn server memory usage?
06:25 -!- skx [i=skx@unaffiliated/skx] has joined ##openvpn
06:26 < brain0> with one connected client, it uses almost 7MB of memory, which is pretty much if you have 16MB memory
06:27 < brain0> will the memory usage be reduced with --max-clients 1 or with --mode p2p instead of --mode server? (and will I be able to use push-directives in --mode p2p?)
06:27 < skx> Hello, I would like to set up openvpn tunnel to a computer at home, which does not have public ip address (nor can I forward any ports). However I can create an ssh tunnel to the appropriate port -- can openvpn work in this configuration?
06:29 < brain0> this is my configuration: http://pastebin.com/d503bb027 but I only connect rarely and only with one client, so if there is anything I can do to reduce memory usage, I'd really appreciate it :)
06:29 < dazo> skx: yes, OpenVPN can work as long as you can get access to it via Internet
06:29 < skx> dazo, and ssh tunnel will do?
06:30 < dazo> skx: How is it that you can ssh to the box? if you can SSH to your box ... it's the same for openvpn, just different port numbers
06:30 < skx> it's called reverse ssh tunnel iirc
06:30 < skx> I can ssh to the box by routing this connection through another machine
06:30 < dazo> skx: ahh ... that explains
06:31 < dazo> skx: I've not tried openvpn over ssh tunnel .... it requires openvpn to be in TCP mode ... in theory this should work .... but how well it will work, regarding throughput, I have no idea
06:32 < skx> ok, thanks, will try that then
06:33 < dazo> skx: be aware that you might need to have a closer look on the MTU parameters for this to work as well ... you might need to decrease the MTU values to make it work as well
06:33 < skx> MTU and tcp mode
06:33 < skx> ok
06:33 < skx> I'll probably be back anyway
06:34 < dazo> skx: and since you have the traffic encrypted via SSH first ... I would probably consider not to use encryption in OpenVPN, or a weak one, to avoid CPU time spent on trying to encrypt and compress encrypted data
06:34 < dazo> skx: but if you are paranoid and want to be 100% the data transfer is safe .... use double layer encryption too :)
06:35 < skx> but only traffic between the routing machine and my home box is encrypted
06:35 < dazo> skx: oh true ... good point
06:35 < skx> traffic from my laptop to the routing machine would be in plain text
06:35 < dazo> skx: I thought that this ssh server was on a local network of yours
06:56 < c64zottel> dazo, thx, at least now i know that i understand the stuff right
06:57 < dazo> c64zottel: np! :)
07:02 < c64zottel> but its possible to run a script if openvpn authenticated successfully, so this could be the script to authenticate against kerberos, but, how can i distribute the credentials to it?
07:06 < dazo> c64zottel: well, I was only thinking about the server side ... I don't know how this could work on the client side ... if you use something like --up scripts or similar
07:06 < ecrist> morning, bitches
07:07 < c64zottel> mornich christ
07:07 * ecrist looks around for christ
07:07 * dazo do not acknowledge ecrist as christ .... not before I've seen some miracles ....
07:08 < dazo> c64zottel: but I don't think there are any mechanisms in krb to distribute the credentials .... but I don't know krb so well
07:08 < c64zottel> dazo, right
07:08 < c64zottel> morning, main-bitch
07:11 < ecrist> dazo, I can turn wine into pee...
07:11 < dazo> ecrist: heh ... so can I :-P
07:46 -!- Sir_J [n=Sir_J@86.57.159.207] has joined ##openvpn
07:51 < plaerzen> morning irc
07:55 < ecrist> good morning, plaerzen
07:56 < plaerzen> how was your weekend?
07:56 < ecrist> cold.
07:56 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Pagautas
07:56 < ecrist> played a lot of rock band and sat around the house.
07:56 -!- Netsplit over, joins: Pagautas
07:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
08:11 < plaerzen> ecrist, yeah, it's been cold here too.
08:12 < plaerzen> ecrist, But, up here, if you hate the cold, you're living in the wrong city. I woke the sun on sunday morning with my cajoling.
08:24 -!- brain0 [n=brain0@archlinux/developer/brain0] has quit ["leaving"]
08:35 -!- Sir_J_ [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
08:35 -!- Sir_J [n=Sir_J@86.57.159.207] has quit [Read error: 131 (Connection reset by peer)]
08:38 < ecrist> plaerzen: where's 'up here'?
08:39 < plaerzen> calgary, canada
08:39 < plaerzen> ecrist,
08:55 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
09:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:56 < ecrist> lol: http://www.i-hacked.com/content/view/274/1/
09:57 < vpnHelper> Title: I-Hacked.com Taking Advantage Of Technology - Inside Programmable Road Signs (at www.i-hacked.com)
09:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:04 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn
10:04 < muxpux> hi..this is my network support
10:04 < muxpux> like
10:05 < muxpux> we have a router/modem
10:05 < muxpux> under it got a server dmzed
10:05 < muxpux> openvpn server running on it
10:07 < muxpux> so the server got private i[
10:07 < muxpux> ip
10:07 < muxpux> so can i use bridged vpn on that server
10:07 < muxpux> ?
10:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:23 < ecrist> sure, why not?
10:28 -!- frankS2 [n=frank@ti500720a080-0043.bb.online.no] has quit [Read error: 60 (Operation timed out)]
10:30 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
10:30 < mmcgrath> I've got a client that keeps reconnecting to our vpn server. When I ping it (via vpn) it gets about 50% packet loss over time. When I ping it directly (not over vpn) I get 0% packet loss.
10:30 < mmcgrath> the logs on both servers don't really show much but I am seeing:
10:30 < mmcgrath> SIGUSR1[soft,ping-restart] received, process restarting
10:31 < mmcgrath> which almost, to me anyway, implies that something is restarting vpn.
10:31 < ecrist> mmcgrath: tcp or udp?
10:31 < mmcgrath> udp
10:31 < mmcgrath> I used iperf to test udp traffic between the two. I didn't see any errors though it wasn't as fast as I'd thought.
10:31 < dazo> mmcgrath: could it be some mtu issues?
10:32 < mmcgrath> It could be. I've got lots of servers on this LAN (both the client and server are on a LAN) but this is the only host I'm seeing it on.
10:32 < dazo> mmcgrath: which versions (openvpn) are you using on server and client?
10:33 < mmcgrath> openvpn-2.1-0.29.rc15.el5
10:33 < mmcgrath> both
10:33 < mmcgrath> one other thing I've considered is that another host accidentally has this host's certs and is trying to connect as it.
10:33 < dazo> mmcgrath: that should be very fine ... I'm running a similar setup myself, without issues ... even though I haven't benchmarked it yet ... as it seems to be reliable enough
10:34 < mmcgrath> but I thought that would show up in the server logs.
10:34 < dazo> mmcgrath: yeah, that should pop up in logs
10:34 < dazo> mmcgrath: tls enabled? ... or only shared static.key?
10:35 < mmcgrath> tls
10:35 < mmcgrath> is the "SIGUSR1[soft,ping-restart]" entirely generated by openvpn?
10:36 < dazo> mmcgrath: this is really odd ... I'd try a few different mtu values .... to see if that could be the reason
10:36 < mmcgrath> k
10:36 < dazo> mmcgrath: yeah, SIGUSR1 is internally in the openvpn process .... unless you have a third-party application doing kill -USR1 .... or something playing with the management interface, if that's enabled
10:38 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 110 (Connection timed out)]
10:39 < mmcgrath> OH!
10:39 < mmcgrath> interesting.
10:39 * dazo gets curious now ...
10:39 < mmcgrath> I missed it earlier. I have two tun devices up right now, tun0 and tun1. Both with the vpn IP address.
10:39 * mmcgrath wonders why both of those are up.
10:40 < dazo> both with the same IP addresses?
10:40 < mmcgrath> yeah, its almost as if two openvpn procs are running
10:40 < mmcgrath> and yes, right now two of them actually are running. Most curious.
10:41 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
10:42 < dazo> mmcgrath: that can cause such "ping-restart" requests yes ... if the one of the processes don't get the expected response in time
10:43 < mmcgrath> Yeah, it looks like one is just up and running (from like 3 weeks ago or so) and the other one keeps restarting.
10:43 < mmcgrath> I ended up killing the old one and everything is fine now. I'm trying to go through my logs to see what might have caused it.
10:49 -!- Gray9Mar_ [i=surf___@gateway/tor/x-78139b99659002fc] has joined ##openvpn
11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:20 -!- Sir_J_ [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
11:35 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
11:39 -!- Gray9Mar [i=surf___@gateway/tor/x-d77b429510f9d885] has quit [Remote closed the connection]
11:46 -!- Gray9Mar_ [i=surf___@gateway/tor/x-78139b99659002fc] has quit [Remote closed the connection]
11:48 -!- Gray9Mar [i=surf___@gateway/tor/x-67a3d6bd480f8baf] has joined ##openvpn
11:48 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
11:48 < joelsolanki> Good morning guys
11:49 < joelsolanki> i have a strange problem in openvpn.
11:49 < joelsolanki> .key .csr .cert ca.cert all are working well on redhat and debian linux
11:49 < joelsolanki> but all same stuffs on ubuntu 8.0.4 is giving error
11:50 < joelsolanki> let me pastebin the client output of syslog.
11:51 < joelsolanki> http://pastebin.ca/1318736
11:51 < dazo> joelsolanki: the problem is not openvpn ... it's ubuntu :-P
11:51 < joelsolanki> that is what i thought. but i just really dont know how to figure it out.
11:52 < joelsolanki> i have tried my best to solve but no luck.
11:52 < joelsolanki> iptables firewall is OFF. tcpwrappers is OFF.
11:52 < dazo> joelsolanki: install Fedora? :-P
11:52 < joelsolanki> there is no other vpn software on ubuntu too.
11:52 < joelsolanki> naah. i cant do that :(
11:52 < dazo> joelsolanki: well seriously .... the problem is here: VERIFY X509NAME ERROR: /CN=lakefront.countersnipe.com, must be lakefront.countersnipe.com
11:53 < joelsolanki> what is that problem ?
11:53 < dazo> joelsolanki: it's a mismatch between certificate and expected hostname .... are you using tls-verify?
11:54 < dazo> joelsolanki: sorry ... tls-remote
11:54 < joelsolanki> yes this is client.conf http://pastebin.ca/1318739
11:54 < joelsolanki> and it seems it is set perfect in client.conf. take a look at pastebin abov
11:54 < joelsolanki> above
11:56 < dazo> joelsolanki: okey ... I'm guessing the Subject field in your certificate has become screwed up somehow .... Try to create a new certificate ... it's failing on the certificate validation
11:57 < dazo> joelsolanki: the log you sent ... was that from server or client?
11:57 < joelsolanki> log is from client
11:57 < joelsolanki> man i created more than 4 certificates. all are failing.
11:58 < joelsolanki> :)
11:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Success]
11:58 < dazo> joelsolanki: aha .... okey ... which openvpn and openssl version are you using?
11:58 < joelsolanki> let me check
12:01 < dazo> joelsolanki: also check one thing with your certificate .... can you share the result of this command line? -> openssl x509 -noout -subject -in {certfile}
12:01 < dazo> Just to check that the cert looks reasonable
12:02 < joelsolanki> openssl Version: 0.9.8g-4ubuntu3
12:02 < joelsolanki> openvpn Version: 2.1~rc7-1ubuntu3
12:03 < joelsolanki> ok let me see
12:03 < dazo> joelsolanki: both your client cert and the ca.cert
12:04 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit ["Leaving."]
12:04 < joelsolanki> client is subject= /CN=delhi
12:04 < joelsolanki> server is subject= /CN=CounterSnipe openvpn CA
12:04 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
12:05 < dazo> joelsolanki: and what about the ca.cert ?
12:05 < dazo> joelsolanki: it should be 3 certificates ... client, server and ca
12:05 < boneybastard> Keep getting Connection Refused (code=111)
12:05 < boneybastard> http://paste.debian.net/26965/
12:05 < joelsolanki> honeybastard: same with me :)
12:06 < boneybastard> thought it was the firewall at first but the ports are forwarded, outgoing udp is allowed
12:06 < boneybastard> and tun0 accepts traffic
12:06 < boneybastard> joelsolanki any success ?
12:06 < aar0n> hi
12:06 < aar0n> i have a strange problem
12:07 < joelsolanki> i gave you client and ca.cert
12:07 < joelsolanki> i m looking for server file. dazo
12:07 < dazo> joelsolanki: just take the ca.cert which you point at in the client config
12:07 < joelsolanki> dazo: what would be file name
12:08 < joelsolanki> oh k
12:08 < aar0n> i have 2 openwrt routers one running an openvpn server one is running a openvpn client ... they both bridge tap0 to the bridge ... until recently this setup gave both networks a transparent connection - but now i can only ping from one side of the network to the other ... the other way around the icmp packets never find the destination
12:08 < joelsolanki> subject= /CN=CounterSnipe openvpn CA
12:08 < joelsolanki> dazo: same results
12:09 < dazo> boneybastard: for me it seems like you might block outgoing traffic on your server .... missing a -m state --state RELATED,ESTABLISHED -j ACCEPT rule in output?
12:09 < dazo> joelsolanki: that's the problem .... openvpn expects lakefront.countersnipe.com ... not CounterSnipe openvpn CA ....
12:09 < boneybastard> hm, its going over udp which is stateless
12:10 < boneybastard> -m state --state RELATED, ESTABLISHED still needed?
12:11 < dazo> joelsolanki: I'm afraid to say, that you most probably should try to setup your CA once again .... create CA key and cert, then create server.key and server.crt ... and then client.key and client.crt .... common_name on server and client must be their hostnames .... common_name for CA can be whatever else
12:12 < joelsolanki> dazo: how come it works in redhat and debian ?
12:12 < joelsolanki> ok
12:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
12:12 < dazo> boneybastard: I would expect so, yes .... and if that's not the case .... the traffic is blocked on the client .... again, typical state issue
12:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:13 < boneybastard> ill snoop around a little, thanks for the help dazo
12:13 < dazo> joelsolanki: that's a good question ... you can try that openssl command on those boxes as well and see what they say .... because I would actually expect this to fail as well
12:13 < dazo> boneybastard: np!
12:13 < joelsolanki> ok let me check
12:14 < joelsolanki> it says same result subject= /CN=CounterSnipe openvpn CA
12:14 < joelsolanki> then it should fail on redhat too
12:14 < dazo> and your client config also says tls-remote?
12:14 < joelsolanki> you want to see the log of redhat ?
12:14 < joelsolanki> yes
12:14 < dazo> please
12:15 < dazo> and config
12:15 < joelsolanki> ok let me do
12:15 < dazo> this is really odd ...
12:17 < joelsolanki> http://pastebin.ca/1318749
12:17 < joelsolanki> take a look
12:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
12:19 < joelsolanki> sorry verb 6 is not active. let me do and send you logs again
12:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:21 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
12:21 < donavan> !route
12:21 < vpnHelper> donavan: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:21 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)]
12:22 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Client Quit]
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY OK: depth=1, /CN=CounterSnipe_openvpn_CA
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY X509NAME OK: /CN=lakefront.countersnipe.com
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY OK: depth=0, /CN=lakefront.countersnipe.com
12:22 < joelsolanki> this shows in client
12:22 < boneybastard> dazo nah, -m state --state ESTABLISHED,RELATED -j ACCEPT didnt do the job ;(
12:22 < dazo> joelsolanki: ahh ... I might have missed one thing in the client log ....
12:23 * dazo double checks
12:23 < joelsolanki> what ?
12:24 < dazo> joelsolanki: okey ... you are using the same certificate for server and ca on your server most probably ... or you have a mixture here ...
12:25 < dazo> joelsolanki: and most probably you have managed to flip certs around so it is correct on your RH boxes
12:25 < joelsolanki> ok
12:25 < joelsolanki> it even works on windows xp
12:25 < dazo> joelsolanki: make sure that the ca.cert file is the same on all boxes ... and named as ca.cert ..... the server.cert should be unique/different from ca.cert on ... and only on the server
12:26 < dazo> joelsolanki: and the clients should only have ca.cert and its own client.cert
12:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:26 < joelsolanki> yes thats what it is
12:26 < dazo> joelsolanki: you have perfect match on the ca.cert in Ubuntu as well .... but it fails on validating the server cert
12:26 < joelsolanki> this is not the single box.
12:27 * dazo don't follow
12:27 < dazo> not single box?
12:27 < joelsolanki> my friend was having problem on ubuntu 8.0.4 so i thought he might be doing mistake but then i installed ubuntu on my test machine but it happened same to me so i was shocked
12:27 < dazo> this gets even more fun
12:27 < joelsolanki> :)
12:28 < joelsolanki> do you use ubuntu ?
12:28 < dazo> joelsolanki: where and when have you created the certificates? On ubuntu/debian ?
12:28 < joelsolanki> debian
12:28 < dazo> joelsolanki: unfortunately, I have one ubuntu box .... will upgrade it when I get time to Fedora 10
12:29 < dazo> joelsolanki: was that before or after this nasty openssl exploit last year?
12:29 < joelsolanki> i think before
12:29 < dazo> joelsolanki: that might be the reason .... you have a vulnerable SSL certificate in that case .... and ubuntu and newer debian clients have checks for this ....
12:30 < joelsolanki> ahh but i installed debian 4 also and it worked on it.
12:30 < dazo> joelsolanki: the openssl bug corrupted the random generator .... so you can easily create a "fake" certificate which will easily be replaced
12:30 < joelsolanki> hmm
12:30 < dazo> debian 4 ... how old/new is that one?
12:31 < joelsolanki> i downloaded before 1 onth
12:31 < joelsolanki> month
12:31 < dazo> that box is safe .... but your ssl certs might be at risk
12:32 < joelsolanki> will upgrading openssl fix the problem ?
12:32 < dazo> I know ubuntu have hacked the openssl library afterhand ... if the certificate is one of x number of known hashes, it will reject any usage of that one
12:32 < joelsolanki> oh
12:32 < dazo> joelsolanki: openssl is fixed .... but your certificates might have the wrong hashes ....
12:32 < joelsolanki> hmm
12:33 < dazo> I might be wrong again here ... but I just have seen such issues as well
12:33 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
12:33 < joelsolanki> i understand
12:33 * dazo had generated ssl certs on ubuntu with this error and needed to recreate a lot of certificates and ssh keys
12:40 -!- bny [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
12:43 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal]
12:44 -!- Gray9Mar [i=surf___@gateway/tor/x-67a3d6bd480f8baf] has quit [Remote closed the connection]
12:46 -!- Gray9Mar [i=surf___@gateway/tor/x-1d2bf26543040c15] has joined ##openvpn
12:46 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit [Read error: 104 (Connection reset by peer)]
12:47 -!- joelsolanki [i=joelsola@123.237.173.217] has quit []
13:17 < bny> is there any openvpn switch i can use to specify which outgoing IP address it should use?
13:20 < dazo> bny: nafaik :( ... it will listen to all interfaces (server mode) and it will take the suitable one in client mode, depending on IP address
13:20 < bny> crap :E
13:21 < bny> i have 2 external IPs on the same ethernet port
13:21 < dazo> bny: you can probably hack this around with some NAT rules ....
13:21 < bny> clients connect to one of the IPs but get replies from the other IP, hence dropping the packets
13:21 < bny> yea i can probably SNAT outgoing traffic on port 1194
13:22 < dazo> bny: that sounds like misconfig of the DNAT actually ....
13:22 < dazo> bny: using iptables?
13:24 < bny> yup
13:24 < bny> hm are u sure that snat isnt supposed to be used?
13:26 < bny> dazo wanna help me define the rules?
13:26 < dazo> bny: if you are doing port natting on your firewall/entry point ... you'll need to use DNAT in the PREROUTING chain .... --to-destination :
13:26 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:26 < bny> only been using iptables for a week or so :(
13:26 < dazo> bny: np! :)
13:26 < bny> sweet :)
13:27 < dazo> bny: you seem to do pretty well, if this tricky thing is what you're fighting against now :)
13:27 < bny> hehe yea it took quite a while to figure it out i must say
13:28 < dazo> bny: well, but when you've gone through that ... the rest will go like a breeze :)
13:28 < bny> check this out: iptables -t nat -A PREROUTING -p udp -d $MIP (one of the ext interfaces) --dport 1194 -j DNAT --to 192.168.200.1:1194
13:28 < bny> looks ok?
13:29 < dazo> bny: at first sight, this looks very fine .... I can double check it against some of my rules
13:30 < dazo> bny: yeah, looks right :)
13:30 < bny> cool, ill try it then :)
13:31 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:33 -!- whits_ [n=jim@209-20-87-215.slicehost.net] has joined ##openvpn
13:34 < bny> nop, that wasnt enough
13:34 < dazo> bny: are you doing MASQUERADING ?
13:34 < bny> i need the clients to think that the packets are coming from $WIP and not $MIP
13:34 < bny> yea i MASQUERADE the local nets
13:35 < dazo> bny: would you mind sharing a iptables-save on pastebin?
13:35 < dazo> just replace your public IP addresses with something we can understand is public
13:35 < bny> hm, i rather paste portions of the file if its ok
13:35 < bny> some info in it that i dont want disclosed :(
13:36 < dazo> bny: sure! ... and it's the NAT table which is interesting
13:36 < dazo> bny: I just need to see enough to understand why things are getting out wrong
13:37 < bny> think i figured it out, sec
13:37 < dazo> dazo: I only use DNAT in PREROUTING .... and -o -j MASQUERADE in the POSTROUTING table ... and that works like a charm
13:39 < bny> i dont want to masq the whole interface though :P
13:39 < bny> i just need one of the nets to masq on 1194
13:39 < bny> the port that is
13:40 < dazo> bny: aha ... then you need SNAT in addition on the POSTROUTING .... before any masq rules
13:41 * dazo did that some years ago ... don't remember completely now ....
13:41 * dazo tries to remember
13:41 < bny> its kinda tricky
13:42 < bny> does the -s switch only accept host/subnet?
13:44 < bny> it would be pretty solid if you could do iptables -t nat -A POSTROUTING -s IP:port -o $WIF (ext int) -j SNAT --to $WIP (ext IP)
13:44 < dazo> bny: -s is only --source address
13:44 < bny> instead of -s host/subnet
13:44 < bny> yea i know thats the tricky part i want to work around
13:45 < bny> instead of source address i just want the rule to apply when a certain rule is used
13:45 < dazo> bny: but you do that .... with --sport / --dport .... that's more flexible
13:45 < bny> aha!
13:47 < bny> wanna show me an example rule?
13:47 < dazo> bny: misunderstand me correctly please .... you need -s/-d for host/subnet .... and --sport/--dport for ports
13:48 * dazo tries to find some SNAT examples
13:49 < bny> :P
13:49 < ecrist> bny: you can specify what address openvpn listens to.
13:49 < bny> what i want to do is that all traffic going from $MIP:1194 to appear as $WIP:1194
13:49 < bny> only on that particular port
13:50 < dazo> but isn't this what you are achieving already?
13:50 < ecrist> bny, that won't work.
13:50 < bny> why not? :(
13:50 < dazo> bny: are $MIP and $WIP both public facing IP addresses?
13:51 < bny> yea
13:51 < dazo> bny: why do you want to do this?
13:51 * dazo suddenly saw a light
13:51 < bny> they go inside the same physical interface
13:51 < bny> and that messes up openvpn
13:51 < bny> traffic coming in on $WIP and leaving on $MIP
13:52 < dazo> bny: aha! It's one physical interface with two IP addresses? ip aliases?
13:52 < bny> yes! :)
13:52 < bny> that results in no client being able to connect
13:53 < dazo> bny: openvpn will never send traffic out on the "wrong" ip address .... if it gets traffic in on $WIP it will send out on $WIP ... unless there are some NAT rules which change this behaviour
13:53 < ecrist> bny: with TCP, you can't set all outgoing traffic as 1194 if your openvpn instance is listening to 1194
13:54 < bny> its udp :)
13:54 < ecrist> ok, you can't do it with udp, either
13:54 < dazo> bny: one more question .... openvpn is running on the same box as your firewall? Or a separate box?
13:54 < bny> same box
13:54 < ecrist> unless openvpn is listening on udp, and your port mapping is for tcp
13:54 < bny> WIP and MIP are only ip addresses both coming in on WIF
13:55 < bny> ip aliasing
13:55 < bny> hm i dont follow?
13:55 < dazo> bny: WIF ... what is that? ... the physical interface?
13:55 < bny> yea
13:56 < dazo> bny: so WIP is the IP address of WIF .... and MIP is the IP address of WIF:1 ... (or similar)?
13:56 < bny> yea
13:56 * dazo just needs to be sure now
13:57 < dazo> bny: bring up that DNAT rule once more ....
13:57 < dazo> bny: We need to tweak this one
13:58 < bny> iptables -t nat -A PREROUTING -p udp -d $MIP --dport 1194 -j DNAT --to 192.168.200.1:1194
13:58 < dazo> bny: 192.168.200 ... which network is this? an internal one?
13:58 < bny> yea the gateway
13:58 < bny> should i set it to the external ip?
13:59 < bny> $WIP that is
13:59 < dazo> gateway? ... no it should be the IP address to where openvpn listens .... try localhost
13:59 < bny> oh my bad, its the box where vpn listens
13:59 < dazo> dazo: but it might be that this needs to be supported by a SNAT rule ... but that's not often
13:59 < dazo> yeah
14:02 < bny> any clues?
14:03 -!- QuiescentW [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn
14:03 < dazo> bny: did you try the DNAT rule and just changing 192 addr to 127.0.0.1?
14:04 < QuiescentW> can someone help me configure openvpn on openwrt. i'm having problems. I have the firewall on my router opened all the way up and when i connect i get an IP address but it cuts all my internet connection off and i can't even ping any of the remote computers 14:04 < ecrist> QuiescentW: your' probably using a conflicting IP range on the vpn subnet and/or your using redirect-gateway without proper NAT on the server end. 14:04 < ecrist> try reading through the following: 14:05 < ecrist> !route 14:05 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:05 < QuiescentW> i'm using ethernet bridging and the remote LAN subnet is different 14:05 < bny> dazo yea same problem 14:06 < dazo> bny: a possible attempt on SNAT ..... iptables -t nat -I POSTROUTING -p udp -s 127.0.0.1 --dport 1194 -o $WIF --to-source $MIP 14:06 < dazo> bny: but you need to experiment with the --to-source .... --to-source $MIP:1024-65535 ... might be another attempt 14:10 < dazo> QuiescentW: be aware that openwrt uses bridging as default .... and you might want to bridge tap0 to br0, where you have your internal network 14:10 < QuiescentW> i have tap0 bridged with br-lan which has all the eth adapters except wan in them 14:11 < QuiescentW> let me get my configs on pastebin if someone will please look at them for me 14:12 < bny> nah still same 14:12 < dazo> QuiescentW: I needed to do /usr/sbin/openvpn --mktun --dev tap0 --dev-type tap ... and then /sbin/ifconfig tap0 0.0.0.0 promisc up ... and then brctl addif br0 tap0 before I could start openvpn 14:12 < bny> can you try to explain what that rule does dazo? :) 14:12 < dazo> bny: the SNAT rule? 
14:12 < bny> yea 14:13 < QuiescentW> i' 14:13 < QuiescentW> i'll try that 14:14 < dazo> bny: it takes all UDP packets coming from 127.0.0.1 with destination port 1194 going out on the $WIF interface and rewrites the source address to $MIP with a dynamic port range as source port 14:15 < bny> kk 14:15 < bny> and the DNAT rule we wrote before is still needed? 14:15 < dazo> bny: yes ... because that does almost the "opposite" 14:16 < dazo> bny: the DNAT rule takes the packets to $MIP at destination port 1194 and rewrites the destination to localhost:1194 14:17 < dazo> and then the kernel takes this packet and sends it through the routing layer in the network 14:17 < dazo> while SNAT rules are picked up after the kernel has done the packet routing 14:18 < dazo> so DNAT is the first pass from outside to inside .... and SNAT is the last pass from inside to outside 14:19 < bny> hm still wrong ip when i do tcpdump :( 14:19 -!- QWonder [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn 14:20 < dazo> bny: I'm worried I'm not able to help you completely out ... since I don't know if you have any other conflicting rules in your chains 14:22 < bny> yea its ok 14:22 < bny> ill dig into it tomorrow 14:22 < bny> thanks a lot for your help though 14:22 < dazo> bny: np! :) 14:22 < bny> amma head out for a while, cya 14:23 < bny> been working with this darn setup for several hours 14:24 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:24 < QWonder> i'm getting this: 'private key password verification failed'... i'm using PKI but no passwords anywhere 14:25 < dazo> QWonder: you have some issues with your private key ... that's for sure ... 
try to remove the password with some openssl commands (don't remember them now) 14:26 < QWonder> i'm just going to delete all my config and pki files and start over 14:27 < QWonder> i must have done something wrong 14:34 -!- QuiescentW [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 14:38 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:45 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:00 -!- brain0 [n=brain0@archlinux/developer/brain0] has joined ##openvpn 15:01 < brain0> hi. I was here before but nobody answered :) ... I want to know if I can reduce the memory usage of openvpn. this is my configuration: http://pastebin.com/d503bb027 ... I only need support for one client, will p2p mode use less memory? any other tricks? 15:27 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn 15:28 < nullboy> hey is the 'extra' challenge password something that should be set or should not be set? 15:28 < nullboy> what are the ramifications of not setting it? 15:28 < nullboy> this is during the build-key-server 15:30 < skx> I have openvpn server on freebsd using tap, how can I change MTU? 16:10 < ecrist> evening, bitches 16:29 < ecrist> skx: 16:29 < ecrist> !howto 16:29 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 16:35 < nullboy> lol 16:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 17:13 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn 17:35 -!- QWonder [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)] 17:49 -!- brain0 [n=brain0@archlinux/developer/brain0] has left ##openvpn [] 18:05 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:08 < plaerzen> !plaerzen 18:08 < vpnHelper> plaerzen: Error: "plaerzen" is not a valid command. 18:08 < plaerzen> :( 19:07 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)] 19:08 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 21:01 -!- Gray9Mar [i=surf___@gateway/tor/x-1d2bf26543040c15] has quit [Remote closed the connection] 21:01 -!- needo [n=needo@superhero.org] has joined ##openvpn 21:02 < needo> I am attempting to setup OpenVPN 2.0.9 on CentOS 5. However when I connect to the VPN I get assigned the address .6 and my gateway is .5. Shouldn't it be .1? 21:06 < ecrist> needo: no, it shouldn't. 21:06 < ecrist> the addressing you're seeing is correct 21:07 < muxpux> hi,i am doing bridge-mode vpn,so inorder access the machines on the same network of teh server,do i need to add extra push route or something? 21:07 < needo> ecrist: Why? Should I be able to ping .5? 21:08 < ecrist> needo: tun mode of OpenVPN assigns a series of /30 subnets (one for each client). Internally, OpenVPN responds for it's end of the /30 PPP link, but doesn't actually assign the address to its interface 21:08 < ecrist> no, you shouldn't be able to ping .5 21:09 < needo> Thanks. 
21:09 < ecrist> muxpux: you need to make certain that your LAN on the OpenVPN server side is assigning IPs to the vpn clients, or that the OpenVPN instance is assigning address from the same range as what's available on the LAN 21:11 < muxpux> ecrist: yeah suppose the dhcp in my network is 192.168.1.0/24 21:11 < needo> Now its time to futz with the iptables. Woohoo. :) 21:12 < muxpux> and in ovpn ,if i give arange from .128 - .254,thats okay? 21:12 < ecrist> yep 21:13 < muxpux> alright :) 21:14 < muxpux> ecrist: one more q 21:14 < muxpux> push "redirect-gateway" 21:14 < ecrist> should be push "redirect-gateway def1" iirc 21:14 < muxpux> will redirect the gateway as well,and enables all web browsing of the client through server? 21:14 < muxpux> def1? 21:14 < ecrist> aye 21:14 < ecrist> read the manual 21:14 < muxpux> ok :) 21:41 < needo> I am having a really hard time getting my iptables right. I want everything that comes in through the VPN (tun0) to have access to the Internet via eth1. 
21:42 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn 21:42 < mepholic> ok 21:43 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit [Read error: 104 (Connection reset by peer)] 21:43 < mepholic> is there a way to have a client or server use 2 tap interfaces 21:43 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn 21:44 < mepholic> i don't mean virtual interfaces like tap0:0 21:44 < mepholic> unless you can bridge that and still be able to use tap0 on the host 21:45 < mepholic> my issue is that i have an openvpn server running on the host computer of an openvz vps node 21:46 < mepholic> and i need to bridge a vps's ethernet adaptor to an openvpn adaptor 22:03 -!- needo [n=needo@superhero.org] has left ##openvpn [] 22:15 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection] 22:16 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn 22:27 -!- cyberjames [n=james@unaffiliated/cyberjames] has quit ["leaving"] 22:46 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 22:46 < onats> hi guys 22:46 < onats> i have a question. if i have 2 site to site routers connected via vpn, i have to create /ccd/ entries for the router/clients right? 22:47 < onats> for a remote worker client, which gets an ip of say 10.0.66.x, what do i need to do in order for me to be able to ping devices behind the other routers? 22:47 < onats> i mean other clients? 22:47 < onats> krzie are you there? 22:54 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn 22:54 < grendal_prime> hey guys. 22:56 < grendal_prime> I have a situation where we have several openvpn servers with several CA's and we have been looking for a way to sort of cluster them together so we have one server with the certs and keys. We already have a way of backing that up off site. However i have contrived a way of connecting several other servers to the primay server to use the keys on that server. 
This way we only have to create credentials in one loaction. 22:58 < grendal_prime> Ive tested it and it works. Im just wondering if there is a product out there that already does this...or if there is some sort of configureation that i overlooked for doing this sort of thing? 23:03 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: muxpux, dogmeat 23:05 -!- Netsplit over, joins: muxpux 23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: muxpux, justdave, meturaf 23:05 -!- meshuga [i=meshuga@65.23.153.3] has joined ##openvpn 23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: mcp, Typone 23:05 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn 23:06 -!- Netsplit over, joins: mcp 23:06 < QWToo> alright, i have this crap working 23:06 < QWToo> the problem was 23:06 < QWToo> i guess 23:06 < QWToo> i was bringing up tap0 on the client and then running dhclient 23:07 < QWToo> and it was supplying a gateway 23:07 < QWToo> or something 23:07 < QWToo> and breaking my internet 23:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: whits_, QWToo, roentgen, smk 23:07 -!- whits [n=jim@jim.505.ru] has joined ##openvpn 23:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: MMN-o, whits 23:07 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn --- Log closed Mon Jan 26 23:07:53 2009 --- Log opened Mon Jan 26 23:09:13 2009 23:09 -!- ecrist [n=ecrist@173.8.118.220] has joined ##openvpn 23:09 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal] 23:09 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: int, disco-, grendal_prime 23:09 -!- Irssi: Join to ##openvpn was synced in 14 secs 23:09 -!- WHATEVER [n=evaldo@207.192.75.23] has joined ##openvpn 23:09 -!- Netsplit over, joins: grendal_prime 23:09 -!- Netsplit orwell.freenode.net 
<-> irc.freenode.net quits: reiffert, kaii 23:09 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn 23:09 -!- Netsplit over, joins: int 23:09 < grendal_prime> QWToo: ? not sure what you mean....you cant push them a gateway? 23:10 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: disposable, kaii_, mcp, donavan, MMN-o 23:10 -!- disposab1e [i=disposab@blackhole.sk] has joined ##openvpn 23:10 -!- mcp [n=mcp@78.46.210.50] has joined ##openvpn 23:10 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: int, aar0n, onats 23:10 < QWToo> they don't need a gateway 23:11 < QWToo> i don't really know how this works 23:11 < QWToo> what happens is that the clients connect 23:11 -!- Netsplit over, joins: MMN-o 23:11 < QWToo> and their default internet gateway is changed to a different address 23:11 < QWToo> then they can't get online 23:11 < QWToo> because the gateway is an address in a different network 23:11 < QWToo> somewhere else 23:11 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: disposab1e, krzie, trifler, ikevin_, MMN-o, smk_ 23:12 -!- Netsplit over, joins: trifler 23:12 < grendal_prime> ok wait wait..i think you are thinking about this wrong 23:12 -!- munga` [n=munga@81.194.35.9] has joined ##openvpn 23:12 -!- Netsplit over, joins: MMN-o 23:12 -!- krzie [i=krzee@66.11.114.210] has joined ##OpenVPN 23:12 < grendal_prime> the vpn is to connect you to the vpnserver..if you want to route out past that, you need to set up the vpn server for routing. if you want to use the vpn as a sort of gateway to the internet. 23:12 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 23:13 < QWToo> no 23:13 < QWToo> i don't want to use it as a gateway 23:13 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: tarbo2, bigjohnto_away, mmcgrath_, plaerzen 23:13 < QWToo> the problem was 23:13 < grendal_prime> ok so what your saying is when you connect your client no longer uses its configured gateway.. 
23:13 < QWToo> yeah 23:13 < QWToo> i was using dhclient on the tap adapter 23:13 < grendal_prime> ok that is a setting ithink you have to set up in windows. 23:14 < QWToo> and it changes the default gateway to the address in the other network, which it can't get to without going through my local gateway. in turn my internet is broken 23:14 < QWToo> no 23:14 < QWToo> it's all linux 23:14 < grendal_prime> like set default gateway or something like that...i dont use windows...in any capacity at all so im not sure.. 23:14 < QWToo> i did until maybe six months ago 23:14 < grendal_prime> ok 23:14 < QWToo> so i'm pretty new to all this 23:15 < grendal_prime> so when your linux client connects it looses its default gateway? 23:15 -!- nullboy [n=nullboy@97-94-107-72.static.mtpk.ca.charter.com] has joined ##openvpn 23:15 -!- Netsplit over, joins: tarbo2 23:16 < QWToo> yeah 23:16 < QWToo> it changes to the default gateway of the openvpn server 23:16 < grendal_prime> thats pretty odd...now i do know when i connect to my work openvpn, i get a...its like a confused state every now and again...but it usually figures it out in a min. 
23:16 < QWToo> i mean, when my linux client connects the tap0 adapter is down 23:16 < QWToo> i don't have a startup script yet 23:16 < grendal_prime> ya see i dont use tap devices with linux 23:17 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 23:17 < QWToo> so i was doing this: sudo ifconfig tap0 up; sudo dhclient tap0; 23:17 -!- whits [n=jim@jim.505.ru] has joined ##openvpn 23:17 -!- disco- [i=disco@discomb0bulated.com] has joined ##openvpn 23:17 < QWToo> and dhclient was changing the default gateway address 23:17 -!- smk [n=scott@64.90.184.122] has joined ##openvpn 23:17 -!- int [n=quassel@wikia/int] has joined ##openvpn 23:17 < QWToo> on the local machine to an address that isn't on this network 23:17 < QWToo> heh 23:17 < grendal_prime> sounds like yoru server is pushing a route that may be messing with that 23:18 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 23:18 < QWToo> i don't know 23:18 -!- bigjohnto_away [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn 23:18 < grendal_prime> you using ubuntu? 23:18 < QWToo> nothing should be routed 23:18 < QWToo> yeah 23:18 < grendal_prime> do you have controle of the server? 23:18 < QWToo> i don't think anything should be routed 23:18 < QWToo> yeah 23:18 -!- ikevin_ [n=kevin@90.33.40.180] has joined ##openvpn 23:18 < QWToo> it's right here 23:18 < QWToo> it's all bridged 23:18 < QWToo> because i didn't know how to do the routing 23:19 < grendal_prime> did you do the quicksetup illustrated on the openvpn.net site? 23:19 < QWToo> i used some bridged howto on the openwrt site 23:19 < grendal_prime> the reason i ask is that has proven to be pretty failproof and..well it does not illustrate using the tap device. 23:19 < QWToo> which is what the server is running on 23:19 < grendal_prime> o 23:19 < grendal_prime> so you need it to be bridged? 
23:20 < QWToo> at least i've figured out what's wrong 23:20 < QWToo> i dont' need it bridged 23:20 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn 23:20 < QWToo> i just didn't want to deal with setting up routes 23:20 -!- disposable [i=disposab@92.240.234.34] has joined ##openvpn 23:20 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 23:20 < QWToo> and i have all the machines i want accessible to the vpn clients in their own vlan 23:20 < grendal_prime> ya...you should try that howto..it sets up what your looking for i think...and...well it should work for openwrt as well. 23:21 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 23:21 < grendal_prime> http://openvpn.net/index.php/documentation/howto.html#quick 23:21 < vpnHelper> Title: HOWTO (at openvpn.net) 23:21 < grendal_prime> its never failed... 23:21 < grendal_prime> well its never failed me anyway 23:21 < grendal_prime> i got to roll good luck 23:21 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection] 23:21 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn 23:23 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: whits, deever, thewolf, trifler, worch, dazo, bny, donavan, skx, eliasp, (+5 more, use /NETSPLIT to show all of them) 23:23 -!- MMN_o [n=mmn@barjack.com] has joined ##openvpn 23:23 -!- whits_ [n=jim@jim.505.ru] has joined ##openvpn 23:23 -!- udk [i=evaldo@freenode/staff/udontknow] has joined ##openvpn 23:23 -!- Netsplit over, joins: huslu 23:23 -!- dazo [n=dazo@nat/redhat/x-ec6c25d10518a59b] has joined ##openvpn 23:23 -!- boney [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn 23:23 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 23:24 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: whits_, nullboy, int, skx, munga`, mepholic, QWToo, troy-, plaerzen, boney, (+18 more, use /NETSPLIT to show all of them) 23:25 -!- QWToo [n=Quiescen@71.122.68.221] has joined ##openvpn 
--- Log closed Mon Jan 26 23:28:20 2009 --- Log opened Mon Jan 26 23:28:31 2009 23:28 -!- ecrist [n=ecrist@173.8.118.220] has joined ##openvpn 23:28 -!- Irssi: ##openvpn: Total of 29 nicks [0 ops, 0 halfops, 0 voices, 29 normal] 23:28 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn 23:28 -!- Irssi: Join to ##openvpn was synced in 13 secs 23:28 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn 23:29 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 23:29 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 23:30 -!- jpalmer [n=jpalmer@fl-209-26-20-205.sta.embarqhsd.net] has joined ##openvpn 23:31 -!- Typone [n=nnnnitsm@195.197.184.87] has joined ##openvpn 23:31 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn 23:33 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 23:33 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 23:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: skx 23:33 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn 23:33 < muxpux> hi 23:33 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn 23:33 -!- Netsplit over, joins: skx 23:33 < muxpux> my ovpn-bridge is up and fine 23:33 < muxpux> now i need to route all the internet traffic 23:34 < muxpux> since my vpn is bridge ,there is no need for me to do nating in the linux machine right? 23:34 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn 23:37 -!- lilalinux [i=e-trolle@fellatio.deswahnsinns.de] has joined ##openvpn 23:37 -!- tomfmason [n=tom@tomfmason.net] has joined ##openvpn 23:38 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 23:38 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn 23:55 -!- Gray9Mar [i=surf___@gateway/tor/session] has quit [Nick collision from Idoru.] 
23:56 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn --- Day changed Tue Jan 27 2009 00:07 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["life in the rear view mirror"] 01:20 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn 01:22 < nullboy> hello, i'm using wireshark on a client system that is connected to an openvpn server. the client and the server are on the same lan and i have used push "redirect-gateway local def1" in the server's config but i can see DNS queries being leaked in wireshark 01:55 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["life in the rear view mirror"] 01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:58 -!- lilalinux [i=e-trolle@fellatio.deswahnsinns.de] has left ##openvpn ["Leaving"] 03:17 -!- bigjohnto_away [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 03:22 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 03:22 < muxpux> hey 03:22 < muxpux> ovpn is pptp or l2tp ? 
03:23 < floyd_n_milan> neither 03:23 < floyd_n_milan> ssl 03:24 < muxpux> alright 03:55 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 03:59 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 04:06 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 04:06 < joelsolanki> Hi dazo 04:06 < joelsolanki> https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/265058 04:06 < vpnHelper> Title: Bug #265058 in openvpn (Ubuntu): "[SRU] openvpn2.1~rc7 fails to pick up the CN of certificates" (at bugs.launchpad.net) 04:09 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 04:38 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 04:46 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 04:47 -!- udk [i=evaldo@freenode/staff/udontknow] has quit ["leaving"] 05:01 < muxpux> hi 05:02 < muxpux> is it possible to make mac osx 10.5 as a n openvpn client? 05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:28 < whits_> 1:32 -!- ERROR Closing Link: [85.91.225.194] Z:Lined (Transitive external IP range - InetC) 05:28 < whits_> oops 05:28 * dazo is not sure if "duuhh" ... is a proper answer 05:28 < dazo> muxpux: sure ... that's just to use a client configuration file instead of a config which prepares the openvpn process to act like a server 05:58 < muxpux> dazo:/win 10 05:58 < muxpux> hehe 05:58 < muxpux> dazo: i mean ,ovpn port of mac is also there? 06:14 < ecrist> muxpux: google code for tunnelblick 06:14 < ecrist> you know, that question is easily answered by a google search 06:46 < muxpux> yeah 06:46 < muxpux> i sen that name 06:46 < muxpux> seen 06:46 < muxpux> thought like a3rd part product 06:50 -!- innni1 [n=andre@92.2.28.116] has joined ##openvpn 06:51 < innni1> can people at home behind local routers create a VPN 06:52 < innni1> for example create a VPN so that three people can play a game 06:53 < dazo> innni1: Without going deep ... 
yes, that's the main purpose of VPN, to create a virtual private network 06:54 < innni1> dazo: even though each local box has a dynamic IP? 06:54 < dazo> innni1: I presume that you mean that there are 3 different persons, sitting behind each their router 06:54 < innni1> yes 06:55 < innni1> this is the normal setup too, I assume 06:55 < dazo> innni1: yes ... but in this case, I would recommend to also sign up for a dyndns/dynalis/etc service ...so you do have a hostname to a dynamic ip address 06:55 < dazo> innni1: the reason I asked was because it sounded like they were behind the same router ... which would make the use of VPN pretty unneeded ;-) 06:56 < innni1> good call 06:57 < dazo> innni1: one of these three locations needs to provide the openvpn server somehow ... the two others connect to the server as clients ... and if you enable client-to-client in the openvpn config, those clients can also see eachother on the VPN 06:57 < dazo> innni1: pretty basic setup, actually 06:58 < innni1> I am in UK, got a mate in Siberia :) 06:58 < dazo> innni1: even this is not a problem :) 06:58 < innni1> I wanna do the VPN more than any game really 06:59 < dazo> heh 06:59 < dazo> good approach! 06:59 < dazo> ;) 06:59 < innni1> maybe today 06:59 < innni1> I have done the crypto stuff 07:00 < innni1> need to create the config files 07:00 < dazo> innni1: have a close look at the different docs available for openvpn ... howto's etc ... it's not that difficult 07:00 < dazo> !howto 07:00 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:01 < dazo> innni1: and you will be pretty good if you manage this without trampling into routing issues .... :-P 07:01 < innni1> I expect I will have issues 07:03 < dazo> innni1: routing is not difficult ... if you have a little bit overview over how basic networking routing works .... 
mostly it is just minor details, not reading docs/howto's well enough, rushing into things without making sure all those small and gory details are right 07:03 < innni1> what does a sign up for a dyndns/dynalis/etc get me 07:03 < innni1> presumably the missing link in my thinking as to how this all works 07:04 < dazo> innni1: it gives you a hostname .... f.ex. mybox.dyndns.org .... and you will have a client running on your box, which will then update this DNS record whenever your IP changes 07:04 < dazo> innni1: and it's only needed for the server 07:04 < dazo> innni1: but you might want to have a look into the --float option in openvpn as well 07:04 < innni1> what you are saying will take time to sink in 07:04 < innni1> I am probably 80% savvy 07:05 < innni1> maybe 70% 07:05 < dazo> innni1: just don't rush :) Take your time and let it sink in .... then it'll work, I'm sure 07:05 < innni1> :D 07:05 < dazo> "Nothing is impossible, it just takes a little bit longer" 07:06 < innni1> I will have to teach my 0% savvy friend all this too :D Gonna be fun 07:08 < dazo> innni1: no, not really ... if you manage to set up a good server config ... you can just send him key files and configuration .... and then he just unpacks this in a directory and starts openvpn as root .... and that's all 07:09 < dazo> innni1: the key is if you manage to provide a good client config file for her/him or not 07:10 < dazo> innni1: which OS are you deploying this on? what do you and the others use? 07:10 < innni1> we are both ubuntu boys 07:11 < dazo> innni1: okey .... be aware of some issues with openvpn on ubuntu and certificates ..... https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/265058 07:12 < vpnHelper> Title: Bug #265058 in openvpn (Ubuntu): "[SRU] openvpn2.1~rc7 fails to pick up the CN of certificates" (at bugs.launchpad.net) 07:14 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has joined ##openvpn 07:15 < innni1> dazo: thanks. Anything else I should know? 
07:17 < dazo> innni1: grab a lot of what ever you like to drink when hacking on your computer ... maybe add some snacks .... relax and have fun digging into the wonderful world of openvpn! :) 07:17 < bender183> hey guys 07:17 < innni1> i got food and drink stocks 07:17 < innni1> hi bender 07:18 < bender183> hows it going? 07:20 < innni1> i am cool thank bender :) u? 07:22 < bender183> not too bad, worked out this morning.....im always happier when i work out in the mornings :> 07:23 < bender183> anyways i have an issue with openvpn....i have no knowledge of openvpn, and ive been franticaly rtfm'n ....the client can ping the openvpn server but the server cant ping the client side 07:23 < ecrist> good morning, bitches 07:23 < bender183> here are the pastebins 07:23 < innni1> people say to me "do you work out" :) I never done any exercise in my life 07:23 < bender183> server = http://pastebin.com/m4ed98aa 07:23 < bender183> client = http://pastebin.com/m2b31c2ab 07:23 < bender183> server logs = http://pastebin.com/m375bc965 07:24 < innni1> <- this slut is no bitch 07:24 < ecrist> bender183: client can ping server IP, but server can't ping client IP? 07:24 < bender183> you know they say that working out makes your iq higher' 07:24 < bender183> yes 07:24 < ecrist> that doesn't make sense. 07:24 < bender183> i know ... 07:24 < ecrist> have you checked the firewall on the client side? 07:25 < bender183> yes i have ... 07:25 < bender183> outbound is set to accept 07:25 < bender183> errr 07:25 < bender183> wait 07:25 < bender183> hold on 07:25 < bender183> hehe 07:25 < bender183> i hope thats the problem ;D 07:26 * ecrist points to the chan topic 07:26 < bender183> yes i know ... 07:26 < bender183> but if you take a look at the logs 07:27 < bender183> that i pasted 07:27 < bender183> *cough* 07:27 < bender183> you can see they are speaking to each other 07:27 < ecrist> right, but you're talking about two different things. 
07:27 < ecrist> most firewalls allow outgoing connections without problem 07:27 < dazo> bender183: yeah ... but firewalling also means firewalling on the VPN net as well ...... 07:28 < ecrist> that would be the case on your VPN client. 07:28 < ecrist> however, my guess is that your client is blocking incoming (unsolicited) ICMP packets. 07:28 < ecrist> ICMP = Ping 07:28 * dazo seconds that 07:28 < bender183> interesting 07:28 < bender183> i think you may of nailed it 07:29 < bender183> and you did 07:30 < bender183> gratzi 07:30 < ecrist> np 07:30 < bender183> now i can finally finish up my nagios install :> 07:31 < bender183> well i always could, i was just checking the tunnel the incorrect way 07:31 < bender183> hehe 07:33 < ecrist> with nagios, I've found pings are the best method to test openvpn tunnels 07:33 < bender183> my friend suggested check_tcp 07:33 < bender183> but i could see why you would say that 07:33 < ecrist> could do some parsing of the openvpn-status log, but there's potential for stale files 07:33 < ecrist> bender183: anyone who knows better, who can, runs OpenVPN over udp 07:34 < bender183> ohhhhhh 07:34 < bender183> i wish you could tell that to my middle earth former co-worker 07:35 < ecrist> !tcp 07:35 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 07:35 < ecrist> point him there ^^^ 07:35 < bender183> it makes sense 07:36 < ecrist> to sum it up, problems with the tcp window size 07:36 < bender183> interesting 07:36 < ecrist> 5lbs of shit in a 5lb bag that's already filled with 1lb of shit. 07:38 < dazo> ecrist: nice link! 
07:38 < ecrist> that was krzee's find 07:38 < bender183> seems like this dude didnt make any iptables rules to allow the vpn to pass through other clients either 08:11 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"] 08:11 < ecrist> um, a program doesn't catch a sig 11. 08:11 < ecrist> the kernel catches sig 11 08:11 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:12 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Client Quit] 08:13 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:17 < ecrist> ebf0: make up your mind 08:19 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has quit [Read error: 104 (Connection reset by peer)] 08:20 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"] 08:21 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:22 < ecrist> ebf0: stop the join/part 08:33 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"] 08:35 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:35 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Client Quit] 08:35 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:37 < ecrist> /kick ebf0 08:37 -!- Federico2 [n=Fede@193.200.193.239] has joined ##openvpn 08:37 < Federico2> hi guys 08:38 < ebf0> ey... dont 08:38 < ebf0> I got the ppl to stop :) 08:38 < Federico2> is in normal that I cannot ping the VPN endpoints on the virtual interfaces (tun0)? 08:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:39 < ebf0> found a nice error in ircproxy... might even be sploitable :) 08:55 -!- innni1 [n=andre@92.2.28.116] has quit ["Leaving."] 09:03 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has quit [Read error: 60 (Operation timed out)] 09:03 < dvl> ebf0: dircproxy? 09:05 < dvl> ircproxy seems to be a generic name, not a particular applicatoin. 
09:06 < ecrist> Federico2: yes
09:07 < muxpux> hi
09:07 < muxpux> i am getting Bad LZO decompression header byte: 42
09:07 < muxpux> what that means
09:07 < muxpux> i am trying to connect from a mac machine using viscosity
09:08 < muxpux> any ideas?
09:09 < ecrist> wtf is viscosity
09:09 < muxpux> client for mac
09:09 * ecrist looks it up
09:09 < ecrist> the recommended mac client here is Tunnelblick, not heard of Viscosity
09:12 < ecrist> Tunnelblick is free
09:15 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn
09:15 < ebf0> dvl: http://www.night-light.net/ircproxy/
09:15 < vpnHelper> Title: Night Light IRC Proxy "Bouncer" (ircproxy) (at www.night-light.net)
09:16 < ecrist> muxpux: that's a pretty smooth looking client
09:17 * ecrist wonders if he can weasle a free copy of viscosity from the dev...
09:17 < ecrist> weasel*
09:25 < muxpux> heeh
09:25 < muxpux> ecrist: i am using tunnelblick
09:25 < muxpux> now
09:25 < ecrist> $9 after 30 days
09:25 < muxpux> it says an error
09:25 < muxpux> like this ca_cert can only be specified in tls mode
09:26 < muxpux> so do we have any options'
09:26 < ecrist> muxpux, need to see your client config. both viscosity and tunnelblick are simply front-end parsers for the standard config file and openvpn binary
09:27 < muxpux> ecrist: the same configs works for win/linux machines
09:27 < muxpux> i mean the client config
09:28 < muxpux> sec i will paste
09:29 < muxpux> http://pastebin.com/m2ccbf4fc
09:30 < ecrist> looking
09:31 < muxpux> thanks :)
09:31 < ecrist> and your logfiles, please?
09:32 < muxpux> Tue Jan 27 16:35:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
09:32 < muxpux> in client it said ca_cert can only be specified in tls mode
09:33 < muxpux> thinking like is it an issue with my client settings
09:33 < muxpux> works perfectly with linux and windows
09:34 < ecrist> same error in viscosity and tunnelblick?
09:35 < muxpux> viscosity was connecting,getting an ip etc
09:35 < muxpux> but didnt able ping anything
09:35 < muxpux> and the server is in vpn-bridge mode
09:35 < muxpux> able to*
09:37 < plaerzen> morning guys
09:38 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:38 < ecrist> hey plaerzen
09:39 < ecrist> muxpux: can you paste your logfiles, please?
09:41 < muxpux> ecrist: nothing much
09:41 < muxpux> Tue Jan 27 16:35:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
09:41 < muxpux> thats it
09:42 < ecrist> muxpux, if you're not going to pastebin your entire log file from tunnelblick, I'm not going to be able to help you.
09:42 < ecrist> if you knew what you were looking for, you wouldn't be asking here.
09:42 < ecrist> also, what version of tunnelblick?
09:42 < muxpux> ecrist: sec
09:48 < muxpux> ecrist: cant see any logs in tunnelblick
09:48 < muxpux> :(
09:49 < ecrist> if you select Details from the drop-down menu, you'll see the logs.
09:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:58 -!- MMN_o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
10:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 * ecrist gives up
10:18 < muxpux> ecrist:
10:19 < muxpux> i was working with a client who was with his osx(you know whats that means),finally gives up atm trying with macosx client
10:19 < muxpux> i am sorry
10:30 < ecrist> muxpux: don't really bother me.
10:30 < ecrist> for your edification, if you need it, I just wrote the following: http://www.secure-computing.net/wiki/index.php/Tunnelblick
10:30 < vpnHelper> Title: Tunnelblick - Secure Computing Wiki (at www.secure-computing.net)
10:32 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
10:51 -!- randra [n=sleepkno@200.215.81.98] has joined ##openvpn
10:56 -!- skx [i=skx@217.17.32.190] has quit ["changing servers"]
11:04 -!- rwaite [n=fieldyca@rrcs-74-218-125-86.central.biz.rr.com] has joined ##openvpn
11:05 < rwaite> hi everyone, i'm trying to setup openvpn on windows to connect my work lan with my home lan and i'm way past confused at this point
11:06 -!- randra [n=sleepkno@200.215.81.98] has quit ["tra"]
11:07 < rwaite> !route
11:07 < vpnHelper> rwaite: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:08 * rwaite off to read
11:11 < muxpux> ecrist: nice odc thanks
11:15 < muxpux> doc
11:15 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
11:34 < rwaite> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing <<
11:34 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
11:34 < rwaite> in this document, when they say "2 client with lans behind them"
11:35 < rwaite> are those two clients assumed to be the routers for their respective lans?
11:35 < ecrist> rwaite: basically, yes.
11:36 < ecrist> but, with some advanced networking and routing, they don't have to be the gateways for those lans.
11:36 < rwaite> so if i had a machine behind a soho router, i'd need to enable some sort of routing on the soho?
11:36 < rwaite> well, my main issue is the openvpn server and the openvpn client are both behind a soho router on their networks
11:37 < dazo> rwaite: In this case, the usual approach is to put up the route on each machine which should be reachable on the inside ... if setting up the routing in the soho router doesn't work
11:38 < rwaite> so make some sort of batch file to setup the routes. that would work. would i also need to enable routing on the client, too, then, for that to work?
11:39 < rwaite> this is a windows machine, fyi. (i think im in a bit over my head here, i need to learn how this routing works exactly)
11:39 * rwaite smacks face. hold up, i missed the 'routes to add outside of openvpn' section
11:40 < dazo> rwaite: look at it like this: A user on your "openvpn server side" with IP address 172.16.10.50 (example) accesses 192.168.10.10 (example) which is routed via the VPN (10.8.0.1) ... the package reaches 192.166.10.10 ... and it responds to it ... but since it does not know about the 172.16.10.* network, it will send this traffic to the default gateway instead of your openvpn client router
11:42 < rwaite> i see, so the default gateway must know to send traffic for the client network back to the vpn
11:44 < rwaite> so i think i am thinking of this wrong - what i really want is two servers that act as clients to each other.
11:44 < dazo> rwaite: yeah, but to reroute traffic through another router on the same network as the package came from (192.168.10.*) might cause the package to get dropped by the default router .... that's why it's clever to set up this route explicitly on the "servers" on the openvpn client side as well
11:45 < dazo> rwaite: and in the openvpn world ..... that's doable with openvpn server on one side and openvpn client on the other side
11:46 < rwaite> dazo: but if i want the machines on the server side to also be able to reach the machines on the client's side, too?
11:46 < dazo> rwaite: what makes it difficult for you now, is that you do not have the openvpn client as a router between your internal network and your default gateway
11:46 < rwaite> hmm.
11:47 < dazo> rwaite: when the openvpn client (server too actually) is located as a "normal" box, on the internal network ... all clients usually do need to have explicit routes to the other network, which points at the openvpn box in the local network
11:49 < rwaite> ok ok. but then it seems (and i think the doc says to) that i should be able to add a route to the other network to the soho router/gateway, which points at the local client (server)
11:50 < rwaite> as long as the two networks are different (192.168.1.0 vs 192.168.2.0) this should work
11:51 < rwaite> i think a big part of what i was misunderstanding too was i wasnt aware of the purpose of the "vpn network" (the 10. one)
11:51 < dazo> rwaite: if that works, you're lucky :) ... but I know some routers reject such routes .... some routers do not know how to handle the traffic when the next router is on the same network as the package came from
11:51 < rwaite> oh i see, that's what you meant before
11:52 < rwaite> the easiest setup, then, would be openbsd as the gateway with openvpn on it on both sides :)
11:52 < rwaite> which i wish i could do, but alas, im the only one here who would spring for a homemade router
11:52 < dazo> rwaite: that's right :)
11:53 < rwaite> well thank you, i think i know enough now to read thru all the documentation without scratching my head every 5 seconds
11:54 < dazo> rwaite: well .... you can always aim for such Linksys router or similar ones, which can run openwrt or x-wrt or similar Linux based firmwares .... I'm using x-wrt as a openvpn server to "phone home" myself
11:54 < rwaite> oh they come with openvpn on them?
11:54 < dazo> rwaite: but the more usual part is to use such routers as a client against another server
11:55 < dazo> rwaite: yeah, well, you install this x-wrt firmware .... go to web admin, click on openvpn and it asks you if you want to install it
11:55 < dazo> rwaite: when that's done .... it's configure time
11:55 < rwaite> our router here has dd-wrt, but i dont see anything about openvpn. maybe i will check out x-wrt
11:56 < dazo> rwaite: dd-wrt has its own vpn enabled one as well .... but I stopped using dd-wrt when I found some iptables/firewall rules which opened it up from some hard coded IP addresses
11:57 < dazo> rwaite: then I went over to x-wrt .... and I'm a happy camper
11:57 < rwaite> my dream would be to get a soekris device and get something setup on it
11:58 < dazo> nice one
11:59 < dazo> rwaite: any idea what these boxes cost?
11:59 < rwaite> it depends on what is included, the one i was looking at before had 4 ethernet ports and was around ~280 with the enclosure
11:59 < rwaite> us $
12:00 < dazo> rwaite: that's not too bad
12:00 < rwaite> not at all, and considering what it can do. you can put linux, freebsd, or openbsd that i know of. probably more
12:00 * dazo would like such one with eSATA or Firewire interface as well
12:02 < dazo> (to be released 2009) "net6501, a faster and more advanced mainboard, up to 1.5 Ghz CPU, 2 Gbyte DRAM, 4 Gigabit Ethernet ports and PCI Express expansion."
12:02 < dazo> PCI Express expansion .... my dream might come true ....
12:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:07 < rwaite> heh, that thing is beefier than my old workstation i used to run xp on
12:07 < dazo> heh
12:07 < dazo> I just noticed that even the old 5501 got traditional PCI slot as well ....
12:08 < dazo> maybe my dream is closer than I thought ....
12:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:16 < rwaite> thanks for all the help
12:16 -!- rwaite [n=fieldyca@rrcs-74-218-125-86.central.biz.rr.com] has quit ["Leaving"]
12:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:24 -!- joelsolanki [i=joelsola@124.125.148.121] has joined ##openvpn
12:24 < joelsolanki> dazo: HI
12:24 < joelsolanki> my problem got fixed by installing the latest version from openvpn.net
12:24 < joelsolanki> there was a bug in openvpn package for ubuntu 8.0.4
12:25 -!- joelsolanki [i=joelsola@124.125.148.121] has quit [Client Quit]
12:28 < krzee> !wz 92109
12:28 < vpnHelper> krzee: Error: "wz" is not a valid command.
12:28 < krzee> !weather 92109
12:28 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 56.7°F (10:29 AM PST on January 27, 2009). Conditions: Scattered Clouds. Humidity: 58%. Dew Point: 42.8°F. Pressure: 30.38 in 1028.7 hPa (Rising).
12:29 < dazo> krzee: cool ... support for non-us areas as well?
12:30 < krzee> no idea, welcome to try
12:31 < dazo> !weather Brno
12:31 < vpnHelper> dazo: The current temperature in Brno / Turany, Czech Republic is 33.8°F (7:00 PM CET on January 27, 2009). Conditions: Mist. Humidity: 80%. Dew Point: 32.0°F. Pressure: 29.92 in 1013 hPa (Rising).
12:31 < dazo> !weather Dehli
12:31 < vpnHelper> dazo: Error: HTTP Error 500: Server Error
12:32 < dazo> !weather CPH
12:32 < vpnHelper> dazo: The current temperature in Copenhagen, Denmark is 35.6°F (7:20 PM CET on January 27, 2009). Conditions: Overcast. Humidity: 75%. Dew Point: 28.4°F. Windchill: 32.0°F. Pressure: 30.06 in 1018 hPa (Steady).
12:32 < dazo> !weather HKG
12:32 < vpnHelper> dazo: The current temperature in Victoria Peak, Hong Kong, Hong Kong is 49.8°F (2:36 AM HKT on January 28, 2009). Conditions: Mostly Cloudy. Humidity: 92%. Dew Point: 48.2°F. Windchill: 50.0°F. Pressure: 29.93 in 1013.4 hPa (Steady).
12:32 < dazo> krzee: it takes airport codes .... perfect! :-P
12:34 < krzee> =]
12:45 -!- lvtn [n=azambuja@189.32.146.89] has joined ##openvpn
12:48 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:57 -!- casa0816 [n=casa@dslb-092-075-089-008.pools.arcor-ip.net] has joined ##openvpn
13:11 < krzee> !weather 92109
13:11 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 59.0°F (11:14 AM PST on January 27, 2009). Conditions: Mostly Cloudy. Humidity: 45%. Dew Point: 37.4°F. Pressure: 30.36 in 1028.0 hPa (Rising).
13:20 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
13:21 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection]
13:25 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
13:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:03 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Read error: 104 (Connection reset by peer)]
14:04 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
14:21 < huslu> !weather TLN
14:21 < vpnHelper> huslu: The current temperature in Hyeres, France is 46.4°F (9:00 PM CET on January 27, 2009). Conditions: Clear. Humidity: 53%. Dew Point: 30.2°F. Windchill: 42.8°F. Pressure: 29.65 in 1004 hPa (Steady).
14:21 < huslu> !weather TLL
14:21 < vpnHelper> huslu: The current temperature in Tallinn, City center, Estonia is 32.5°F (10:15 PM EET on January 27, 2009). Conditions: Overcast. Humidity: 90%. Dew Point: 30.2°F. Windchill: 32.0°F. Pressure: 29.97 in 1014.8 hPa (Steady).
14:21 < ecrist> krzee: did you fix my perms on the bot?
14:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:22 < huslu> too bad it doesn't give temperatures in celsius
14:23 < ecrist> nobody that matters uses celcius
14:23 < ecrist> celsius even
14:23 < ecrist> see? it's not even important enough to spell correctly
14:27 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
14:29 < techqbert> I was using a wireless router earlier. Now I'm using ethernet hooked up right up to the cable modem. I can nmap my VPN server, mount shares, but no longer can I ls those shares, SSH to the box, or go to http://x.x.x.x:8080 What do you think is going on? Does OpenVPN require a NAT? Is the ISP blocking certain packets?
14:31 < techqbert> As well, scp no longer works to the network even when not on the 10 subnet, just WAN. What the hell?
14:32 < techqbert> Yet filezilla can move the files, even on the same 32 port for WAN.
14:33 * ecrist is lost
14:34 < ecrist> you don't give us any real details, so nobody can help you.
14:34 < techqbert> ecrist: might I need to supply. I'm just as bankrupt for ideas.
14:34 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"]
14:35 < techqbert> What might I need to supply? *
14:37 * ecrist points to channel topic
14:40 < techqbert> !route
14:40 < vpnHelper> techqbert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
14:41 < techqbert> Ecrist: thanks for the help. I have no firewall and I need not set up lans behind openvpn.
14:42 < ecrist> ah, but you missed the 'We need !configs and !logs' part?
14:43 < techqbert> !configs
14:43 < vpnHelper> techqbert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:45 < techqbert> ecrist: may I ask you a simple question before I embark on gathering logs and config files. Should an openvpn VPN work regardless of whether the VPN client is behind a router or hooked directly to the ethernet port of the router?
15:03 < ecrist> yep
15:04 < ecrist> gotta go. bbl8r
15:14 -!- boney [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit [Nick collision from services.]
15:14 < techqbert> Hey guys I went from wireless LAN to direct ethernet to router on my client side and now my machine won't access NFS shares on the VPN, or go to VPN web sites. I can only ping.
15:14 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
15:14 -!- casa0816 [n=casa@dslb-092-075-089-008.pools.arcor-ip.net] has quit []
15:21 -!- bsdbandit [n=chuckban@wsip-70-169-130-78.hr.hr.cox.net] has joined ##openvpn
15:25 -!- bsdbandit [n=chuckban@wsip-70-169-130-78.hr.hr.cox.net] has quit [Client Quit]
15:39 -!- neverblue [n=jezus@unaffiliated/neverblue] has joined ##openvpn
15:39 < neverblue> get out!
15:39 < neverblue> you guys have your own channel :D
15:40 < neverblue> but, the question is, is anyone around to answer questions
15:41 < neverblue> when I edit my .conf.ovpn file, in Wordpad, then save it, i lose associations with the .ovpn extension to openvpn
15:42 < neverblue> how can I repair this ?
16:58 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:25 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
17:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: aar0n
17:37 -!- Netsplit over, joins: aar0n
17:40 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: aar0n
17:40 -!- Netsplit over, joins: aar0n
18:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:29 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
18:29 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Client Quit]
18:29 < hardwire> any idea how to assign static ip's (pushed) per client?
18:30 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:31 < hardwire> other than using DHCP
18:32 < hardwire> ah
18:32 < hardwire> client-config-dir
18:32 < hardwire> woota
19:31 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)]
19:31 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
19:51 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:27 < ecrist> evening, fuckers
20:29 < muxpux> hi
20:29 < muxpux> lol
20:50 < ecrist> neverblue: what do you mean that you lose associations with the .ovpn extension?
23:35 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
--- Day changed Wed Jan 28 2009
00:59 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
01:36 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
01:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:47 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
01:54 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)]
02:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:18 -!- casa0816 [n=casa@193.197.157.150] has joined ##openvpn
02:18 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
02:20 < QWToo> neverblue, right click the ovpn and click open with -> custom -> then select or browse for openvpn and make sure you tick the "always open with this program" checkbox and click okay
02:21 < QWToo> your associations should stay with openvpn unless you follow that process with wordpad
02:29 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn
02:29 < nullboy> !route
02:29 < vpnHelper> nullboy: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:36 < QWToo> just bridge
02:38 < Rawplayer> so why is there an iptables exampe in the freebsd openvpn ports?:)
02:38 < Rawplayer> *example
02:41 < nullboy> QWToo: was that for me? bridging over routing?
02:42 < QWToo> yeah
02:42 < QWToo> cause screw iptables
02:43 < nullboy> so routing method done properly would require nat, is that correct?
02:44 < QWToo> i don't really know anything about networking
02:44 < nullboy> does this directive apply to bridge mode as well as route mode? push "redirect-gateway local def1"
02:44 < QWToo> stop being an ass
02:45 < nullboy> wtf?
02:45 < QWToo> oh, nevermind then
02:45 < QWToo> sorry
02:45 < Rawplayer> nullboy: with bridging you can make 2 separate locations into one broadcast domain
02:45 < QWToo> my point was that i don't know anything about networking
02:45 < QWToo> but that i didn't have to
02:46 < QWToo> because there isn't much to configure if you use bridging
02:46 < nullboy> Rawplayer: the problem I'm having with route mode is that the vpn server is on the same lan as the vpn client so some things are leaking out into the lan that should be in the tunnel
02:46 < nullboy> i think it's a route issue
02:46 < QWToo> oh yeah, you can't bridge if you do that
02:47 < nullboy> i can kill the real subnet's default gw but if you kill the route to the real subnet's network everything dies
02:47 < Rawplayer> nullboy: draw your setup
02:47 < nullboy> k
02:47 < Rawplayer> nullboy: is the client getting his IP from dhcp?
02:47 < Rawplayer> you can also handout /30 netmasks
02:47 < nullboy> client gets real subnet's ip from dhcp and also gets vpn ip from vpn dhcp
02:48 < Rawplayer> ok, what should the client do in his "real" subnet
02:49 < nullboy> let me get all artsy
03:04 < nullboy> http://home.pacbell.net/morticus/openvpn.diar.1.jpg
03:05 < Rawplayer> nullboy: so what are you trying to achieve?
03:06 < Rawplayer> remind that you need to explain something who does not know how your network looks like..
03:06 < Rawplayer> + to someone
03:06 < nullboy> what is not explained in that? did you read the box?
03:07 < nullboy> why are some packets being leaked into the real lan?
03:07 < Rawplayer> nullboy: vpn ip's should not reach internal ip's from real subnet?
03:08 < nullboy> dns, icmp echo req/reply, some aim traffic, that should be using the vpn is hitting the real lan plaintext
03:08 < nullboy> http goes down it though
03:08 < Rawplayer> nullboy: the reason is that your real ip is direct connected
03:09 < Rawplayer> that is preferred instead of using the vpn connection
03:09 < nullboy> i understand that part but if you kill the real route you lose vpn connectivity
03:09 < nullboy> so how can i really force everything down the vpn?
03:09 < Rawplayer> nullboy: setup /30 dhcp entries
03:10 < nullboy> where? on the vpn or the lan?
03:10 < Rawplayer> then you have 2 usable ip's in your subnet
03:10 < Rawplayer> 1 for the lan client
03:10 < Rawplayer> 1 for the other end
03:10 < nullboy> then use host routes?
03:10 < Rawplayer> and then firewall the routing between the subnets on your router
03:11 < Rawplayer> then it works fine
03:11 < nullboy> got it thanks
03:11 < Rawplayer> because you can only reach two ip's when you are not connected to the vpn
03:11 < Rawplayer> instead of the whole subnet
03:12 < nullboy> wait...
03:12 < nullboy> you mean turn the whole physical lan into a /30?
03:12 < nullboy> this is a diagram showing a particular situation that includes a whole LAN
03:12 < nullboy> not just 3 devices
03:14 < nullboy> i think moving the vpn server to the border router would be better
03:14 < Rawplayer> nullboy: you want to reach the other lan clients over the vpn right?
03:14 < Rawplayer> instead of direct?
03:15 < nullboy> i don't think you and me are on the same channel here
03:16 < nullboy> i'll mess with the /30 thing though
03:17 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["battery died"]
03:17 < Rawplayer> nullboy: that is what i mean with " remind that you need to explain something who does not know how your network looks like.."
03:17 < Rawplayer> what an ass
03:30 -!- mahdi_ja [n=chatzill@212.50.230.204] has joined ##openvpn
03:31 < mahdi_ja> hi all.
03:31 < mahdi_ja> can i use openvpn for share internet connection.
03:35 < dazo> mahdi_ja: ehhh .... not sure what you really are asking about now
03:37 < mahdi_ja> dazo: i have one server and i have one internet connection.if create a vpn server in my system and another user connect to this,they can use internet.
03:39 < dazo> mahdi_ja: openvpn will not change things for other users ... depending on how you setup openvpn and how your openvpn server is located in your network, your clients might get access to the VPN network itself too, but the basic Internet communication for other users should not break if things are done properly
03:46 < mahdi_ja> dazo: i have a system with windows 2003 server with 2 nic card one connect to lan another to the adsl modem.user with vpn connect to this and use internet( i share internet).i want change this server to linux and openvpn .can i do it with openvpn
03:47 < dazo> mahdi_ja: sounds like a good approach ... yes, you can! :) in fact, this is a very common configuration
03:48 < mahdi_ja> dazo: do you have any resource for this ?
03:49 < dazo> mahdi_ja: what kind of experiences do you have with topics like Linux, networking, iptables and VPN?
03:49 * dazo just needs to know this to find good resources
03:50 < mahdi_ja> in linux and vpn and network good but iptable no.
03:51 < dazo> mahdi_ja: that sounds good! ... iptables is not difficult. I would then recommend you to just setup a default setup, install iptables, but make sure it is completely open in the beginning ...
03:51 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
03:51 * dazo looks for resources
03:52 < onats> !iroute
03:52 < vpnHelper> onats: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
03:52 < onats> !ccd
03:52 < vpnHelper> onats: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
03:52 < onats> !route
03:52 < vpnHelper> onats: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:52 < mahdi_ja> dazo: thank you.
03:53 < dazo> mahdi_ja: np! ... any experience with openvpn?
03:54 < mahdi_ja> dazo: i read this now reading this book:OpenVPN
03:54 < mahdi_ja> Building and Integrating Virtual Private
03:54 < dazo> mahdi_ja: I haven't read it myself ... but I believe that can be a good starting point
03:55 < mahdi_ja> dazo: it is simple and useful.
03:57 < mahdi_ja> dazo: have a nice day,bye.
03:57 < dazo> mahdi_ja: I'm not done
03:57 < dazo> mahdi_ja: I'm still looking for your info
04:00 < mahdi_ja> dazo: in "Linux Networking Cookbook" chapter 9 there is a good tutorial for creating vpn network with open vpn.step by step. i read this,and it is very useful.
04:01 < dazo> mahdi_ja: nice .... does it also cover iptables?
04:01 < mahdi_ja> dazo: yes.
04:01 < dazo> mahdi_ja: then you have all you need already
04:02 * dazo stops searching
04:03 < mahdi_ja> dazo: i test this and i disturb you again.
04:04 < dazo> mahdi_ja: sure! :)
04:04 < mahdi_ja> dazo: thank you my firend
04:05 < mahdi_ja> dazo: thank you my friend i see you again.
04:05 < dazo> mahdi_ja: np
04:05 -!- mahdi_ja [n=chatzill@212.50.230.204] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"]
04:10 < onats> anyone up?
04:11 < onats> i'm having issues on a windows XP box.. route is not working.
04:11 < onats> The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP address table for the machine
04:11 < onats> krzee are you there?
04:15 < dazo> onats: have you studied the --ip-win32 argument?
04:15 < dazo> onats: and --route-method
04:16 < onats> dazo, not familiar with those two
04:16 < onats> yet
04:16 < onats> can you enlighten me?
04:16 < onats> im just having issues with a windows xp client
04:16 < onats> with the exact same configurations, on a win2k3 server box, it connects properly
04:16 < onats> !ip-win32
04:16 < vpnHelper> onats: Error: "ip-win32" is not a valid command.
04:17 < dazo> those set how openvpn will interact with the IP layer in Windows ... which is different in the different windows versions
04:17 < dazo> !man
04:17 < vpnHelper> dazo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:17 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Remote closed the connection]
04:18 < dazo> onats: but it can also be that the TAP device is wrongly created, or you have some mismatch between tap indexes and the available tap devices
04:18 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
04:18 < onats> dazo, but i installed openvpn using the installer with openvpngui
04:18 < dazo> onats: I believe --show-adapters can help you figure out that
04:19 < dazo> onats: yeah, but that's not for sure it always works perfect .....
04:20 < onats> oh boy
04:20 < onats> the problem is the client device isnt in front of me... gahh...
04:20 -!- neverblue [n=jezus@unaffiliated/neverblue] has quit [Read error: 110 (Connection timed out)]
04:21 < onats> dazo, what information can i derive from show adapters?
04:21 < onats> should i reinstall the application then?
04:21 < onats> or recreate the tap drivers?
04:21 < dazo> onats: I don't remember, just reading man pages and throwing out ideas ....
04:21 < dazo> onats: I'd create to recreate tap devices .....
04:22 * dazo checking on a winxp box now .... to see if he sees something clever
04:23 -!- ohzie [n=ohzie@24.174.3.123] has joined ##openvpn
04:24 * dazo sees that --show-adapters gave less info than anticipated
04:24 < ohzie> If I /etc/init.d/openvpn start and I get a fail on the startup, is there anywhere more detailed than 'error' so that I know what I'm supposed to fix?
04:24 < ohzie> Even asking a question about it, I have to know why it's failing first. :P
04:24 < onats> i think you can set verbosity of logs and a log file in the config?
04:24 < onats> #status /tmp/openvpn-status.log #log /tmp/openvpn.log
04:25 < onats> add those to your config file
04:25 < onats> without the comment outs of course
04:25 < ohzie> Well my problem is I don't know where it's putting this error. All I see is "* Autostarting VPN 'server' ..............................[fail]"
04:25 < ohzie> [shell]
04:25 < onats> also set "verb 9"
04:26 < ohzie> Do you know where the default log is?
04:27 < onats> my best bet is to specify a log file
04:28 < ohzie> and that's just " log /path/to/log.file"
04:28 < ohzie> ?
04:28 < onats> yeah
04:28 < onats> but you have to set a verbosity level too
04:28 < dazo> ohzie: default is system logger if openvpn is started as a daemon .... console if not
04:28 < onats> oh that im not sure.. basta thats how i use the log file..
04:29 < dazo> verb 9 is very verbose ..... you might catch a lot with verb between 4-6
04:29 < ohzie> Yeah log /path/to/file.name doesn't work
04:29 < ohzie> Anyone else know how I can find or specify a log file? I don't know where 'system logger' would be
04:29 < ohzie> like where I'd read that stuff.
04:30 < dazo> ohzie: which OS?
04:30 < ohzie> ubuntu
04:30 < dazo> ohzie: /var/log/messages most probably
04:31 < dazo> ohzie: if you do ls -ltr /var/log .... in the bottom of this list, you will always find the last changed files
04:31 < ohzie> There's a lot of stuff there, but nothing from openvpn
04:32 < dazo> ohzie: grep openvpn /var/log/* ?
04:33 < ohzie> I found it
04:33 < ohzie> It was putting them in daemon.log
04:33 < ohzie> What a fucking jerk program
04:33 < dazo> onats: you may also check out --show-net ... that gave some info about adapters and their indexes as well
04:33 < ohzie> Okay that's weird "Unrecognized option or missing parameter(s)
04:33 < onats> which is a jerk program? openvpn?
04:33 < onats> heheh
04:34 < ohzie> Yes.
04:34 < ohzie> Okay so if it says server.conf:2
04:34 < ohzie> that means line 2, right?
04:34 < dazo> ohzie: I would guess so, yes
04:35 < ohzie> And now I know what the problem was
04:35 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
04:36 < ohzie> The dick who wrote this sample from his home network used a rich text editor like word. Everything is capitalized properly, at the beginning of a new line. Every single config option in the config file.
04:37 * dazo would never trust people who use rich text editors for writing config files .......
04:37 < dazo> that's like using cannons for fishing
04:40 < ohzie> Or a metal spatula in a nonstick pan
04:40 < ohzie> Thanks for the help, I couldn't have figured it out without you. :D
04:43 * dazo shrugs
05:21 -!- neverblue [n=jezus@S0106001a706142cc.gv.shawcable.net] has joined ##openvpn
05:27 -!- indra [i=c40c2d63@gateway/web/ajax/mibbit.com/x-b83f9aec7fa0b7cc] has joined ##openvpn
05:27 -!- gfolkert [n=greg@c-71-205-63-67.hsd1.mi.comcast.net] has joined ##openvpn
05:28 < indra> hi all
05:28 < indra> I installed openvpn in my debian and configured everything
05:28 < indra> everything is working fine
05:29 < indra> I am using 192.168.53.111 as my vpn server,
05:29 < gfolkert> !route
05:29 < vpnHelper> gfolkert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:29 < indra> now, i want another ip address in 52 domain, like 192.168.52.111 also to act as the vpn server
05:29 < indra> just adding a eth1:1 to the 52.111 ip is not working
05:29 < indra> is there anything else to be configures
05:30 < indra> configured to work with multiple ip address as vpn server
05:33 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:43 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 104 (Connection reset by peer)]
05:48 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
05:49 < tjz> Hello
05:49 < Rawplayer> hi
05:51 -!- indra [i=c40c2d63@gateway/web/ajax/mibbit.com/x-b83f9aec7fa0b7cc] has quit ["http://www.mibbit.com ajax IRC Client"]
05:54 -!- gfolkert [n=greg@c-71-205-63-67.hsd1.mi.comcast.net] has left ##openvpn []
05:54 < tjz> i am getting this error on windows vista system:
05:54 < tjz> openvpn route gateway is not reachable on any active network
05:57 < aar0n> !weather
05:57 < vpnHelper> aar0n: (weather ) -- Returns the approximate weather conditions for a given city.
05:57 < aar0n> !weather braunschweig
05:57 < Rawplayer> !weather
05:57 < vpnHelper> aar0n: Error: HTTP Error 500: Server Error
05:57 < vpnHelper> Rawplayer: (weather ) -- Returns the approximate weather conditions for a given city.
05:57 < Rawplayer> only for us?
05:57 < aar0n> !weather germany
05:57 < vpnHelper> aar0n: Error: HTTP Error 500: Server Error
05:57 < Rawplayer> !weather netherlands
05:57 < vpnHelper> Rawplayer: Error: HTTP Error 500: Server Error
05:57 < aar0n> lame!
05:58 * Rawplayer nullroutes vpnHelper
05:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:23 < dazo> !weather FRA
06:23 < vpnHelper> dazo: The current temperature in Mörfelden-Walldorf, Germany is 39.4°F (1:00 PM CET on January 28, 2009). Conditions: Scattered Clouds. Humidity: 73%. Dew Point: 32.0°F. Windchill: 33.8°F. Pressure: 30.04 in 1017.2 hPa (Steady).
06:23 < dazo> Rawplayer: ^ ^ ^ .... try airport codes ....
06:30 < ecrist> good morning, bitches
06:31 < tjz> good morning
06:31 < tjz> haha
06:44 < tjz> happy chinese new year~~~~~~~~~~
06:56 -!- casa0816 [n=casa@193.197.157.150] has quit ["Verlassend"]
07:04 < tjz> anyone into starcraft?
07:07 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
07:08 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:08 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
07:09 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:09 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:12 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:12 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
07:13 < ecrist> dvl, what sort of nastiness are you up to?
07:19 < dvl> ecrist: what were you seeing?
07:19 < ecrist> 07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:20 < dvl> ecrist: Oh, that was dueling IRC sessions. One on each laptop.
07:20 < ecrist> ah
07:20 < dvl> each one trying to get control of the BNC
07:20 < ecrist> BNC?
07:20 < dvl> And I did not notice it.
07:20 < dvl> I call it a BNC, don't know why.
07:20 < ecrist> the mask?
07:21 < dvl> mask?
07:21 * ecrist is confused
07:21 < dvl> http://www.gotbnc.com/
07:21 < dvl> Call it a proxy, that holds my connection when I close my IRC client.
07:22 < ecrist> ah
07:22 < ecrist> I have a solution for that, irssi and screen on one of my servers.
07:22 < dvl> Advantages: logs while I'm away.... keeps my nick..
07:23 < dvl> ecrist: That would work. But I use xchat in a gui. And my solution will work with any IRC client. It is client agnostic.
07:23 < dvl> I do like screen though.
07:23 < dvl> It also means if the kiddies want to flood me, they'll flood my server, not my home connection, or the office, etc.
07:24 < ecrist> I like xchat, but the aqua version hasn't been updated in quite a while, and I've found irssi is more than sufficient.
07:24 < dvl> I prefer mIRC, but it's not available on all my OS now.
07:25 < ecrist> ick
07:25 < dvl> On the topic of cars? Who said cars.
07:25 * cpm wonders why one would get themselves in a place where 'the kiddies want to flood me' was a real possibility.
07:25 < dvl> Considering buying a new Subaru (would be my 3rd). drove an Outback XT Limited last night.
07:25 < dvl> cpm: Kids acting up in a channel, you kick them out... etc
07:25 < ecrist> where did the car topic come from?
07:26 < cpm> 3rd in how long?
07:26 < dvl> cpm: I've been flooded for having the nick 'dvl'
07:26 < ecrist> my wife has a 2000 2.5RS
07:26 < dvl> cpm: current car is a 2001 Legacy wagon. Bought it new.
07:26 < dvl> cpm: before that, was a '91 used Wagon, sold it because I moved across the pacific.
07:26 < dvl> ecrist: It didn't. ;)
07:28 < mRCUTEO> hiya tjz
07:28 < dvl> cpm: the wife's car, is that a Legacy? what? I do not know it.
07:28 < mRCUTEO> :D
07:28 < ecrist> dvl, are you on drugs?
07:29 < cpm> dvl, well, I sure like subies, I've got just under $300K on my legacy outback. Not sure I'd buy another one, don't care for the new ones so much. but I'll hate it if this one ever goes. She's been fighting off the rust so far, as long as she doesn't get rust, I'll keep fixing her.
07:31 < dvl> ecrist: no, why do you ask? :)
07:31 < dvl> cpm: Mine has 100k miles just now.
07:31 < cpm> what year?
07:32 < cpm> '01?
07:32 < cpm> yer good to go!
07:32 < dvl> cpm: I wanted to upgrade, newer features. That's all. Plus, needs new tires, making some new sounds from the rear. And I have the cash now.
07:32 < ecrist> my wife's next car is going to be an STi
07:32 < dvl> cpm: yes, very reliable car. May see if one of my friends wants it.
07:32 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
07:33 < dvl> Heard about them.
07:33 < dvl> ecrist: It's too small for me. I do a bit of mountain biking, so I need the room to carry the bike in the back if there's salt on the roads, and room for gear on longer trips.
07:36 < dvl> ecrist: I just started my caffeine drip... does that count as drugs?
07:40 < ecrist> perhaps. ;)
07:42 -!- Guest96894 [n=Anon472@86.99.102.197] has joined ##openvpn
07:42 < Guest96894> general ssl question (not related to openssl)
07:42 < Guest96894> i generated a CSR in IIS win 2k3. and have a cert signed from my provider
07:43 < ecrist> ok
07:43 < Guest96894> but, between that period, i deleted the pending request
07:44 < Guest96894> so, now, i'm afraid the CSR also includes a private key??
07:44 < ecrist> what do you mean?
07:44 < Guest96894> it's all in IIS, u familiar with it?
07:44 < ecrist> with a CSR, you generate the request, as well as a matching key.
07:44 < ecrist> the signed certificate is worthless without the key
07:44 < Guest96894> matching key == private?
07:44 < ecrist> yep
07:44 < Guest96894> well, i went into that interface and clicked on "Delete pending request"
07:45 < ecrist> well, sounds like you deleted the key
07:45 < Guest96894> ways to retrieve it?
07:46 < ecrist> none that I know of.
07:46 < ecrist> I'm not familiar with the IIS certificate tools, so would be hard to help you there.
07:46 < ecrist> recover it from the backups I'm sure you're making...
07:46 < Guest96894> i think you are right that it's deleted
07:46 < Guest96894> nah, no backup for this i'm damn sure
07:46 < Guest96894> so i need to have another CSR again?
07:46 < ecrist> first mistake, there. ;)
07:47 < ecrist> yep
07:47 < Guest96894> 1st mistake, production environment!!
07:47 < Guest96894> 2nd point: do CAs provide resigning a request without considering it as a totally new request?
07:47 < Guest96894> i don't want to pay twice!
07:47 < ecrist> yes, they should support you. I know godaddy does.
07:48 < ecrist> just tell them you need to rekey your certificate.
07:48 < ecrist> they revoke the current one and will issue you a new one. everything in the CSR needs to be the same, aside from your private key (same CN, etc)
07:48 < Guest96894> alright..
07:49 < Guest96894> this is relieving!!
07:49 < Guest96894> the director is involved..
07:49 * dazo hopes Guest96894 is having a cooperative CA ...
07:49 < Guest96894> dazo: nah, sadly...
07:50 < Guest96894> there is no reason why we don't have
07:50 < ecrist> really, it's Guest96894's fault to begin with for not having backups.
07:50 < Guest96894> yeah...
07:50 < Guest96894> it's my stupid mistake
07:50 < dvl> Guest96894: For backups, I recommend http://www.bacula.org/
07:50 < vpnHelper> Title: Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix, and Windows (at www.bacula.org)
07:51 < dazo> Guest96894: dvl: http://www.boxbackup.org/ << my recommendation ;-)
07:51 < vpnHelper> Title: Box Backup (at www.boxbackup.org)
07:52 < dazo> (not as heavy and enterprisey as bacula ... even though bacula is good as well)
07:52 < dvl> dazo: I use Bacula to backup my systems at home and abroad. Just me, nobody else. No enterprise here.
07:53 < dazo> dvl: mm ... well, I do the same with boxbackup ... but the footprint of boxbackup is much smaller .... and a lot easier to setup
07:54 < Guest96894> dazo: i'm using windows
07:54 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
07:54 < dazo> Guest96894: I'm sorry for you
07:54 < Guest96894> this is funny
07:55 < dazo> ;-)
07:55 < Guest96894> i'm sad about this case
07:55 < Guest96894> sighhhh :(
07:55 < Guest96894> wondering what message to deliver to my boss hehehehe
07:55 < Guest96894> "i deleted private key, sorry"
07:55 < dazo> dvl: and the feature I like is that it has some kind of file/directory based raid solution embedded ... so it spreads the backup data on the storage server over three directories ... and can then easily be rsynced to 3 different locations and your backup data will not be compromised if one part is lost
07:56 < dazo> Guest96894: you can ALWAYS blame it on bad security in Windows :-P
07:56 < Guest96894> dazo: oh man... he is PRO windows!!
07:56 < Guest96894> dazo: he makes fun out of me when talking of open source stuff
07:56 < dazo> Guest96894: now I really, sincerely feel sorry for you
07:56 < Guest96894> dazo: he calls stupid complexity "unix-like stuff"
07:56 < dvl> dazo: I don't understand why that's in your backup solution and not in your filesystem solution.
07:56 -!- Shadowcat [n=Shadowca@static-213-115-110-250.sme.bredbandsbolaget.se] has joined ##openvpn
07:57 < Shadowcat> how long does it usually take to generate dh parameters?
07:57 < dazo> dvl: off-site backup .... to do that in a secure way
07:57 < Guest96894> dazo: i didn't know that windows deletes private key when CSR is deleted!!!!!
07:57 < Guest96894> private key is different than CSR >_< - what i know
07:58 * dazo never deletes things if I do not need to delete it
07:58 < Shadowcat> dazo: rm -rf / ;)
07:58 < Guest96894> dazo: there was a need. iis was down, and to bring back the self signed cert i had to delete it
07:58 < Guest96894> dazo: thanks to window's narrow minded gui!
07:58 < Shadowcat> why are you using the GUI if you're managing a windows server?
07:58 < dazo> Guest96894: yeah ... I use to move files away to another directory
07:59 < Guest96894> dazo: it's location is not in a directory i guess
07:59 < Guest96894> dazo: i should have used mmc to back it up
07:59 < dazo> Guest96894: aha ... well, I'm not pro-windows ..... you probably noticed :-P
07:59 < Shadowcat> Guest96894: and what's wrong with Windows Explorer?
07:59 < Shadowcat> if it's a key file just copy the file
07:59 < Shadowcat> not very hard
07:59 < Guest96894> Shadowcat: i'm talking about IIS
07:59 < dazo> Shadowcat: it's a key in the certificate register
08:00 < Shadowcat> regedit
08:00 < Shadowcat> :)
08:00 < Guest96894> regedit is ugly
08:00 < Shadowcat> regedit works
08:00 < Guest96894> but ugly and creepy hidden below stuff
08:00 < Guest96894> stuff like i don't know
08:00 < Guest96894> i hope, just hope, my CA will rekey it :(
08:00 < Shadowcat> ok..... so export the entire tree
08:01 < Shadowcat> it's very hard to miss something if you export the entire tree
08:01 < Guest96894> i have no luck
08:01 < Guest96894> see you tomorrow
08:01 < Guest96894> bye
08:01 -!- Guest96894 [n=Anon472@86.99.102.197] has quit ["leaving"]
08:01 < Shadowcat> it'll give you a 100mb txt file, but it'll be there
08:01 < Shadowcat> ...
08:02 < ecrist> what will be there?
08:09 < dvl> pr0n
08:09 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:13 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
08:28 < tjz> hahahaha
08:37 < dvl> ASCII pr0n
08:38 < tjz> oh
08:38 < tjz> hahaha
08:39 < cpm> 100mb ascii porn file?
08:39 < cpm> need a hi speed dot matrix with a good tractor feed to print.
08:41 < ecrist> and triplicate tractor-feed forms.
08:42 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection]
08:43 < tjz> hAHAHHAHA!!
08:49 -!- kyrix [n=ashley@91-115-25-56.adsl.highway.telekom.at] has joined ##openvpn
09:04 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
09:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:30 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:39 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has joined ##openvpn
09:39 < frankS2> /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf where can i get this file? its not there
09:40 < frankS2> all the other files are there except whichopensslcnf
09:40 < frankS2> (openbsd)
09:42 < kyrix> well i dont know in openbsd
09:43 < kyrix> http://www.netfrag.org/cgi-bin/dwww/usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf
09:43 < vpnHelper> Title: /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf (at www.netfrag.org)
09:43 < kyrix> probably similar to that one
10:07 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:12 -!- kyrix [n=ashley@91-115-25-56.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:19 -!- Shadowcat [n=Shadowca@static-213-115-110-250.sme.bredbandsbolaget.se] has quit [Read error: 131 (Connection reset by peer)]
10:31 < fbond> Hi, I am assisting someone remotely who is running OpenVPN 2 on a Windows server with the firewall disabled. We are unable to connect to the OpenVPN server at all (Connection refused). We are using port 443 (at his request), and `nc [ip address] 443` gives Connection Refused. Directly on the server, `telnet localhost 443` also gives Connection Refused. Any ideas?
10:32 < krzee> windows firewall
10:33 < krzee> also
10:33 < krzee> it may not be listening on localhost depending on config
10:33 < krzee> !configs
10:33 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:33 < dazo> fbond: check with netstat .... if you have something listening on port 443
10:35 < fbond> dazo: Um, does Windows have netstat?
10:35 < dazo> fbond: well, I believe I've used that on winxp .... yes
10:35 < fbond> krzee: I've been told that Windows firewall is disabled.
10:35 * dazo don't have windows access right now ... so he can't check
10:36 < fbond> !configs
10:36 < vpnHelper> fbond: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:36 < fbond> Oh, right.
10:36 < fbond> Where do I paste?
10:37 < dazo> !pastebin
10:37 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
10:37 < krzee> pls remove comments
10:40 < fbond> http://www.pastebin.ca/1320751
10:40 < fbond> That's the server config.
10:40 < fbond> I'm not even using a client yet since I can't connect to the port.
10:41 < fbond> Microsoft Windows [Version 5.2.3790]
10:44 < neverblue> QWToo it doesn't
10:45 < neverblue> QWToo: the extension association, done that way, associates which 'editor' the .ovpn will use. My issue is that the context menu doesnt have the 'Use OpenVPN with this config'
10:45 < neverblue> so it is a bit different
10:46 < krzee> netstat -a
10:46 < krzee> do you see * 443 UDP LISTEN ?
10:46 < krzee> something like that
10:46 < krzee> (no windows here to see exact)
10:47 < krzee> !winfw
10:47 < vpnHelper> krzee: Error: "winfw" is not a valid command.
10:47 < krzee> !factoids search win
10:47 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
10:47 < krzee> hrm
10:47 < fbond> krzee: Yep, waiting for a response on that...
10:52 < krzee> also, i dont think nc uses udp by default
10:57 -!- lvtn [n=azambuja@189.32.146.89] has left ##openvpn []
11:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:30 < fbond> krzee: Agh, my fault.
11:31 < fbond> I was using udp but then testing with telnet/nc over TCP. His firewall, meanwhile, was only port-forwarding TCP.
11:31 < fbond> krzee: Is there a good reason to prefer UDP?
11:31 < krzee> yes
11:31 < krzee> !tcp
11:31 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:34 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn
11:35 < Cope> !route
11:35 < vpnHelper> Cope: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:36 < Cope> hmm
11:36 < Cope> ok - if I have a user with a home network on 192.168.0.1/24 and an office network on the same subnet, how can I route packets reliably between the 2 networks?
11:37 < krzee> by changing one of the subnets
11:37 < Cope> surely on home.lan if I try to hit 192.168.0.31, it won't know which subnet to use?
11:37 < Cope> krzee: is there no other way?
11:37 < dazo> Cope: nope
11:37 < Cope> bugger
11:37 < krzee> theres another way involving nat, but its the wrong way
11:37 < krzee> and i wont help with it
11:38 < krzee> just change 1 side
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:39 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:39 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:48 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:55 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has quit [Remote closed the connection]
12:04 < fbond> krzee: Can using TCP cause immediate connection reset after authentication?
12:05 < fbond> krzee: I don't see auth errors in the server log...
12:09 < krzee> verb 6
12:09 < krzee> !logs
12:09 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
12:13 < fbond> I think I have verb 8 right now, acceptable?
12:13 < fbond> krzee: Getting new logs is a round trip to my remote friend...
12:14 < krzee> thats why i never help people who cant access both sides themselves
12:14 < krzee> but im making an exception cause im bored til my friend gets here to pick me up
12:14 < krzee> which is soon now
12:18 < fbond> krzee: Thanks...
12:20 < krzee> np
12:21 < fbond> krzee: http://www.pastebin.ca/1320851
12:23 < krzee> try to disable all packet filtering in firewalls for that port udp
12:23 < ecrist> will someone make a vpn for me on my network?
12:23 < ecrist> and can you set the rules on my firewall to support the new vpn?
12:24 < fbond> krzee: We're using TCP right now...
12:24 < krzee> !tcp
12:24 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:24 < fbond> krzee: Yes, I was wondering if this problem can be caused by using TCP...
12:24 < fbond> krzee: Do you think that that is the cause?
12:25 < krzee> no
12:25 < krzee> unless your firewall is playing with packets
12:25 < krzee> im not used to verb 8 logs
12:25 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has joined ##openvpn
12:26 < fbond> I don't think the firewall is doing any packet filtering on that port.
12:26 < krzee> friends here
12:26 < fbond> Ack, okay.
12:26 < fbond> Thanks for your help.
12:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
12:26 < kyrix> !route
12:26 < vpnHelper> kyrix: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:27 < kyrix> i always forget this link
12:30 * dazo wonders if vpnHelper is becoming a public bookmark storage :-P
12:30 * dazo goes home
12:48 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
12:53 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has left ##openvpn []
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:06 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:14 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:21 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Connection reset by peer]
13:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:40 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has quit ["Leaving"]
13:40 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has joined ##openvpn
13:42 < krzee> !weather 92109
13:42 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 61.5°F (11:44 AM PST on January 28, 2009). Conditions: Partly Cloudy. Humidity: 40%. Dew Point: 37.4°F. Pressure: 30.23 in 1023.6 hPa (Falling).
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:47 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:47 < kyrix> oh boy, ashley is getting mad at krzee
13:48 < kyrix> !weather a-1150
13:48 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:48 < kyrix> didnt expect it to work
13:48 < kyrix> ;)
13:48 < reiffert> !weather netherlands
13:48 < vpnHelper> reiffert: Error: HTTP Error 500: Server Error
13:49 < kyrix> !weather austria
13:49 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:49 < kyrix> !weather AT
13:49 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:49 < kyrix> doesnt matter, its far worse than in san diego
13:52 < reiffert> :)
13:57 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
13:57 -!- worch [i=worch@battletoad.com] has joined ##openvpn
14:00 < krzee> airport code works
14:01 -!- troy- [n=troy@worldnet.tauri.ca] has quit [SendQ exceeded]
14:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
14:02 < kyrix> hehe
14:03 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
14:05 < ecrist> will someone make a vpn for me on my network?
14:05 < ecrist> and can you set the rules on my firewall to support the new vpn?
14:06 < krzee> wassup eric 14:06 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 14:06 < ecrist> sup krzee 14:07 < krzee> not much man 14:07 < krzee> im gunna head into florida to send out those servers 14:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 14:08 < ecrist> sweet. 14:10 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn 14:10 < bigjohnto> on my windows xp box, i have openvpn setup and config sets.... i also have it on a laptop... the laptop works fine and resolves the hostname on the desktop which is also windows xp... it gives Cannot resolve hostname.... i can ping the host but for some reason something is blocking it.... any ideas? 14:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 14:14 -!- kreg is now known as Kreg-Work 14:20 < bigjohnto> norton internet security seems to be the issue 14:20 < bigjohnto> any specific rules to be placed ? 14:22 < kyrix> sorry, dont use norton security, dont use windows. but try checking if there is something where you can allow opening outgoing "ports" 14:22 < bigjohnto> kyrix, 1194? 14:22 < kyrix> well, yes. but outgoing. 14:22 < kyrix> and try just turning it off and seeing if it works 14:23 < kyrix> ah hold on... 14:23 < kyrix> the desktop cant even resolve the hostname. 14:24 < bigjohnto> kyrix, desktop can, but openvpn can't when internet security is on... if i disable it, it works, but i want to see if i can with it enabled.... 14:24 < bigjohnto> 1194 outgoing doesn't seem to have resolved it.... is there a binary "/bin" on the openvpngui that does the resolving? 14:25 < kyrix> cant help you really with the windows port 14:25 < kyrix> i could probably barely help you with the linux port ;) 14:25 < bigjohnto> np 14:26 < kyrix> isnt there a list of apps trying to get out? 
or try adding all the apps under openvpn to the whitelist of your firewall 14:26 < bigjohnto> ok thanks, away for abit while i try 14:29 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has quit ["Leaving"] 14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 14:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 14:54 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 14:56 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 15:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 15:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 15:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 15:50 -!- kaii [n=kai@ciphron.de] has left ##openvpn [] 15:50 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 15:55 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 16:00 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 16:10 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 104 (Connection reset by peer)] 16:11 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn 16:20 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 16:25 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)] 16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 16:26 < neverblue> guys, having an issue with using OpenVPN in Vista. 
Is there any common resolutions to fix issues (I have the latest release of OpenVPN installed) 16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 16:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 16:37 < reiffert> neverblue: start by reading logs. 17:00 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has joined ##openvpn 17:00 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has quit [Client Quit] 17:01 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has joined ##openvpn 17:02 < ocuevas> hello 17:02 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:02 < ocuevas> hello 17:03 < ocuevas> Does anybody know what's the best way to revoke a vpn user? 17:04 < reiffert> revoke the certificate. 17:07 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 17:07 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 17:09 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [] 17:12 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 17:13 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:14 < ocuevas> yeah but from the pfsense we don't have the certs on it. 17:14 < ocuevas> how do I create a pem clr list is maybe a better question 17:15 < reiffert> !howto 17:15 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:17 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 17:24 < plaerzen> ugh. 17:28 < ecrist> oh, that command should be in 17:28 < ecrist> !crl 17:28 < vpnHelper> ecrist: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. 
The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with 17:28 < vpnHelper> ecrist: openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you 17:28 < ecrist> grr 17:28 < ecrist> krzie: fix my damn bot perms 17:28 < ecrist> lemme get the command for you 17:29 < ecrist> openssl ca -gencrl -out CRL.pem -config openssl.cnf 17:30 < reiffert> why not read it up in the howto? 17:31 < ecrist> reiffert: not everyone uses ssl-admin or easy-rsa. 17:31 < reiffert> ecrist: can we assume that everyone uses openvpn that comes to that channel? 17:32 < ecrist> nope 17:32 < ecrist> we get a fair amount of traffic here on general SSL stuff 17:32 < reiffert> ecrist: can we assume further that the official openvpn howto will be valid for all openvpn users that ask questions about openvpn on ##openvpn? 17:32 < ecrist> get up on the wrong side of the bed today, reiffert? 17:33 < reiffert> ecrist: cant remember, just like every other day I guess. 17:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:38 < reiffert> ecrist: maybe it's that I like much more a general approach than a particular solution. The general approach here might help the guys solve a whole bunch of problems alltogether... 17:39 < reiffert> at once 17:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 17:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:47 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 17:49 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:52 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 17:55 < ecrist> ouch, my wiki is a bit out of date. 17:56 < ecrist> I think I'll update it tomorrow. 
17:56 < dvl> slacker
17:56 < dvl> sitting around on IRC all day....
17:56 < ecrist> MediaWiki 1.10.0, current is 1.13.1
17:57 < ecrist> that cuts deep, dvl
17:58 < dvl> ecrist: I can see the sadness in your face.
17:58 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:59 < dvl> That said, my openvpn is running flawlessly.
18:03 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
18:03 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
18:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
18:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:13 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
18:33 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
18:40 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has quit ["Leaving"]
19:04 -!- c64zottel [n=hans@p5B1780C8.dip0.t-ipconnect.de] has joined ##openvpn
19:21 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:22 -!- muxpux [n=muxpux@soup.capital-today.net] has left ##openvpn []
19:30 -!- shadowhywind [n=shadowhy@adsl-69-212-64-136.dsl.milwwi.sbcglobal.net] has joined ##openvpn
19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:31 < shadowhywind> hay all, i just installed the openvpn plugin for knetworkmanager, in my config I have it setup to route all my traffic through the vpn, Can i still do that with the knetworkmanager - openvpn?
19:35 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:59 -!- sputnick [n=sputnick@unaffiliated/sputnick] has joined ##openvpn
19:59 < sputnick> hi there
20:09 -!- c64zottel [n=hans@p5B1780C8.dip0.t-ipconnect.de] has left ##openvpn []
20:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Client Quit]
20:28 -!- sputnick [n=sputnick@unaffiliated/sputnick] has left ##openvpn ["bip...bip...bip...krssh!...beep...beep...beep"]
20:32 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
20:50 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has joined ##openvpn
20:53 -!- WebGuest [n=WebGuest@S01060014d1348305.ed.shawcable.net] has joined ##openvpn
20:54 -!- shadowhywind [n=shadowhy@adsl-69-212-64-136.dsl.milwwi.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
20:55 < WebGuest> anyone know openvpn well?
20:56 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
20:57 < tjz> yes, sir! reporting in!!
20:57 -!- WebGuest [n=WebGuest@S01060014d1348305.ed.shawcable.net] has quit [Remote closed the connection]
20:57 -!- krethan [n=krethan@S01060014d1348305.ed.shawcable.net] has joined ##openvpn
20:59 < krethan> i want the server part to see the client's computers
20:59 < krethan> how do i do that
21:02 -!- krethan [n=krethan@S01060014d1348305.ed.shawcable.net] has quit [Client Quit]
21:25 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn
21:27 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
21:50 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
21:50 < prxtien> hey all, does anyone have binaries for powerpc
21:50 < prxtien> i need a binary for a dreambox ;)
21:50 < ecrist> prxtien: there are some out there.
21:50 < ecrist> go to Tunnelblick website (use google to find) and download an old copy of their program.
21:51 < ecrist> actually, a new copy may work, as well.
21:51 < prxtien> i just cant compile it
21:51 < prxtien> no space to compile on this system
21:51 < ecrist> follow my directions above, you should be fine
21:51 < prxtien> /dev/root 3.9M 3.9M 0 100% /
21:51 < prxtien> /dev/mtdblock/1 2.8M 900.0k 1.9M 32% /var
21:52 * ecrist goes to bed.
21:52 < prxtien> okay
22:13 < frankS2> http://pastebin.com/m7985a474 <-- hello i am having problems with that clients connected to the server can not assign the internal network, this is my config file anyone that could help me? :)
22:27 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
22:30 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
22:35 -!- neverblue [n=jezus@unaffiliated/neverblue] has quit [Read error: 60 (Operation timed out)]
22:44 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn
22:44 < grendal_prime> im looking for info on using one CA for several open vpn servers.
22:45 < grendal_prime> this is probably a simple thing to do..but im unable to locate anything that sounds like what im trying to do.
22:45 < grendal_prime> basically we want one ca where we generate all the certs and keys and the other vpn servers to use those keys and certs. Is this possible with openvpn2.0 ?
22:46 < grendal_prime> we dont want to have to replicate the credentials to the other servers.
22:46 < grendal_prime> does that make any sense?
23:09 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:49 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection]
--- Day changed Thu Jan 29 2009
00:00 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
00:00 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 60 (Operation timed out)]
00:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:38 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
00:46 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
01:04 < reiffert> moin
01:29 -!- zheng [n=zheng@218.82.136.169] has joined ##openvpn
01:37 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
01:41 < tjz> i sense a chinese..
02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:47 -!- zheng [n=zheng@218.82.136.169] has quit ["Leaving"]
02:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:41 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has joined ##openvpn
03:48 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
03:55 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
03:58 -!- nobody999 [n=bla@89.246.131.77] has joined ##openvpn
04:06 < nobody999> hi
04:06 < nobody999> I'm trying to establish a vpn roadwarrior connection.
04:06 < nobody999> the client is a windows vista machine and the server is a linux machine.
04:06 < nobody999> Both machines are behind a router.
04:06 < nobody999> The openvpn client tells me that the connection is established but a ping from client to server doesn't give an answer.
04:06 < nobody999> I think I have a routing problem.
04:06 < nobody999> Is there someone who can help me?
04:10 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
04:12 < nobody999> my routing tables --->http://pastebin.com/d5a3b20bf
04:13 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)]
04:13 -!- kaii [n=kai@ciphron.de] has quit [Read error: 60 (Operation timed out)]
04:14 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
04:15 < dazo> nobody999: do you have some configs as well?
04:16 -!- ikevin_ [n=kevin@ANancy-256-1-121-180.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
04:16 -!- ikevin_ [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has joined ##openvpn
04:16 < dazo> nobody999: at first glance, it looks like you are missing a ' push "route " ' statement in your server config .... I can't say I see any routing being pushed to your internal network behind the server on your client
04:18 < nobody999> can you tell me how the route should look like?
04:19 < dazo> nobody999: I would presume .... route 192.168.0.0 255.255.255.0
04:23 < nobody999> my server.conf -->http://pastebin.com/d5881fb3c
04:24 < nobody999> you think the route 192.168.0.0 is wrong?
04:25 < dazo> nobody999: seems you have the route here .... did you modify the config before posting it? .... this route should show up in your windows box ....
04:25 < dazo> nobody999: are you running openvpn with privileges? It needs administrator (or maybe networking is enough) privileges to be able to add that route on your client
04:26 < dazo> nobody999: check your log files carefully for errors .... use verb 3 in client config to find most obvious failures
04:27 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
04:28 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 110 (Connection timed out)]
04:29 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)]
04:30 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
04:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:33 < nobody999> I didn't modify the configs
04:34 < nobody999> openvpn is running as root
04:34 < nobody999> and I have verb 3 in client conf but I don't see an error:(
04:36 < dazo> nobody999: but is openvpn running with admin privileges on your windows box?
04:36 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection]
04:37 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
04:37 < nobody999> yes it is
04:37 < nobody999> client logfile --->http://pastebin.com/d54278110
04:37 * dazo needs to catch a tram in 5 min
04:38 < dazo> client log looks fine .... it claims to have the route setup OK ....
04:38 * dazo don't understand why it do not show up with the route command
04:39 < nobody999> are you sure there is a route missing?
04:39 < dazo> nobody999: I'm so so so sorry! I see the route now ....
04:39 < dazo> 192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 31
04:39 < nobody999> :)
04:40 * dazo is blind
04:40 < dazo> but needs to run now
04:40 < nobody999> but I get no answer when i send a ping
04:40 < nobody999> iptables on server is disables
04:41 < nobody999> on windows firewall is also disables
04:41 < nobody999> disabled
04:42 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
05:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
05:54 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has quit [Remote closed the connection]
06:17 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has quit ["Leaving."]
06:47 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
06:47 < metbsd> this channel is my last hope..
06:48 < metbsd> my client can connect from nic1 1.2.3.4/255.255.255.0, but cannot ping 5.6.7.8/255.255.255.192
06:48 < metbsd> how should i config them
06:51 < reiffert> so you have a working openvpn setup, means client connects to server?
06:51 < metbsd> yes
06:51 < metbsd> this pc has two nics, two networks
06:51 < metbsd> 1.2.3.4/255.255.255.0 is where client connect openvpn
06:51 < reiffert> all you want is to have the client get routing information like: send all the stuff that belongs to 5.6.7.8/6 directly over the openvpn 'wire'?
06:52 < metbsd> 5.6.7.8/255.255.255.192 is at nic2
06:52 < metbsd> i need this client to ping 5.6.7.1/255.255.255.192
06:52 < reiffert> nic2 of what host?
06:53 < metbsd> nic1 and nic2 are on same pc
06:53 < reiffert> server or client?
06:53 < metbsd> server
06:53 < metbsd> nic1 and nic2 are on same server
06:53 < reiffert> have push "route 5.6.7.0 255.255.255.192" in your server config
06:53 < reiffert> push "route 5.6.7.0 255.255.255.192"
06:53 < metbsd> yes did that
06:53 < reiffert> great.
06:54 < metbsd> it's wrong?
06:54 < reiffert> no.
06:55 < metbsd> what should i put for 'server'
06:55 < reiffert> sorry?
06:55 < metbsd> for the option "server ...."
06:55 < reiffert> 13:55 < reiffert> so you have a working openvpn setup, means client connects to server?
06:55 < reiffert> 13:55 < metbsd> yes
06:55 < reiffert> dont change anything but add a single line:
06:55 < reiffert> 13:58 < reiffert> push "route 5.6.7.0 255.255.255.192"
06:56 < reiffert> the option "server ..." does not change.
06:56 < metbsd> ok
06:57 < reiffert> restart openvpn, reconnect the client, paste the complete routing table of the client
06:57 < reiffert> to pastebin.ca
06:58 < metbsd> ok
07:00 < metbsd> nic1 for internet: 192.168.1.118/255.255.255.0
07:00 < metbsd> nic1 for internet vpn client: 192.168.1.118/255.255.255.0
07:00 < ecrist> good morning, chicken fuckers!
07:00 < metbsd> nic2 for LAN: 10.100.1.8/255.255.255.192
07:02 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
07:02 < metbsd> reiffert: can you plz help me
07:02 < reiffert> 14:01 < reiffert> restart openvpn, reconnect the client, paste the complete routing table of the client
07:02 < reiffert> 14:02 < metbsd> ok
07:02 < reiffert> 14:02 < reiffert> to pastebin.ca
07:02 < reiffert> still waiting for that.
07:03 < metbsd> ok it's coming
07:03 < metbsd> thanks for help
07:05 < metbsd> http://pastebin.ca/1321713
07:06 < metbsd> plz help me out
07:06 < reiffert> Let's fix the conversational problems first:
07:07 < reiffert> a "routing table" is what you get by entering the command: netstat -nr
07:07 < reiffert> what you got me is the openvpn logfile
07:07 < metbsd> ok
07:07 < metbsd> wait plz
07:08 < metbsd> i'm on windows..
07:08 < metbsd> ok asking client to send it over
07:09 < reiffert> !configs
07:09 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:09 < reiffert> gonna need that as well.
07:12 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)]
07:13 < metbsd> http://pastebin.ca/1321720 server/client conf file
07:15 < reiffert> looks ok, but we still need the clients routing table.
07:16 < reiffert> open a dosbox (start->run->cmd enter), type netstat -nr
07:17 < reiffert> the client logfile would be nice to have as well
07:18 < metbsd> ok
07:19 < metbsd> http://pastebin.ca/1321725 netstat
07:21 < reiffert> As we can see from line 14, the push "route 10.100.1.0 255.255.255.192" worked.
07:22 < metbsd> but he cannot ping 10.100.1.1 from nic2(10.100.1.8/255.255.255.192)
07:22 -!- nobody999 [n=bla@89.246.131.77] has quit []
07:22 < reiffert> does ping 10.100.1.8 work?
07:22 < reiffert> on the client
07:23 < metbsd> yes
07:23 < reiffert> whats the default gateway of the 10.100.1.0/26 net?
07:24 < metbsd> empty
07:24 < metbsd> i didn't set it
07:24 < metbsd> wait
07:24 < metbsd> i set it
07:24 < metbsd> 10.100.1.1
07:24 < reiffert> how should 10.100.1.1 know where to send packets to that should get outside of 10.100.1.0/26 then?
07:25 < reiffert> ah, so 10.100.1.1 is the default gw for that net?
07:25 < metbsd> for nic2, 10.100.1.8/255.255.255.192 as netmask, and default gateway is 10.100.1.1
07:25 < metbsd> yes
07:25 < reiffert> what kind of operating system is running on 10.100.1.1?
07:25 < metbsd> linux
07:25 < metbsd> redhat
07:25 < reiffert> great. go to that computer and add a route:
07:26 < metbsd> ok
07:26 < reiffert> route add -net 10.100.2.0 255.255.255.0 gw 10.100.1.8
07:26 < reiffert> wait
07:27 < reiffert> route add -net 10.100.2.0/24 gw 10.100.1.8
07:28 < reiffert> then from the commandline of 10.100.1.1 type: ping 10.100.2.5
07:30 < metbsd> it works
07:30 < metbsd> but why though
07:30 < reiffert> look:
07:31 < reiffert> packets that come from the client have the source IP 10.100.2.5, right?
07:31 < metbsd> yes
07:32 < reiffert> they come to the openvpn server. the server knows: ah, the destination PC, 10.100.1.1 is on NIC2, so I pass the packet to that interface
07:32 < reiffert> the packet reaches 10.100.1.1 who then sends a ping reply to 10.100.2.5, which he knows can be reached at 10.100.1.8
07:33 < metbsd> i see
07:33 < metbsd> thanks a lot man
07:34 < reiffert> when you send a ping packet to 10.100.1.200, that machine will send the ping reply packet to 10.100.1.1 who tells the 10.100.1.200 machine: hey dude, the 10.100.2.0 net can be reached on 10.100.1.8, and 10.100.1.200 will follow that
07:34 < metbsd> oh,
07:34 < reiffert> oh?
07:34 < metbsd> and after that?
07:35 < reiffert> machine 10.100.1.200 will send the ping reply to 10.100.1.8 which is your openvpn server, which sends the packet to the openvpn client.
07:35 < metbsd> ah
07:35 < reiffert> cool, eh?
07:36 < metbsd> yah, networking is ,, fantastic
07:36 < metbsd> how do you get so good
07:36 < reiffert> I call that basic concepts of networking.
07:36 < metbsd> ok thanks man
07:36 < metbsd> i'm vpn newbie
07:37 < metbsd> i don't know how it works
07:37 < metbsd> good night
07:37 < reiffert> welcome
07:37 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn []
07:58 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
08:11 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:16 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
08:21 -!- c64zottel [n=hans@141.37.33.125] has quit [Client Quit]
08:21 -!- aurel42 [n=aurel@p57923313.dip.t-dialin.net] has joined ##openvpn
08:21 < aurel42> Ah, that's nice.
08:21 < aurel42> !route
08:21 < vpnHelper> aurel42: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
08:24 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
08:25 < aurel42> That doesn't seem to help.
08:25 < ecrist> aurel42: we need more information to help you.
08:26 < aurel42> I'm trying to tunnel a routed network (non-RFC 1918), I'd like to know whether OpenVPN has special provisions for handling the default route.
08:26 < ecrist> I don't know what you're asking, specifically.
08:26 < reiffert> !redirect
08:26 < vpnHelper> reiffert: Error: "redirect" is not a valid command.
08:26 < aurel42> In a perfect world, it would set up a new default route when establishing the tunnel, and revert to the "old" default route when the tunnel went down.
08:27 < ecrist> there is a lot of information on the howto on setting default routes
08:27 < aurel42> Uhm. Lemme go back there.
08:27 < reiffert> aurel42: check out the manpage, --redirect-gateway with option def1 in particular.
08:27 < ecrist> aurel42: that topic is covered well on the howto
08:27 < aurel42> reiffert: thanks, I'll look in the howto specifically for --redirect-gateway
08:28 < aurel42> I mainly checked the FAQ and the man page and was looking for a term like "default route" ;)
08:28 < reiffert> aurel42: which leads you to --redirect-gateway def1
08:28 < reiffert> at least for my 2.1 manpage.
08:29 < aurel42> Now that I know what I was looking for, I can clearly see it's there.
08:29 < aurel42> I bet you won't believe me that it wasn't, before. :D
08:30 < reiffert> self-adjusting manpage, nice one
08:31 < ecrist> I hate when that happens.
08:31 < aurel42> 0.0.0.0/1 - what a neat trick, I would've never thought of that.
08:32 < reiffert> ecrist: it happens when I read C library manpages and after that look at example code.
08:33 < aurel42> Well, if it works, I'm probably going to timeout now.
08:36 -!- aurel42 [n=aurel@p57923313.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
08:43 < reiffert> outtiming is one thing ...
08:43 < reiffert> not coming back the other ...
08:43 < ecrist> hehe
08:54 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
08:54 -!- nobody999 [n=bla@89.246.131.77] has joined ##openvpn
08:56 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
09:03 -!- Bushmills [n=nnnl@verhau.de] has left ##openvpn ["Leaving."]
09:09 < nobody999> hi
09:09 < nobody999> I have an established roadwarrior connection.
09:09 < nobody999> if the roadwarrior send a ping to the vpn server or another client on the server side I get an answer.
09:09 < nobody999> But if I try to access a website nothing happens. Only websites on the vpn server can be accessed, but not on the other machines in the same subnet.
09:09 < nobody999> how can that be?
09:14 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
09:23 < ecrist> nobody999: you need to setup a proper default route, and NAT from the VPN server out to the internet for VPN clients.
09:27 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
09:28 < nobody999> I think i have:)
09:28 < nobody999> and a ping is working to all machines
09:28 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
09:29 < nobody999> but I have no access via http to the router for example
09:30 < ecrist> I'd check your firewall, then.
09:40 < nobody999> oh I see the firewall tells me "LAN-side SYN Flood"
09:44 < nobody999> ok it was the IP Flood Detection
09:44 < nobody999> thanks:)
09:46 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn
09:46 < clustermagnet> gents, question :)
09:46 < clustermagnet> i've been using openvpn for quite some time, for small tasks
09:47 < clustermagnet> im about to roll out a bigger VPN network, and need your advice
09:47 < clustermagnet> lets say there is an office, with a NAS, exporting CIFS and NFS...
09:47 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
09:47 < clustermagnet> lets say that network is 10.10.10.20/24
09:47 < ecrist> nobody999: np. Our chan topic is usually accurate...
09:47 < clustermagnet> if you have road warrior VPN clients and macbook pros running openvpn clients
09:48 < clustermagnet> can they easily mount to these cifs/nfs exports via openvpn? :)
09:48 < ecrist> clustermagnet: yes, but I'd recommend soft mounts for NFS
09:48 < clustermagnet> ecrist: awesome :)
09:48 < clustermagnet> ecrist: the tunnel configuration on the clients.... should it be TUN or TAP?
09:48 < ecrist> hard mounts, if the connection goes down, will hang the client machine.
09:49 < ecrist> clustermagnet: I recommend TUN, unless you have a legit reason for needing TAP.
09:49 < clustermagnet> ecrist: perfect
09:49 < ecrist> i.e. a non-IP protocol
09:49 < ecrist> like NetBIOS
09:49 < clustermagnet> ecrist: i'm having issues now with NFS, thats why i asked :(
09:49 < clustermagnet> ecrist: thanks :)
09:49 < ecrist> clustermagnet: i'd recommend against NFS shares over a VPN
09:49 < clustermagnet> ecrist: do you mind looking into my current issue as well? :)
09:49 < ecrist> use something more fault tolerant
09:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:50 < clustermagnet> right now, I have a VPN server, im hosting it as an instance on EC2 :)
09:50 < clustermagnet> so there are 2 clients connecting, one from home, other from office
09:50 < clustermagnet> home client has an NFS server with some music
09:50 < clustermagnet> i'd love to mount the same export in the office
09:50 < clustermagnet> thats not working :(
09:52 -!- nobody999 [n=bla@89.246.131.77] has quit []
09:52 < ecrist> clustermagnet: why not use MacFUSE or something similar?
09:52 -!- Gorkhaan [n=Administ@87.229.108.75] has joined ##openvpn
09:53 < ecrist> absolves the need for a VPN all together, really.
09:53 < ecrist> complicated != better
09:53 < clustermagnet> ecrist: macfuse, as in ssh mounts?
09:54 < clustermagnet> ecrist: now, there is a larger task, reason why it has to be NFS
09:54 < clustermagnet> essentially the NAS is configured to export the same files via CIFS and NFS :)
09:54 < clustermagnet> thats why i have to stick to NFS
09:54 < clustermagnet> in any case, do you know why i cant mount up NFS in such fashion? :)
09:54 < ecrist> nope
09:55 < clustermagnet> ecrist: you sure i can mount up NFS/CIFS with road warriors then?
09:55 < ecrist> don't know why you couldn't.
09:55 < ecrist> I do it here on occasion
10:00 < clustermagnet> ecrist: do you mount NFS or CIFS, or both
10:01 < ecrist> NFS
10:02 * dazo uses CIFS over VPN from time to time as well
10:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:05 < clustermagnet> dazo: ecrist thanks guys
10:08 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection]
10:13 < reiffert> well, CIFS was designed to play a role in LANs.
10:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:37 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Read error: 104 (Connection reset by peer)]
10:41 < dvl> anyone seen a traffic shaper for Linux that limits incoming bandwidth? Say so your client doesn't upload more than 100KB/s for example.
10:41 < dvl> I'm *told* they exist only for outgoing connections.
10:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:45 < reiffert> dvl: so it is.
10:46 < reiffert> dvl: there is some ingress shaping concept but it doesnt work well as part of IP. http://lartc.org for better understanding.
10:46 < vpnHelper> Title: Linux advanced Routing & Traffic Control HOWTO (at lartc.org)
10:46 < reiffert> damn, thats linux.
10:47 < ecrist> dvl: pf can limit in both directions, works best with a bridging gateway with an inbound and outbound NIC
10:47 < ecrist> I've got a wiki page on it, let me find it
10:47 < dvl> reiffert: some people keep asking for traffic management as part of Bacula. Most devs say no, we won't do it.
10:47 < ecrist> http://www.secure-computing.net/wiki/index.php/Traffic_Shaping_with_pf/ALTQ
10:47 < vpnHelper> Title: Traffic Shaping with pf/ALTQ - Secure Computing Wiki (at www.secure-computing.net)
10:47 < dvl> ecrist: Yes, to pf, I know that solution, but this guy needs linux.
10:48 < ecrist> oh, linux FTL
10:48 < reiffert> dvl: http://lartc.org/howto/lartc.adv-qdisc.ingress.html
10:48 < vpnHelper> Title: Ingress qdisc (at lartc.org)
10:48 < ecrist> dvl, you could probably hack something together with a gif interface and limit traffic between eth0 and the gif
10:48 < reiffert> dvl: there is a nice and working approach: have a real interface and a virtual one. The ingress on the real interface is egress heading to the virtual one, and that one can be shaped.
10:49 < reiffert> dvl: was doing this once, let me get some details.
10:49 < ecrist> hah reiffert! I beat you to it.
10:49 * ecrist > reiffert (today anyway)
10:49 < dvl> reiffert: nice.
10:50 < reiffert> dvl: it's called imq
10:50 < reiffert> http://snap.reifferscheid.org/imq.sh.txt
10:51 < reiffert> well thats what's left in my projects/ folder, I remember it was working :)
10:52 < reiffert> and here is more about it http://lartc.org/howto/lartc.imq.html
10:52 < vpnHelper> Title: The Intermediate queueing device (IMQ) (at lartc.org)
10:52 < reiffert> ecrist: time to show up now.
10:53 * ecrist slinks away
10:54 < reiffert> dvl: I remember I had to try several kernel versions until I got a working module ...
10:54 < reiffert> dvl: back in 2.6.1x times.
10:57 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn []
11:01 < ecrist> dvl: bacula doesn't have a means to throttle backup bandwidth?
11:11 < dvl> ecrist: correct, by design.
11:22 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 60 (Operation timed out)]
11:22 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:23 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
11:24 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:25 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
11:43 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
11:54 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
12:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:01 < ecrist> dvl, seems like a missing feature to me.
12:01 < ecrist> it uses rsync and similar protocols, doesn't it?
12:07 < dvl> ecrist: it does not.
12:29 -!- xattack [i=xattack@132.248.108.239] has quit []
12:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:39 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:43 -!- dgodfather [n=dgodfath@bzq-79-179-78-211.red.bezeqint.net] has joined ##openvpn
12:43 < dgodfather> Hi to all
12:44 < ecrist> dvl, seems like a missing feature to me.
12:44 < dgodfather> i can't succeed configuring my openvpn i dont know why anymore. i read the articles and followed it
12:44 < ecrist> what articles?
12:45 < dgodfather> still can't. when i tried to use a tap interface and bridge it, it failed mostly because of the bridging itself
12:45 < dgodfather> ecrist, sorry bad choice of words, meant the tutorial in openvpn site
12:46 < dgodfather> and when trying to work with tun, i get the new network for the vpn connection but cant even ping between hosts with that address
12:46 < dgodfather> can you please help me, it's very important and please guide me with what ever you need for that
12:46 < dgodfather> i will supply all relevant files and configurations i have
12:47 < dgodfather> except the .key .crt files etc :)
12:47 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:47 < ecrist> read channel topic
12:47 < dgodfather> i wasted my whole day on that and still it doesn't work
12:47 < dgodfather> yeh i see you need configs and logs
12:48 < dgodfather> where are the logs?
12:48 < ecrist> ::gran::
12:48 < ecrist> !logs
12:48 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
12:48 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:48 < ecrist> !configs
12:48 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:48 < dgodfather> i am exactly now pasting the .conf files
12:48 < dgodfather> OK that will take a few
12:49 < dgodfather> Linux debian 2.6.26-1-amd64
12:49 -!- xattack [n=xattack@132.248.108.239] has joined ##openvpn
12:52 < dgodfather> ecrist, server.conf -> http://pastebin.com/m4b287db3
12:55 < ecrist> dgodfather, with tun, were you able to get a working VPN, where the client could connect to and ping the VPN server?
12:56 < dgodfather> nope
12:56 < dgodfather> it can't even ping the server
12:56 < dgodfather> sending the client config
12:56 < dgodfather> client config -> http://pastebin.com/m6740ba0e
12:57 < dgodfather> though i got to say it doesn't feel too good exposing the whole structure of my vpn
12:57 < ecrist> lol, you're nothing special
12:57 < ecrist> you're not revealing anything that couldn't be found out in other ways
12:57 < dgodfather> yeh i know and yet many people just like to ruin other peoples lives for fun
12:58 < dgodfather> true, that is because i am trying not to :)
12:58 < ecrist> first problem, dev needs to match between client and server
12:58 < ecrist> your client config show tap, server config tun
12:58 < dgodfather> they are both dev tun
12:58 < dgodfather> ohhhhh well it was changed now
12:58 < dgodfather> sec let me check again
12:58 < ecrist> well, then pastebin.com changed it on you
12:59 < dgodfather> nope, i changed it trying to make things work from one form to the other
13:00 < dgodfather> last time i forgot to return it, nonetheless still i cant ping the server
13:00 < dgodfather> by the way the debian is for the server
13:00 < ecrist> now, you could have changed the remote address to not reveal that. ;)
13:00 < dgodfather> the client is on windows
13:00 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has joined ##openvpn
13:00 < ecrist> I gathered that part.
13:00 < dgodfather> ohhhhhhh shit
13:00 < dgodfather> well i will change that
13:00 < ecrist> too late
13:01 < dgodfather> ecrist, well you are kind of making me worry
13:01 < ecrist> lol
13:01 -!- Gorkhaan [n=Administ@87.229.108.75] has quit [Read error: 110 (Connection timed out)]
13:01 < dgodfather> well how can i make my vpn work?
13:02 < ecrist> dgodfather: with the client config set to tun, your client should be able to connect, if the local statement in your server config and your server-side firewall are setup correctly
13:02 < ecrist> why do you have local ?
13:02 < dgodfather> what do you mean my local statement? 13:02 < dgodfather> ohhhhhh just because i tried that too. 13:02 < ecrist> line one of your server.conf: local 192.168.2.100 13:02 < dgodfather> remove it? 13:03 < ecrist> yes 13:03 < ecrist> and restart openvpn on the server 13:04 < dgodfather> OK, still no ping 13:04 < ecrist> hang on. I didn't tell you to connect yet, did I? 13:05 < dgodfather> no you didn't 13:05 < dgodfather> disconnected 13:05 < ecrist> after a restart, is openvpn on the server listening to the public IP of the server? 13:06 < dgodfather> well i am behind a router so i guess it should be listening to the router address? 13:06 < dgodfather> and how do i establish if that is the case? 13:08 < dgodfather> ecrist, are you here? 13:09 < ecrist> dgodfather: yes, I'm here, but I have a job that pays me to be somewhere else, too. be patient 13:09 < dgodfather> it's OK, i am waiting just didn't know where you went 13:09 < ecrist> dgodfather: is your openvpn server on a machine physically behind your LAN gateway? 13:10 < dgodfather> yes 13:11 < ecrist> ok, do you have a proper port-forwarding rule setup on your internet gateway to redirect udp port 1194 to your openvpn server? 13:12 < dgodfather> yes 13:13 < dgodfather> other wise the client will not have been able to successfully connect 13:22 -!- Federico2 [n=Fede@193.200.193.239] has quit ["Leaving"] 13:25 < ecrist> you didn't tell me it successfully connected. 13:27 < dgodfather> yes i did, i said it's connected only it doesn't ping the server 13:27 < dgodfather> and the server can't ping it as well 13:28 < ecrist> 13:04 < dgodfather> OK, still no ping 13:28 < dgodfather> yep no ping 13:28 < dgodfather> what do i do to make it work 13:28 < dgodfather> ? 13:28 < ecrist> I need to see you client logs 13:28 < dgodfather> where can i find them? 
13:29 < ecrist> !logs 13:29 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 13:29 < dgodfather> yes well it doesn't really give me the location does it?! 13:29 < dgodfather> but i found them 13:30 < dgodfather> it's in the logs directory of the installation in windows 13:33 < dgodfather> ecrist, http://pastebin.com/m3963e177 13:34 < ecrist> dgodfather: is that a recent log? 13:34 < ecrist> says 6:55AM today 13:35 < ecrist> not sure what timezone you're in 13:35 < dgodfather> sec 13:35 < dgodfather> im fromisrael 13:36 < ecrist> ok 13:37 < dgodfather> i will send another one which i think is the correct one 13:37 < dgodfather> sorry for the hassle 13:37 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has left ##openvpn [] 13:37 < dgodfather> http://pastebin.com/m27b473b8 13:38 < ecrist> still shows you using a tap device 13:38 < ecrist> thought we were doing tun here. 13:39 -!- blako [n=chatzill@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn 13:39 < dgodfather> wait i changed it. you now what, i am deletng all log files reconnecting and sending you the log 13:40 < ecrist> I'm sorry, but I've gotta get back to some of my own work. I'll be on still in about an hour, if you wait, otherwise someone else can help you. 13:40 < dgodfather> well i will be here in an hour then thank you 13:40 < dgodfather> unless some else want's to help me? 13:48 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"] 13:54 < krzee> whats the problem? 13:54 < krzee> if it doesnt take long ill help 13:54 < krzee> (im on vacation) 13:55 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 13:55 < krzee> looks like you cant connect, or can connect but no ping 13:55 < krzee> (from a quick scroll-up) 13:56 < krzee> dgodfather 13:58 < dgodfather> krzee, YES SORRY 13:58 < dgodfather> krzee, yes i connect but no ping 14:00 < dgodfather> it's very important to me cause it's for school stuff. 
i want any remote connection to my pc to be secure and heard openvpn is very much so 14:00 < dgodfather> but i can't succeed in making it work for me. not tun nor tap configuration 14:00 < dgodfather> krzee, are you still here? 14:03 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Remote closed the connection] 14:18 < krzee> !logs 14:18 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 14:18 < krzee> !configs 14:18 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:19 < krzee> so the goal is to access files on your home server while outside the house 14:19 < krzee> possibly to upload homework, that sort of thing... 14:20 -!- xattack [n=xattack@132.248.108.239] has quit [] 14:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:47 -!- MTecknology [n=MTecknol@unaffiliated/mtecknology] has joined ##openvpn 14:47 < MTecknology> anybody have experience setting up ovpn on pfsense? 14:57 < krzee> MTecknology, isnt pfsense just freebsd bundled with some tools and a web gui? 14:59 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit [] 15:01 < dgodfather> krzee, hi, 15:02 < ecrist> krzee: yes. 15:02 < ecrist> MTecknology: see here: 15:02 < ecrist> !freebsd 15:02 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 15:02 < dgodfather> krzee, not only, i need to give access to a friend to my network 15:02 < dgodfather> ecrist, hi 15:02 < dgodfather> would you like to help me now? 
15:03 < dgodfather> ecrist, keep on going where we stopped
15:04 < ecrist> dgodfather: switch your server and client back over to tun
15:04 < dgodfather> ecrist, they are in tun
15:04 < dgodfather> i can send the latest log
15:04 < ecrist> you've got about 10 mins before I go out to the living room and grab a beer.
15:04 < ecrist> please do so
15:05 < dgodfather> client log -> http://pastebin.com/m686a6c80
15:05 < ecrist> ok, from the client, you should be able to ping 10.8.0.1
15:06 < dgodfather> ecrist, well i can't
15:06 < ecrist> then the server has a firewall, blocking the traffic
15:06 < dgodfather> i get request timed out
15:07 < ecrist> on the server, what are the contents of openvpn-status.log?
15:07 < dgodfather> i will delete all firewall rules
15:08 < dgodfather> http://pastebin.com/m76b7a3f
15:09 < ecrist> ok, without the firewall rules, does ping work?
15:10 < dgodfather> well b4 it didn't now it does
15:10 < dgodfather> that's good but that is not all
15:10 < ecrist> ok, now what?
15:10 < dgodfather> my lan has different ip
15:10 < krzee> hah now he posts those
15:11 < krzee> i was waiting for !logs !configs for awhile
15:11 < dgodfather> i want my server address processes to be available to someone connected from the vpn
15:11 < ecrist> krzee: it's been an up-hill battle
15:11 < dgodfather> say my ip is 192.168.2.100
15:11 < krzee> i see
15:11 < dgodfather> my vpn ip is 10.8.0.1
15:11 < krzee> dgodfather,
15:11 < krzee> !route
15:11 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:12 < krzee> or is the server process on the same machine?
15:12 < dgodfather> it is on the same machine
15:12 < dgodfather> on the server of the ovpn
15:12 < ecrist> dgodfather: the server running openvpn is the system with the files you want to share, right?
15:13 < dgodfather> yes
15:13 < ecrist> then you don't need to worry about the other network
15:13 < dgodfather> and processes i want to share access to
15:13 < krzee> push a route
15:13 < ecrist> if they're all on the vpn server, then that's all you need.
15:14 < krzee> then you will be able to access it by lan ip of vpn server over the vpn
15:14 < dgodfather> now isn't it better and more correct to use tap and bridging?
15:14 < ecrist> dgodfather: not if everything you want to share is on the vpn server
15:14 < krzee> negative
15:14 < krzee> !tunortap
15:14 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
15:14 < ecrist> tap is for ethernet protocols, tun is for IP protocols
15:14 < dgodfather> i will be able to use the 192.168.2.100 from the 10.8.0.6 client?
15:14 < ecrist> NO
15:14 < ecrist> use 10.8.0.1
15:14 < krzee> if you push a route
15:15 < dgodfather> wait if i push a route i can use 192.168.2.100 and if not i can use 10.8.0.1 only but it's the same result?
15:15 < krzee> if the route is pushed, i think he can access either interface, more correct is to access 10.8.0.6
15:16 < krzee> assuming firewall allows and ip_forward is enabled
15:16 -!- MTecknology [n=MTecknol@unaffiliated/mtecknology] has left ##openvpn [""http://profarius.com/""]
15:16 < dgodfather> but a push is towards the client not other way around isn't it?
15:16 < krzee> right, the client needs the route to server's lan ips
15:16 < krzee> so the server pushes the route to the client
15:17 < krzee> as if you were going to access the lan behind the vpn server
15:17 < dgodfather> so the server pushes the route to the client, and the client can now use the 192.168.2.100 to access the server
15:18 < dgodfather> great thank you guys
15:18 < dgodfather> you were a big help
15:18 < krzee> np
15:19 -!- dgodfather [n=dgodfath@bzq-79-179-78-211.red.bezeqint.net] has quit ["Leaving"]
15:20 < ecrist> *bang* *bang*
15:21 * ecrist drinks beer
15:29 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
15:29 < Rawplayer> !bridge
15:29 < vpnHelper> Rawplayer: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
15:29 < vpnHelper> Rawplayer: where the protocol uses MAC addresses instead of IP addresses.
15:29 < Rawplayer> !alive
15:29 < vpnHelper> Rawplayer: Error: "alive" is not a valid command.
15:29 < Rawplayer> hey, i have freebsd with openvpn(works fine)
15:30 < Rawplayer> but for some reason i wont get the default gw pushed
15:30 < Rawplayer> the thing is, the tap0 interface and a physical interface are in bridge1
15:30 < krzee> you're bridging?
15:30 < krzee> ya you dont push gateway like that in bridge mode
15:30 < Rawplayer> the only ip i have used is on bridge1
15:31 < krzee> why are you using bridge?
15:31 < Rawplayer> to connect my wifi network to my wired network
15:31 < Rawplayer> and to use windows networking in a nice way
15:31 < Rawplayer> but that is not the point
15:32 < Rawplayer> how can i get a gateway on my client?
15:32 < krzee> hah
15:32 < krzee> bridging in same lan with openvpn?
15:32 < Rawplayer> yes
15:33 < krzee> using same ips as wired lan?
15:33 < Rawplayer> yes, the same subnet
15:33 < krzee> err same subnet
15:34 < Rawplayer> i was thinking about setting up a normal dhcp server instead of using the dhcp from openvpn
15:34 < krzee> then you shouldnt need to push any gateway
15:34 < Rawplayer> krzee: sure i do, how can i otherwise get on the internet
15:34 < Rawplayer> with my clients
15:34 < krzee> let it get its ip from the lan dhcp server
15:37 < krzee> http://openvpn.net/index.php/documentation/install.html?start=1#dhcp
15:37 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
15:37 < krzee> Notes -- Setting TAP-Win32 address/subnet automatically via DHCP
15:39 < Rawplayer> krzee: so the push default-gateway is only for routed mode?
15:39 < krzee> im not very familiar with bridging, havnt done it in a long time, but you should be able to add a route with bridged mode too
15:39 < krzee> you would just use the route command on the client
15:41 < krzee> you would just use something like route 0.0.0.0 192.168.2.1
15:52 -!- infinity_ [i=brendon@saleen.netcal.com] has joined ##openvpn
16:25 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has quit ["Leaving."]
16:41 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
16:42 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
17:08 -!- MrTelephone [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
17:09 < MrTelephone> anyone have trouble with windows machines losing openvpn connection and when it tries to reauthenticate it is using the default gateway of the stale TAP32 adaptor?
17:12 < infinity_> can someone help get around this error?
17:12 < infinity_> http://pastebin.com/m12f4bada
17:21 -!- tomfmason [n=tom@unaffiliated/tomfmason] has quit [Read error: 110 (Connection timed out)]
17:30 -!- MrTelephone [n=test@S0106002129d2ee33.ls.shawcable.net] has quit [Read error: 60 (Operation timed out)]
17:34 -!- thewolf [n=rowan@67.207.129.26] has left ##openvpn ["WeeChat 0.2.6"]
17:46 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
18:33 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has quit [Read error: 110 (Connection timed out)]
18:44 -!- renic_ [n=notneces@66-208-213-195.ubr01b.glst3401.nj.hfc.comcastbusiness.net] has joined ##openvpn
18:46 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
18:47 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
19:09 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
19:09 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit [Client Quit]
19:10 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: jfkw
19:10 -!- Netsplit over, joins: jfkw
19:15 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:18 -!- renic_ [n=notneces@66-208-213-195.ubr01b.glst3401.nj.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)]
19:20 < ecrist> infinity_: it looks like you've got an invalid server certificate.
19:48 < mepholic> guess wat dshocker comin'
19:52 < dvl> eh?
19:52 -!- Huza [n=kvirc@78.96.46.99] has joined ##openvpn
20:10 < infinity_> ecrist: i got past that
20:10 < infinity_> ecrist: finally... and now i can't ping through the openvpn server
20:11 < infinity_> i can ping the lan interface, but not other computers. not sure what the problem is yet
20:11 < infinity_> i checked ip_forward and i added a route to the shitty netopia.
20:34 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
20:42 < infinity_> think i got it
20:44 -!- mepholic_ [n=mepholic@209.17.190.90] has joined ##openvpn
20:56 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection]
20:56 < krzee> infinity_,
20:56 < krzee> !route
20:56 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
21:04 -!- rickb|server [i=rickb@cpe-24-166-74-28.neo.res.rr.com] has joined ##openvpn
21:04 -!- blako [n=chatzill@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 54 (Connection reset by peer)]
21:05 < rickb|server> Hello, I am trying to create a new vpn server, I don't know the port for management and there was nothing in the documentation about it. I need that to give webmin control over clients. Any ideas?
21:06 -!- rickb|server [i=rickb@cpe-24-166-74-28.neo.res.rr.com] has quit [Client Quit]
21:11 < infinity_> any idea how to do netbios DNS without doing bridge mode
21:29 < krzee> infinity_, WINS
21:29 < krzee> which i recommend over bridging
21:31 < infinity_> krzee: ack. i don't have a wins server
21:32 < infinity_> maybe i'll just do hosts file
21:32 < infinity_> anyway, once i disconnect, when i reconnect, i can't ping through the vpn. i have to reboot the winXP box (vpn client)
21:33 < krzee> linux samba server?
21:34 < infinity_> krzee: yea. possibly.
21:34 < krzee> has wins server built in
21:34 < infinity_> anyway. any idea whats up with this stale vpn connection
21:35 < infinity_> i just rebooted the xp box. going to see if i can ping
21:36 < infinity_> when it doesn't work, it takes a long time for the client to get an IP
21:36 < infinity_> yup. doesn't work. very strange.
21:38 < infinity_> oh weird. the vpn client said it gave me an ip, but ipconfig says 0.0.0.0
21:42 < infinity_> thats weird. a bunch of automatic services aren't running on my windows client
21:43 < infinity_> strange
21:43 < infinity_> works now :) wonder if its SP3 related
21:52 < ecrist> windows is the debil
21:53 -!- ykut_johny1 [n=ykut_joh@op.niser.org.my] has joined ##openvpn
21:59 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:01 -!- ykut_johny1 [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:06 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
22:21 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: jfkw
22:21 -!- Netsplit over, joins: jfkw
22:40 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
22:43 < ecrist> oh, and evening fuckers
22:47 -!- mRCUTEO [i=info@58.26.212.3] has joined ##openvpn
22:47 < mRCUTEO> hiya all :D
22:48 -!- mRCUTEO [i=info@58.26.212.3] has quit [Client Quit]
23:05 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
23:06 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
23:06 -!- rmull [n=rmull@acsx02.bu.edu] has joined ##openvpn
23:07 < rmull> Hi gents, I see the crowd hasn't changed much :D
23:08 < tjz> darn
23:08 < tjz> yea
23:09 < tjz> 50% of them should be robots
23:09 < tjz> oh, and evening fuckers <-- LOL
23:09 < rmull> I used to be around these parts a lot during the summer
23:10 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:20 < ecrist> yeah you did.
23:20 < ecrist> how goes, rmull?
23:24 < rmull> ecrist: yoyo!
23:24 < rmull> It goes well.
23:24 < rmull> Busy busy with school.
23:24 < rmull> How about yourself?
23:27 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
23:35 < ecrist> busy busy with work, and life in general
23:36 < ecrist> omw to bed now. been working on a server OS upgrade since 9PM
23:36 < ecrist> FreeBSD 6.3->7.1, + 9 jails to update
23:36 < ecrist> mergemaster can be a bitch
23:38 < ecrist> well, g'night folks
23:38 < ecrist> see you tomorrow
23:40 < rmull> Have a good one
23:40 < rmull> I'm off to hit the hay too.
23:45 -!- mepholic_ is now known as mepholic
--- Day changed Fri Jan 30 2009
00:10 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
00:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:43 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:48 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
00:49 < metbsd> reiffert: hi
00:49 < metbsd> can you explain to me again about yesterday's problem?
00:51 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection]
01:03 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn []
01:15 < huslu> i'm seeing that ovpn for the --up script doesn't pass correct 'remote_1' variable
01:16 < huslu> both 'local_1' and 'remote_1' are the same (but they shouldn't as configuration defines them different)
01:16 < huslu> known bug?
01:22 < krzee> ive never seen those, you got them from the manual?
01:22 < krzee> !man
01:22 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:52 < reiffert> moin
01:53 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:43 -!- Huza [n=kvirc@78.96.46.99] has quit ["When two people dream the same dream, it ceases to be an illusion. KVIrc 3.4.2 Shiny http://www.kvirc.net"]
03:32 -!- c64zottel [n=hans@p5B17AD50.dip0.t-ipconnect.de] has joined ##openvpn
04:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
04:15 -!- whits_ [n=jim@jim.505.ru] has quit ["leaving"]
04:16 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
04:17 < ScribbleJ> Hey folks, been using openvpn forever, love it to death. This is not absolutely an openvpn question - I set up a new openvpn server, but found I could not connect with --float because it responds on udp 1024 instead of 1194. Any ideas why?
04:21 < ScribbleJ> I'm sorry, could not connect /without/ --float. tcpdump on server indicates the packets go out as port 1024; not like a firewall in-between is munging them.
05:20 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
06:03 -!- int [n=quassel@int.matrixtelecom.net] has quit [SendQ exceeded]
06:25 -!- int [n=quassel@wikia/int] has joined ##openvpn
06:37 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
06:39 < c64zottel> hello
06:40 < c64zottel> i have some trouble reaching the server's wins-server through openvpn
06:41 < c64zottel> i found some information about it, but is there a detailed tutorial around the internet?
06:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:49 -!- zheng [n=zheng@218.82.136.169] has joined ##openvpn
06:57 < ecrist> morning, bitches
07:02 < c64zottel> morning ecrist
07:19 -!- toretore [n=toretore@114.66.72-86.rev.gaoland.net] has joined ##openvpn
07:51 < ecrist> man, I LOVE CARP (Common Address Redundancy Protocol)
07:51 < ecrist> instant failover support
07:51 < ecrist> zero downtime
07:55 -!- zheng_ [n=zheng@218.82.143.81] has joined ##openvpn
07:59 -!- zheng [n=zheng@218.82.136.169] has quit [Read error: 60 (Operation timed out)]
08:47 -!- Some_ux [n=chatzill@bzq-79-176-16-20.red.bezeqint.net] has joined ##openvpn
08:47 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
08:48 -!- Some_ux [n=chatzill@bzq-79-176-16-20.red.bezeqint.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"]
09:14 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:24 < reiffert> c64zottel: reaching by ping ip works?
10:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:27 < c64zottel> reiffert: thx, i solved it
10:27 < reiffert> what was it? Config of WINSS?
10:28 < c64zottel> i think a couple of things, first the config, then there are few master-browsers in the lan, and i can just see them
10:28 < c64zottel> and broadcastings are not routed
10:28 < c64zottel> but, another question
10:28 < reiffert> broadcast relay, comes with pptp
10:29 < c64zottel> how can i configure my smbtree to use a special wins-server only?
10:29 < reiffert> it's part of a dhcp option.
10:29 < reiffert> option netbios-name-servers ip-address [, ip-address...];
10:30 < reiffert> The NetBIOS name server (NBNS) option specifies a list of RFC
10:30 < reiffert> 1001/1002 NBNS name servers listed in order of preference. NetBIOS
10:30 < reiffert> Name Service is currently more commonly referred to as WINS. WINS
10:30 < reiffert> servers can be specified using the netbios-name-servers option.
10:30 < reiffert> or to speak in openvpn:
10:30 < c64zottel> i am just using linux
10:30 < reiffert> --dhcp-option WINS addr
10:30 < c64zottel> the option is pushed
10:30 < c64zottel> but how can i use it under linux?
10:30 < reiffert> set it in a file
10:30 < reiffert> have smb.conf include that file
10:30 < reiffert> ; wins server = w.x.y.z
10:31 < c64zottel> i did that
10:31 < reiffert> have a shell script write the setting into that file
10:31 < reiffert> done
10:31 < c64zottel> but its not working
10:31 < reiffert> it's not working aint no error message.
10:31 < c64zottel> ok, i will check it
10:31 < reiffert> be sure to run a broadcast relay.
10:33 < c64zottel> its not working, i can see via tshark that the msg reaches the server
10:34 < c64zottel> and that is all the server responds with: 4525.613222 10.23.0.1 -> 10.23.0.2 NBNS Name query response unknown
10:34 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
10:35 < c64zottel> may that be a problem with the firewall? ... but when i shut down the local wins-server here, i can smbtree over the ovpn without problems
10:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
10:40 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:51 < ecrist> fyi, I'm taking my website down for a few minutes to upgrade freebsd 6.3 to 7.1
10:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:02 < ecrist> ugh
11:02 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Connection timed out]
11:03 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has joined ##openvpn
11:11 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
11:24 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
11:30 -!- hellham [n=Larson50@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
11:32 < hellham> good morning all, im new to openvpn, what is the best new user tutorial for both unix/linux and windows? for someone who knows very little? thank you
11:40 -!- hellham [n=Larson50@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit ["thanks for your time"]
11:47 < c64zottel> i have written in my config file push "dhcp-option WINS 10.23.0.1"
11:47 < c64zottel> whereas 10.23.0.1 is my openvpn-tunnel end to server, its a routed tap device
11:47 < c64zottel> but it has no effect on windows
11:47 < ecrist> but, is your openvpn-tunnel server also a WINS server?
11:47 < c64zottel> i guess its because there is a master-browser around here
11:47 < c64zottel> ecrist: it is
11:49 < c64zottel> is there a way to enter the wins server manually
11:49 < c64zottel> question-mark
11:54 < c64zottel> ok, i found it
11:54 < c64zottel> but now it is just showing the network. openvpn
11:55 < c64zottel> which is the domain of my ovpn-server
11:55 < c64zottel> and the domains behind the ovpn server are still hidden
12:11 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:11 -!- xattack [i=xattack@132.248.108.239] has quit [Client Quit]
12:18 < ikarius> oops. I just blowed up my home linux server's networking. guess I won't get openvpn properly set up today
12:18 < ikarius> ... damn me for misconfiguring bridging.
12:22 < ikarius> and for not reading the docs completely before editing /etc/network/interfaces
12:23 < ikarius> ok, so I've got a question about OpenVPN in the meantime
12:23 < ikarius> if I set up bridging/tap.... will clients automatically get IPs from the DHCP server on the subnet?
12:26 < dazo> ikarius: VPN clients no ... local clients yes
12:27 < ikarius> ok, so then I'd need to set the openvpn up to operate as a DHCP server?
12:27 < ikarius> to the VPN clients?
12:29 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:30 < dazo> ikarius: if you use ifconfig-pool or whatever the right option is again ... you'll have that automatically
12:30 < ikarius> ah, ok
12:31 < dazo> ikarius: openvpn will be the DHCP "server" for VPN clients only .... and the real DHCP server on your local net just needs to be told to stay away from the IP range you've given to openvpn
12:31 < ikarius> ok
12:32 < ikarius> I'll just double check the bootp range set on the DHCP server and set something different for the ovpn DHCP range
12:33 < ikarius> also... there's no reasonable way to set up DNS so that if I'm on some local network, which has a local DNS server, when I connect to ovpn, I use a DNS server across the VPN *only* for a particular domain, is there?
12:34 < ikarius> ... I think that's not configurable with out-of-the-box DNS resolver libraries on most OSes
12:35 < dazo> ikarius: nope, nafaik
12:37 < ikarius> k. that's what I thought. It's suboptimal, but it's rather a limitation of the OSes. To work around it the ovpn client would need to pretend to be a DNS server, look at requests, and forward them to the desired DNS server
12:37 < ikarius> and you probably aren't interested in building that functionality into the ovpn client
12:42 < ScribbleJ> Hey, any tips/ideas/pointers on why my Openvpn UDP server responds with a source port of 1024 rather than 1194 (causing my clients to require --float to successfully connect)? port option in server config is 1194 as expected.
12:43 < ScribbleJ> I confirmed via tcpdump it's happening on the server machine itself; not like a device in-between the client and server that nats the ports.
12:57 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has left ##openvpn []
13:00 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:41 < c64zottel> everytime when i try to resolve netbios names i get:
13:41 < c64zottel> name_query failed to find name SOMENAME
13:41 < c64zottel> does it look like a routing problem or more a problem with the samba proxy server?
13:42 < ecrist> c64zottel: this isn't #NetBIOS
13:42 < ecrist> sorry
13:42 < c64zottel> true
13:43 < c64zottel> but there is no netbios...
13:44 < ecrist> 13:41 < c64zottel> everytime when i try to resolve netbios names i get:
13:45 < ecrist> just don't want you to be like others and become a PITA when we don't know/don't care to answer your netbios questions.
13:46 < c64zottel> i meant, there is no channel, i thought it is maybe a routing problem and OpenVPN, but ok, i try #samba
13:48 -!- ohzie [n=ohzie@24.174.3.123] has quit [Read error: 110 (Connection timed out)]
13:48 -!- ohzie [n=ohzie@24.174.3.123] has joined ##openvpn
14:13 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
14:14 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
14:18 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
14:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit []
14:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
14:36 < dazo> ecrist: pm
14:40 -!- dazo [n=dazo@nat/redhat/x-5b79a3572794935f] has quit ["Leaving"]
16:00 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:02 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: worch, c64zottel, ScribbleJ, temba
16:02 -!- Netsplit over, joins: temba, ScribbleJ, c64zottel, worch
16:13 -!- Kreg-Work is now known as soberbit
16:17 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
16:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:41 < krzee> !route
16:41 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:47 < krzee> !factoids search wins
16:47 < vpnHelper> krzee: No keys matched that query.
16:47 < krzee> !factoids search lin
16:47 < vpnHelper> krzee: 'linipforward', 'linnat', 'linfw', and 'lintrafaccnt'
16:47 < krzee> !samba
16:47 < vpnHelper> krzee: "samba" is (#1) http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge, or (#2) http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
16:50 < krzee> !learn shorewall as http://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls.
16:50 < vpnHelper> krzee: Joo got it.
16:52 < krzee> !learn wins as http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:52 < vpnHelper> krzee: Joo got it.
16:57 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
17:00 -!- Janos [n=cramos@190.10.52.104] has joined ##openvpn
17:01 < Janos> hey there, anyone knows if it's possible to assign static ip address using ifconfig-push and client-config-dir directives in a bridged openvpn environment, the example only mentions tun servers and i can't get it to work
17:10 < Janos> or any other way to assign a static ip address in an openvpn bridged environment
17:14 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
17:23 < krzee> why are you bridging?
17:27 < reiffert> because routing is boring.
17:28 < Janos> nvm i found the problem, ifconfig-push and client-config-dir do work you just have to add the client directive to the client file so it pulls the config from the server :)
17:28 < krzee> actually, pull
17:28 < krzee> which is implied along with other stuff by client
17:28 < Janos> i'm bridging because i want my vpn user to be on the same network as my internal network
17:29 < Janos> yeah pull not pulls, syntax error :P
17:30 < krzee> you're using layer2 protocols over the vpn (besides netbios for windows shares)?
17:31 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
17:32 < Janos> pretty much every windows software uses broadcast to do everything ( go figure ) so yeah that's the reason, besides, why not ?, it works great, i do use tun for lan to lan vpns though
17:34 < krzee> umm
17:34 < krzee> windows needs broadcasts for normal stuff other than NetBios?
17:34 < Janos> so most of the time i have bridged server for users and a routed server for remote offices
17:35 < krzee> interesting
17:35 -!- c64zottel [n=hans@p5B17AD50.dip0.t-ipconnect.de] has quit ["Leaving."]
17:35 < krzee> thats extra overhead that you likely dont need to use
17:35 < krzee> but you sound comfortable with it
17:35 < krzee> and sounds like you know how to use it well
17:36 < reiffert> moin
17:36 < reiffert> hi krzee
17:36 < krzee> remember you open your network up to layer2 vulns over the bridges when you design your network
17:36 < krzee> wassup reiffert!
17:36 < krzee> moin moin
17:36 < reiffert> yeah, moin moin!
17:36 < reiffert> how is life?
17:39 < Janos> well yeah i've been using ovpn for a long time so i know my way around, and yes you might have a point that there is no need to use bridged mode, but i'm pretty sure a lot of things will stop working on the MS world, so i guess i'll give it a try and let you know the details :)
17:39 < krzee> nah main thing is just NetBios
17:39 < krzee> which you use WINS for
17:39 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
17:39 < krzee> the broadcasts are how windows deals with not having a WINS server to contact
17:39 < Janos> yeah but most of the time you don't even have a wins server
17:39 < krzee> reiffert, very good
17:40 < reiffert> krzee is right.
17:40 < krzee> Janos, right, but you save overhead by having one
17:40 < krzee> and if you use samba, it is SIMPLE
17:40 < krzee> !wins
17:40 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
17:40 < reiffert> there is broadcast relay
17:40 < reiffert> it's a software
17:40 < reiffert> it comes with pptp
17:40 < krzee> that too
17:40 < krzee> although quite often just WINS is good enough for your avg people
17:41 < reiffert> !learn broadcast-relay as it's a software that comes with pptp. use it when needing wins/samba and/or broadcasts.
17:41 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:41 < reiffert> fuck u
17:41 < krzee> in fact i know of people that recommend using WINS even if bridging
17:42 < krzee> !learn broadcast-relay as a software that comes with pptp. use it in tun mode when needing broadcasts, and WINS isnt enough.
17:42 < vpnHelper> krzee: Joo got it.
17:47 < Janos> krzee: i agree if you are the one that designed the whole network things would be very nice, i have a samba running as DC with an LDAP backend replicated to other 5 remote samba servers, centralized auth for proxy, mail, windows and linux logons, wins server (sadly it can't be replicated yet), dns, dhcp, ddns and much more :). But most of the time people don't know what they are doing and are afraid to change anything so telling them that you will have to
17:47 < Janos> add a netbios-name-servers option to their dhcp server scares them to hell
17:48 < Janos> that assuming they have a dhcp server :)
17:49 < Janos> so the simple vpn server project that cost $x ends up costing $xxx cuz you had to redesign their whole network
17:50 < krzee> once you are vpn'ed in you should be able to make that change :-p
17:52 < Janos> lol yeah well like i said i'll give it a try and let you know the details
17:55 < Janos> later thanks for the help
17:55 -!- Janos [n=cramos@190.10.52.104] has quit ["Ex-Chat"]
18:04 < reiffert> you are typing way too fast for me...
18:04 < reiffert> ah, he quit. next.
18:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 18:08 < reiffert> next 18:40 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:45 -!- downhill_ [n=downhill@unaffiliated/err0r] has joined ##openvpn 18:48 < downhill_> Why would dropping the permissions after the daemon starts (config options "user nobody" and "group nogroup") on a Debian host cause me to get the error MULTI: bad source address from client ... packet dropped? 18:49 < downhill_> And actually, everything works fine on the LAN-side if I use an IP of .6, instead of the configured .21. Anybody have any idea what might be going on? 18:50 < downhill_> (that's with the permissions dropped. not dropping them allows everything to work as it should) 18:51 < reiffert> downhill_: the prior got nothing to do with dropping permissions. 18:52 < downhill_> but it doesn't happen when I don't drop permissions. 18:52 < downhill_> please elaborate. 18:53 < reiffert> sorry, gone to bed. 18:54 < downhill_> >.< 19:00 -!- toretore [n=toretore@114.66.72-86.rev.gaoland.net] has quit ["Ex-Chat"] 19:04 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection] 19:28 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 19:37 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)] 20:06 -!- zheng_ [n=zheng@218.82.143.81] has quit ["Leaving"] 20:43 < ScribbleJ> Hah 20:43 < ScribbleJ> Downhill, I suspect you are having the same issue as me. 20:43 < ScribbleJ> Well, more or less. 20:43 < ScribbleJ> YOu are using UDP, not TCP. 
20:44 < ScribbleJ> You need to take a look at your network traffic - while you are trying to connect to .21, the replies are coming from another address than that, I bet, and your client wants to reject them because it's not where they should be coming from 20:45 < ScribbleJ> If it's not another IP, I bet it's an odd source port (I had the first problem, now I moved on to the second, personally) 20:49 < downhill_> ScribbleJ; TCP 20:50 < downhill_> I'm using TCP, and yeah, I can take a more in-depth look, but it still doesn't explain why dropping the privs causes this. 20:51 < downhill_> uncommenting "user nobody" and "group nogroup" makes it happen, commenting them fixes it. you can't possibly tell me it's unrelated :) 20:51 < ScribbleJ> Haaa, suppose I can't 20:51 < ScribbleJ> I wonder if that would solve my problem. 20:52 < ScribbleJ> I'm stumped - I'm using UDP and right now if I connect, let's say clientip:clientsource -> vpnserver:1194 I'd expect the traffic back to look like vpnserver:1194 -> clientip:clientsource 20:52 < ScribbleJ> But it does /not/. The traffic back all has a source port of 1024. 
20:53 < downhill_> interesting 20:53 < downhill_> at this very moment I can't look, but thanks for the tip :) 20:53 * downhill_ scribbles a note 21:27 -!- [intra]lanman [n=Raymond@99-196-39-200.cust.wildblue.net] has joined ##openvpn 21:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 22:19 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn 23:49 -!- ohzie [n=ohzie@24.174.3.123] has quit ["Leaving"] --- Day changed Sat Jan 31 2009 00:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:04 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection] 02:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:23 -!- c64zottel [n=hans@p5B178936.dip0.t-ipconnect.de] has joined ##openvpn 03:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 04:00 < ropetin> Evenin'! 04:01 < downhill_> heya 04:02 < ropetin> How's it going in here lately? 
It's been FOREVER since I managed to get on IRC 04:25 -!- bandini [n=bandini@host64-111-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 04:33 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 145 (Connection timed out)] 04:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 04:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 05:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 05:45 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"] 05:48 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 06:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:29 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn 07:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:45 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 07:46 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"] 08:06 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:14 < ecrist> fuckers 08:17 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn 08:17 < tjz> hi 08:22 < tjz> Hello 08:22 < tjz> anyone... 
09:14 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 09:31 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 10:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 10:25 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."] 11:42 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 11:49 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: tarbo2, infinity_ 11:51 -!- Netsplit over, joins: infinity_ 11:52 -!- Netsplit over, joins: tarbo2 12:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn --- Log closed Sat Jan 31 13:04:12 2009 --- Log opened Sat Jan 31 18:54:15 2009 18:54 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 18:54 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal] 18:54 -!- Irssi: Join to ##openvpn was synced in 1 secs 19:08 < ecrist> fuckers --- Log closed Sat Jan 31 19:44:41 2009 --- Log opened Sat Jan 31 22:27:41 2009 22:27 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 22:27 -!- Irssi: ##openvpn: Total of 44 nicks [0 ops, 0 halfops, 0 voices, 44 normal] 22:27 -!- Irssi: Join to ##openvpn was synced in 1 secs 22:46 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 22:47 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 60 (Operation timed out)] --- Day changed Sun Feb 01 2009 00:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 01:09 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has quit ["Terminated with extreme prejudice - dircproxy 1.0.5"] 01:39 -!- ikarius [n=ross@216.27.182.3] has left ##openvpn [] 02:42 -!- c64zottel [n=hans@p5B17A516.dip0.t-ipconnect.de] has joined ##openvpn 02:56 -!- 
jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"] 03:00 -!- rubydiam_ [n=rubydiam@123.236.183.30] has joined ##openvpn 03:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 03:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)] 03:50 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 04:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 04:56 -!- rubydiam_ [n=rubydiam@123.236.183.30] has quit [Read error: 110 (Connection timed out)] 05:30 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)] 07:12 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn 07:26 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 07:36 -!- cb22 [n=cb22@moinmoin/developer/federico] has joined ##openvpn 07:37 -!- countd [n=quassel@unaffiliated/countd] has joined ##openvpn 07:39 < cb22> Hi, is it possible to get two VPNs connecting to the same server to speak to each other? 07:40 < cb22> As in -> (server) <- . VPN 1 can ping server, and the same for VPN 2, but they cannot ping each other, even though I think i've got all the routes needed 07:44 < ecrist> yep 07:45 -!- countd [n=quassel@unaffiliated/countd] has quit ["http://quassel-irc.org - Chat comfortably. 
Anywhere."] 07:46 -!- countd [n=countd@cpc3-lewi3-0-0-cust928.bmly.cable.ntl.com] has joined ##openvpn 08:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 08:46 -!- c64zottel [n=hans@p5B17A516.dip0.t-ipconnect.de] has quit ["Leaving."] 09:09 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 09:16 -!- tjz [n=tjz@bb116-15-71-110.singnet.com.sg] has quit ["Spare me some sleep, please."] 09:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 09:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 10:34 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 10:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:50 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn 10:50 -!- smk [n=scott@cobra.httpd.org] has quit [Read error: 104 (Connection reset by peer)] 11:06 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)] 11:06 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn 11:09 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has left ##openvpn [] 11:56 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 12:24 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 12:27 -!- eddieb [n=eddieb@eddieb.xs4all.nl] has joined ##openvpn 12:28 -!- eddieb [n=eddieb@unaffiliated/eddieb] has left ##openvpn ["Leaving"] 12:42 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 104 (Connection reset by peer)] 13:29 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 13:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 13:45 -!- c64zottel [n=hans@141.37.33.125] has quit ["Leaving."] 14:06 -!- ikevin_ [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)] 14:08 -!- ikevin [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] 
has joined ##openvpn 14:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 14:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 15:06 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal] 15:08 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn 15:09 < Spockz|servert> I tried the introduction setup on a OS X machine and I am now at the point of testing the install 15:09 < Spockz|servert> but as soon as I connect I get these errors: 15:10 < Spockz|servert> http://spockz.pastebin.com/m261e532c 15:10 < Spockz|servert> Does anyone know what this means? 15:12 < Spockz|servert> those errors are server-side 15:26 < disco-> Hi all, the shaper option in OpenVPN seems to have no effect when I put it in a ccd file. Is it ok to do this, and if so, any ideas why it isn't working? 15:45 < ecrist> Spockz|servert: you need to run as root 15:46 < Spockz|servert> ecrist: I do, sudo, but I run bridged. 15:46 < ecrist> disco-: I don't generally use the shaper in OpenVPN. we could help more if you provided logs. 15:46 < ecrist> the vpn client, as well as the scripts for the bridging, need to be run as root. 15:46 < disco-> ok ecrist, I'll see if I can get anything relevant 15:47 < Spockz|servert> ecrist: ah, the bridge-start/stop scripts don't work on OS X :( 15:47 < ecrist> disco-: I'm leaving for a superbowl party, so I won't be around now, until late tonight. 15:48 < disco-> ecrist: Ah ok, have fun :) 15:49 < ecrist> Spockz|servert: why not? 15:49 < ecrist> they should. OS X uses FreeBSD user-land. 15:49 < ecrist> write some that *do* work. 15:49 < Spockz|servert> ecrist: brctl: command not found 15:51 < ecrist> ::sigh:: 15:51 < Spockz|servert> *grin* 15:51 < ecrist> Spockz|servert: what bridging scripts are you using? 
15:51 < Spockz|servert> ecrist: the ones from the sample dir 15:51 < ecrist> write your own, that use the proper tools. 15:53 < Spockz|servert> the problem is that I don't know which tools those are 16:05 < ecrist> Mac OS X is the server? 16:08 < Spockz|servert> ecrist: yes 16:09 < Spockz|servert> I tried ifconfig tap0 bonddev en0 but that fails. And I read in the man pages that it would render en0 useless 16:12 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 16:39 < Spockz|servert> ecrist: I can't find a method to bridge the connections. Do you have any hints? 16:41 -!- Spockz [n=info@71pc198.sshunet.nl] has joined ##openvpn 16:50 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn 16:53 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 16:53 -!- rmull [n=rmull@acsx02.bu.edu] has quit ["leaving"] 17:11 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 17:53 -!- Spockz [n=info@71pc198.sshunet.nl] has quit [] 18:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:25 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)] 18:40 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 19:12 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:18 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn 19:25 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit [] 19:58 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 20:20 -!- phr0st_e [n=phr0st@76.252.191.193] has joined ##openvpn 20:25 < phr0st_e> am currently using openvpn 2.x on current version of ubuntu, bridged connection, with one interface. When I make the vpn connection, I get a "no route to host" (error code 64 and 65). 
I can no longer ping the server once the connection is made. I think it's because I only have one interface. I'm trying to set up an alias ip, but it's not coming up at boot. Any ideas? 20:42 < dvl> that indicates to me there is no route. netstat -nr will show you. 20:49 < phr0st_e> that makes sense, what would a good route look like? here's my netstat -rn: 20:51 < phr0st_e> default 192.168.2.1 UGSc 23 640 en1 20:51 < phr0st_e> 127 127.0.0.1 UCS 0 0 lo0 20:51 < phr0st_e> 127.0.0.1 127.0.0.1 UH 2 170 lo0 20:51 < phr0st_e> 155.79.11/24 link#9 UC 1 0 tap0 20:51 < phr0st_e> 155.79.11.19 link#9 UHRLW 1 24 tap0 13 20:51 < phr0st_e> 169.254 link#6 UCS 0 0 en1 20:51 < phr0st_e> 172.16.80/24 link#7 UC 1 0 vmnet8 20:51 < phr0st_e> 172.16.80.255 link#7 UHLWb 1 4 vmnet8 20:51 < phr0st_e> 192.168.2 link#6 UCS 8 0 en1 20:51 < phr0st_e> 192.168.2.1 0:0:c0:87:7:eb UHLW 15 65 en1 1155 20:51 < phr0st_e> 192.168.2.3 0:c0:4f:14:1:de UHLW 24 415 en1 1154 20:51 < phr0st_e> 192.168.2.20 0:b:db:70:45:e7 UHLW 1 1007 en1 928 20:51 < phr0st_e> 192.168.2.32 0:d:93:64:99:2e UHLW 0 11 en1 1098 20:51 < phr0st_e> 192.168.2.143 127.0.0.1 UHS 0 0 lo0 20:51 < phr0st_e> 192.168.2.173 0:1a:e9:83:9f:19 UHLW 0 0 en1 716 20:51 < phr0st_e> 192.168.2.255 link#6 UHLWb 2 27 en1 20:51 < phr0st_e> 192.168.187 link#8 UC 1 0 vmnet1 20:51 < phr0st_e> 192.168.187.255 link#8 UHLWb 1 4 vmnet1 20:51 < phr0st_e> where I'm currently at home behind 129.168.2.x 20:52 < phr0st_e> and my server has a single IP address of 155.79.11.19 21:02 < phr0st_e> just curious...would this be more likely to work if I throw in a second nic? 21:32 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn 21:44 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 113 (No route to host)] 21:59 < dvl> phr0st_e: 2nd nic not required. 22:00 < dvl> routing shows your server is on tap0, so that should work. What is the output of ifconfig tap0 ? 
22:00 < dvl> I bet it is 155.79.11.19 22:01 < dvl> But that's supposed to be the server you say. It appears to be local, not remote. 22:19 < phr0st_e> tap0 Link encap:Ethernet HWaddr 9a:a6:e2:8c:f1:b8 22:19 < phr0st_e> inet6 addr: fe80::98a6:e2ff:fe8c:f1b8/64 Scope:Link 22:19 < phr0st_e> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 22:19 < phr0st_e> RX packets:0 errors:0 dropped:0 overruns:0 frame:0 22:19 < phr0st_e> TX packets:1240 errors:0 dropped:2 overruns:0 carrier:0 22:19 < phr0st_e> collisions:0 txqueuelen:100 22:19 < phr0st_e> RX bytes:0 (0.0 B) TX bytes:100173 (100.1 KB) 22:23 < phr0st_e> yeah...tap0 has no ip address 22:24 < phr0st_e> the netstat -rn from above was from my workstation (that negeotiated a vpn session) 22:24 < phr0st_e> netstat -rn on my server looks like this: 22:25 < phr0st_e> 155.79.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0 22:25 < phr0st_e> 0.0.0.0 155.79.11.254 0.0.0.0 UG 0 0 0 br0 22:25 < phr0st_e> ifconfig on my server looks like this: 22:26 < phr0st_e> br0 Link encap:Ethernet HWaddr 00:11:43:bd:b8:e1 22:26 < phr0st_e> inet addr:155.79.11.19 Bcast:129.79.11.255 Mask:255.255.255.0 22:26 < phr0st_e> inet6 addr: 2001:18e8:2:11:211:43ff:febd:b8e1/64 Scope:Global 22:26 < phr0st_e> inet6 addr: fe80::211:43ff:febd:b8e1/64 Scope:Link 22:26 < phr0st_e> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 22:26 < phr0st_e> RX packets:2299 errors:0 dropped:0 overruns:0 frame:0 22:26 < phr0st_e> TX packets:1051 errors:0 dropped:0 overruns:0 carrier:0 22:26 < phr0st_e> collisions:0 txqueuelen:0 22:26 < phr0st_e> RX bytes:254738 (254.7 KB) TX bytes:188688 (188.6 KB) 22:26 < phr0st_e> eth0 Link encap:Ethernet HWaddr 00:11:43:bd:b8:e1 22:26 -!- phr0st_e [n=phr0st@76.252.191.193] has quit [Excess Flood] 22:26 -!- phr0st_e [n=phr0st@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net] has joined ##openvpn 22:27 < phr0st_e> member:phr0st_e 22:27 < phr0st_e> : 22:27 < phr0st_e> tap0 Link encap:Ethernet HWaddr 9a:a6:e2:8c:f1:b8 22:27 < phr0st_e> [ 22:27 < 
phr0st_e> 11:24pm 22:27 < phr0st_e> ] 22:27 < phr0st_e> member:phr0st_e 22:27 < phr0st_e> : 22:27 < phr0st_e> inet6 addr: fe80::98a6:e2ff:fe8c:f1b8/64 Scope:Link 22:27 < phr0st_e> [ 22:27 < phr0st_e> 11:24pm 22:27 < phr0st_e> ] 22:27 < phr0st_e> member:phr0st_e 22:27 < phr0st_e> : 22:27 < phr0st_e> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 22:27 < phr0st_e> [ 22:27 < phr0st_e> 11:24pm 22:27 < phr0st_e> ] 22:27 < phr0st_e> member:phr0st_e 22:27 < phr0st_e> : 22:27 < phr0st_e> RX packets:0 errors:0 dropped:0 overruns:0 frame:0 22:27 < phr0st_e> [ 22:27 < phr0st_e> 11:24pm 22:27 < phr0st_e> ] 22:28 < phr0st_e> member:phr0st_e 22:28 < phr0st_e> : 22:28 < phr0st_e> TX packets:1240 errors:0 dropped:2 overruns:0 carrier:0 22:28 < phr0st_e> [ 22:28 < phr0st_e> 11:24pm 22:28 < phr0st_e> ] 22:28 < phr0st_e> member:phr0st_e 22:28 < phr0st_e> : 22:28 < phr0st_e> collisions:0 txqueuelen:100 22:28 < phr0st_e> [ 22:28 < phr0st_e> 11:24pm 22:28 < phr0st_e> ] 22:28 < phr0st_e> member:phr0st_e 22:28 < phr0st_e> : 22:28 < phr0st_e> RX bytes:0 (0.0 TX bytes:100173 (100.1 KB) 22:28 < phr0st_e> [ 22:28 < phr0st_e> 11:28pm 22:28 < phr0st_e> ] 22:28 < phr0st_e> member:phr0st_e 22:28 < phr0st_e> : 22:28 < phr0st_e> yeah...tap0 has no ip address 22:28 < phr0st_e> [ 22:28 < phr0st_e> 11:29pm 22:28 < phr0st_e> ] 22:28 < phr0st_e> member:phr0st_e 22:28 < phr0st_e> : 22:28 < phr0st_e> the netstat -rn from above was from my workstation (that negeotiated a vpn session) 22:28 < phr0st_e> [ 22:28 < phr0st_e> 11:29pm 22:28 < phr0st_e> ] 22:29 < phr0st_e> member:phr0st_e 22:29 < phr0st_e> : 22:29 < phr0st_e> netstat -rn on my server looks like this: 22:29 < phr0st_e> [ 22:29 < phr0st_e> 11:29pm 22:29 < phr0st_e> ] 22:29 < phr0st_e> member:phr0st_e 22:29 < phr0st_e> : 22:29 < phr0st_e> 155.79.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0 22:29 < phr0st_e> [ 22:29 < phr0st_e> 11:29pm 22:29 < phr0st_e> ] 22:29 < phr0st_e> member:phr0st_e 22:29 < phr0st_e> : 22:29 < phr0st_e> 0.0.0.0 
155.79.11.254 0.0.0.0 UG 0 0 0 br0 22:29 < phr0st_e> [ 22:29 < phr0st_e> 11:30pm 22:29 -!- mode/##openvpn [+o ecrist] by ChanServ 22:29 < phr0st_e> ] 22:29 < phr0st_e> member:phr0st_e 22:29 -!- phr0st_e was kicked from ##openvpn by ecrist [ecrist] 22:30 <@ecrist> dvl he been doing that long 22:30 <@ecrist> ? 22:33 -!- mode/##openvpn [+b *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net] by ecrist 22:33 -!- mode/##openvpn [-o ecrist] by ecrist 22:33 < ecrist> g'night 22:52 < dvl> ecrist: no, just once. 23:15 < ykut_johny> !route 23:15 < vpnHelper> ykut_johny: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 23:33 < ecrist> dvl, sorry I wasn't around to kick him out when he started it. --- Day changed Mon Feb 02 2009 00:05 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn 00:06 < renic> having issues getting the gui client to work in VISTAx64 - any advice? this is my current problem: 00:06 < renic> Sun Feb 01 22:08:14 2009 CreateFile failed on TAP device: \\.\Global\{5BFF639A-C56D-4CC1-96EB-3BE76AD88045}.tap 00:06 < renic> Sun Feb 01 22:08:14 2009 All TAP-Win32 adapters on this system are currently in use. 
00:06 < renic> Sun Feb 01 22:08:14 2009 Exiting 00:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 00:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:32 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit ["i upgraded to the release candidate, and it fixed the problem"] 00:49 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:41 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn 03:07 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"] 03:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 04:22 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 104 (Connection reset by peer)] 04:30 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has joined ##openvpn 04:38 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn 04:50 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has joined ##openvpn 04:50 < jolelion> hello 04:52 < jolelion> I don't understand the differences between "server/client mode" and "p2p mode". 04:53 < jolelion> and I didn't find an answer on the openvpn Website. Can anyone help me? 04:57 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit ["Leaving."] 05:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:23 -!- cb22 [n=cb22@moinmoin/developer/federico] has quit [Read error: 104 (Connection reset by peer)] 05:23 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 05:29 < kyrix> jolelion: p2p means peer 2 peer. 
you will probably want server/client mode, what do u want to do 05:43 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn 05:49 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)] 05:51 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 05:56 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 05:59 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 06:28 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)] 06:33 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 06:40 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn 06:59 < jolelion> kyrix: the vpn-clients need to talk together 07:14 < ecrist> morning, bitches 07:14 < reiffert> $100/kiss each. 07:23 < ecrist> o.O 07:28 < ecrist> http://www.explosm.net/comics/1543/ 07:28 < vpnHelper> Title: Comics - Explosm.net (at www.explosm.net) 07:33 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 07:47 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)] 07:57 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 07:59 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:07 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer] 08:08 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has joined ##openvpn 08:14 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 08:16 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"] 08:22 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 08:41 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer] 08:50 -!- dim [n=Dimitri@83.167.62.196] has joined ##openvpn 08:53 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] 
has joined ##openvpn 09:32 < ecrist> it's too quiet in here. 09:37 < kyrix> the weather in Vienna is .... :) 09:38 < kyrix> on the other hand, it means the openvpn networks out there are working fine probably :) 09:39 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn 09:43 < ecrist> very true 09:44 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has quit ["leaving"] 09:49 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has left ##openvpn ["Leaving"] 09:58 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 09:58 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn 09:58 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has joined ##openvpn 09:59 < ikarius> hey, looking for some help. I've installed openvpn on my ubuntu 8.0.4 server edition, and I'm trying to set up the PKI stuff. I'm following the how-to on the openvpn site, but when generating keys, a couple of things appear to be going wrong 10:00 < ikarius> the scripts are complaining about "index.txt" not existing, and no server.crt file gets generated. It appears to generate server.key just fine though 10:01 < ikarius> I've tried using the build-key-server script, as well as the pkitool script 10:03 < reiffert> then you probably missed sourcing vars.bar. 10:03 < ikarius> nope, did that 10:03 < ikarius> and verified via the "env" command that it set appropriate variables 10:04 < reiffert> or missed init-config. 10:04 < reiffert> that index file missing sounds like you are using a different openssl.cnf file other than the one that ships with easy-rsa. 10:05 < ikarius> init-config? 10:06 < ikarius> init-ca is shown in the instructions and the usage for pkitool, but not init-config 10:06 < reiffert> !howto 10:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 10:07 < reiffert> "Generate the master Certificate Authority (CA) certificate & key" 10:08 < ikarius> init-config didn't come in the openvpn package distributed for ubunty 10:09 < ikarius> ubuntu even 10:09 < ikarius> the instructions indicate it's just supposed to copy the config files into the right places 10:09 < ikarius> but... openssl.cnf, it appears I'm not getting that correctly 10:09 < ikarius> let me dig into that bit 10:11 < ikarius> no, I'm getting the openssl.cnf distributed with openvpn 10:11 < reiffert> export KEY_DIR="$EASY_RSA/keys" 10:12 < ikarius> that's already there 10:12 < reiffert> find that in your vars file? 10:12 < reiffert> cause 10:12 < reiffert> openssl.cnf: 10:12 < reiffert> dir = $ENV::KEY_DIR # Where everything is kept 10:12 < reiffert> database = $dir/index.txt # database index file. 10:12 < ikarius> yes, those lines are in the openssl.cnf I have 10:12 < reiffert> However, follow the howto again please and paste what you get from the beginning and we'll see. 10:13 < reiffert> outforasmoke 10:13 < ikarius> how critical should init-config be? 10:13 < reiffert> forget init-config. 10:13 < ikarius> ok 10:13 < ikarius> I'll restart and paste 10:14 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 10:16 < ikarius> AH. found the problem. 10:16 < ikarius> I did not run clean-all to begin with. That initializes index.txt and serial 10:17 < reiffert> welcome 10:18 < ikarius> I skipped it because I'd done a "mkdir" on keys, so I didn't think anything needed to be deleted... 
10:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:18 < ikarius> the name is slightly misleading; I expect "clean" to simply remove any traces of a previous config...but thank you 10:22 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 10:23 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has joined ##openvpn 10:25 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 10:29 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 104 (Connection reset by peer)] 10:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 10:38 -!- Federico2 [n=Fede@193.200.193.239] has joined ##openvpn 10:38 < Federico2> hi guys 10:39 -!- wonko [n=wonko@wiggum.4amlunch.net] has joined ##openvpn 10:39 < wonko> ugh, i think i'm missing something stupid silly 10:41 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 10:41 < ecrist> what's that? 
10:48 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn 10:55 < plaerzen> hello irc 11:05 -!- kyrix [n=ashley@91-115-31-134.adsl.highway.telekom.at] has joined ##openvpn 11:06 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has left ##openvpn [] 11:10 < wonko> ecrist: hey there 11:10 < wonko> i'm trying to do a basic two private networks behind both client and server vpn end-nodes 11:10 < wonko> and it's just not behaving at all 11:12 < wonko> all the routing table entries point to the IP on the "near" side of the vpn tunnel, but i can't ping/ssh/anything to that IP, I need to go against the IP on the "far" side of the tunnel, which works 11:12 < wonko> but i can't set my routing tables to use that 11:16 < ecrist> !configs 11:16 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:16 < wonko> ah, yes, that would likely help. :) 11:19 < Federico2> guys 11:19 < Federico2> afaik there is no simple way to let an unprivileged user create and deploy certificate files for openvpn clients 11:20 < Federico2> I'm writing something to invoke easy-rsa, build a certificate, package it in a zip file as well as configuration file, openvpn installer, guide... 11:20 < Federico2> am I reinventing the wheel?bd 11:20 < ecrist> yes 11:20 < ecrist> !ssl-admin 11:20 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 11:22 < ecrist> Federico2: the documentation on the site isn't that great for ssl-admin 11:22 < ecrist> that does a lot of what you're asking 11:22 < Federico2> so I reinvented the wheel.... 11:23 < ikarius> hmm. 
is there a particular verbosity level where I should see DHCP requests come from a client? 11:23 < Federico2> thanks a lot 11:23 < ikarius> I *think* I have DHCP configured properly on the server side, but the client is always getting 169.254.8.126, which I think is a private "fallback" IP 11:24 < ikarius> if I can set the verbosity to see DHCP requests, and no DHCP request shows up, I'll know my problem is client-side 11:25 < wonko> http://sial.org/pbot/34850 11:25 < vpnHelper> Title: Paste #34850 from "wonko" at 147.140.233.16 (at sial.org) 11:27 < ecrist> Federico2: that project is on-going, and in active development, so if there's something you'd like to see, feel free to request it or contribute it. 11:28 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 11:29 < Federico2> ecrist, I wrote something more specific for a different use case 11:30 < Federico2> I want an unprivileged user to be able to create certificates and deploy a .zip file containing the openvpn installer as well 11:31 < Federico2> ssl-admin is almost there - it could be tweaked a bit to prevent the user to tweak with other parameters 11:32 < Federico2> uh... it's run by root! 11:35 < Federico2> crazy 11:37 < ecrist> ssl-admin, in it's current inception, is root-only, but it's a very minor tweak to change that 11:37 < ecrist> could be easily geared toward checking for a specific group membership 11:37 < ecrist> my point for pointing it out is, it's *almost* what you need. 11:37 < ecrist> just have to add in the remaining bits 11:38 < Federico2> I already wrote mine - so right now I'll use it - but it's a pity not to have a complete solution 11:38 < ecrist> ok 11:38 < Federico2> minor tweak? 11:38 < ecrist> aye 11:39 < Federico2> there could be a lot to change if you want to run it without root privs 11:40 < wonko> ecrist: get a change to look at my paste? 
11:41 < ecrist> wonko, looking now 11:41 < ecrist> wonko, no 11:42 < ecrist> chmod -R a+rwx ssl-admin/* 11:42 < ecrist> and one line in the code, iirc 11:45 < ecrist> wonko: I'm guessing your firewall for ping failures. 11:45 < ecrist> client should be able to ping 172.20.1.1 11:47 -!- kyrix [n=ashley@91-115-31-134.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)] 11:47 < ecrist> it can ping .6 because that's it's own address. 11:49 < wonko> the client can't ping .6, it can only ping .1 (dunkirk is the client) 11:49 -!- dim [n=Dimitri@83.167.62.196] has quit [Remote closed the connection] 11:50 < wonko> firewall is disabled 11:59 < ecrist> so it *can* ping .1? 11:59 < ecrist> PING 172.20.1.1 (172.20.1.1): 56 data bytes 11:59 < ecrist> --- 172.20.1.1 ping statistics --- 11:59 < ecrist> 2 packets transmitted, 0 packets received, 100.0% packet loss 11:59 < ecrist> your notes seem to indicate otherwise 12:00 < wonko> that's from the server 12:00 < wonko> if you look down at the bottom of the paste 12:01 < wonko> the last ping is the ping from the client to 172.20.1.1 12:01 < ecrist> oh, ok. 12:03 -!- Kuyatzu [n=Miranda@p57BC61EC.dip.t-dialin.net] has joined ##openvpn 12:03 -!- kyrix [n=ashley@91-115-186-194.adsl.highway.telekom.at] has joined ##openvpn 12:04 -!- Kuyatzu [n=Miranda@p57BC61EC.dip.t-dialin.net] has left ##openvpn [] 12:07 < Federico2> bye 12:07 < ecrist> wonko: you're not going to be able to ping the .5 or the .2 ips 12:07 < ecrist> just FYI 12:07 < wonko> yeah, but i should be able to ping the .1 and .6 from both ends 12:08 < ecrist> to recap here, the client *can* ping 172.20.1.1, and can the server ping 172.20.1.6? 12:08 < wonko> the part that really confuses me is that i can ping the IP on the *remote* machine 12:08 < ecrist> doesn't appear to 12:08 < wonko> the client can ping .1 (which is on the server) and the server can ping .6 (which is on the client) 12:08 < ecrist> ok, but they can't ping themselves? 
12:08 < wonko> nope 12:09 < ecrist> weird, should be able to. let's just pretend they can. 12:09 < ecrist> can they ping the remote networks, then? 12:09 < wonko> no since the routes for those networks point to the local IPs 12:12 < ecrist> the the VPN client can't ping itself? 12:12 < ecrist> that doesn't make sense. 12:13 < wonko> i know 12:14 < wonko> that's why I was hoping I was doing something stupid in the config files. :) 12:15 < wonko> and to top it off, (in an unrelated project) the F5 load balancers have decided to start kicking my ass today as well 12:15 < wonko> it's *gotta* be monday 12:15 < wonko> ;) 12:21 < ecrist> lol 12:21 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: bandini, dvl 12:21 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: mcp, justdave, clustermagnet, meshuga, disco-, rubydiamond, pa, skx, disposable, aar0n, (+22 more, use /NETSPLIT to show all of them) 12:22 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: donavan, Federico2, krzie, kaii, dogmeat, munga, cpm, huslu, troy-, techqbert 12:26 < ecrist> 12:41 -!- kyrix [n=ashley@93-82-4-238.adsl.highway.telekom.at] has joined ##openvpn 12:41 -!- Netsplit over, joins: dogmeat, wonko, Federico2, plaerzen, jpalmer, rubydiamond, aar0n, ikarius, cb22, [intra]lanman (+33 more) 12:47 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: mcp, donavan, Federico2, justdave, krzie, clustermagnet, meshuga, disco-, rubydiamond, pa, (+34 more, use /NETSPLIT to show all of them) 12:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:58 -!- Netsplit over, joins: kyrix, dogmeat, wonko, Federico2, plaerzen, jpalmer, rubydiamond, aar0n, ikarius, cb22 (+34 more) 13:03 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection] --- Log closed Mon Feb 02 13:04:19 2009 --- Log opened Mon Feb 02 13:04:22 2009 13:04 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 13:04 -!- Irssi: ##openvpn: Total of 49 
nicks [0 ops, 0 halfops, 0 voices, 49 normal] 13:04 -!- Irssi: Join to ##openvpn was synced in 19 secs 13:04 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has quit [Nick collision from services.] 13:04 -!- You're now known as ecrist 13:06 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection] 13:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:40 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 13:50 < wonko> hmmm, i seem to have stumped you 13:50 < wonko> i wish that meant I won 13:50 < wonko> ;) 13:52 < ecrist> sorry 13:52 < wonko> it's ok 13:52 < wonko> i'm just being a dick. :) 14:06 < ecrist> you're good at it. 14:09 < wonko> i know 14:09 < wonko> ;) 14:09 < plaerzen> ecrist, what is openvpn ? 14:11 < ecrist> plaerzen: it's this thing you put in your mom's butt. 14:13 < ecrist> rather, a thing *I* put in your mom's butt. 14:13 -!- mode/##openvpn [+o ecrist] by ChanServ 14:13 -!- ecrist was kicked from ##openvpn by ecrist [quit talking about plaerzen's mom!] 
--- Log closed Mon Feb 02 14:13:49 2009 --- Log opened Mon Feb 02 14:13:57 2009 14:13 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 14:13 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal] 14:13 -!- Irssi: Join to ##openvpn was synced in 1 secs 14:14 < ecrist> sorry about that 14:14 < plaerzen> lol 14:15 < ecrist> w00t, my writeup for disk quotas on os x got a mention on macosxhints.com 15:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 16:01 -!- c64zotte1 [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has joined ##openvpn 16:04 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn [] 16:04 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn 16:06 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn [] 16:11 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has quit [Read error: 60 (Operation timed out)] 17:01 -!- c64zotte1 [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has quit ["Leaving."] 17:17 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn 17:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 17:34 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn 17:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 17:38 < ScribbleJ> This is driving me bananas... openvpn on debian etch, server set for udp, 'port' and 'lport' both set to 1194; it always sends it's traffic as lport 1024 though. 17:38 < ScribbleJ> Any ideas what I did/should do? 17:44 < ScribbleJ> openvpn is clearly /listening/ on 1194. iptables has no rules that are related. 
netcat will happily let me send traffic with sport of 1024, but 1194 I can't since it's bound for openvpn 17:46 -!- cj [n=cjac@66.152.65.2] has joined ##openvpn 17:46 < cj> hey all 17:46 < cj> I need some help setting up a mitm proxy 17:47 < cj> I want to pcap an ssmtp session I'm initiating. I'd like to set up a proxy on localhost which talks to smtp.foo.com:ssmtp and listens on localhost:smtp 17:48 < cj> I'll have mutt use smtps://user:pass@localhost:25/ at which point I can `tcpdump -i lo -w session.pcap port 25` 17:48 < cj> anyone know of a tool I can do the listening on? 17:49 < cj> stunnel seems to do the opposite 17:49 < krzee> umm, ssh i think 17:50 < cj> oooh 17:50 < krzee> but definately not openvpn 17:50 < ikarius> ssh and port forwarding should be able to do what you want, but unless you're running as root, you'll probably need to set it to listen on a port higher than 1024 17:50 < cj> well, I'm asking here 'cuz folks have domain experience, not because I'd use openvpn. sorry for being OT :) 17:51 < krzee> ikarius, im not sure about all os, but in fbsd you can give a diff user access to open a lower port 17:51 < krzee> cj, np 17:51 < ikarius> krzee: I think you're right, but I think you need root to grant that access in the first place.... I think. 17:52 < krzee> oh yes 17:52 < krzee> well depends 17:52 < krzee> you need root to grant the access, but after that the user doesnt need to start as root then drop privs 17:52 < ikarius> disclaimer: I am not liable if my half-remembered tips cause your computer to eat your family dog and light the house on fire 17:52 < krzee> hahah 17:53 < krzee> ya that goes for me too 17:53 < cj> okay, so -L 127.0.0.1:25:smtp.foo.com:465 would forward the port without tls... 17:53 < ScribbleJ> cj, are you trying for an mitm proxy, or do you just want to decrpyt and read the ssl traffic? 17:53 < cj> how do I add the tls encapsulation? 
17:53 < cj> ScribbleJ: the latter 17:54 < ScribbleJ> cj, I'll tell you what I'd do, just pcap the traffic with tcpdump as normal, then read the log into wireshark which I beleive has an option to decrpyt and ssl strem provided the key 17:54 < ecrist> rawr 17:54 < cj> okay. where do I get the client key for mutt? :) 17:55 < krzee> wassup eric 17:55 < ScribbleJ> Got me, I was expecting you had the server key. :) 17:55 < ecrist> sup krzee 17:55 < krzee> lol 17:55 < krzee> not much man 17:55 < krzee> getting ready to leave vegas 17:55 < cj> ha. if I use stunnel, I do! Thanks :) 17:55 < krzee> headed to the bay area 17:58 < krzee> ecrist, howd ya like the superbowl? 18:03 < plaerzen> oh shit. I missed the superbowl. 18:04 < krzee> lol 18:08 < cj> ScribbleJ: do you happen to know what arguments to use to specify the ssl key? 18:08 * cj asks #wireshark 18:09 < ScribbleJ> cj, I don't, but earlier when I googled wireshark decrypt ssl, the first guide that came up had some nice pictures of where to put it in the gui. 18:09 < cj> cool beans 18:09 < cj> oh, wait... I was hoping for tshark 18:09 < cj> anyway, I'll copy the ssl key to the windows box... 18:10 < ScribbleJ> Yeah, I typically use tcpdump then wireshark, can't help with tshark. 18:10 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 18:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 18:24 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn 18:26 < grendal_prime> ok we have several of these machines now really digging them...however the window it guys are iffy because they have no tool to really monitor what is happening and who is loged in. I have showed them the terminal based tools but they are not very inpressed(windows guys) Sooo is there some sort of windows openvpn management utill? Web based would be fine. 
I looked at the webmin tool but openvpn has to be installed with the webmin tool and 18:26 < grendal_prime> besides it doesnt offer much more than the terminal. 18:41 < ecrist> ::yawn:: 18:41 < ecrist> grendal_prime: afaik, there's nothing at this time. 18:42 < ecrist> feel free to write one, though 18:50 -!- kyrix [n=ashley@93-82-4-238.adsl.highway.telekom.at] has quit [Remote closed the connection] 19:00 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn 19:17 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:51 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit [] 19:55 < grendal_prime> well..like i say there is the webmin module....unfortunatly the way that it works is somewhat, disfunctional for existing openvpn installations. 19:56 < grendal_prime> in fact it breaks existing connections. 19:57 < grendal_prime> the entire server because it rewrites the server.conf. 20:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 20:49 -!- tjz [n=tjz@bb121-7-26-157.singnet.com.sg] has joined ##openvpn 20:50 * tjz reporting in, sir! 20:53 -!- wonko [n=wonko@wiggum.4amlunch.net] has left ##openvpn [] 21:03 < tjz> is it possible to auto generate the .ca ,crt with a click /command? 21:13 < grendal_prime> click command? 21:14 < grendal_prime> like with a mouse type deal? 21:15 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection] 21:29 < tjz> in centos server.. 21:34 < tjz> i don't have to hit "enter" manually.. 
21:37 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 21:48 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit ["Lost terminal"] 21:49 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 22:09 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn 22:15 -!- smk_ is now known as smk 22:16 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn 22:16 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has quit [Client Quit] 22:20 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn 22:22 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 22:25 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn 22:28 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 22:45 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 22:50 < ikarius> freaking FINALLY 22:51 < ikarius> man, it took a lot of digging to come up with the right way to configure Ubuntu to do a bridged OpenVPN 22:52 < ikarius> http://openvpn.pastebin.com/m50d387de - interfaces file 22:54 < ikarius> then some scripts to add tap devices to the bridge when openvpn needs them 22:59 < ikarius> there were a lot of obsolete instruction sets.... 
which did not work --- Day changed Tue Feb 03 2009 00:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:39 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"] 00:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 01:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit] 01:14 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 01:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 01:39 < reiffert> moin 02:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 02:25 -!- MehdiAK [n=Mehdiak@94.101.188.97] has joined ##openvpn 02:26 -!- MehdiAK is now known as Inil 02:29 < Inil> i want use ldap authentication in openvpn but plugin can't connect ldap server and i have password error? 02:29 < Inil> encryption type must be change 02:29 < Inil> on ldap authentication plugin?! 02:32 < Inil> any idea? 02:34 < reiffert> you could use pam authentication and have pam do the ldap stuff, I guess you already have pam_ldap auth on your system? 02:47 < Inil> reiffert: document or manual ? :) 02:54 < reiffert> pam_ldap or openvpn->pam? 02:55 < reiffert> /openvpn-2.1~rc11/plugin$ ls auth-pam/ 02:55 < reiffert> Makefile README auth-pam.c pamdl.c pamdl.h 02:58 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-b90fc6b3825fe6e1] has joined ##openvpn 02:58 < Natilous> Hi Inil ... 02:58 < Natilous> Hi reiffert 03:00 < Inil> reiffert: i have ldap server &it's OK! , and i want run openvpn server that use ldap for Authentication & installed openvpn-uth-ldap plugins and want use it but have problems! 03:00 < Inil> hi Natilous :) 03:01 < reiffert> Inil: You already said that. 
03:01 < Natilous> reiffert: the plugin can't bind with ldap. 03:02 < reiffert> Natilous: my proposal was: 03:02 < reiffert> have pam do the ldap stuff and use the pam auth that comes with openvpn. 03:02 < reiffert> Natilous: as my question was: I guess you already have pam_ldap auth on your system? 03:03 < reiffert> Natilous: which add ldap auth to pam. 03:03 < Natilous> reiffert: are you hve a document to explain how can I do ? 03:03 < Natilous> I don't know .. ldap admin not here right now. 03:04 < reiffert> pam_ldap pam_auth_ldap 03:04 < reiffert> common packagename on various unix distriubtions. 03:05 < reiffert> you'll need the ldap admin and a guy who cares about the pam stuff. 03:05 < reiffert> you running a unix server dont